feat: support for refresh_token grant, some more tests and test utils (#12)

* feat: support for refresh_token grant, some more tests and test utils
* chore: suppress warnings for functions et al which is part of public API
* chore: reduce visibility for grant handler classes

Author: tommytroen

src/main/kotlin/no/nav/security/mock/oauth2/MockOAuth2Server.kt

@@ -30,6 +30,7 @@ import okhttp3.mockwebserver.MockWebServer
 import okhttp3.mockwebserver.RecordedRequest
 
 // TODO make open so others can extend?
+@Suppress("unused", "MemberVisibilityCanBePrivate")
 class MockOAuth2Server(
     val config: OAuth2Config = OAuth2Config()
 ) {

src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Exception.kt

@@ -4,6 +4,7 @@ import com.nimbusds.oauth2.sdk.ErrorObject
 import com.nimbusds.oauth2.sdk.GrantType
 import com.nimbusds.oauth2.sdk.OAuth2Error
 
+@Suppress("unused")
 class OAuth2Exception(val errorObject: ErrorObject?, msg: String, throwable: Throwable?) :
     RuntimeException(msg, throwable) {
     constructor(msg: String) : this(null, msg, null)

src/main/kotlin/no/nav/security/mock/oauth2/extensions/String.kt

@@ -0,0 +1,14 @@
+package no.nav.security.mock.oauth2.extensions
+
+import java.net.URLDecoder
+import java.nio.charset.StandardCharsets
+
+internal fun String.keyValuesToMap(listDelimiter: String): Map<String, String> =
+    this.split(listDelimiter)
+        .filter { it.contains("=") }
+        .associate {
+            val (key, value) = it.split("=")
+            key.urlDecode().trim() to value.urlDecode().trim()
+        }
+
+internal fun String.urlDecode(): String = URLDecoder.decode(this, StandardCharsets.UTF_8)

src/main/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeGrantHandler.kt

@@ -6,7 +6,6 @@ import com.nimbusds.oauth2.sdk.OAuth2Error
 import com.nimbusds.oauth2.sdk.TokenRequest
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest
 import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse
-import java.util.UUID
 import kotlin.collections.set
 import mu.KotlinLogging
 import no.nav.security.mock.oauth2.OAuth2Exception
@@ -21,8 +20,9 @@ import okhttp3.HttpUrl
 
 private val log = KotlinLogging.logger {}
 
-class AuthorizationCodeHandler(
-    private val tokenProvider: OAuth2TokenProvider = OAuth2TokenProvider()
+internal class AuthorizationCodeHandler(
+    private val tokenProvider: OAuth2TokenProvider,
+    private val refreshTokenManager: RefreshTokenManager
 ) : GrantHandler {
 
     private val codeToAuthRequestCache: MutableMap<AuthorizationCode, AuthenticationRequest> = HashMap()
@@ -67,14 +67,15 @@ class AuthorizationCodeHandler(
         val scope: String? = tokenRequest.scope?.toString()
         val nonce: String? = authenticationRequest?.nonce?.value
         val loginTokenCallbackOrDefault = getLoginTokenCallbackOrDefault(code, oAuth2TokenCallback)
-        val idToken: SignedJWT = tokenProvider.idToken(tokenRequest, issuerUrl, nonce, loginTokenCallbackOrDefault)
+        val idToken: SignedJWT = tokenProvider.idToken(tokenRequest, issuerUrl, loginTokenCallbackOrDefault, nonce)
         val accessToken: SignedJWT = tokenProvider.accessToken(tokenRequest, issuerUrl, loginTokenCallbackOrDefault, nonce)
+        val refreshToken: RefreshToken = refreshTokenManager.refreshToken(loginTokenCallbackOrDefault)
 
         return OAuth2TokenResponse(
             tokenType = "Bearer",
             idToken = idToken.serialize(),
             accessToken = accessToken.serialize(),
-            refreshToken = UUID.randomUUID().toString(),
+            refreshToken = refreshToken,
             expiresIn = idToken.expiresIn(),
             scope = scope
         )

src/main/kotlin/no/nav/security/mock/oauth2/grant/ClientCredentialsGrantHandler.kt

@@ -7,7 +7,7 @@ import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.HttpUrl
 
-class ClientCredentialsGrantHandler(
+internal class ClientCredentialsGrantHandler(
     private val tokenProvider: OAuth2TokenProvider
 ) : GrantHandler {
 

src/main/kotlin/no/nav/security/mock/oauth2/grant/JwtBearerGrantHandler.kt

@@ -12,7 +12,7 @@ import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.HttpUrl
 
