fix: do not default a missing secret to an empty one (#2455)
* fix: do not default a missing secret to an empty one. If a client has no secret set, then the configuration should have no secret. Before: a missing secret was stored as an empty string, and this empty secret could be used even with client credentials. After: a missing secret is null in the DB layer, so that secret-based login is not possible. Other authentication methods remain, so the client is still usable. * refactorings resulted from sonar recommendations * review * review
Showing
12 changed files
with
118 additions
and
41 deletions.
38 changes: 36 additions & 2 deletions
server/src/main/java/org/cloudfoundry/identity/uaa/client/UaaClient.java
@@ -1,24 +1,58 @@ | ||
package org.cloudfoundry.identity.uaa.client; | ||
|
||
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants; | ||
import org.springframework.security.core.GrantedAuthority; | ||
import org.springframework.security.core.SpringSecurityCoreVersion; | ||
import org.springframework.security.core.userdetails.User; | ||
import org.springframework.security.core.userdetails.UserDetails; | ||
|
||
import java.util.Collection; | ||
import java.util.Collections; | ||
import java.util.Map; | ||
import java.util.Optional; | ||
|
||
public class UaaClient extends User { | ||
|
||
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; | ||
private transient Map<String, Object> additionalInformation; | ||
|
||
private final String secret; | ||
|
||
public UaaClient(String username, String password, Collection<? extends GrantedAuthority> authorities, Map<String, Object> additionalInformation) { | ||
super(username, password, authorities); | ||
super(username, password == null ? "" : password, authorities); | ||
this.additionalInformation = additionalInformation; | ||
this.secret = password; | ||
} | ||
|
||
public UaaClient(UserDetails userDetails, String secret) { | ||
super(userDetails.getUsername(), secret == null ? "" : secret, userDetails.isEnabled(), userDetails.isAccountNonExpired(), | ||
userDetails.isCredentialsNonExpired(), userDetails.isAccountNonLocked(), userDetails.getAuthorities()); | ||
if (userDetails instanceof UaaClient) { | ||
this.additionalInformation = ((UaaClient) userDetails).getAdditionalInformation(); | ||
} | ||
this.secret = secret; | ||
} | ||
|
||
public Map<String, Object> getAdditionalInformation() { | ||
public boolean isAllowPublic() { | ||
Object allowPublic = Optional.ofNullable(additionalInformation).map(e -> e.get(ClientConstants.ALLOW_PUBLIC)).orElse(Collections.emptyMap()); | ||
if ((allowPublic instanceof String && Boolean.TRUE.toString().equalsIgnoreCase((String) allowPublic)) || (allowPublic instanceof Boolean && Boolean.TRUE.equals(allowPublic))) { | ||
return true; | ||
} else { | ||
return false; | ||
} | ||
} | ||
|
||
private Map<String, Object> getAdditionalInformation() { | ||
return this.additionalInformation; | ||
} | ||
|
||
/** | ||
* Allow to return a null password. Super class does not allow to omit a password, therefore use own method | ||
* | ||
* @return The password of the client, can be null if no secret is set | ||
*/ | ||
@Override | ||
public String getPassword() { | ||
return this.secret; | ||
} | ||
} |
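Review bot: The new `getPassword()` override returns the `final` field `secret`, which is never cleared, so the credential now outlives `eraseCredentials()`: the Spring `User` superclass implements `CredentialsContainer` and its `eraseCredentials()` nulls only its own `password` field, which this class no longer reads. Any caller relying on that contract (Spring's `ProviderManager` erases credentials on the authenticated principal by default, if that path is used here) would still see the client secret through `getPassword()` afterwards. Consider dropping `final` on `secret` and overriding `eraseCredentials()` to clear it alongside the superclass field, as sketched below. Separately, in `isAllowPublic()` the `orElse(Collections.emptyMap())` default is only a placeholder that is neither a `String` nor a `Boolean`; `orElse(null)` with the same `instanceof` checks reads more honestly.
```java
    private String secret; // not final so eraseCredentials() can clear it

    // … unchanged: constructors, isAllowPublic, getAdditionalInformation …

    @Override
    public String getPassword() {
        return this.secret;
    }

    /** Clears the locally held secret too; User.eraseCredentials() only nulls its own password field. */
    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
        this.secret = null;
    }
```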