| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.shindig.social.core.oauth; |
| |
| import org.apache.commons.codec.binary.Base64; |
| import org.apache.shindig.common.testing.FakeHttpServletRequest; |
| import org.apache.shindig.social.core.oauth2.OAuth2Servlet; |
| import org.apache.shindig.social.dataservice.integration.AbstractLargeRestfulTests; |
| import org.easymock.EasyMock; |
| import org.json.JSONObject; |
| import org.junit.Before; |
| import org.junit.Test; |
| |
| import javax.servlet.http.HttpServletResponse; |
| |
| import java.io.PrintWriter; |
| import java.net.URLEncoder; |
| |
| public class OAuth2ClientCredentialFlowTest extends AbstractLargeRestfulTests { |
| |
| protected static final String CLIENT_CRED_CLIENT = "testClientCredentialsClient"; |
| protected static final String CLIENT_CRED_SECRET = "clientCredentialsClient_secret"; |
| |
| protected OAuth2Servlet servlet = null; |
| |
| @Before |
| @Override |
| public void abstractLargeRestfulBefore() throws Exception { |
| super.abstractLargeRestfulBefore(); |
| servlet = new OAuth2Servlet(); |
| injector.injectMembers(servlet); |
| }; |
| |
| /** |
| * Test using basic authentication scheme for client cred flow |
| * |
| * @throws Exception |
| */ |
| @Test |
| public void testClientCredFlowBadHeader() throws Exception { |
| FakeHttpServletRequest req = new FakeHttpServletRequest( |
| "http://localhost:8080", "/oauth2", "grant_type=client_credentials"); |
| req.setHeader("Authorization", "Basic *^%#"); |
| req.setMethod("POST"); |
| req.setServletPath("/oauth2"); |
| req.setPathInfo("/access_token"); |
| HttpServletResponse resp = mock(HttpServletResponse.class); |
| resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST)); |
| MockServletOutputStream outputStream = new MockServletOutputStream(); |
| EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes(); |
| PrintWriter writer = new PrintWriter(outputStream); |
| EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes(); |
| replay(); |
| servlet.service(req, resp); |
| writer.flush(); |
| |
| String response = new String(outputStream.getBuffer(), "UTF-8"); |
| JSONObject respObj = new JSONObject(response); |
| assertTrue(respObj.has("error")); |
| verify(); |
| } |
| |
| /** |
| * Test using basic authentication scheme for client cred flow |
| * |
| * @throws Exception |
| */ |
| @Test |
| public void testClientCredFlowBadPass() throws Exception { |
| FakeHttpServletRequest req = new FakeHttpServletRequest( |
| "http://localhost:8080", "/oauth2", "grant_type=client_credentials"); |
| req.setHeader( |
| "Authorization", |
| "Basic " |
| + Base64.encodeBase64String((CLIENT_CRED_CLIENT + ":badsecret") |
| .getBytes("UTF-8"))); |
| req.setMethod("POST"); |
| req.setServletPath("/oauth2"); |
| req.setPathInfo("/access_token"); |
| HttpServletResponse resp = mock(HttpServletResponse.class); |
| resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST)); |
| MockServletOutputStream outputStream = new MockServletOutputStream(); |
| EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes(); |
| PrintWriter writer = new PrintWriter(outputStream); |
| EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes(); |
| replay(); |
| servlet.service(req, resp); |
| writer.flush(); |
| |
| String response = new String(outputStream.getBuffer(), "UTF-8"); |
| JSONObject respObj = new JSONObject(response); |
| assertTrue(respObj.has("error")); |
| verify(); |
| } |
| |
| /** |
| * Test using basic authentication scheme for client cred flow |
| * |
| * @throws Exception |
| */ |
| @Test |
| public void testClientCredFlowBasicAuth() throws Exception { |
| FakeHttpServletRequest req = new FakeHttpServletRequest( |
| "http://localhost:8080", "/oauth2", "grant_type=client_credentials"); |
| req.setHeader( |
| "Authorization", |
| "Basic " |
| + Base64 |
| .encodeBase64String((CLIENT_CRED_CLIENT + ":" + CLIENT_CRED_SECRET) |
| .getBytes("UTF-8"))); |
| req.setMethod("POST"); |
| req.setServletPath("/oauth2"); |
| req.setPathInfo("/access_token"); |
| HttpServletResponse resp = mock(HttpServletResponse.class); |
| resp.setStatus(HttpServletResponse.SC_OK); |
| MockServletOutputStream outputStream = new MockServletOutputStream(); |
| EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes(); |
| PrintWriter writer = new PrintWriter(outputStream); |
| EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes(); |
| replay(); |
| servlet.service(req, resp); |
| writer.flush(); |
| |
| JSONObject tokenResponse = new JSONObject(new String( |
| outputStream.getBuffer(), "UTF-8")); |
| |
| assertEquals("bearer", tokenResponse.getString("token_type")); |
| assertNotNull(tokenResponse.getString("access_token")); |
| assertTrue(tokenResponse.getLong("expires_in") > 0); |
| verify(); |
| } |
| |
| /** |
| * Test using URL parameter with client cred flow |
| * |
| * @throws Exception |
| */ |
| @Test |
| public void testClientCredFlowParams() throws Exception { |
| FakeHttpServletRequest req = new FakeHttpServletRequest( |
| "http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT |
| + "&grant_type=client_credentials&client_secret=" |
| + CLIENT_CRED_SECRET); |
| req.setMethod("POST"); |
| req.setServletPath("/oauth2"); |
| req.setPathInfo("/access_token"); |
| HttpServletResponse resp = mock(HttpServletResponse.class); |
| resp.setStatus(HttpServletResponse.SC_OK); |
| MockServletOutputStream outputStream = new MockServletOutputStream(); |
| EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes(); |
| PrintWriter writer = new PrintWriter(outputStream); |
| EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes(); |
| replay(); |
| servlet.service(req, resp); |
| writer.flush(); |
| |
| JSONObject tokenResponse = new JSONObject(new String( |
| outputStream.getBuffer(), "UTF-8")); |
| |
| assertEquals("bearer", tokenResponse.getString("token_type")); |
| assertNotNull(tokenResponse.getString("access_token")); |
| assertTrue(tokenResponse.getLong("expires_in") > 0); |
| verify(); |
| } |
| |
| /** |
| * Test attempting to get access token via GET request |
| */ |
| @Test |
| public void testGetAccessTokenBadMethodType() throws Exception { |
| FakeHttpServletRequest req = new FakeHttpServletRequest( |
| "http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT |
| + "&grant_type=client_credentials&client_secret=" |
| + CLIENT_CRED_SECRET); |
| req.setMethod("GET"); |
| req.setServletPath("/oauth2"); |
| req.setPathInfo("/access_token"); |
| |
| HttpServletResponse resp = mock(HttpServletResponse.class); |
| resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " + |
| "when making access token requests."); |
| |
| replay(); |
| servlet.service(req, resp); |
| |
| verify(); |
| } |
| |
| } |