diff --git a/README.md b/README.md index 419f8dd4..bcf1a7b1 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ As of version 0.3.3 the Docker image is published to the [GitHub Container Regis :exclamation: # mock-oauth2-server -A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer). The server also provides the neccessary endpoints for token validation (endpoint for JWKS) and ID Provider metadata discovery ("well-known" endpoints providing server metadata) +A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer). The server also provides the necessary endpoints for token validation (endpoint for JWKS) and ID Provider metadata discovery ("well-known" endpoints providing server metadata) **mock-oauth2-server** is written in Kotlin using the great [OkHttp MockWebServer](https://github.com/square/okhttp/tree/master/mockwebserver) as the underlying server library and can be used in unit/integration tests in both **Java** and **Kotlin** or in any language as a standalone server in e.g. docker-compose. @@ -35,7 +35,7 @@ The motivation behind this library is to provide a setup such that application d * Verify expected requests made to the server * Customizable through exposure of underlying [OkHttp MockWebServer](https://github.com/square/okhttp/tree/master/mockwebserver) * **Standalone support** - i.e. run as application in IDE, run inside your app, or as a Docker image (provided) -* **OAuth2 Client Debugger** - e.g. support for triggering OIDC Auth Code Flow and receiving callback in debugger app, view token reponse from server (intended for standalone support) +* **OAuth2 Client Debugger** - e.g. support for triggering OIDC Auth Code Flow and receiving callback in debugger app, view token response from server (intended for standalone support) @@ -334,6 +334,73 @@ services: The debugger is a OAuth2 client implementing the `authorization_code` flow with a UI for debugging (e.g. request parameters). Point your browser to [http://localhost:8080/default/debugger](http://localhost:8080/default/debugger) to check it out. +### Enabling HTTPS + +In order to enable HTTPS you can either provide your own keystore or let the server generate one for you. + +#### Unit tests + +You need to supply the server with an SSL config, in order to do that you must specify your chosen server type in `OAuth2Config` and +pass in the SSL config to your server. + +*Generate keystore:* +```kotlin +val ssl = Ssl() +val server = MockOAuth2Server( + OAuth2Config(httpServer = MockWebServerWrapper(ssl)) +) +``` +*This will generate a SSL certificate for `localhost` and can be added to your client's truststore by getting the ssl config: +`ssl.sslKeystore.keyStore`* + +*Bring your own:* +```kotlin +val ssl = Ssl( + SslKeystore( + keyPassword = "", + keystoreFile = File("src/test/resources/localhost.p12"), + keystorePassword = "", + keystoreType = SslKeystore.KeyStoreType.PKCS12 + ) +) +val server = MockOAuth2Server( + OAuth2Config(httpServer = MockWebServerWrapper(ssl)) +) +``` + +#### Docker / Standalone mode - JSON_CONFIG + +In order to enable HTTPS for the server in Docker or standalone mode +you can either make the server generate the keystore or bring your own. + +*Generate keystore:* + +```json +{ + "httpServer" : { + "type" : "NettyWrapper", + "ssl" : {} + } +} +``` + +*Bring your own:* + +```json + +{ + "httpServer" : { + "type" : "NettyWrapper", + "ssl" : { + "keyPassword" : "", + "keystoreFile" : "src/test/resources/localhost.p12", + "keystoreType" : "PKCS12", + "keystorePassword" : "" + } + } +} +``` + ## 👥 Contact This project is currently maintained by the organisation [@navikt](https://github.com/navikt). diff --git a/build.gradle.kts b/build.gradle.kts index 93b7727e..b3babb19 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,6 +1,9 @@ import java.time.Duration import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask + + + val