public Optional<Token> getToken(HttpServletRequest request, HttpServletResponse response) {
  // The cookie only carries an encoded string; nothing is returned to the caller until
  // validateToken has had a chance to reject it, so a missing cookie short-circuits to empty.
  Optional<String> encodedToken = getTokenFromCookie(request);
  if (encodedToken.isPresent()) {
    return validateToken(encodedToken.get(), request, response);
  }
  return Optional.empty();
}
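@Test
public void validate_token_does_nothing_when_no_jwt_cookie() {
  // Request carries no JWT cookie at all: the handler must report "no token" without
  // touching the session or the serializer. The handler is invoked once and the same
  // result is both verified against and asserted on (the original called it twice).
  Optional<?> result = underTest.validateToken(request, response);

  verifyZeroInteractions(httpSession, jwtSerializer);
  assertThat(result.isPresent()).isFalse();
}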
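@Test
public void validate_token_does_nothing_when_empty_value_in_jwt_cookie() {
  // A JWT-SESSION cookie that is present but blank must be treated like no cookie:
  // no session lookup, no decode attempt, empty result. The handler is invoked once and
  // the same result is both verified against and asserted on (the original called it twice).
  when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("JWT-SESSION", "")});

  Optional<?> result = underTest.validateToken(request, response);

  verifyZeroInteractions(httpSession, jwtSerializer);
  assertThat(result.isPresent()).isFalse();
}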
@Test
public void validate_token_does_not_refresh_session_when_token_is_no_more_valid() {
  // The cookie is present but the serializer refuses to decode it (e.g. bad signature or
  // expired, as far as this test is concerned it is simply "undecodable"): no user comes back.
  addJwtCookie();
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.empty());

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isFalse();
}
@Test
public void authenticate_from_sso() {
  // Header-based (SSO) authentication wins: when it yields a user, the JWT handler is not
  // consulted at all and no error status is written on the response.
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());
  when(httpHeadersAuthentication.authenticate(request, response)).thenReturn(Optional.of(A_USER));

  UserSession session = underTest.authenticate(request, response);

  assertThat(session.getUuid()).isEqualTo(A_USER.getUuid());
  verify(httpHeadersAuthentication).authenticate(request, response);
  verify(jwtHttpHandler, never()).validateToken(request, response);
  verify(response, never()).setStatus(anyInt());
}
@Test
public void authenticate_from_basic_header() {
  // Neither SSO headers nor the JWT cookie identify a user, so the Basic header is tried;
  // the JWT handler is verified to have been consulted before falling back to Basic.
  when(httpHeadersAuthentication.authenticate(request, response)).thenReturn(Optional.empty());
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.of(A_USER));

  UserSession session = underTest.authenticate(request, response);

  assertThat(session.getUuid()).isEqualTo(A_USER.getUuid());
  verify(jwtHttpHandler).validateToken(request, response);
  verify(basicAuthentication).authenticate(request);
  verify(response, never()).setStatus(anyInt());
}
@Test
public void return_false_when_jwt_throws_unauthorized_exception() throws Exception {
  // An AuthenticationException from the JWT handler must not escape the filter: the
  // caller gets a well-formed JSON {"valid":false} instead of a stack trace.
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.empty());
  doThrow(AuthenticationException.class).when(jwtHttpHandler).validateToken(request, response);

  underTest.doFilter(request, response, chain);

  verify(response).setContentType(MediaTypes.JSON);
  String body = stringWriter.toString();
  JsonAssert.assertJson(body).isSimilarTo("{\"valid\":false}");
}
@Test
public void return_empty_if_not_authenticated() {
  // Every authenticator declines: the result is an anonymous session (not logged in,
  // no uuid) rather than an exception or an error status on the response.
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.empty());
  when(httpHeadersAuthentication.authenticate(request, response)).thenReturn(Optional.empty());
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());

  UserSession anonymous = underTest.authenticate(request, response);

  assertThat(anonymous.isLoggedIn()).isFalse();
  assertThat(anonymous.getUuid()).isNull();
  verify(response, never()).setStatus(anyInt());
}
@Test
public void authenticate_from_jwt_token() {
  // No SSO headers, but the JWT cookie validates to a user: that user is the session.
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.of(A_USER));
  when(httpHeadersAuthentication.authenticate(request, response)).thenReturn(Optional.empty());

  UserSession session = underTest.authenticate(request, response);

  assertThat(session.getUuid()).isEqualTo(A_USER.getUuid());
  verify(response, never()).setStatus(anyInt());
}
@Test
public void return_true_when_jwt_token_is_set() throws Exception {
  // A valid JWT cookie alone is enough for the validation endpoint to answer {"valid":true}.
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.empty());
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.of(newUserDto()));

  underTest.doFilter(request, response, chain);

  verify(response).setContentType(MediaTypes.JSON);
  String body = stringWriter.toString();
  JsonAssert.assertJson(body).isSimilarTo("{\"valid\":true}");
}
@Test
public void return_false_when_basic_authenticator_throws_unauthorized_exception() throws Exception {
  // Same contract as for the JWT handler: a failing Basic authenticator is reported as an
  // invalid session in the JSON body, never propagated out of the filter.
  doThrow(AuthenticationException.class).when(basicAuthentication).authenticate(request);
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());

  underTest.doFilter(request, response, chain);

  verify(response).setContentType(MediaTypes.JSON);
  String body = stringWriter.toString();
  JsonAssert.assertJson(body).isSimilarTo("{\"valid\":false}");
}
}
@Test
public void return_true_when_no_jwt_nor_basic_auth_and_no_force_authentication() throws Exception {
  // With sonar.forceAuthentication=false an anonymous caller is a valid (anonymous) session,
  // so the endpoint answers {"valid":true} even though no credential was presented.
  settings.setProperty("sonar.forceAuthentication", "false");
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.empty());
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());

  underTest.doFilter(request, response, chain);

  verify(response).setContentType(MediaTypes.JSON);
  String body = stringWriter.toString();
  JsonAssert.assertJson(body).isSimilarTo("{\"valid\":true}");
}
@Test
public void return_true_when_basic_auth() throws Exception {
  // No JWT cookie but a successful Basic authentication: session is reported as valid.
  when(basicAuthentication.authenticate(request)).thenReturn(Optional.of(newUserDto()));
  when(jwtHttpHandler.validateToken(request, response)).thenReturn(Optional.empty());

  underTest.doFilter(request, response, chain);

  verify(response).setContentType(MediaTypes.JSON);
  String body = stringWriter.toString();
  JsonAssert.assertJson(body).isSimilarTo("{\"valid\":true}");
}
@Test
public void validate_token_does_not_refresh_session_when_user_is_disabled() {
  // The cookie decodes to well-formed claims, but the user behind them was created with
  // active=false: a cryptographically fine token must still be rejected once the account
  // is disabled. Note this test keys the claims on the login, unlike the uuid-based tests.
  addJwtCookie();
  UserDto disabledUser = addUser(false);
  Claims claims = createToken(disabledUser.getLogin(), NOW);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isFalse();
}
@Test
public void validate_token() {
  // Happy path: a freshly issued token for an existing user validates, and because it is
  // brand new nothing is re-encoded (no refresh of the session cookie).
  UserDto user = db.users().insertUser();
  addJwtCookie();
  Claims claims = createToken(user.getUuid(), NOW);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isTrue();
  verify(jwtSerializer, never()).encode(any(JwtSerializer.JwtSession.class));
}
@Test
public void validate_token_refresh_session_when_refresh_time_is_reached() {
  UserDto user = db.users().insertUser();
  addJwtCookie();
  // Token issued 10 days ago, last refreshed 6 minutes ago: past the refresh interval,
  // so the session is still valid and the serializer is asked to refresh it with a
  // 3 * 24 * 60 * 60 lifetime (three days, if the unit is seconds).
  Claims claims = createToken(user.getUuid(), TEN_DAYS_AGO);
  claims.put("lastRefreshTime", SIX_MINUTES_AGO);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isTrue();
  verify(jwtSerializer).refresh(any(Claims.class), eq(3 * 24 * 60 * 60));
}
@Test
public void validate_token_does_not_refresh_session_when_refresh_time_is_not_reached() {
  UserDto user = db.users().insertUser();
  addJwtCookie();
  // Token issued 10 days ago but refreshed only 4 minutes ago: still valid, and too recent
  // to be refreshed again (keeps the refresh traffic bounded on busy clients).
  Claims claims = createToken(user.getUuid(), TEN_DAYS_AGO);
  claims.put("lastRefreshTime", FOUR_MINUTES_AGO);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isTrue();
  verify(jwtSerializer, never()).refresh(any(Claims.class), anyInt());
}
@Test
public void validate_token_does_not_refresh_session_when_disconnected_timeout_is_reached() {
  UserDto user = db.users().insertUser();
  addJwtCookie();
  // Token issued ~4 months ago, refreshed 4 minutes ago, and its own expiration claim is
  // 5 minutes in the future: a recent refresh must not extend a session beyond the
  // absolute lifetime measured from creation, so validation fails.
  long fourMonthsMillis = 4L * 30 * 24 * 60 * 60 * 1000;
  Claims claims = createToken(user.getUuid(), NOW - fourMonthsMillis);
  claims.setExpiration(new Date(NOW + 5 * 60 * 1000));
  claims.put("lastRefreshTime", FOUR_MINUTES_AGO);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  Optional<?> result = underTest.validateToken(request, response);

  assertThat(result.isPresent()).isFalse();
}
@Test
public void validate_token_refresh_state_when_refreshing_token() {
  UserDto user = db.users().insertUser();
  addJwtCookie();
  // Token issued 10 days ago; no lastRefreshTime is set here, so whatever createToken
  // provides applies. When the session token is refreshed, the CSRF state carried in the
  // xsrfToken claim must be refreshed alongside it with the same 3 * 24 * 60 * 60 lifetime,
  // otherwise the anti-CSRF cookie and the session cookie would drift apart.
  Claims claims = createToken(user.getUuid(), TEN_DAYS_AGO);
  claims.put("xsrfToken", "CSRF_STATE");
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  underTest.validateToken(request, response);

  verify(jwtSerializer).refresh(any(Claims.class), anyInt());
  verify(jwtCsrfVerifier).refreshState(request, response, "CSRF_STATE", 3 * 24 * 60 * 60);
}
@Test
public void validate_token_verify_csrf_state() {
  UserDto user = db.users().insertUser();
  addJwtCookie();
  // Validating the session token must also hand the xsrfToken claim to the CSRF verifier,
  // bound to the request and the user's uuid — a valid JWT alone is not enough.
  Claims claims = createToken(user.getUuid(), NOW);
  claims.put("xsrfToken", CSRF_STATE);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  underTest.validateToken(request, response);

  verify(jwtCsrfVerifier).verifyState(request, CSRF_STATE, user.getUuid());
}