diff --git a/src/main/java/it/gov/pagopa/payhub/auth/exception/AuthExceptionHandler.java b/src/main/java/it/gov/pagopa/payhub/auth/exception/AuthExceptionHandler.java index 8a53d6fd..297b12c8 100644 --- a/src/main/java/it/gov/pagopa/payhub/auth/exception/AuthExceptionHandler.java +++ b/src/main/java/it/gov/pagopa/payhub/auth/exception/AuthExceptionHandler.java @@ -1,7 +1,6 @@ package it.gov.pagopa.payhub.auth.exception; -import it.gov.pagopa.payhub.auth.exception.custom.InvalidTokenException; -import it.gov.pagopa.payhub.auth.exception.custom.TokenExpiredException; +import it.gov.pagopa.payhub.auth.exception.custom.*; import it.gov.pagopa.payhub.model.generated.AuthErrorDTO; import jakarta.servlet.http.HttpServletRequest; import lombok.extern.slf4j.Slf4j; @@ -19,20 +18,36 @@ @Order(Ordered.HIGHEST_PRECEDENCE) public class AuthExceptionHandler { - @ExceptionHandler(InvalidTokenException.class) + @ExceptionHandler({InvalidTokenException.class, TokenExpiredException.class}) @ResponseStatus(HttpStatus.UNAUTHORIZED) - public AuthErrorDTO handleInvalidTokenException(InvalidTokenException ex, HttpServletRequest request){ + public AuthErrorDTO handleInvalidGrantError(RuntimeException ex, HttpServletRequest request){ String message = logAndReturnUnauthorizedExceptionMessage(ex, request); return new AuthErrorDTO(AuthErrorDTO.ErrorEnum.INVALID_GRANT, message); } - @ExceptionHandler(TokenExpiredException.class) + @ExceptionHandler(InvalidExchangeClientException.class) @ResponseStatus(HttpStatus.UNAUTHORIZED) - public AuthErrorDTO handleTokenExpiredException(TokenExpiredException ex, HttpServletRequest request){ + public AuthErrorDTO handleInvalidClientError(RuntimeException ex, HttpServletRequest request){ String message = logAndReturnUnauthorizedExceptionMessage(ex, request); - return new AuthErrorDTO(AuthErrorDTO.ErrorEnum.INVALID_GRANT, message); + return new AuthErrorDTO(AuthErrorDTO.ErrorEnum.INVALID_CLIENT, message); + } + + @ExceptionHandler({InvalidExchangeRequestException.class, InvalidTokenIssuerException.class}) + @ResponseStatus(HttpStatus.BAD_REQUEST) + public AuthErrorDTO handleInvalidRequestError(RuntimeException ex, HttpServletRequest request){ + String message = logAndReturnUnauthorizedExceptionMessage(ex, request); + + return new AuthErrorDTO(AuthErrorDTO.ErrorEnum.INVALID_REQUEST, message); + } + + @ExceptionHandler({InvalidGrantTypeException.class}) + @ResponseStatus(HttpStatus.BAD_REQUEST) + public AuthErrorDTO handleUnsupportedGrantType(RuntimeException ex, HttpServletRequest request){ + String message = logAndReturnUnauthorizedExceptionMessage(ex, request); + + return new AuthErrorDTO(AuthErrorDTO.ErrorEnum.UNSUPPORTED_GRANT_TYPE, message); } @ExceptionHandler(MissingServletRequestParameterException.class) diff --git a/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeClientException.java b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeClientException.java new file mode 100644 index 00000000..e4b90cc4 --- /dev/null +++ b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeClientException.java @@ -0,0 +1,11 @@ +package it.gov.pagopa.payhub.auth.exception.custom; + +import lombok.Getter; + +@Getter +public class InvalidExchangeClientException extends RuntimeException { + + public InvalidExchangeClientException(String message) { + super(message); + } +} diff --git a/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeRequestException.java b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeRequestException.java new file mode 100644 index 00000000..75a68892 --- /dev/null +++ b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidExchangeRequestException.java @@ -0,0 +1,11 @@ +package it.gov.pagopa.payhub.auth.exception.custom; + +import lombok.Getter; + +@Getter +public class InvalidExchangeRequestException extends RuntimeException { + + public InvalidExchangeRequestException(String message) { + super(message); + } +} diff --git a/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidGrantTypeException.java b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidGrantTypeException.java new file mode 100644 index 00000000..5f92cd12 --- /dev/null +++ b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidGrantTypeException.java @@ -0,0 +1,11 @@ +package