-class JwtBearerGrantHandler(private val tokenProvider: OAuth2TokenProvider) : GrantHandler {
+internal class JwtBearerGrantHandler(private val tokenProvider: OAuth2TokenProvider) : GrantHandler {
 
     override fun tokenResponse(
         request: OAuth2HttpRequest,

src/main/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenGrantHandler.kt

@@ -0,0 +1,48 @@
+package no.nav.security.mock.oauth2.grant
+
+import com.nimbusds.jwt.SignedJWT
+import com.nimbusds.oauth2.sdk.GrantType
+import com.nimbusds.oauth2.sdk.RefreshTokenGrant
+import com.nimbusds.oauth2.sdk.TokenRequest
+import mu.KotlinLogging
+import no.nav.security.mock.oauth2.extensions.expiresIn
+import no.nav.security.mock.oauth2.http.OAuth2HttpRequest
+import no.nav.security.mock.oauth2.http.OAuth2TokenResponse
+import no.nav.security.mock.oauth2.invalidGrant
+import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
+import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
+import okhttp3.HttpUrl
+
+private val log = KotlinLogging.logger {}
+
+internal class RefreshTokenGrantHandler(
+    private val tokenProvider: OAuth2TokenProvider,
+    private val refreshTokenManager: RefreshTokenManager
+) : GrantHandler {
+
+    override fun tokenResponse(
+        request: OAuth2HttpRequest,
+        issuerUrl: HttpUrl,
+        oAuth2TokenCallback: OAuth2TokenCallback
+    ): OAuth2TokenResponse {
+        val tokenRequest = request.asNimbusTokenRequest()
+        val refreshToken = tokenRequest.refreshTokenGrant().refreshToken.value
+        log.debug("issuing token for refreshToken=$refreshToken")
+        val scope: String? = tokenRequest.scope?.toString()
+        val refreshTokenCallbackOrDefault = refreshTokenManager[refreshToken] ?: oAuth2TokenCallback
+        val idToken: SignedJWT = tokenProvider.idToken(tokenRequest, issuerUrl, refreshTokenCallbackOrDefault)
+        val accessToken: SignedJWT = tokenProvider.accessToken(tokenRequest, issuerUrl, refreshTokenCallbackOrDefault)
+
+        return OAuth2TokenResponse(
+            tokenType = "Bearer",
+            idToken = idToken.serialize(),
+            accessToken = accessToken.serialize(),
+            refreshToken = refreshToken,
+            expiresIn = idToken.expiresIn(),
+            scope = scope
+        )
+    }
+
+    private fun TokenRequest.refreshTokenGrant(): RefreshTokenGrant =
+        (this.authorizationGrant as? RefreshTokenGrant) ?: invalidGrant(GrantType.REFRESH_TOKEN)
+}

src/main/kotlin/no/nav/security/mock/oauth2/grant/RefreshTokenManager.kt

@@ -0,0 +1,18 @@
+package no.nav.security.mock.oauth2.grant
+
+import java.util.UUID
+import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
+
+typealias RefreshToken = String
+
+internal data class RefreshTokenManager(
+    private val cache: MutableMap<RefreshToken, OAuth2TokenCallback> = HashMap()
+) {
+    operator fun get(refreshToken: RefreshToken) = cache[refreshToken]
+
+    fun refreshToken(tokenCallback: OAuth2TokenCallback): RefreshToken {
+        val refreshToken = UUID.randomUUID().toString()
+        cache[refreshToken] = tokenCallback
+        return refreshToken
+    }
+}

src/main/kotlin/no/nav/security/mock/oauth2/grant/TokenExchangeGrant.kt

@@ -6,6 +6,7 @@ import no.nav.security.mock.oauth2.invalidRequest
 
 val TOKEN_EXCHANGE = GrantType("urn:ietf:params:oauth:grant-type:token-exchange")
 
+@Suppress("MemberVisibilityCanBePrivate")
 class TokenExchangeGrant(
     val subjectTokenType: String,
     val subjectToken: String,

src/main/kotlin/no/nav/security/mock/oauth2/grant/TokenExchangeGrantHandler.kt

@@ -10,7 +10,7 @@ import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
 import okhttp3.HttpUrl
 
-class TokenExchangeGrantHandler(private val tokenProvider: OAuth2TokenProvider) : GrantHandler {
+internal class TokenExchangeGrantHandler(private val tokenProvider: OAuth2TokenProvider) : GrantHandler {
 
     override fun tokenResponse(
         request: OAuth2HttpRequest,