Validate secrets only with text
This fixes the client creation REST call with an empty secret.
An empty client secret is already allowed via the YAML setting, but
in a REST call there is an error:
Client Secret must be at least 1 characters in length.

Why this occurs: there is a policy validator for user and client
policy validation.

For users, a minimum of 1 char for a password might be OK,
but for a client it is not. A secret can be empty.

Before 76.22.0 a missing secret in a client creation call was defaulted
to an empty secret, but with #2455
this was fixed. The fix prevented creation with an empty secret.

Therefore, this is a fix for a regression introduced with 76.22.0.
It simply prevents the policy validation if the secret is without text
(null or empty).
strehle committed Oct 25, 2023
1 parent 874c62d commit dc772e8
Showing 3 changed files with 6 additions and 3 deletions.
Expand Up @@ -3,6 +3,7 @@
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;

Expand All @@ -12,6 +13,8 @@ public class UaaExceptionTranslator extends DefaultWebResponseExceptionTranslato
public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
if (e instanceof AccountNotVerifiedException) {
return handleOAuth2Exception(new ForbiddenException(e.getMessage(), e));
} else if (e instanceof BadCredentialsException) {
return handleOAuth2Exception(OAuth2Exception.create(OAuth2Exception.UNAUTHORIZED_CLIENT, e.getMessage()));
}

return super.translate(e);
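Review bot: The new `else if (e instanceof BadCredentialsException)` branch maps every authentication failure to `OAuth2Exception.UNAUTHORIZED_CLIENT` ("unauthorized_client"), which RFC 6749 §5.2 reserves for a client that is authenticated but not permitted to use the requested grant type; failed client authentication is `invalid_client`, and a rejected resource owner password is `invalid_grant`. Consider `OAuth2Exception.INVALID_CLIENT` here (or distinguishing the two failure kinds) before callers start matching on the new string, and mention this translator change in the commit message, which currently only describes the empty-secret validation fix.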
Expand Up @@ -84,7 +84,7 @@ public void testUnauthenticated() {
@SuppressWarnings("rawtypes")
ResponseEntity<Map> response = serverRunning.getForObject("/clientinfo", Map.class, headers);
assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
assertEquals("unauthorized", response.getBody().get("error"));
assertEquals("unauthorized_client", response.getBody().get("error"));

}

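Review bot: The assertion now pins the `/clientinfo` response body to "unauthorized_client" for an unauthenticated call, which makes that error code part of the public contract even though `invalid_client` is the RFC 6749 §5.2 code for missing or failed client authentication. If the non-standard code is intentional, a comment on the assertion saying so would help; it would also be worth asserting `error_description` so the whole response shape stays covered by this test.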
Expand Up @@ -858,7 +858,7 @@ void token_endpoint_should_return_Basic_WWW_Authenticate_Header() throws Excepti
.andExpect(
header()
.stringValues("WWW-Authenticate",
"Basic realm=\"UAA/client\", error=\"unauthorized\", error_description=\"Bad credentials\"")
"Basic realm=\"UAA/client\"")
);
}

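Review bot: The expected `WWW-Authenticate` value drops the `error` and `error_description` attributes, so a rejected Basic client authentication now carries only the realm in the header and the detail in the JSON body. RFC 6749 §5.2 only requires the header to signal the authentication scheme, so the shorter header is compliant, but neither the test name nor the commit message says this reduction is intended; a one-line comment in the test (or a sentence in the commit message) would keep it from being read as a lost assertion.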
Expand Down Expand Up @@ -3530,7 +3530,7 @@ void testGetPasswordGrantInvalidPassword() throws Exception {
.param(OAuth2Utils.GRANT_TYPE, "password")
.param(OAuth2Utils.CLIENT_ID, clientId))
.andExpect(status().isUnauthorized())
.andExpect(content().string("{\"error\":\"unauthorized\",\"error_description\":\"Bad credentials\"}"));
.andExpect(content().string("{\"error\":\"unauthorized_client\",\"error_description\":\"Bad credentials\"}"));
}

@Test
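Review bot: `testGetPasswordGrantInvalidPassword` now expects "unauthorized_client" for a wrong resource owner password, but RFC 6749 §5.2 specifies `invalid_grant` for invalid resource owner credentials; "unauthorized_client" tells the caller its client is not allowed to use the password grant, which misdescribes this failure. Consider mapping user-credential failures separately from client-credential failures in the translator rather than updating the expectation to the new generic code.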