Class AbstractDuoActionTest
- java.lang.Object
- net.shibboleth.idp.plugin.authn.duo.impl.AbstractDuoActionTest
- Direct Known Subclasses:
DuoAudienceClaimLookupStrategyTest, DuoIssuerClaimLookupStrategyTest, DuoNonceClaimLookupStrategyTest, DuoUsernameClaimLookupStrategyTest, ExchangeCodeForDuoTokenTest, HealthCheckDuoOIDCAuthAPITest, PopulateDuoAuthenticationContextTest, ValidateDuoResponseStateTest, ValidateDuoTokenAuthenticationResultTest, ValidateTokenClaimsTest, ValidateTokenSignatureTest
public abstract class AbstractDuoActionTest extends Object
Abstract class for Duo 2FA OIDC Action tests.
-
Field Summary
Modifier and Type, Field:
- protected net.shibboleth.idp.authn.context.AuthenticationContext ac
- protected static String API_HOST
- protected static String AUTHORIZE_URI
- protected static String CLIENT_ID
- protected net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext dc
- protected static String HEALTH_URI
- protected ProfileRequestContext prc
- protected static String REDIRECT_URI
- protected static String SECRET
- protected RequestContext src
- protected static String TOKEN_URI
-
Constructor Summary
Constructor:
- AbstractDuoActionTest()
-
Method Summary
Modifier and Type, Method, Description:
- protected void addAttemptedFlow(String flowId) - Add an AuthenticationFlowDescriptor to the AuthenticationContext with the specified flow ID.
- protected void addDuoContext() - Add the Duo authentication context to the authentication context.
- protected void addDuoIntegrationToContext() - Add fabricated duo integration to the duo context.
- protected void assertEventId(Event event, String eventId) - Check the event ID matches the eventId.
- protected void assertEventIdFromProfileRequestContext(String eventId) - Check the EventContext in the ProfileRequestContext is a String which represents the eventId argument.
- protected DefaultDuoOIDCIntegration createDummyDuoIntegration() - Create a dummy Duo integration.
- private String createJWTJson(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a JWT token in JSON using the claims arguments.
- private String createJWTJsonMissingAudAndExpClaims(String authResult, String authResultMessage, Instant iat, Instant authTime, String apiHost, String factor) - Create a JWT token in JSON using the claims arguments present, but missing the 'aud' and 'exp' claims.
- private String createJWTJsonWithNbf(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, Instant nbf, String apiHost, String factor) - Create a JWT token in JSON using the claims arguments.
- private String createJWTJsonWithNoAuthResult(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a JWT token in JSON without the auth_result element.
- protected com.nimbusds.jwt.JWT createPlainDummyToken(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a dummy Duo plain (no sig or enc) JWT token.
- protected com.nimbusds.jwt.JWT createPlainDummyToken(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, Instant nbf, String apiHost, String factor) - Create a dummy Duo plain (no sig or enc) JWT token.
- protected com.nimbusds.jwt.JWT createPlainDummyToken(String authResult, String authResultMessage, Instant iat, Instant authTime, String apiHost, String factor) - Create a dummy Duo plain (no sig or enc) JWT token which is missing the 'exp' and 'aud' claims.
- protected com.nimbusds.jwt.JWT createPlainDummyTokenNoAuthResult(String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a dummy Duo plain (no sig or enc) JWT token with no auth_result.
- protected com.nimbusds.jwt.JWT createSignedDummyToken(String headerJson, String secret, String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a signed Duo JWT token.
- protected com.nimbusds.jwt.JWT createSignedDummyTokenFromGivenSignature(String headerJson, String signatureBase64, String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a signed Duo JWT token using the supplied (not computed) signature.
- protected com.nimbusds.jwt.JWT createUnsignedSignedDummyToken(String headerJson, String authResult, String authResultMessage, String aud, Instant exp, Instant iat, Instant authTime, String apiHost, String factor) - Create a signed Duo JWT token which is NOT signed.
- void setup() - Set up the relevant contexts per method execution.
-
Field Detail
-
CLIENT_ID
protected static final String CLIENT_ID
- See Also:
- Constant Field Values
-
REDIRECT_URI
protected static final String REDIRECT_URI
- See Also:
- Constant Field Values
-
API_HOST
protected static final String API_HOST
- See Also:
- Constant Field Values
-
AUTHORIZE_URI
protected static final String AUTHORIZE_URI
- See Also:
- Constant Field Values
-
TOKEN_URI
protected static final String TOKEN_URI
- See Also:
- Constant Field Values
-
HEALTH_URI
protected static final String HEALTH_URI
- See Also:
- Constant Field Values
-
SECRET
protected static final String SECRET
- See Also:
- Constant Field Values
-
src
protected RequestContext src
-
prc
protected ProfileRequestContext prc
-
ac
protected net.shibboleth.idp.authn.context.AuthenticationContext ac
-
dc
protected net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext dc
-
Method Detail
-
setup
public void setup() throws ComponentInitializationException
Set up the relevant contexts per method execution.
This method is not inherited, so it must be enabled in concrete test classes, e.g. by adding a setup method that calls super.
