Fix tests with kc 25

Signed-off-by: Clément Dufaure <[email protected]>
InseeFr · Sep 17, 2024 · e1bb49c · e1bb49c
1 parent e1d23c2
commit e1bb49c
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 18 deletions.
diff --git a/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java b/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java
@@ -49,8 +49,9 @@ void setup() throws IOException {
     httpClientProvider = mock(HttpClientProvider.class);
     httpClient = mock(CloseableHttpClient.class);
 
-    when(httpClientProvider.get(config.getJwksUrl()))
-        .thenAnswer(answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray()));
+    when(httpClientProvider.getString(config.getJwksUrl())).
+        thenReturn(publicKeysStore.toJsonFormat());
+    when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
     session = givenKeycloakSession(httpClientProvider, httpClient);
 
     provider = new AgentConnectIdentityProvider(session, config);
@@ -107,10 +108,16 @@ void should_throw_exception_when_no_public_key_found_in_json_web_key_set_for_asy
     }
 
     @Test
-    void should_validate_rs256_signed_token() {
+    void should_validate_rs256_signed_token() throws IOException {
       var kid = "RSA-KID";
+      var encodedToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
+
       // JWKS Reload should find the publicKey added by the givenAnRSA method
-      var token = provider.validateToken(givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
+      var token = provider.validateToken(encodedToken);
 
       assertThat(token).isNotNull();
       assertThat(token.getSubject()).isEqualTo("fakeSub");
@@ -120,10 +127,17 @@ void should_validate_rs256_signed_token() {
     }
 
     @Test
-    void should_validate_es256_signed_token() {
+    void should_validate_es256_signed_token() throws IOException {
       var kid = "ECDSA-KID";
-      // JWKS Reload should find the publicKey added by the givenAnECDSA method
-      var token = provider.validateToken(givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));
+
+      var encodedToken = givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
+
+      // JWKS Reload should find the publicKey added by the givenAnRSA method
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
+      var token = provider.validateToken(encodedToken);
 
       assertThat(token).isNotNull();
       assertThat(token.getSubject()).isEqualTo("fakeSub");
@@ -148,11 +162,15 @@ void setup() throws IOException {
     }
 
     @Test
-    void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() {
+    void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() throws IOException {
       var kid = "RSA-KID";
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var signedIdToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdToken);
 
       var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
@@ -166,11 +184,15 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
     }
 
     @Test
-    void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() {
+    void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() throws IOException {
       var kid = "RSA-KID";
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var signedIdTokenWithEidas1 = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithEidas1);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -179,11 +201,15 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
     }
 
     @Test
-    void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
+    void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws IOException {
       var kid = "RSA-KID";
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -192,11 +218,15 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
     }
 
     @Test
-    void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() {
+    void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() throws IOException {
       var kid = "RSA-KID";
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))

diff --git a/...est/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java b/...est/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java
@@ -55,18 +55,17 @@ void setup() throws IOException {
     httpClientProvider = mock(HttpClientProvider.class);
     httpClient = mock(CloseableHttpClient.class);
 
-    when(httpClientProvider.get(config.getJwksUrl()))
-        .thenAnswer(
-            answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray())
-        );
+    when(httpClientProvider.getString(config.getJwksUrl())).
+        thenReturn(publicKeysStore.toJsonFormat());
+    when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
     session = givenKeycloakSession(httpClientProvider, httpClient);
 
     provider = new FranceConnectIdentityProvider(session, config);
   }
 
   @Test
   void should_load_jwks_from_jwks_url_when_configuration_supports_jwks() throws IOException {
-    verify(httpClientProvider, times(1)).get(config.getJwksUrl());
+    verify(httpClientProvider, times(1)).getString(config.getJwksUrl());
 
     var noJWKSSupportsConfig = givenConfigForIntegrationV1AndEidasLevel2();
     var httpClientProvider = mock(HttpClientProvider.class);
@@ -158,9 +157,15 @@ void should_search_in_vault_for_secret_key_on_hs256_token_validation() {
     }
 
     @Test
-    void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() {
+    void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() throws IOException {
+      var encodedToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey);
+
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var token = provider.validateToken(
-          givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey)
+          encodedToken
       );
 
       assertThat(token).isNotNull();
@@ -237,6 +242,10 @@ void should_extract_information_from_JWE_userinfo_endpoint_response_for_eidas2_a
 
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
       assertThat(brokeredIdentityContext).isNotNull();
@@ -264,6 +273,10 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 
       var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
@@ -292,6 +305,10 @@ void should_extract_information_from_JWT_userinfo_endpoint_response_for_eidas1()
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var jweIdToken = SignatureUtils.givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 
       var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
@@ -317,6 +334,10 @@ void should_extract_information_from_userinfo_endpoint_response_for_json_media_t
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 
       var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
@@ -349,6 +370,10 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
           givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore)
       );
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithEidas1);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -369,13 +394,20 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws I
       when(httpClient.execute(any()))
           .thenAnswer(answer -> httpResponse);
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var kid = "ECDSA-KID";
       var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
       var jweIdTokenWithoutEidasLevel = givenAnRSAOAEPJWE(
           rsaKey,
           givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore)
       );
 
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -403,6 +435,10 @@ void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_
           givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore)
       );
 
+      // set request with uptated keystore
+      when(httpClientProvider.getString(config.getJwksUrl())).
+          thenReturn(publicKeysStore.toJsonFormat());
+
       var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);
 
       assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))