OIDCDynamicRegistrationTest.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.cxf.systest.jaxrs.security.oidc;

import java.net.URL;
import java.util.Collections;

import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;

import org.junit.BeforeClass;

public class OIDCDynamicRegistrationTest extends AbstractBusClientServerTestBase {
    public static final String PORT = OIDCDynRegistrationServer.PORT;

    @BeforeClass
    public static void startServers() throws Exception {
        assertTrue("server did not launch correctly",
                   launchServer(OIDCDynRegistrationServer.class, true));
    }

    @org.junit.Test
    public void testGetClientRegNotAvail() throws Exception {
        URL busFile = OIDCDynamicRegistrationTest.class.getResource("client.xml");
        String address = "https://localhost:" + PORT + "/services/dynamic/register";
        WebClient wc = WebClient.create(address, Collections.singletonList(new JsonMapObjectProvider()),
                         busFile.toString());
        Response r = wc.accept("application/json").path("some-client-id").get();
        assertEquals(401, r.getStatus());
    }
    @org.junit.Test
    public void testRegisterClientNoInitialAccessToken() throws Exception {
        URL busFile = OIDCDynamicRegistrationTest.class.getResource("client.xml");
        String address = "https://localhost:" + PORT + "/services/dynamic/register";
        WebClient wc = WebClient.create(address, Collections.singletonList(new JsonMapObjectProvider()),
                         busFile.toString());
        wc.accept("application/json").type("application/json");
         
        assertEquals(401, wc.post(newClientRegistration()).getStatus());
    }
    
    @org.junit.Test
    public void testRegisterClientInitialAccessTokenCodeGrant() throws Exception {
        URL busFile = OIDCDynamicRegistrationTest.class.getResource("client.xml");
        String address = "https://localhost:" + PORT + "/services/dynamicWithAt/register";
        WebClient wc = WebClient.create(address, Collections.singletonList(new JsonMapObjectProvider()),
                         busFile.toString());

        wc.accept("application/json").type("application/json");
        ClientRegistration reg = newClientRegistration(); 
        ClientRegistrationResponse resp = null;
        assertEquals(401, wc.post(reg).getStatus());
        
        wc.authorization(new ClientAccessToken("Bearer", "123456789"));
        resp = wc.post(reg, ClientRegistrationResponse.class);
        
        assertNotNull(resp.getClientId());
        assertNotNull(resp.getClientSecret());
        assertEquals(address + "/" + resp.getClientId(),
                     resp.getRegistrationClientUri());
        String regAccessToken = resp.getRegistrationAccessToken();
        assertNotNull(regAccessToken);

        wc.reset();
        wc.path(resp.getClientId());
        assertEquals(401, wc.get().getStatus());

        wc.authorization(new ClientAccessToken("Bearer", regAccessToken));
        ClientRegistration clientRegResp = wc.get(ClientRegistration.class);
        testCommonRegProperties(clientRegResp);

        assertNull(clientRegResp.getTokenEndpointAuthMethod());
        
        assertEquals(200, wc.delete().getStatus());
    }
    private void testCommonRegProperties(ClientRegistration clientRegResp) {
        assertNotNull(clientRegResp);
        assertEquals("web", clientRegResp.getApplicationType());
        assertEquals("dynamic_client", clientRegResp.getClientName());
        assertEquals("openid", clientRegResp.getScope());
        assertEquals(Collections.singletonList("authorization_code"),
                     clientRegResp.getGrantTypes());
        assertEquals(Collections.singletonList("https://a/b/c"),
                     clientRegResp.getRedirectUris());
        assertEquals(Collections.singletonList("https://rp/logout"),
                     clientRegResp.getListStringProperty("post_logout_redirect_uris"));
    }

    @org.junit.Test
    public void testRegisterClientInitialAccessTokenCodeGrantTls() throws Exception {
        URL busFile = OIDCDynamicRegistrationTest.class.getResource("client.xml");
        String address = "https://localhost:" + PORT + "/services/dynamicWithAt/register";
        WebClient wc = WebClient.create(address, Collections.singletonList(new JsonMapObjectProvider()),
                         busFile.toString());

        wc.accept("application/json").type("application/json");
        ClientRegistration reg = newClientRegistration();
        reg.setTokenEndpointAuthMethod(OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
        reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, 
                        "CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US");
        
        ClientRegistrationResponse resp = null;
        assertEquals(401, wc.post(reg).getStatus());
        
        wc.authorization(new ClientAccessToken("Bearer", "123456789"));
        resp = wc.post(reg, ClientRegistrationResponse.class);
        
        assertNotNull(resp.getClientId());
        assertNull(resp.getClientSecret());
        assertEquals(address + "/" + resp.getClientId(),
                     resp.getRegistrationClientUri());
        String regAccessToken = resp.getRegistrationAccessToken();
        assertNotNull(regAccessToken);

        wc.reset();
        wc.path(resp.getClientId());
        assertEquals(401, wc.get().getStatus());

        wc.authorization(new ClientAccessToken("Bearer", regAccessToken));
        ClientRegistration clientRegResp = wc.get(ClientRegistration.class);
        testCommonRegProperties(clientRegResp);
        assertEquals(OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS, clientRegResp.getTokenEndpointAuthMethod());
        assertEquals("CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US", 
                     clientRegResp.getProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN));
        
        assertEquals(200, wc.delete().getStatus());
    }

    private ClientRegistration newClientRegistration() {
        ClientRegistration reg = new ClientRegistration();
        reg.setApplicationType("web");
        reg.setScope("openid");
        reg.setClientName("dynamic_client");
        reg.setGrantTypes(Collections.singletonList("authorization_code"));
        reg.setRedirectUris(Collections.singletonList("https://a/b/c"));
        
        reg.setProperty("post_logout_redirect_uris", 
                        Collections.singletonList("https://rp/logout"));
        return reg;
    }

}