support "multisegment" issuer (#31)

* feat: support "multisegment" issuer
* i.e. issuerId can consist of multiple segments/paths

Author: tommytroen

src/main/kotlin/no/nav/security/mock/oauth2/MockOAuth2Server.kt

@@ -15,10 +15,12 @@ import java.net.InetAddress
 import java.net.URI
 import java.time.Duration
 import java.util.UUID
+import java.util.concurrent.TimeUnit
 import mu.KotlinLogging
 import no.nav.security.mock.oauth2.extensions.toAuthorizationEndpointUrl
 import no.nav.security.mock.oauth2.extensions.toEndSessionEndpointUrl
 import no.nav.security.mock.oauth2.extensions.toJwksUrl
+import no.nav.security.mock.oauth2.extensions.toOAuth2AuthorizationServerMetadataUrl
 import no.nav.security.mock.oauth2.extensions.toTokenEndpointUrl
 import no.nav.security.mock.oauth2.extensions.toWellKnownUrl
 import no.nav.security.mock.oauth2.http.MockWebServerWrapper
@@ -32,8 +34,6 @@ import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
 import okhttp3.HttpUrl
 import okhttp3.mockwebserver.MockResponse
 import okhttp3.mockwebserver.RecordedRequest
-import java.lang.RuntimeException
-import java.util.concurrent.TimeUnit
 
 private val log = KotlinLogging.logger { }
 
@@ -84,6 +84,7 @@ open class MockOAuth2Server(
         } ?: throw UnsupportedOperationException("can only takeRequest when httpServer is of type MockWebServer")
 
     fun wellKnownUrl(issuerId: String): HttpUrl = url(issuerId).toWellKnownUrl()
+    fun oauth2AuthorizationServerMetadataUrl(issuerId: String): HttpUrl = url(issuerId).toOAuth2AuthorizationServerMetadataUrl()
     fun tokenEndpointUrl(issuerId: String): HttpUrl = url(issuerId).toTokenEndpointUrl()
     fun jwksUrl(issuerId: String): HttpUrl = url(issuerId).toJwksUrl()
     fun issuerUrl(issuerId: String): HttpUrl = url(issuerId)

src/main/kotlin/no/nav/security/mock/oauth2/extensions/HttpUrlExtensions.kt

@@ -2,48 +2,85 @@ package no.nav.security.mock.oauth2.extensions
 
 import com.nimbusds.oauth2.sdk.OAuth2Error
 import no.nav.security.mock.oauth2.OAuth2Exception
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.AUTHORIZATION
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.DEBUGGER
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.DEBUGGER_CALLBACK
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.END_SESSION
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.JWKS
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OAUTH2_WELL_KNOWN
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OIDC_WELL_KNOWN
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TOKEN
 import okhttp3.HttpUrl
 
-fun HttpUrl.isWellKnownUrl(): Boolean = this == this.toWellKnownUrl() || this == this.toOAuth2AuthorizationServerMetadataUrl()
-fun HttpUrl.isAuthorizationEndpointUrl(): Boolean = this.withoutQuery() == this.toAuthorizationEndpointUrl()
-fun HttpUrl.isTokenEndpointUrl(): Boolean = this == this.toTokenEndpointUrl()
-fun HttpUrl.isEndSessionEndpointUrl(): Boolean = this.withoutQuery() == this.toEndSessionEndpointUrl()
-fun HttpUrl.isJwksUrl(): Boolean = this == this.toJwksUrl()
-fun HttpUrl.isDebuggerUrl(): Boolean = this.withoutQuery() == this.toDebuggerUrl()
-fun HttpUrl.isDebuggerCallbackUrl(): Boolean = this.withoutQuery() == this.toDebuggerCallbackUrl()
-
-fun HttpUrl.toOAuth2AuthorizationServerMetadataUrl() = this.resolvePath("/${issuerId()}/.well-known/oauth-authorization-server")
-fun HttpUrl.toWellKnownUrl(): HttpUrl = this.resolvePath("/${issuerId()}/.well-known/openid-configuration")
-fun HttpUrl.toAuthorizationEndpointUrl(): HttpUrl = this.resolvePath("/${issuerId()}/authorize")
-fun HttpUrl.toEndSessionEndpointUrl(): HttpUrl = this.resolvePath("/${issuerId()}/endsession")
-fun HttpUrl.toTokenEndpointUrl(): HttpUrl = this.resolvePath("/${issuerId()}/token")
-fun HttpUrl.toJwksUrl(): HttpUrl = this.resolvePath("/${issuerId()}/jwks")
-fun HttpUrl.toIssuerUrl(): HttpUrl = this.resolvePath("/${issuerId()}")
-fun HttpUrl.toDebuggerUrl(): HttpUrl = this.resolvePath("/${issuerId()}/debugger")
-fun HttpUrl.toDebuggerCallbackUrl(): HttpUrl = this.resolvePath("/${issuerId()}/debugger/callback")
-
-fun HttpUrl.issuerId(): String = this.pathSegments.getOrNull(0)
-    ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "issuerId must be first segment in url path")
+object OAuth2Endpoints {
+    const val OAUTH2_WELL_KNOWN = "/.well-known/oauth-authorization-server"
+    const val OIDC_WELL_KNOWN = "/.well-known/openid-configuration"
+    const val AUTHORIZATION = "/authorize"
+    const val TOKEN = "/token"
+    const val END_SESSION = "/endsession"
+    const val JWKS = "/jwks"
+    const val DEBUGGER = "/debugger"
+    const val DEBUGGER_CALLBACK = "/debugger/callback"
 