assertjVersion = "3.19.0" val kotlinLoggingVersion = "2.0.6" val logbackVersion = "1.2.3" @@ -12,6 +15,7 @@ val junitJupiterVersion = "5.7.2" val kotlinVersion = "1.5.10" val freemarkerVersion = "2.3.31" val kotestVersion = "4.6.0" +val bouncyCastleVersion = "1.68" val mavenRepoBaseUrl = "https://oss.sonatype.org" val mainClassKt = "no.nav.security.mock.oauth2.StandaloneMockOAuth2ServerKt" @@ -61,6 +65,7 @@ dependencies { implementation("io.github.microutils:kotlin-logging:$kotlinLoggingVersion") implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jacksonVersion") implementation("org.freemarker:freemarker:$freemarkerVersion") + implementation("org.bouncycastle:bcpkix-jdk15on:$bouncyCastleVersion") testImplementation("org.assertj:assertj-core:$assertjVersion") testImplementation("org.junit.jupiter:junit-jupiter-api:$junitJupiterVersion") testImplementation("org.junit.jupiter:junit-jupiter-params:$junitJupiterVersion") diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Config.kt b/src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Config.kt index b5b7c73d..63a6666c 100644 --- a/src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Config.kt +++ b/src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Config.kt @@ -1,18 +1,21 @@ package no.nav.security.mock.oauth2 import com.fasterxml.jackson.core.JsonParser -import com.fasterxml.jackson.core.type.TypeReference import com.fasterxml.jackson.databind.DeserializationContext import com.fasterxml.jackson.databind.JsonDeserializer +import com.fasterxml.jackson.databind.JsonNode import com.fasterxml.jackson.databind.annotation.JsonDeserialize import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper import com.fasterxml.jackson.module.kotlin.readValue import no.nav.security.mock.oauth2.http.MockWebServerWrapper import no.nav.security.mock.oauth2.http.NettyWrapper import no.nav.security.mock.oauth2.http.OAuth2HttpServer +import no.nav.security.mock.oauth2.http.Ssl +import no.nav.security.mock.oauth2.http.SslKeystore import no.nav.security.mock.oauth2.token.OAuth2TokenCallback import no.nav.security.mock.oauth2.token.OAuth2TokenProvider import no.nav.security.mock.oauth2.token.RequestMappingTokenCallback +import java.io.File data class OAuth2Config @JvmOverloads constructor( val interactiveLogin: Boolean = false, @@ -29,11 +32,34 @@ data class OAuth2Config @JvmOverloads constructor( NettyWrapper } + data class ServerConfig( + val type: ServerType, + val ssl: SslConfig? = null + ) + + data class SslConfig( + val keyPassword: String = "", + val keystoreFile: File? = null, + val keystoreType: SslKeystore.KeyStoreType = SslKeystore.KeyStoreType.PKCS12, + val keystorePassword: String = "" + ) { + fun ssl() = Ssl(sslKeyStore()) + + private fun sslKeyStore() = + if (keystoreFile == null) SslKeystore() else SslKeystore(keyPassword, keystoreFile, keystoreType, keystorePassword) + } + override fun deserialize(p: JsonParser, ctxt: DeserializationContext): OAuth2HttpServer { - return when (p.readValueAs(object : TypeReference() {})) { - ServerType.NettyWrapper -> NettyWrapper() - ServerType.MockWebServerWrapper -> MockWebServerWrapper() - else -> throw IllegalArgumentException("unsupported httpServer specified in config") + val node: JsonNode = p.readValueAsTree() + val serverConfig: ServerConfig = if (node.isObject) { + p.codec.treeToValue(node, ServerConfig::class.java) + } else { + ServerConfig(ServerType.valueOf(node.textValue())) + } + val ssl: Ssl? = serverConfig.ssl?.ssl() + return when (serverConfig.type) { + ServerType.NettyWrapper -> NettyWrapper(ssl) + ServerType.MockWebServerWrapper -> MockWebServerWrapper(ssl) } } } diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpServer.kt b/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpServer.kt index f611032b..25131489 100644 --- a/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpServer.kt +++ b/src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpServer.kt @@ -57,13 +57,18 @@ interface OAuth2HttpServer : AutoCloseable { fun url(path: String): HttpUrl } -class MockWebServerWrapper : OAuth2HttpServer { +class MockWebServerWrapper@JvmOverloads constructor( + val ssl: Ssl? = null +) : OAuth2HttpServer { val mockWebServer: MockWebServer = MockWebServer() override fun start(inetAddress: InetAddress, port: Int, requestHandler: RequestHandler): OAuth2HttpServer = apply { mockWebServer.start(inetAddress, port) - log.debug("started server on address=$inetAddress and port=${mockWebServer.port}") mockWebServer.dispatcher = MockWebServerDispatcher(requestHandler) + if (ssl != null) { + mockWebServer.useHttps(ssl.sslContext().socketFactory, false) + } + log.debug("started server on address=$inetAddress and port=${mockWebServer.port}, httpsEnabled=${ssl != null}") } override fun stop(): OAuth2HttpServer = apply { @@ -94,7 +99,9 @@ class MockWebServerWrapper : OAuth2HttpServer { } } -class NettyWrapper : OAuth2HttpServer { +class NettyWrapper @JvmOverloads constructor( + val ssl: Ssl? = null +) : OAuth2HttpServer { private val masterGroup = NioEventLoopGroup() private val workerGroup = NioEventLoopGroup() private var closeFuture: ChannelFuture? = null @@ -109,6 +116,9 @@ class NettyWrapper : OAuth2HttpServer { .childHandler( object : ChannelInitializer() { public override fun initChannel(ch: SocketChannel) { + if (ssl != null) { + ch.pipeline().addFirst("ssl", ssl.nettySslHandler()) + } ch.pipeline().addLast("codec", HttpServerCodec()) ch.pipeline().addLast("keepAlive", HttpServerKeepAliveHandler()) ch.pipeline().addLast("aggregator", HttpObjectAggregator(Int.MAX_VALUE)) @@ -136,14 +146,21 @@ class NettyWrapper : OAuth2HttpServer { override fun port(): Int = if (port > 0) port else address.port override fun url(path: String): HttpUrl { + val scheme = if (ssl != null) { + "https" + } else { + "http" + } return HttpUrl.Builder() - .scheme("http") + .scheme(scheme) .host(address.address.canonicalHostName) .port(port()) .build() .resolve(path)!! } + private fun Ssl.nettySslHandler(): SslHandler = SslHandler(sslEngine()) + internal class RouterChannelHandler(val requestHandler: RequestHandler) : SimpleChannelInboundHandler() { override fun channelRead0(ctx: ChannelHandlerContext, request: FullHttpRequest) { diff --git a/src/main/kotlin/no/nav/security/mock/oauth2/http/Ssl.kt b/src/main/kotlin/no/nav/security/mock/oauth2/http/Ssl.kt new file mode 100644 index 00000000..f6499de2 --- /dev/null +++ b/src/main/kotlin/no/nav/security/mock/oauth2/http/Ssl.kt @@ -0,0 +1,128 @@ +package no.nav.security.mock.oauth2.http + +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers +import org.bouncycastle.asn1.x500.X500Name +import org.bouncycastle.asn1.x509.AlgorithmIdentifier +import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier +import org.bouncycastle.asn1.x509.BasicConstraints +import org.bouncycastle.asn1.x509.ExtendedKeyUsage +import org.bouncycastle.asn1.x509.Extension +import org.bouncycastle.asn1.x509.GeneralName +import org.bouncycastle.asn1.x509.GeneralNames +import org.bouncycastle.asn1.x509.KeyPurposeId +import org.bouncycastle.asn1.x509.KeyUsage +import org.bouncycastle.asn1.x509.SubjectKeyIdentifier +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo +import org.bouncycastle.cert.X509ExtensionUtils +import org.bouncycastle.cert.X509v3CertificateBuilder +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder +import org.bouncycastle.jce.provider.BouncyCastleProvider +import org.bouncycastle.operator.ContentSigner +import org.bouncycastle.operator.bc.BcDigestCalculatorProvider +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder +import java.io.File +import java.math.BigInteger +import java.security.KeyPair +import java.security.KeyPairGenerator +import java.security.KeyStore +import java.security.PublicKey +import java.security.cert.X509Certificate +import java.time.Duration +import java.time.Instant +import java.util.Date +import javax.net.ssl.KeyManagerFactory +import javax.net.ssl.SSLContext +import javax.net.ssl.SSLEngine + +class Ssl @JvmOverloads constructor( + val sslKeystore: SslKeystore = SslKeystore() +) { + fun sslEngine(): SSLEngine = sslContext().createSSLEngine().apply { + useClientMode = false + needClientAuth = false + } + + fun sslContext(): SSLContext { + val keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply { + init(sslKeystore.keyStore, sslKeystore.keyPassword.toCharArray()) + } + return SSLContext.getInstance("TLS").apply { + init(keyManager.keyManagers, null, null) + } + } +} + +class SslKeystore @JvmOverloads constructor( + val keyPassword: String = "", + val keyStore: KeyStore = generate("localhost", keyPassword) +) { + @JvmOverloads constructor( + keyPassword: String, + keystoreFile: File, + keystoreType: KeyStoreType = KeyStoreType.PKCS12, + keystorePassword: String = "", + ) : this(keyPassword, keyStore(keystoreFile, keystoreType, keystorePassword)) + + enum class KeyStoreType { + PKCS12, + JKS + } + + companion object { + private const val CERT_SIGNATURE_ALG = "SHA256withRSA" + private const val KEY_ALG = "RSA" + private const val KEY_SIZE = 2048 + + fun generate(hostname: String, keyPassword: String): KeyStore { + val keyPair = KeyPairGenerator.getInstance(KEY_ALG).apply { initialize(KEY_SIZE) }.generateKeyPair() + val cert = keyPair.toX509Certificate(hostname) + return KeyStore.getInstance(KeyStoreType.PKCS12.name).apply { + this.load(null) + this.setKeyEntry(hostname, keyPair.private, keyPassword.toCharArray(), arrayOf(cert)) + } + } + + private fun keyStore( + keystoreFile: File, + keystoreType: KeyStoreType = KeyStoreType.PKCS12, + keystorePassword: String = "", + ) = KeyStore.getInstance(keystoreType.name).apply { + keystoreFile.inputStream().use { + load(it, keystorePassword.toCharArray()) + } + } + + private fun KeyPair.toX509Certificate(cn: String, expiry: Duration = Duration.ofDays(365)): X509Certificate { + val now = Instant.now() + val x500Name = X500Name("CN=$cn") + val contentSigner: ContentSigner = JcaContentSignerBuilder(CERT_SIGNATURE_ALG).build(this.private) + val certificateHolder = JcaX509v3CertificateBuilder( + x500Name, + BigInteger.valueOf(now.toEpochMilli()), + Date.from(now), + Date.from(now.plus(expiry)), + x500Name, + this.public + ).addExtensions(cn, this.public).build(contentSigner) + return JcaX509CertificateConverter().setProvider(BouncyCastleProvider()).getCertificate(certificateHolder) + } + + private fun X509v3CertificateBuilder.addExtensions(cn: String, publicKey: PublicKey) = apply { + addExtension(Extension.subjectKeyIdentifier, false, publicKey.createSubjectKeyId()) + .addExtension(Extension.authorityKeyIdentifier, false, publicKey.createAuthorityKeyId()) + .addExtension(Extension.basicConstraints, true, BasicConstraints(true)) + .addExtension(Extension.subjectAlternativeName, false, GeneralNames(GeneralName(GeneralName.dNSName, cn))) + .addExtension(Extension.keyUsage, false, KeyUsage(KeyUsage.digitalSignature)) + .addExtension(Extension.extendedKeyUsage, false, ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)) + } + + private fun PublicKey.createSubjectKeyId(): SubjectKeyIdentifier = + X509ExtensionUtils(digestCalculator()).createSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(encoded)) + + private fun PublicKey.createAuthorityKeyId(): AuthorityKeyIdentifier = + X509ExtensionUtils(digestCalculator()).createAuthorityKeyIdentifier(SubjectPublicKeyInfo.getInstance(encoded)) + + private fun digestCalculator() = BcDigestCalculatorProvider().get(AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)) + } +} diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/OAuth2ConfigTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/OAuth2ConfigTest.kt