fix: fail with an error if error during token extraction

https://gravitee.atlassian.net/browse/APIM-3382
gravitee-io · Nov 24, 2023 · cd4937d · cd4937d
1 parent 00b8508
commit cd4937d
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -22,7 +22,7 @@
 
     <groupId>io.gravitee.policy</groupId>
     <artifactId>gravitee-policy-oauth2</artifactId>
-    <version>3.0.3</version>
+    <version>3.0.4-apim-3382-SNAPSHOT</version>
 
     <name>Gravitee.io APIM - Policy - OAuth2</name>
     <description>Check access token validity during request processing using token introspection</description>
@@ -39,9 +39,9 @@
         <gravitee-policy-api.version>1.11.0</gravitee-policy-api.version>
         <gravitee-node.version>4.0.0</gravitee-node.version>
         <gravitee-common.version>2.1.1</gravitee-common.version>
-        <gravitee-apim.version>4.0.0-SNAPSHOT</gravitee-apim.version>
+        <gravitee-apim.version>4.0.0</gravitee-apim.version>
         <gravitee-resource-api.version>1.1.0</gravitee-resource-api.version>
-        <gravitee-resource-oauth2-provider-api.version>1.3.0</gravitee-resource-oauth2-provider-api.version>
+        <gravitee-resource-oauth2-provider-api.version>1.4.0</gravitee-resource-oauth2-provider-api.version>
         <gravitee-resource-cache-provider-api.version>1.4.0</gravitee-resource-cache-provider-api.version>
         <nimbus-jose-jwt.version>9.15.2</nimbus-jose-jwt.version>
         <guava.version>31.1-jre</guava.version>

diff --git a/src/main/java/io/gravitee/policy/oauth2/Oauth2Policy.java b/src/main/java/io/gravitee/policy/oauth2/Oauth2Policy.java
@@ -100,6 +100,9 @@ public Maybe<SecurityToken> extractSecurityToken(HttpExecutionContext ctx) {
                 if (introspectionResult.hasClientId()) {
                     return Maybe.just(SecurityToken.forClientId(introspectionResult.getClientId()));
                 }
+                if (introspectionResult.getOauth2ResponseThrowable() != null) {
+                    return Maybe.error(introspectionResult.getOauth2ResponseThrowable());
+                }
                 return Maybe.just(SecurityToken.invalid(SecurityToken.TokenType.CLIENT_ID));
             });
     }

diff --git a/src/test/java/io/gravitee/policy/oauth2/Oauth2PolicyTest.java b/src/test/java/io/gravitee/policy/oauth2/Oauth2PolicyTest.java
@@ -67,6 +67,7 @@
 import io.gravitee.resource.cache.api.Cache;
 import io.gravitee.resource.cache.api.CacheResource;
 import io.gravitee.resource.oauth2.api.OAuth2Resource;
+import io.gravitee.resource.oauth2.api.OAuth2ResourceException;
 import io.gravitee.resource.oauth2.api.OAuth2Response;
 import io.reactivex.rxjava3.core.Completable;
 import io.reactivex.rxjava3.observers.TestObserver;
@@ -524,6 +525,18 @@ void extractSecurityTokenShouldReturnEmptyWhenTokenIsPresentButIntrospectionFail
         obs.assertComplete().assertValueCount(0);
     }
 
+    @Test
+    void extractSecurityTokenShouldReturnInvalidTokenWhenIntrospectionInError() {
+        prepareOauth2Resource();
+        String token = prepareToken();
+        OAuth2ResourceException errorDuringIntrospection = new OAuth2ResourceException("Error during introspection");
+        prepareIntrospection(token, errorDuringIntrospection);
+
+        final TestObserver<SecurityToken> obs = cut.extractSecurityToken(ctx).test();
+
+        obs.assertError(errorDuringIntrospection);
+    }
+
     @Test
     void extractSecurityTokenShouldReturnTokenWhenTokenIsPresentAndIntrospectionSucceed() throws IOException {
         prepareOauth2Resource();
@@ -587,6 +600,20 @@ private void prepareIntrospection(String token, String payload, boolean success)
             .introspect(eq(token), any(Handler.class));
     }
 
+    private void prepareIntrospection(String token, Throwable throwable) {
+        final OAuth2Response oAuth2Response = mock(OAuth2Response.class);
+        lenient().when(oAuth2Response.isSuccess()).thenReturn(false);
+        lenient().when(oAuth2Response.getPayload()).thenReturn(throwable.getMessage());
+        lenient().when(oAuth2Response.getThrowable()).thenReturn(throwable);
+
+        doAnswer(i -> {
+                i.<Handler<OAuth2Response>>getArgument(1).handle(oAuth2Response);
+                return null;
+            })
+            .when(oAuth2Resource)
+            .introspect(eq(token), any(Handler.class));
+    }
+
     private void verifyInterruptWith(int httpStatus, String key, final String message) {
         verify(ctx)
             .interruptWith(