test: ✅ add test for OIDC authentication

Author: SCadilhac

src/test/java/net/netshot/netshot/FakeOidcIdpServer.java

@@ -0,0 +1,330 @@
+package net.netshot.netshot;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.glassfish.grizzly.http.server.HttpHandler;
+import org.glassfish.grizzly.http.server.HttpServer;
+import org.glassfish.grizzly.http.server.Request;
+import org.glassfish.grizzly.http.server.Response;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import jakarta.ws.rs.ForbiddenException;
+import jakarta.ws.rs.core.MediaType;
+import lombok.Getter;
+import lombok.Setter;
+
+public class FakeOidcIdpServer {
+
+	public static class User {
+		private String username;
+		private String role;
+
+		public  User(String username, String role) {
+			this.username = username;
+			this.role = role;
+		}
+	}
+
+	final static private URI DEFAULT_BASE_URI = URI.create("http://localhost:8980/");
+	final static private String DISCOVERY_PATH = "/.well-known/openid-configuration";
+	final static private String AUTH_PATH = "/protocol/openid-connect/auth";
+	final static private String TOKEN_PATH = "/protocol/openid-connect/token";
+	final static private String JWKS_PATH = "/protocol/openid-connect/certs";
+
+	final static private String SAMPLE_KID = "ukbTXswbjExjfqPBKPREf8VULCASfzi05E97YKsj6g0";
+
+
+	// Sample RSA key (PCKS8, PEM-encoded)
+	final static private String SAMPLE_PRIVATE_KEY = 
+		"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLFrHaHNdJAyV3" +
+		"Tctaam0MX978CKEDKGlxeuRmSnjMVDfTljI7zThWowbJ4sqg6ICvDtTlfAAhIPxp" +
+		"spPYHITyA79PV57/Y/k3Cz55DMpm19YwJUbEcHSn2Z6fIcOmXanPiNUB3A1Zx/Jx" +
+		"ZHYPzgIaWGEwRTBECjSIlZwYM1iOVtZaMrOSqc5z2cfRVNfBYQ5/mDn3ZEGv+ny+" +
+		"auVEAgmhmlaGxgX7mLToRBzv0t9TNfM8kosaYBG+QanCh92vsswEAASUDtzzkmiN" +
+		"g1tQ0c8gew22hOJJnh/ohtn+mNHWkS5UISzBlpZWl9/6olv71s1tyvbZhfhyXp0x" +
+		"FN6qsK7zAgMBAAECggEAApruBiInlHBKmAvl7c9+sNFya7sNzoIQTc92dzKn93Fy" +
+		"U+MFDiWISvtry19lTqIc5uH8UvZ/wLnXf+DPRIIjjHOfp4kBHHD8xSF+S13U8A1l" +
+		"wH4oUoqUwuoOPsFXbRHRHonrtzEXWyb7xUubt7RihevLUPiz17OZaYUg/vutotaU" +
+		"p0pOiJ3OQStS4F44MIcc9xUUXo6j2OfkYRCIsgYhPdsjpGQhpEd6ANKPBkjqHoyQ" +
+		"B47ctALf2nlwtjtn/Wa1sctBzy4Oy3F2guNtaZZGnuhk8NE8yv/pDgFmABE8+cAZ" +
+		"9waivuf4OkbmRp7WWYIjA69bzcHJWWOZXjLHsPSHVQKBgQD8nLGbPTPwC2LK6nkk" +
+		"8mkrGn130z9YX3zUXUuIXXbfc1IT0cBGgLk+gHKgo75yqlQCa7/Tkz2ZJA2eu0vV" +
+		"D4IqpcgBCNlBKOIGG2ninvzy0dYzPP5LtwqFAjIxF63faMGU8+ym1/KMGzHqPoYz" +
+		"BiDaWJgp+UrxwuigPeOOH50rFQKBgQDNz/g2G4+6+JCNfBlQOYubeLODrOVb8qEj" +
+		"M2Gi1BUtqA+XmEElwtKWUXqgH+I9gKHRWo4AUD0Yi64f5T7zRwe0rDfUhDc67Wpz" +
+		"8HVm98fTRK6VOdwXRt/1jAchWG07otz+KOA2ou3nQqMmY52tKdDz1mL6FzJ/fcAe" +
+		"UyizQQtT5wKBgCVySPW9PdzAo1V3KpwqfyKPm7fOjd5Y0VVduxus1zlKjAk6F6mb" +
+		"3VoBinx7qXiv/SIavOXtNr1j1c0I8LXVxbLyvlJA8IuzNsY2/BxG+zI3nuwbh4rL" +
+		"yHhtGemjG/g5PDELc7JL4r2YLm8N87DOoMIdTfky5kQuY3OVmQzxbMf9AoGBAJXo" +
