Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.nifi.web.security.jwt; import io.jsonwebtoken.JwtException; import org.apache.commons.codec.CharEncoding; import org.apache.commons.codec.binary.Base64; import org.apache.nifi.admin.service.AdministrationException; import org.apache.nifi.admin.service.KeyService; import org.apache.nifi.key.Key; import org.apache.nifi.web.security.token.LoginAuthenticationToken; import org.codehaus.jettison.json.JSONObject; import org.junit.After; import org.junit.Before; import org.junit.Ignore; import org.junit.Test; import org.mockito.Mockito; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.LinkedHashMap; import java.util.Map; import static org.junit.Assert.assertEquals; import static org.junit.Assert.fail; import static org.mockito.Matchers.anyInt; import static org.mockito.Matchers.anyString; import static org.mockito.Mockito.when; public class JwtServiceTest { private static final Logger logger = LoggerFactory.getLogger(JwtServiceTest.class); /** * These constant strings were generated using the tool at http://jwt.io */ private static final String VALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRl" + "ciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZ" + "XJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoxLCJleHAiOjI0NDc4MDg3NjEsIm" + "lhdCI6MTQ0NzgwODcwMX0.r6aGZ6FNNYMOpcXW8BK2VYaQeX1uO0Aw1KJfjB3Q1DU"; // This token has an empty subject field private static final String INVALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZG" + "VudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvI" + "iwia2lkIjoxLCJleHAiOjI0NDc4MDg3NjEsImlhdCI6MTQ0NzgwODcwMX0" + ".x_1p2M6E0vwWHWMujIUnSL3GkFoDqqICllRxo2SMNaw"; private static final String VALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZC" + "I6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJl" + "c3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9"; // This token has an empty subject field private static final String INVALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVu" + "dGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoi" + "YWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9"; // Algorithm field is "none" private static final String VALID_MALSIGNED_TOKEN = "eyJhbGciOiJub25lIn0" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZC" + "I6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJl" + "c3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9" + ".mPO_wMNMl_zjMNevhNvUoXbSJ9Kx6jAe5OxDIAzKQbI"; // Algorithm field is "none" and no signature is present private static final String VALID_MALSIGNED_NO_SIG_TOKEN = "eyJhbGciOiJub25lIn0" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY" + "2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIj" + "oiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9."; // This token has an empty subject field private static final String INVALID_MALSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVud" + "Gl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYW" + "xvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.WAwmUY4KHKV2oARNodkqDkbZsfRXGZfD2Ccy64GX9QF"; // This token is signed but expired private static final String EXPIRED_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik" + "1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvc" + "HJlc3RvIiwia2lkIjoxLCJleHAiOjE0NDc4MDg3NjEsImlhdCI6MTQ0NzgwODcw" + "MX0.ZPDIhNKuL89vTGXcuztOYaGifwcrQy_gid4j8Sspmto"; // Subject is "mgilman" but signed with "alopresto" key private static final String IMPOSTER_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiJtZ2lsbWFuIiwiaXNzIjoiTW9ja0lkZW50aXR5UHJvdmlkZXIiLCJ" + "hdWQiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI" + "6ImFsb3ByZXN0byIsImtpZCI6MSwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc" + "4MDg3MDF9.aw5OAvLTnb_sHmSQOQzW-A7NImiZgXJ2ngbbNL2Ymkc"; // Issuer field is set to unknown provider private static final String UNKNOWN_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJVbmtub3duSWRlbnRpdHlQcm92aWRlciIsIm" + "F1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxv" + "cHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9" + ".SAd9tyNwSaijWet9wvAWSNmpxmPSK4XQuLx7h3ARqBo"; // Issuer