-fun HttpUrl.Builder.removeAllEncodedQueryParams(vararg params: String) =
-    apply { params.forEach { removeAllEncodedQueryParameters(it) } }
+    val all = listOf(
+        OAUTH2_WELL_KNOWN,
+        OIDC_WELL_KNOWN,
+        AUTHORIZATION,
+        TOKEN,
+        END_SESSION,
+        JWKS,
+        DEBUGGER,
+        DEBUGGER_CALLBACK
+    )
+}
 
-fun HttpUrl.match(path: String) =
-    path.trimPath().let {
-        this.pathSegments.containsAll(it.split("/"))
+fun HttpUrl.isWellKnownUrl(): Boolean = this.endsWith(OAUTH2_WELL_KNOWN) || this.endsWith(OIDC_WELL_KNOWN)
+fun HttpUrl.isAuthorizationEndpointUrl(): Boolean = this.endsWith(AUTHORIZATION)
+fun HttpUrl.isTokenEndpointUrl(): Boolean = this.endsWith(TOKEN)
+fun HttpUrl.isEndSessionEndpointUrl(): Boolean = this.endsWith(END_SESSION)
+fun HttpUrl.isJwksUrl(): Boolean = this.endsWith(JWKS)
+fun HttpUrl.isDebuggerUrl(): Boolean = this.endsWith(DEBUGGER)
+fun HttpUrl.isDebuggerCallbackUrl(): Boolean = this.endsWith(DEBUGGER_CALLBACK)
+
+fun HttpUrl.toOAuth2AuthorizationServerMetadataUrl() = issuer(OAUTH2_WELL_KNOWN)
+fun HttpUrl.toWellKnownUrl(): HttpUrl = issuer(OIDC_WELL_KNOWN)
+fun HttpUrl.toAuthorizationEndpointUrl(): HttpUrl = issuer(AUTHORIZATION)
+fun HttpUrl.toEndSessionEndpointUrl(): HttpUrl = issuer(END_SESSION)
+fun HttpUrl.toTokenEndpointUrl(): HttpUrl = issuer(TOKEN)
+fun HttpUrl.toJwksUrl(): HttpUrl = issuer(JWKS)
+fun HttpUrl.toIssuerUrl(): HttpUrl = issuer()
+fun HttpUrl.toDebuggerUrl(): HttpUrl = issuer(DEBUGGER)
+fun HttpUrl.toDebuggerCallbackUrl(): HttpUrl = issuer(DEBUGGER_CALLBACK)
+
+fun HttpUrl.issuerId(): String {
+    val path = this.pathSegments.joinToString("/").trimPath()
+    OAuth2Endpoints.all.forEach {
+        if (path.endsWith(it)) {
+            return path.substringBefore(it)
+        }
     }
+    return path
+}
+
+fun HttpUrl.Builder.removeAllEncodedQueryParams(vararg params: String) =
+    apply { params.forEach { removeAllEncodedQueryParameters(it) } }
 
 fun HttpUrl.endsWith(path: String): Boolean = this.pathSegments.joinToString("/").endsWith(path.trimPath())
 
 private fun String.trimPath() = removePrefix("/").removeSuffix("/")
 
-private fun HttpUrl.withoutQuery(): HttpUrl = this.newBuilder().query(null).build()
+private fun HttpUrl.issuer(path: String = ""): HttpUrl =
+    baseUrl().let {
+        it.resolve(joinPaths(issuerId(), path))
+            ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "cannot resolve path $path")
+    }
+
+private fun joinPaths(vararg path: String) =
+    path.filter { it.isNotEmpty() }.joinToString("/") { it.trimPath() }
 
-private fun HttpUrl.resolvePath(path: String): HttpUrl {
-    return HttpUrl.Builder()
+private fun HttpUrl.baseUrl(): HttpUrl =
+    HttpUrl.Builder()
         .scheme(this.scheme)
         .host(this.host)
         .port(this.port)
         .build()
-        .resolve(path.removePrefix("/")) ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "cannot resolve path $path")
-}

src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequestHandler.kt

@@ -10,6 +10,8 @@ import com.nimbusds.oauth2.sdk.GrantType.REFRESH_TOKEN
 import com.nimbusds.oauth2.sdk.OAuth2Error
 import com.nimbusds.oauth2.sdk.ParseException
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest
+import java.net.URLEncoder
+import java.nio.charset.Charset
 import java.util.concurrent.BlockingQueue
 import java.util.concurrent.LinkedBlockingQueue
 import mu.KotlinLogging
@@ -41,8 +43,6 @@ import no.nav.security.mock.oauth2.login.Login
 import no.nav.security.mock.oauth2.login.LoginRequestHandler
 import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
-import java.net.URLEncoder
-import java.nio.charset.Charset
 