+		"MBuBEbyWxfs389waPhSc4uw658iEPlg8WZZXMaHSsqCxdmpBsE9qw42UC57ObY7m" +
+		"jV2vFAEn5Ek5GhPqnbM8aWHyd6QFP6946pp4SeUZNqxcu3F83y2js6HXHaD9bEf3" +
+		"j/Bb1jrGr70Le9KgDaE9e1Q7xz1TY7byzUdbThvrAoGBAIsjuzdd376LUb6ClFVL" +
+		"KMMCNFq9z2c8YHYITmKTRUVGtrKcS1daHByBiLA24jI43xzNVcjwaaI+OUmjH5XY" +
+		"qhWo2p2F+diSkZSK7wBq9wFQaURXDv36QzdVbspMQluruMmUa5FCnApNoX4hPIUS" +
+		"oby0A0cpHjPY+bR+KlAPivKg";
+
+	// Sample IdP certificate for tests (private key above)
+	final static private String SAMPLE_CERTIFICATE =
+		"MIIClzCCAX8CBgGXq4B+JzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI1MDYyNjA5" +
+		"MDgzNFoXDTM1MDYyNjA5MTAxNFowDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEP" +
+		"ADCCAQoCggEBAMsWsdoc10kDJXdNy1pqbQxf3vwIoQMoaXF65GZKeMxUN9OWMjvNOFajBsniyqDogK8O" +
+		"1OV8ACEg/Gmyk9gchPIDv09Xnv9j+TcLPnkMymbX1jAlRsRwdKfZnp8hw6Zdqc+I1QHcDVnH8nFkdg/O" +
+		"AhpYYTBFMEQKNIiVnBgzWI5W1loys5KpznPZx9FU18FhDn+YOfdkQa/6fL5q5UQCCaGaVobGBfuYtOhE" +
+		"HO/S31M18zySixpgEb5BqcKH3a+yzAQABJQO3POSaI2DW1DRzyB7DbaE4kmeH+iG2f6Y0daRLlQhLMGW" +
+		"llaX3/qiW/vWzW3K9tmF+HJenTEU3qqwrvMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAasPZXVq0qJn4" +
+		"mt1h0wZSlpyPm54hV2MNlxE7bd1I2fRtxmBTTUuOLEi6ca5iStKoHO6N7kCGlSWLs49/dqeNKjHweCV7" +
+		"daK7t8tp8sKNPEcDoz0jFiVXVeUTLm0VjrdbdCSpamm9/Z/4EMaxE5SQKTHEHu83uqr1biNjr6n82WSj" +
+		"xWMdh/hDQbtS08rItYSrkxJ3PLIdhxqJ/uUTZ3EqE3Ulcc+coiIzeyVdO/r4sZJvG2XLyidGsxQBcCef" +
+		"5AlNWd7EQUc1lioS1HNSqTiXwxKvfAd06bGCN3mz8z6XgpFNTRDtHsmK3L7h5EYNa3DBKg/mgxfE3DJt" +
+		"XXCXJHBCzQ==";
+
+	@Getter @Setter
+	private URI baseUri;
+	@Getter @Setter
+	private String clientId;
+	@Getter @Setter
+	private String clientSecret;
+	@Getter @Setter
+	private URI redirectUri;
+	private PrivateKey privKey;
+	private Certificate certificate;
+
+	private Map<String, User> authorizationCodes = new HashMap<>();
+
+	private HttpServer server = null;
+
+	public FakeOidcIdpServer(URI baseUri) throws GeneralSecurityException {
+		this.baseUri = baseUri;
+		this.loadSampleCert();
+	}
+
+	public FakeOidcIdpServer() throws GeneralSecurityException {
+		this(DEFAULT_BASE_URI);
+	}
+
+	public void registerClient(String clientId, String clientSecret, URI redirectUri) {
+		this.clientId = clientId;
+		this.clientSecret = clientSecret;
+		this.redirectUri = redirectUri;
+	}
+
+	public void addAuthorizatioCode(String code, String username, String role) {
+		this.authorizationCodes.put(code, new User(username, role));
+	}
+
+	private void loadSampleCert() throws NoSuchAlgorithmException, InvalidKeySpecException, CertificateException {
+		CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+		InputStream is = new ByteArrayInputStream(Base64.getDecoder().decode(SAMPLE_CERTIFICATE));
+		this.certificate = certFactory.generateCertificate(is);
+		PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(SAMPLE_PRIVATE_KEY));
