NFC-46 Rename nfc token validator to auth token v11 validator. Strategy + Factory for token format validation (V1 / V1.1); delegate from AuthTokenValidatorImpl. Create unit tests.

Author: SanderKondratjevNortal

…ity/validator/NfcAuthTokenValidator.java …ity/validator/AuthTokenV11Validator.javasrc/main/java/eu/webeid/security/validator/NfcAuthTokenValidator.java renamed to src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java src/main/java/eu/webeid/security/validator/NfcAuthTokenValidator.java renamed to src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -14,20 +14,20 @@
 
 import static eu.webeid.security.util.Strings.isNullOrEmpty;
 
-public class NfcAuthTokenValidator {
+public class AuthTokenV11Validator {
 
     private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
     private final Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier;
 
-    NfcAuthTokenValidator(
+    public AuthTokenV11Validator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
         Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier
     ) {
         this.simpleSubjectCertificateValidators = simpleSubjectCertificateValidators;
         this.certTrustValidatorsSupplier = certTrustValidatorsSupplier;
     }
 
-    void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException {
+    public void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException {
         if (isNullOrEmpty(token.getUnverifiedSigningCertificate())) {
             throw new AuthTokenParseException("'unverifiedSigningCertificate' field is missing, null or empty for format 'web-eid:1.1'");
         }

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -34,9 +34,6 @@
  */
 public interface AuthTokenValidator {
 
-    String CURRENT_TOKEN_FORMAT_VERSION = "web-eid:1";
-    String CURRENT_NFC_TOKEN_FORMAT_VERSION = "web-eid:1.1";
-
     /**
      * Parses the Web eID authentication token signed by the subject.
      *

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -35,6 +35,10 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificatePurposeValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateTrustedValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+import eu.webeid.security.validator.format.AuthTokenV11FormatValidator;
+import eu.webeid.security.validator.format.AuthTokenV1FormatValidator;
+import eu.webeid.security.validator.format.TokenFormatValidator;
+import eu.webeid.security.validator.format.TokenFormatValidatorFactory;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
@@ -45,6 +49,7 @@
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 
@@ -68,7 +73,8 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     private OcspClient ocspClient;
     private OcspServiceProvider ocspServiceProvider;
     private final AuthTokenSignatureValidator authTokenSignatureValidator;
-    private final NfcAuthTokenValidator nfcAuthTokenValidator;
+    private final TokenFormatValidatorFactory tokenFormatValidatorFactory;
+
 
     /**
      * @param configuration configuration parameters for the token validator
@@ -97,10 +103,10 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
                     trustedCACertificateCertStore));
         }
 
-        this.nfcAuthTokenValidator = new NfcAuthTokenValidator(
-            simpleSubjectCertificateValidators,
-            this::getCertTrustValidators
-        );
+        this.tokenFormatValidatorFactory = new TokenFormatValidatorFactory(List.of(
+            new AuthTokenV11FormatValidator(simpleSubjectCertificateValidators, this::getCertTrustValidators),
+            new AuthTokenV1FormatValidator()
+        ));
 
         authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.getSiteOrigin());
     }
@@ -152,18 +158,14 @@ private WebEidAuthToken parseToken(String authToken) throws AuthTokenParseExcept
     }
 
     private X509Certificate validateToken(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
-        if (token.getFormat() == null || !token.getFormat().startsWith(CURRENT_TOKEN_FORMAT_VERSION)) {
-            throw new AuthTokenParseException("Only token format version '" + CURRENT_TOKEN_FORMAT_VERSION +
-                "' is currently supported");
-        }
+        TokenFormatValidator formatValidator = tokenFormatValidatorFactory.requireFor(token.getFormat());
+
         if (token.getUnverifiedCertificate() == null || token.getUnverifiedCertificate().isEmpty()) {
             throw new AuthTokenParseException("'unverifiedCertificate' field is missing, null or empty");
         }
         final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedCertificate());
 
-        if (token.getFormat().startsWith(CURRENT_NFC_TOKEN_FORMAT_VERSION)) {
-            nfcAuthTokenValidator.validate(token, subjectCertificate);
-        }
+        formatValidator.validate(token, subjectCertificate);
 
         simpleSubjectCertificateValidators.executeFor(subjectCertificate);
         getCertTrustValidators().executeFor(subjectCertificate);

src/main/java/eu/webeid/security/validator/format/AuthTokenV11FormatValidator.java

