Added <issuer>/testutils/* paths

There are two testutils endpoints added.

GET <issuer>/testutils/fulljwkssecret
gives you the full backing JWK

POST <issuer>/testutils/sigclaims
gives you back a Base64 encoded signed token with the
provided claims and expiry time. The endpoint expects JSON
with a 'claims' field, and an optional 'expiry' field
that contains a string compatible with the java.time.Duration
format, like 'PT1H'

Both endpoints are introduced to make it possible to
create valid, custom tokens for testing purposes.

Author: erik-a-e

src/main/kotlin/no/nav/security/mock/oauth2/extensions/HttpUrlExtensions.kt

@@ -23,6 +23,8 @@ object OAuth2Endpoints {
     const val USER_INFO = "/userinfo"
     const val DEBUGGER = "/debugger"
     const val DEBUGGER_CALLBACK = "/debugger/callback"
+    const val TESTUTILS_JWKS = "/testutils/fulljwkssecret"
+    const val TESTUTILS_SIGN = "/testutils/signclaims"
 
     val all = listOf(
         OAUTH2_WELL_KNOWN,
@@ -33,7 +35,9 @@ object OAuth2Endpoints {
         JWKS,
         USER_INFO,
         DEBUGGER,
-        DEBUGGER_CALLBACK
+        DEBUGGER_CALLBACK,
+        TESTUTILS_JWKS,
+        TESTUTILS_SIGN
     )
 }
 

src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequestHandler.kt

@@ -1,5 +1,8 @@
 package no.nav.security.mock.oauth2.http
 
+import com.fasterxml.jackson.core.JacksonException
+import com.fasterxml.jackson.databind.node.ObjectNode
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.nimbusds.oauth2.sdk.ErrorObject
 import com.nimbusds.oauth2.sdk.GeneralException
 import com.nimbusds.oauth2.sdk.GrantType
@@ -20,6 +23,8 @@ import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.END_SESSION
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.JWKS
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OAUTH2_WELL_KNOWN
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OIDC_WELL_KNOWN
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TESTUTILS_JWKS
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TESTUTILS_SIGN
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TOKEN
 import no.nav.security.mock.oauth2.extensions.isPrompt
 import no.nav.security.mock.oauth2.extensions.issuerId
@@ -82,6 +87,7 @@ class OAuth2HttpRequestHandler(private val config: OAuth2Config) {
         endSession()
         userInfo(config.tokenProvider)
         preflight()
+        testutils()
         get("/favicon.ico") { OAuth2HttpResponse(status = 200) }
         attach(debuggerRequestHandler)
     }
@@ -157,4 +163,52 @@ class OAuth2HttpRequestHandler(private val config: OAuth2Config) {
                 config.tokenCallbacks.firstOrNull { it.issuerId() == issuerId } ?: DefaultOAuth2TokenCallback(issuerId = issuerId)
             }
         }
+
+    private fun Route.Builder.testutils() = apply {
+
+        get(TESTUTILS_JWKS) {
+            val jwk = config.tokenProvider.fullJwkSet(it.url.issuerId())
+            json(jwk.toJSONObject(false))
+        }
+        post(TESTUTILS_SIGN) {
+            val issuerId = it.url.issuerId()
+            val om = jacksonObjectMapper()
+            try {
+                val parsedbody = om.readValue(it.body, ObjectNode::class.java)
+
+                val claimsMap = when {
+                    parsedbody.has("claims") -> {
+                        val claims = mutableMapOf<String, String>()
+                        parsedbody.get("claims").fields().forEach {
+                            claims[it.key] = it.value.toString()
+                        }
+                        claims.toMap()
+                    }
+                    else -> mapOf()
+                }
+                val expiryDuration = when {
+                    parsedbody.has("expiry") -> {
+                        val expirytxt = parsedbody.get("expiry").asText("PT1H")
+                        java.time.Duration.parse(expirytxt)
+                    }
+                    else -> java.time.Duration.parse("PT1H")
+                }
+                val signedJwt = config.tokenProvider.jwt(claimsMap, expiryDuration, issuerId)
+
+                OAuth2HttpResponse(status = 200, body = (signedJwt.serialize()))
+
+            } catch (ex: JacksonException) {
+                OAuth2HttpResponse(status = 400, body = ex.message.toString())
+            } catch (ex: java.time.format.DateTimeParseException) {
+                val outputStr = ex.message.toString() + listOf(
+                    "\n" + "`" + ex.parsedString + "`",
+                    "\nExamples of java.time.Duration string format:\n",
+                    "P1D (1 day), ",
+                    "PT1H (1 hour), ",
+                    "P0DT0H10M30S (0 days, 0 hours, 10 minutes, 30 seconds)",
+                ).joinToString("")
+                OAuth2HttpResponse(status = 400, body = outputStr)
+            }
+        }
+    }
 }

src/main/kotlin/no/nav/security/mock/oauth2/token/OAuth2TokenProvider.kt

@@ -145,4 +145,9 @@ class OAuth2TokenProvider @JvmOverloads constructor(
         builder.addClaims(additionalClaims)
         builder.build()
     }
+
+    fun fullJwkSet(issuerId: String): JWKSet {
+        val jwk = keyProvider.signingKey(issuerId)
+        return JWKSet(jwk)
+    }
 }

src/test/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequestHandlerTest.kt

@@ -1,5 +1,8 @@
 package no.nav.security.mock.oauth2.http
 
+import com.fasterxml.jackson.databind.node.ArrayNode
+import com.fasterxml.jackson.databind.node.ObjectNode
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import io.kotest.assertions.asClue
 import io.kotest.matchers.shouldBe
 import no.nav.security.mock.oauth2.OAuth2Config
@@ -9,6 +12,8 @@ import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.END_SESSION
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.JWKS
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OAUTH2_WELL_KNOWN
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.OIDC_WELL_KNOWN
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TESTUTILS_JWKS
+import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TESTUTILS_SIGN
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.TOKEN
 import no.nav.security.mock.oauth2.extensions.OAuth2Endpoints.USER_INFO
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
@@ -64,6 +69,21 @@ internal class OAuth2HttpRequestHandlerTest {
                 expectedResponse = OAuth2HttpResponse(status = 302)
             ),
             request(path = "/favicon.ico", method = "GET", expectedResponse = OAuth2HttpResponse(status = 200)),
+            request(path= "/issuer1$TESTUTILS_JWKS", method="GET", expectedResponse = OAuth2HttpResponse(status = 200)),
+            request(
+                path= "/issuer1$TESTUTILS_SIGN",
+                method="POST",
+                body= (jacksonObjectMapper().createObjectNode().apply {
+                    this.put("expiry","PT1H")
+                    this.set<ObjectNode>("claims", jacksonObjectMapper().createObjectNode().apply {
+                        this.set<ArrayNode>("groups", jacksonObjectMapper().createArrayNode().apply{
+                            this.add("grp1")
+                            this.add("grp2")
+                        })
+                    })
+                }).toString(),
+                expectedResponse = OAuth2HttpResponse(status = 200)
+            )
         )
 
         private fun request(path: String, method: String, headers: Headers = Headers.headersOf(), body: String? = null, expectedResponse: OAuth2HttpResponse) =