add support for configuration of standalone server/docker image (navikt#34)

**feat: add `RequestMappingTokenCallback`**
* tokenCallback implementation which can return claims based on token request parameter matching
* make `OAuth2TokenCallback.subject()` nullable to allow for tokens without sub claim

**feat: configure `StandaloneMockOAuth2Server.kt` from env and json**
* support loading `OAuth2Config` from env var or json file
* `httpServer` (type) can be specified from json config
* `tokenCallbacks` can be specified from json config using the `RequestMappingTokenCallback` feature

Author: tommytroen

build.gradle.kts

@@ -1,5 +1,6 @@
 import java.time.Duration
 import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
+
 val assertjVersion = "3.19.0"
 val kotlinLoggingVersion = "2.0.4"
 val logbackVersion = "1.2.3"

src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Config.kt

@@ -1,13 +1,46 @@
 package no.nav.security.mock.oauth2
 
+import com.fasterxml.jackson.core.JsonParser
+import com.fasterxml.jackson.core.type.TypeReference
+import com.fasterxml.jackson.databind.DeserializationContext
+import com.fasterxml.jackson.databind.JsonDeserializer
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+import com.fasterxml.jackson.module.kotlin.readValue
 import no.nav.security.mock.oauth2.http.MockWebServerWrapper
+import no.nav.security.mock.oauth2.http.NettyWrapper
 import no.nav.security.mock.oauth2.http.OAuth2HttpServer
 import no.nav.security.mock.oauth2.token.OAuth2TokenCallback
 import no.nav.security.mock.oauth2.token.OAuth2TokenProvider
+import no.nav.security.mock.oauth2.token.RequestMappingTokenCallback
 
 data class OAuth2Config @JvmOverloads constructor(
     val interactiveLogin: Boolean = false,
     val tokenProvider: OAuth2TokenProvider = OAuth2TokenProvider(),
+    @JsonDeserialize(contentAs = RequestMappingTokenCallback::class)
     val tokenCallbacks: Set<OAuth2TokenCallback> = emptySet(),
+    @JsonDeserialize(using = OAuth2HttpServerDeserializer::class)
     val httpServer: OAuth2HttpServer = MockWebServerWrapper()
-)
+) {
+
+    class OAuth2HttpServerDeserializer : JsonDeserializer<OAuth2HttpServer>() {
+        enum class ServerType {
+            MockWebServerWrapper,
+            NettyWrapper
+        }
+
+        override fun deserialize(p: JsonParser, ctxt: DeserializationContext): OAuth2HttpServer {
+            return when (p.readValueAs<ServerType>(object : TypeReference<ServerType>() {})) {
+                ServerType.NettyWrapper -> NettyWrapper()
+                ServerType.MockWebServerWrapper -> MockWebServerWrapper()
+                else -> throw IllegalArgumentException("unsupported httpServer specified in config")
+            }
+        }
+    }
+
+    companion object {
+        fun fromJson(json: String): OAuth2Config {
+            return jacksonObjectMapper().readValue(json)
+        }
+    }
+}

src/main/kotlin/no/nav/security/mock/oauth2/StandaloneMockOAuth2Server.kt

@@ -1,31 +1,58 @@
 package no.nav.security.mock.oauth2
 
-import java.net.InetAddress
-import java.net.InetSocketAddress
+import no.nav.security.mock.oauth2.StandaloneConfig.hostname
+import no.nav.security.mock.oauth2.StandaloneConfig.oauth2Config
+import no.nav.security.mock.oauth2.StandaloneConfig.port
 import no.nav.security.mock.oauth2.http.NettyWrapper
 import no.nav.security.mock.oauth2.http.OAuth2HttpResponse
 import no.nav.security.mock.oauth2.http.route
+import java.io.File
+import java.io.FileNotFoundException
+import java.net.InetAddress
+import java.net.InetSocketAddress
+
+object StandaloneConfig {
+    const val JSON_CONFIG = "JSON_CONFIG"
+    const val JSON_CONFIG_PATH = "JSON_CONFIG_PATH"
+    const val SERVER_HOSTNAME = "SERVER_HOSTNAME"
+    const val SERVER_PORT = "SERVER_PORT"
+
+    fun hostname(): InetAddress = SERVER_HOSTNAME.fromEnv()
+        ?.let { InetAddress.getByName(it) } ?: InetSocketAddress(0).address
 
