mirror of
https://github.com/google/nomulus.git
synced 2025-05-06 23:17:51 +02:00
2353bcd8c5
This is the second step of migrating to our new XSRF token format. The first step ([] made validate() start accepting new tokens (basically, dual-read). This step cuts over our "writing" to write the new token format. The third and final step will drop support for validating the old token format (back to single-read). We'll do that in a subsequent push so that we don't invalidate all the current XSRF tokens that people might have in their browsers. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=149790648
459 lines
17 KiB
Java
459 lines
17 KiB
Java
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.request.auth;
|
|
|
|
import static com.google.common.net.HttpHeaders.AUTHORIZATION;
|
|
import static com.google.common.truth.Truth.assertThat;
|
|
import static org.mockito.Mockito.mock;
|
|
import static org.mockito.Mockito.verifyZeroInteractions;
|
|
import static org.mockito.Mockito.when;
|
|
|
|
import com.google.appengine.api.users.User;
|
|
import com.google.appengine.api.users.UserService;
|
|
import com.google.common.base.Optional;
|
|
import com.google.common.collect.ImmutableList;
|
|
import com.google.common.collect.ImmutableSet;
|
|
import google.registry.request.Action;
|
|
import google.registry.security.XsrfTokenManager;
|
|
import google.registry.testing.AppEngineRule;
|
|
import google.registry.testing.ExceptionRule;
|
|
import google.registry.testing.FakeClock;
|
|
import google.registry.testing.FakeOAuthService;
|
|
import google.registry.testing.FakeUserService;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import org.junit.Before;
|
|
import org.junit.Rule;
|
|
import org.junit.Test;
|
|
import org.junit.runner.RunWith;
|
|
import org.junit.runners.JUnit4;
|
|
|
|
/** Unit tests for {@link RequestAuthenticator}. */
|
|
@RunWith(JUnit4.class)
|
|
public class RequestAuthenticatorTest {
|
|
|
|
@Rule
|
|
public final AppEngineRule appEngine = AppEngineRule.builder().build();
|
|
|
|
@Rule
|
|
public final ExceptionRule thrown = new ExceptionRule();
|
|
|
|
@Action(
|
|
path = "/auth/none",
|
|
auth = @Auth(
|
|
methods = {Auth.AuthMethod.INTERNAL},
|
|
minimumLevel = AuthLevel.NONE,
|
|
userPolicy = Auth.UserPolicy.IGNORED),
|
|
method = Action.Method.GET)
|
|
public static class AuthNone {}
|
|
|
|
@Action(
|
|
path = "/auth/internalOnly",
|
|
auth = @Auth(minimumLevel = AuthLevel.APP),
|
|
method = Action.Method.GET)
|
|
public static class AuthInternalOnly {}
|
|
|
|
@Action(
|
|
path = "/auth/anyUserAnyMethod",
|
|
auth = @Auth(
|
|
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
|
|
minimumLevel = AuthLevel.USER,
|
|
userPolicy = Auth.UserPolicy.PUBLIC),
|
|
method = Action.Method.GET)
|
|
public static class AuthAnyUserAnyMethod {}
|
|
|
|
@Action(
|
|
path = "/auth/anyUserNoLegacy",
|
|
auth = @Auth(
|
|
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
|
|
minimumLevel = AuthLevel.USER,
|
|
userPolicy = Auth.UserPolicy.PUBLIC),
|
|
method = Action.Method.GET)
|
|
public static class AuthAnyUserNoLegacy {}
|
|
|
|
@Action(
|
|
path = "/auth/adminUserAnyMethod",
|
|
auth = @Auth(
|
|
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY},
|
|
minimumLevel = AuthLevel.USER,
|
|
userPolicy = Auth.UserPolicy.ADMIN),
|
|
method = Action.Method.GET)
|
|
public static class AuthAdminUserAnyMethod {}
|
|
|
|
@Action(
|
|
path = "/auth/noMethods",
|
|
auth = @Auth(methods = {}))
|
|
public static class AuthNoMethods {}
|
|
|
|
@Action(
|
|
path = "/auth/missingInternal",
|
|
auth = @Auth(methods = {Auth.AuthMethod.API, Auth.AuthMethod.LEGACY}))
|
|
public static class AuthMissingInternal {}
|
|
|
|
@Action(
|
|
path = "/auth/wrongMethodOrdering",
|
|
auth = @Auth(methods = {Auth.AuthMethod.API, Auth.AuthMethod.INTERNAL}))
|
|
public static class AuthWrongMethodOrdering {}
|
|
|
|
@Action(
|
|
path = "/auth/duplicateMethods",
|
|
auth = @Auth(methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.API}))
|
|
public static class AuthDuplicateMethods {}
|
|
|
|
@Action(
|
|
path = "/auth/internalWithUser",
|
|
auth = @Auth(methods = {Auth.AuthMethod.INTERNAL}, minimumLevel = AuthLevel.USER))
|
|
public static class AuthInternalWithUser {}
|
|
|
|
@Action(
|
|
path = "/auth/wronglyIgnoringUser",
|
|
auth = @Auth(
|
|
methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
