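/**
 * Exchanging an authorization code the server never issued must be refused with
 * HTTP 400 and the OAuth 2.0 error code {@code invalid_grant} (RFC 6749 section 5.2).
 *
 * <p>No client_secret is sent here; PUBLIC_CLIENT_ID is presumably a public client, so
 * only the code and redirect_uri are what the servlet can check.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadAuthCode() throws Exception {
  String params = "client_id=" + PUBLIC_CLIENT_ID
      + "&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(REDIRECT_URI, "UTF-8")
      + "&code=BAD-CODE-OMG";
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("invalid_grant", tokenResponse.getString("error"));
  verify();
}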
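/**
 * Exchanging an authorization code the server never issued must be refused with
 * HTTP 400 and the OAuth 2.0 error code {@code invalid_grant} (RFC 6749 section 5.2).
 *
 * <p>No client_secret is sent here; PUBLIC_CLIENT_ID is presumably a public client, so
 * only the code and redirect_uri are what the servlet can check.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadAuthCode() throws Exception {
  String params = "client_id=" + PUBLIC_CLIENT_ID
      + "&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(REDIRECT_URI, "UTF-8")
      + "&code=BAD-CODE-OMG";
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("invalid_grant", tokenResponse.getString("error"));
  verify();
}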
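/**
 * A token request with an unknown grant_type must be refused with HTTP 400 and the
 * OAuth 2.0 error code {@code unsupported_grant_type} (RFC 6749 section 5.2), even though
 * the client id, redirect_uri and code are otherwise the valid PUBLIC_* fixtures.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadGrantType() throws Exception {
  String params = "client_id=" + PUBLIC_CLIENT_ID
      + "&grant_type=BAD_GRANT&redirect_uri="
      + URLEncoder.encode(REDIRECT_URI, "UTF-8")
      + "&code=" + PUBLIC_AUTH_CODE;
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("unsupported_grant_type", tokenResponse.getString("error"));
  verify();
}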
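/**
 * A token request naming a client id that is not registered must be refused with
 * HTTP 400 and the OAuth 2.0 error code {@code invalid_client} (RFC 6749 section 5.2).
 * The code and redirect_uri are the valid PUBLIC_* fixtures, so the client id is the
 * only thing wrong with the request.
 *
 * <p>RFC 6749 also allows 401 plus a WWW-Authenticate header for invalid_client when the
 * client authenticated via the Authorization header; that variant is not covered here.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadClient() throws Exception {
  String params = "client_id=BAD_CLIENT&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(REDIRECT_URI, "UTF-8")
      + "&code=" + PUBLIC_AUTH_CODE;
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("invalid_client", tokenResponse.getString("error"));
  verify();
}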
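/**
 * A token request naming a client id that is not registered must be refused with
 * HTTP 400 and the OAuth 2.0 error code {@code invalid_client} (RFC 6749 section 5.2).
 * The code and redirect_uri are the valid PUBLIC_* fixtures, so the client id is the
 * only thing wrong with the request.
 *
 * <p>RFC 6749 also allows 401 plus a WWW-Authenticate header for invalid_client when the
 * client authenticated via the Authorization header; that variant is not covered here.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadClient() throws Exception {
  String params = "client_id=BAD_CLIENT&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(REDIRECT_URI, "UTF-8")
      + "&code=" + PUBLIC_AUTH_CODE;
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("invalid_client", tokenResponse.getString("error"));
  verify();
}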
req.setMethod("POST"); req.setServletPath("/oauth2"); req.setPathInfo("/access_token"); HttpServletResponse resp = mock(HttpServletResponse.class); resp.setStatus(HttpServletResponse.SC_OK);
req.setMethod("POST"); req.setServletPath("/oauth2"); req.setPathInfo("/access_token"); HttpServletResponse resp = mock(HttpServletResponse.class); resp.setStatus(HttpServletResponse.SC_OK);
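/**
 * Client-credentials grant with client_id and client_secret passed as request parameters
 * (the original description calls them URL parameters) instead of an Authorization header.
 * A successful exchange must answer 200 with a bearer token and a positive lifetime.
 *
 * <p>Security note: RFC 6749 section 2.3.1 says client credentials must not be carried in
 * the request URI, since URIs are routinely written to access logs and proxies; form body or
 * HTTP Basic is the expected transport. This test pins the servlet's current acceptance of
 * that form, so a later tightening would need this test revisited.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testClientCredFlowParams() throws Exception {
  String params = "client_id=" + CLIENT_CRED_CLIENT
      + "&grant_type=client_credentials&client_secret=" + CLIENT_CRED_SECRET;
  FakeHttpServletRequest req = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", params);
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 200.
  resp.setStatus(HttpServletResponse.SC_OK);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  JSONObject tokenResponse = new JSONObject(new String(outputStream.getBuffer(), "UTF-8"));
  assertEquals("bearer", tokenResponse.getString("token_type"));
  assertNotNull(tokenResponse.getString("access_token"));
  // expires_in is required for a bounded token lifetime; zero or negative would be a defect.
  assertTrue(tokenResponse.getLong("expires_in") > 0);
  verify();
}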
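/**
 * Client-credentials grant whose HTTP Basic Authorization header is malformed
 * ({@code Basic *^%#} is not valid base64) must be refused with HTTP 400 and a JSON body
 * that carries an {@code error} member. No credentials are sent as parameters, so the
 * broken header is the only authentication the servlet sees.
 *
 * <p>Only the presence of {@code error} is asserted; the specific error code is not pinned
 * here, unlike the other token-endpoint tests.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testClientCredFlowBadHeader() throws Exception {
  FakeHttpServletRequest req = new FakeHttpServletRequest(
      "http://localhost:8080", "/oauth2", "grant_type=client_credentials");
  req.setHeader("Authorization", "Basic *^%#");
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  String response = new String(outputStream.getBuffer(), "UTF-8");
  JSONObject respObj = new JSONObject(response);
  assertTrue(respObj.has("error"));
  verify();
}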
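/**
 * Client-credentials grant whose HTTP Basic Authorization header is malformed
 * ({@code Basic *^%#} is not valid base64) must be refused with HTTP 400 and a JSON body
 * that carries an {@code error} member. No credentials are sent as parameters, so the
 * broken header is the only authentication the servlet sees.
 *
 * <p>Only the presence of {@code error} is asserted; the specific error code is not pinned
 * here, unlike the other token-endpoint tests.
 *
 * @throws Exception on any setup, I/O or JSON failure (reported as a test error)
 */
@Test
public void testClientCredFlowBadHeader() throws Exception {
  FakeHttpServletRequest req = new FakeHttpServletRequest(
      "http://localhost:8080", "/oauth2", "grant_type=client_credentials");
  req.setHeader("Authorization", "Basic *^%#");
  req.setMethod("POST");
  req.setServletPath("/oauth2");
  req.setPathInfo("/access_token");

  HttpServletResponse resp = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails if the servlet does not answer 400.
  resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  MockServletOutputStream outputStream = new MockServletOutputStream();
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).anyTimes();
  // Encode the writer explicitly as UTF-8: PrintWriter(OutputStream) uses the platform
  // charset, which need not match the UTF-8 decode of the buffer below.
  PrintWriter writer = new PrintWriter(new java.io.OutputStreamWriter(outputStream, "UTF-8"));
  EasyMock.expect(resp.getWriter()).andReturn(writer).anyTimes();
  replay();

  servlet.service(req, resp);
  writer.flush();

  String response = new String(outputStream.getBuffer(), "UTF-8");
  JSONObject respObj = new JSONObject(response);
  assertTrue(respObj.has("error"));
  verify();
}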
req.setMethod("GET"); req.setServletPath("/oauth2"); req.setPathInfo("/authorize"); HttpServletResponse resp = mock(HttpServletResponse.class);
/**
 * Builds the fake REST request shared by the tests and stores it in {@code req}.
 *
 * <p>The request is rooted at {@code /social/rest}, carries the X-HTTP-Method-Override
 * parameter so the method-override handling can be exercised, and is authenticated via
 * the FAKE_GADGET_TOKEN security-token attribute. GET and HEAD requests get no body;
 * every other method gets an empty UTF-8 body.
 *
 * @param pathInfo       path below the servlet root (also used as the request's pathInfo)
 * @param actualMethod   HTTP method the request is sent with
 * @param overrideMethod value of the X-HTTP-Method-Override parameter
 * @throws IOException if the fake request cannot take the post data
 */
private void setupRequest(String pathInfo, String actualMethod, String overrideMethod)
    throws IOException {
  FakeHttpServletRequest request = new FakeHttpServletRequest("/social/rest", pathInfo, "");
  request.setPathInfo(pathInfo);
  request.setParameter(DataServiceServlet.X_HTTP_METHOD_OVERRIDE, overrideMethod);
  request.setCharacterEncoding("UTF-8");

  boolean bodyless = "GET".equals(actualMethod) || "HEAD".equals(actualMethod);
  if (!bodyless) {
    request.setPostData("", "UTF-8");
  }

  request.setMethod(actualMethod);
  request.setAttribute(AuthInfoUtil.Attribute.SECURITY_TOKEN.getId(), FAKE_GADGET_TOKEN);
  request.setContentType(ContentTypes.OUTPUT_JSON_CONTENT_TYPE);
  req = request;
}
/**
 * Builds the fake REST request shared by the tests and stores it in {@code req}.
 *
 * <p>The request is rooted at {@code /social/rest}, carries the X-HTTP-Method-Override
 * parameter so the method-override handling can be exercised, and is authenticated via
 * the FAKE_GADGET_TOKEN security-token attribute. GET and HEAD requests get no body;
 * every other method gets an empty UTF-8 body.
 *
 * @param pathInfo       path below the servlet root (also used as the request's pathInfo)
 * @param actualMethod   HTTP method the request is sent with
 * @param overrideMethod value of the X-HTTP-Method-Override parameter
 * @throws IOException if the fake request cannot take the post data
 */
private void setupRequest(String pathInfo, String actualMethod, String overrideMethod)
    throws IOException {
  FakeHttpServletRequest request = new FakeHttpServletRequest("/social/rest", pathInfo, "");
  request.setPathInfo(pathInfo);
  request.setParameter(DataServiceServlet.X_HTTP_METHOD_OVERRIDE, overrideMethod);
  request.setCharacterEncoding("UTF-8");

  boolean bodyless = "GET".equals(actualMethod) || "HEAD".equals(actualMethod);
  if (!bodyless) {
    request.setPostData("", "UTF-8");
  }

  request.setMethod(actualMethod);
  request.setAttribute(AuthInfoUtil.Attribute.SECURITY_TOKEN.getId(), FAKE_GADGET_TOKEN);
  request.setContentType(ContentTypes.OUTPUT_JSON_CONTENT_TYPE);
  req = request;
}
/**
 * Builds the fake REST request shared by the tests and stores it in {@code req}.
 *
 * <p>The request is rooted at {@code /social/rest}, carries the X-HTTP-Method-Override
 * parameter so the method-override handling can be exercised, and is authenticated via
 * the FAKE_GADGET_TOKEN security-token attribute. GET and HEAD requests get no body;
 * every other method gets an empty UTF-8 body.
 *
 * @param pathInfo       path below the servlet root (also used as the request's pathInfo)
 * @param actualMethod   HTTP method the request is sent with
 * @param overrideMethod value of the X-HTTP-Method-Override parameter
 * @throws IOException if the fake request cannot take the post data
 */
private void setupRequest(String pathInfo, String actualMethod, String overrideMethod)
    throws IOException {
  FakeHttpServletRequest request = new FakeHttpServletRequest("/social/rest", pathInfo, "");
  request.setPathInfo(pathInfo);
  request.setParameter(DataServiceServlet.X_HTTP_METHOD_OVERRIDE, overrideMethod);
  request.setCharacterEncoding("UTF-8");

  boolean bodyless = "GET".equals(actualMethod) || "HEAD".equals(actualMethod);
  if (!bodyless) {
    request.setPostData("", "UTF-8");
  }

  request.setMethod(actualMethod);
  request.setAttribute(AuthInfo.Attribute.SECURITY_TOKEN.getId(), FAKE_GADGET_TOKEN);
  request.setContentType(ContentTypes.OUTPUT_JSON_CONTENT_TYPE);
  req = request;
}
/**
 * Builds the fake REST request shared by the tests and stores it in {@code req}.
 *
 * <p>The request is rooted at {@code /social/rest}, carries the X-HTTP-Method-Override
 * parameter so the method-override handling can be exercised, and is authenticated via
 * the FAKE_GADGET_TOKEN security-token attribute. GET and HEAD requests get no body;
 * every other method gets an empty UTF-8 body.
 *
 * @param pathInfo       path below the servlet root (also used as the request's pathInfo)
 * @param actualMethod   HTTP method the request is sent with
 * @param overrideMethod value of the X-HTTP-Method-Override parameter
 * @throws IOException if the fake request cannot take the post data
 */
private void setupRequest(String pathInfo, String actualMethod, String overrideMethod)
    throws IOException {
  FakeHttpServletRequest request = new FakeHttpServletRequest("/social/rest", pathInfo, "");
  request.setPathInfo(pathInfo);
  request.setParameter(DataServiceServlet.X_HTTP_METHOD_OVERRIDE, overrideMethod);
  request.setCharacterEncoding("UTF-8");

  boolean bodyless = "GET".equals(actualMethod) || "HEAD".equals(actualMethod);
  if (!bodyless) {
    request.setPostData("", "UTF-8");
  }

  request.setMethod(actualMethod);
  request.setAttribute(AuthInfoUtil.Attribute.SECURITY_TOKEN.getId(), FAKE_GADGET_TOKEN);
  request.setContentType(ContentTypes.OUTPUT_JSON_CONTENT_TYPE);
  req = request;
}
/**
 * Builds the fake REST request shared by the tests and stores it in {@code req}.
 *
 * <p>The request is rooted at {@code /social/rest}, carries the X-HTTP-Method-Override
 * parameter so the method-override handling can be exercised, and is authenticated via
 * the FAKE_GADGET_TOKEN security-token attribute. GET and HEAD requests get no body;
 * every other method gets an empty UTF-8 body.
 *
 * @param pathInfo       path below the servlet root (also used as the request's pathInfo)
 * @param actualMethod   HTTP method the request is sent with
 * @param overrideMethod value of the X-HTTP-Method-Override parameter
 * @throws IOException if the fake request cannot take the post data
 */
private void setupRequest(String pathInfo, String actualMethod, String overrideMethod)
    throws IOException {
  FakeHttpServletRequest request = new FakeHttpServletRequest("/social/rest", pathInfo, "");
  request.setPathInfo(pathInfo);
  request.setParameter(DataServiceServlet.X_HTTP_METHOD_OVERRIDE, overrideMethod);
  request.setCharacterEncoding("UTF-8");

  boolean bodyless = "GET".equals(actualMethod) || "HEAD".equals(actualMethod);
  if (!bodyless) {
    request.setPostData("", "UTF-8");
  }

  request.setMethod(actualMethod);
  request.setAttribute(AuthInfo.Attribute.SECURITY_TOKEN.getId(), FAKE_GADGET_TOKEN);
  request.setContentType(ContentTypes.OUTPUT_JSON_CONTENT_TYPE);
  req = request;
}
/**
 * A token request sent with GET must be refused with 405 and the servlet's fixed message;
 * RFC 6749 section 3.2 requires POST for the token endpoint. The otherwise valid
 * client-credentials parameters must not rescue the request.
 *
 * @throws Exception on any setup or servlet failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadMethodType() throws Exception {
  // The client_secret travels in the query here; see RFC 6749 section 2.3.1 on why
  // credentials do not belong in the request URI.
  String query = "client_id=" + CLIENT_CRED_CLIENT
      + "&grant_type=client_credentials&client_secret=" + CLIENT_CRED_SECRET;
  FakeHttpServletRequest request = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", query);
  request.setMethod("GET");
  request.setServletPath("/oauth2");
  request.setPathInfo("/access_token");

  HttpServletResponse response = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails unless sendError is called with exactly these arguments.
  response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
      "The client MUST use the HTTP \"POST\" method when making access token requests.");
  replay();

  servlet.service(request, response);
  verify();
}
/**
 * A token request sent with GET must be refused with 405 and the servlet's fixed message;
 * RFC 6749 section 3.2 requires POST for the token endpoint. The otherwise valid
 * client-credentials parameters must not rescue the request.
 *
 * @throws Exception on any setup or servlet failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadMethodType() throws Exception {
  // The client_secret travels in the query here; see RFC 6749 section 2.3.1 on why
  // credentials do not belong in the request URI.
  String query = "client_id=" + CLIENT_CRED_CLIENT
      + "&grant_type=client_credentials&client_secret=" + CLIENT_CRED_SECRET;
  FakeHttpServletRequest request = new FakeHttpServletRequest("http://localhost:8080", "/oauth2", query);
  request.setMethod("GET");
  request.setServletPath("/oauth2");
  request.setPathInfo("/access_token");

  HttpServletResponse response = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails unless sendError is called with exactly these arguments.
  response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
      "The client MUST use the HTTP \"POST\" method when making access token requests.");
  replay();

  servlet.service(request, response);
  verify();
}
/**
 * A token request sent with GET must be refused with 405 and the servlet's fixed message;
 * RFC 6749 section 3.2 requires POST for the token endpoint. The request carries a valid
 * form-encoded authorization-code body (PUBLIC_* fixtures), so the method alone is what
 * is wrong.
 *
 * @throws Exception on any setup or servlet failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadMethodType() throws Exception {
  String formBody = "client_id=" + PUBLIC_CLIENT_ID
      + "&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(PUBLIC_REDIRECT_URI, "UTF-8")
      + "&code=" + PUBLIC_AUTH_CODE;
  FakeHttpServletRequest request = new FakeHttpServletRequest("http://localhost:8080/oauth2");
  request.setContentType("application/x-www-form-urlencoded");
  request.setPostData(formBody, "UTF-8");
  request.setMethod("GET");
  request.setServletPath("/oauth2");
  request.setPathInfo("/access_token");

  HttpServletResponse response = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails unless sendError is called with exactly these arguments.
  response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
      "The client MUST use the HTTP \"POST\" method when making access token requests.");
  replay();

  servlet.service(request, response);
  verify();
}
/**
 * A token request sent with GET must be refused with 405 and the servlet's fixed message;
 * RFC 6749 section 3.2 requires POST for the token endpoint. The request carries a valid
 * form-encoded authorization-code body (PUBLIC_* fixtures), so the method alone is what
 * is wrong.
 *
 * @throws Exception on any setup or servlet failure (reported as a test error)
 */
@Test
public void testGetAccessTokenBadMethodType() throws Exception {
  String formBody = "client_id=" + PUBLIC_CLIENT_ID
      + "&grant_type=authorization_code&redirect_uri="
      + URLEncoder.encode(PUBLIC_REDIRECT_URI, "UTF-8")
      + "&code=" + PUBLIC_AUTH_CODE;
  FakeHttpServletRequest request = new FakeHttpServletRequest("http://localhost:8080/oauth2");
  request.setContentType("application/x-www-form-urlencoded");
  request.setPostData(formBody, "UTF-8");
  request.setMethod("GET");
  request.setServletPath("/oauth2");
  request.setPathInfo("/access_token");

  HttpServletResponse response = mock(HttpServletResponse.class);
  // Recorded expectation: verify() fails unless sendError is called with exactly these arguments.
  response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
      "The client MUST use the HTTP \"POST\" method when making access token requests.");
  replay();

  servlet.service(request, response);
  verify();
}