-data class Configuration(
-    val server: Server = Server()
-) {
-    data class Server(
-        val hostname: InetAddress = "SERVER_HOSTNAME".fromEnv()?.let { InetAddress.getByName(it) } ?: InetSocketAddress(0).address,
-        val port: Int = "SERVER_PORT".fromEnv()?.toInt() ?: 8080
-    )
+    fun port(): Int = SERVER_PORT.fromEnv()?.toInt() ?: 8080
+
+    fun oauth2Config(): OAuth2Config = with(jsonFromEnv()) {
+        if (this != null) {
+            OAuth2Config.fromJson(this)
+        } else {
+            OAuth2Config(
+                interactiveLogin = true,
+                httpServer = NettyWrapper()
+            )
+        }
+    }
+
+    private fun jsonFromEnv() = JSON_CONFIG.fromEnv() ?: JSON_CONFIG_PATH.fromEnv("config.json").readFile()
+
+    private fun String.readFile(): String? =
+        try {
+            File(this).readText()
+        } catch (e: FileNotFoundException) {
+            null
+        }
 }
 
 fun main() {
-    val config = Configuration()
     MockOAuth2Server(
-        OAuth2Config(
-            interactiveLogin = true,
-            httpServer = NettyWrapper()
-        ),
+        oauth2Config(),
         route("/isalive") {
             OAuth2HttpResponse(status = 200, body = "alive and well")
         }
-    ).start(config.server.hostname, config.server.port)
+    ).apply {
+        start(hostname(), port())
+    }
 }
 
+fun String.fromEnv(default: String): String = System.getenv(this) ?: default
 fun String.fromEnv(): String? = System.getenv(this)

src/main/kotlin/no/nav/security/mock/oauth2/extensions/NimbusExtensions.kt

@@ -22,11 +22,13 @@ import com.nimbusds.oauth2.sdk.auth.ClientAuthentication
 import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT
 import com.nimbusds.oauth2.sdk.id.Issuer
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue
 import com.nimbusds.openid.connect.sdk.Prompt
 import java.time.Duration
 import java.time.Instant
 import java.util.HashSet
 import no.nav.security.mock.oauth2.OAuth2Exception
+import no.nav.security.mock.oauth2.grant.TokenExchangeGrant
 import no.nav.security.mock.oauth2.invalidRequest
 
 fun AuthenticationRequest.isPrompt(): Boolean =
@@ -38,6 +40,13 @@ fun TokenRequest.grantType(): GrantType =
     this.authorizationGrant?.type
         ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "missing required parameter grant_type")
 
+fun TokenRequest.scopesWithoutOidcScopes() =
+    scope?.toStringList()?.filterNot { value ->
+        OIDCScopeValue.values().map { it.toString() }.contains(value)
+    } ?: emptyList()
+
+fun TokenRequest.tokenExchangeGrantOrNull(): TokenExchangeGrant? = authorizationGrant as? TokenExchangeGrant
+
 fun TokenRequest.authorizationCode(): AuthorizationCode =
     this.authorizationGrant
         ?.let { it as? AuthorizationCodeGrant }

src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequest.kt

@@ -48,6 +48,7 @@ data class OAuth2HttpRequest(
         val clientAuthentication = ClientAuthentication.parse(httpRequest).requirePrivateKeyJwt(this.url.toString(), 120)
         val tokenExchangeGrant = TokenExchangeGrant.parse(formParameters.map)
 
