java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java - shindig - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shindig.social.core.oauth;

 import org.apache.commons.codec.binary.Base64;
 import org.apache.shindig.common.testing.FakeHttpServletRequest;
 import org.apache.shindig.social.core.oauth2.OAuth2Servlet;
 import org.apache.shindig.social.dataservice.integration.AbstractLargeRestfulTests;
 import org.easymock.EasyMock;
 import org.json.JSONObject;
 import org.junit.Before;
 import org.junit.Test;

 import javax.servlet.http.HttpServletResponse;

 import java.io.PrintWriter;
 import java.net.URLEncoder;

 public class OAuth2ClientCredentialFlowTest extends AbstractLargeRestfulTests {

   protected static final String CLIENT_CRED_CLIENT = "testClientCredentialsClient";
   protected static final String CLIENT_CRED_SECRET = "clientCredentialsClient_secret";

   protected OAuth2Servlet servlet = null;

   @Before
   @Override
   public void abstractLargeRestfulBefore() throws Exception {
     super.abstractLargeRestfulBefore();
     servlet = new OAuth2Servlet();
     injector.injectMembers(servlet);
   };

   /**
    * Test using basic authentication scheme for client cred flow
    *
    * @throws Exception
    */
   @Test
   public void testClientCredFlowBadHeader() throws Exception {
     FakeHttpServletRequest req = new FakeHttpServletRequest(
         "http://localhost:8080", "/oauth2", "grant_type=client_credentials");
     req.setHeader("Authorization", "Basic *^%#");
     req.setMethod("POST");
     req.setServletPath("/oauth2");
     req.setPathInfo("/access_token");
     HttpServletResponse resp = mock(HttpServletResponse.class);
     resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST));
     MockServletOutputStream outputStream = new MockServletOutputStream();
     EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
     PrintWriter writer = new PrintWriter(outputStream);
     EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
     replay();
     servlet.service(req, resp);
     writer.flush();

     String response = new String(outputStream.getBuffer(), "UTF-8");
     JSONObject respObj = new JSONObject(response);
     assertTrue(respObj.has("error"));
     verify();
   }

   /**
    * Test using basic authentication scheme for client cred flow
    *
    * @throws Exception
    */
   @Test
   public void testClientCredFlowBadPass() throws Exception {
     FakeHttpServletRequest req = new FakeHttpServletRequest(
         "http://localhost:8080", "/oauth2", "grant_type=client_credentials");
     req.setHeader(
         "Authorization",
         "Basic "
             + Base64.encodeBase64String((CLIENT_CRED_CLIENT + ":badsecret")
                 .getBytes("UTF-8")));
     req.setMethod("POST");
     req.setServletPath("/oauth2");
     req.setPathInfo("/access_token");
     HttpServletResponse resp = mock(HttpServletResponse.class);
     resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST));
     MockServletOutputStream outputStream = new MockServletOutputStream();
     EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
     PrintWriter writer = new PrintWriter(outputStream);
     EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
     replay();
     servlet.service(req, resp);
     writer.flush();

     String response = new String(outputStream.getBuffer(), "UTF-8");
     JSONObject respObj = new JSONObject(response);
     assertTrue(respObj.has("error"));
     verify();
   }

   /**
    * Test using basic authentication scheme for client cred flow
    *
    * @throws Exception
    */
   @Test
   public void testClientCredFlowBasicAuth() throws Exception {
     FakeHttpServletRequest req = new FakeHttpServletRequest(
         "http://localhost:8080", "/oauth2", "grant_type=client_credentials");
     req.setHeader(
         "Authorization",
         "Basic "
             + Base64
                 .encodeBase64String((CLIENT_CRED_CLIENT + ":" + CLIENT_CRED_SECRET)
                     .getBytes("UTF-8")));
     req.setMethod("POST");
     req.setServletPath("/oauth2");
     req.setPathInfo("/access_token");
     HttpServletResponse resp = mock(HttpServletResponse.class);
     resp.setStatus(HttpServletResponse.SC_OK);
     MockServletOutputStream outputStream = new MockServletOutputStream();
     EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
     PrintWriter writer = new PrintWriter(outputStream);
     EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
     replay();
     servlet.service(req, resp);
     writer.flush();

