more tests

cloudfoundry · Aug 23, 2023 · e72194a · e72194a
1 parent 8530edc
commit e72194a
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 8 deletions.
diff --git a/...src/main/java/org/cloudfoundry/identity/uaa/zone/MultitenantJdbcClientDetailsService.java b/...src/main/java/org/cloudfoundry/identity/uaa/zone/MultitenantJdbcClientDetailsService.java
@@ -284,14 +284,11 @@ public void addClientKeyConfig(String clientId, String keyConfig, String zoneId,
         if (privateKeyJwtConfiguration != null) {
             BaseClientDetails clientDetails = (BaseClientDetails) loadClientByClientId(clientId, zoneId);
             PrivateKeyJwtConfiguration existingConfig = PrivateKeyJwtConfiguration.createFromClientDetails(clientDetails);
-            if (existingConfig != null) {
-                PrivateKeyJwtConfiguration result =
-                PrivateKeyJwtConfiguration.merge(existingConfig, privateKeyJwtConfiguration, overwrite);
-                if (result != null) {
-                    result.persistToClientDetail(clientDetails);
-                }
-                updateClientDetails(clientDetails, zoneId);
+            PrivateKeyJwtConfiguration result = PrivateKeyJwtConfiguration.merge(existingConfig, privateKeyJwtConfiguration, overwrite);
+            if (result != null) {
+                result.persistToClientDetail(clientDetails);
             }
+            updateClientDetails(clientDetails, zoneId);
         }
     }
 

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminBootstrapTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminBootstrapTests.java
@@ -252,6 +252,34 @@ void simpleAddClientWithSignupSuccessRedirectUrl() throws Exception {
         assertTrue(clientDetails.getRegisteredRedirectUri().contains("callback_url"));
     }
 
+    @Test
+    void simpleAddClientWithJwksUri() throws Exception {
+        Map<String, Object> map = new HashMap<>();
+        map.put("id", "foo");
+        map.put("secret", "bar");
+        map.put("scope", "openid");
+        map.put("authorized-grant-types", GRANT_TYPE_AUTHORIZATION_CODE);
+        map.put("authorities", "uaa.none");
+        map.put("redirect-uri", "http://localhost/callback");
+        map.put("jwks_uri", "https://localhost:8080/uaa");
+        ClientDetails clientDetails = doSimpleTest(map, clientAdminBootstrap, multitenantJdbcClientDetailsService, clients);
+        assertNotNull(clientDetails.getAdditionalInformation().get(ClientConstants.PRIVATE_KEY_CONFIG));
+    }
+
+    @Test
+    void simpleAddClientWithJwkSet() throws Exception {
+        Map<String, Object> map = new HashMap<>();
+        map.put("id", "foo");
+        map.put("secret", "bar");
+        map.put("scope", "openid");
+        map.put("authorized-grant-types", GRANT_TYPE_AUTHORIZATION_CODE);
+        map.put("authorities", "uaa.none");
+        map.put("redirect-uri", "http://localhost/callback");
+        map.put("jwks", "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"kid\":\"key-1\",\"alg\":\"RS256\",\"n\":\"u_A1S-WoVAnHlNQ_1HJmOPBVxIdy1uSNsp5JUF5N4KtOjir9EgG9HhCFRwz48ykEukrgaK4ofyy_wRXSUJKW7Q\"}");
+        ClientDetails clientDetails = doSimpleTest(map, clientAdminBootstrap, multitenantJdbcClientDetailsService, clients);
+        assertNotNull(clientDetails.getAdditionalInformation().get(ClientConstants.PRIVATE_KEY_CONFIG));
+    }
+
     @Test
     void clientMetadata_getsBootstrapped() {
         Map<String, Object> map = new HashMap<>();
@@ -592,7 +620,7 @@ static ClientDetails doSimpleTest(
 
         for (String key : Arrays.asList("resource-ids", "scope", "authorized-grant-types", "authorities",
                 "redirect-uri", "secret", "id", "override", "access-token-validity",
-                "refresh-token-validity")) {
+                "refresh-token-validity", "jwks", "jwks_uri")) {
             info.remove(key);
         }
         for (Map.Entry<String, Object> entry : info.entrySet()) {

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsTests.java
@@ -9,7 +9,9 @@
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsCreation;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
+import org.cloudfoundry.identity.uaa.oauth.client.PrivateKeyChangeRequest;
 import org.cloudfoundry.identity.uaa.oauth.client.SecretChangeRequest;
+import org.cloudfoundry.identity.uaa.resources.ActionResult;
 import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager;
 import org.cloudfoundry.identity.uaa.resources.ResourceMonitor;
 import org.cloudfoundry.identity.uaa.resources.SearchResults;
@@ -73,6 +75,7 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.withSettings;
@@ -1076,6 +1079,82 @@ void testCreateClientWithPrivateKeyUri() {
         assertTrue(PrivateKeyJwtConfiguration.createFromClientDetails(created).configEquals(PrivateKeyJwtConfiguration.parse(jwksUri)));
     }
 
