Merge pull request #26236 from c00crane/25734

WasReqUrl tests for Social Clients
OpenLiberty · Jun 14, 2024 · 45a3ca0 · 45a3ca0
2 parents 3b125cb + c1b8f9d
commit 45a3ca0
Show file tree

Hide file tree

Showing 35 changed files with 920 additions and 150 deletions.
diff --git a/dev/com.ibm.ws.security.fat.common.SSO.clientTests/CommonTests.gradle b/dev/com.ibm.ws.security.fat.common.SSO.clientTests/CommonTests.gradle
@@ -231,7 +231,7 @@ task copyPKCEAndPrivateKeyJwtOPServer (dependsOn: [':com.ibm.ws.security.fat.com
       include 'goodBasicRegistry.xml'
       include 'oidcProvider_PKCEAndPrivateKeyJwt.xml'
       include 'oidcServerFeatures.xml'
-   }
+    }
 
     /* copy the test marker app - used to log test case start/stop in server side logs */
     copy { 
@@ -258,3 +258,69 @@ task copyPKCEAndPrivateKeyJwtOPServer (dependsOn: [':com.ibm.ws.security.fat.com
 
 }
 }
+
+task copyWasReqUrlOPServer (dependsOn: [':com.ibm.ws.security.fat.common:assemble']) {
+  doLast {
+
+    println "in copyWasReqUrlOPServer"
+    def serverNames = project.findProperty('wasReqUrl_serverNames').split(",")
+    def srcServerName = project.findProperty('wasReqUrl_srcServerName')
+
+    println "serverNames: ${serverNames}"
+    println "srcServerName: ${srcServerName}"
+
+	serverNames.each { serverName ->
+      /*
+       * Copy common artifacts to test servers.
+       */
+      println "serverName: ${serverName}"
+
+      copy { 
+        from project(':com.ibm.ws.security.fat.common.SSO.clientTests').file("publish/servers/${srcServerName}")
+        into new File(autoFvtDir, "publish/servers/${serverName}")
+        include '**'
+      }
+
+      /* copy shared config files */
+      copy { 
+        from project(':com.ibm.ws.security.fat.common').file('publish/shared/config/')
+        into new File(autoFvtDir, "publish/servers/${serverName}/imports")
+        include 'allAlgSSLSettings.xml'
+      }
+
+      copy { 
+        from project(':com.ibm.ws.security.fat.common.SSO.clientTests').file('publish/shared/config/')
+        into new File(autoFvtDir, "publish/servers/${serverName}/imports")
+        include 'goodBasicRegistry.xml'
+        include 'oidcServerFeatures.xml'
+        include 'goodSSLSettings.xml'
+        include 'miscNoSslSettings.xml'
+		include 'oauthProvider_1.xml'
+     }
+
+      /* copy the test marker app - used to log test case start/stop in server side logs */
+      copy { 
+        from new File(project(':com.ibm.ws.security.fat.common').buildDir, 'test-application/testmarker.war')
+        into new File(autoFvtDir, "publish/servers/${serverName}/dropins")
+      }
+
+  	  /* copy shared key/trust stores from the common security fat project */
+      copy { 
+        from project(':com.ibm.ws.security.fat.common').file('publish/shared/securityKeys')
+        into new File(autoFvtDir, "publish/servers/${serverName}/")
+        include 'commonBasicKeyStore.jks'
+        include 'commonTrustStore.jks'
+      }
+
+      copy {
+        from new File(project(':com.ibm.ws.security.oauth.oidc_fat.common').projectDir, 'publish/files/serversettings/')
+        into new File(autoFvtDir, "publish/servers/${serverName}/imports")
+        include 'oauthRoles_1.xml'
+        include 'formlogin_1.xml'
+        include 'op_fatTestPorts.xml'
+      }              
+    }
+
+  }
+
+}
diff --git a/...ent/fat/IBM/OidcClientWasReqURLTests.java → ...Tests/WasReqUrl/ClientWasReqURLTests.java b/...ent/fat/IBM/OidcClientWasReqURLTests.java → ...Tests/WasReqUrl/ClientWasReqURLTests.java
