Improve brittle tests using opaque token introspection

asvanberg · asvanberg · commit de5347a63d85 · 2025-02-23T13:22:01.000+01:00
The tests that went through opaque token introspection rely on mocking
a specific method in the RestOperations interface which is very brittle
and hampers the ability to refactor internals.

They are changed to instead make actual HTTP requests to a MockWebServer
instead allowing refactoring changes. This is necessary to allow the
implementation to be swapped from NimbusOpaqueTokenIntrospector to
SpringOpaqueTokenIntrospector because the latter uses
RestOperations#exchange(String, ParameterizedType) instead of
RestOperations#exchange(String, String) of the former.

Signed-off-by: Andreas Svanberg &lt;andreas.svanberg@mensa.se&gt;
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -61,6 +61,7 @@
 import org.springframework.context.EnvironmentAware;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.env.ConfigurableEnvironment;
@@ -146,6 +147,7 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestOperations;
+import org.springframework.web.client.RestTemplate;
 import org.springframework.web.context.support.GenericWebApplicationContext;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
@@ -618,8 +620,8 @@ public void requestWhenDefaultConfiguredThenSessionIsNotCreated() throws Excepti
 
 	@Test
 	public void requestWhenIntrospectionConfiguredThenSessionIsNotCreated() throws Exception {
-		this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class, BasicController.class).autowire();
-		mockRestOperations(json("Active"));
+		this.spring.register(OpaqueTokenConfig.class, BasicController.class).autowire();
+		mockWebServer(json("Active"));
 		// @formatter:off
 		MvcResult result = this.mvc.perform(get("/authenticated").with(bearerToken("token")))
 				.andExpect(status().isOk())
@@ -1060,8 +1062,8 @@ public void getWhenDefaultAndCustomJwtAuthenticationManagerThenCustomUsed() thro
 
 	@Test
 	public void getWhenIntrospectingThenOk() throws Exception {
-		this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class, BasicController.class).autowire();
-		mockRestOperations(json("Active"));
+		this.spring.register(OpaqueTokenConfig.class, BasicController.class).autowire();
+		mockWebServer(json("Active"));
 		// @formatter:off
 		this.mvc.perform(get("/authenticated").with(bearerToken("token")))
 				.andExpect(status().isOk())
@@ -1071,9 +1073,8 @@ public void getWhenIntrospectingThenOk() throws Exception {
 
 	@Test
 	public void getWhenOpaqueTokenInLambdaAndIntrospectingThenOk() throws Exception {
-		this.spring.register(RestOperationsConfig.class, OpaqueTokenInLambdaConfig.class, BasicController.class)
-			.autowire();
-		mockRestOperations(json("Active"));
+		this.spring.register(OpaqueTokenInLambdaConfig.class, BasicController.class).autowire();
+		mockWebServer(json("Active"));
 		// @formatter:off
 		this.mvc.perform(get("/authenticated").with(bearerToken("token")))
 				.andExpect(status().isOk())
@@ -1083,8 +1084,8 @@ public void getWhenOpaqueTokenInLambdaAndIntrospectingThenOk() throws Exception
 
 	@Test
 	public void getWhenIntrospectionFailsThenUnauthorized() throws Exception {
-		this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class).autowire();
-		mockRestOperations(json("Inactive"));
+		this.spring.register(OpaqueTokenConfig.class).autowire();
+		mockWebServer(json("Inactive"));
 		// @formatter:off
 		this.mvc.perform(get("/").with(bearerToken("token")))
 				.andExpect(status().isUnauthorized())
@@ -1094,8 +1095,8 @@ public void getWhenIntrospectionFailsThenUnauthorized() throws Exception {
 
 	@Test
 	public void getWhenIntrospectionLacksScopeThenForbidden() throws Exception {
-		this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class).autowire();
-		mockRestOperations(json("ActiveNoScopes"));
+		this.spring.register(OpaqueTokenConfig.class).autowire();
+		mockWebServer(json("ActiveNoScopes"));
 		// @formatter:off
 		this.mvc.perform(get("/requires-read-scope").with(bearerToken("token")))
 				.andExpect(status().isForbidden())
@@ -1400,13 +1401,11 @@ public void getJwtAuthenticationConverterWhenDuplicateConverterBeansThenThrowsEx
 
 	@Test
 	public void getWhenCustomAuthenticationConverterThenUsed() throws Exception {
-		this.spring
-			.register(RestOperationsConfig.class, OpaqueTokenAuthenticationConverterConfig.class, BasicController.class)
-			.autowire();
+		this.spring.register(OpaqueTokenAuthenticationConverterConfig.class, BasicController.class).autowire();
 		OpaqueTokenAuthenticationConverter authenticationConverter = bean(OpaqueTokenAuthenticationConverter.class);
 		given(authenticationConverter.convert(anyString(), any(OAuth2AuthenticatedPrincipal.class)))
 			.willReturn(new TestingAuthenticationToken("jdoe", null, Collections.emptyList()));
-		mockRestOperations(json("Active"));
+		mockWebServer(json("Active"));
 		// @formatter:off
 		this.mvc.perform(get("/authenticated").with(bearerToken("token")))
 				.andExpect(status().isOk())
@@ -2343,6 +2342,7 @@ AuthenticationEventPublisher authenticationEventPublisher() {
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc
+	@Import(OpaqueTokenIntrospectorConfig.class)
 	static class OpaqueTokenConfig {
 
 		@Bean
@@ -2364,6 +2364,7 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc
+	@Import(OpaqueTokenIntrospectorConfig.class)
 	static class OpaqueTokenInLambdaConfig {
 
 		@Bean
@@ -2387,6 +2388,7 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	@Configuration
 	@EnableWebSecurity
+	@Import(OpaqueTokenIntrospectorConfig.class)
 	static class OpaqueTokenAuthenticationManagerConfig {
 
 		@Bean
@@ -2559,6 +2561,7 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc
+	@Import(OpaqueTokenIntrospectorConfig.class)
 	static class OpaqueTokenAuthenticationConverterConfig {
 
 		@Bean
@@ -2583,6 +2586,20 @@ OpaqueTokenAuthenticationConverter authenticationConverter() {
 
 	}
 
+	@Configuration
+	@Import(WebServerConfig.class)
+	static class OpaqueTokenIntrospectorConfig {
+
+		@Value("${mockwebserver.url:https://example.org}")
+		String introspectUri;
+
+		@Bean
+		NimbusOpaqueTokenIntrospector introspector() {
+			return new NimbusOpaqueTokenIntrospector(this.introspectUri, new RestTemplate());
+		}
+
+	}
+
 	@Configuration
 	static class JwtDecoderConfig {
 
@@ -2694,11 +2711,6 @@ NimbusJwtDecoder jwtDecoder() {
 				.build();
 		}
 
-		@Bean
-		NimbusOpaqueTokenIntrospector tokenIntrospectionClient() {
-			return new NimbusOpaqueTokenIntrospector("https://example.org/introspect", this.rest);
-		}
-
 	}
 
 	private static class BearerTokenRequestPostProcessor implements RequestPostProcessor {
