Add Clock Skew Tests

l1nn3n · cummiisa000 · jzheaux · commit 6ad328f90952 · 2019-10-17T20:19:47.000-06:00
Fixes gh-7511 Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProviderTests.java
@@ -153,4 +153,22 @@ public void authorizeWhenClientCredentialsAndTokenNotExpiredThenNotReauthorize()
 						.build();
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext)).isNull();
 	}
+
+	@Test
+	public void authorizeWhenClientCredentialsAndTokenNotExpiredByClockSkewThenNotReauthorize() {
+		ClientCredentialsOAuth2AuthorizedClientProvider authorizedClientProvider =
+				new ClientCredentialsOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		Instant issuedAt = Instant.now().minus(Duration.ofDays(1));
+		OAuth2AccessToken expiredToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "token",
+				issuedAt, issuedAt.plus(Duration.ofHours(1)));
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+				this.clientRegistration, this.principal.getName(), expiredToken);
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext)).isNull();
+	}
 }
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProviderTests.java
@@ -187,4 +187,25 @@ public void authorizeWhenPasswordAndAuthorizedWithRefreshTokenAndTokenExpiredThe
 						.build();
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext)).isNull();
 	}
+
+	@Test
+	public void authorizeWhenPasswordAndAuthorizedWithoutRefreshTokenAndTokenNotExpiredByClockSkewThenNotReauthorize() {
+		PasswordOAuth2AuthorizedClientProvider authorizedClientProvider =
+				new PasswordOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		Instant issuedAt = Instant.now().minus(Duration.ofDays(1));
+		Instant expiresAt = issuedAt.plus(Duration.ofMinutes(60));
+		OAuth2AccessToken accessToken = new OAuth2AccessToken(
+				OAuth2AccessToken.TokenType.BEARER, "access-token-expired", issuedAt, expiresAt);
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+				this.clientRegistration, this.principal.getName(), accessToken);	// without refresh token
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "username")
+						.attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, "password")
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext)).isNull();
+	}
 }
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProviderTests.java
@@ -135,6 +135,21 @@ public void authorizeWhenAuthorizedAndAccessTokenNotExpiredThenNotReauthorize()
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext).block()).isNull();
 	}
 
+	@Test
+	public void authorizeWhenAuthorizedAndAccessTokenNotExpiredByClockSkewThenNotReauthorize() {
+		RefreshTokenReactiveOAuth2AuthorizedClientProvider authorizedClientProvider
+				= new RefreshTokenReactiveOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.clientRegistration, this.principal.getName(),
+				this.authorizedClient.getAccessToken(), this.authorizedClient.getRefreshToken());
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext).block()).isNull();
+	}
+
 	@Test
 	public void authorizeWhenAuthorizedAndAccessTokenExpiredThenReauthorize() {
 		OAuth2AccessTokenResponse accessTokenResponse = TestOAuth2AccessTokenResponses.accessTokenResponse()