+        // TODO: add scope if present in request
         return TokenRequest(
             this.url.toUri(),
             clientAuthentication,

src/main/kotlin/no/nav/security/mock/oauth2/token/OAuth2TokenCallback.kt

@@ -2,15 +2,16 @@ package no.nav.security.mock.oauth2.token
 
 import com.nimbusds.oauth2.sdk.GrantType
 import com.nimbusds.oauth2.sdk.TokenRequest
-import com.nimbusds.openid.connect.sdk.OIDCScopeValue
-import java.util.UUID
 import no.nav.security.mock.oauth2.extensions.clientIdAsString
 import no.nav.security.mock.oauth2.extensions.grantType
-import no.nav.security.mock.oauth2.grant.TokenExchangeGrant
+import no.nav.security.mock.oauth2.extensions.scopesWithoutOidcScopes
+import no.nav.security.mock.oauth2.extensions.tokenExchangeGrantOrNull
+import java.time.Duration
+import java.util.UUID
 
 interface OAuth2TokenCallback {
     fun issuerId(): String
-    fun subject(tokenRequest: TokenRequest): String
+    fun subject(tokenRequest: TokenRequest): String?
     fun audience(tokenRequest: TokenRequest): List<String>
     fun addClaims(tokenRequest: TokenRequest): Map<String, Any>
     fun tokenExpiry(): Long
@@ -36,13 +37,13 @@ open class DefaultOAuth2TokenCallback(
     }
 
     override fun audience(tokenRequest: TokenRequest): List<String> {
-        val oidcScopeList = OIDCScopeValue.values().map { it.toString() }
-        return audience
-            ?: (tokenRequest.authorizationGrant as? TokenExchangeGrant)?.audience
-            ?: let {
-                tokenRequest.scope?.toStringList()
-                    ?.filterNot { oidcScopeList.contains(it) }
-            } ?: listOf("default")
+        val audienceParam = tokenRequest.tokenExchangeGrantOrNull()?.audience
+        return when {
+            audience != null -> audience
+            audienceParam != null -> audienceParam
+            tokenRequest.scope != null -> tokenRequest.scopesWithoutOidcScopes()
+            else -> listOf("default")
+        }
     }
 
     override fun addClaims(tokenRequest: TokenRequest): Map<String, Any> =
@@ -57,3 +58,38 @@ open class DefaultOAuth2TokenCallback(
 
     override fun tokenExpiry(): Long = expiry
 }
+
+data class RequestMappingTokenCallback(
+    val issuerId: String,
+    val requestMappings: Set<RequestMapping>,
+    val tokenExpiry: Long = Duration.ofHours(1).toSeconds()
+) : OAuth2TokenCallback {
+    override fun issuerId(): String = issuerId
+    override fun subject(tokenRequest: TokenRequest): String? =
+        requestMappings.getClaimOrNull(tokenRequest, "sub")
+
+    override fun audience(tokenRequest: TokenRequest): List<String> =
+        requestMappings.getClaimOrNull(tokenRequest, "aud") ?: emptyList()
+
+    override fun addClaims(tokenRequest: TokenRequest): Map<String, Any> =
+        requestMappings.getClaims(tokenRequest)
+
+    override fun tokenExpiry(): Long = tokenExpiry
+
+    private fun Set<RequestMapping>.getClaims(tokenRequest: TokenRequest) =
+        firstOrNull { it.isMatch(tokenRequest) }?.claims ?: emptyMap()
+
+    private inline fun <reified T> Set<RequestMapping>.getClaimOrNull(tokenRequest: TokenRequest, key: String): T? =
+        getClaims(tokenRequest)[key] as? T
+}
+
+data class RequestMapping(
+    private val requestParam: String,
+    private val match: String = "*",
+    val claims: Map<String, Any> = emptyMap()
+) {
+    fun isMatch(tokenRequest: TokenRequest): Boolean =
+        tokenRequest.toHTTPRequest().queryParameters[requestParam]?.any {
+            if (match != "*") it == match else true
+        } ?: false
+}

