Add tests to oauth2-client

Fixes spring-projectsgh-4299

Author: jgrandja

oauth2/oauth2-client/spring-security-oauth2-client.gradle

@@ -9,5 +9,9 @@ dependencies {
 
 	optional project(':spring-security-oauth2-jose')
 
+	testCompile powerMock2Dependencies
+	testCompile 'com.squareup.okhttp3:mockwebserver'
+	testCompile 'com.fasterxml.jackson.core:jackson-databind'
+
 	provided 'javax.servlet:javax.servlet-api'
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClient.java

@@ -100,7 +100,9 @@ public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRe
 			httpRequest.setReadTimeout(30000);
 			tokenResponse = com.nimbusds.oauth2.sdk.TokenResponse.parse(httpRequest.send());
 		} catch (ParseException pe) {
-			throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE), pe);
+			OAuth2Error oauth2Error = new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE,
+				"An error occurred parsing the Access Token response: " + pe.getMessage(), null);
+			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), pe);
 		} catch (IOException ioe) {
 			throw new AuthenticationServiceException("An error occurred while sending the Access Token Request: " +
 					ioe.getMessage(), ioe);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java

@@ -262,7 +262,7 @@ private void validateIdToken(OidcIdToken idToken, ClientRegistration clientRegis
 		// 10. The iat Claim can be used to reject tokens that were issued too far away from the current time,
 		// limiting the amount of time that nonces need to be stored to prevent attacks.
 		// The acceptable range is Client specific.
-		Instant maxIssuedAt = now.plusSeconds(30);
+		Instant maxIssuedAt = Instant.now().plusSeconds(30);
 		if (issuedAt.isAfter(maxIssuedAt)) {
 			this.throwInvalidIdTokenException();
 		}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/NimbusUserInfoResponseClient.java

@@ -27,6 +27,7 @@
 import org.springframework.http.client.AbstractClientHttpResponse;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -57,7 +58,7 @@ <T> T getUserInfoResponse(OAuth2UserRequest userInfoRequest, Class<T> returnType
 			userInfoRequest.getClientRegistration(), userInfoRequest.getAccessToken());
 		try {
 			return (T) this.genericHttpMessageConverter.read(returnType, userInfoResponse);
-		} catch (IOException ex) {
+		} catch (IOException | HttpMessageNotReadableException ex) {
 			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
 				"An error occurred reading the UserInfo Success response: " + ex.getMessage(), null);
 			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
@@ -69,7 +70,7 @@ <T> T getUserInfoResponse(OAuth2UserRequest userInfoRequest, ParameterizedTypeRe
 			userInfoRequest.getClientRegistration(), userInfoRequest.getAccessToken());
 		try {
 			return (T) this.genericHttpMessageConverter.read(typeReference.getType(), null, userInfoResponse);
-		} catch (IOException ex) {
+		} catch (IOException | HttpMessageNotReadableException ex) {
 			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
 				"An error occurred reading the UserInfo Success response: " + ex.getMessage(), null);
 			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java

@@ -26,6 +26,7 @@
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 import java.util.Arrays;
@@ -52,6 +53,7 @@ public class OidcUserService implements OAuth2UserService<OidcUserRequest, OidcU
 
 	@Override
 	public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
+		Assert.notNull(userRequest, "userRequest cannot be null");
 		OidcUserInfo userInfo = null;
 		if (this.shouldRetrieveUserInfo(userRequest)) {
 			ParameterizedTypeReference<Map<String, Object>> typeReference =

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserService.java

@@ -49,6 +49,7 @@ public CustomUserTypesOAuth2UserService(Map<String, Class<? extends OAuth2User>>
 
 	@Override
 	public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
+		Assert.notNull(userRequest, "userRequest cannot be null");
 		String registrationId = userRequest.getClientRegistration().getRegistrationId();
 		Class<? extends OAuth2User> customUserType;
 		if ((customUserType = this.customUserTypes.get(registrationId)) == null) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserService.java

@@ -23,6 +23,7 @@
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 import java.util.HashSet;
@@ -52,6 +53,7 @@ public class DefaultOAuth2UserService implements OAuth2UserService<OAuth2UserReq
 
 	@Override
 	public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
+		Assert.notNull(userRequest, "userRequest cannot be null");
 		String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
 		if (!StringUtils.hasText(userNameAttributeName)) {
 			OAuth2Error oauth2Error = new OAuth2Error(

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DelegatingOAuth2UserService.java

@@ -51,6 +51,7 @@ public DelegatingOAuth2UserService(List<OAuth2UserService<R, U>> userServices) {
 
