/**
 * Produces a fresh CSRF {@code state} value for the OAuth2 authorization request.
 *
 * <p>The work is delegated to the CSRF verifier, which also stores a cookie on the
 * {@code response} so the value can be checked when the provider calls back.
 *
 * @return the state value to include in the redirect to the identity provider
 */
@Override
public String generateCsrfState() {
  String state = csrfVerifier.generateState(request, response);
  return state;
}
/**
 * Verifies the CSRF state of an OAuth2 callback using the default name of the
 * {@code state} request parameter.
 *
 * @param request  callback request carrying the state cookie and the state parameter
 * @param response response on which the state cookie is cleared once checked
 * @param provider identity provider the request belongs to; used to attribute an
 *                 authentication failure to its source
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
  // Single-argument-name variant: only the parameter name differs from the full overload.
  this.verifyState(request, response, provider, DEFAULT_STATE_PARAMETER_NAME);
}
/**
 * Checks the CSRF state of the callback, reading the state from the request parameter
 * named {@code parameterName}.
 *
 * @param parameterName name of the request parameter that carries the state value
 */
@Override
public void verifyCsrfState(String parameterName) {
  String stateParameter = parameterName;
  csrfVerifier.verifyState(request, response, identityProvider, stateParameter);
}
/**
 * A generated state is non-empty and a matching cookie is added to the response.
 */
@Test
public void generate_state() {
  String generated = underTest.generateState(request, response);

  assertThat(generated).isNotEmpty();
  // The verifier must persist something on the response to check the callback against.
  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie stateCookie = cookieArgumentCaptor.getValue();
  verifyCookie(stateCookie);
}
/**
 * Checks the CSRF state of the callback using the verifier's default state parameter name.
 */
@Override
public void verifyCsrfState() {
  // No parameter name given: the verifier falls back to its default.
  csrfVerifier.verifyState(request, response, identityProvider);
}
/**
 * The init context delegates state generation to the CSRF verifier with the current
 * request and response.
 */
@Test
public void generate_csrf_state() {
  OAuth2IdentityProvider.InitContext initContext = newInitContext();

  initContext.generateCsrfState();

  verify(csrfVerifier).generateState(request, response);
}
/**
 * Successful verification with an explicit state parameter name: the cookie holds the
 * SHA-256 hex digest of the state, the parameter holds the plain value, and afterwards
 * the cookie is cleared (null value, path "/", max age 0).
 */
@Test
public void verify_state() {
  String state = "state";
  Cookie[] cookies = {new Cookie("OAUTHSTATE", sha256Hex(state))};
  when(request.getCookies()).thenReturn(cookies);
  when(request.getParameter("aStateParameter")).thenReturn(state);

  underTest.verifyState(request, response, identityProvider, "aStateParameter");

  // One-time use: the state cookie must be expired once it has been consumed.
  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie cleared = cookieArgumentCaptor.getValue();
  assertThat(cleared.getName()).isEqualTo("OAUTHSTATE");
  assertThat(cleared.getValue()).isNull();
  assertThat(cleared.getPath()).isEqualTo("/");
  assertThat(cleared.getMaxAge()).isEqualTo(0);
}
/**
 * Produces a fresh CSRF {@code state} value for the OAuth2 authorization request by
 * delegating to the CSRF verifier, which also stores a cookie on the {@code response}.
 *
 * @return the state value to include in the redirect to the identity provider
 */
@Override
public String generateCsrfState() {
  final String state = csrfVerifier.generateState(request, response);
  return state;
}
/**
 * Same as the explicit-name case, but the state is read from the default parameter,
 * which this test expects to be {@code "state"}; the cookie is cleared afterwards.
 */
@Test
public void verify_state_using_default_state_parameter() {
  String state = "state";
  Cookie[] cookies = {new Cookie("OAUTHSTATE", sha256Hex(state))};
  when(request.getCookies()).thenReturn(cookies);
  when(request.getParameter("state")).thenReturn(state);

  underTest.verifyState(request, response, identityProvider);

  // One-time use: the state cookie must be expired once it has been consumed.
  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie cleared = cookieArgumentCaptor.getValue();
  assertThat(cleared.getName()).isEqualTo("OAUTHSTATE");
  assertThat(cleared.getValue()).isNull();
  assertThat(cleared.getPath()).isEqualTo("/");
  assertThat(cleared.getMaxAge()).isEqualTo(0);
}
/**
 * The callback context delegates state verification to the CSRF verifier, using the
 * default state parameter name.
 */
@Test
public void verify_csrf_state() {
  OAuth2IdentityProvider.CallbackContext callbackContext = newCallbackContext();

  callbackContext.verifyCsrfState();

  verify(csrfVerifier).verifyState(request, response, identityProvider);
}
/**
 * A state cookie that is present but has a null value is rejected with an
 * authentication failure attributed to the OAuth2 provider, carrying no login and no
 * public message.
 */
@Test
public void fail_with_AuthenticationException_when_state_cookie_is_null() {
  Cookie[] cookies = {new Cookie("OAUTHSTATE", null)};
  when(request.getCookies()).thenReturn(cookies);
  when(request.getParameter("state")).thenReturn("state");

  thrown.expect(authenticationException()
    .from(AuthenticationEvent.Source.oauth2(identityProvider))
    .withoutLogin()
    .andNoPublicMessage());
  thrown.expectMessage("CSRF state value is invalid");

  underTest.verifyState(request, response, identityProvider);
}
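/**
 * An empty {@code state} request parameter is rejected even when a well-formed state
 * cookie is present.
 *
 * <p>The cookie holds the SHA-256 hex digest of the state, the same form the successful
 * verification tests use, so the only thing that differs from the happy path is the
 * empty parameter.
 */
@Test
public void fail_with_AuthenticationException_when_state_parameter_is_empty() {
  // sha256Hex, not sha1Hex: a SHA-1 cookie would never match regardless of the
  // parameter, and the failure would not be attributable to the empty value.
  when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("OAUTHSTATE", sha256Hex("state"))});
  when(request.getParameter("state")).thenReturn("");

  thrown.expect(authenticationException()
    .from(AuthenticationEvent.Source.oauth2(identityProvider))
    .withoutLogin()
    .andNoPublicMessage());
  thrown.expectMessage("CSRF state value is invalid");

  underTest.verifyState(request, response, identityProvider);
}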
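/**
 * A state parameter that does not correspond to the state cookie is rejected.
 *
 * <p>The cookie holds the SHA-256 hex digest of {@code "state"}, exactly as in the
 * successful verification tests, so this test only passes because the parameter value
 * differs. With a SHA-1 digest in the cookie the test would pass even for a matching
 * parameter and would not prove that mismatches are detected.
 */
@Test
public void fail_with_AuthenticationException_when_state_cookie_is_not_the_same_as_state_parameter() {
  when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("OAUTHSTATE", sha256Hex("state"))});
  when(request.getParameter("state")).thenReturn("other value");

  thrown.expect(authenticationException()
    .from(AuthenticationEvent.Source.oauth2(identityProvider))
    .withoutLogin()
    .andNoPublicMessage());
  thrown.expectMessage("CSRF state value is invalid");

  underTest.verifyState(request, response, identityProvider);
}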
/**
 * With no cookies on the request at all, verification fails with a distinct
 * "cookie is missing" message rather than the generic invalid-state one; the
 * failure is attributed to the OAuth2 provider, with no login and no public message.
 */
@Test
public void fail_with_AuthenticationException_when_cookie_is_missing() {
  Cookie[] noCookies = {};
  when(request.getCookies()).thenReturn(noCookies);

  thrown.expect(authenticationException()
    .from(AuthenticationEvent.Source.oauth2(identityProvider))
    .withoutLogin()
    .andNoPublicMessage());
  thrown.expectMessage("Cookie 'OAUTHSTATE' is missing");

  underTest.verifyState(request, response, identityProvider);
}
/**
 * Checks the CSRF state of the callback, leaving the choice of the state parameter
 * name to the verifier's default.
 */
@Override
public void verifyCsrfState() {
  csrfVerifier.verifyState(
    request,
    response,
    identityProvider);
}