1 package com.atlassian.asap.core.server.jersey;
2
3 import com.atlassian.asap.api.Jwt;
4 import com.atlassian.asap.api.JwtClaims;
5 import com.atlassian.asap.api.exception.AuthorizationFailedException;
6 import com.google.common.collect.ImmutableMap;
7 import com.google.common.collect.ImmutableSet;
8 import org.junit.Before;
9 import org.junit.Rule;
10 import org.junit.Test;
11 import org.mockito.Mock;
12 import org.mockito.junit.MockitoJUnit;
13 import org.mockito.junit.MockitoRule;
14
15 import java.util.HashSet;
16 import java.util.Optional;
17 import java.util.function.Function;
18
19 import static com.google.common.collect.Sets.newHashSet;
20 import static java.util.Arrays.asList;
21 import static org.hamcrest.MatcherAssert.assertThat;
22 import static org.hamcrest.Matchers.equalTo;
23 import static org.mockito.Mockito.times;
24 import static org.mockito.Mockito.verify;
25 import static org.mockito.Mockito.when;
26
27
/**
 * Unit tests for {@link AsapValidator} and the whitelist providers nested in it.
 *
 * <p>The validation tests drive the validator through a mocked whitelist provider whose
 * {@code Whitelist} is backed by two mutable sets owned by this test. The provider tests
 * check that environment-style maps, {@code @Asap} annotation values and configured
 * defaults are turned into the expected subject and issuer sets.
 *
 * <p>NOTE(review): the authorization decisions pinned here are security relevant. In
 * particular {@link #validateWithAllowAny()} shows that an empty whitelist accepts any
 * issuer and subject, so a provider that yields empty sets leaves the resource open.
 */
public class AsapValidatorTest {

    @Rule
    public MockitoRule rule = MockitoJUnit.rule();

    @Mock
    private Asap asap;

    @Mock
    private Jwt jwt;

    @Mock
    private JwtClaims claims;

    @Mock
    private Function<Asap, AsapValidator.Whitelist> whitelistProvider;

    // Backing sets of the Whitelist handed out by the mocked provider. Each test fills
    // them AFTER the Whitelist has been constructed in setUp().
    private HashSet<String> authorizedSubjects;
    private HashSet<String> authorizedIssuers;

    /**
     * Wires the mocks: the token carries no subject by default, and the provider returns
     * a whitelist built from the (initially empty) subject and issuer sets.
     */
    @Before
    public void setUp() {
        authorizedSubjects = new HashSet<>();
        authorizedIssuers = new HashSet<>();

        // NOTE(review): the tests below only work if Whitelist observes later changes to
        // these sets, i.e. it presumably keeps the references instead of copying them.
        // Confirm that production callers cannot mutate a whitelist the same way.
        AsapValidator.Whitelist sharedWhitelist =
                new AsapValidator.Whitelist(authorizedSubjects, authorizedIssuers);

        when(claims.getSubject()).thenReturn(Optional.empty());
        when(jwt.getClaims()).thenReturn(claims);
        when(whitelistProvider.apply(asap)).thenReturn(sharedWhitelist);
    }

    /** A whitelisted issuer with no subject restriction is accepted. */
    @Test
    public void validate() throws AuthorizationFailedException {
        authorizedIssuers.add("foo");
        when(claims.getIssuer()).thenReturn("foo");

        runValidation();

        // Pins the number of issuer reads made by the current implementation.
        verify(claims, times(2)).getIssuer();
    }

    /**
     * With both whitelists left empty, a token with an arbitrary issuer and subject passes.
     *
     * <p>NOTE(review): this documents a fail-open default. No test here covers what the
     * environment-variable provider returns when its variables are unset or blank; if
     * that is an empty set, a missing variable silently disables the restriction.
     */
    @Test
    public void validateWithAllowAny() throws AuthorizationFailedException {
        when(claims.getIssuer()).thenReturn("foo");
        when(claims.getSubject()).thenReturn(Optional.of("bar"));

        runValidation();

        verify(claims, times(2)).getIssuer();
    }

    /**
     * Accepts a whitelisted issuer.
     *
     * <p>NOTE(review): despite its name this test uses the mocked provider and performs
     * the same steps as {@link #validate()}; it does not exercise
     * {@code EnvironmentVariablesWhitelistProvider}.
     */
    @Test
    public void validateWithEnvironmentVariable() throws AuthorizationFailedException {
        authorizedIssuers.add("foo");
        when(claims.getIssuer()).thenReturn("foo");

        runValidation();

        verify(claims, times(2)).getIssuer();
    }

    /** An issuer is accepted when it is one of several whitelisted issuers. */
    @Test
    public void validateWithMultiple() throws AuthorizationFailedException {
        authorizedIssuers.addAll(asList("fz", "foo"));
        when(claims.getIssuer()).thenReturn("foo");

        runValidation();

