test(introspect): add tests for non-default algorithm

navikt · Oct 14, 2022 · 92f4952 · 92f4952
1 parent 7574e12
commit 92f4952
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt
@@ -2,6 +2,7 @@ package no.nav.security.mock.oauth2.introspect
 
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.fasterxml.jackson.module.kotlin.readValue
+import com.nimbusds.jose.JWSAlgorithm
 import io.kotest.assertions.asClue
 import io.kotest.assertions.throwables.shouldThrow
 import io.kotest.matchers.maps.shouldContain
@@ -13,12 +14,14 @@ import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.INTROSPECT
 import no.nav.security.mock.oauth2.http.OAuth2HttpRequest
 import no.nav.security.mock.oauth2.http.OAuth2HttpResponse
 import no.nav.security.mock.oauth2.http.routes
+import no.nav.security.mock.oauth2.token.KeyProvider
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.Headers
 import okhttp3.HttpUrl.Companion.toHttpUrl
 import org.junit.jupiter.api.Test
 
 internal class IntrospectTest {
+    private val rs384TokenProvider = OAuth2TokenProvider(keyProvider = KeyProvider(initialKeys = emptyList(), algorithm = JWSAlgorithm.RS384.name))
 
     @Test
     fun `introspect should return active and claims from bearer token`() {
@@ -42,6 +45,27 @@ internal class IntrospectTest {
         }
     }
 
+    @Test
+    fun `introspect should return active and claims for non-default algorithm from bearer token`() {
+        val issuerUrl = "http://localhost/default"
+        val claims = mapOf(
+            "iss" to issuerUrl,
+            "client_id" to "yolo",
+            "token_type" to "token",
+            "sub" to "foo"
+        )
+        val token = rs384TokenProvider.jwt(claims)
+        println("token: " + token.jwtClaimsSet.toJSONObject())
+        val request = request("$issuerUrl$INTROSPECT", token.serialize())
+
+        routes { introspect(rs384TokenProvider) }.invoke(request).asClue {
+            it.status shouldBe 200
+            val response = it.parse<Map<String, Any>>()
+            response shouldContainAll claims
+            response shouldContain ("active" to true)
+        }
+    }
+
     @Test
     fun `introspect should return active false when token is missing`() {
         val url = "http://localhost/default$INTROSPECT"
@@ -66,6 +90,27 @@ internal class IntrospectTest {
         }
     }
 
+    @Test
+    fun `introspect should return active false when token was signed with a different algorithm than token provider`() {
+        val issuerUrl = "http://localhost/default"
+        val claims = mapOf(
+            "iss" to issuerUrl,
+            "client_id" to "yolo",
+            "token_type" to "token",
+            "sub" to "foo"
+        )
+        val token = rs384TokenProvider.jwt(claims)
+        println("token: " + token.jwtClaimsSet.toJSONObject())
+        val request = request("$issuerUrl$INTROSPECT", token.serialize())
+
+        routes {
+            introspect(OAuth2TokenProvider())
+        }.invoke(request).asClue {
+            it.status shouldBe 200
+            it.parse<Map<String, Any>>() shouldContainExactly mapOf("active" to false)
+        }
+    }
+
     @Test
     fun `introspect should return 401 when no Authorization header is provided`() {
         val url = "http://localhost/default$INTROSPECT"