- Throws:
- ComponentInitializationException - on error.
-
createPlainDummyToken
protected com.nimbusds.jwt.JWT createPlainDummyToken(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a dummy Duo plain (no sig or enc) JWT token.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host
- factor - the duo factor
- Returns:
- the duo auth token.
-
createPlainDummyTokenNoAuthResult
protected com.nimbusds.jwt.JWT createPlainDummyTokenNoAuthResult(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a dummy Duo plain (no sig or enc) JWT token with no auth_result.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host
- factor - the duo factor
- Returns:
- the duo auth token.
-
createPlainDummyToken
protected com.nimbusds.jwt.JWT createPlainDummyToken(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a dummy Duo plain (no sig or enc) JWT token which is missing the 'exp' and 'aud' claims.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host
- factor - the duo factor
- Returns:
- the duo auth token.
-
createPlainDummyToken
protected com.nimbusds.jwt.JWT createPlainDummyToken(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull Instant nbf, @Nonnull String apiHost, @Nonnull String factor)
Create a dummy Duo plain (no sig or enc) JWT token.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- nbf - not before time.
- apiHost - the api host
- factor - the duo factor
- Returns:
- the duo auth token.
-
createSignedDummyToken
protected com.nimbusds.jwt.JWT createSignedDummyToken(@Nonnull String headerJson, @Nonnull String secret, @Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a signed Duo JWT token.
- Parameters:
- headerJson - the header that defines the crypto params.
- secret - the secret used to sign the JWT.
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api hostname.
- factor - the duo factor.
- Returns:
- the duo auth token.
-
createSignedDummyTokenFromGivenSignature
protected com.nimbusds.jwt.JWT createSignedDummyTokenFromGivenSignature(@Nonnull String headerJson, @Nonnull String signatureBase64, @Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a signed Duo JWT token using the supplied (not computed) signature. Can be used to generate a token with an invalid signature.
- Parameters:
- headerJson - the header that defines the crypto params.
- signatureBase64 - the base64 encoded signature.
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api hostname.
- factor - the duo factor.
- Returns:
- the duo auth token.
-
createUnsignedSignedDummyToken
protected com.nimbusds.jwt.JWT createUnsignedSignedDummyToken(@Nonnull String headerJson, @Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a signed Duo JWT token which is NOT signed. Allows testing of unsupported algorithms.
- Parameters:
- headerJson - the header that defines the crypto params.
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api hostname.
- factor - the duo factor.
- Returns:
- the duo auth token.
-
createJWTJson
private String createJWTJson(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a JWT token in JSON using the claims arguments.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host.
- factor - the factor.
- Returns:
- the duo auth token.
-
createJWTJsonWithNoAuthResult
private String createJWTJsonWithNoAuthResult(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a JWT token in JSON without the auth_result element.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host.
- factor - the factor.
- Returns:
- the duo auth token.
-
createJWTJsonMissingAudAndExpClaims
private String createJWTJsonMissingAudAndExpClaims(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull String apiHost, @Nonnull String factor)
Create a JWT token in JSON using the claims arguments present, but missing the 'aud' and 'exp' claims.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- iat - issued at.
- authTime - the auth time.
- apiHost - the api host.
- factor - the factor.
- Returns:
- the duo auth token.
-
createJWTJsonWithNbf
private String createJWTJsonWithNbf(@Nonnull String authResult, @Nonnull String authResultMessage, @Nonnull String aud, @Nonnull Instant exp, @Nonnull Instant iat, @Nonnull Instant authTime, @Nonnull Instant nbf, @Nonnull String apiHost, @Nonnull String factor)
Create a JWT token in JSON using the claims arguments. Includes the not before claim which is not part of the normal Duo (or OIDC) response, but is part of the JWT spec.
- Parameters:
- authResult - the authentication result e.g. allow.
- authResultMessage - a user friendly result message.
- aud - audience
- exp - expiration time.
- iat - issued at.
- authTime - the auth time.
- nbf - the not before time.
- apiHost - the api host.
- factor - the factor.
- Returns:
- the duo auth token.
-
addAttemptedFlow
protected void addAttemptedFlow(@Nonnull String flowId)
Add an AuthenticationFlowDescriptor to the AuthenticationContext with the specified flow ID.
- Parameters:
- flowId - the flow ID.
-
assertEventIdFromProfileRequestContext
protected void assertEventIdFromProfileRequestContext(@Nonnull String eventId)
Check the EventContext in the ProfileRequestContext is a String which represents the eventId argument.
- Parameters:
- eventId - the eventId to check.
-
assertEventId
protected void assertEventId(@Nullable Event event, @Nonnull String eventId)
Check the event ID matches the eventId.
- Parameters:
- event - the event to check the ID of.
- eventId - the ID to match.
-
addDuoContext
protected void addDuoContext()
Add the Duo authentication context to the authentication context.
-
addDuoIntegrationToContext
protected void addDuoIntegrationToContext()
Add fabricated duo integration to the duo context.
-
createDummyDuoIntegration
@Nonnull protected DefaultDuoOIDCIntegration createDummyDuoIntegration()
Create a dummy Duo integration.
- Returns:
- a dummy Duo integration.