예제 #1
0
  @Test
  public void testAddingAndUpdatingAnApprovalPublishesEvents() throws Exception {
    UaaTestAccounts testAccounts = UaaTestAccounts.standard(null);

    Approval approval =
        new Approval()
            .setUserId(testAccounts.getUserName())
            .setClientId("app")
            .setScope("cloud_controller.read")
            .setExpiresAt(Approval.timeFromNow(1000))
            .setStatus(ApprovalStatus.APPROVED);

    eventPublisher.clearEvents();

    MockAuthentication authentication = new MockAuthentication();
    SecurityContextHolder.getContext().setAuthentication(authentication);

    dao.addApproval(approval);

    Assert.assertEquals(1, eventPublisher.getEventCount());

    ApprovalModifiedEvent addEvent = eventPublisher.getLatestEvent();
    Assert.assertEquals(approval, addEvent.getSource());
    Assert.assertEquals(authentication, addEvent.getAuthentication());
    Assert.assertEquals(
        "{\"scope\":\"cloud_controller.read\",\"status\":\"APPROVED\"}",
        addEvent.getAuditEvent().getData());

    approval.setStatus(DENIED);

    eventPublisher.clearEvents();
    dao.addApproval(approval);

    Assert.assertEquals(1, eventPublisher.getEventCount());

    ApprovalModifiedEvent modifyEvent = eventPublisher.getLatestEvent();
    Assert.assertEquals(approval, modifyEvent.getSource());
    Assert.assertEquals(authentication, modifyEvent.getAuthentication());
    Assert.assertEquals(
        "{\"scope\":\"cloud_controller.read\",\"status\":\"DENIED\"}",
        addEvent.getAuditEvent().getData());
  }
  @Test
  public void testSuccessfulAuthorizationCodeFlow() throws Exception {

    HttpHeaders headers = new HttpHeaders();
    // TODO: should be able to handle just TEXT_HTML
    headers.setAccept(Arrays.asList(MediaType.TEXT_HTML, MediaType.ALL));

    AuthorizationCodeResourceDetails resource = testAccounts.getDefaultAuthorizationCodeResource();

    URI uri =
        serverRunning
            .buildUri("/oauth/authorize")
            .queryParam("response_type", "code")
            .queryParam("state", "mystateid5")
            .queryParam("client_id", resource.getClientId())
            .queryParam("redirect_uri", resource.getPreEstablishedRedirectUri())
            .build();
    ResponseEntity<Void> result = serverRunning.getForResponse(uri.toString(), headers);
    assertEquals(HttpStatus.FOUND, result.getStatusCode());
    String location = result.getHeaders().getLocation().toString();

    if (result.getHeaders().containsKey("Set-Cookie")) {
      String cookie = result.getHeaders().getFirst("Set-Cookie");
      headers.set("Cookie", cookie);
    }

    ResponseEntity<String> response = serverRunning.getForString(location, headers);
    // should be directed to the login screen...
    String body = response.getBody();
    assertTrue(body.contains("/login.do"));
    assertTrue(body.contains("username"));
    assertTrue(body.contains("password"));

    MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
    formData.add("username", testAccounts.getUserName());
    formData.add("password", testAccounts.getPassword());

    // Should be redirected to the original URL, but now authenticated
    result = serverRunning.postForResponse("/login.do", headers, formData);
    assertEquals(HttpStatus.FOUND, result.getStatusCode());

    if (result.getHeaders().containsKey("Set-Cookie")) {
      String cookie = result.getHeaders().getFirst("Set-Cookie");
      headers.set("Cookie", cookie);
    }

    response = serverRunning.getForString(result.getHeaders().getLocation().toString(), headers);
    if (response.getStatusCode() == HttpStatus.OK) {
      body = response.getBody();
      // The grant access page should be returned
      assertTrue(body.contains("Application Authorization"));
      // Forms should have the right action
      assertTrue(body.matches("(?s).*\\saction=\"\\S*oauth/authorize\".*"));

      formData.clear();
      formData.add("user_oauth_approval", "true");
      result = serverRunning.postForResponse("/oauth/authorize", headers, formData);
      assertEquals(HttpStatus.FOUND, result.getStatusCode());
      location = result.getHeaders().getLocation().toString();
    } else {
      // Token cached so no need for second approval
      assertEquals(HttpStatus.FOUND, response.getStatusCode());
      location = response.getHeaders().getLocation().toString();
    }
    assertTrue(
        "Wrong location: " + location,
        location.matches(resource.getPreEstablishedRedirectUri() + ".*code=.+"));
    assertFalse(
        "Location should not contain cookie: " + location,
        location.matches(resource.getPreEstablishedRedirectUri() + ".*cookie=.+"));

    formData.clear();
    formData.add("client_id", resource.getClientId());
    formData.add("redirect_uri", resource.getPreEstablishedRedirectUri());
    formData.add("grant_type", "authorization_code");
    formData.add("code", location.split("code=")[1].split("&")[0]);
    HttpHeaders tokenHeaders = new HttpHeaders();
    tokenHeaders.set(
        "Authorization",
        testAccounts.getAuthorizationHeader(resource.getClientId(), resource.getClientSecret()));
    @SuppressWarnings("rawtypes")
    ResponseEntity<Map> tokenResponse =
        serverRunning.postForMap("/oauth/token", formData, tokenHeaders);
    assertEquals(HttpStatus.OK, tokenResponse.getStatusCode());
  }