|
|
userPolicy = Auth.UserPolicy.IGNORED))
|
|
public static class AuthWronglyIgnoringUser {}
|
|
|
|
private final UserService mockUserService = mock(UserService.class);
|
|
private final HttpServletRequest req = mock(HttpServletRequest.class);
|
|
|
|
private final User testUser = new User("test@google.com", "test@google.com");
|
|
private final FakeUserService fakeUserService = new FakeUserService();
|
|
private final XsrfTokenManager xsrfTokenManager =
|
|
new XsrfTokenManager(new FakeClock(), fakeUserService);
|
|
private final FakeOAuthService fakeOAuthService = new FakeOAuthService(
|
|
false /* isOAuthEnabled */,
|
|
testUser,
|
|
false /* isUserAdmin */,
|
|
"test-client-id",
|
|
ImmutableList.of("test-scope1", "test-scope2", "nontest-scope"));
|
|
|
|
@Before
|
|
public void before() throws Exception {
|
|
when(req.getMethod()).thenReturn("POST");
|
|
}
|
|
|
|
private RequestAuthenticator createRequestAuthenticator(UserService userService) {
|
|
return new RequestAuthenticator(
|
|
new AppEngineInternalAuthenticationMechanism(),
|
|
ImmutableList.<AuthenticationMechanism>of(
|
|
new OAuthAuthenticationMechanism(
|
|
fakeOAuthService,
|
|
ImmutableSet.of("test-scope1", "test-scope2", "test-scope3"),
|
|
ImmutableSet.of("test-scope1", "test-scope2"),
|
|
ImmutableSet.of("test-client-id", "other-test-client-id"))),
|
|
new LegacyAuthenticationMechanism(userService, xsrfTokenManager));
|
|
}
|
|
|
|
private Optional<AuthResult> runTest(UserService userService, Class<?> clazz) {
|
|
return createRequestAuthenticator(userService)
|
|
.authorize(clazz.getAnnotation(Action.class).auth(), req);
|
|
}
|
|
|
|
@Test
|
|
public void testNoAuthNeeded_noneFound() throws Exception {
|
|
Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
|
|
|
|
verifyZeroInteractions(mockUserService);
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.NONE);
|
|
}
|
|
|
|
@Test
|
|
public void testNoAuthNeeded_internalFound() throws Exception {
|
|
when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
|
|
|
|
Optional<AuthResult> authResult = runTest(mockUserService, AuthNone.class);
|
|
|
|
verifyZeroInteractions(mockUserService);
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
|
|
assertThat(authResult.get().userAuthInfo()).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testInternalAuth_notInvokedInternally() throws Exception {
|
|
Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
|
|
|
|
verifyZeroInteractions(mockUserService);
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testInternalAuth_success() throws Exception {
|
|
when(req.getHeader("X-AppEngine-QueueName")).thenReturn("__cron");
|
|
|
|
Optional<AuthResult> authResult = runTest(mockUserService, AuthInternalOnly.class);
|
|
|
|
verifyZeroInteractions(mockUserService);
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.APP);
|
|
assertThat(authResult.get().userAuthInfo()).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAnyUserAnyMethod_notLoggedIn() throws Exception {
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAnyUserAnyMethod_xsrfFailure() throws Exception {
|
|
fakeUserService.setUser(testUser, false);
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAnyUserAnyMethod_success() throws Exception {
|
|
fakeUserService.setUser(testUser, false /* isAdmin */);
|
|
when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
|
|
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAnyUserAnyMethod_xsrfNotRequiredForGet() throws Exception {
|
|
fakeUserService.setUser(testUser, false);
|
|
when(req.getMethod()).thenReturn("GET");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAdminUserAnyMethod_notLoggedIn() throws Exception {
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAdminUserAnyMethod_notAdminUser() throws Exception {
|
|
fakeUserService.setUser(testUser, false /* isAdmin */);
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAdminUserAnyMethod_xsrfFailure() throws Exception {
|
|
fakeUserService.setUser(testUser, true);
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testAdminUserAnyMethod_success() throws Exception {
|
|
fakeUserService.setUser(testUser, true /* isAdmin */);
|
|
when(req.getHeader(XsrfTokenManager.X_CSRF_TOKEN))
|
|
.thenReturn(xsrfTokenManager.generateToken(testUser.getEmail()));