@@ -0,0 +1,31 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenV11Validator;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+
+import java.security.cert.X509Certificate;
+import java.util.function.Supplier;
+
+public final class AuthTokenV11FormatValidator implements TokenFormatValidator {
+
+    private static final String SUPPORTED_PREFIX = "web-eid:1.1";
+
+    private final AuthTokenV11Validator delegate;
+
+    public AuthTokenV11FormatValidator(SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
+                                       Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier) {
+        this.delegate = new AuthTokenV11Validator(simpleSubjectCertificateValidators, certTrustValidatorsSupplier);
+    }
+
+    @Override
+    public boolean supports(String format) {
+        return format != null && format.startsWith(SUPPORTED_PREFIX);
+    }
+
+    @Override
+    public void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException {
+        delegate.validate(token, subjectCertificate);
+    }
+}

src/main/java/eu/webeid/security/validator/format/AuthTokenV1FormatValidator.java

@@ -0,0 +1,19 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+
+import java.security.cert.X509Certificate;
+
+public final class AuthTokenV1FormatValidator implements TokenFormatValidator {
+    private static final String SUPPORTED_TOKEN_FORMAT_VERSION = "web-eid:1";
+
+    @Override
+    public boolean supports(String format) {
+        return format != null && format.startsWith(SUPPORTED_TOKEN_FORMAT_VERSION);
+    }
+
+    @Override
+    @SuppressWarnings("java:S1186")
+    public void validate(WebEidAuthToken token, X509Certificate subjectCertificate) {
+    }
+}

src/main/java/eu/webeid/security/validator/format/TokenFormatValidator.java

@@ -0,0 +1,11 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.exceptions.AuthTokenException;
+
+import java.security.cert.X509Certificate;
+
+public interface TokenFormatValidator {
+    boolean supports(String format);
+    void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException;
+}

src/main/java/eu/webeid/security/validator/format/TokenFormatValidatorFactory.java

@@ -0,0 +1,29 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.exceptions.AuthTokenParseException;
+
+import java.util.List;
+
+public final class TokenFormatValidatorFactory {
+    public static final String CURRENT_TOKEN_FORMAT_VERSION = "web-eid:1";
+    private final List<TokenFormatValidator> validators;
+
+    public TokenFormatValidatorFactory(List<TokenFormatValidator> validators) {
+        this.validators = List.copyOf(validators);
+    }
+
+    public TokenFormatValidator requireFor(String format) throws AuthTokenParseException {
+        if (format == null || format.isBlank()) {
+            throw new AuthTokenParseException("'format' field is missing");
+        }
+
+        if (!format.startsWith(CURRENT_TOKEN_FORMAT_VERSION)) {
+            throw new AuthTokenParseException("Only token format version '" + CURRENT_TOKEN_FORMAT_VERSION + "' is currently supported");
+        }
+        return validators.stream()
+                .filter(v -> v.supports(format))
+                .findFirst()
+                .orElseThrow(() -> new AuthTokenParseException("Unsupported token format: " + format));
+    }
+}
+

src/test/java/eu/webeid/security/validator/format/AuthTokenV11FormatValidatorTest.java

