From 92f4952b1bdc2f2e039ff0c0117e1f641c988e74 Mon Sep 17 00:00:00 2001
From: Antoine Auger
Date: Fri, 14 Oct 2022 17:00:11 +0200
Subject: [PATCH] test(introspect): add tests for non-default algorithm

---
 .../mock/oauth2/introspect/IntrospectTest.kt | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt
index fbb37ee7..b87e9bf6 100644
--- a/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt
+++ b/src/test/kotlin/no/nav/security/mock/oauth2/introspect/IntrospectTest.kt
@@ -2,6 +2,7 @@ package no.nav.security.mock.oauth2.introspect
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.fasterxml.jackson.module.kotlin.readValue
+import com.nimbusds.jose.JWSAlgorithm
 import io.kotest.assertions.asClue
 import io.kotest.assertions.throwables.shouldThrow
 import io.kotest.matchers.maps.shouldContain
@@ -13,12 +14,14 @@ import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.INTROSPECT
 import no.nav.security.mock.oauth2.http.OAuth2HttpRequest
 import no.nav.security.mock.oauth2.http.OAuth2HttpResponse
 import no.nav.security.mock.oauth2.http.routes
+import no.nav.security.mock.oauth2.token.KeyProvider
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.Headers
 import okhttp3.HttpUrl.Companion.toHttpUrl
 import org.junit.jupiter.api.Test
 internal class IntrospectTest {
+    private val rs384TokenProvider = OAuth2TokenProvider(keyProvider = KeyProvider(initialKeys = emptyList(), algorithm = JWSAlgorithm.RS384.name))
     @Test
     fun `introspect should return active and claims from bearer token`() {
@@ -42,6 +45,27 @@ internal class IntrospectTest {
         }
     }
+    @Test
+    fun `introspect should return active and claims for non-default algorithm from bearer token`() {
+        val issuerUrl = "http://localhost/default"
+        val claims = mapOf(
+            "iss" to issuerUrl,
+            "client_id" to "yolo",
+            "token_type" to "token",
+            "sub" to "foo"
+        )
+        val token = rs384TokenProvider.jwt(claims)
+        println("token: " + token.jwtClaimsSet.toJSONObject())
+        val request = request("$issuerUrl$INTROSPECT", token.serialize())
+
+        routes { introspect(rs384TokenProvider) }.invoke(request).asClue {
+            it.status shouldBe 200
+            val response = it.parse>()
+            response shouldContainAll claims
+            response shouldContain ("active" to true)
+        }
+    }
+
     @Test
     fun `introspect should return active false when token is missing`() {
         val url = "http://localhost/default$INTROSPECT"
@@ -66,6 +90,27 @@ internal class IntrospectTest {
         }
     }
+    @Test
+    fun `introspect should return active false when token was signed with a different algorithm than token provider`() {
+        val issuerUrl = "http://localhost/default"
+        val claims = mapOf(
+            "iss" to issuerUrl,
+            "client_id" to "yolo",
+            "token_type" to "token",
+            "sub" to "foo"
+        )
+        val token = rs384TokenProvider.jwt(claims)
+        println("token: " + token.jwtClaimsSet.toJSONObject())
+        val request = request("$issuerUrl$INTROSPECT", token.serialize())
+
+        routes {
+            introspect(OAuth2TokenProvider())
+        }.invoke(request).asClue {
+            it.status shouldBe 200
+            it.parse>() shouldContainExactly mapOf("active" to false)
+        }
+    }
+
     @Test
     fun `introspect should return 401 when no Authorization header is provided`() {
         val url = "http://localhost/default$INTROSPECT"
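Review bot: The positive test never checks that the token it introspects actually carries the non-default algorithm, so a provider that silently fell back to RS256 would still make `introspect should return active and claims for non-default algorithm from bearer token` pass; assuming `jwt()` returns a nimbus SignedJWT (which `jwtClaimsSet` and `serialize()` suggest), add `token.header.algorithm shouldBe JWSAlgorithm.RS384` directly after `val token = rs384TokenProvider.jwt(claims)`, using the `JWSAlgorithm` import this patch adds. The `println("token: " + token.jwtClaimsSet.toJSONObject())` is leftover debugging output and should be removed; the `asClue` block already surfaces the response on failure. The `claims` map and request setup are repeated verbatim in the next hunk, so a small `private fun claimsFor(issuerUrl: String): Map<String, Any>` helper would keep both tests in step. The enclosing class continues outside this hunk.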
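Review bot: The negative test does not isolate the algorithm from the key: `introspect(OAuth2TokenProvider())` verifies with a provider constructed independently of `rs384TokenProvider`, so — presumably, since the fixture is built with `initialKeys = emptyList()` and each provider generates its own keys — the RS384 token is also signed by a key the verifying provider has never seen, and `active: false` would be produced by an unknown-key rejection alone, whatever `alg` says. To make the test name true, the verifying provider should hold the same key material under the default algorithm so that only the `alg` differs (e.g. pass the signing provider's keys as `initialKeys`, if the key list is exposed — the hunk does not show whether it is); that is the case worth guarding, because it catches an introspection path that finds the key but ignores the header algorithm. If that is not feasible, rename the test to `signed by a different key provider` so it does not claim more than it checks. The `println` here is the same leftover debugging output as in the previous test. The enclosing class continues past the end of this hunk.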