index 4a00c189..b3396a5c 100644 --- a/src/test/kotlin/no/nav/security/mock/oauth2/OAuth2ConfigTest.kt +++ b/src/test/kotlin/no/nav/security/mock/oauth2/OAuth2ConfigTest.kt @@ -1,12 +1,18 @@ package no.nav.security.mock.oauth2 -import com.fasterxml.jackson.databind.exc.InvalidFormatException +import com.fasterxml.jackson.databind.JsonMappingException import io.kotest.assertions.throwables.shouldThrow +import io.kotest.matchers.Matcher +import io.kotest.matchers.MatcherResult import io.kotest.matchers.collections.shouldContainAll import io.kotest.matchers.should import io.kotest.matchers.shouldBe import io.kotest.matchers.types.beInstanceOf import no.nav.security.mock.oauth2.FullConfig.configJson +import no.nav.security.mock.oauth2.HttpServerConfig.mockWebServerWithGeneratedKeystore +import no.nav.security.mock.oauth2.HttpServerConfig.mockWebServerWithProvidedKeystore +import no.nav.security.mock.oauth2.HttpServerConfig.nettyWithGeneratedKeystore +import no.nav.security.mock.oauth2.HttpServerConfig.nettyWithProvidedKeystore import no.nav.security.mock.oauth2.HttpServerConfig.withMockWebServerWrapper import no.nav.security.mock.oauth2.HttpServerConfig.withNettyHttpServer import no.nav.security.mock.oauth2.HttpServerConfig.withUnknownHttpServer @@ -14,6 +20,12 @@ import no.nav.security.mock.oauth2.http.MockWebServerWrapper import no.nav.security.mock.oauth2.http.NettyWrapper import org.intellij.lang.annotations.Language import org.junit.jupiter.api.Test +import java.io.File +import java.security.KeyStore +import java.security.cert.X509Certificate +import java.time.Duration +import java.time.Instant +import java.util.Date internal class OAuth2ConfigTest { @@ -21,7 +33,7 @@ internal class OAuth2ConfigTest { fun `create httpServer from json`() { OAuth2Config.fromJson(withNettyHttpServer).httpServer should beInstanceOf() OAuth2Config.fromJson(withMockWebServerWrapper).httpServer should beInstanceOf() - shouldThrow { + shouldThrow { OAuth2Config.fromJson(withUnknownHttpServer) } } @@ -36,6 +48,57 @@ internal class OAuth2ConfigTest { it.issuerId() }.toList() shouldContainAll listOf("issuer1", "issuer2") } + + @Test + fun `create NettyWrapper with https enabled and provided keystore`() { + val server = OAuth2Config.fromJson(nettyWithProvidedKeystore).httpServer as NettyWrapper + val actualKeyStore = server.ssl?.sslKeystore?.keyStore + val actualPrivateKey = actualKeyStore?.getKey("localhost", "".toCharArray()) + val expectedPrivateKey = privateKeyFromFile() + actualPrivateKey shouldBe expectedPrivateKey + } + + @Test + fun `create MockWebServerWrapper with https enabled and provided keystore`() { + val server = OAuth2Config.fromJson(mockWebServerWithProvidedKeystore).httpServer as MockWebServerWrapper + val actualKeyStore = server.ssl?.sslKeystore?.keyStore + val actualPrivateKey = actualKeyStore?.getKey("localhost", "".toCharArray()) + val expectedPrivateKey = privateKeyFromFile() + actualPrivateKey shouldBe expectedPrivateKey + } + + @Test + fun `create NettyWrapper with https enabled and generated keystore`() { + val server = OAuth2Config.fromJson(nettyWithGeneratedKeystore).httpServer as NettyWrapper + val actualKeyStore = server.ssl?.sslKeystore?.keyStore + val actualCert = actualKeyStore?.getCertificate("localhost") as X509Certificate + actualCert.notBefore should beAroundNow() + } + + @Test + fun `create MockWebServerWrapper with https enabled and generated keystore`() { + val server = OAuth2Config.fromJson(mockWebServerWithGeneratedKeystore).httpServer as MockWebServerWrapper + val actualKeyStore = server.ssl?.sslKeystore?.keyStore + val actualCert = actualKeyStore?.getCertificate("localhost") as X509Certificate + actualCert.notBefore should beAroundNow() + } + + private fun beAroundNow(skew: Duration = Duration.ofSeconds(2)) = object : Matcher { + override fun test(value: Date): MatcherResult { + val now = Instant.now() + val withSkew = value.toInstant().plus(skew) + return MatcherResult( + withSkew.isAfter(now), + "Date $withSkew should be after $now", + "Date $withSkew should not be after $now" + ) + } + } + + private fun privateKeyFromFile() = + KeyStore.getInstance("PKCS12").apply { + File("src/test/resources/localhost.p12").inputStream().use { load(it, "".toCharArray()) } + }.getKey("localhost", "".toCharArray()) } object FullConfig { @@ -101,4 +164,48 @@ object HttpServerConfig { "httpServer": "UnknownServer" } """.trimIndent() + + @Language("json") + val nettyWithProvidedKeystore = """ + { + "httpServer" : { + "type" : "NettyWrapper", + "ssl" : { + "keystoreFile" : "src/test/resources/localhost.p12" + } + } + } + """.trimIndent() + + @Language("json") + val nettyWithGeneratedKeystore = """ + { + "httpServer" : { + "type" : "NettyWrapper", + "ssl" : {} + } + } + """.trimIndent() + + @Language("json") + val mockWebServerWithGeneratedKeystore = """ + { + "httpServer" : { + "type" : "MockWebServerWrapper", + "ssl" : {} + } + } + """.trimIndent() + + @Language("json") + val mockWebServerWithProvidedKeystore = """ + { + "httpServer" : { + "type" : "MockWebServerWrapper", + "ssl" : { + "keystoreFile" : "src/test/resources/localhost.p12" + } + } + } + """.trimIndent() } diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt index f1629925..dea4fef7 100644 --- a/src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt +++ b/src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt @@ -13,7 +13,9 @@ import io.kotest.matchers.string.shouldStartWith import no.nav.security.mock.oauth2.MockOAuth2Server import no.nav.security.mock.oauth2.OAuth2Config import no.nav.security.mock.oauth2.extensions.verifySignatureAndIssuer +import no.nav.security.mock.oauth2.http.MockWebServerWrapper import no.nav.security.mock.oauth2.http.OAuth2HttpResponse +import no.nav.security.mock.oauth2.http.Ssl import no.nav.security.mock.oauth2.http.WellKnown import no.nav.security.mock.oauth2.http.route import no.nav.security.mock.oauth2.testutils.audience @@ -26,6 +28,7 @@ import no.nav.security.mock.oauth2.testutils.post import no.nav.security.mock.oauth2.testutils.subject import no.nav.security.mock.oauth2.testutils.toTokenResponse import no.nav.security.mock.oauth2.testutils.tokenRequest +import no.nav.security.mock.oauth2.testutils.withTrustStore import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback import no.nav.security.mock.oauth2.withMockOAuth2Server import okhttp3.HttpUrl.Companion.toHttpUrl @@ -81,6 +84,18 @@ class MockOAuth2ServerIntegrationTest { } } + @Test + fun `wellknown should include https addresses when MockWebServerWrapper is started with https enabled`() { + val ssl = Ssl() + val server = MockOAuth2Server( + OAuth2Config(httpServer = MockWebServerWrapper(ssl)) + ).apply { start() } + client.withTrustStore(ssl.sslKeystore.keyStore).get(server.wellKnownUrl("issuer1")).parse().asClue { + it urlsShouldStartWith "https" + } + server.shutdown() + } + @Test fun `token request with enqueued token callback should return claims from tokencallback (with exception of id_token and oidc rules)`() { val server = MockOAuth2Server().apply { start() } diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/server/OAuth2HttpServerTest.kt b/src/test/kotlin/no/nav/security/mock/oauth2/server/OAuth2HttpServerTest.kt index 1b18cd18..498d95d2 100644 --- a/src/test/kotlin/no/nav/security/mock/oauth2/server/OAuth2HttpServerTest.kt +++ b/src/test/kotlin/no/nav/security/mock/oauth2/server/OAuth2HttpServerTest.kt @@ -7,19 +7,22 @@ import no.nav.security.mock.oauth2.http.NettyWrapper import no.nav.security.mock.oauth2.http.OAuth2HttpResponse import no.nav.security.mock.oauth2.http.OAuth2HttpServer import no.nav.security.mock.oauth2.http.RequestHandler +import no.nav.security.mock.oauth2.http.Ssl +import no.nav.security.mock.oauth2.http.SslKeystore