From e972e183075b50753f35312c0fbdc009fa0c062c Mon Sep 17 00:00:00 2001
From: Enrico Risa
Date: Tue, 14 May 2024 12:02:59 +0200
Subject: [PATCH] fix: add checks on accessTokenData not found in AuthTokenAudienceRule

---
 .../core/rules/AuthTokenAudienceRule.java | 3 ++
 .../core/rules/AuthTokenAudienceRuleTest.java | 10 +++++
 .../DataPlaneTokenRefreshEndToEndTest.java | 37 +++++++++++++++++++
 3 files changed, 50 insertions(+)

diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRule.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRule.java
index 49bf722e3..34eb5a4b9 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRule.java
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRule.java
@@ -54,6 +54,9 @@ public Result checkRule(@NotNull ClaimToken authenticationToken, @Nullable
 var tokenId = getTokenId(accessToken);
 var accessTokenData = store.getById(tokenId);
+ if (accessTokenData == null) {
+ return Result.failure("Token with id '%s' not found".formatted(tokenId));
+ }
 var expectedAudience = accessTokenData.additionalProperties().getOrDefault(AUDIENCE_PROPERTY, null);
 if (expectedAudience instanceof String expectedAud) {
 return expectedAud.equals(issuer) ? Result.success() : Result.failure("Principal '%s' is not authorized to refresh this token.".formatted(issuer));
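Review bot: The detail string of the new null check, `Token with id '%s' not found`, is returned verbatim to the caller of the refresh endpoint — the e2e test in this same commit expects it in the 401 body after "Authentication token validation failed:" — so a client can now tell an id that is absent from the store (e.g. revoked) apart from one that exists but fails the audience check. For an unauthenticated endpoint that existence oracle is usually not wanted; consider keeping the specific reason in a server-side log and returning the same generic detail the audience branch uses, `return Result.failure("Principal '%s' is not authorized to refresh this token.".formatted(issuer));`, or add a comment stating why a distinguishable message is acceptable here. As a style nit, the new message lacks the trailing period the sibling failure messages in this rule carry. `checkRule` starts before this hunk and continues after it.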
diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRuleTest.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRuleTest.java
index bf4637fe7..4840e505f 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRuleTest.java
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRuleTest.java
@@ -78,4 +78,14 @@ void checkRule_audienceNotPresent() {
 .detail()
 .isEqualTo("Property '%s' was expected to be java.lang.String but was null.".formatted(AUDIENCE_PROPERTY));
 }
+
+ @Test
+ void checkRule_accessTokenDataNotFound() {
+ when(store.getById(TEST_TOKEN_ID)).thenReturn(null);
+
+ assertThat(rule.checkRule(createAuthenticationToken(TEST_TOKEN_ID), Map.of()))
+ .isFailed()
+ .detail()
+ .isEqualTo("Token with id '%s' not found".formatted(TEST_TOKEN_ID));
+ }
 }
\ No newline at end of file
diff --git a/edc-tests/edc-dataplane/edc-dataplane-tokenrefresh-tests/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/e2e/DataPlaneTokenRefreshEndToEndTest.java b/edc-tests/edc-dataplane/edc-dataplane-tokenrefresh-tests/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/e2e/DataPlaneTokenRefreshEndToEndTest.java
index ff888c8fc..9e3440725 100644
--- a/edc-tests/edc-dataplane/edc-dataplane-tokenrefresh-tests/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/e2e/DataPlaneTokenRefreshEndToEndTest.java
+++ b/edc-tests/edc-dataplane/edc-dataplane-tokenrefresh-tests/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/e2e/DataPlaneTokenRefreshEndToEndTest.java
@@ -316,6 +316,43 @@ void refresh_invalidAuthenticationToken_missingAudience() {
 .body(containsString("Required claim 'aud' not present on token."));
 }
+ @DisplayName("The authentication token has a invalid id")
+ @Test
+ void refresh_invalidTokenId() {
+ prepareDataplaneRuntime();
+
+ var authorizationService = DATAPLANE_RUNTIME.getService(DataPlaneAuthorizationService.class);
+ var edr = authorizationService.createEndpointDataReference(createStartMessage("test-process-id", CONSUMER_DID))
+ .orElseThrow(f -> new AssertionError(f.getFailureDetail()));
+
+ var refreshToken = edr.getStringProperty(TX_AUTH_NS + "refreshToken");
+ var accessToken = edr.getStringProperty(EDC_NAMESPACE + "authorization");
+
+
+ authorizationService.revokeEndpointDataReference("test-process-id", "Revoked");
+ var tokenId = getJwtId(accessToken);
+
+ var claims = new JWTClaimsSet.Builder()
+ .claim("token", accessToken)
+ .issuer(CONSUMER_DID)
+ .subject(CONSUMER_DID)
+ .audience("did:web:bob")
+ .jwtID(tokenId)
+ .build();
+
+ var authToken = createJwt(consumerKey, claims);
+
+ RUNTIME_CONFIG.getRefreshApi().baseRequest()
+ .queryParam("grant_type", "refresh_token")
+ .queryParam("refresh_token", refreshToken)
+ .header(AUTHORIZATION, "Bearer " + authToken)
+ .post("/token")
+ .then()
+ .log().ifValidationFails()
+ .statusCode(401)
+ .body(containsString("Authentication token validation failed: Token with id '%s' not found".formatted(tokenId)));
+ }
+
 private void prepareDataplaneRuntime() {
 var vault = DATAPLANE_RUNTIME.getContext().getService(Vault.class);
 vault.storeSecret(PROVIDER_KEY_ID, providerKey.toJSONString());
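Review bot: The name and display name of the new test describe the wrong scenario: `refresh_invalidTokenId` / "The authentication token has a invalid id" suggest a malformed or foreign id, but the test puts the genuine id from the issued access token into `jwtID(tokenId)` and only revokes the EDR beforehand, so what is exercised is the "access token data no longer in the store" path (presumably because revocation removes the store entry — that is what the 401 expectation implies, but it is not visible here). Aligning it with the unit test added in this commit would read `void refresh_accessTokenDataNotFound()` with `@DisplayName("The authentication token refers to a token id that is no longer in the store")`, which also fixes the "a invalid" typo. The two consecutive blank lines after the `accessToken` assignment should be collapsed to one. The assertion pins the full server message text, so any later change to the rule's failure detail breaks this e2e test as well as the unit test; that coupling is worth a one-line comment if intended.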