
Commit 24b79cd

committed
CMR-11017: adds jwt token int and unit tests
1 parent 107f4f9 commit 24b79cd


3 files changed

+438
-0
lines changed


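--- a/access-control-app/src/cmr/access_control/test/util.clj
+++ b/access-control-app/src/cmr/access_control/test/util.clj
@@ -459,3 +459,38 @@
 (let [params (merge-with into options {:headers {:client-id config/cmr-client-id}})
 response (client/post (enable-access-control-writes-url) params)]
 (is (= 200 (:status response)))))
+
+(defn grant-group-ingest-management
+"Grants INGEST_MANAGEMENT_ACL permissions to a group for a provider."
+[context user-specs permission-type object-identity-type provider-id]
+(let [group-concept-id (get-or-create-group context (make-group user-specs))
+acl (merge (catalog-item-acl "INGEST_MANAGEMENT_ACL")
+{:group_permissions [{:group_id group-concept-id
+:permissions [permission-type]}]
+:catalog_item_identity {:name "INGEST_MANAGEMENT_ACL"
+:provider_id provider-id
+:collection_applicable true}})]
+(ingest-acl (config/echo-system-token) acl)))
+
+(defn grant-group-non-nasa-draft-user
+"Grants NON_NASA_DRAFT_USER permissions to a group for a provider."
+[context user-specs permission-type object-identity-type provider-id]
+(let [group-concept-id (get-or-create-group context (make-group user-specs))
+acl (merge (catalog-item-acl "NON_NASA_DRAFT_USER")
+{:group_permissions [{:group_id group-concept-id
+:permissions [permission-type]}]
+:catalog_item_identity {:name "NON_NASA_DRAFT_USER"
+:provider_id provider-id
+:collection_applicable true}})]
+(ingest-acl (config/echo-system-token) acl)))
+
+(defn get-or-create-group
+"Gets or creates a group for the given user specs."
+[context group-attrs]
+(let [token (config/echo-system-token)
+group-name (:name group-attrs)
+existing-groups (search-for-groups token {:name group-name})
+existing-group (first (:items existing-groups))]
+(if existing-group
+(:concept_id existing-group)
+(:concept_id (create-group token group-attrs)))))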
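Review bot: `get-or-create-group` (new line 487) is called from `grant-group-ingest-management` and `grant-group-non-nasa-draft-user` before it is defined; unless an earlier `declare` or definition exists outside this hunk, the Clojure compiler will reject the unresolved symbol, so either move the definition above its callers or add `(declare get-or-create-group)` before line 463. The `object-identity-type` parameter of both grant helpers is never read, and the two bodies differ only in the ACL name string, so one private helper taking the name would remove the duplication and the dead parameter. `get-or-create-group` looks groups up by name alone and takes `(first (:items existing-groups))`; if group names are not unique across providers, a test could end up granting permissions to an unrelated pre-existing group, so the lookup should probably filter by provider or assert exactly one match. The docstring on line 488 says "user specs" while the argument is `group-attrs`; `"Returns the concept-id of the group named by group-attrs, creating it with the system token if no group of that name exists."` matches the code.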
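--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (ns cmr.common-app.test.launchpad-token-validation-test)
@@ -0,0 +1,200 @@
+(ns cmr.common-app.test.launchpad-token-validation-test
+(:require
+[clojure.test :refer [deftest is testing]]
+[cmr.common-app.api.launchpad-token-validation :as lt-validation]
+[cmr.common-app.config :as config]
+[cmr.transmit.config :as transmit-config]
+[cmr.transmit.tokens :as tokens]
+[cmr.acl.core :as acl]
+[cmr.common.util :as util]))
+
+;; Helper to create test context
+(defn mock-context [token]
+{:token token})
+
+;; Mock claims by token
+(defn mock-get-jwt-claims [token]
+(case token
+"JWT-L5" {:uid "user-l5" :assurance_level 5}
+"JWT-L4" {:uid "user-l4" :assurance_level 4}
+"JWT-L3" {:uid "user-l3" :assurance_level 3}
+"JWT-L2" {:uid "user-l2" :assurance_level 2}
+"JWT-NO-LEVEL" {:uid "user-no-level"}
+nil))
+
+(deftest validate-write-token-level-5-success-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Level 5 JWT passes validation without ACL check"
+(is (nil? (lt-validation/validate-write-token
+(mock-context "JWT-L5")
+"PROV1"))))))
+
+(deftest validate-write-token-level-4-success-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")
+;; Mock ACL check to pass
+acl/verify-non-nasa-draft-permission (fn [_ _ _ _] nil)]
+
+(testing "Level 4 JWT passes when NON_NASA_DRAFT_USER ACL check succeeds"
+(is (nil? (lt-validation/validate-write-token
+(mock-context "JWT-L4")
+"PROV1"))))))
+
+(deftest validate-write-token-level-4-no-provider-id-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Level 4 JWT without provider-id skips ACL check"
+;; Should not throw - validates token but can't check provider ACL
+(is (nil? (lt-validation/validate-write-token
+(mock-context "JWT-L4")))))))
+
+(deftest validate-write-token-level-3-rejected-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Level 3 JWT is rejected (below minimum assurance level)"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "JWT-L3")
+"PROV1"))))))
+
+(deftest validate-write-token-level-2-rejected-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Level 2 JWT is rejected (below minimum assurance level)"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "JWT-L2")
+"PROV1"))))))
+
+(deftest validate-write-token-missing-assurance-level-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+config/required-assurance-level (constantly 4)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "JWT without assurance_level claim is rejected"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "JWT-NO-LEVEL")
+"PROV1"))))))
+
+(deftest validate-write-token-invalid-jwt-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly false)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Invalid JWT (fails decryption) is rejected"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "JWT-INVALID")
+"PROV1"))))))
+
+(deftest validate-write-token-saml-token-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (constantly false)
+util/is-launchpad-token? (fn [token] (= token "SAML-TOKEN"))
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly true)
+config/enable-launchpad-saml-authentication (constantly true)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Launchpad SAML token passes when enabled"
+(is (nil? (lt-validation/validate-write-token
+(mock-context "SAML-TOKEN")
+"PROV1"))))))
+
+(deftest validate-write-token-jwt-disabled-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly false)
+config/enable-launchpad-saml-authentication (constantly false)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "JWT tokens rejected when feature toggle disabled"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "JWT-L5")
+"PROV1"))))))
+
+(deftest validate-write-token-saml-disabled-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (constantly false)
+util/is-launchpad-token? (fn [token] (= token "SAML-TOKEN"))
+config/launchpad-token-enforced (constantly true)
+config/enable-idfed-jwt-authentication (constantly false)
+config/enable-launchpad-saml-authentication (constantly false)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "SAML tokens rejected when feature toggle disabled"
+(is (thrown? clojure.lang.ExceptionInfo
+(lt-validation/validate-write-token
+(mock-context "SAML-TOKEN")
+"PROV1"))))))
+
+(deftest validate-write-token-enforcement-disabled-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
+util/is-launchpad-token? (constantly false)
+config/launchpad-token-enforced (constantly false)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "Token validation skipped when enforcement disabled"
+;; Should not validate or throw when enforcement is off
+(is (nil? (lt-validation/validate-write-token
+(mock-context "JWT-L3")
+"PROV1"))))))
+
+(deftest validate-write-token-system-token-test
+(with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
+config/launchpad-token-enforced (constantly true)
+transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")]
+
+(testing "System token always passes"
+(is (nil? (lt-validation/validate-write-token
+(mock-context "SYSTEM-TOKEN")
+"PROV1"))))))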
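Review bot: The level-4 path is only exercised with `acl/verify-non-nasa-draft-permission` stubbed to succeed (line 50), so no test asserts that a level-4 JWT is rejected when the NON_NASA_DRAFT_USER check fails, which is the authorization decision this validator exists to enforce; a deny-side `deftest` is sketched below. `validate-write-token-invalid-jwt-test` (lines 120-133) runs with `mock-get-jwt-claims` returning nil for "JWT-INVALID", so it verifies the missing-claims branch rather than the "fails decryption" case named in its `testing` string; a second stub such as `tokens/get-jwt-claims (fn [_] (throw (ex-info "decode failed" {})))` would cover the throwing decoder. `validate-write-token-level-4-no-provider-id-test` (lines 57-70) locks in that a level-4 token with no provider-id passes with no ACL check at all; if that is intended, the comment on line 68 should say which caller is responsible for provider scoping, otherwise this test is codifying a bypass. The same eight-binding `with-redefs` vector is repeated in every test, so a small macro or a shared binding vector applied via `with-redefs-fn` would let each test show only the bindings that differ.
```clojure
(deftest validate-write-token-level-4-acl-denied-test
  (with-redefs [tokens/get-jwt-claims mock-get-jwt-claims
                util/is-jwt-token? (fn [token] (re-find #"^JWT-" token))
                util/is-launchpad-token? (constantly false)
                config/launchpad-token-enforced (constantly true)
                config/enable-idfed-jwt-authentication (constantly true)
                config/enable-launchpad-saml-authentication (constantly false)
                config/required-assurance-level (constantly 4)
                transmit-config/echo-system-token (constantly "SYSTEM-TOKEN")
                ;; Mock ACL check to deny (constructed error; use the project's real error type)
                acl/verify-non-nasa-draft-permission
                (fn [_ _ _ _] (throw (ex-info "ACL check denied" {})))]

    (testing "Level 4 JWT is rejected when NON_NASA_DRAFT_USER ACL check fails"
      (is (thrown? clojure.lang.ExceptionInfo
                   (lt-validation/validate-write-token
                    (mock-context "JWT-L4")
                    "PROV1"))))))
```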
