diff --git a/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java b/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java
index 037e281..e975636 100644
--- a/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java
+++ b/src/test/java/fr/insee/keycloak/providers/agentconnect/AgentConnectIdentityProviderTest.java
@@ -49,8 +49,9 @@ void setup() throws IOException {
 
 httpClientProvider = mock(HttpClientProvider.class);
 httpClient = mock(CloseableHttpClient.class);
- when(httpClientProvider.get(config.getJwksUrl()))
- .thenAnswer(answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray()));
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+ when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
 
 session = givenKeycloakSession(httpClientProvider, httpClient);
 provider = new AgentConnectIdentityProvider(session, config);
@@ -107,10 +108,16 @@ void should_throw_exception_when_no_public_key_found_in_json_web_key_set_for_asy
 }
 
 @Test
- void should_validate_rs256_signed_token() {
+ void should_validate_rs256_signed_token() throws IOException {
 var kid = "RSA-KID";
+ var encodedToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
+
 // JWKS Reload should find the publicKey added by the givenAnRSA method
- var token = provider.validateToken(givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
+ var token = provider.validateToken(encodedToken);
 
 assertThat(token).isNotNull();
 assertThat(token.getSubject()).isEqualTo("fakeSub");
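Review bot: The setup stub `when(httpClientProvider.getString(config.getJwksUrl())).thenReturn(publicKeysStore.toJsonFormat())` evaluates `toJsonFormat()` once at stubbing time, so the mocked JWKS is a snapshot taken before any test registers its key, which is why every test in this commit now has to re-stub the same call after its `givenAn…WithRegisteredKidInJWKS` helper. Keeping the lazy form the removed lines used, `when(httpClientProvider.getString(config.getJwksUrl())).thenAnswer(answer -> publicKeysStore.toJsonFormat());`, would let the JWKS reload see the freshly added key and make all the per-test `// set request with uptated keystore` blocks (and their "uptated" typo) unnecessary; the same applies to the FranceConnectIdentityProviderTest setup hunk and its per-test re-stubs. `thenCallRealMethod()` on the mocked `getMaxConsumedResponseSize()` only works if HttpClientProvider ships a concrete (e.g. default) implementation of that method; if it is abstract on the interface in the Keycloak version in use, Mockito fails at stubbing time, so this is worth confirming against the dependency. The trailing-dot continuation `when(...).` / `thenReturn(...)` also departs from the leading-dot chaining the removed lines used.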
@@ -120,10 +127,17 @@ void should_validate_rs256_signed_token() {
 }
 
 @Test
- void should_validate_es256_signed_token() {
+ void should_validate_es256_signed_token() throws IOException {
 var kid = "ECDSA-KID";
- // JWKS Reload should find the publicKey added by the givenAnECDSA method
- var token = provider.validateToken(givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));
+
+ var encodedToken = givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
+
+ // JWKS Reload should find the publicKey added by the givenAnRSA method
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
+ var token = provider.validateToken(encodedToken);
 
 assertThat(token).isNotNull();
 assertThat(token.getSubject()).isEqualTo("fakeSub");
@@ -148,11 +162,15 @@ void setup() throws IOException {
 }
 
 @Test
- void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() {
+ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() throws IOException {
 var kid = "RSA-KID";
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var signedIdToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdToken);
 var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
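Review bot: The new comment in should_validate_es256_signed_token, `// JWKS Reload should find the publicKey added by the givenAnRSA method`, is copied from the RS256 test and is wrong here: this test registers its key through givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS, so it should read `// JWKS Reload should find the publicKey added by the givenAnECDSA method`, as the removed line did. With the eager `thenReturn` stub in setup, it is the re-stub placed after the helper call, not the reload by itself, that makes the unknown-kid path find the key, and the comment would be more useful if it said so.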
@@ -166,11 +184,15 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
 }
 
 @Test
- void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() {
+ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() throws IOException {
 var kid = "RSA-KID";
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var signedIdTokenWithEidas1 = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithEidas1);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -179,11 +201,15 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
 }
 
 @Test
- void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
+ void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws IOException {
 var kid = "RSA-KID";
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -192,11 +218,15 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
 }
 
 @Test
- void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() {
+ void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() throws IOException {
 var kid = "RSA-KID";
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
diff --git a/src/test/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java b/src/test/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java
index 38092ad..d0ab4c7 100644
--- a/src/test/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java
+++ b/src/test/java/fr/insee/keycloak/providers/franceconnect/FranceConnectIdentityProviderTest.java
@@ -55,10 +55,9 @@ void setup() throws IOException {
 
 httpClientProvider = mock(HttpClientProvider.class);
 httpClient = mock(CloseableHttpClient.class);
- when(httpClientProvider.get(config.getJwksUrl()))
- .thenAnswer(
- answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray())
- );
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+ when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
 
 session = givenKeycloakSession(httpClientProvider, httpClient);
 provider = new FranceConnectIdentityProvider(session, config);
@@ -66,7 +65,7 @@ void setup() throws IOException {
 
 @Test
 void should_load_jwks_from_jwks_url_when_configuration_supports_jwks() throws IOException {
- verify(httpClientProvider, times(1)).get(config.getJwksUrl());
+ verify(httpClientProvider, times(1)).getString(config.getJwksUrl());
 
 var noJWKSSupportsConfig = givenConfigForIntegrationV1AndEidasLevel2();
 var httpClientProvider = mock(HttpClientProvider.class);
@@ -158,9 +157,15 @@ void should_search_in_vault_for_secret_key_on_hs256_token_validation() {
 }
 
 @Test
- void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() {
+ void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() throws IOException {
+ var encodedToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey);
+
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var token = provider.validateToken(
- givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey)
+ encodedToken
 );
 
 assertThat(token).isNotNull();
@@ -237,6 +242,10 @@ void should_extract_information_from_JWE_userinfo_endpoint_response_for_eidas2_a
 
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
 assertThat(brokeredIdentityContext).isNotNull();
@@ -264,6 +273,10 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
@@ -292,6 +305,10 @@ void should_extract_information_from_JWT_userinfo_endpoint_response_for_eidas1()
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var jweIdToken = SignatureUtils.givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
@@ -317,6 +334,10 @@ void should_extract_information_from_userinfo_endpoint_response_for_json_media_t
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);
 var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
 
@@ -349,6 +370,10 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
 givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore)
 );
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithEidas1);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -369,6 +394,10 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws I
 when(httpClient.execute(any()))
 .thenAnswer(answer -> httpResponse);
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var kid = "ECDSA-KID";
 var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
 var jweIdTokenWithoutEidasLevel = givenAnRSAOAEPJWE(
@@ -376,6 +405,9 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws I
 givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore)
 );
 
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
@@ -403,6 +435,10 @@ void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_
 givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore)
 );
 
+ // set request with uptated keystore
+ when(httpClientProvider.getString(config.getJwksUrl())).
+ thenReturn(publicKeysStore.toJsonFormat());
+
 var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);
 
 assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
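Review bot: In should_throw_exception_when_id_token_does_not_contains_acr_claim the JWKS response is stubbed twice: the first `when(httpClientProvider.getString(config.getJwksUrl())).thenReturn(publicKeysStore.toJsonFormat())` (right after the `httpClient.execute` stub) runs before givenAnECDSASignedJWTWithRegisteredKidInJWKS adds the ECDSA key, so its snapshot cannot contain the kid the token will carry, and the second stub after the JWE is built replaces it anyway. The first block is dead setup and should be removed, leaving only the one after the token is generated; that second block is also the only re-stub in the commit without the explanatory comment. Because this test asserts only that getFederatedIdentity throws, a JWKS snapshot missing the kid could make it pass for the wrong reason (unknown key instead of missing acr claim), so if the assertion does not already check the exception message it is worth adding one. The enclosing method starts before the hunk.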