src/main/kotlin/no/nav/security/mock/oauth2/token/OAuth2TokenProvider.kt

@@ -90,7 +90,7 @@ class OAuth2TokenProvider {
 
     private fun defaultClaims(
         issuerUrl: HttpUrl,
-        subject: String,
+        subject: String?,
         audience: List<String>,
         nonce: String?,
         additionalClaims: Map<String, Any>,

src/main/resources/logback.xml

@@ -8,6 +8,8 @@
         </layout>
     </appender>
 
+    <logger name="io.netty" level="info" />
+
     <root level="debug">
         <appender-ref ref="stdout"/>
     </root>

src/test/kotlin/no/nav/security/mock/oauth2/OAuth2ConfigTest.kt

@@ -0,0 +1,104 @@
+package no.nav.security.mock.oauth2
+
+import com.fasterxml.jackson.databind.exc.InvalidFormatException
+import io.kotest.assertions.throwables.shouldThrow
+import io.kotest.matchers.collections.shouldContainAll
+import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.types.beInstanceOf
+import no.nav.security.mock.oauth2.FullConfig.configJson
+import no.nav.security.mock.oauth2.HttpServerConfig.withMockWebServerWrapper
+import no.nav.security.mock.oauth2.HttpServerConfig.withNettyHttpServer
+import no.nav.security.mock.oauth2.HttpServerConfig.withUnknownHttpServer
+import no.nav.security.mock.oauth2.http.MockWebServerWrapper
+import no.nav.security.mock.oauth2.http.NettyWrapper
+import org.intellij.lang.annotations.Language
+import org.junit.jupiter.api.Test
+
+internal class OAuth2ConfigTest {
+
+    @Test
+    fun `create httpServer from json`() {
+        OAuth2Config.fromJson(withNettyHttpServer).httpServer should beInstanceOf<NettyWrapper>()
+        OAuth2Config.fromJson(withMockWebServerWrapper).httpServer should beInstanceOf<MockWebServerWrapper>()
+        shouldThrow<InvalidFormatException> {
+            OAuth2Config.fromJson(withUnknownHttpServer)
+        }
+    }
+
+    @Test
+    fun `create full config from json with multiple tokenCallbacks`() {
+        val config = OAuth2Config.fromJson(configJson)
+        config.interactiveLogin shouldBe true
+        config.httpServer should beInstanceOf<NettyWrapper>()
+        config.tokenCallbacks.size shouldBe 2
+        config.tokenCallbacks.map {
+            it.issuerId()
+        }.toList() shouldContainAll listOf("issuer1", "issuer2")
+    }
+}
+
+object FullConfig {
+    @Language("json")
+    val configJson = """{
+      "interactiveLogin" : true,
+      "httpServer": "NettyWrapper",
+      "tokenCallbacks": [
+        {
+          "issuerId": "issuer1",
+          "tokenExpiry": 120,
+          "requestMappings": [
+            {
+              "requestParam": "scope",
+              "match": "scope1",
+              "claims": {
+                "sub": "subByScope",
+                "aud": [
+                  "audByScope"
+                ]
+              }
+            }
+          ]
+        },
+        {
+          "issuerId": "issuer2",
+          "requestMappings": [
+            {
+              "requestParam": "someparam",
+              "match": "somevalue",
+              "claims": {
+                "sub": "subBySomeParam",
+                "aud": [
+                  "audBySomeParam"
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    }
+    """.trimIndent()
+}
+
+object HttpServerConfig {
+    @Language("json")
+    val withMockWebServerWrapper = """
+        {
+          "httpServer": "MockWebServerWrapper"
+        }
+    """.trimIndent()
+
+    @Language("json")
+    val withNettyHttpServer = """
+        {
+          "httpServer": "NettyWrapper"
+        }
+    """.trimIndent()
+
+    @Language("json")
+    val withUnknownHttpServer = """
+        {
+          "httpServer": "UnknownServer"
+        }
+    """.trimIndent()
+}