NFC-46 Delegate supports() in AuthTokenValidatorImpl to tokenValidatorFactory. Refactor AuthTokenV11Validator to extend AuthTokenV1Validator and delegate common validation logic. Delegate parsing to format-specific validators via factory

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -6,42 +6,46 @@
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
+import java.security.cert.CertStore;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Set;
-import java.util.function.Supplier;
 
 import static eu.webeid.security.util.Strings.isNullOrEmpty;
 
-public final class AuthTokenV11Validator implements AuthTokenValidator {
+final class AuthTokenV11Validator extends AuthTokenV1Validator {
 
     private static final String SUPPORTED_PREFIX = "web-eid:1.1";
 
-    private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
-    private final Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier;
-    private final AuthTokenSignatureValidator authTokenSignatureValidator;
-
     public AuthTokenV11Validator(
             SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
-            Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier,
-            AuthTokenSignatureValidator authTokenSignatureValidator
+            Set<TrustAnchor> trustedCACertificateAnchors,
+            CertStore trustedCACertificateCertStore,
+            AuthTokenSignatureValidator authTokenSignatureValidator,
+            AuthTokenValidationConfiguration configuration,
+            OcspClient ocspClient,
+            OcspServiceProvider ocspServiceProvider
     ) {
-        this.simpleSubjectCertificateValidators = simpleSubjectCertificateValidators;
-        this.certTrustValidatorsSupplier = certTrustValidatorsSupplier;
-        this.authTokenSignatureValidator = authTokenSignatureValidator;
+        super(
+                simpleSubjectCertificateValidators,
+                trustedCACertificateAnchors,
+                trustedCACertificateCertStore,
+                authTokenSignatureValidator,
+                configuration,
+                ocspClient,
+                ocspServiceProvider
+        );
     }
 
     @Override
     public boolean supports(String format) {
         return format != null && format.startsWith(SUPPORTED_PREFIX);
     }
 
-    @Override
-    public WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        throw new UnsupportedOperationException("Parsing is handled by AuthTokenValidatorImpl. " + this.getClass().getSimpleName() + " only supports validation.");
-    }
-
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         if (token.getFormat() == null || !token.getFormat().startsWith(SUPPORTED_PREFIX)) {
@@ -65,17 +69,7 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
-        simpleSubjectCertificateValidators.executeFor(signingCertificate);
-        certTrustValidatorsSupplier.get().executeFor(signingCertificate);
-
-        authTokenSignatureValidator.validate(
-                token.getAlgorithm(),
-                token.getSignature(),
-                signingCertificate.getPublicKey(),
-                currentChallengeNonce
-        );
-
-        return subjectCertificate;
+        return super.validate(token, currentChallengeNonce);
     }
 
     private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {

src/main/java/eu/webeid/security/validator/AuthTokenV1Validator.java

@@ -1,5 +1,6 @@
 package eu.webeid.security.validator;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
 import eu.webeid.security.exceptions.AuthTokenException;
@@ -10,14 +11,15 @@
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
+import java.io.IOException;
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Set;
 
-public final class AuthTokenV1Validator implements AuthTokenValidator {
+class AuthTokenV1Validator implements AuthTokenValidator {
 
-    private static final String SUPPORTED_TOKEN_FORMAT_VERSION = "web-eid:1";
+    protected static final String SUPPORTED_TOKEN_FORMAT_VERSION = "web-eid:1";
 
     private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
@@ -52,7 +54,15 @@ public boolean supports(String format) {
 
     @Override
     public WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        throw new UnsupportedOperationException("Parsing is handled by AuthTokenValidatorImpl. " + this.getClass().getSimpleName() + " only supports validation.");
+        try {
+            final WebEidAuthToken token = new ObjectMapper().readValue(authToken, WebEidAuthToken.class);
+            if (token == null) {
+                throw new AuthTokenParseException("Web eID authentication token is null");
+            }
+            return token;
+        } catch (IOException e) {
+            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
+        }
     }
 
     @Override

src/main/java/eu/webeid/security/validator/AuthTokenValidatorFactory.java

@@ -4,6 +4,8 @@
 
 import java.util.List;
 
+import static eu.webeid.security.validator.AuthTokenV1Validator.SUPPORTED_TOKEN_FORMAT_VERSION;
+
 public final class AuthTokenValidatorFactory {
     private final List<AuthTokenValidator> validators;
 