diff --git a/...SSO.clientTests/publish/servers/com.ibm.ws.security.SSO.op.wasReqUrl/bootstrap.properties b/...SSO.clientTests/publish/servers/com.ibm.ws.security.SSO.op.wasReqUrl/bootstrap.properties
@@ -0,0 +1,31 @@
+###############################################################################
+# Copyright (c) 2021 IBM Corporation and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License 2.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-2.0/
+# 
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#     IBM Corporation - initial API and implementation
+###############################################################################
+
+bootstrap.include=../testports.properties
+
+com.ibm.ws.logging.trace.specification=*=info=enabled:\
+OpenIdConnect=all:\
+OPENIDCONNECT=all:\
+com.ibm.ws.security.oauth*=all=enabled:\
+com.ibm.ws.security.openidconnect*=all=enabled:\
+com.ibm.ws.security.jwt*=all=enabled:\
+com.ibm.ws.security.common*=all=enabled:\
+com.ibm.ws.webcontainer.security.*=all=enabled:\
+com.ibm.oauth.*=all=enabled:\
+com.ibm.wsspi.security.oauth20.*=all=enabled:\
+org.apache.http.client.*=all:\
+OpenIdConnect=all:\
+OPENIDCONNECT=all
+
+com.ibm.ws.logging.max.file.size=0
+ds.loglevel=debug
diff --git a/...ests/publish/servers/com.ibm.ws.security.SSO.op.wasReqUrl/configs/op_server_WasReqUrl.xml b/...ests/publish/servers/com.ibm.ws.security.SSO.op.wasReqUrl/configs/op_server_WasReqUrl.xml
@@ -0,0 +1,32 @@
+<!--
+    Copyright (c) 2023, 2024 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License 2.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-2.0/
+    
+    SPDX-License-Identifier: EPL-2.0
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+
+<server>
+
+	<include location="${server.config.dir}/imports/oidcServerFeatures.xml" />
+
+	<include location="${server.config.dir}/imports/goodBasicRegistry.xml" />
+
+	<include location="${server.config.dir}/imports/goodSSLSettings.xml" />
+
+	<include location="${server.config.dir}/imports/miscNoSslSettings.xml" />
+
+	<include location="${server.config.dir}/imports/oauthRoles_1.xml" />
+
+	<include location="${server.config.dir}/imports/oauthProvider_1.xml" />
+
+	<include location="${server.config.dir}/imports/op_fatTestPorts.xml" />
+
+	<variable name="oidcSignAlg" value="HS256"/>
+
+</server>
diff --git a/dev/com.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/goodSSLSettings.xml b/dev/com.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/goodSSLSettings.xml
@@ -0,0 +1,32 @@
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License 2.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-2.0/
+    
+    SPDX-License-Identifier: EPL-2.0
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+<server>
+
+	<sslDefault sslRef="DefaultSSLSettings" />
+	<ssl
+		id="DefaultSSLSettings"
+		keyStoreRef="myKeyStore"
+		trustStoreRef="myTrustStore"
+		clientAuthenticationSupported="true" />
+	<keyStore
+		id="myKeyStore"
+		password="Liberty"
+		type="jks"
+		location="${server.config.dir}/commonBasicKeyStore.jks" />
+	<keyStore
+		id="myTrustStore"
+		password="Liberty"
+		type="jks"
+		location="${server.config.dir}/commonTrustStore.jks" />
+
+</server>        
diff --git a/...om.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/miscNoSslSettings.xml b/...om.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/miscNoSslSettings.xml
@@ -0,0 +1,20 @@
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License 2.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-2.0/
+    
+    SPDX-License-Identifier: EPL-2.0
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+<server>