field is absent private static final String NO_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9" + ".eyJzdWIiOiJhbG9wcmVzdG8iLCJhdWQiOiJNb2NrSWRlbnRpdHlQcm92a" + "WRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0byIsImtpZCI" + "6MSwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.6kDjDanA" + "g0NQDb3C8FmgbBAYDoIfMAEkF4WMVALsbJA"; private static final String DEFAULT_HEADER = "{\"alg\":\"HS256\"}"; private static final String DEFAULT_IDENTITY = "alopresto"; private static final String TOKEN_DELIMITER = "."; private static final String HMAC_SECRET = "test_hmac_shared_secret"; private KeyService mockKeyService; // Class under test private JwtService jwtService; private String generateHS256Token(String rawHeader, String rawPayload, boolean isValid, boolean isSigned) { return generateHS256Token(rawHeader, rawPayload, HMAC_SECRET, isValid, isSigned); } private String generateHS256Token(String rawHeader, String rawPayload, String hmacSecret, boolean isValid, boolean isSigned) { try { logger.info("Generating token for " + rawHeader + " + " + rawPayload); String base64Header = Base64.encodeBase64URLSafeString(rawHeader.getBytes(CharEncoding.UTF_8)); String base64Payload = Base64.encodeBase64URLSafeString(rawPayload.getBytes(CharEncoding.UTF_8)); // TODO: Support valid/invalid manipulation final String body = base64Header + TOKEN_DELIMITER + base64Payload; String signature = generateHMAC(hmacSecret, body); return body + TOKEN_DELIMITER + signature; } catch (NoSuchAlgorithmException | InvalidKeyException | UnsupportedEncodingException e) { final String errorMessage = "Could not generate the token"; logger.error(errorMessage, e); fail(errorMessage); return null; } } private String generateHMAC(String hmacSecret, String body) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeyException { Mac hmacSHA256 = Mac.getInstance("HmacSHA256"); SecretKeySpec secret_key = new SecretKeySpec(hmacSecret.getBytes("UTF-8"), "HmacSHA256"); hmacSHA256.init(secret_key); return Base64.encodeBase64URLSafeString(hmacSHA256.doFinal(body.getBytes("UTF-8"))); } @Before public void setUp() throws Exception { final Key key = new Key(); key.setId(1); key.setIdentity(DEFAULT_IDENTITY); key.setKey(HMAC_SECRET); mockKeyService = Mockito.mock(KeyService.class); when(mockKeyService.getKey(anyInt())).thenReturn(key); when(mockKeyService.getOrCreateKey(anyString())).thenReturn(key); jwtService = new JwtService(mockKeyService); } @After public void tearDown() throws Exception { } @Test public void testShouldGetAuthenticationForValidToken() throws Exception { // Arrange String token = VALID_SIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert assertEquals("Identity", DEFAULT_IDENTITY, identity); } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForInvalidToken() throws Exception { // Arrange String token = INVALID_SIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForEmptyToken() throws Exception { // Arrange String token = ""; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForUnsignedToken() throws Exception { // Arrange String token = VALID_UNSIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForMalsignedToken() throws Exception { // Arrange String token = VALID_MALSIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForTokenWithWrongAlgorithm() throws Exception { // Arrange String token = VALID_MALSIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForTokenWithWrongAlgorithmAndNoSignature() throws Exception { // Arrange String token = VALID_MALSIGNED_NO_SIG_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Ignore("Not yet implemented") @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForTokenFromUnknownIdentityProvider() throws Exception { // Arrange String token = UNKNOWN_ISSUER_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForTokenFromEmptyIdentityProvider() throws Exception { // Arrange String token = NO_ISSUER_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForExpiredToken() throws Exception { // Arrange String token = EXPIRED_SIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test(expected = JwtException.class) public void