|
| 1 | +/** |
| 2 | + * Copyright 2025 Martynas Jusevičius <martynas@atomgraph.com> |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + * |
| 16 | + */ |
| 17 | +package com.atomgraph.linkeddatahub.server.filter.request.auth; |
| 18 | + |
| 19 | +import jakarta.ws.rs.container.ContainerRequestContext; |
| 20 | +import java.net.URLEncoder; |
| 21 | +import java.nio.charset.StandardCharsets; |
| 22 | +import java.security.cert.CertificateException; |
| 23 | +import java.security.cert.X509Certificate; |
| 24 | +import org.junit.jupiter.api.BeforeEach; |
| 25 | +import org.junit.jupiter.api.Test; |
| 26 | +import org.junit.jupiter.api.extension.ExtendWith; |
| 27 | +import org.mockito.Mock; |
| 28 | +import org.mockito.junit.jupiter.MockitoExtension; |
| 29 | +import static org.junit.jupiter.api.Assertions.assertEquals; |
| 30 | +import static org.junit.jupiter.api.Assertions.assertNotNull; |
| 31 | +import static org.junit.jupiter.api.Assertions.assertNull; |
| 32 | +import static org.junit.jupiter.api.Assertions.assertThrows; |
| 33 | +import static org.junit.jupiter.api.Assertions.assertTrue; |
| 34 | +import static org.mockito.Mockito.when; |
| 35 | + |
| 36 | +/** |
| 37 | + * Unit tests for {@link ProxiedWebIDFilter}, which extracts the client certificate from the |
| 38 | + * {@code Client-Cert} request header (URL-encoded PEM) instead of the TLS connection. |
| 39 | + * |
| 40 | + * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>} |
| 41 | + */ |
| 42 | +@ExtendWith(MockitoExtension.class) |
| 43 | +public class ProxiedWebIDFilterTest |
| 44 | +{ |
| 45 | + |
| 46 | + private static final String CLIENT_CERT_HEADER_NAME = "Client-Cert"; |
| 47 | + |
| 48 | + /** A self-signed X.509 certificate (CN=Test WebID, O=LinkedDataHub) in PEM form. */ |
| 49 | + private static final String CERT_PEM = |
| 50 | + "-----BEGIN CERTIFICATE-----\n" + |
| 51 | + "MIIC1jCCAb4CCQD35LqgLKP0ATANBgkqhkiG9w0BAQsFADAtMRMwEQYDVQQDDApU\n" + |
| 52 | + "ZXN0IFdlYklEMRYwFAYDVQQKDA1MaW5rZWREYXRhSHViMB4XDTI2MDYxODA4Mzkz\n" + |
| 53 | + "OFoXDTI2MDYxOTA4MzkzOFowLTETMBEGA1UEAwwKVGVzdCBXZWJJRDEWMBQGA1UE\n" + |
| 54 | + "CgwNTGlua2VkRGF0YUh1YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" + |
| 55 | + "AMRsMfh0IikmxDbZ0kca2FRI+WXelczdi+dU9ZC42cAZJM6pEu9icvCdTKBKipYE\n" + |
| 56 | + "07PkfAgsmkS3qzly1iQzyXZFzopndg9FdFvWZyn8SdxNSKCcQt13NTp8sXflkdxK\n" + |
| 57 | + "SfOseUx1cZ0T4ylGNwkqxcqZo5b06CJqiZqjgO4x7kYWWrli44AgzMkT3AgJqq5X\n" + |
| 58 | + "iSo5j8gOjicR+ZywLAEvWH0ITja4sIgsQzZHxbquOuPEevnT+135M33wHxsY5MHJ\n" + |
| 59 | + "Ykxid7C4ifVm4jXf81CmnoCifR9UeBnMZ0QBPBP/Exv+CpTgb3TBAfF1o1QsEuM3\n" + |
| 60 | + "60fYmqLcwLiKgZqDJ7ZH80UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAeYJGVnFq\n" + |
| 61 | + "CARK15JQQk1YBAUPspkFWAeXH9UzYyxpqt0bLlYO9g4KExJVJvE9Qub2lHXBs36j\n" + |
| 62 | + "/elRF+PR5Zt/6LD26OnSu+QWkFSqbO6Otul7g9ikMufuhNrZyyOOzidqFfcfkhWx\n" + |
| 63 | + "FZh+yZhGoo2f+ddMuYbK3lKI+/DMswfdNN6VN++EOYskjWBB85GKUxEJTLEF2yE+\n" + |
| 64 | + "yRtqnQfX3ucvO2Zd1XHsgknzoSfG8CXZF3GDcqzzEZ6Aa//xtwYRCmNmj9E9SdMY\n" + |
| 65 | + "xuCHnQP3cV/vBBhxt1BWdIRtcU6xpasNMfWGgAxqrCTz+GnT7FExbe5qt6CgX7yl\n" + |
| 66 | + "JLw8c9VNQzsM9g==\n" + |
| 67 | + "-----END CERTIFICATE-----\n"; |
| 68 | + |
| 69 | + @Mock private ContainerRequestContext requestContext; |
| 70 | + |
| 71 | + private ProxiedWebIDFilter filter; |
| 72 | + |
| 73 | + @BeforeEach |
| 74 | + public void setUp() |
| 75 | + { |
| 76 | + filter = new ProxiedWebIDFilter(); |
| 77 | + } |
| 78 | + |
| 79 | + @Test |
| 80 | + public void testCertificateFactoryIsX509() |
| 81 | + { |
| 82 | + assertNotNull(filter.getCertificateFactory()); |
| 83 | + assertEquals("X.509", filter.getCertificateFactory().getType()); |
| 84 | + } |
| 85 | + |
| 86 | + /** No {@code Client-Cert} header — no certificate. */ |
| 87 | + @Test |
| 88 | + public void testNoHeaderReturnsNull() throws Exception |
| 89 | + { |
| 90 | + when(requestContext.getHeaderString(CLIENT_CERT_HEADER_NAME)).thenReturn(null); |
| 91 | + assertNull(filter.getWebIDCertificate(requestContext)); |
| 92 | + } |
| 93 | + |
| 94 | + /** A URL-encoded PEM certificate in the header is decoded and parsed into an X509Certificate. */ |
| 95 | + @Test |
| 96 | + public void testValidHeaderParsesCertificate() throws Exception |
| 97 | + { |
| 98 | + String encoded = URLEncoder.encode(CERT_PEM, StandardCharsets.UTF_8); |
| 99 | + when(requestContext.getHeaderString(CLIENT_CERT_HEADER_NAME)).thenReturn(encoded); |
| 100 | + |
| 101 | + X509Certificate cert = filter.getWebIDCertificate(requestContext); |
| 102 | + |
| 103 | + assertNotNull(cert); |
| 104 | + assertTrue(cert.getSubjectX500Principal().getName().contains("Test WebID")); |
| 105 | + } |
| 106 | + |
| 107 | + /** A header that is not a valid certificate must surface as a CertificateException. */ |
| 108 | + @Test |
| 109 | + public void testMalformedHeaderThrows() |
| 110 | + { |
| 111 | + when(requestContext.getHeaderString(CLIENT_CERT_HEADER_NAME)).thenReturn("garbage-not-a-cert"); |
| 112 | + assertThrows(CertificateException.class, () -> filter.getWebIDCertificate(requestContext)); |
| 113 | + } |
| 114 | + |
| 115 | +} |
0 commit comments