+
+	<httpSession cookieHttpOnly="false" />
+
+	<webAppSecurity
+		httpOnlyCookies="false"
+		allowFailOverToBasicAuth="true" />
+</server>
diff --git a/dev/com.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/oauthProvider_1.xml b/dev/com.ibm.ws.security.fat.common.SSO.clientTests/publish/shared/config/oauthProvider_1.xml
@@ -0,0 +1,63 @@
+<!--
+    Copyright (c) 2021, 2023 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License 2.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-2.0/
+    
+    SPDX-License-Identifier: EPL-2.0
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+<server>
+
+	<openidConnectProvider
+		id="OidcConfigSample"
+		scope="myScopeSample"
+		jwkEnabled="${oidcJWKEnabled}"
+		signatureAlgorithm="${oidcSignAlg}"
+		oauthProviderRef="OAuthConfigSample"
+		issuerIdentifier="http://localhost:${bvt.prop.security_1_HTTP_default}/oidc/endpoint/OidcConfigSample"
+	/>
+	<!-- TODO: remove issuerIdentifier when back-channel logout beta is removed -->
+
+	<oauthProvider
+		id="OAuthConfigSample"
+		filter="request-url%=SimpleServlet;request-url!=snooping"
+		httpsRequired="false"
+		allowPublicClients="false"
+		oauthOnly="true"
+		autoAuthorize="true"
+		jwtAccessToken="${oidcCreateJWTToken}"
+	>
+
+		<autoAuthorizeClient>client01</autoAuthorizeClient>
+		<autoAuthorizeClient>client02</autoAuthorizeClient>
+
+
+		<localStore>
+			<client
+				name="client01"
+				secret="{xor}LDo8LTor"
+				displayname="client01"
+				redirect="http://localhost:${bvt.prop.security_2_HTTP_default}/oidcclient/redirect/client01,
+							https://localhost:${bvt.prop.security_2_HTTP_default.secure}/ibm/api/social-login/redirect/client01"
+				scope="ALL_SCOPES"
+				enabled="true" />
+		    <!-- !d becomes \d for regexp evaluation, any 4 digit port should be accepted. -->
+		   	<client
+				name="client02"
+				secret="{xor}LDo8LTor"
+				displayname="client02"
+				allowRegexpRedirects="true"
+				redirect="regexp:http://localhost:!d!d!d!d/oidcclient/redirect/client02,
+							regexp:https://localhost:!d!d!d!d/ibm/api/social-login/redirect/client02"
+				scope="ALL_SCOPES"
+				enabled="true" />
+
+		</localStore>
+
+	</oauthProvider>
+
+</server>
diff --git a/...bm.ws.security.fat.common.SSO.clientTests/publish/shared/securityKeys/goodSSLSettings.xml b/...bm.ws.security.fat.common.SSO.clientTests/publish/shared/securityKeys/goodSSLSettings.xml
@@ -0,0 +1,32 @@
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License 2.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-2.0/
+    
+    SPDX-License-Identifier: EPL-2.0
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+<server>
+
+	<sslDefault sslRef="DefaultSSLSettings" />
+	<ssl
+		id="DefaultSSLSettings"
+		keyStoreRef="myKeyStore"
+		trustStoreRef="myTrustStore"
+		clientAuthenticationSupported="true" />
+	<keyStore
+		id="myKeyStore"
+		password="Liberty"
+		type="jks"
+		location="${server.config.dir}/commonBasicKeyStore.jks" />
+	<keyStore
+		id="myTrustStore"
+		password="Liberty"
+		type="jks"
+		location="${server.config.dir}/commonTrustStore.jks" />
+
+</server>        
diff --git a/...h.oidc_fat.common/src/com/ibm/ws/security/oauth_oidc/fat/commonTest/MessageConstants.java b/...h.oidc_fat.common/src/com/ibm/ws/security/oauth_oidc/fat/commonTest/MessageConstants.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2020, 2023 IBM Corporation and others.
+ * Copyright (c) 2020, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -175,6 +175,8 @@ public class MessageConstants extends com.ibm.ws.security.fat.common.MessageCons
 
