
/*
 * Copyright 2012 SURFnet bv, The Netherlands
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.surfnet.oaaas.it;

import com.sun.jersey.api.client.ClientResponse;
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.codehaus.jackson.map.ObjectMapper;
import org.junit.Test;
import org.surfnet.oaaas.auth.OAuth2Validator;
import org.surfnet.oaaas.model.*;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

import static org.hamcrest.core.IsNot.not;
import static org.junit.Assert.*;
import static org.junit.Assert.assertEquals;

/**
 * Test for the client credentials grant. Prerequisite is a client with id 'it-test-client-credential-grant' and secret 'some-secret-client-credential-grant' that may issue client credential grants
 */
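public class ClientCredentialGrantTestIT extends AbstractAuthorizationServerTest {

    /**
     * Charset for the form-encoded token request body and for decoding the response body. Passed explicitly
     * so the test does not depend on the JVM's platform default encoding.
     */
    private static final String CHARSET = "UTF-8";

    /*
     * The ObjectMapper from the super class expects class meta data, as it converts VerifyTokenResponse
     * instances, and that is not conform spec for AccessTokenResponses; a plain mapper is used here instead.
     */
    private final ObjectMapper mapper = new ObjectMapper();

    /**
     * Happy path: a client that is allowed the client credentials grant obtains a bearer access token, and the
     * resource server 'owning' that client can then look the token up via /v1/tokeninfo.
     *
     * @throws IOException when the token request or the JSON parsing fails
     */
    @Test
    public void clientCredentialAccessTokenHappy() throws IOException {

        InputStream responseContent = performClientCredentialTokenPost("it-test-client-credential-grant",
                "some-secret-client-credential-grant");

        // Explicit charset: IOUtils.toString(InputStream) alone would decode with the platform default.
        String content = IOUtils.toString(responseContent, CHARSET);

        AccessTokenResponse accessTokenResponse = mapper.readValue(content, AccessTokenResponse.class);
        assertNotNull(accessTokenResponse.getAccessToken());
        // NOTE(review): the fixture answers expires_in 0 here; what 0 means for the token lifetime is decided
        // server-side and is not visible in this test - confirm against the authorization server.
        assertEquals(0, accessTokenResponse.getExpiresIn());
        assertEquals(OAuth2Validator.BEARER, accessTokenResponse.getTokenType());

        // now check the actual result for a resource server (the one 'owning' the client we used) checking this access token

        final ClientResponse response = client.resource(baseUrlWith("/v1/tokeninfo"))
                .queryParam("access_token", accessTokenResponse.getAccessToken())
                .header("Authorization", authorizationBasic("it-test-resource-server", "somesecret"))
                .get(ClientResponse.class);
        assertEquals(200, response.getStatus());
        String json = response.getEntity(String.class);
        final VerifyTokenResponse verifyTokenResponse = mapper.readValue(json, VerifyTokenResponse.class);

        // The client name equals the principal name as we did not authenticate with the AbstractAuthenticator
        assertEquals("it-test-client-credential-grant", verifyTokenResponse.getPrincipal().getName());
    }

    /**
     * A client that is not allowed the client credentials grant must be refused with the OAuth2
     * {@code unauthorized_client} error.
     *
     * @throws IOException when the token request or the JSON parsing fails
     */
    @Test
    public void clientCredentialAccessTokenWithClientNotAllowed() throws IOException {
        InputStream responseContent = performClientCredentialTokenPost("it-test-client-grant", "somesecret-grant");

        // Unbounded wildcard instead of a raw Map: the JSON keys are only ever read as strings here.
        Map<?, ?> response = mapper.readValue(responseContent, HashMap.class);
        assertEquals("unauthorized_client", response.get("error"));
        // "permisssion" is spelled exactly as the server emits it; the assertion matches that text verbatim.
        assertEquals("The client has no permisssion for client credentials", response.get("error_description"));
    }

    /**
     * Posts a client credentials grant request to the token endpoint, authenticating with HTTP Basic.
     * The response body is read completely before the HTTP client is shut down, so the returned stream is
     * independent of the underlying connection and the client does not leak.
     *
     * @param username client id, sent as the Basic username
     * @param password client secret, sent as the Basic password
     * @return the complete response body as an in-memory stream (empty when the response carries no entity)
     * @throws IOException on transport errors
     */
    private InputStream performClientCredentialTokenPost(String username, String password) throws IOException {
        String tokenUrl = String.format("%s/oauth2/token", baseUrl());
        final HttpPost tokenRequest = new HttpPost(tokenUrl);
        String postBody = String.format("grant_type=%s", OAuth2Validator.GRANT_TYPE_CLIENT_CREDENTIALS);

        // Explicit charset rather than String#getBytes(), which uses the platform default.
        tokenRequest.setEntity(new ByteArrayEntity(postBody.getBytes(CHARSET)));
        tokenRequest.addHeader("Authorization", authorizationBasic(username, password));
        tokenRequest.addHeader("Content-Type", "application/x-www-form-urlencoded");

        DefaultHttpClient httpClient = new DefaultHttpClient();
        try {
            HttpResponse tokenHttpResponse = httpClient.execute(tokenRequest);
            if (tokenHttpResponse.getEntity() == null) {
                return new ByteArrayInputStream(new byte[0]);
            }
            // Drain the entity now: after the connection manager is shut down the original stream is unusable.
            byte[] body = IOUtils.toByteArray(tokenHttpResponse.getEntity().getContent());
            return new ByteArrayInputStream(body);
        } finally {
            httpClient.getConnectionManager().shutdown();
        }
    }

}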