 	@Override
 	public U loadUser(R userRequest) throws OAuth2AuthenticationException {
+		Assert.notNull(userRequest, "userRequest cannot be null");
 		return this.userServices.stream()
 			.map(userService -> userService.loadUser(userRequest))
 			.filter(Objects::nonNull)

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/NimbusUserInfoResponseClient.java

@@ -27,6 +27,7 @@
 import org.springframework.http.client.AbstractClientHttpResponse;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -54,7 +55,7 @@ <T> T getUserInfoResponse(OAuth2UserRequest userInfoRequest, Class<T> returnType
 			userInfoRequest.getClientRegistration(), userInfoRequest.getAccessToken());
 		try {
 			return (T) this.genericHttpMessageConverter.read(returnType, userInfoResponse);
-		} catch (IOException ex) {
+		} catch (IOException | HttpMessageNotReadableException ex) {
 			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
 				"An error occurred reading the UserInfo Success response: " + ex.getMessage(), null);
 			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
@@ -66,7 +67,7 @@ <T> T getUserInfoResponse(OAuth2UserRequest userInfoRequest, ParameterizedTypeRe
 			userInfoRequest.getClientRegistration(), userInfoRequest.getAccessToken());
 		try {
 			return (T) this.genericHttpMessageConverter.read(typeReference.getType(), null, userInfoResponse);
-		} catch (IOException ex) {
+		} catch (IOException | HttpMessageNotReadableException ex) {
 			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
 				"An error occurred reading the UserInfo Success response: " + ex.getMessage(), null);
 			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepository.java

@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.client.web;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -36,6 +37,7 @@ public final class HttpSessionOAuth2AuthorizationRequestRepository implements Au
 
 	@Override
 	public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
 		HttpSession session = request.getSession(false);
 		if (session != null) {
 			return (OAuth2AuthorizationRequest) session.getAttribute(this.sessionAttributeName);
@@ -46,6 +48,8 @@ public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest re
 	@Override
 	public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request,
 											HttpServletResponse response) {
+		Assert.notNull(request, "request cannot be null");
+		Assert.notNull(response, "response cannot be null");
 		if (authorizationRequest == null) {
 			this.removeAuthorizationRequest(request);
 			return;
@@ -55,6 +59,7 @@ public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationReq
 
 	@Override
 	public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
 		OAuth2AuthorizationRequest authorizationRequest = this.loadAuthorizationRequest(request);
 		if (authorizationRequest != null) {
 			request.getSession().removeAttribute(this.sessionAttributeName);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilder.java

@@ -17,6 +17,7 @@
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -35,6 +36,7 @@
 class OAuth2AuthorizationRequestUriBuilder {
 
 	URI build(OAuth2AuthorizationRequest authorizationRequest) {
+		Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
 		Set<String> scopes = authorizationRequest.getScopes();
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
 			.fromUriString(authorizationRequest.getAuthorizationUri())

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/InMemoryOAuth2AuthorizedClientServiceTests.java