     public static final String CWWKS2300E_HTTP_WITH_PUBLIC_CLIENT = "CWWKS2300E";
 
+    public static final String CWWKS2352E_MISSING_SAMESITE_COOKIE = "CWWKS2352E";
+
     public static final String CWWKS2416E_TOKEN_REQUEST_ERROR = "CWWKS2416E";
 
     public static final String CWWKS2430E_FAILED_TO_BUILD_TOKEN_FOR_CLIENT_AUTH = "CWWKS2430E";

diff --git a/...rity.oidc.client_fat.2/fat/src/com/ibm/ws/security/openidconnect/client/fat/FATSuite.java b/...rity.oidc.client_fat.2/fat/src/com/ibm/ws/security/openidconnect/client/fat/FATSuite.java
@@ -26,7 +26,6 @@
 import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcClientLTPACookieTests;
 import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcClientSameSiteTests;
 import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcClientSignatureAlgTests;
-import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcClientWasReqURLTests;
 import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcPropagationConsumeUserinfoTests;
 import com.ibm.ws.security.openidconnect.client.fat.IBM.OidcPropagationRemoteValidationTests;
 
@@ -39,7 +38,6 @@
         OidcClientCookieNameTests.class,
         OidcClientLTPACookieTests.class,
         OidcClientSameSiteTests.class,
-        OidcClientWasReqURLTests.class,
         OidcClientSignatureAlgTests.class,
         OidcClientEncryptionTests.class,
         OidcClientConsumeUserinfoTests.class,
@@ -55,7 +53,7 @@ public class FATSuite extends CommonLocalLDAPServerSuite {
      *
      * This was done to increase coverage of EE9 and EE10 while not adding a large amount of of test runtime.
      */
-	@ClassRule
-	public static RepeatTests repeat = LargeProjectRepeatActions.createEE9OrEE10Repeats();
+    @ClassRule
+    public static RepeatTests repeat = LargeProjectRepeatActions.createEE9OrEE10Repeats();
 
 }
diff --git a/dev/com.ibm.ws.security.oidc.client_fat.3/build.gradle b/dev/com.ibm.ws.security.oidc.client_fat.3/build.gradle
@@ -12,7 +12,7 @@
  *******************************************************************************/
 apply from: '../com.ibm.ws.security.fat.common.SSO.clientTests/CommonTests.gradle'
 
-addRequiredLibraries.dependsOn copyPKCEOPServer, copyPrivateKeyJwtOPServer, copyPKCEAndPrivateKeyJwtOPServer
+addRequiredLibraries.dependsOn copyPKCEOPServer, copyPrivateKeyJwtOPServer, copyPKCEAndPrivateKeyJwtOPServer, copyWasReqUrlOPServer
 
 repositories {
   if (isUsingArtifactory) {
@@ -80,7 +80,8 @@ autoFVT.doLast {
   def servers = [
     'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.pkce',
     'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.privateKeyJwt',
-    'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.pkceAndPrivateKeyJwt'
+    'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.pkceAndPrivateKeyJwt',
+    'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.wasReqUrl'
   ]
   servers.each { server ->
     copy { 
@@ -113,7 +114,6 @@ autoFVT.doLast {
       into new File(autoFvtDir, 'publish/servers/' + server + '/imports')
       include 'oauthRoles_1.xml'
       include 'formlogin_1.xml'
-      include 'op_fatTestPorts.xml'
     }  
 
     copy {
@@ -149,4 +149,25 @@ autoFVT.doLast {
     }           
 
   }
+
+  servers = [
+    'com.ibm.ws.security.openidconnect.client-1.0_fat.rp.wasReqUrl'
+  ]
+  servers.each { server ->  
+     /* copy shared key/trust stores from the common security fat project */
+     println "Copy keys for:  ${server}"
+      copy { 
+        from project(':com.ibm.ws.security.fat.common').file('publish/shared/securityKeys')
+        into new File(autoFvtDir, "publish/servers/${server}/")
+        include 'commonBasicKeyStore.jks'
+        include 'commonTrustStore.jks'
+      }
+
+     copy { 
+        from project(':com.ibm.ws.security.fat.common.SSO.clientTests').file('publish/shared/config/')
+        into new File(autoFvtDir, "publish/servers/${server}/imports")
+        include 'goodSSLSettings.xml'
+     }
+
+  }
 }