@Test
public void testBasicOperation() throws Exception {
    // Key pair used to sign the token; the provider only ever receives the public half.
    final KeyPair keyPair = RsaProvider.generateKeyPair(1024);
    final PublicKey verifyingKey = keyPair.getPublic();
    final PrivateKey signingKey = keyPair.getPrivate();

    // Provider under test, configured to verify signatures with the public key.
    final ApigeeSSO2Provider provider = new MockApigeeSSO2Provider();
    provider.setManagement(setup.getMgmtSvc());
    provider.setPublicKey(verifyingKey);

    // A user plus a not-yet-expired claim set for that user, signed with RS256.
    final User user = createUser();
    final long expiry = System.currentTimeMillis() + 10000;
    final Map<String, Object> claims = createClaims(user.getUsername(), user.getEmail(), expiry);
    final String token = Jwts.builder()
        .setClaims(claims)
        .signWith(SignatureAlgorithm.RS256, signingKey)
        .compact();

    // A correctly signed, unexpired token must validate and yield token info.
    // (Second argument is passed through unchanged; its meaning is defined by the provider.)
    final TokenInfo tokenInfo = provider.validateAndReturnTokenInfo(token, 86400L);
    Assert.assertNotNull(tokenInfo);
}
@Test
public void testMalformedToken() throws Exception {
    // Only the public half of the pair is needed: the provider verifies, it never signs.
    final KeyPair keyPair = RsaProvider.generateKeyPair(1024);

    final ApigeeSSO2Provider provider = new MockApigeeSSO2Provider();
    provider.setManagement(setup.getMgmtSvc());
    provider.setPublicKey(keyPair.getPublic());

    // Input that is not a JWT at all must be rejected as BadTokenException,
    // with the parser's MalformedJwtException preserved as the cause.
    try {
        provider.getClaims("{;aklsjd;fkajsd;fkjasd;lfkj}");
        Assert.fail("Should have failed due to malformed token");
    } catch (BadTokenException e) {
        Assert.assertTrue(e.getCause() instanceof MalformedJwtException);
    }
}
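/**
 * Initializes the signing key pair for the configured JWT key alias.
 *
 * <p>If {@code JWT_KEYSTORE_PATH} is unset, an RSA key pair is generated in memory.
 * Otherwise the keystore at that path is opened with {@code JWT_KEYSTORE_PASS}
 * (key password {@code JWT_KEY_PASS}, defaulting to the keystore password) and the
 * private key plus certificate public key for the alias are used. Any failure while
 * loading is logged and falls back to in-memory generation, so a misconfigured
 * keystore does not stop startup — but the resulting key is ephemeral to this
 * instance, and the error log is the only signal of that misconfiguration.
 */
@PostConstruct
void initProvider() {
    final String jwtKeyAlias = getJWTKeyAlias();
    // Read once; the original re-read this property for every use.
    final String keystorePath = environment.getProperty("JWT_KEYSTORE_PATH");
    KeyPair keyPair;

    if (StringUtils.isEmpty(keystorePath)) {
        logger.info("could not find keystore path, generating key in memore");
        // NOTE(review): 1024-bit RSA is below the 2048-bit minimum in current guidance;
        // consider raising the size for both fallback paths.
        keyPair = RsaProvider.generateKeyPair(1024);
    } else {
        try {
            logger.info("found a keystore path, trying to load: {}", keystorePath);
            final String password = environment.getProperty("JWT_KEYSTORE_PASS");
            if (password == null) {
                // Without this check the NPE from password.toCharArray() was caught below
                // with a far less useful message.
                throw new IllegalStateException("JWT_KEYSTORE_PATH is set but JWT_KEYSTORE_PASS is not");
            }
            final String keypass = environment.getProperty("JWT_KEY_PASS", password);

            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // try-with-resources: the original FileInputStream was never closed.
            try (FileInputStream is = new FileInputStream(new File(keystorePath))) {
                keyStore.load(is, password.toCharArray());
            }

            final PrivateKey privateKey = (PrivateKey) keyStore.getKey(jwtKeyAlias, keypass.toCharArray());
            final Certificate certificate = keyStore.getCertificate(jwtKeyAlias);
            // getKey() returns null for an alias without a key entry (e.g. a trusted-cert
            // entry); the original would then store a KeyPair with a null private key.
            if (privateKey == null || certificate == null) {
                throw new IllegalStateException(
                    "keystore has no private key entry and certificate for alias '" + jwtKeyAlias + "'");
            }
            final PublicKey publicKey = certificate.getPublicKey();
            keyPair = new KeyPair(publicKey, privateKey);
            logger.info("successfuly loaded keystore from file, continuing");
        } catch (Exception e) {
            // Deliberate best-effort fallback; the error log is the operator's signal.
            logger.error("Exception loading keystore, defaulting to in-memory generation", e);
            keyPair = RsaProvider.generateKeyPair(1024);
        }
    }
    keyPairMap.put(jwtKeyAlias, keyPair);
}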
@Test
public void testExpiredToken() throws Exception {
    final KeyPair keyPair = RsaProvider.generateKeyPair(1024);
    final PublicKey verifyingKey = keyPair.getPublic();
    final PrivateKey signingKey = keyPair.getPrivate();

    final ApigeeSSO2Provider provider = new MockApigeeSSO2Provider();
    provider.setManagement(setup.getMgmtSvc());
    provider.setPublicKey(verifyingKey);

    // Claims are built with an already-past expiry, and setExpiration(new Date())
    // additionally sets the token's exp claim to "now", so the token is expired
    // once the sleep below has elapsed.
    final User user = createUser();
    final long expiry = System.currentTimeMillis() - 1500;
    final Map<String, Object> claims = createClaims(user.getUsername(), user.getEmail(), expiry);
    final String token = Jwts.builder()
        .setClaims(claims)
        .setExpiration(new Date())
        .signWith(SignatureAlgorithm.RS256, signingKey)
        .compact();

    Thread.sleep(500); // let the expiration instant pass

    // An expired token must be rejected with ExpiredJwtException as the cause.
    try {
        provider.validateAndReturnTokenInfo(token, 86400L);
        Assert.fail("Should have failed due to expired token");
    } catch (BadTokenException e) {
        Assert.assertTrue(e.getCause() instanceof ExpiredJwtException);
    }
}
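/**
 * A token signed with a key the provider does not trust must be rejected.
 * The unused {@code privateKey} local of the old pair has been dropped.
 */
@Test
public void testBadSignature() throws Exception {
    // "Old" key pair: only its public half is handed to the provider.
    final KeyPair oldKeyPair = RsaProvider.generateKeyPair(1024);
    final PublicKey oldPublicKey = oldKeyPair.getPublic();

    // "New" key pair, unrelated to the old one; its private half signs the token.
    final KeyPair newKeyPair = RsaProvider.generateKeyPair(1024);
    final PrivateKey newPrivateKey = newKeyPair.getPrivate();

    // Mock provider constructed with the old public key in both positions, so
    // (presumably) a key re-fetch also yields the old key and cannot rescue verification.
    final ApigeeSSO2Provider provider = new MockApigeeSSO2ProviderNewKey(oldPublicKey, oldPublicKey);
    provider.setManagement(setup.getMgmtSvc());

    // Unexpired claims for a real user, signed with the NEW private key.
    final User user = createUser();
    final long expiry = System.currentTimeMillis() + 10000;
    final Map<String, Object> claims = createClaims(user.getUsername(), user.getEmail(), expiry);
    final String token = Jwts.builder()
        .setClaims(claims)
        .signWith(SignatureAlgorithm.RS256, newPrivateKey)
        .compact();

    // Verification against the old public key must fail with SignatureException as the cause.
    try {
        provider.validateAndReturnTokenInfo(token, 86400L);
        Assert.fail("Should have failed due to bad signature");
    } catch (BadTokenException e) {
        Assert.assertTrue(e.getCause() instanceof SignatureException);
    }
}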
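/**
 * A token signed with a rotated key validates once the provider fetches the new
 * public key, but not again after the key is reset to the old one. The unused
 * {@code privateKey} local of the old pair has been dropped, and the comments now
 * describe what the code does (the provider is built with the old AND new key,
 * and the token is signed with the new PRIVATE key).
 */
@Test
public void testNewPublicKeyFetch() throws Exception {
    // "Old" key pair: only its public half is used.
    final KeyPair oldKeyPair = RsaProvider.generateKeyPair(1024);
    final PublicKey oldPublicKey = oldKeyPair.getPublic();

    // "New" key pair: its public half is what the mock hands back on re-fetch,
    // its private half signs the token.
    final KeyPair newKeyPair = RsaProvider.generateKeyPair(1024);
    final PublicKey newPublicKey = newKeyPair.getPublic();
    final PrivateKey newPrivateKey = newKeyPair.getPrivate();

    // Mock provider starting with the old key, with the new key available to fetch.
    final MockApigeeSSO2ProviderNewKey provider = new MockApigeeSSO2ProviderNewKey(oldPublicKey, newPublicKey);
    provider.setManagement(setup.getMgmtSvc());

    // Unexpired claims for a real user, signed with the NEW private key.
    final User user = createUser();
    final long expiry = System.currentTimeMillis() + 10000;
    final Map<String, Object> claims = createClaims(user.getUsername(), user.getEmail(), expiry);
    final String token = Jwts.builder()
        .setClaims(claims)
        .signWith(SignatureAlgorithm.RS256, newPrivateKey)
        .compact();

    // First attempt: provider must fetch the new key and then validate the token.
    final TokenInfo tokenInfo = provider.validateAndReturnTokenInfo(token, 86400L);
    Assert.assertNotNull(tokenInfo);
    Assert.assertTrue(provider.isGetPublicKeyCalled());

    // Reset to the old key. The original comment attributes the subsequent failure to
    // the freshness value (the 86400L argument), i.e. no second re-fetch is allowed.
    provider.setPublicKey(oldPublicKey);

    // Second attempt must now fail with SignatureException as the cause.
    try {
        provider.validateAndReturnTokenInfo(token, 86400L);
        Assert.fail("Should have failed due to bad signature");
    } catch (BadTokenException e) {
        Assert.assertTrue(e.getCause() instanceof SignatureException);
    }
}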
/** Replaces the stored {@code publicKey}/{@code privateKey} with a freshly generated RSA pair. */
private void generateKey() {
    final KeyPair freshPair = RsaProvider.generateKeyPair(1024);
    privateKey = freshPair.getPrivate();
    publicKey = freshPair.getPublic();
}