+		KeyFactory kf = KeyFactory.getInstance("RSA");
+		this.privKey = kf.generatePrivate(privSpec);
+	}
+
+	private void checkBasicAuth(Request request) throws ForbiddenException {
+		final String basicPrefix = "Basic ";
+		String authHeader = request.getHeader("Authorization");
+		if (authHeader == null) {
+			throw new ForbiddenException("Authorization header not present");
+		}
+		if (!authHeader.startsWith(basicPrefix)) {
+			throw new ForbiddenException("Authorization header is not basic auth");
+		}
+		String encodedCredentials = authHeader.substring(basicPrefix.length());
+		String decodedCredentials = new String(Base64.getDecoder().decode(encodedCredentials), 
+			StandardCharsets.UTF_8);
+		String expectedCredentials = "%s:%s".formatted(this.clientId, this.clientSecret);
+		if (!expectedCredentials.equals(decodedCredentials)) {
+			throw new ForbiddenException("Invalid credentials");
+		}
+	}
+
+	private String signEncodeToken(ObjectNode token) throws SignatureException, InvalidKeyException, NoSuchAlgorithmException {
+		ObjectNode header = JsonNodeFactory.instance.objectNode()
+			.put("alg", "RS256")
+			.put("typ", "JWT")
+			.put("kid", SAMPLE_KID);
+		String jwt = encodeJson(header) + "." + encodeJson(token);
+		Signature signature = Signature.getInstance("SHA256withRSA");
+		signature.initSign(privKey);
+		signature.update(jwt.getBytes(StandardCharsets.UTF_8));
+		byte[] signBytes = signature.sign();
+		jwt = jwt + "." + Base64.getUrlEncoder().encodeToString(signBytes);
+		return jwt;
+	}
+
+	private String encodeJson(ObjectNode token) {
+		return Base64.getUrlEncoder().encodeToString(
+			token.toString().getBytes(StandardCharsets.UTF_8));
+	}
+
+	private ObjectNode generateIdToken(User user) {
+		ObjectNode token = JsonNodeFactory.instance.objectNode()
+			.put("exp", Instant.now().plus(1, ChronoUnit.HOURS).getEpochSecond())
+			.put("iat", Instant.now().getEpochSecond())
+			.put("auth_time", Instant.now().getEpochSecond())
+			.put("jti", "f9e39317-81e0-4334-a75e-994003f1d160")
+			.put("iss", this.baseUri.toString())
+			.put("typ", "ID")
+			.put("azp", this.clientId)
+			.put("sid", "5eac7f33-3818-4438-b20a-78dfaec74abd")
+			.put("scope", "openid")
+			.put("acr", "1")
+			.put("aud", this.clientId)
+			.put("sub", "8b17b6a1-3c91-491b-9f9f-d7c314f08271")
+			.put("preferred_username", user.username)
+			.put("role", user.role);
+		return token;
+	}
+
+	private ObjectNode generateAccessToken(User user) {
+		ObjectNode token = JsonNodeFactory.instance.objectNode()
+			.put("exp", Instant.now().plus(1, ChronoUnit.HOURS).getEpochSecond())
+			.put("iat", Instant.now().getEpochSecond())
+			.put("jti", "trrtna:df789356-42fe-4bf3-8607-303161e9fe0e")
+			.put("iss", this.baseUri.toString())
+			.put("typ", "Bearer")
+			.put("azp", this.clientId)