import no.nav.security.mock.oauth2.http.redirect -import no.nav.security.mock.oauth2.testutils.client import no.nav.security.mock.oauth2.testutils.get import no.nav.security.mock.oauth2.testutils.post +import no.nav.security.mock.oauth2.testutils.withTrustStore import okhttp3.Headers import okhttp3.OkHttpClient import org.junit.jupiter.api.Test +import java.io.File private val log = KotlinLogging.logger { } internal class OAuth2HttpServerTest { - val client: OkHttpClient = client() + val httpClient = OkHttpClient().newBuilder().followRedirects(false).build() val requestHandler: RequestHandler = { log.debug("received request on url=${it.url}") @@ -42,13 +45,46 @@ internal class OAuth2HttpServerTest { NettyWrapper().start(port = 1234, requestHandler).shouldServeRequests().stop() } + @Test + fun `Netty server should start and serve requests with generated keystore and HTTPS enabled`() { + val ssl = Ssl() + NettyWrapper(ssl).start(requestHandler).shouldServeRequests(ssl).stop() + NettyWrapper(ssl).start(port = 1234, requestHandler).shouldServeRequests(ssl).stop() + } + + @Test + fun `Netty server should start and serve requests with provided keystore and HTTPS enabled`() { + val ssl = Ssl( + SslKeystore( + keyPassword = "", + keystoreFile = File("src/test/resources/localhost.p12"), + keystorePassword = "", + keystoreType = SslKeystore.KeyStoreType.PKCS12 + ) + ) + NettyWrapper(ssl).start(requestHandler).shouldServeRequests(ssl).stop() + } + @Test fun `MockWebServer should start and serve requests`() { MockWebServerWrapper().start(requestHandler).shouldServeRequests().stop() MockWebServerWrapper().start(port = 1234, requestHandler).shouldServeRequests().stop() } - private fun OAuth2HttpServer.shouldServeRequests() = apply { + @Test + fun `MockWebServer should start and serve requests with generated keystore and HTTPS enabled`() { + val ssl = Ssl() + MockWebServerWrapper(ssl).start(requestHandler).shouldServeRequests(ssl).stop() + MockWebServerWrapper(ssl).start(port = 1234, requestHandler).shouldServeRequests(ssl).stop() + } + + private fun OAuth2HttpServer.shouldServeRequests(ssl: Ssl? = null) = apply { + val client = if (ssl != null) { + httpClient.withTrustStore(ssl.sslKeystore.keyStore) + } else { + httpClient + } + client.get( this.url("/header"), Headers.headersOf("header1", "headervalue1") diff --git a/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Http.kt b/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Http.kt index 6820cdf2..66249795 100644 --- a/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Http.kt +++ b/src/test/kotlin/no/nav/security/mock/oauth2/testutils/Http.kt @@ -11,6 +11,10 @@ import okhttp3.HttpUrl import okhttp3.OkHttpClient import okhttp3.Request import okhttp3.Response +import java.security.KeyStore +import javax.net.ssl.SSLContext +import javax.net.ssl.TrustManagerFactory +import javax.net.ssl.X509TrustManager fun Response.toTokenResponse(): ParsedTokenResponse = ParsedTokenResponse( this.code, @@ -31,6 +35,14 @@ fun client(followRedirects: Boolean = false): OkHttpClient = .followRedirects(followRedirects) .build() +fun OkHttpClient.withTrustStore(keyStore: KeyStore, followRedirects: Boolean = false): OkHttpClient = + newBuilder().apply { + followRedirects(followRedirects) + val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(keyStore) } + val sslContext = SSLContext.getInstance("TLS").apply { init(null, trustManagerFactory.trustManagers, null) } + sslSocketFactory(sslContext.socketFactory, trustManagerFactory.trustManagers[0] as X509TrustManager) + }.build() + fun OkHttpClient.tokenRequest(url: HttpUrl, parameters: Map): Response = tokenRequest(url, Headers.headersOf(), parameters) diff --git a/src/test/resources/localhost.p12 b/src/test/resources/localhost.p12 new file mode 100644 index 00000000..ec2bd543 Binary files /dev/null and b/src/test/resources/localhost.p12 differ