it.gov.pagopa.payhub.auth.exception.custom; + +import lombok.Getter; + +@Getter +public class InvalidGrantTypeException extends RuntimeException { + + public InvalidGrantTypeException(String message) { + super(message); + } +} diff --git a/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidTokenIssuerException.java b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidTokenIssuerException.java new file mode 100644 index 00000000..bf445706 --- /dev/null +++ b/src/main/java/it/gov/pagopa/payhub/auth/exception/custom/InvalidTokenIssuerException.java @@ -0,0 +1,11 @@ +package it.gov.pagopa.payhub.auth.exception.custom; + +import lombok.Getter; + +@Getter +public class InvalidTokenIssuerException extends RuntimeException { + + public InvalidTokenIssuerException(String message) { + super(message); + } +} diff --git a/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ExchangeTokenServiceImpl.java b/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ExchangeTokenServiceImpl.java index 057bdb6b..7e39c0e1 100644 --- a/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ExchangeTokenServiceImpl.java +++ b/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ExchangeTokenServiceImpl.java @@ -1,8 +1,10 @@ package it.gov.pagopa.payhub.auth.service.exchange; +import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Service; @Service +@Slf4j public class ExchangeTokenServiceImpl implements ExchangeTokenService{ private final ValidateTokenService validateTokenService; @@ -13,6 +15,8 @@ public ExchangeTokenServiceImpl(ValidateTokenService validateTokenService) { @Override public void postToken(String clientId, String grantType, String subjectToken, String subjectIssuer, String subjectTokenType, String scope) { + log.info("Client {} requested to exchange a {} token provided by {} asking for grant type {} and scope {}", + clientId, subjectTokenType, subjectIssuer, grantType, scope); validateTokenService.validate(clientId, grantType, subjectToken, subjectIssuer, subjectTokenType, scope); } } diff --git a/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenService.java b/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenService.java index 25784b33..35ad7ffc 100644 --- a/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenService.java +++ b/src/main/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenService.java @@ -1,7 +1,7 @@ package it.gov.pagopa.payhub.auth.service.exchange; import io.jsonwebtoken.Claims; -import it.gov.pagopa.payhub.auth.exception.custom.InvalidTokenException; +import it.gov.pagopa.payhub.auth.exception.custom.*; import it.gov.pagopa.payhub.auth.utils.JWTValidator; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; @@ -12,26 +12,65 @@ @Service @Slf4j class ValidateTokenService { - private final String audience; - private final String issuer; + public static final String ALLOWED_CLIENT_ID = "piattaforma-unitaria"; + public static final String ALLOWED_GRANT_TYPE="urn:ietf:params:oauth:grant-type:token-exchange"; + public static final String ALLOWED_SUBJECT_TOKEN_TYPE="urn:ietf:params:oauth:token-type:id_token"; + public static final String ALLOWED_SCOPE="openid"; + + private final String allowedAudience; + private final String allowedIssuer; private final String urlJwkProvider; private final JWTValidator jwtValidator; - public ValidateTokenService(@Value("${jwt.token.audience:}")String audience, - @Value("${jwt.token.issuer:}")String issuer, + public ValidateTokenService(@Value("${jwt.token.audience:}")String allowedAudience, + @Value("${jwt.token.issuer:}")String allowedIssuer, @Value("${jwt.token.jwk:}")String urlJwkProvider, JWTValidator jwtValidator) { - this.audience = audience; - this.issuer = issuer; + this.allowedAudience = allowedAudience; + this.allowedIssuer = allowedIssuer; + this.urlJwkProvider = urlJwkProvider; this.jwtValidator = jwtValidator; } public void validate(String clientId, String grantType, String subjectToken, String subjectIssuer, String subjectTokenType, String scope) { + validateClient(clientId); + validateProtocolConfiguration(grantType, subjectTokenType, scope); + validateSubjectTokenIssuer(subjectIssuer); + validateSubjectToken(subjectToken); + } + + private void validateClient(String clientId) { + if (!ALLOWED_CLIENT_ID.equals(clientId)){ + throw new InvalidExchangeClientException("Invalid clientId " + clientId); + } + } + + private void validateProtocolConfiguration(String grantType, String subjectTokenType, String scope) { + if (!ALLOWED_GRANT_TYPE.equals(grantType)){ + throw new InvalidGrantTypeException("Invalid grantType " + grantType); + } + if (!ALLOWED_SUBJECT_TOKEN_TYPE.equals(subjectTokenType)){ + throw new InvalidTokenException("Invalid subjectTokenType " + subjectTokenType); + } + if (!ALLOWED_SCOPE.equals(scope)){ + throw new InvalidExchangeRequestException("Invalid scope " + scope); + } + } + + private void validateSubjectTokenIssuer(String subjectIssuer) { + if (!allowedIssuer.equals(subjectIssuer)){ + throw new InvalidTokenIssuerException("Invalid subjectIssuer " + subjectIssuer); + } + } + + private void validateSubjectToken(String subjectToken) { Map data = jwtValidator.validate(subjectToken, urlJwkProvider); - if (!(data.get(Claims.AUDIENCE).equals(audience) && data.get(Claims.ISSUER).equals(issuer))){ - throw new InvalidTokenException("Invalid audience or issuer in the token"); + if (!allowedAudience.equals(data.get(Claims.AUDIENCE))){ + throw new InvalidTokenException("Invalid audience: " + allowedAudience); + } + if (!allowedIssuer.equals(data.get(Claims.ISSUER))){ + throw new InvalidTokenException("Invalid issuer: " + allowedIssuer); } - log.info("Token validated successfully"); } } diff --git a/src/test/java/it/gov/pagopa/payhub/auth/controller/AuthControllerTest.java b/src/test/java/it/gov/pagopa/payhub/auth/controller/AuthControllerTest.java index c835d969..ebd4ca37 100644 --- a/src/test/java/it/gov/pagopa/payhub/auth/controller/AuthControllerTest.java +++ b/src/test/java/it/gov/pagopa/payhub/auth/controller/AuthControllerTest.java @@ -2,6 +2,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import it.gov.pagopa.payhub.auth.exception.AuthExceptionHandler; +import it.gov.pagopa.payhub.auth.exception.custom.*; import it.gov.pagopa.payhub.auth.service.AuthService; import it.gov.pagopa.payhub.model.generated.AuthErrorDTO; import org.junit.jupiter.api.Assertions; @@ -10,11 +11,13 @@ import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.boot.test.mock.mockito.MockBean; import org.springframework.context.annotation.Import; +import org.springframework.http.HttpStatus; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.mockito.Mockito.doNothing; +import static org.mockito.Mockito.doThrow; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; @@ -28,10 +31,58 @@ class AuthControllerTest { private ObjectMapper objectMapper; @MockBean - AuthService authServiceMock; + private AuthService authServiceMock; @Test void givenExpectedAuthTokenThenOk() throws Exception { + MvcResult result = + invokeAndVerify(null, HttpStatus.OK, null); + + Assertions.assertNotNull(result); + } + + @Test + void givenRequestWithoutAuthTokenThenBadRequest() throws Exception { + MvcResult result = mockMvc.perform( + post("/payhub/auth/token") + ).andExpect(status().isBadRequest()).andReturn(); + + AuthErrorDTO actual = objectMapper.readValue(result.getResponse().getContentAsString(), + AuthErrorDTO.class); + assertEquals(AuthErrorDTO.ErrorEnum.INVALID_REQUEST, actual.getError()); + } + + @Test + void givenInvalidExchangeClientExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new InvalidExchangeClientException("description"), HttpStatus.UNAUTHORIZED, AuthErrorDTO.ErrorEnum.INVALID_CLIENT); + } + + @Test + void givenInvalidExchangeRequestExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new InvalidExchangeRequestException("description"), HttpStatus.BAD_REQUEST, AuthErrorDTO.ErrorEnum.INVALID_REQUEST); + } + + @Test + void givenInvalidGrantTypeExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new InvalidGrantTypeException("description"), HttpStatus.BAD_REQUEST, AuthErrorDTO.ErrorEnum.UNSUPPORTED_GRANT_TYPE); + } + + @Test + void givenInvalidTokenExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new InvalidTokenException("description"), HttpStatus.UNAUTHORIZED, AuthErrorDTO.ErrorEnum.INVALID_GRANT); + } + + @Test + void givenInvalidTokenIssuerExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new InvalidTokenIssuerException("description"), HttpStatus.BAD_REQUEST, AuthErrorDTO.ErrorEnum.INVALID_REQUEST); + } + + @Test + void givenTokenExpiredExceptionThenInvalidClientError() throws Exception { + invokeAndVerify(new TokenExpiredException("description"), HttpStatus.UNAUTHORIZED, AuthErrorDTO.ErrorEnum.INVALID_GRANT); + } + + MvcResult invokeAndVerify(RuntimeException exception, HttpStatus expectedStatus, AuthErrorDTO.ErrorEnum expectedError) throws Exception { String clientId="CLIENT_ID"; String grantType="GRANT_TYPE"; String subjectToken="SUBJECT_TOKEN"; @@ -39,7 +90,10 @@ void givenExpectedAuthTokenThenOk() throws Exception { String subjectTokenType="SUBJECT_TOKEN_TYPE"; String scope="SCOPE"; - doNothing().when(authServiceMock).postToken(clientId,grantType,subjectToken,subjectIssuer,subjectTokenType,scope); + (exception != null + ? doThrow(exception) + : doNothing()) + .when(authServiceMock).postToken(clientId,grantType,subjectToken,subjectIssuer,subjectTokenType,scope); MvcResult result = mockMvc.perform( post("/payhub/auth/token") @@ -49,19 +103,17 @@ void givenExpectedAuthTokenThenOk() throws Exception { .param("subject_issuer", subjectIssuer) .param("subject_token_type", subjectTokenType) .param("scope", scope) - ).andExpect(status().is2xxSuccessful()).andReturn(); + ).andExpect(status().is(expectedStatus.value())).andReturn(); - Assertions.assertNotNull(result); - } + if(exception != null && expectedError != null) { + AuthErrorDTO actual = objectMapper.readValue(result.getResponse().getContentAsString(), + AuthErrorDTO.class); + assertEquals(expectedError, actual.getError()); + assertEquals(exception.getMessage(), actual.getErrorDescription()); + } else { + Assertions.assertFalse(result.getResponse().getContentAsString().contains("error")); + } - @Test - void givenRequestWithoutAuthTokenThenBadRequest() throws Exception { - MvcResult result = mockMvc.perform( - post("/payhub/auth/token") - ).andExpect(status().isBadRequest()).andReturn(); - - AuthErrorDTO actual = objectMapper.readValue(result.getResponse().getContentAsString(), - AuthErrorDTO.class); - assertEquals(AuthErrorDTO.ErrorEnum.INVALID_REQUEST, actual.getError()); + return result; } } diff --git a/src/test/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenServiceTest.java b/src/test/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenServiceTest.java index 895daf68..f70ebbd0 100644 --- a/src/test/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenServiceTest.java +++ b/src/test/java/it/gov/pagopa/payhub/auth/service/exchange/ValidateTokenServiceTest.java @@ -1,7 +1,7 @@ package it.gov.pagopa.payhub.auth.service.exchange; import com.github.tomakehurst.wiremock.WireMockServer; -import it.gov.pagopa.payhub.auth.exception.custom.InvalidTokenException; +import it.gov.pagopa.payhub.auth.exception.custom.*; import it.gov.pagopa.payhub.auth.utils.JWTValidator; import it.gov.pagopa.payhub.auth.utils.JWTValidatorUtils; import org.junit.jupiter.api.AfterEach; @@ -25,8 +25,8 @@ class ValidateTokenServiceTest { public static final Date EXPIRES_AT = new Date(System.currentTimeMillis() + 3600000); - private static final String AUD = "AUD"; - private static final String ISS = "ISS"; + private static final String ALLOWED_AUDIENCE = "AUD"; + private static final String ALLOWED_SUBECJECT_ISSUER = "ISS"; private ValidateTokenService validateTokenService; private WireMockServer wireMockServer; @@ -40,64 +40,97 @@ void setup(){ wireMockServer = new WireMockServer(wireMockConfig().dynamicPort()); wireMockServer.start(); utils = new JWTValidatorUtils(wireMockServer); - validateTokenService = new ValidateTokenService(AUD, ISS, utils.getUrlJwkProvider(), jwtValidator); + validateTokenService = new ValidateTokenService(ALLOWED_AUDIENCE, ALLOWED_SUBECJECT_ISSUER, utils.getUrlJwkProvider(), jwtValidator); } @AfterEach void clean(){ wireMockServer.stop(); } + @Test - void authTokenOk() throws Exception { - String clientId = "CLIENT_ID"; - String grantType = "GRANT_TYPE"; + void givenValidRequestThenOk() throws Exception { String subjectToken = utils.generateJWK(EXPIRES_AT); - String subjectIssuer = "SUBJECT_ISSUER"; - String subjectTokenType = "SUBJECT_TOKEN_TYPE"; - String scope = "SCOPE"; - - Map claimsMap = createJWKClaims(ISS, AUD); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, ALLOWED_AUDIENCE); String