+    @Test
+    void testCreateClientWithPrivateKeyUriInvalid() {
+        // invalid jwks_uri
+        String jwksUri = "http://myhost/openid/jwks-uri";
+        when(clientDetailsService.retrieve(anyString(), anyString())).thenReturn(input);
+        when(mockSecurityContextAccessor.getClientId()).thenReturn(detail.getClientId());
+        when(mockSecurityContextAccessor.isClient()).thenReturn(true);
+
+        input.setClientSecret("secret");
+        detail.setAuthorizedGrantTypes(input.getAuthorizedGrantTypes());
+        ClientDetailsCreation createRequest = createClientDetailsCreation(input);
+        createRequest.setPrivateKeySet(jwksUri);
+        ClientDetails result = endpoints.createClientDetails(createRequest);
+        assertNull(result.getClientSecret());
+        ArgumentCaptor<BaseClientDetails> clientCaptor = ArgumentCaptor.forClass(BaseClientDetails.class);
+        verify(clientDetailsService).create(clientCaptor.capture(), anyString());
+        BaseClientDetails created = clientCaptor.getValue();
+        assertNull(PrivateKeyJwtConfiguration.createFromClientDetails(created));
+    }
+
+    @Test
+    void testAddPrivateKeyJwtConfigUri() {
+        when(mockSecurityContextAccessor.getClientId()).thenReturn("bar");
+        when(mockSecurityContextAccessor.isClient()).thenReturn(true);
+        when(mockSecurityContextAccessor.isAdmin()).thenReturn(true);
+
+        when(clientDetailsService.retrieve(detail.getClientId(), IdentityZoneHolder.get().getId())).thenReturn(detail);
+
+        PrivateKeyChangeRequest change = new PrivateKeyChangeRequest();
+        // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, see jwks_uri
+        String jwksUri = "https://any.domain.net/openid/jwks-uri";
+        change.setKeyUrl(jwksUri);
+        change.setChangeMode(PrivateKeyChangeRequest.ChangeMode.ADD);
+
+        ActionResult result = endpoints.changePrivateKey(detail.getClientId(), change);
+        assertEquals("Private key is added", result.getMessage());
+        verify(clientRegistrationService, times(1)).addClientKeyConfig(detail.getClientId(), jwksUri, IdentityZoneHolder.get().getId(), false);
+
+        change.setKeyUrl(null);
+        result = endpoints.changePrivateKey(detail.getClientId(), change);
+        assertEquals("No key added", result.getMessage());
+    }
+
+    @Test
+    void testChangeDeletePrivateKeyJwtConfigUri() {
+        when(mockSecurityContextAccessor.getClientId()).thenReturn("bar");
+        when(mockSecurityContextAccessor.isClient()).thenReturn(true);
+        when(mockSecurityContextAccessor.isAdmin()).thenReturn(true);
+
+        when(clientDetailsService.retrieve(detail.getClientId(), IdentityZoneHolder.get().getId())).thenReturn(detail);
+
+        PrivateKeyChangeRequest change = new PrivateKeyChangeRequest();
+        // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, see jwks_uri
+        String jwksUri = "https://any.domain.net/openid/jwks-uri";
+        change.setKeyUrl(jwksUri);
+        change.setChangeMode(PrivateKeyChangeRequest.ChangeMode.ADD);
+
+        ActionResult result = endpoints.changePrivateKey(detail.getClientId(), change);
+        assertEquals("Private key is added", result.getMessage());
+        verify(clientRegistrationService, times(1)).addClientKeyConfig(detail.getClientId(), jwksUri, IdentityZoneHolder.get().getId(), false);
+
+        jwksUri = "https://any.new.domain.net/openid/jwks-uri";
+        change.setChangeMode(PrivateKeyChangeRequest.ChangeMode.UPDATE);
+        change.setKeyUrl(jwksUri);
+        result = endpoints.changePrivateKey(detail.getClientId(), change);
+        assertEquals("Private key updated", result.getMessage());
+        verify(clientRegistrationService, times(1)).addClientKeyConfig(detail.getClientId(), jwksUri, IdentityZoneHolder.get().getId(), true);
+
+        PrivateKeyJwtConfiguration.parse(jwksUri).persistToClientDetail(detail);
+        change.setChangeMode(PrivateKeyChangeRequest.ChangeMode.DELETE);
+        change.setKeyUrl(jwksUri);
+        result = endpoints.changePrivateKey(detail.getClientId(), change);
+        assertEquals("Private key is deleted", result.getMessage());
+        verify(clientRegistrationService, times(1)).deleteClientKeyConfig(detail.getClientId(), jwksUri, IdentityZoneHolder.get().getId());
+    }
+
     @Test
     void testCreateClientWithPrivateKeySet() {
         // Example JWK, a key is bound to a kid, means assumption is, a key is the same if kid is the same