testShouldNotGetAuthenticationForImposterToken() throws Exception { // Arrange String token = IMPOSTER_SIGNED_TOKEN; // Act String identity = jwtService.getAuthenticationFromToken(token); logger.debug("Extracted identity: " + identity); // Assert // Should fail } @Test public void testShouldGenerateSignedToken() throws Exception { // Arrange // Token expires in 60 seconds final int EXPIRATION_MILLIS = 60000; LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto", EXPIRATION_MILLIS, "MockIdentityProvider"); logger.debug("Generating token for " + loginAuthenticationToken); final String EXPECTED_HEADER = DEFAULT_HEADER; // Convert the expiration time from ms to s final long TOKEN_EXPIRATION_SEC = (long) (loginAuthenticationToken.getExpiration() / 1000.0); // Act String token = jwtService.generateSignedToken(loginAuthenticationToken); logger.debug("Generated JWT: " + token); // Run after the SUT generates the token to ensure the same issued at time // Split the token, decode the middle section, and form a new String final String DECODED_PAYLOAD = new String(Base64.decodeBase64(token.split("\\.")[1].getBytes())); final long ISSUED_AT_SEC = Long.valueOf( DECODED_PAYLOAD.substring(DECODED_PAYLOAD.lastIndexOf(":") + 1, DECODED_PAYLOAD.length() - 1)); logger.trace("Actual token was issued at " + ISSUED_AT_SEC); // Always use LinkedHashMap to enforce order of the keys because the signature depends on order Map<String, Object> claims = new LinkedHashMap<>(); claims.put("sub", "alopresto"); claims.put("iss", "MockIdentityProvider"); claims.put("aud", "MockIdentityProvider"); claims.put("preferred_username", "alopresto"); claims.put("kid", 1); claims.put("exp", TOKEN_EXPIRATION_SEC); claims.put("iat", ISSUED_AT_SEC); logger.trace("JSON Object to String: " + new JSONObject(claims).toString()); final String EXPECTED_PAYLOAD = new JSONObject(claims).toString(); final String EXPECTED_TOKEN_STRING = generateHS256Token(EXPECTED_HEADER, EXPECTED_PAYLOAD, true, true); logger.debug("Expected JWT: " + EXPECTED_TOKEN_STRING); // Assert assertEquals("JWT token", EXPECTED_TOKEN_STRING, token); } @Test(expected = IllegalArgumentException.class) public void testShouldNotGenerateTokenWithNullAuthenticationToken() throws Exception { // Arrange LoginAuthenticationToken nullLoginAuthenticationToken = null; logger.debug("Generating token for " + nullLoginAuthenticationToken); // Act jwtService.generateSignedToken(nullLoginAuthenticationToken); // Assert // Should throw exception } @Test(expected = JwtException.class) public void testShouldNotGenerateTokenWithEmptyIdentity() throws Exception { // Arrange final int EXPIRATION_MILLIS = 60000; LoginAuthenticationToken emptyIdentityLoginAuthenticationToken = new LoginAuthenticationToken("", EXPIRATION_MILLIS, "MockIdentityProvider"); logger.debug("Generating token for " + emptyIdentityLoginAuthenticationToken); // Act jwtService.generateSignedToken(emptyIdentityLoginAuthenticationToken); // Assert // Should throw exception } @Test(expected = JwtException.class) public void testShouldNotGenerateTokenWithNullIdentity() throws Exception { // Arrange final int EXPIRATION_MILLIS = 60000; LoginAuthenticationToken nullIdentityLoginAuthenticationToken = new LoginAuthenticationToken(null, EXPIRATION_MILLIS, "MockIdentityProvider"); logger.debug("Generating token for " + nullIdentityLoginAuthenticationToken); // Act jwtService.generateSignedToken(nullIdentityLoginAuthenticationToken); // Assert // Should throw exception } @Test(expected = JwtException.class) public void testShouldNotGenerateTokenWithMissingKey() throws Exception { // Arrange final int EXPIRATION_MILLIS = 60000; LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto", EXPIRATION_MILLIS, "MockIdentityProvider"); logger.debug("Generating token for " + loginAuthenticationToken); // Set up the bad key service KeyService missingKeyService = Mockito.mock(KeyService.class); when(missingKeyService.getOrCreateKey(anyString())) .thenThrow(new AdministrationException("Could not find a " + "key for that user")); jwtService = new JwtService(missingKeyService); // Act jwtService.generateSignedToken(loginAuthenticationToken); // Assert // Should throw exception } }