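/**
 * Checks that an RS256 token signed with the keystore's "trellis" private key is accepted by an
 * authenticator built from the public key of the "trellis-public" certificate, and that the
 * resulting principal name equals the token subject.
 *
 * @throws Exception if the keystore cannot be read or the private key cannot be recovered
 */
@Test
public void testAuthenticateKeystoreRSA() throws Exception {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final char[] password = "password".toCharArray();

    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // try-with-resources so the classpath stream is closed once the keystore is loaded.
    try (java.io.InputStream in = getClass().getResourceAsStream("/keystore.jks")) {
        // KeyStore.load(null, ...) silently initialises an empty store; fail on a missing fixture instead.
        if (in == null) {
            throw new IllegalStateException("Test keystore /keystore.jks not found on the classpath");
        }
        ks.load(in, password);
    }

    // Sign with the private entry, verify with the public key taken from a separate certificate entry.
    final Key privateKey = ks.getKey("trellis", password);
    final String token = Jwts.builder().setSubject(webid)
        .signWith(privateKey, SignatureAlgorithm.RS256).compact();

    final Authenticator authenticator = new JwtAuthenticator(
            ks.getCertificate("trellis-public").getPublicKey());

    final Optional<Principal> result = authenticator.authenticate(token);
    assertTrue(result.isPresent(), "Missing principal!");
    result.ifPresent(principal -> assertEquals(webid, principal.getName(), "Incorrect webid!"));
}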
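/**
 * Checks that an ES256 token signed with the keystore's "trellis-ec" private key is accepted by
 * an authenticator built from the public key of the "trellis-ec" certificate, and that the
 * resulting principal name equals the token subject.
 *
 * @throws Exception if the keystore cannot be read or the private key cannot be recovered
 */
@Test
public void testAuthenticateKeystoreEC() throws Exception {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final char[] password = "password".toCharArray();

    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // try-with-resources so the classpath stream is closed once the keystore is loaded.
    try (java.io.InputStream in = getClass().getResourceAsStream("/keystore.jks")) {
        // KeyStore.load(null, ...) silently initialises an empty store; fail on a missing fixture instead.
        if (in == null) {
            throw new IllegalStateException("Test keystore /keystore.jks not found on the classpath");
        }
        ks.load(in, password);
    }

    final Key privateKey = ks.getKey("trellis-ec", password);
    final String token = Jwts.builder().setSubject(webid)
        .signWith(privateKey, SignatureAlgorithm.ES256).compact();

    final Authenticator authenticator = new JwtAuthenticator(
            ks.getCertificate("trellis-ec").getPublicKey());

    final Optional<Principal> result = authenticator.authenticate(token);
    assertTrue(result.isPresent(), "Missing principal!");
    result.ifPresent(principal -> assertEquals(webid, principal.getName(), "Incorrect webid!"));
}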
/**
 * Verifies a pre-built HS512 token with the matching HMAC key and expects the principal name to
 * be the token's "webid" claim.
 *
 * <p>The token payload decodes to webid, sub ("acoburn"), name and iss claims; the assertion
 * pins that the webid value, not sub/iss, becomes the principal name.
 */
@Test
public void testAuthenticationTokenWebid() {
    // Fixture secret for this test only; it is Base64 text and is decoded before use.
    final String encodedSecret =
        "N0NuokWWb5XjMP+V3XLfyLkaSArwxNm17VeAvv7+y4+Y/DmxBLenvwOPO404lfl6UfyyEGgQ02ETDEPRMwV/+Q==";
    final String jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ3ZWJpZCI6Imh0dHBzOi8vcGVvcGxlLmFwYWNoZS5vcmcvfm"
        + "Fjb2J1cm4vI2kiLCJzdWIiOiJhY29idXJuIiwibmFtZSI6IkFhcm9uIENvYnVybiIsImlzcyI6Imh0dHA6Ly9leGFtcGxlLm9yZy8ifQ"
        + ".kIHJDSzaisxfIF5fQou2e9rBInsDsl0vZ4QQ60zlZlSufm9nnmC7eL-875WPsVGzPAfptF6MrImrpFeNxdW9ZQ";

    final byte[] secret = Base64.getDecoder().decode(encodedSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent ->
        assertEquals("https://people.apache.org/~acoburn/#i", agent.getName(), "Incorrect webid!"));
}
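/**
 * Checks that an RS256 token signed with the keystore's "trellis" private key is accepted by an
 * authenticator built from the public key of the certificate stored under the same "trellis"
 * alias, and that the resulting principal name equals the token subject.
 *
 * @throws Exception if the keystore cannot be read or the private key cannot be recovered
 */
@Test
public void testAuthenticateKeystore() throws Exception {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final char[] password = "password".toCharArray();

    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // try-with-resources so the classpath stream is closed once the keystore is loaded.
    try (java.io.InputStream in = getClass().getResourceAsStream("/keystore.jks")) {
        // KeyStore.load(null, ...) silently initialises an empty store; fail on a missing fixture instead.
        if (in == null) {
            throw new IllegalStateException("Test keystore /keystore.jks not found on the classpath");
        }
        ks.load(in, password);
    }

    final Key privateKey = ks.getKey("trellis", password);
    final String token = Jwts.builder().setSubject(webid)
        .signWith(privateKey, SignatureAlgorithm.RS256).compact();

    final Authenticator authenticator = new JwtAuthenticator(
            ks.getCertificate("trellis").getPublicKey());

    final Optional<Principal> result = authenticator.authenticate(token);
    assertTrue(result.isPresent(), "Missing principal!");
    result.ifPresent(principal -> assertEquals(webid, principal.getName(), "Incorrect webid!"));
}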
/**
 * Verifies a pre-built HS512 token whose only claim is a "sub" holding a full IRI, and expects
 * that IRI to be returned as the principal name.
 */
@Test
public void testAuthenticateToken() {
    // Fixture secret for this test only; it is Base64 text and is decoded before use.
    final String encodedSecret =
        "N0NuokWWb5XjMP+V3XLfyLkaSArwxNm17VeAvv7+y4+Y/DmxBLenvwOPO404lfl6UfyyEGgQ02ETDEPRMwV/+Q==";
    final String jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL3Blb3BsZS5hcGFjaGUub3JnL35"
        + "hY29idXJuLyNpIn0.n-C7xhjVyn3WEWGfSXfuqrjXVSoAnD08sO5K8mDsBiZF6Z8lwiksGos6lR-6RjD5jI25d1yPJ47LKBWqMlMm_A";

    final byte[] secret = Base64.getDecoder().decode(encodedSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent ->
        assertEquals("https://people.apache.org/~acoburn/#i", agent.getName(), "Incorrect webid!"));
}
/**
 * Verifies a pre-built HS512 token that carries sub ("acoburn"), name and iss
 * ("http://example.org/") claims but no webid, and expects the principal name to be the issuer
 * followed by the subject.
 */
@Test
public void testAuthenticateTokenIssSub() {
    // Fixture secret for this test only; it is Base64 text and is decoded before use.
    final String encodedSecret =
        "N0NuokWWb5XjMP+V3XLfyLkaSArwxNm17VeAvv7+y4+Y/DmxBLenvwOPO404lfl6UfyyEGgQ02ETDEPRMwV/+Q==";
    final String jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhY29idXJuIiwibmFtZSI6IkFhcm9uIENvYnVyb"
        + "iIsImlzcyI6Imh0dHA6Ly9leGFtcGxlLm9yZy8ifQ.4Srityp5iPScGyqvkPakD3DmtXYWhkyHjr0K6B7kpcR2ll8MC-hGpYoIDM8ar"
        + "ro3dyZQp0kDhPfYZ6MiAGfGTQ";

    final byte[] secret = Base64.getDecoder().decode(encodedSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent ->
        assertEquals("http://example.org/acoburn", agent.getName(), "Incorrect webid!"));
}
/**
 * Verifies a pre-built HS512 token that carries only sub ("acoburn") and name claims, and
 * expects authentication to return an empty result rather than a principal.
 */
@Test
public void testAuthenticationNoPrincipal() {
    // Fixture secret for this test only; it is Base64 text and is decoded before use.
    final String encodedSecret =
        "w8+z9hrcbr3ktQ5WTr9xNZknke3L/RAj8r8RieriWozGu1M4RDgkpJcfTEg90pqYyadbIBLy+qFHu1JJ8O0rjw==";
    final String jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhY29idXJuIiwibmFtZSI6IkFhcm9"
        + "uIENvYnVybiJ9.srs7gSbix8nLDuFmwYCEN0In-5pa6-59D5nqF1UgRD-hsJBS2UoieYoBJZNGGKj1hO1DaboqtuS_36bE9QGdCw";

    final byte[] secret = Base64.getDecoder().decode(encodedSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    // A bare subject with neither a webid nor an issuer must not produce an identity.
    assertFalse(principal.isPresent(), "Unexpected principal!");
}
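/**
 * Checks that an ES256 token with subject "acoburn" and a "website" claim is accepted, and that
 * the principal name is taken from the "website" claim rather than from the subject.
 *
 * @throws Exception if the keystore cannot be read or the private key cannot be recovered
 */
@Test
public void testAuthenticateKeystoreECWebsite() throws Exception {
    final String website = "https://people.apache.org/~acoburn/#i";
    final char[] password = "password".toCharArray();

    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // try-with-resources so the classpath stream is closed once the keystore is loaded.
    try (java.io.InputStream in = getClass().getResourceAsStream("/keystore.jks")) {
        // KeyStore.load(null, ...) silently initialises an empty store; fail on a missing fixture instead.
        if (in == null) {
            throw new IllegalStateException("Test keystore /keystore.jks not found on the classpath");
        }
        ks.load(in, password);
    }

    final Key privateKey = ks.getKey("trellis-ec", password);
    final String token = Jwts.builder().setSubject("acoburn")
        .claim("website", website)
        .signWith(privateKey, SignatureAlgorithm.ES256).compact();

    final Authenticator authenticator = new JwtAuthenticator(
            ks.getCertificate("trellis-ec").getPublicKey());

    final Optional<Principal> result = authenticator.authenticate(token);
    assertTrue(result.isPresent(), "Missing principal!");
    result.ifPresent(principal -> assertEquals(website, principal.getName(), "Incorrect webid!"));
}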
/**
 * Presents a pre-built HS512 token to an authenticator configured with a different HMAC key and
 * expects verification to fail with a {@code SecurityException} instead of yielding a principal.
 */
@Test
public void testAuthenticationTokenWebidBadKey() {
    // Fixture secret that does NOT match the key the token below was signed with.
    final String wrongSecret =
        "2YuUlb+t36yVzrTkYLl8xBlBJSC41CE7uNF3somMDxdYDfcACv9JYIU54z17s4Ah313uKu/4Ll+vDNKpxx6v4Q==";
    final String jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ3ZWJpZCI6Imh0dHBzOi8vcGVvcGxlLmFwYWNoZS5vcmcvfm"
        + "Fjb2J1cm4vI2kiLCJzdWIiOiJhY29idXJuIiwibmFtZSI6IkFhcm9uIENvYnVybiIsImlzcyI6Imh0dHA6Ly9leGFtcGxlLm9yZy8ifQ"
        + ".kIHJDSzaisxfIF5fQou2e9rBInsDsl0vZ4QQ60zlZlSufm9nnmC7eL-875WPsVGzPAfptF6MrImrpFeNxdW9ZQ";

    final byte[] secret = Base64.getDecoder().decode(wrongSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    // The failure has to surface as an exception; an empty Optional would not satisfy this test.
    assertThrows(SecurityException.class, () -> authenticator.authenticate(jwt), "Parsed bad JWT!");
}
/**
 * Feeds a string that is not a JWT at all ("blahblah") to the authenticator and expects a
 * {@code MalformedJwtException}.
 */
@Test
public void testGarbledToken() {
    // Fixture secret for this test only; it is Base64 text and is decoded before use.
    final String encodedSecret = "thj983z1fiqAiaV7Nv4nWpjaDi6eVTd7jOGxbs92mp8=";
    final String notAJwt = "blahblah";

    final byte[] secret = Base64.getDecoder().decode(encodedSecret);
    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(secret));

    assertThrows(MalformedJwtException.class, () -> authenticator.authenticate(notAJwt), "Parsed bad JWT!");
}
}
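/**
 * Sends a bearer token signed with one HMAC key through a filter whose authenticator holds a
 * key that differs in its first character, and expects the request to be rejected with
 * {@code NotAuthorizedException}.
 *
 * @throws Exception declared for the filter call; not expected to escape {@code assertThrows}
 */
@Test
public void testFilterInvalidAuth() throws Exception {
    // The key text is used as raw UTF-8 bytes here (it is not Base64-decoded).
    final String key = "BdEaIIfv67jl8mRL+/vnuf3RzfVfpkxtel8icx2B8uSudOcwVXr7zpwj92UtKCOkVGi2FaE+O4q55P3p7UE7Eg==";
    final String token = Jwts.builder().setSubject(WEBID1).signWith(hmacShaKeyFor(key.getBytes(UTF_8))).compact();
    when(mockContext.getHeaderString(AUTHORIZATION)).thenReturn("Bearer " + token);

    // Derive the verification key with the same explicit charset as the signing key, so the two
    // differ only by the deliberate "B" -> "A" substitution and not by the platform default charset.
    final String tamperedKey = key.replaceFirst("B", "A");
    final OAuthFilter filter = new OAuthFilter(new JwtAuthenticator(hmacShaKeyFor(tamperedKey.getBytes(UTF_8))));

    assertThrows(NotAuthorizedException.class, () -> filter.filter(mockContext));
}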
/**
 * Signs a token with a freshly generated ES256 key pair and expects the authenticator, given
 * only the public half, to return the token subject as the principal name.
 */
@Test
public void testAuthenticateEC() {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final KeyPair pair = EllipticCurveProvider.generateKeyPair(SignatureAlgorithm.ES256);

    // Private key signs; the authenticator only ever sees the public key.
    final String jwt = Jwts.builder().setSubject(webid)
        .signWith(pair.getPrivate(), SignatureAlgorithm.ES256).compact();
    final Authenticator authenticator = new JwtAuthenticator(pair.getPublic());

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent -> assertEquals(webid, agent.getName(), "Incorrect webid!"));
}
/**
 * Signs a token with a freshly generated RSA key pair (RS256) and expects the authenticator,
 * given only the public half, to return the token subject as the principal name.
 */
@Test
public void testAuthenticateRSA() {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final KeyPair pair = RsaProvider.generateKeyPair();

    // Private key signs; the authenticator only ever sees the public key.
    final String jwt = Jwts.builder().setSubject(webid)
        .signWith(pair.getPrivate(), SignatureAlgorithm.RS256).compact();
    final Authenticator authenticator = new JwtAuthenticator(pair.getPublic());

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent -> assertEquals(webid, agent.getName(), "Incorrect webid!"));
}
/**
 * Sends a correctly signed bearer token whose expiration lies 10 seconds in the past and
 * expects the filter to reject it with {@code NotAuthorizedException}.
 *
 * @throws Exception declared for the filter call; not expected to escape {@code assertThrows}
 */
@Test
public void testFilterExpiredJwt() throws Exception {
    final Key signingKey = secretKeyFor(SignatureAlgorithm.HS512);

    // The signature is valid; only the exp claim makes this token unacceptable.
    final String expiredJwt = Jwts.builder()
        .claim("webid", WEBID1)
        .setExpiration(from(now().minusSeconds(10)))
        .signWith(signingKey)
        .compact();
    when(mockContext.getHeaderString(AUTHORIZATION)).thenReturn("Bearer " + expiredJwt);

    final OAuthFilter oauthFilter = new OAuthFilter(new JwtAuthenticator(signingKey));

    assertThrows(NotAuthorizedException.class, () -> oauthFilter.filter(mockContext));
}
/**
 * Runs a validly signed bearer token (subject WEBID1) through the filter on a locally created
 * request-context mock and inspects the security context the filter installs.
 *
 * @throws Exception if the filter rejects the request
 */
@Test
public void testFilterAuth() throws Exception {
    final Key signingKey = secretKeyFor(SignatureAlgorithm.HS512);
    final String jwt = Jwts.builder().setSubject(WEBID1).signWith(signingKey).compact();

    final ContainerRequestContext requestContext = mock(ContainerRequestContext.class);
    when(requestContext.getSecurityContext()).thenReturn(mockSecurityContext);
    when(requestContext.getHeaderString(AUTHORIZATION)).thenReturn("Bearer " + jwt);

    final OAuthFilter oauthFilter = new OAuthFilter(new JwtAuthenticator(signingKey));
    oauthFilter.filter(requestContext);

    // Capture the replacement security context and check each property the filter is expected to set.
    verify(requestContext).setSecurityContext(securityArgument.capture());
    assertEquals(WEBID1, securityArgument.getValue().getUserPrincipal().getName(),
        "Unexpected agent IRI!");
    assertEquals(OAuthFilter.SCHEME, securityArgument.getValue().getAuthenticationScheme(),
        "Unexpected scheme!");
    assertFalse(securityArgument.getValue().isSecure(), "Unexpected secure flag!");
    // NOTE(review): this pins isUserInRole() answering true for an arbitrary role name; if it does so
    // for every role, role checks on this context carry no authorization meaning - confirm intended.
    assertTrue(securityArgument.getValue().isUserInRole("some role"), "Not in user role!");
}
/**
 * Runs a validly signed bearer token that carries a "webid" claim (WEBID2) through the filter
 * and inspects the security context the filter installs on the shared request-context mock.
 *
 * @throws Exception if the filter rejects the request
 */
@Test
public void testFilterWebid() throws Exception {
    final Key signingKey = secretKeyFor(SignatureAlgorithm.HS512);
    final String jwt = Jwts.builder().claim("webid", WEBID2).signWith(signingKey).compact();
    when(mockContext.getHeaderString(AUTHORIZATION)).thenReturn("Bearer " + jwt);

    final OAuthFilter oauthFilter = new OAuthFilter(new JwtAuthenticator(signingKey));
    oauthFilter.filter(mockContext);

    // Capture the replacement security context and check each property the filter is expected to set.
    verify(mockContext).setSecurityContext(securityArgument.capture());
    assertEquals(WEBID2, securityArgument.getValue().getUserPrincipal().getName(),
        "Unexpected agent IRI!");
    assertEquals(OAuthFilter.SCHEME, securityArgument.getValue().getAuthenticationScheme(),
        "Unexpected scheme!");
    assertFalse(securityArgument.getValue().isSecure(), "Unexpected secure flag!");
    // NOTE(review): this pins isUserInRole() answering true for an arbitrary role name; if it does so
    // for every role, role checks on this context carry no authorization meaning - confirm intended.
    assertTrue(securityArgument.getValue().isUserInRole("some role"), "Not in user role!");
}
/**
 * Signs a token with a generated HS256 secret and expects the authenticator holding the same
 * secret to return the token subject as the principal name.
 */
@Test
public void testAuthenticate() {
    final String webid = "https://people.apache.org/~acoburn/#i";
    final Key sharedSecret = secretKeyFor(SignatureAlgorithm.HS256);

    final String jwt = Jwts.builder().setSubject(webid)
        .signWith(sharedSecret).compact();
    final Authenticator authenticator = new JwtAuthenticator(sharedSecret);

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent -> assertEquals(webid, agent.getName(), "Incorrect webid!"));
}
/**
 * Signs a token with subject "acoburn" and issuer "http://localhost" and expects the principal
 * name to be "http://localhost/acoburn".
 */
@Test
public void testAuthenticateSubIss() {
    final Key sharedSecret = secretKeyFor(SignatureAlgorithm.HS512);

    final String jwt = Jwts.builder()
        .setSubject("acoburn")
        .setIssuer("http://localhost")
        .signWith(sharedSecret)
        .compact();
    final Authenticator authenticator = new JwtAuthenticator(sharedSecret);

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    assertTrue(principal.isPresent(), "Missing principal!");
    principal.ifPresent(agent ->
        assertEquals("http://localhost/acoburn", agent.getName(), "Incorrect webid!"));
}
/**
 * Signs a token that has an issuer but no subject and expects authentication to return an
 * empty result.
 */
@Test
public void testAuthenticateNoSub() {
    final Key sharedSecret = secretKeyFor(SignatureAlgorithm.HS384);

    final String jwt = Jwts.builder()
        .setIssuer("http://localhost")
        .signWith(sharedSecret)
        .compact();
    final Authenticator authenticator = new JwtAuthenticator(sharedSecret);

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    // A valid signature alone must not produce an identity when no subject is present.
    assertFalse(principal.isPresent(), "Unexpected principal!");
}
/**
 * Signs a token with subject "acoburn" and issuer "some org" and expects authentication to
 * return an empty result.
 */
@Test
public void testAuthenticateSubNoWebIss() {
    final Key sharedSecret = secretKeyFor(SignatureAlgorithm.HS512);

    final String jwt = Jwts.builder()
        .setSubject("acoburn")
        .setIssuer("some org")
        .signWith(sharedSecret)
        .compact();
    final Authenticator authenticator = new JwtAuthenticator(sharedSecret);

    final Optional<Principal> principal = authenticator.authenticate(jwt);

    // Presumably rejected because the issuer is not a web (http/https) IRI - confirm against JwtAuthenticator.
    assertFalse(principal.isPresent(), "Unexpected principal!");
}