wireMockUrl = utils.getUrlJwkProvider(); when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); - validateTokenService.validate(clientId, grantType, subjectToken, subjectIssuer, subjectTokenType, scope); + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE); Mockito.verify(jwtValidator, times(1)).validate(subjectToken, wireMockUrl); } @Test - void authTokenWrongIss() throws Exception { - String clientId = "CLIENT_ID"; - String grantType = "GRANT_TYPE"; + void givenInvalidClientThenInvalidExchangeClientException() throws Exception { + String subjectToken = utils.generateJWK(EXPIRES_AT); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, ALLOWED_AUDIENCE); + + String wireMockUrl = utils.getUrlJwkProvider(); + when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); + + assertThrows(InvalidExchangeClientException.class, () -> + validateTokenService.validate("UNEXPECTED_CLIENT_ID", ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE)); + } + + @Test + void givenInvalidGrantTypeException() throws Exception { + String subjectToken = utils.generateJWK(EXPIRES_AT); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, ALLOWED_AUDIENCE); + + String wireMockUrl = utils.getUrlJwkProvider(); + when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); + + assertThrows(InvalidGrantTypeException.class, () -> + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, "UNEXPECTED_GRANT_TYPE", subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE)); + } + + @Test + void givenInvalidSubjectTokenIssuerThenInvalidTokenIssuerException() throws Exception { + String subjectToken = utils.generateJWK(EXPIRES_AT); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, ALLOWED_AUDIENCE); + + String wireMockUrl = utils.getUrlJwkProvider(); + when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); + + assertThrows(InvalidTokenIssuerException.class, () -> + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, "UNEXPECTED_SUBECJECT_ISSUER", ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE)); + } + + @Test + void givenInvalidScopeThenInvalidExchangeRequestException() throws Exception { + String subjectToken = utils.generateJWK(EXPIRES_AT); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, ALLOWED_AUDIENCE); + + String wireMockUrl = utils.getUrlJwkProvider(); + when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); + + assertThrows(InvalidExchangeRequestException.class, () -> + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, "UNEXPECTED_SCOPE")); + } + + @Test + void givenInvalidIssuerClaimThenInvalidTokenException() throws Exception { String subjectToken = utils.generateJWK(EXPIRES_AT); - String subjectIssuer = "SUBJECT_ISSUER"; - String subjectTokenType = "SUBJECT_TOKEN_TYPE"; - String scope = "SCOPE"; - Map claimsMap = createJWKClaims("ISS_FAKE", AUD); + Map claimsMap = createJWKClaims("ISS_FAKE", ALLOWED_AUDIENCE); String wireMockUrl = utils.getUrlJwkProvider(); when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); assertThrows(InvalidTokenException.class, () -> - validateTokenService.validate(clientId, grantType, subjectToken, subjectIssuer, subjectTokenType, scope)); + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE)); } @Test - void authTokenWrongAud() throws Exception { - String clientId = "CLIENT_ID"; - String grantType = "GRANT_TYPE"; + void givenInvalidAudienceClaimThenInvalidTokenException() throws Exception { String subjectToken = utils.generateJWK(EXPIRES_AT); - String subjectIssuer = "SUBJECT_ISSUER"; - String subjectTokenType = "SUBJECT_TOKEN_TYPE"; - String scope = "SCOPE"; - Map claimsMap = createJWKClaims(ISS, "AUD_FAKE"); + Map claimsMap = createJWKClaims(ALLOWED_SUBECJECT_ISSUER, "AUD_FAKE"); String wireMockUrl = utils.getUrlJwkProvider(); when(jwtValidator.validate(subjectToken, wireMockUrl)).thenReturn(claimsMap); assertThrows(InvalidTokenException.class, () -> - validateTokenService.validate(clientId, grantType, subjectToken, subjectIssuer, subjectTokenType, scope)); + validateTokenService.validate(ValidateTokenService.ALLOWED_CLIENT_ID, ValidateTokenService.ALLOWED_GRANT_TYPE, subjectToken, ALLOWED_SUBECJECT_ISSUER, ValidateTokenService.ALLOWED_SUBJECT_TOKEN_TYPE, ValidateTokenService.ALLOWED_SCOPE)); }