In the first lab we extended an existing Microservice to an OAuth 2.0 and OpenID Connect 1.0 compliant Resource Server. Target of this lab is to add automated security tests for this Microservice.
Testing is an important topic. The DevOps culture also propagates Automate All The Things. This applies to writing and automating tests as well.
The important point here is to write the right tests. A well-known approach is shown as part of the Test-Pyramid by Mike Cohn.
Test Pyramid
Most tests should be written as easy unit tests, this type of testing is quite cheap and provides fast feedback if things are still working as expected or anything has been broken.
Integration tests (aka tests on the service layer) are a bit more effort, often these tests depend on a runtime environment like a Java EE or Spring container. Typically, these tests run significantly slower and are often causing long CI/CD waiting times.
The tests with most effort are acceptance tests, UI tests or End2End tests which do a complete test of the application from api to data access layer. These tests run very long and are expensive to write and to maintain.
If you want to get more into this topic then check out this very good article for The Practical Test Pyramid.
In this lab we will write tests on the first layer (a unit test) and on the second layer (a security integration test).
Learning Targets
In this lab we will add security tests for an OAuth2/OIDC compliant resource server. Tests should have a minimum of dependencies on other components so the tests run without the requirement of a real identity provider.
In this lab you will learn how to:
How to write automated tests simulating a bearer token authentication using JSON web tokens (JWT)
How to write automated tests to verify authorization based on JWT.
Folder Contents
In the folder of lab 2 you find 2 applications:
initial: This is the application we will use as starting point for this lab
final: This application is the completed reference for this lab
Start the Lab
In this lab we will implement:
An integration test to verify correct authentication & authorization for the ToDo API using JWT
Please start this lab with project located in lab2/initial.
Integration Test
Open the existing class com.example.todo.api.ToDoRestControllerIntegrationTest, and we will add/change the missing parts.
First you need to enable support for spring security and uncomment the line with .apply(springSecurity()) in (1). Now security is enabled and all tests calling the secured endpoints will fail with a 401 status.
All tests are currently disabled as this would break the automatic build of the github action. So please remove all lines with the @Disabled annotation same as in line (2).
To add the missing authentication to the tests you have two options:
You can use the provided getJwt() operation and the JwtAuthzConverter() (see markers (3) and (4) above) and add the JWT to the call like here:
Or you can make it by more directly specifying the JWT using a lambda expression like here:
Please do not forget to also test security and especially authorization on the method layer as well (verify the operations annotated with_@PreAuthorize_). As this is not special for JWT/OAuth there is no lab in the workshop for this.
This is the end of the lab. In the next lab 3 we will propagate the JWT to call another Microservice.