@@ -0,0 +1,113 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenV11Validator;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.NullAndEmptySource;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.mockito.ArgumentMatchers;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+import java.lang.reflect.Field;
+import java.security.cert.X509Certificate;
+import java.util.function.Supplier;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+
+class AuthTokenV11FormatValidatorTest {
+
+    @Mock
+    private AuthTokenV11Validator delegate;
+
+    @Mock
+    private WebEidAuthToken token;
+
+    @Mock
+    private X509Certificate certificate;
+
+    private AutoCloseable mocks;
+
+    @BeforeEach
+    void setUp() {
+        this.mocks = MockitoAnnotations.openMocks(this);
+    }
+
+    @AfterEach
+    void tearDown() throws Exception {
+        if (this.mocks != null) {
+            this.mocks.close();
+        }
+    }
+
+    @ParameterizedTest
+    @ValueSource(strings = { "web-eid:1.1", "web-eid:1.1.0", "web-eid:1.10" })
+    void supports_acceptsV11AndPrefixedVariants(String format) {
+        SubjectCertificateValidatorBatch scvb = mock(SubjectCertificateValidatorBatch.class);
+        Supplier<SubjectCertificateValidatorBatch> supplier = () -> mock(SubjectCertificateValidatorBatch.class);
+
+        AuthTokenV11FormatValidator v = new AuthTokenV11FormatValidator(scvb, supplier);
+
+        assertThat(v.supports(format)).isTrue();
+    }
+
+    @ParameterizedTest
+    @NullAndEmptySource
+    @ValueSource(strings = { "web-eid:1", "web-eid:1.0", "web-eid:2", "webauthn:1.1" })
+    void supports_rejectsOthers(String format) {
+        SubjectCertificateValidatorBatch scvb = mock(SubjectCertificateValidatorBatch.class);
+        Supplier<SubjectCertificateValidatorBatch> supplier = () -> mock(SubjectCertificateValidatorBatch.class);
+
+        AuthTokenV11FormatValidator v = new AuthTokenV11FormatValidator(scvb, supplier);
+
+        assertThat(v.supports(format)).isFalse();
+    }
+
+    @Test
+    void validate_delegatesToUnderlyingValidator() throws Exception {
+        SubjectCertificateValidatorBatch scvb = mock(SubjectCertificateValidatorBatch.class);
+        Supplier<SubjectCertificateValidatorBatch> supplier = () -> mock(SubjectCertificateValidatorBatch.class);
+
+        AuthTokenV11FormatValidator v = new AuthTokenV11FormatValidator(scvb, supplier);
+        setPrivateDelegate(v, this.delegate);
+
+        v.validate(this.token, this.certificate);
+
+        verify(this.delegate, times(1)).validate(this.token, this.certificate);
+        verifyNoMoreInteractions(this.delegate);
+    }
+
+    @Test
+    void validate_propagatesExceptionsFromDelegate() throws Exception {
+        SubjectCertificateValidatorBatch scvb = mock(SubjectCertificateValidatorBatch.class);
+        Supplier<SubjectCertificateValidatorBatch> supplier = () -> mock(SubjectCertificateValidatorBatch.class);
+
+        AuthTokenV11FormatValidator v = new AuthTokenV11FormatValidator(scvb, supplier);
+        setPrivateDelegate(v, this.delegate);
+
+        doThrow(new AuthTokenException("boom"){}).when(this.delegate)
+            .validate(ArgumentMatchers.any(), ArgumentMatchers.any());
+
+        assertThatThrownBy(() -> v.validate(this.token, this.certificate))
+            .isInstanceOf(AuthTokenException.class)
+            .hasMessageContaining("boom");
+    }
+
+    private static void setPrivateDelegate(AuthTokenV11FormatValidator v, AuthTokenV11Validator mockDelegate)
+        throws NoSuchFieldException, IllegalAccessException {
+        Field f = AuthTokenV11FormatValidator.class.getDeclaredField("delegate");
+        f.setAccessible(true);
+        f.set(v, mockDelegate);
+    }
+}

src/test/java/eu/webeid/security/validator/format/AuthTokenV1FormatValidatorTest.java

@@ -0,0 +1,38 @@
+package eu.webeid.security.validator.format;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.NullAndEmptySource;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.junit.jupiter.api.Test;
+
+import java.security.cert.X509Certificate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.Mockito.mock;
+
+class AuthTokenV1FormatValidatorTest {
+
+    private final AuthTokenV1FormatValidator validator = new AuthTokenV1FormatValidator();
+
+    @ParameterizedTest
+    @ValueSource(strings = { "web-eid:1", "web-eid:1.0", "web-eid:1.1", "web-eid:1.10" })
+    void supports_acceptsAllMajor1Variants(String format) {
+        assertThat(validator.supports(format)).isTrue();
+    }
+
+    @ParameterizedTest
+    @NullAndEmptySource
+    @ValueSource(strings = { "web-eid", "web-eid:0.9", "web-eid:2", "webauthn:1" })
+    void supports_rejectsNullEmptyAndOtherMajors(String format) {
+        assertThat(validator.supports(format)).isFalse();
+    }
+
+    @Test
+    void validate_isNoopAndDoesNotThrow() {
+        WebEidAuthToken token = mock(WebEidAuthToken.class);
+        X509Certificate cert = mock(X509Certificate.class);
+        assertThatCode(() -> validator.validate(token, cert)).doesNotThrowAnyException();
+    }
+}