Merge pull request #3622 from fhanik/pr/add-userinfo-test-case

add userinfo test case

Author: fhanik

scripts/boot/application.yml

@@ -9,7 +9,7 @@ server:
   port: 8443
   max-http-header-size: 14336
   tomcat:
-    basedir: "${uaa.location.tomcat}"
+    basedir: "${uaa.boot.location.tomcat}"
     connection-timeout: 20000
     keep-alive-timeout: 120000
     remoteip:
@@ -19,7 +19,7 @@ server:
       port-header: "X-Forwarded-Port"
     accesslog:
       enabled: true
-      directory: "${uaa.location.tomcat}"
+      directory: "${uaa.boot.location.tomcat}"
       prefix: "localhost_access"
       suffix: ".log"
       rotate: false
@@ -29,7 +29,7 @@ server:
     enabled-protocols: "TLSv1.2,TLSv1.3"
     ciphers: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384"
     protocol: TLS
-    key-store: "${uaa.location.certificate}/uaa_keystore.p12"
+    key-store: "${uaa.boot.location.certificate}/uaa_keystore.p12"
     key-store-type: "PKCS12"
     key-alias: "uaa_ssl_cert"
     key-store-password: "k0*l*s3cur1tyr0ck$"

scripts/boot/boot-with-tls.sh

@@ -35,8 +35,8 @@ fi
 pushd ${SCRIPT_DIR}
   java \
       -Dlogging.level.org.springframework.security=TRACE \
-      -Duaa.location.tomcat=${ROOT_DIR}/scripts/boot/tomcat \
-      -Duaa.location.certificate=${ROOT_DIR}/scripts/certificates \
+      -Duaa.boot.location.tomcat=${ROOT_DIR}/scripts/boot/tomcat \
+      -Duaa.boot.location.certificate=${ROOT_DIR}/scripts/certificates \
       -Dlogging.config=${ROOT_DIR}/scripts/boot/log4j2.properties \
       -DCLOUDFOUNDRY_CONFIG_PATH=${ROOT_DIR}/scripts/cargo \
       -DSECRETS_DIR=${ROOT_DIR}/scripts/cargo \

uaa/build.gradle

@@ -237,15 +237,14 @@ bootRun {
     dependsOn rootProject.cleanBootTomcatDir
     mainClass = "org.cloudfoundry.experimental.boot.UaaBootApplication"
     systemProperty("logging.level.org.springframework.security", "TRACE")
-    systemProperty("server.tomcat.basedir", file("../scripts/boot/tomcat/").getAbsolutePath())
-    systemProperty("logging.config", file("../scripts/boot/log4j2.properties/").getAbsolutePath())
-    systemProperty("SECRETS_DIR", System.getProperty("SECRETS_DIR", file("../scripts/cargo").getAbsolutePath()))
+    systemProperty("logging.config", file("../scripts/boot/log4j2.properties").getAbsolutePath())
+    systemProperty("uaa.boot.location.tomcat", System.getProperty("uaa.boot.location.tomcat", file("../scripts/boot/tomcat").getAbsolutePath()))
     systemProperty("spring.profiles.active", System.getProperty("spring.profiles.active", "hsqldb"))
     systemProperty("metrics.perRequestMetrics", System.getProperty("metrics.perRequestMetrics", "true"))
     systemProperty("smtp.host", "localhost")
     systemProperty("smtp.port", 2525)
     systemProperty("java.security.egd", "file:/dev/./urandom")
-    systemProperty("CLOUDFOUNDRY_CONFIG_PATH", file("../scripts/cargo").getAbsolutePath())
+    systemProperty("CLOUDFOUNDRY_CONFIG_PATH", file("../scripts/boot").getAbsolutePath())
     systemProperty("server.servlet.context-path", "/uaa")
     systemProperty("statsd.enabled", "true")
 }

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java

@@ -427,6 +427,63 @@ void shadowUserNameDefaultsToOIDCSubjectClaim() {
         assertThat(shadowUser.getUserName()).isEqualTo(expectedUsername);
     }
 
+    @Test
+    void claimsComeFromUserInfoEndpoint() {
+        AbstractExternalOAuthIdentityProviderDefinition<?> oldConfig = identityProvider.getConfig();
+        Map<String, Object> attributeMappings = new HashMap<>(identityProvider.getConfig().getAttributeMappings());
+        attributeMappings.remove(USER_NAME_ATTRIBUTE_NAME);
+        oldConfig.setAttributeMappings(attributeMappings);
+        oldConfig.setLinkText("My Oauth2.0 Provider");
+        //change the type so that we will use the /userinfo endpoint
+        identityProvider.setType(OriginKeys.OAUTH20);
+        updateProvider();
+
+        webDriver.get(zoneUrl);
+        webDriver.clickAndWait(By.linkText(oldConfig.getLinkText()));
+
+        webDriver.findElement(By.name("username")).clear();
+        webDriver.findElement(By.name("username")).sendKeys(testAccounts.getUserName());
+        webDriver.findElement(By.name("password")).sendKeys(testAccounts.getPassword());
+        webDriver.clickAndWait(By.xpath("//input[@value='Sign in']"));
+
+        webDriver.get(baseUrl);
+        Cookie cookie = webDriver.manage().getCookieNamed("JSESSIONID");
+
+        ServerRunningExtension localhostServerRunning = ServerRunningExtension.connect();
+        localhostServerRunning.setHostName("localhost");
+
+        String clientId = "client" + new RandomValueStringGenerator(5).generate();
+        UaaClientDetails client = new UaaClientDetails(clientId, null, "openid", GRANT_TYPE_AUTHORIZATION_CODE, "openid", baseUrl);
+        client.setClientSecret("clientsecret");
+        client.setAutoApproveScopes(Collections.singletonList("true"));
+        IntegrationTestUtils.createClient(adminToken, baseUrl, client);
+
+        Map<String, String> authCodeTokenResponse = IntegrationTestUtils.getAuthorizationCodeTokenMap(localhostServerRunning,
+                clientId,
+                "clientsecret",
+                null,
+                null,
+                "token id_token",
+                cookie.getValue(),
+                baseUrl,
+                null,
+                false);
+
+        //validate that we have an ID token, and that it contains costCenter and manager values
+        String idToken = authCodeTokenResponse.get("id_token");
+        assertThat(idToken).isNotNull();
+
+        Jwt idTokenClaims = JwtHelper.decode(idToken);
+        Map<String, Object> claims = JsonUtils.readValue(idTokenClaims.getClaims(), new TypeReference<>() {});
+        String expectedUsername = (String) claims.get(SUB);
+
+        String anAdminToken = IntegrationTestUtils.getClientCredentialsToken(zoneUrl, zoneClient.getClientId(), zoneClient.getClientSecret());
+        ScimUser shadowUser = IntegrationTestUtils.getUser(anAdminToken, zoneUrl, identityProvider.getOriginKey(), expectedUsername);
+        assertThat(shadowUser.getUserName()).isEqualTo(expectedUsername);
+        //there is no 'scope' attribute exposed on the /userinfo endpoint in this test.
+        assertThat(shadowUser.getGroups().stream().map(g -> g.getDisplay())).doesNotContain(createdGroup.getDisplayName());
+    }
+
     @Test
     void successfulLoginWithOIDC_and_SAML_Provider_PlusRefreshRotation() throws Exception {
         SamlIdentityProviderDefinition saml = IntegrationTestUtils.createSimplePHPSamlIDP("simplesamlphp", OriginKeys.UAA, samlServerConfig.getSamlServerUrl());