+			.put("sid", "c83ec19e-fc41-4764-9fe6-2b92b46fa10e")
+			.put("acr", "1")
+			.put("preferred_username", user.username);
+		return token;
+	}
+
+	public void start() throws IOException {
+		this.server = HttpServer.createSimpleServer(null,
+			this.baseUri.getHost(), this.baseUri.getPort());
+		this.server.getServerConfiguration().addHttpHandler(new HttpHandler() {
+			@Override
+			public void service(Request request, Response response) throws Exception {
+				ObjectNode data = JsonNodeFactory.instance.objectNode()
+					.put("issuer", baseUri.toString())
+					.put("authorization_endpoint", baseUri.resolve(AUTH_PATH).toString())
+					.put("token_endpoint", baseUri.resolve(TOKEN_PATH).toString())
+					.put("jwks_uri", baseUri.resolve(JWKS_PATH).toString());
+				data.putArray("grant_types_supported")
+					.add("authorization_code");
+				data.putArray("response_types_supported")
+					.add("code")
+					.add("none")
+					.add("id_token")
+					.add("token");
+				data.putArray("claims_supported")
+					.add("aud")
+					.add("sub")
+					.add("iss")
+					.add("auth_time")
+					.add("preferred_username")
+					.add("email");
+				data.putArray("subject_types_supported")
+					.add("public");
+				data.putArray("id_token_signing_alg_values_supported")
+					.add("RS256");
+				data.putArray("token_endpoint_auth_methods_supported")
+					.add("client_secret_basic");
+				String content = data.toPrettyString();
+				response.setContentType(MediaType.APPLICATION_JSON);
+				response.setContentLength(content.length());
+				response.getWriter().write(content);
+			}
+		}, DISCOVERY_PATH);
+		this.server.getServerConfiguration().addHttpHandler(new HttpHandler() {
+			@Override
+			public void service(Request request, Response response) throws Exception {
+				try {
+					checkBasicAuth(request);
+					if (!MediaType.APPLICATION_FORM_URLENCODED_TYPE.withCharset(StandardCharsets.UTF_8.name())
+							.equals(MediaType.valueOf(request.getContentType()))) {
+						throw new Exception("Received token request content type is not form-urlencoded");
+					}
+					if (!"authorization_code".equals(request.getParameter("grant_type"))) {
+						throw new Exception("The received grant_type is not correct");
+					}
+					if (!redirectUri.toString().equals(request.getParameter("redirect_uri"))) {
+						throw new Exception("The received redirect_uri is not correct");
+					}
+					String code = request.getParameter("code");
+					if (code == null) {
+						throw new ForbiddenException("Missing code parameter");
+					}
+					User user = authorizationCodes.remove(code);
+					if (user == null) {
+						throw new ForbiddenException("Invalid authorization code");
+					}
+					ObjectNode data = JsonNodeFactory.instance.objectNode()
+						.put("token_type", "Bearer")
+						.put("refresh_token", "...")
