From 3b76d662ec87b021a3c903dd4536569523836513 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Slobodan=20Adamovi=C4=87?= Date: Thu, 18 Aug 2022 11:06:22 +0200 Subject: [PATCH] Backport of #86374 which fixes a failing test. (#89448) --- .../authc/oidc/OpenIdConnectRealmTests.java | 97 ++++++++++--------- 1 file changed, 51 insertions(+), 46 deletions(-)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
index 576b80154f9bf..f3a27537feecd 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
@@ -56,6 +56,7 @@
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
@@ -276,16 +277,14 @@ public void testBuildRelyingPartyConfigWithoutOpenIdScope() {
 final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
 final String state = response.getState();
 final String nonce = response.getNonce();
- assertThat(
+ assertEqualUrlStrings(
 response.getAuthenticationRequestUrl(),
- equalTo(
- "https://op.example.com/login?scope=scope1+scope2+openid&response_type=code"
- + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
- + state
- + "&nonce="
- + nonce
- + "&client_id=rp-my"
- )
+ "https://op.example.com/login?scope=scope1+scope2+openid&response_type=code"
+ + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
+ + state
+ + "&nonce="
+ + nonce
+ + "&client_id=rp-my"
 );
 assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
@@ -309,16 +308,14 @@ public void testBuildingAuthenticationRequest() {
 final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
 final String state = response.getState();
 final String nonce = response.getNonce();
- assertThat(
+ assertEqualUrlStrings(
 response.getAuthenticationRequestUrl(),
- equalTo(
- "https://op.example.com/login?scope=openid+scope1+scope2&response_type=code"
- + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
- + state
- + "&nonce="
- + nonce
- + "&client_id=rp-my"
- )
+ "https://op.example.com/login?scope=openid+scope1+scope2&response_type=code"
+ + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
+ + state
+ + "&nonce="
+ + nonce
+ + "&client_id=rp-my"
 );
 assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
@@ -339,16 +336,14 @@ public void testBuilidingAuthenticationRequestWithDefaultScope() {
 final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
 final String state = response.getState();
 final String nonce = response.getNonce();
- assertThat(
+ assertEqualUrlStrings(
 response.getAuthenticationRequestUrl(),
- equalTo(
- "https://op.example.com/login?scope=openid&response_type=code"
- + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
- + state
- + "&nonce="
- + nonce
- + "&client_id=rp-my"
- )
+ "https://op.example.com/login?scope=openid&response_type=code"
+ + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state="
+ + state
+ + "&nonce="
+ + nonce
+ + "&client_id=rp-my"
 );
 assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
@@ -409,16 +404,14 @@ public void testBuildingAuthenticationRequestWithExistingStateAndNonce() { final String nonce = new Nonce().getValue(); final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(state, nonce, null); - assertThat( + assertEqualUrlStrings( response.getAuthenticationRequestUrl(), - equalTo( - "https://op.example.com/login?scope=openid&response_type=code" - + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" - + state - + "&nonce=" - + nonce - + "&client_id=rp-my" - ) + "https://op.example.com/login?scope=openid&response_type=code" + + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + + state + + "&nonce=" + + nonce + + "&client_id=rp-my" ); assertThat(response.getRealmName(), equalTo(REALM_NAME)); }
@@ -441,21 +434,33 @@ public void testBuildingAuthenticationRequestWithLoginHint() { final String thehint = randomAlphaOfLength(8); final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(state, nonce, thehint); - assertThat( + assertEqualUrlStrings( response.getAuthenticationRequestUrl(), - equalTo( - "https://op.example.com/login?login_hint=" - + thehint - + "&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" - + state - + "&nonce=" - + nonce - + "&client_id=rp-my" - ) + "https://op.example.com/login?login_hint=" + + thehint + + "&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + + state + + "&nonce=" + + nonce + + "&client_id=rp-my" ); assertThat(response.getRealmName(), equalTo(REALM_NAME)); } + private void assertEqualUrlStrings(String actual, String expected) { + final int endOfPath = actual.indexOf('?'); + assertThat(endOfPath, greaterThan(-1)); + assertThat(actual.substring(0, endOfPath + 1), equalTo(expected.substring(0, endOfPath + 1))); + + final HashMap actualParams = new HashMap<>(); + RestUtils.decodeQueryString(actual, endOfPath + 1, actualParams); + + final HashMap expectedParams = new HashMap<>(); + RestUtils.decodeQueryString(expected, endOfPath + 1, expectedParams); + + assertThat(actualParams, equalTo(expectedParams)); + } + private AuthenticationResult authenticateWithOidc( String principal, UserRoleMapper roleMapper,
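Review bot: `assertEqualUrlStrings` decodes both query strings into a `HashMap` before comparing, so a parameter that appears twice in the generated URL (a second `state`, `nonce` or `redirect_uri`) would presumably collapse to one entry and the five tests that now call the helper would still pass, whereas the old exact-string `equalTo` failed on it. Repeated parameters matter in an OpenID Connect authentication request, so the helper should also pin the pair count after decoding, for example `assertThat(actual.substring(endOfPath + 1).split("&").length, equalTo(actualParams.size()));`. Separately, `expected.substring(0, endOfPath + 1)` uses an index taken from `actual` and throws `StringIndexOutOfBoundsException` instead of failing the assertion when `expected` is shorter; `expected.substring(0, expected.indexOf('?') + 1)` avoids that. The helper lies wholly inside this hunk, and its other callers are in the four preceding hunks.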