     JSONObject tokenResponse = new JSONObject(new String(
         outputStream.getBuffer(), "UTF-8"));

     assertEquals("bearer", tokenResponse.getString("token_type"));
     assertNotNull(tokenResponse.getString("access_token"));
     assertTrue(tokenResponse.getLong("expires_in") > 0);
     verify();
   }

   /**
    * Test using URL parameter with client cred flow
    *
    * @throws Exception
    */
   @Test
   public void testClientCredFlowParams() throws Exception {
     FakeHttpServletRequest req = new FakeHttpServletRequest(
         "http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
             + "&grant_type=client_credentials&client_secret="
             + CLIENT_CRED_SECRET);
     req.setMethod("POST");
     req.setServletPath("/oauth2");
     req.setPathInfo("/access_token");
     HttpServletResponse resp = mock(HttpServletResponse.class);
     resp.setStatus(HttpServletResponse.SC_OK);
     MockServletOutputStream outputStream = new MockServletOutputStream();
     EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
     PrintWriter writer = new PrintWriter(outputStream);
     EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
     replay();
     servlet.service(req, resp);
     writer.flush();

     JSONObject tokenResponse = new JSONObject(new String(
         outputStream.getBuffer(), "UTF-8"));

     assertEquals("bearer", tokenResponse.getString("token_type"));
     assertNotNull(tokenResponse.getString("access_token"));
     assertTrue(tokenResponse.getLong("expires_in") > 0);
     verify();
   }

   /**
    * Test attempting to get access token via GET request
    */
   @Test
   public void testGetAccessTokenBadMethodType() throws Exception {
     FakeHttpServletRequest req = new FakeHttpServletRequest(
         "http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
             + "&grant_type=client_credentials&client_secret="
             + CLIENT_CRED_SECRET);
     req.setMethod("GET");
     req.setServletPath("/oauth2");
     req.setPathInfo("/access_token");

     HttpServletResponse resp = mock(HttpServletResponse.class);
     resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " +
         "when making access token requests.");

     replay();
     servlet.service(req, resp);

     verify();
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.shindig.social.core.oauth;

	import org.apache.commons.codec.binary.Base64;
	import org.apache.shindig.common.testing.FakeHttpServletRequest;
	import org.apache.shindig.social.core.oauth2.OAuth2Servlet;
	import org.apache.shindig.social.dataservice.integration.AbstractLargeRestfulTests;
	import org.easymock.EasyMock;
	import org.json.JSONObject;
	import org.junit.Before;
	import org.junit.Test;

	import javax.servlet.http.HttpServletResponse;

	import java.io.PrintWriter;
	import java.net.URLEncoder;

	public class OAuth2ClientCredentialFlowTest extends AbstractLargeRestfulTests {

	protected static final String CLIENT_CRED_CLIENT = "testClientCredentialsClient";
	protected static final String CLIENT_CRED_SECRET = "clientCredentialsClient_secret";

	protected OAuth2Servlet servlet = null;

	@Before
	@Override
	public void abstractLargeRestfulBefore() throws Exception {
	super.abstractLargeRestfulBefore();
	servlet = new OAuth2Servlet();
	injector.injectMembers(servlet);
	};

	/**
	* Test using basic authentication scheme for client cred flow
	*
	* @throws Exception
	*/
	@Test
	public void testClientCredFlowBadHeader() throws Exception {
	FakeHttpServletRequest req = new FakeHttpServletRequest(
	"http://localhost:8080", "/oauth2", "grant_type=client_credentials");
	req.setHeader("Authorization", "Basic *^%#");
	req.setMethod("POST");
	req.setServletPath("/oauth2");
	req.setPathInfo("/access_token");
	HttpServletResponse resp = mock(HttpServletResponse.class);
	resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST));
	MockServletOutputStream outputStream = new MockServletOutputStream();
	EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
	PrintWriter writer = new PrintWriter(outputStream);
	EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
	replay();
	servlet.service(req, resp);
	writer.flush();

	String response = new String(outputStream.getBuffer(), "UTF-8");
	JSONObject respObj = new JSONObject(response);
	assertTrue(respObj.has("error"));
	verify();
	}

