ensure server is using localhost when no address i specified. add more tests, including verifying tokens issued by the server

Author: tommytroen

src/main/kotlin/no/nav/security/mock/oauth2/MockOAuth2Server.kt

@@ -22,29 +22,28 @@ import okhttp3.mockwebserver.MockResponse
 import okhttp3.mockwebserver.MockWebServer
 import okhttp3.mockwebserver.RecordedRequest
 import java.io.IOException
-import java.net.InetSocketAddress
+import java.net.InetAddress
 import java.net.URI
 import java.util.concurrent.BlockingQueue
 import java.util.concurrent.LinkedBlockingQueue
 
 private val log = KotlinLogging.logger {}
 
+// TODO make open so others can extend?
 class MockOAuth2Server(
     val config: OAuth2Config = OAuth2Config()
 ) {
     private val mockWebServer: MockWebServer = MockWebServer()
 
     var dispatcher: Dispatcher = MockOAuth2Dispatcher(config)
 
-    fun start() {
-        mockWebServer.start()
-        mockWebServer.dispatcher = dispatcher
-    }
+    @Throws(IOException::class)
+    @JvmOverloads
+    fun start(port: Int = 0) = start(InetAddress.getByName("localhost"), port)
 
-    fun start(port: Int = 0) {
-        val address = InetSocketAddress(0).address
-        log.info("attempting to start server on port $port and InetAddress=$address")
-        mockWebServer.start(address, port)
+    @Throws(IOException::class)
+    fun start(inetAddress: InetAddress, port: Int) {
+        mockWebServer.start(inetAddress, port)
         mockWebServer.dispatcher = dispatcher
     }
 

src/main/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2Server.kt

@@ -6,6 +6,7 @@ import com.natpryce.konfig.Key
 import com.natpryce.konfig.intType
 import com.natpryce.konfig.overriding
 import com.natpryce.konfig.stringType
+import java.net.InetSocketAddress
 
 private val config = ConfigurationProperties.systemProperties() overriding
         EnvironmentVariables()
@@ -21,9 +22,10 @@ data class Configuration(
 
 fun main() {
     val config = Configuration()
+    // TODO check if ok in docker compose
     MockOAuth2Server(
         OAuth2Config(
             interactiveLogin = true
         )
-    ).start(config.server.port)
+    ).start(InetSocketAddress(0).address, config.server.port)
 }

src/test/kotlin/no/nav/security/mock/oauth2/MockOAuth2ServerTest.kt

@@ -2,9 +2,14 @@ package no.nav.security.mock.oauth2
 
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.fasterxml.jackson.module.kotlin.readValue
+import com.nimbusds.jose.jwk.JWKSet
+import com.nimbusds.jwt.JWTClaimsSet
 import com.nimbusds.jwt.SignedJWT
 import com.nimbusds.oauth2.sdk.GrantType
+import com.nimbusds.oauth2.sdk.id.Issuer
+import no.nav.security.mock.oauth2.extensions.verifySignatureAndIssuer
 import no.nav.security.mock.oauth2.http.OAuth2TokenResponse
+import no.nav.security.mock.oauth2.http.WellKnown
 import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.Credentials
@@ -52,6 +57,31 @@ class MockOAuth2ServerTest {
         interactiveLoginServer.shutdown()
     }
 
+    @Test
+    fun startServerWithFixedPort() {
+        val serverWithFixedPort = MockOAuth2Server()
+        serverWithFixedPort.start(1234)
+        val wellKnown: WellKnown = assertWellKnownResponseForIssuer(serverWithFixedPort, "default")
+
+        val tokenIssuedDirectlyFromServer: SignedJWT = serverWithFixedPort.issueToken("default", "yo", DefaultOAuth2TokenCallback())
+        assertThat(tokenIssuedDirectlyFromServer.verifySignatureAndIssuer(Issuer(wellKnown.issuer), retrieveJwks(wellKnown.jwksUri))).isNotNull
+
+        val authCodeTokenResponse: Response = client.newCall(
+            authCodeTokenRequest(
+                wellKnown.tokenEndpoint.toHttpUrlOrNull()!!,
+                "client",
+                "someredirect",
+                "scope1",
+                "123"
+            )
+        ).execute()
+
+        val tokenResponse: OAuth2TokenResponse = jacksonObjectMapper().readValue(authCodeTokenResponse.body!!.string())
+        val tokenFromAuthCode: SignedJWT = tokenResponse.idToken!!.let { SignedJWT.parse(it) }
+        assertThat(tokenFromAuthCode.verifySignatureAndIssuer(Issuer(wellKnown.issuer), retrieveJwks(wellKnown.jwksUri))).isNotNull
+        serverWithFixedPort.shutdown()
+    }
+
     @Test
     fun wellKnownUrlForMultipleIssuers() {
         assertWellKnownResponseForIssuer("default")
@@ -62,9 +92,10 @@ class MockOAuth2ServerTest {
     @Test
     fun enqueuedResponse() {
         assertWellKnownResponseForIssuer("default")
-        server.enqueueResponse(MockResponse()
-            .setResponseCode(200)
-            .setBody("some body")
+        server.enqueueResponse(
+            MockResponse()
+                .setResponseCode(200)
+                .setBody("some body")
         )
         val request: Request = Request.Builder()
             .url(server.url("/someurl"))
@@ -281,6 +312,52 @@ class MockOAuth2ServerTest {
         assertThat(accessToken.jwtClaimsSet.issuer).endsWith("default")
     }
 