@@ -0,0 +1,188 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client;
+
+import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * Tests for {@link InMemoryOAuth2AuthorizedClientService}.
+ *
+ * @author Joe Grandja
+ */
+public class InMemoryOAuth2AuthorizedClientServiceTests {
+	private String registrationId1 = "registration-1";
+	private String registrationId2 = "registration-2";
+	private String registrationId3 = "registration-3";
+	private String principalName1 = "principal-1";
+	private String principalName2 = "principal-2";
+
+	private ClientRegistration registration1 = ClientRegistration.withRegistrationId(this.registrationId1)
+		.clientId("client-1")
+		.clientSecret("secret")
+		.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+		.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+		.redirectUri("{scheme}://{serverName}:{serverPort}{contextPath}/login/oauth2/code/{registrationId}")
+		.scope("user")
+		.authorizationUri("https://provider.com/oauth2/authorize")
+		.tokenUri("https://provider.com/oauth2/token")
+		.userInfoUri("https://provider.com/oauth2/user")
+		.userNameAttributeName("id")
+		.clientName("client-1")
+		.build();
+
+	private ClientRegistration registration2 = ClientRegistration.withRegistrationId(this.registrationId2)
+		.clientId("client-2")
+		.clientSecret("secret")
+		.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+		.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+		.redirectUri("{scheme}://{serverName}:{serverPort}{contextPath}/login/oauth2/code/{registrationId}")
+		.scope("openid", "profile", "email")
+		.authorizationUri("https://provider.com/oauth2/authorize")
+		.tokenUri("https://provider.com/oauth2/token")
+		.userInfoUri("https://provider.com/oauth2/userinfo")
+		.jwkSetUri("https://provider.com/oauth2/keys")
+		.clientName("client-2")
+		.build();
+
+	private ClientRegistration registration3 = ClientRegistration.withRegistrationId(this.registrationId3)
+		.clientId("client-3")
+		.clientSecret("secret")
+		.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+		.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+		.redirectUri("{scheme}://{serverName}:{serverPort}{contextPath}/login/oauth2/code/{registrationId}")
+		.scope("openid", "profile")
+		.authorizationUri("https://provider.com/oauth2/authorize")
+		.tokenUri("https://provider.com/oauth2/token")
+		.userInfoUri("https://provider.com/oauth2/userinfo")
+		.jwkSetUri("https://provider.com/oauth2/keys")
+		.clientName("client-3")
+		.build();
+
+	private ClientRegistrationRepository clientRegistrationRepository =
+		new InMemoryClientRegistrationRepository(this.registration1, this.registration2, this.registration3);
+
+	private InMemoryOAuth2AuthorizedClientService authorizedClientService =
+		new InMemoryOAuth2AuthorizedClientService(this.clientRegistrationRepository);
+
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorWhenClientRegistrationRepositoryIsNullThenThrowIllegalArgumentException() {
+		new InMemoryOAuth2AuthorizedClientService(null);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void loadAuthorizedClientWhenClientRegistrationIdIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.loadAuthorizedClient(null, this.principalName1);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void loadAuthorizedClientWhenPrincipalNameIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.loadAuthorizedClient(this.registrationId1, null);
+	}
+
+	@Test
+	public void loadAuthorizedClientWhenClientRegistrationNotFoundThenReturnNull() {
+		OAuth2AuthorizedClient authorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			"registration-not-found", this.principalName1);
+		assertThat(authorizedClient).isNull();
+	}
+
+	@Test
+	public void loadAuthorizedClientWhenClientRegistrationFoundButNotAssociatedToPrincipalThenReturnNull() {
+		OAuth2AuthorizedClient authorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			this.registrationId1, "principal-not-found");
+		assertThat(authorizedClient).isNull();
+	}
+
+	@Test
+	public void loadAuthorizedClientWhenClientRegistrationFoundAndAssociatedToPrincipalThenReturnAuthorizedClient() {
+		Authentication authentication = mock(Authentication.class);
+		when(authentication.getName()).thenReturn(this.principalName1);
+
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+			this.registration1, this.principalName1, mock(OAuth2AccessToken.class));
+		this.authorizedClientService.saveAuthorizedClient(authorizedClient, authentication);
+
+		OAuth2AuthorizedClient loadedAuthorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			this.registrationId1, this.principalName1);
+		assertThat(loadedAuthorizedClient).isEqualTo(authorizedClient);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void saveAuthorizedClientWhenAuthorizedClientIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.saveAuthorizedClient(null, mock(Authentication.class));
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void saveAuthorizedClientWhenPrincipalIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.saveAuthorizedClient(mock(OAuth2AuthorizedClient.class), null);
+	}
+
+	@Test
+	public void saveAuthorizedClientWhenSavedThenCanLoad() {
+		Authentication authentication = mock(Authentication.class);
+		when(authentication.getName()).thenReturn(this.principalName2);
+
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+			this.registration3, this.principalName2, mock(OAuth2AccessToken.class));
+		this.authorizedClientService.saveAuthorizedClient(authorizedClient, authentication);
+
+		OAuth2AuthorizedClient loadedAuthorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			this.registrationId3, this.principalName2);
+		assertThat(loadedAuthorizedClient).isEqualTo(authorizedClient);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void removeAuthorizedClientWhenClientRegistrationIdIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.removeAuthorizedClient(null, this.principalName2);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void removeAuthorizedClientWhenPrincipalNameIsNullThenThrowIllegalArgumentException() {
+		this.authorizedClientService.removeAuthorizedClient(this.registrationId2, null);
+	}
+
+	@Test
+	public void removeAuthorizedClientWhenSavedThenRemoved() {
+		Authentication authentication = mock(Authentication.class);
+		when(authentication.getName()).thenReturn(this.principalName2);
+
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+			this.registration2, this.principalName2, mock(OAuth2AccessToken.class));
+		this.authorizedClientService.saveAuthorizedClient(authorizedClient, authentication);
+
+		OAuth2AuthorizedClient loadedAuthorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			this.registrationId2, this.principalName2);
+		assertThat(loadedAuthorizedClient).isNotNull();
+
+		this.authorizedClientService.removeAuthorizedClient(this.registrationId2, this.principalName2);
+
+		loadedAuthorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			this.registrationId2, this.principalName2);
+		assertThat(loadedAuthorizedClient).isNull();
+	}
+}