        verify(claims, times(2)).getIssuer();
    }

    /**
     * A whitelisted issuer is still rejected when the token's subject is not whitelisted.
     *
     * <p>NOTE(review): the case "subject whitelist set, token has no subject" is not
     * covered by any test in this class.
     */
    @Test(expected = AuthorizationFailedException.class)
    public void validateFailedWithInvalidSubject() throws AuthorizationFailedException {
        authorizedIssuers.add("foo");
        authorizedSubjects.add("bar");
        when(claims.getIssuer()).thenReturn("foo");
        when(claims.getSubject()).thenReturn(Optional.of("baz"));

        runValidation();
    }

    /** A token whose issuer is not in a non-empty issuer whitelist is rejected. */
    @Test(expected = AuthorizationFailedException.class)
    public void validateFailedWithInvalidIssuer() throws AuthorizationFailedException {
        authorizedIssuers.add("foo");
        when(claims.getIssuer()).thenReturn("bar");

        runValidation();
    }

    /** Comma-separated values looked up by variable name become the two whitelist sets. */
    @Test
    public void getWhitelistFromEnvironmentVariables() throws AuthorizationFailedException {
        ImmutableMap<String, String> environment = ImmutableMap.of(
                "subjects", "foo,bar",
                "issuers", "baz");
        AsapValidator.EnvironmentVariablesWhitelistProvider provider =
                new AsapValidator.EnvironmentVariablesWhitelistProvider(
                        "subjects", "issuers", environment);

        AsapValidator.Whitelist whitelist = provider.apply(asap);

        assertThat(whitelist.getAuthorizedSubjects(), equalTo(newHashSet("foo", "bar")));
        assertThat(whitelist.getAuthorizedIssuers(), equalTo(newHashSet("baz")));
    }

    /** Subjects and issuers declared on the annotation are copied into the whitelist. */
    @Test
    public void getWhitelistFromAnnotation() throws AuthorizationFailedException {
        when(asap.authorizedSubjects()).thenReturn(new String[]{"foo", "bar"});
        when(asap.authorizedIssuers()).thenReturn(new String[]{"baz"});

        AsapValidator.AsapWhitelistProvider provider = new AsapValidator.AsapWhitelistProvider();
        AsapValidator.Whitelist whitelist = provider.apply(asap);

        assertThat(whitelist.getAuthorizedSubjects(), equalTo(newHashSet("foo", "bar")));
        assertThat(whitelist.getAuthorizedIssuers(), equalTo(newHashSet("baz")));
    }

    /** Values present on the annotation take precedence over the configured defaults. */
    @Test
    public void testWhiteListFromAnnotationWithConfigSupport() throws AuthorizationFailedException {
        when(asap.authorizedSubjects()).thenReturn(new String[]{"foo", "bar"});
        when(asap.authorizedIssuers()).thenReturn(new String[]{"baz"});

        Function<Asap, AsapValidator.Whitelist> provider = getAnnotationProviderWithConfig();
        AsapValidator.Whitelist whitelist = provider.apply(asap);

        assertThat(whitelist.getAuthorizedSubjects(), equalTo(newHashSet("foo", "bar")));
        assertThat(whitelist.getAuthorizedIssuers(), equalTo(newHashSet("baz")));
    }

    /**
     * Empty annotation arrays fall back to the configured default subjects and issuers.
     *
     * <p>NOTE(review): the mixed case (only one of the two arrays empty) is not covered.
     */
    @Test
    public void testWhiteListWhenAnnotationMissing() throws AuthorizationFailedException {
        when(asap.authorizedSubjects()).thenReturn(new String[]{});
        when(asap.authorizedIssuers()).thenReturn(new String[]{});

        Function<Asap, AsapValidator.Whitelist> provider = getAnnotationProviderWithConfig();
        AsapValidator.Whitelist whitelist = provider.apply(asap);

        assertThat(whitelist.getAuthorizedSubjects(), equalTo(newHashSet("subject1", "subject2", "subject3")));
        assertThat(whitelist.getAuthorizedIssuers(), equalTo(newHashSet("issuer1", "issuer2", "issuer3")));
    }

    /** Builds the annotation provider with three default subjects and three default issuers. */
    private Function<Asap, AsapValidator.Whitelist> getAnnotationProviderWithConfig() {
        ImmutableSet<String> defaultSubjects = ImmutableSet.of("subject1", "subject2", "subject3");
        ImmutableSet<String> defaultIssuers = ImmutableSet.of("issuer1", "issuer2", "issuer3");
        return new AsapValidator.AsapAnnotationWhitelistProviderWithConfigSupport(
                defaultSubjects, defaultIssuers);
    }

    /** Validates the mocked token against the mocked annotation with a fresh validator. */
    private void runValidation() throws AuthorizationFailedException {
        AsapValidator validator = new AsapValidator(whitelistProvider);
        validator.validate(asap, jwt);
    }
}