fix: Use highest level script in case ACR script is not found. Added …
…FF to keep existing behavior. (#1070)
Milton-Ch authored Mar 23, 2022
1 parent 5aff67e commit 07473d9
Showing 15 changed files with 398 additions and 8 deletions.
4 changes: 4 additions & 0 deletions docker-jans-persistence-loader/scripts/upgrade.py
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,10 @@ def _transform_auth_dynamic_config(conf):
conf["redirectUrisRegexEnabled"] = True
should_update = True

if "useHighestLevelScriptIfAcrScriptNotFound" not in conf:
conf["useHighestLevelScriptIfAcrScriptNotFound"] = True
should_update = True

# return the conf and flag to determine whether it needs update or not
return conf, should_update

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -436,5 +436,6 @@
"deviceAuthzRequestExpiresIn": 1800,
"deviceAuthzTokenPollInterval": 5,
"deviceAuthzResponseTypeToProcessAuthz": "code",
"redirectUrisRegexEnabled": true
"redirectUrisRegexEnabled": true,
"useHighestLevelScriptIfAcrScriptNotFound": true
}
Original file line number Diff line number Diff line change
Expand Up @@ -360,5 +360,6 @@
"deviceAuthzResponseTypeToProcessAuthz": "code",
"staticKid": "%(staticKid)s",
"forceOfflineAccessScopeToEnableRefreshToken" : false,
"redirectUrisRegexEnabled": true
"redirectUrisRegexEnabled": true,
"useHighestLevelScriptIfAcrScriptNotFound": true
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
package io.jans.as.client.ws.rs;

import io.jans.as.client.*;
import io.jans.as.client.client.AssertBuilder;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.register.ApplicationType;
import io.jans.as.model.util.StringUtils;
import org.testng.annotations.Parameters;
import org.testng.annotations.Test;

import java.util.Arrays;
import java.util.List;
import java.util.UUID;

import static org.testng.Assert.assertNotNull;

/**
* Integration tests to validate redirect uris regex behavior
*
*/
public class AuthorizationAcrValuesTest extends BaseTest {

/**
* This method is used to test when acr_values is not send in Authentication URL
*/
@Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
@Test
public void requestAuthorizationAcrValues_NoAcrsValues_NotNull(
final String userId, final String userSecret, final String redirectUris, final String redirectUri,
final String sectorIdentifierUri) {
showTitle("requestAuthorizationAcrValues_NoAcrsValues_NotNull");

List<ResponseType> responseTypes = Arrays.asList(
ResponseType.CODE,
ResponseType.TOKEN,
ResponseType.ID_TOKEN);

// 1. Register client
RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
StringUtils.spaceSeparatedToList(redirectUris));
registerRequest.setResponseTypes(responseTypes);
registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

RegisterClient registerClient = new RegisterClient(registrationEndpoint);
registerClient.setRequest(registerRequest);
RegisterResponse registerResponse = registerClient.exec();

showClient(registerClient);
AssertBuilder.registerResponse(registerResponse).created().check();

String clientId = registerResponse.getClientId();

// 3. Request authorization
responseTypes = Arrays.asList(
ResponseType.TOKEN,
ResponseType.ID_TOKEN);

List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String nonce = UUID.randomUUID().toString();
String state = UUID.randomUUID().toString();

AuthorizationRequest authorizationRequest1 = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
authorizationRequest1.setState(state);
authorizationRequest1.setNonce(nonce);

AuthorizationResponse authorizationResponse1 = authenticateResourceOwnerAndGrantAccess(
authorizationEndpoint, authorizationRequest1, userId, userSecret);

assertNotNull(authorizationResponse1.getLocation(), "The location is null");
assertNotNull(authorizationResponse1.getAccessToken(), "The access token is null");
assertNotNull(authorizationResponse1.getState(), "The state is null");
assertNotNull(authorizationResponse1.getTokenType(), "The token type is null");
assertNotNull(authorizationResponse1.getExpiresIn(), "The expires in value is null");
assertNotNull(authorizationResponse1.getScope(), "The scope must be null");
}

/**
* This method is used to test when acr_values is sent in Authentication URL
*/
@Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
@Test
public void requestAuthorizationAcrValues_withBasic_NotNull(
final String userId, final String userSecret, final String redirectUris, final String redirectUri,
final String sectorIdentifierUri) {

showTitle("requestAuthorizationAcrValues_withBasic_NotNull");

List<ResponseType> responseTypes = Arrays.asList(
ResponseType.CODE,
ResponseType.TOKEN,
ResponseType.ID_TOKEN);

// 1. Register client
RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
StringUtils.spaceSeparatedToList(redirectUris));
registerRequest.setResponseTypes(responseTypes);
registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

RegisterClient registerClient = new RegisterClient(registrationEndpoint);
registerClient.setRequest(registerRequest);
RegisterResponse registerResponse = registerClient.exec();

showClient(registerClient);
AssertBuilder.registerResponse(registerResponse).created().check();

String clientId = registerResponse.getClientId();

// 2. Request authorization
responseTypes = Arrays.asList(
ResponseType.TOKEN,
ResponseType.ID_TOKEN);

List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String nonce = UUID.randomUUID().toString();
String state = UUID.randomUUID().toString();

AuthorizationRequest authorizationRequest1 = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
authorizationRequest1.setState(state);
authorizationRequest1.setNonce(nonce);
authorizationRequest1.setAcrValues(Arrays.asList("basic") );

AuthorizationResponse authorizationResponse1 = authenticateResourceOwnerAndGrantAccess(
authorizationEndpoint, authorizationRequest1, userId, userSecret);

assertNotNull(authorizationResponse1.getLocation(), "The location is null");
assertNotNull(authorizationResponse1.getAccessToken(), "The access token is null");
assertNotNull(authorizationResponse1.getState(), "The state is null");
assertNotNull(authorizationResponse1.getTokenType(), "The token type is null");
assertNotNull(authorizationResponse1.getExpiresIn(), "The expires in value is null");
assertNotNull(authorizationResponse1.getScope(), "The scope must be null");
}
}
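Review bot: The class Javadoc at the top of this new file ("Integration tests to validate redirect uris regex behavior") was carried over from another test and does not describe what AuthorizationAcrValuesTest checks; it should read along the lines of `Integration tests for authorization requests with and without acr_values`. The assertion messages on the last line of both methods contradict the check they accompany, `assertNotNull(authorizationResponse1.getScope(), "The scope must be null");` should say `"The scope is null"`, and the step comment `// 3. Request authorization` in the first method skips a step number. More importantly, neither method exercises the case the commit's new flag governs, an acr_values entry that matches no enabled script, nor asserts which acr was actually applied (for example via the id_token's acr claim), so a broken fallback, or a silently substituted acr, would pass both tests. Adding a third method that requests a non-existent acr and checks the resulting acr claim would cover the new behaviour directly.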
6 changes: 5 additions & 1 deletion jans-auth-server/client/src/test/resources/testng.xml
Original file line number Diff line number Diff line change
Expand Up @@ -1156,5 +1156,9 @@
<class name="io.jans.as.client.ws.rs.jarm.AuthorizationServerMetadataHttpTest"/>
</classes>
</test>

<test name="Test Authorization ACR values" enabled="true">
<classes>
<class name="io.jans.as.client.ws.rs.AuthorizationAcrValuesTest"/>
</classes>
</test>
</suite>
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ public class AppConfiguration implements Configuration {

//feature flags
private Boolean redirectUrisRegexEnabled = false;
private Boolean useHighestLevelScriptIfAcrScriptNotFound = true;

private Boolean authenticationFiltersEnabled;
private Boolean clientAuthenticationFiltersEnabled;
Expand Down Expand Up @@ -2483,4 +2484,12 @@ public Boolean getRedirectUrisRegexEnabled() {
public void setRedirectUrisRegexEnabled(Boolean redirectUrisRegexEnabled) {
this.redirectUrisRegexEnabled = redirectUrisRegexEnabled;
}

public Boolean getUseHighestLevelScriptIfAcrScriptNotFound() {
return useHighestLevelScriptIfAcrScriptNotFound != null && useHighestLevelScriptIfAcrScriptNotFound;
}

public void setUseHighestLevelScriptIfAcrScriptNotFound(Boolean useHighestLevelScriptIfAcrScriptNotFound) {
this.useHighestLevelScriptIfAcrScriptNotFound = useHighestLevelScriptIfAcrScriptNotFound;
}
}
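Review bot: The new field and accessors carry no Javadoc, and the getter's null-to-false coercion does not match the field initializer of true, so an absent key keeps the fallback enabled while an explicit null in the configuration disables it; that asymmetry should be documented or removed. A Javadoc on the field along the lines of `/** When true, an authorization request whose acr_values match no enabled script falls back to the highest-level (default) authentication script instead of yielding no script; defaults to true to preserve prior behaviour. */` would make the flag's effect visible to operators reading the configuration class. The enclosing AppConfiguration class starts outside the hunk.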
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import io.jans.as.common.service.common.ApplicationFactory;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.server.service.cdi.event.ReloadAuthScript;
import io.jans.as.server.service.external.internal.InternalDefaultPersonAuthenticationType;
import io.jans.model.AuthenticationScriptUsageType;
Expand Down Expand Up @@ -49,6 +50,9 @@ public class ExternalAuthenticationService extends ExternalScriptService {
@Inject
private InternalDefaultPersonAuthenticationType internalDefaultPersonAuthenticationType;

@Inject
private AppConfiguration appConfiguration;

private static final long serialVersionUID = 7339887464253044927L;

private Map<AuthenticationScriptUsageType, List<CustomScriptConfiguration>> customScriptConfigurationsMapByUsageType;
Expand Down Expand Up @@ -354,14 +358,17 @@ public CustomScriptConfiguration determineCustomScriptConfiguration(Authenticati

if (authModes.size() > 0) {
for (String authMode : authModes) {
for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurationsMapByUsageType.get(usageType)) {
for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurationsMapByUsageType.get(usageType) ) {
if (StringHelper.equalsIgnoreCase(authMode, customScriptConfiguration.getName())) {
return customScriptConfiguration;
}
}
}
}

if (appConfiguration.getUseHighestLevelScriptIfAcrScriptNotFound()) {
return getDefaultExternalAuthenticator(usageType);
}
return null;
}

Expand Down Expand Up @@ -540,4 +547,12 @@ public AuthenticationScriptUsageType getUsageType() {

return new CustomScriptConfiguration(customScript, internalDefaultPersonAuthenticationType, new HashMap<>(0));
}

public void setCustomScriptConfigurationsMapByUsageType(Map<AuthenticationScriptUsageType, List<CustomScriptConfiguration>> customScriptConfigurationsMapByUsageType) {
this.customScriptConfigurationsMapByUsageType = customScriptConfigurationsMapByUsageType;
}

public void setDefaultExternalAuthenticators(Map<AuthenticationScriptUsageType, CustomScriptConfiguration> defaultExternalAuthenticators) {
this.defaultExternalAuthenticators = defaultExternalAuthenticators;
}
}
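Review bot: The fallback added after the authMode loop in determineCustomScriptConfiguration substitutes the default (highest-level) script whenever the requested acr_values match nothing, including when a client explicitly asked for a specific acr, and nothing records that substitution, so a relying party can end up with an authentication performed under a different acr than it requested with no server-side trace. A log entry at the fallback site naming the unmatched authModes and the usageType (via whatever logger the base class exposes) would make the substitution auditable, and the caller should ensure the acr claim it issues reflects the script actually run rather than the value requested. The loop line also picked up a stray space before the closing parenthesis, `this.customScriptConfigurationsMapByUsageType.get(usageType) ) {`, which should be dropped. determineCustomScriptConfiguration starts outside the hunk.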
