hadoop-hdfs-project/hadoop-hdfs-client/src/test/java/org/apache/hadoop/hdfs/web/oauth2/TestClientCredentialTimeBasedTokenRefresher.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.hadoop.hdfs.web.oauth2;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.ServerSocketUtil;
import org.apache.hadoop.util.Timer;
import org.apache.http.HttpStatus;
import org.codehaus.jackson.map.ObjectMapper;
import org.junit.Test;
import org.mockserver.client.server.MockServerClient;
import org.mockserver.integration.ClientAndServer;
import org.mockserver.model.Header;
import org.mockserver.model.HttpRequest;
import org.mockserver.model.HttpResponse;
import org.mockserver.model.Parameter;
import org.mockserver.model.ParameterBody;

import java.io.IOException;
import java.util.Map;
import java.util.TreeMap;

import static org.apache.hadoop.hdfs.client.HdfsClientConfigKeys.ACCESS_TOKEN_PROVIDER_KEY;
import static org.apache.hadoop.hdfs.client.HdfsClientConfigKeys.OAUTH_CLIENT_ID_KEY;
import static org.apache.hadoop.hdfs.client.HdfsClientConfigKeys.OAUTH_REFRESH_URL_KEY;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.ACCESS_TOKEN;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.CLIENT_CREDENTIALS;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.CLIENT_ID;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.CLIENT_SECRET;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.EXPIRES_IN;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.GRANT_TYPE;
import static org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants.TOKEN_TYPE;
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockserver.integration.ClientAndServer.startClientAndServer;
import static org.mockserver.matchers.Times.exactly;
import static org.mockserver.model.HttpRequest.request;
import static org.mockserver.model.HttpResponse.response;

public class TestClientCredentialTimeBasedTokenRefresher {
  public final static Header CONTENT_TYPE_APPLICATION_JSON
      = new Header("Content-Type", "application/json");

  public final static String CLIENT_ID_FOR_TESTING = "joebob";

  public Configuration buildConf(String credential, String tokenExpires,
                                 String clientId, String refreshURL) {
    // Configurations are simple enough that it's not worth mocking them out.
    Configuration conf = new Configuration();
    conf.set(CredentialBasedAccessTokenProvider.OAUTH_CREDENTIAL_KEY,
        credential);
    conf.set(ACCESS_TOKEN_PROVIDER_KEY,
        ConfCredentialBasedAccessTokenProvider.class.getName());
    conf.set(OAUTH_CLIENT_ID_KEY, clientId);
    conf.set(OAUTH_REFRESH_URL_KEY, refreshURL);
    return conf;
  }

  @Test
  public void refreshUrlIsCorrect() throws IOException {
    final int PORT = ServerSocketUtil.getPort(0, 20);
    final String REFRESH_ADDRESS = "http://localhost:" + PORT + "/refresh";

    long tokenExpires = 0;

    Configuration conf = buildConf("myreallycoolcredential",
        Long.toString(tokenExpires),
        CLIENT_ID_FOR_TESTING,
        REFRESH_ADDRESS);

    Timer mockTimer = mock(Timer.class);
    when(mockTimer.now()).thenReturn(tokenExpires + 1000l);

    AccessTokenProvider credProvider =
        new ConfCredentialBasedAccessTokenProvider(mockTimer);
    credProvider.setConf(conf);
    
    // Build mock server to receive refresh request
    ClientAndServer mockServer  = startClientAndServer(PORT);

    HttpRequest expectedRequest = request()
        .withMethod("POST")
        .withPath("/refresh")
        .withBody( 
        // Note, OkHttp does not sort the param values, so we need to do
        // it ourselves via the ordering provided to ParameterBody...
            ParameterBody.params(
                Parameter.param(CLIENT_SECRET, "myreallycoolcredential"),
                Parameter.param(GRANT_TYPE, CLIENT_CREDENTIALS),
                Parameter.param(CLIENT_ID, CLIENT_ID_FOR_TESTING)
                ));

    MockServerClient mockServerClient = new MockServerClient("localhost", PORT);

    // https://tools.ietf.org/html/rfc6749#section-5.1
    Map<String, Object> map = new TreeMap<>();
    
    map.put(EXPIRES_IN, "0987654321");
    map.put(TOKEN_TYPE, "bearer");
    map.put(ACCESS_TOKEN, "new access token");

    ObjectMapper mapper = new ObjectMapper();
    
    HttpResponse resp = response()
        .withStatusCode(HttpStatus.SC_OK)
        .withHeaders(
            CONTENT_TYPE_APPLICATION_JSON
        )
        .withBody(mapper.writeValueAsString(map));

    mockServerClient
        .when(expectedRequest, exactly(1))
        .respond(resp);

    assertEquals("new access token", credProvider.getAccessToken());

    mockServerClient.verify(expectedRequest);

    mockServerClient.clear(expectedRequest);
    mockServer.stop();
  }
}