fix: add checks on accessTokenData not found in AuthTokenAudienceRule (
wolf4ood authored May 15, 2024
1 parent 6a27157 commit e037eba
Showing 3 changed files with 50 additions and 0 deletions.
Expand Up @@ -54,6 +54,9 @@ public Result<Void> checkRule(@NotNull ClaimToken authenticationToken, @Nullable
var tokenId = getTokenId(accessToken);

var accessTokenData = store.getById(tokenId);
if (accessTokenData == null) {
return Result.failure("Token with id '%s' not found".formatted(tokenId));
}
var expectedAudience = accessTokenData.additionalProperties().getOrDefault(AUDIENCE_PROPERTY, null);
if (expectedAudience instanceof String expectedAud) {
return expectedAud.equals(issuer) ? Result.success() : Result.failure("Principal '%s' is not authorized to refresh this token.".formatted(issuer));
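Review bot: The new failure detail on line 20 interpolates `tokenId`, which is derived from the caller-supplied access token via `getTokenId(accessToken)`, and the end-to-end test in the third file (line 81) shows that detail reaching the HTTP 401 body verbatim. Together with the distinct audience-mismatch message a few lines below, a caller can tell an unknown (or revoked) token id from a known one whose audience does not match, which is a minor existence oracle for ids in the store. Consider returning a uniform detail to the caller, e.g. `Result.failure("Authentication token validation failed")`, and recording the specific reason server-side if the enclosing class has a logger. The null check itself is correct and needed, since `store.getById` evidently returns null for unknown ids rather than throwing. `checkRule` starts and ends outside the hunk.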
Expand Up @@ -78,4 +78,14 @@ void checkRule_audienceNotPresent() {
.detail()
.isEqualTo("Property '%s' was expected to be java.lang.String but was null.".formatted(AUDIENCE_PROPERTY));
}

@Test
void checkRule_accessTokenDataNotFound() {
when(store.getById(TEST_TOKEN_ID)).thenReturn(null);

assertThat(rule.checkRule(createAuthenticationToken(TEST_TOKEN_ID), Map.of()))
.isFailed()
.detail()
.isEqualTo("Token with id '%s' not found".formatted(TEST_TOKEN_ID));
}
}
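Review bot: The stub `when(store.getById(TEST_TOKEN_ID)).thenReturn(null);` on line 34 returns what a Mockito mock returns by default, so the test would still pass if the line were deleted; stating the intent prevents a later reader from removing it as redundant, e.g. `// explicit: the store has no entry for this id (also Mockito's default)`. If `store` is not a Mockito mock in this class, disregard. The assertion mirrors the rule's message literally, which is consistent with the neighbouring `checkRule_audienceNotPresent` test.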
Expand Up @@ -316,6 +316,43 @@ void refresh_invalidAuthenticationToken_missingAudience() {
.body(containsString("Required claim 'aud' not present on token."));
}

@DisplayName("The authentication token has a invalid id")
@Test
void refresh_invalidTokenId() {
prepareDataplaneRuntime();

var authorizationService = DATAPLANE_RUNTIME.getService(DataPlaneAuthorizationService.class);
var edr = authorizationService.createEndpointDataReference(createStartMessage("test-process-id", CONSUMER_DID))
.orElseThrow(f -> new AssertionError(f.getFailureDetail()));

var refreshToken = edr.getStringProperty(TX_AUTH_NS + "refreshToken");
var accessToken = edr.getStringProperty(EDC_NAMESPACE + "authorization");


authorizationService.revokeEndpointDataReference("test-process-id", "Revoked");
var tokenId = getJwtId(accessToken);

var claims = new JWTClaimsSet.Builder()
.claim("token", accessToken)
.issuer(CONSUMER_DID)
.subject(CONSUMER_DID)
.audience("did:web:bob")
.jwtID(tokenId)
.build();

var authToken = createJwt(consumerKey, claims);

RUNTIME_CONFIG.getRefreshApi().baseRequest()
.queryParam("grant_type", "refresh_token")
.queryParam("refresh_token", refreshToken)
.header(AUTHORIZATION, "Bearer " + authToken)
.post("/token")
.then()
.log().ifValidationFails()
.statusCode(401)
.body(containsString("Authentication token validation failed: Token with id '%s' not found".formatted(tokenId)));
}

private void prepareDataplaneRuntime() {
var vault = DATAPLANE_RUNTIME.getContext().getService(Vault.class);
vault.storeSecret(PROVIDER_KEY_ID, providerKey.toJSONString());
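Review bot: The method name `refresh_invalidTokenId` and the `@DisplayName("The authentication token has a invalid id")` on lines 47–49 describe a malformed id, but the setup reaches the "not found" path by revoking the EDR on line 60 after issuing it, so the id is well-formed and merely no longer stored; a name such as `refresh_revokedToken_notFound` or a comment above line 60, `// revocation removes the stored access token data, so the id lookup fails downstream`, would make the scenario clear (and fix "a invalid" → "an invalid"). The double blank line at 58–59 is a formatting nit. Hardcoding `"did:web:bob"` as the audience on line 67 while issuer and subject use `CONSUMER_DID` is presumably intentional, but a named constant or a short comment would avoid the question. `prepareDataplaneRuntime` continues below the hunk.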