@@ -15,6 +17,6 @@ public AuthTokenValidator requireFor(String format) throws AuthTokenParseExcepti
         return validators.stream()
                 .filter(v -> v.supports(format))
                 .findFirst()
-                .orElseThrow(() -> new AuthTokenParseException("Only token format version 'web-eid:1' is currently supported"));
+                .orElseThrow(() -> new AuthTokenParseException("Only token format version '" + SUPPORTED_TOKEN_FORMAT_VERSION + "' is currently supported"));
     }
 }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -88,14 +88,12 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
         this.tokenValidatorFactory = new AuthTokenValidatorFactory(List.of(
             new AuthTokenV11Validator(
                 simpleSubjectCertificateValidators,
-                () -> AuthTokenV1Validator.createCertTrustValidators(
-                    copiedConfig,
-                    trustedCACertificateAnchors,
-                    trustedCACertificateCertStore,
-                    ocspClient,
-                    ocspServiceProvider
-                ),
-                authTokenSignatureValidator
+                trustedCACertificateAnchors,
+                trustedCACertificateCertStore,
+                authTokenSignatureValidator,
+                copiedConfig,
+                ocspClient,
+                ocspServiceProvider
             ),
             new AuthTokenV1Validator(
                 simpleSubjectCertificateValidators,
@@ -111,15 +109,21 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
 
     @Override
     public boolean supports(String format) {
-        throw new UnsupportedOperationException("AuthTokenValidatorImpl is not format-specific. Use format-specific validators instead.");
+        try {
+            tokenValidatorFactory.requireFor(format);
+            return true;
+        } catch (AuthTokenParseException e) {
+            return false;
+        }
     }
 
     @Override
     public WebEidAuthToken parse(String authToken) throws AuthTokenException {
         try {
             LOG.info("Starting token parsing");
             validateTokenLength(authToken);
-            return parseToken(authToken);
+            WebEidAuthToken token = parseToken(authToken);
+            return tokenValidatorFactory.requireFor(token.getFormat()).parse(authToken);
         } catch (Exception e) {
             // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
             LOG.warn("Token parsing was interrupted:", e);

src/test/java/eu/webeid/security/validator/AuthTokenStructureTest.java

@@ -22,8 +22,6 @@
 
 package eu.webeid.security.validator;
 
-import eu.webeid.security.authtoken.WebEidAuthToken;
-import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.testutil.AbstractTestWithValidator;
 import org.junit.jupiter.api.Test;
@@ -65,10 +63,8 @@ void whenTokenTooLong_thenParsingFails() {
     }
 
     @Test
-    void whenUnknownTokenVersion_thenParsingFails() throws AuthTokenException {
-        final WebEidAuthToken token = replaceTokenField(VALID_AUTH_TOKEN, "web-eid:1", "invalid");
-        assertThatThrownBy(() -> validator
-            .validate(token, ""))
+    void whenUnknownTokenVersion_thenParsingFails() {
+        assertThatThrownBy(() -> replaceTokenField(VALID_AUTH_TOKEN, "web-eid:1", "invalid"))
             .isInstanceOf(AuthTokenParseException.class)
             .hasMessage("Only token format version 'web-eid:1' is currently supported");
     }

src/test/java/eu/webeid/security/validator/AuthTokenV11ValidatorTest.java

@@ -2,13 +2,18 @@
 
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.NullAndEmptySource;
 import org.junit.jupiter.params.provider.ValueSource;
 
-import java.util.function.Supplier;
+import java.security.cert.CertStore;
+import java.security.cert.TrustAnchor;
+import java.util.Collections;
+import java.util.Set;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -24,9 +29,22 @@ class AuthTokenV11ValidatorTest {
     @BeforeEach
     void setUp() {
         SubjectCertificateValidatorBatch scvb = mock(SubjectCertificateValidatorBatch.class);
-        Supplier<SubjectCertificateValidatorBatch> trustSupplier = () -> mock(SubjectCertificateValidatorBatch.class);
+        Set<TrustAnchor> trustAnchors = Collections.emptySet();
+        CertStore certStore = mock(CertStore.class);
         AuthTokenSignatureValidator signatureValidator = mock(AuthTokenSignatureValidator.class);
-        validator = new AuthTokenV11Validator(scvb, trustSupplier, signatureValidator);
+        AuthTokenValidationConfiguration config = mock(AuthTokenValidationConfiguration.class);
+        OcspClient ocspClient = mock(OcspClient.class);
+        OcspServiceProvider ocspServiceProvider = mock(OcspServiceProvider.class);
+
+        validator = new AuthTokenV11Validator(
+            scvb,
+            trustAnchors,
+            certStore,
+            signatureValidator,
+            config,
+            ocspClient,
+            ocspServiceProvider
+        );
     }
 
     @ParameterizedTest