+    @Test
+    fun issueTokenDirectlyFromMockOAuth2Server() {
+        val signedJWT: SignedJWT = server.issueToken(
+            "default", "client1", DefaultOAuth2TokenCallback(
+                issuerId = "default",
+                subject = "mysub",
+                audience = "muyaud",
+                claims = mapOf("someclaim" to "claimvalue")
+            )
+        )
+        val wellKnownResponseBody = assertWellKnownResponseForIssuer("default")!!
+        val wellKnown: WellKnown = jacksonObjectMapper().readValue(wellKnownResponseBody)
+        val jwkSet: JWKSet = retrieveJwks(wellKnown.jwksUri)
+        val jwtClaimsSet: JWTClaimsSet = signedJWT.verifySignatureAndIssuer(Issuer(wellKnown.issuer), jwkSet)
+        assertThat(jwtClaimsSet.issuer).isEqualTo(wellKnown.issuer)
+        assertThat(jwtClaimsSet.subject).isEqualTo("mysub")
+        assertThat(jwtClaimsSet.audience).containsExactly("muyaud")
+        assertThat(jwtClaimsSet.getClaim("someclaim")).isEqualTo("claimvalue")
+    }
+
+    private fun retrieveJwks(jwksUri: String): JWKSet {
+        return client.newCall(
+            Request.Builder()
+                .url(jwksUri)
+                .get()
+                .build()
+        ).execute().body?.string()?.let {
+            JWKSet.parse(it)
+        } ?: throw RuntimeException("could not retrieve jwks")
+    }
+
+    private fun assertWellKnownResponseForIssuer(mockOAuth2Server: MockOAuth2Server, issuerId: String): WellKnown {
+        val wellKnownResponse: Response = client.newCall(
+            Request.Builder()
+                .url(mockOAuth2Server.wellKnownUrl(issuerId))
+                .get()
+                .build()
+        ).execute()
+        val wellKnown: WellKnown = jacksonObjectMapper().readValue(wellKnownResponse.body!!.string())
+        assertThat(wellKnown.issuer).isEqualTo(mockOAuth2Server.issuerUrl(issuerId).toString())
+        assertThat(wellKnown.authorizationEndpoint).isEqualTo(mockOAuth2Server.authorizationEndpointUrl(issuerId).toString())
+        assertThat(wellKnown.tokenEndpoint).isEqualTo(mockOAuth2Server.tokenEndpointUrl(issuerId).toString())
+        assertThat(wellKnown.jwksUri).isEqualTo(mockOAuth2Server.jwksUrl(issuerId).toString())
+        return wellKnown
+    }
+
     private fun assertWellKnownResponseForIssuer(issuerId: String): String? {
         val request: Request = Request.Builder()
             .url(server.wellKnownUrl(issuerId))

src/test/kotlin/no/nav/security/mock/oauth2/examples/AbstractExampleApp.kt

@@ -105,7 +105,7 @@ abstract class AbstractExampleApp(oauth2DiscoveryUrl: String) {
 
     fun json(value: Any): MockResponse = MockResponse()
         .setResponseCode(200)
-        .setHeader("Content-Type","application/json")
+        .setHeader("Content-Type", "application/json")
         .setBody(ObjectMapper().writeValueAsString(value))
 
     abstract fun handleRequest(request: RecordedRequest): MockResponse