
1   package com.atlassian.asap.core.server.filter;
2   
3   import com.atlassian.asap.api.Jwt;
4   import com.atlassian.asap.api.JwtBuilder;
5   import com.google.common.collect.ImmutableMap;
6   import com.google.common.collect.ImmutableSet;
7   import org.junit.Test;
8   
9   import java.util.Map;
10  import java.util.Optional;
11  import java.util.Set;
12  import java.util.function.Predicate;
13  
14  import static org.hamcrest.MatcherAssert.assertThat;
15  import static org.hamcrest.Matchers.is;
16  
/**
 * Unit tests for {@link IssuerAndSubjectAwareRequestAuthorizationFilter}.
 *
 * <p>Every test builds a filter either from an explicit issuer-to-subject rule map or from a
 * plain set of trusted issuers, then asks {@code isAuthorized} about a JWT carrying a chosen
 * issuer/subject pair. The request argument is always {@code null}, so only the token-based
 * part of the decision is exercised here.
 *
 * <p>NOTE(review): the "no subject claim" case is only covered by a rule that accepts the
 * issuer's own name. Whether an absent subject is treated as "subject == issuer" or as
 * "skip the subject check" is not pinned down by these tests -- confirm against the filter.
 */
public class IssuerAndSubjectAwareRequestAuthorizationFilterTest {

    private static final String GOOD_ISSUER = "good/issuer";
    private static final String ANOTHER_GOOD_ISSUER = "another/good/issuer";
    private static final String BAD_ISSUER = "bad/issuer";
    private static final String GOOD_SUBJECT = "good/subject";
    private static final String BAD_SUBJECT = "bad/subject";

    /** Builds a filter with a single rule mapping {@code issuer} to {@code subjectRule}. */
    private static IssuerAndSubjectAwareRequestAuthorizationFilter filterWithRule(
            String issuer, Predicate<String> subjectRule) {
        Map<String, Predicate<String>> rules = ImmutableMap.of(issuer, subjectRule);
        return new IssuerAndSubjectAwareRequestAuthorizationFilter(rules);
    }

    /** A filter whose only rule accepts exactly {@code GOOD_SUBJECT} when issued by {@code GOOD_ISSUER}. */
    private static IssuerAndSubjectAwareRequestAuthorizationFilter subjectRuleFilter() {
        return filterWithRule(GOOD_ISSUER, GOOD_SUBJECT::equals);
    }

    @Test
    public void isAuthorizedForSubjectMatch() throws Exception {
        // Issuer is known and the subject satisfies that issuer's rule.
        Jwt token = getJwt(GOOD_ISSUER, GOOD_SUBJECT);

        assertThat(subjectRuleFilter().isAuthorized(null, token), is(true));
    }

    @Test
    public void isAuthorizedForServiceWithNoSubject() throws Exception {
        // The rule accepts the issuer's own name as subject; the token carries no subject claim.
        IssuerAndSubjectAwareRequestAuthorizationFilter filter = filterWithRule(GOOD_ISSUER, GOOD_ISSUER::equals);
        Jwt token = getJwt(GOOD_ISSUER, null);

        assertThat(filter.isAuthorized(null, token), is(true));
    }

    @Test
    public void isNotAuthorizedForGoodIssuerNoMatch() throws Exception {
        // Known issuer, but the subject fails that issuer's rule.
        Jwt token = getJwt(GOOD_ISSUER, BAD_SUBJECT);

        assertThat(subjectRuleFilter().isAuthorized(null, token), is(false));
    }

    @Test
    public void isNotAuthorizedForBadIssuerGoodSubject() throws Exception {
        // An otherwise-acceptable subject must not be honoured for an issuer that has no rule.
        Jwt token = getJwt(BAD_ISSUER, GOOD_SUBJECT);

        assertThat(subjectRuleFilter().isAuthorized(null, token), is(false));
    }

    @Test
    public void issuerConstructorDisallowsImpersonation() throws Exception {
        // The issuer-set factory: each trusted issuer may only speak for itself.
        Set<String> trustedIssuers = ImmutableSet.of(GOOD_ISSUER, ANOTHER_GOOD_ISSUER);
        IssuerAndSubjectAwareRequestAuthorizationFilter filter =
                IssuerAndSubjectAwareRequestAuthorizationFilter.issuers(trustedIssuers);

        Jwt unknownIssuerToken = getJwt(BAD_ISSUER, null);
        Jwt selfSubjectToken = getJwt(GOOD_ISSUER, GOOD_ISSUER);
        // A trusted issuer naming a *different* trusted issuer as subject must be rejected.
        Jwt impersonationToken = getJwt(GOOD_ISSUER, ANOTHER_GOOD_ISSUER);

        assertThat("the issuer is invalid", filter.isAuthorized(null, unknownIssuerToken), is(false));
        assertThat("the issuer is valid", filter.isAuthorized(null, selfSubjectToken), is(true));
        assertThat("the issuer is valid, but is impersonating another issuer",
                filter.isAuthorized(null, impersonationToken), is(false));
    }

    /**
     * Builds a minimal JWT for the given claims.
     *
     * @param issuer  value of the issuer claim
     * @param subject value of the subject claim, or {@code null} to omit the claim
     * @return a token with placeholder key id and audience (both {@code "ignored"})
     */
    static Jwt getJwt(String issuer, String subject) {
        JwtBuilder builder = JwtBuilder.newJwt()
                .issuer(issuer)
                .subject(Optional.ofNullable(subject));
        return builder
                .keyId("ignored")
                .audience("ignored")
                .build();
    }
}