feat: add tests for external api

pom.xml

@@ -109,6 +109,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-opentelemetry</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
 
         <!-- OTHER -->
         <dependency>
@@ -141,6 +145,11 @@
             <artifactId>tkit-quarkus-test-db-import</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-keycloak-server</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/io/github/onecx/permission/common/services/TokenService.java

@@ -13,7 +13,6 @@
 import jakarta.json.JsonObject;
 import jakarta.json.JsonValue;
 
-import org.eclipse.microprofile.config.ConfigProvider;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.MalformedClaimException;
@@ -34,8 +33,7 @@ public class TokenService {
 
     private static final Pattern CLAIM_PATH_PATTERN = Pattern.compile("\\/(?=(?:(?:[^\"]*\"){2})*[^\"]*$)");
 
-    private static final String[] CLAIM_PATH = splitClaimPath(
-            ConfigProvider.getConfig().getValue("onecx.permission.token.claim.path", String.class));
+    private static String[] CLAIM_PATH = null;
 
     @Inject
     JWTAuthContextInfo authContextInfo;
@@ -57,6 +55,10 @@ public List<String> getTokenRoles(String tokenData) {
     private List<String> getRoles(String tokenData)
             throws JoseException, InvalidJwtException, MalformedClaimException, ParseException {
 
+        if (CLAIM_PATH == null) {
+            CLAIM_PATH = splitClaimPath(config.tokenClaimPath());
+        }
+
         if (config.tokenVerified()) {
             var info = authContextInfo;
 
@@ -70,7 +72,13 @@ private List<String> getRoles(String tokenData)
             }
 
             var token = parser.parse(tokenData, info);
-            var first = (JsonValue) token.getClaim(CLAIM_PATH[0]);
+            var tmp = token.getClaim(CLAIM_PATH[0]);
+            JsonValue first;
+            if (tmp instanceof JsonValue) {
+                first = (JsonValue) tmp;
+            } else {
+                first = replaceClaimValueWithJsonValue(tmp);
+            }
             return findClaimWithRoles(config, first, CLAIM_PATH);
 
         } else {
@@ -125,7 +133,7 @@ private static String[] splitClaimPath(String claimPath) {
 
     private static JsonValue findClaimValue(JsonValue json, String[] pathArray, int step) {
         if (json == null) {
-            log.debug("No claim exists at the path '{}' at the path segment '{}'", pathArray, pathArray[step]);
+            log.debug("No claim exists at the path '{}' at the path segment '{}'", pathArray, pathArray[step - 1]);
             return null;
         }
 
@@ -134,7 +142,7 @@ private static JsonValue findClaimValue(JsonValue json, String[] pathArray, int
                 JsonValue claimValue = json.asJsonObject().get(pathArray[step].replace("\"", ""));
                 return findClaimValue(claimValue, pathArray, step + 1);
             } else {
-                log.debug("Claim value at the path '{}' is not a json object. Step: {}", pathArray, step);
+                log.debug("Claim value at the path '{}' is not a json object. Step: {}", pathArray, step - 1);
             }
         }
         return json;

src/main/resources/application.properties

@@ -14,6 +14,7 @@ tkit.rs.context.tenant-id.enabled=true
 onecx.permission.token.verified=true
 onecx.permission.token.issuer.public-key-location.suffix=/protocol/openid-connect/certs
 onecx.permission.token.issuer.public-key-location.enabled=false
+onecx.permission.token.claim.path=realm_access/roles
 
 tkit.dataimport.enabled=false
 tkit.dataimport.configurations.permission.file=dev-data.import.json
@@ -44,6 +45,8 @@ quarkus.test.integration-test-profile=test
 %test.tkit.rs.context.tenant-id.mock.data.org1=tenant-100
 %test.tkit.rs.context.tenant-id.mock.data.org2=tenant-200
 %test.tkit.rs.context.tenant-id.mock.data.i100=i100
+%test.quarkus.keycloak.devservices.roles.bob=n3
+%test.smallrye.jwt.verify.key.location=${keycloak.url}/realms/quarkus/protocol/openid-connect/certs
 
 %test.tkit.dataimport.enabled=true
 %test.tkit.dataimport.configurations.permission.enabled=true

src/test/java/io/github/onecx/permission/rs/external/v1/PermissionRestControllerConfigIssuerTest.java

@@ -0,0 +1,45 @@
+package io.github.onecx.permission.rs.external.v1;
+
+import io.github.onecx.permission.test.AbstractTest;
+
+//@QuarkusTest
+//@TestHTTPEndpoint(PermissionRestController.class)
+//@WithDBData(value = "data/test-v1.xml", deleteBeforeInsert = true, deleteAfterTest = true, rinseAndRepeat = true)
+public class PermissionRestControllerConfigIssuerTest extends AbstractTest {
+    //
+    //    @InjectMock
+    //    TokenConfig tokenConfig;
+    //
+    //    @Inject
+    //    Config config;
+    //
+    //    @BeforeEach
+    //    void beforeEach() {
+    //        var tmp = config.unwrap(SmallRyeConfig.class).getConfigMapping(TokenConfig.class);
+    //        Mockito.when(tokenConfig.tokenClaimSeparator()).thenReturn(tmp.tokenClaimSeparator());
+    //        Mockito.when(tokenConfig.tokenClaimPath()).thenReturn("groups");
+    //        Mockito.when(tokenConfig.tokenVerified()).thenReturn(true);
+    //        Mockito.when(tokenConfig.tokenPublicKeyLocationSuffix()).thenReturn(tmp.tokenPublicKeyLocationSuffix());
+    //        Mockito.when(tokenConfig.tokenPublicKeyEnabled()).thenReturn(true);
+    //    }
+    //
+    //    @Test
+    //    void skipTokenVerified() {
+    //
+    //        KeycloakTestClient keycloakClient = new KeycloakTestClient();
+    //        var accessToken = keycloakClient.getAccessToken("bob");
+    //
+    //        var dto = given()
+    //                .contentType(APPLICATION_JSON)
+    //                .body(new PermissionRequestDTOV1().token(accessToken))
+    //                .post("/application/app1")
+    //                .then()
+    //                .statusCode(OK.getStatusCode())
+    //                .extract()
+    //                .body().as(ApplicationPermissionsDTOV1.class);
+    //
+    //        assertThat(dto).isNotNull();
+    //        assertThat(dto.getPermissions()).isNotNull().hasSize(1);
+    //        assertThat(dto.getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a3");
+    //    }
+}

src/test/java/io/github/onecx/permission/test/AbstractTest.java

@@ -7,16 +7,23 @@
 import java.security.PrivateKey;
 import java.util.List;
 
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.inject.Produces;
+import jakarta.inject.Inject;
 import jakarta.json.Json;
 import jakarta.json.JsonObjectBuilder;
 
+import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.eclipse.microprofile.jwt.Claims;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 
+import io.github.onecx.permission.common.models.TokenConfig;
+import io.quarkus.test.Mock;
 import io.restassured.config.RestAssuredConfig;
+import io.smallrye.config.SmallRyeConfig;
 import io.smallrye.jwt.build.Jwt;
 import io.smallrye.jwt.util.KeyUtils;
 
@@ -66,4 +73,17 @@ protected static String createToken(String organizationId, List<String> roles) {
             throw new RuntimeException(ex);
         }
     }
+
+    public static class ConfigProducer {
+
+        @Inject
+        Config config;
+
+        @Produces
+        @ApplicationScoped
+        @Mock
+        TokenConfig config() {
+            return config.unwrap(SmallRyeConfig.class).getConfigMapping(TokenConfig.class);
+        }
+    }
 }