From 38710bd3d22f9a7d0f19c41aac26e187e714ac59 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Wed, 24 Feb 2016 15:33:52 -0500
Subject: [PATCH] unit tests for HEART mode

---
 ...faultOAuth2ClientDetailsEntityService.java |   6 +-
 .../TestBlacklistAwareRedirectResolver.java   |  20 ++
 ...faultOAuth2ClientDetailsEntityService.java | 211 ++++++++++++++++++
 3 files changed, 234 insertions(+), 3 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
index 363c5ff2e..5beb8794a 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@@ -226,7 +226,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 				}
 				
 				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
+				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
 					throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method");
 				}
 				
@@ -243,7 +243,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 				}
 				
 				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
 					throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method");
 				}
 				
@@ -260,7 +260,7 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 				}
 				
 				// make sure we've got the right authentication method
-				if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
+				if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
 					throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method");
 				}
 				
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
index 11ced0a1c..69a477bdb 100644
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
@@ -20,6 +20,7 @@ package org.mitre.oauth2.service.impl;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
@@ -51,6 +52,9 @@ public class TestBlacklistAwareRedirectResolver {
 	@Mock
 	private ClientDetails client;
 
+	@Mock
+	private ConfigurationPropertiesBean config;
+	
 	@InjectMocks
 	private BlacklistAwareRedirectResolver resolver;
 
@@ -72,6 +76,7 @@ public class TestBlacklistAwareRedirectResolver {
 		when(client.getAuthorizedGrantTypes()).thenReturn(ImmutableSet.of("authorization_code"));
 		when(client.getRegisteredRedirectUri()).thenReturn(ImmutableSet.of(goodUri, blacklistedUri));
 
+		when(config.isHeartMode()).thenReturn(false);
 	}
 
 	@Test
@@ -128,5 +133,20 @@ public class TestBlacklistAwareRedirectResolver {
 		assertThat(res2, is(true));
 
 	}
+	
+	@Test
+	public void testHeartMode() {
+		when(config.isHeartMode()).thenReturn(true);
+
+		// this is not an exact match
+		boolean res1 = resolver.redirectMatches(pathUri, goodUri);
+
+		assertThat(res1, is(false));
+
+		// this is an exact match
+		boolean res2 = resolver.redirectMatches(goodUri, goodUri);
+
+		assertThat(res2, is(true));
+	}
 
 }
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
index 4c73bf913..4fd29489a 100644
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java
@@ -16,17 +16,22 @@
  *******************************************************************************/
 package org.mitre.oauth2.service.impl;
 
+import static org.mockito.Matchers.anyString;
+
 import java.util.HashSet;
+import java.util.LinkedHashSet;
 import java.util.Set;
 
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.model.SystemScope;
 import org.mitre.oauth2.repository.OAuth2ClientRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.SystemScopeService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
@@ -46,9 +51,11 @@ import org.springframework.security.oauth2.common.exceptions.InvalidClientExcept
 
 import com.google.common.collect.Sets;
 
+import static org.hamcrest.CoreMatchers.any;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.hamcrest.CoreMatchers.nullValue;
 
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
@@ -83,6 +90,9 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 	@Mock
 	private StatsService statsService;
+	
+	@Mock
+	private ConfigurationPropertiesBean config;
 
 	@InjectMocks
 	private DefaultOAuth2ClientDetailsEntityService service;
@@ -135,6 +145,8 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		// we're not testing reserved scopes here, just pass through when it's called
 		Mockito.when(scopeService.removeReservedScopes(Matchers.anySet())).then(AdditionalAnswers.returnsFirstArg());
+		
+		Mockito.when(config.isHeartMode()).thenReturn(false);
 
 	}
 
@@ -353,4 +365,203 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		assertThat(client.getScope().contains(SystemScopeService.OFFLINE_ACCESS), is(equalTo(false)));
 	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_authcode_invalidGrants() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		grantTypes.add("implicit");
+		grantTypes.add("client_credentials");
+		client.setGrantTypes(grantTypes);
+
+		service.saveNewClient(client);
+		
+	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_implicit_invalidGrants() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("implicit");
+		grantTypes.add("authorization_code");
+		grantTypes.add("client_credentials");
+		client.setGrantTypes(grantTypes);
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_clientcreds_invalidGrants() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("client_credentials");
+		grantTypes.add("authorization_code");
+		grantTypes.add("implicit");
+		client.setGrantTypes(grantTypes);
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_authcode_authMethod() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		client.setGrantTypes(grantTypes);
+		
+		client.setTokenEndpointAuthMethod(AuthMethod.SECRET_POST);
+
+		service.saveNewClient(client);
+		
+	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_implicit_authMethod() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("implicit");
+		client.setGrantTypes(grantTypes);
+
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_clientcreds_authMethod() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("client_credentials");
+		client.setGrantTypes(grantTypes);
+
+		client.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_authcode_redirectUris() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		client.setGrantTypes(grantTypes);
+		
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+
+		service.saveNewClient(client);
+		
+	}
+	
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_implicit_redirectUris() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("implicit");
+		client.setGrantTypes(grantTypes);
+
+		client.setTokenEndpointAuthMethod(AuthMethod.NONE);
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_clientcreds_redirectUris() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("client_credentials");
+		client.setGrantTypes(grantTypes);
+
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+
+		client.setRedirectUris(Sets.newHashSet("http://foo.bar/"));
+
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_clientSecret() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		client.setGrantTypes(grantTypes);
+		
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+		
+		client.setRedirectUris(Sets.newHashSet("http://foo.bar/"));
+
+		client.setClientSecret("secret!");
+		
+		service.saveNewClient(client);
+		
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void heartMode_noJwks() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		client.setGrantTypes(grantTypes);
+		
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+		
+		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
+
+		client.setJwks(null);
+		client.setJwksUri(null);
+		
+		service.saveNewClient(client);
+		
+	}
+	
+	@Test
+	public void heartMode_validAuthcodeClient() {
+		Mockito.when(config.isHeartMode()).thenReturn(true);
+
+		ClientDetailsEntity client = new ClientDetailsEntity();
+		Set<String> grantTypes = new LinkedHashSet<>();
+		grantTypes.add("authorization_code");
+		grantTypes.add("refresh_token");
+		client.setGrantTypes(grantTypes);
+		
+		client.setTokenEndpointAuthMethod(AuthMethod.PRIVATE_KEY);
+		
+		client.setRedirectUris(Sets.newHashSet("https://foo.bar/"));
+
+		client.setJwksUri("https://foo.bar/jwks");
+		
+		service.saveNewClient(client);
+		
+		assertThat(client.getClientId(), is(notNullValue(String.class)));
+		assertThat(client.getClientSecret(), is(nullValue()));
+	}
+	
 }