	/**
	* Test using basic authentication scheme for client cred flow
	*
	* @throws Exception
	*/
	@Test
	public void testClientCredFlowBadPass() throws Exception {
	FakeHttpServletRequest req = new FakeHttpServletRequest(
	"http://localhost:8080", "/oauth2", "grant_type=client_credentials");
	req.setHeader(
	"Authorization",
	"Basic "
	+ Base64.encodeBase64String((CLIENT_CRED_CLIENT + ":badsecret")
	.getBytes("UTF-8")));
	req.setMethod("POST");
	req.setServletPath("/oauth2");
	req.setPathInfo("/access_token");
	HttpServletResponse resp = mock(HttpServletResponse.class);
	resp.setStatus(EasyMock.eq(HttpServletResponse.SC_BAD_REQUEST));
	MockServletOutputStream outputStream = new MockServletOutputStream();
	EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
	PrintWriter writer = new PrintWriter(outputStream);
	EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
	replay();
	servlet.service(req, resp);
	writer.flush();

	String response = new String(outputStream.getBuffer(), "UTF-8");
	JSONObject respObj = new JSONObject(response);
	assertTrue(respObj.has("error"));
	verify();
	}

	/**
	* Test using basic authentication scheme for client cred flow
	*
	* @throws Exception
	*/
	@Test
	public void testClientCredFlowBasicAuth() throws Exception {
	FakeHttpServletRequest req = new FakeHttpServletRequest(
	"http://localhost:8080", "/oauth2", "grant_type=client_credentials");
	req.setHeader(
	"Authorization",
	"Basic "
	+ Base64
	.encodeBase64String((CLIENT_CRED_CLIENT + ":" + CLIENT_CRED_SECRET)
	.getBytes("UTF-8")));
	req.setMethod("POST");
	req.setServletPath("/oauth2");
	req.setPathInfo("/access_token");
	HttpServletResponse resp = mock(HttpServletResponse.class);
	resp.setStatus(HttpServletResponse.SC_OK);
	MockServletOutputStream outputStream = new MockServletOutputStream();
	EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
	PrintWriter writer = new PrintWriter(outputStream);
	EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
	replay();
	servlet.service(req, resp);
	writer.flush();

	JSONObject tokenResponse = new JSONObject(new String(
	outputStream.getBuffer(), "UTF-8"));

	assertEquals("bearer", tokenResponse.getString("token_type"));
	assertNotNull(tokenResponse.getString("access_token"));
	assertTrue(tokenResponse.getLong("expires_in") > 0);
	verify();
	}

	/**
	* Test using URL parameter with client cred flow
	*
	* @throws Exception
	*/
	@Test
	public void testClientCredFlowParams() throws Exception {
	FakeHttpServletRequest req = new FakeHttpServletRequest(
	"http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
	+ "&grant_type=client_credentials&client_secret="
	+ CLIENT_CRED_SECRET);
	req.setMethod("POST");
	req.setServletPath("/oauth2");
	req.setPathInfo("/access_token");
	HttpServletResponse resp = mock(HttpServletResponse.class);
	resp.setStatus(HttpServletResponse.SC_OK);
	MockServletOutputStream outputStream = new MockServletOutputStream();
	EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
	PrintWriter writer = new PrintWriter(outputStream);
	EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
	replay();
	servlet.service(req, resp);
	writer.flush();

	JSONObject tokenResponse = new JSONObject(new String(
	outputStream.getBuffer(), "UTF-8"));

	assertEquals("bearer", tokenResponse.getString("token_type"));
	assertNotNull(tokenResponse.getString("access_token"));
	assertTrue(tokenResponse.getLong("expires_in") > 0);
	verify();
	}

	/**
	* Test attempting to get access token via GET request
	*/
	@Test
	public void testGetAccessTokenBadMethodType() throws Exception {
	FakeHttpServletRequest req = new FakeHttpServletRequest(
	"http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
	+ "&grant_type=client_credentials&client_secret="
	+ CLIENT_CRED_SECRET);
	req.setMethod("GET");
	req.setServletPath("/oauth2");
	req.setPathInfo("/access_token");

	HttpServletResponse resp = mock(HttpServletResponse.class);
	resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " +
	"when making access token requests.");

	replay();
	servlet.service(req, resp);

	verify();
	}

	}