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAdminUserAnyMethod.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isTrue();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testOAuth_success() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
|
.containsAllOf("test-scope1", "test-scope2");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
|
.isEqualTo("test-client-id");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
|
.isEqualTo("TOKEN");
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthAdmin_success() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setUserAdmin(true);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isTrue();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
|
.containsAllOf("test-scope1", "test-scope2");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
|
.isEqualTo("test-client-id");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
|
.isEqualTo("TOKEN");
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthMissingAuthenticationToken_failure() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthClientIdMismatch_failure() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
fakeOAuthService.setClientId("wrong-client-id");
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthNoScopes_failure() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
fakeOAuthService.setAuthorizedScopes();
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthMissingScope_failure() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope3");
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testOAuthExtraScope_success() throws Exception {
|
|
fakeOAuthService.setUser(testUser);
|
|
fakeOAuthService.setOAuthEnabled(true);
|
|
fakeOAuthService.setAuthorizedScopes("test-scope1", "test-scope2", "test-scope3");
|
|
when(req.getHeader(AUTHORIZATION)).thenReturn("Bearer TOKEN");
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isPresent();
|
|
assertThat(authResult.get().authLevel()).isEqualTo(AuthLevel.USER);
|
|
assertThat(authResult.get().userAuthInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().user()).isEqualTo(testUser);
|
|
assertThat(authResult.get().userAuthInfo().get().isUserAdmin()).isFalse();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo()).isPresent();
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().authorizedScopes())
|
|
.containsAllOf("test-scope1", "test-scope2", "test-scope3");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().oauthClientId())
|
|
.isEqualTo("test-client-id");
|
|
assertThat(authResult.get().userAuthInfo().get().oauthTokenInfo().get().rawAccessToken())
|
|
.isEqualTo("TOKEN");
|
|
}
|
|
|
|
@Test
|
|
public void testAnyUserNoLegacy_failureWithLegacyUser() throws Exception {
|
|
fakeUserService.setUser(testUser, false /* isAdmin */);
|
|
|
|
Optional<AuthResult> authResult = runTest(fakeUserService, AuthAnyUserNoLegacy.class);
|
|
|
|
assertThat(authResult).isAbsent();
|
|
}
|
|
|
|
@Test
|
|
public void testNoMethods_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class, "Must specify at least one auth method");
|
|
|
|
runTest(fakeUserService, AuthNoMethods.class);
|
|
}
|
|
|
|
@Test
|
|
public void testMissingInternal_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class,
|
|
"Auth method INTERNAL must always be specified, and as the first auth method");
|
|
|
|
runTest(fakeUserService, AuthMissingInternal.class);
|
|
}
|
|
|
|
@Test
|
|
public void testWrongMethodOrdering_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class,
|
|
"Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY");
|
|
|
|
runTest(fakeUserService, AuthWrongMethodOrdering.class);
|
|
}
|
|
|
|
@Test
|
|
public void testDuplicateMethods_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class,
|
|
"Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY");
|
|
|
|
runTest(fakeUserService, AuthDuplicateMethods.class);
|
|
}
|
|
|
|
@Test
|
|
public void testInternalWithUser_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class,
|
|
"Actions with only INTERNAL auth may not require USER auth level");
|
|
|
|
runTest(fakeUserService, AuthInternalWithUser.class);
|
|
}
|
|
|
|
@Test
|
|
public void testWronglyIgnoringUser_failure() throws Exception {
|
|
thrown.expect(IllegalArgumentException.class,
|
|
"Actions with auth methods beyond INTERNAL must not specify the IGNORED user policy");
|
|
|
|
runTest(fakeUserService, AuthWronglyIgnoringUser.class);
|
|
}
|
|
}
|