Stops requiring a client secret when the "password" grant type is used

apis-authorization-server/src/main/java/org/surfnet/oaaas/auth/OAuth2ValidatorImpl.java

@@ -199,6 +199,7 @@ protected void validateAttributes(AccessTokenRequest request) {
   protected void validateClient(AccessTokenRequest accessTokenRequest, 
       BasicAuthCredentials clientCredentials) {
     Client client = null;
+    String grantType = accessTokenRequest.getGrantType();
 
     // Were we given client credentials via basic auth?
     if (!clientCredentials.isNull()) {
@@ -208,30 +209,34 @@ protected void validateClient(AccessTokenRequest accessTokenRequest,
       }
       client = getClient(clientCredentials.getUsername(), clientCredentials.getPassword(), 
           UNAUTHORIZED_CLIENT);
-    } else if (!StringUtils.isBlank(accessTokenRequest.getClientId())) {
+    } else /* if (!StringUtils.isBlank(accessTokenRequest.getClientId())) */ {
       // Use the request parameters to obtain the client
       client = getClient(accessTokenRequest.getClientId(), accessTokenRequest.getClientSecret(), 
-          UNKNOWN_CLIENT_ID);
+          UNKNOWN_CLIENT_ID, !GRANT_TYPE_PASSWORD.equals(grantType));
     }
 
     // Record the associated client
     accessTokenRequest.setClient(client);
   }
-  
-  private Client getClient(String clientId, String clientSecret, ValidationResponse error) {
+
+  private Client getClient(String clientId, String clientSecret, ValidationResponse error, boolean isClientSecretRequired) {
     // Find the indicated client
     Client client = clientRepository.findByClientId(clientId);
     if (client == null) {
       throw new ValidationResponseException(error);
     }
-    
-    // Confirm that the credentials match those for the client
-    if (!client.verifySecret(clientSecret)) {
+
+    // Confirm that the credentials match those for the client, if required
+    if (isClientSecretRequired && !client.verifySecret(clientSecret)) {
       throw new ValidationResponseException(error);
     }
     return client;
   }
 
+  private Client getClient(String clientId, String clientSecret, ValidationResponse error) {
+    return getClient(clientId, clientSecret, error, true);
+  }
+
   protected void validateAccessTokenRequest(AccessTokenRequest accessTokenRequest) {
     if (accessTokenRequest.getGrantType().equals(GRANT_TYPE_CLIENT_CREDENTIALS)) {
       // We must have a client

apis-authorization-server/src/main/java/org/surfnet/oaaas/resource/HealthResource.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.surfnet.oaaas.resource;
+
+import javax.inject.Named;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+/**
+ * Resource for handling simple health checks, enabling the authorization
+ * server to be monitored by external watchers/tools. 
+ *
+ */
+@Named
+@Path("/health")
+@Produces(MediaType.APPLICATION_JSON)
+public class HealthResource {
+
+  @GET
+  public Response healthCheck() {
+	  return Response.ok("{ \"status\": \"OK\" }").build();
+  }
+}

apis-authorization-server/src/test/java/org/surfnet/oaaas/auth/OAuth2ValidatorImplTest.java

@@ -208,4 +208,20 @@ private AuthorizationRequest getAuthorizationRequest(Client client) {
     return request;
   }
 
+  @Test
+  public void testPasswordTokenRequest() {
+    AccessTokenRequest invalidAccessTokenRequest = new AccessTokenRequest();
+    invalidAccessTokenRequest.setGrantType(OAuth2Validator.GRANT_TYPE_PASSWORD);
+    invalidAccessTokenRequest.setClientId(client.getClientId());
+    ValidationResponse invalidResponse = validator.validate(invalidAccessTokenRequest, BasicAuthCredentials.createCredentialsFromHeader(null));
+    assertEquals(ValidationResponse.INVALID_GRANT_PASSWORD, invalidResponse);
+
+    AccessTokenRequest validAccessTokenRequest = new AccessTokenRequest();
+    validAccessTokenRequest.setGrantType(OAuth2Validator.GRANT_TYPE_PASSWORD);
+    validAccessTokenRequest.setClientId(client.getClientId());
+    validAccessTokenRequest.setUsername("username");
+    validAccessTokenRequest.setPassword("password");
+    ValidationResponse validResponse = validator.validate(validAccessTokenRequest, BasicAuthCredentials.createCredentialsFromHeader(null));
+    assertEquals(ValidationResponse.VALID, validResponse);
+  }
 }

apis-authorization-server/src/test/java/org/surfnet/oaaas/resource/HealthResourceTest.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2012 SURFnet bv, The Netherlands
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.surfnet.oaaas.resource;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.MockitoAnnotations;
+
+import static org.junit.Assert.assertEquals;
+
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+
+public class HealthResourceTest {
+
+  @InjectMocks
+  private HealthResource healthResource;
+
+  @Before
+  public void before() {
+    MockitoAnnotations.initMocks(this);
+  }
+
+  @Test
+  public void testHealthCheck() {
+	Response response = healthResource.healthCheck();
+    assertEquals("{ \"status\": \"OK\" }", response.getEntity());
+    assertEquals(Status.OK.getStatusCode(), response.getStatus());
+  }
+}