+						.put("access_token", signEncodeToken(generateAccessToken(user)))
+						.put("id_token", signEncodeToken(generateIdToken(user)))
+						.put("expires_in", 3600);
+					String content = data.toPrettyString();
+					response.setContentType(MediaType.APPLICATION_JSON);
+					response.setContentLength(content.length());
+					response.getWriter().write(content);
+				}
+				catch (ForbiddenException e) {
+					response.setStatus(
+						jakarta.ws.rs.core.Response.Status.UNAUTHORIZED.getStatusCode(), "Unauthorized");
+					return;
+				}
+				catch (Exception e) {
+					response.setStatus(
+						jakarta.ws.rs.core.Response.Status.BAD_REQUEST.getStatusCode(), "Bad request");
+					return;
+				}
+			}
+		}, TOKEN_PATH);
+		this.server.getServerConfiguration().addHttpHandler(new HttpHandler() {
+			@Override
+			public void service(Request request, Response response) throws Exception {
+				ObjectNode data = JsonNodeFactory.instance.objectNode();
+				BigInteger certModulus = ((RSAPublicKey) certificate.getPublicKey()).getModulus();
+				BigInteger certExponent = ((RSAPublicKey) certificate.getPublicKey()).getPublicExponent();
+				ObjectNode key = JsonNodeFactory.instance.objectNode()
+					.put("kid", SAMPLE_KID)
+					.put("kty", "RSA")
+					.put("alg", "RS256")
+					.put("n", Base64.getUrlEncoder().encodeToString(certModulus.toByteArray()))
+					.put("e", Base64.getUrlEncoder().encodeToString(certExponent.toByteArray()));
+				key.putArray("x5c").add(Base64.getEncoder().encodeToString(certificate.getEncoded()));
+				data.putArray("keys").add(key);
+				String content = data.toPrettyString();
+				response.setContentType(MediaType.APPLICATION_JSON);
+				response.setContentLength(content.length());
+				response.getWriter().write(content);
+			}
+		}, JWKS_PATH);
+		this.server.start();
+	}
+
+	public void shutdown() {
+		if (this.server != null) {
+			this.server.shutdown();
+		}
+	}
+	
+}

src/test/java/net/netshot/netshot/NetshotApiClient.java

@@ -82,6 +82,12 @@ public WrongApiResponseException(String message, HttpResponse<?> response) {
 	@Getter @Setter
 	private String newPassword;
 
+	@Getter @Setter
+	private String authorizationCode;
+
+	@Getter @Setter
+	private String redirectUri;
+
 	@Getter @Setter
 	private HttpCookie sessionCookie;
 
@@ -111,6 +117,12 @@ public void setLogin(String username, String password) {
 		this.apiToken = null;
 	}
 
+	public void setOidcCodeLogin(String authorizationCode, String redirectUri) {
+		this.authorizationCode = authorizationCode;
+		this.redirectUri = redirectUri;
+		this.apiToken = null;
+	}
+
 	private HttpRequest.BodyPublisher jsonNodePublisher(JsonNode jsonNode) throws JsonProcessingException {
 		return HttpRequest.BodyPublishers.ofString(
 			this.getObjectMapper().writeValueAsString(jsonNode));
@@ -159,10 +171,16 @@ protected void login() throws IOException, InterruptedException {
 		builder.header("Accept", this.mediaType.toString());
 		builder.header("Content-Type", this.mediaType.toString());
 		ObjectNode payload = JsonNodeFactory.instance.objectNode();
-		payload.put("username", this.username);
-		payload.put("password", this.password);
-		if (this.newPassword != null) {
-			payload.put("newPassword", this.newPassword);
+		if (this.username != null) {
+			payload.put("username", this.username);
+			payload.put("password", this.password);
+			if (this.newPassword != null) {
+				payload.put("newPassword", this.newPassword);
+			}
+		}
+		else if (this.authorizationCode != null) {
+			payload.put("authorizationCode", this.authorizationCode);
+			payload.put("redirectUri", this.redirectUri);
 		}
 		builder.POST(this.jsonNodePublisher(payload));
 		HttpRequest request = builder.build();
@@ -205,7 +223,8 @@ protected HttpRequest.Builder initRequest(String path) throws IOException, Inter
 		if (this.apiToken != null) {
 			builder.header("X-Netshot-API-Token", this.apiToken);
 		}
-		else if (this.username != null && this.password != null) {
+		else if ((this.username != null && this.password != null) ||
+				this.authorizationCode != null) {
 			if (this.sessionCookie == null) {
 				this.login();
 			}