 private val log = KotlinLogging.logger {}
 
@@ -86,8 +86,10 @@ class OAuth2HttpRequestHandler(
 
     private fun handleEndSessionRequest(request: OAuth2HttpRequest): OAuth2HttpResponse {
         log.debug("handle end session request $request")
-        val postLogoutRedirectUri = request.url.queryParameter("post_logout_redirect_uri") ?: "https://www.nav.no"
-        return redirect(postLogoutRedirectUri)
+        val postLogoutRedirectUri = request.url.queryParameter("post_logout_redirect_uri")
+        return postLogoutRedirectUri?.let {
+            redirect(postLogoutRedirectUri)
+        } ?: html("logged out")
     }
 
     private fun handleAuthenticationRequest(request: OAuth2HttpRequest): OAuth2HttpResponse {

src/test/kotlin/no/nav/security/mock/oauth2/MockOAuth2ServerTest.kt

@@ -13,6 +13,7 @@ import io.kotest.matchers.shouldBe
 import io.kotest.matchers.string.shouldStartWith
 import java.net.URLEncoder
 import java.time.Duration
+import java.util.concurrent.TimeUnit
 import no.nav.security.mock.oauth2.extensions.verifySignatureAndIssuer
 import no.nav.security.mock.oauth2.http.OAuth2HttpResponse
 import no.nav.security.mock.oauth2.http.OAuth2TokenResponse
@@ -38,7 +39,6 @@ import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Disabled
 import org.junit.jupiter.api.Test
-import java.util.concurrent.TimeUnit
 
 // TODO add more tests for exception handling
 class MockOAuth2ServerTest {
@@ -115,6 +115,7 @@ class MockOAuth2ServerTest {
         assertWellKnownResponseForIssuer("default")
         assertWellKnownResponseForIssuer("foo")
         assertWellKnownResponseForIssuer("bar")
+        assertWellKnownResponseForIssuer("path1/path2/path3")
     }
 
     @Test
@@ -136,16 +137,6 @@ class MockOAuth2ServerTest {
         assertThat(response.body?.string()).isEqualTo("some body")
     }
 
-    @Test
-    fun noIssuerIdInUrlShouldReturn404() {
-        val request: Request = Request.Builder()
-            .url(server.baseUrl().newBuilder().addPathSegments("/.well-known/openid-configuration").build())
-            .get()
-            .build()
-
-        assertThat(client.newCall(request).execute().code).isEqualTo(404)
-    }
-
     @Test
     fun startAuthorizationCodeFlow() {
         val authorizationCodeFlowUrl = authorizationCodeFlowUrl(

src/test/kotlin/no/nav/security/mock/oauth2/extensions/HttpUrlExtensionsTest.kt

@@ -0,0 +1,33 @@
+package no.nav.security.mock.oauth2.extensions
+
+import io.kotest.matchers.shouldBe
+import okhttp3.HttpUrl.Companion.toHttpUrl
+import org.junit.jupiter.api.Test
+
+internal class HttpUrlExtensionsTest {
+
+    @Test
+    fun `urls with no segments, one segment and multiple segments`() {
+        "http://localhost".toHttpUrl().issuerId() shouldBe ""
+        `verify oauth2 endpoint urls`("http://localhost")
+
+        "http://localhost/path1".toHttpUrl().issuerId() shouldBe "path1"
+        `verify oauth2 endpoint urls`("http://localhost/path1")
+
+        "http://localhost/path1/path2".toHttpUrl().issuerId() shouldBe "path1/path2"
+        `verify oauth2 endpoint urls`("http://localhost/path1/path2")
+    }
+
+    private fun `verify oauth2 endpoint urls`(baseUrl: String) {
+        val httpUrl = baseUrl.toHttpUrl()
+        httpUrl.toIssuerUrl() shouldBe "$baseUrl".toHttpUrl()
+        httpUrl.toWellKnownUrl() shouldBe "$baseUrl/.well-known/openid-configuration".toHttpUrl()
+        httpUrl.toOAuth2AuthorizationServerMetadataUrl() shouldBe "$baseUrl/.well-known/oauth-authorization-server".toHttpUrl()
+        httpUrl.toTokenEndpointUrl() shouldBe "$baseUrl/token".toHttpUrl()
+        httpUrl.toAuthorizationEndpointUrl() shouldBe "$baseUrl/authorize".toHttpUrl()
+        httpUrl.toDebuggerCallbackUrl() shouldBe "$baseUrl/debugger/callback".toHttpUrl()
+        httpUrl.toDebuggerUrl() shouldBe "$baseUrl/debugger".toHttpUrl()
+        httpUrl.toEndSessionEndpointUrl() shouldBe "$baseUrl/endsession".toHttpUrl()
+        httpUrl.toJwksUrl() shouldBe "$baseUrl/jwks".toHttpUrl()
+    }
+}