cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf] 01/10: Make sure that the OAuth authenticate principal name matches the client_id (if specified)
Date Mon, 16 Sep 2019 12:20:22 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 337609d81a9f53e7680cb79d9ab733a79f4cd769
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Wed Sep 11 00:43:48 2019 +0100

    Make sure that the OAuth authenticate principal name matches the client_id (if specified)
---
 .../oauth2/services/AbstractTokenService.java      |  25 +++--
 .../grants/AuthorizationGrantNegativeTest.java     | 123 +++++++++++++++++++++
 .../oauth2/grants/AuthorizationGrantTest.java      |   4 +-
 3 files changed, 138 insertions(+), 14 deletions(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index a5e82a2..8e32cca 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -56,8 +56,8 @@ public class AbstractTokenService extends AbstractOAuthService {
         SecurityContext sc = getMessageContext().getSecurityContext();
         Principal principal = sc.getUserPrincipal();
 
+        String clientId = retrieveClientId(params);
         if (principal == null) {
-            String clientId = retrieveClientId(params);
             if (clientId != null) {
                 String clientSecret = params.getFirst(OAuthConstants.CLIENT_SECRET);
                 if (clientSecret != null) {
@@ -77,11 +77,12 @@ public class AbstractTokenService extends AbstractOAuthService {
                 }
             }
         } else {
-            String clientId = retrieveClientId(params);
             if (clientId != null) {
-                if (clientId.equals(principal.getName())) {
-                    client = (Client)getMessageContext().get(Client.class.getName());
+                if (!clientId.equals(principal.getName())) {
+                    reportInvalidClient();
                 }
+
+                client = (Client)getMessageContext().get(Client.class.getName());
                 if (client == null) {
                     client = getClient(clientId, params);
                 }
@@ -108,7 +109,7 @@ public class AbstractTokenService extends AbstractOAuthService {
             reportInvalidClient(new OAuthError(OAuthConstants.UNAUTHORIZED_CLIENT));
         }
     }
-    
+
     protected String retrieveClientId(MultivaluedMap<String, String> params) {
         String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
         if (clientId == null) {
@@ -164,14 +165,14 @@ public class AbstractTokenService extends AbstractOAuthService {
             reportInvalidClient();
         }
         X509Certificate cert = OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
-        
-        if (subjectDn != null 
+
+        if (subjectDn != null
             && !subjectDn.equals(OAuthUtils.getSubjectDnFromTLSCertificates(cert)))
{
             LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS certificate");
             reportInvalidClient();
         }
         String issuerDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
-        if (issuerDn != null 
+        if (issuerDn != null
             && !issuerDn.equals(OAuthUtils.getIssuerDnFromTLSCertificates(cert)))
{
             LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS certificate");
             reportInvalidClient();
@@ -187,7 +188,7 @@ public class AbstractTokenService extends AbstractOAuthService {
         return (TLSSessionInfo)getMessageContext().get(TLSSessionInfo.class.getName());
     }
 
-    
+
     protected Client getClientFromTLSCertificates(SecurityContext sc,
                                                   TLSSessionInfo tlsSessionInfo,
                                                   MultivaluedMap<String, String> params)
{
@@ -206,11 +207,11 @@ public class AbstractTokenService extends AbstractOAuthService {
         }
         return client;
     }
-    
+
     protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
                                           List<String> base64EncodedCerts) {
         if (!OAuthUtils.compareTlsCertificates(tlsInfo, base64EncodedCerts)) {
-            reportInvalidClient();    
+            reportInvalidClient();
         }
     }
 
@@ -244,7 +245,7 @@ public class AbstractTokenService extends AbstractOAuthService {
     protected Client getClient(String clientId, MultivaluedMap<String, String> params)
{
         return getClient(clientId, params.getFirst(OAuthConstants.CLIENT_SECRET), params);
     }
-    
+
     protected Client getClient(String clientId, String clientSecret, MultivaluedMap<String,
String> params) {
         if (clientId == null) {
             reportInvalidRequestError("Client ID is null");
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
index f854e09..8bbb662 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantNegativeTest.java
@@ -550,6 +550,129 @@ public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestB
         }
     }
 
+    // Here we are sending a different client Id in both the authz + token requests
+    @org.junit.Test
+    public void testNonMatchingClientId() throws Exception {
+        URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+        String address = "https://localhost:" + port + "/services/";
+        WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        String code = OAuth2TestUtils.getAuthorizationCode(client);
+        assertNotNull(code);
+
+        // Now get the access token using a different client id
+        client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                  "consumer-id-aud", "this-is-a-secret", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+
+        Form form = new Form();
+        form.param("grant_type", "authorization_code");
+        form.param("code", code);
+        form.param("client_id", "consumer-id-aud");
+
+        // Now try to get a token
+        Response response = client.post(form);
+        try {
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on trying to get a token");
+        } catch (ResponseProcessingException ex) {
+            //expected
+        }
+    }
+
+    // Here we are sending a different client Id in both the authz + token requests
+    @org.junit.Test
+    public void testNonMatchingClientIdBasicAuth() throws Exception {
+        URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+        String address = "https://localhost:" + port + "/services/";
+        WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        String code = OAuth2TestUtils.getAuthorizationCode(client);
+        assertNotNull(code);
+
+        // Now get the access token using a different client id
+        client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                  "consumer-id-aud", "this-is-a-secret", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+
+        Form form = new Form();
+        form.param("grant_type", "authorization_code");
+        form.param("code", code);
+
+        // Now try to get a token
+        Response response = client.post(form);
+        try {
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on trying to get a token");
+        } catch (ResponseProcessingException ex) {
+            //expected
+        }
+    }
+
+    // Here we are sending a different client Id in both the authz + token requests, where
in the
+    // token request we authenticate using a different clientId
+    @org.junit.Test
+    public void testNonMatchingClientDifferentClientIds() throws Exception {
+        URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+        String address = "https://localhost:" + port + "/services/";
+        WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        String code = OAuth2TestUtils.getAuthorizationCode(client);
+        assertNotNull(code);
+
+        // Now get the access token using a different client id
+        client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                  "consumer-id-aud", "this-is-a-secret", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+
+        Form form = new Form();
+        form.param("grant_type", "authorization_code");
+        form.param("code", code);
+        form.param("client_id", "consumer-id");
+
+        // Now try to get a token
+        Response response = client.post(form);
+        try {
+            response.readEntity(ClientAccessToken.class);
+            fail("Failure expected on trying to get a token");
+        } catch (ResponseProcessingException ex) {
+            //expected
+        }
+    }
+
     //
     // SAML Authorization grants
     //
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index 99d36d5..161da2f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -484,7 +484,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase
{
 
         String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
-                                            "alice", "security", busFile.toString());
+                                            "consumer-id", "this-is-a-secret", busFile.toString());
 
         // Create the SAML Assertion
         String assertion = OAuth2TestUtils.createToken(address + "token");
@@ -514,7 +514,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase
{
 
         String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
-                                            "alice", "security", busFile.toString());
+                                            "consumer-id", "this-is-a-secret", busFile.toString());
 
         // Create the JWT Token
         String token = OAuth2TestUtils.createToken("DoubleItSTSIssuer", "consumer-id",


Mime
View raw message