Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow null or empty authorities for DefaultOAuth2User 

Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
This commit is contained in:
Mayur Patel 2021-01-27 11:34:00 +05:30 committed by Joe Grandja
parent 42013ee3a1
commit fc24c7991c
3 changed files with 44 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -29,6 +29,7 @@ import java.util.TreeSet;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion; import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -65,13 +66,14 @@ public class DefaultOAuth2User implements OAuth2User, Serializable {
*/ */
public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes, public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
String nameAttributeKey) { String nameAttributeKey) {
Assert.notEmpty(authorities, "authorities cannot be empty");
Assert.notEmpty(attributes, "attributes cannot be empty"); Assert.notEmpty(attributes, "attributes cannot be empty");
Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty"); Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
if (!attributes.containsKey(nameAttributeKey)) { if (!attributes.containsKey(nameAttributeKey)) {
throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes"); throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
} }
this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities))); this.authorities = (authorities != null)
? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes)); this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
this.nameAttributeKey = nameAttributeKey; this.nameAttributeKey = nameAttributeKey;
} }

28
oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -25,6 +25,7 @@ import java.util.Set;
import org.junit.Test; import org.junit.Test;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames; import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcIdToken; import org.springframework.security.oauth2.core.oidc.OidcIdToken;
@ -66,11 +67,6 @@ public class DefaultOidcUserTests {
private static final OidcUserInfo USER_INFO = new OidcUserInfo(USER_INFO_CLAIMS); private static final OidcUserInfo USER_INFO = new OidcUserInfo(USER_INFO_CLAIMS);
@Test
public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(null, ID_TOKEN));
}
@Test @Test
public void constructorWhenIdTokenIsNullThenThrowIllegalArgumentException() { public void constructorWhenIdTokenIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, null)); assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, null));
@ -81,6 +77,26 @@ public class DefaultOidcUserTests {
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, ID_TOKEN, "invalid")); assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, ID_TOKEN, "invalid"));
} }
@Test
public void constructorWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities() {
DefaultOidcUser user = new DefaultOidcUser(null, ID_TOKEN);
assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
assertThat(user.getName()).isEqualTo(SUBJECT);
assertThat(user.getAuthorities()).isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
}
@Test
public void constructorWhenAuthoritiesIsEmptyThenCreated() {
DefaultOidcUser user = new DefaultOidcUser(AuthorityUtils.NO_AUTHORITIES, ID_TOKEN);
assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
assertThat(user.getName()).isEqualTo(SUBJECT);
assertThat(user.getAuthorities()).isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
}
@Test @Test
public void constructorWhenAuthoritiesIdTokenProvidedThenCreated() { public void constructorWhenAuthoritiesIdTokenProvidedThenCreated() {
DefaultOidcUser user = new DefaultOidcUser(AUTHORITIES, ID_TOKEN); DefaultOidcUser user = new DefaultOidcUser(AUTHORITIES, ID_TOKEN);

30
oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -47,18 +47,6 @@ public class DefaultOAuth2UserTests {
private static final Map<String, Object> ATTRIBUTES = Collections.singletonMap(ATTRIBUTE_NAME_KEY, USERNAME); private static final Map<String, Object> ATTRIBUTES = Collections.singletonMap(ATTRIBUTE_NAME_KEY, USERNAME);
@Test
public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY));
}
@Test
public void constructorWhenAuthoritiesIsEmptyThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY));
}
@Test @Test
public void constructorWhenAttributesIsNullThenThrowIllegalArgumentException() { public void constructorWhenAttributesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException() assertThatIllegalArgumentException()
@ -82,6 +70,22 @@ public class DefaultOAuth2UserTests {
.isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid")); .isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid"));
} }
@Test
public void constructorWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities() {
DefaultOAuth2User user = new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
assertThat(user.getName()).isEqualTo(USERNAME);
assertThat(user.getAuthorities()).isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
}
@Test
public void constructorWhenAuthoritiesIsEmptyThenCreated() {
DefaultOAuth2User user = new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY);
assertThat(user.getName()).isEqualTo(USERNAME);
assertThat(user.getAuthorities()).isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
}
@Test @Test
public void constructorWhenAllParametersProvidedAndValidThenCreated() { public void constructorWhenAllParametersProvidedAndValidThenCreated() {
DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY); DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);