From 1e5169846faa5ae258d219a47bbda0084148fcac Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Thu, 9 Mar 2023 10:33:41 +0000
Subject: [PATCH] Fix handling of deprecated identityprovider verification.credentials

Fixes gh-34525
---
 ...RelyingPartyRegistrationConfiguration.java | 19 ++++++++++---------
 ...ml2RelyingPartyAutoConfigurationTests.java | 2 +-
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
index 788d4a279ac..2053bc1cb55 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty.Verification;
+import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty.Verification.Credential;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Decryption;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration.Signing;
@@ -52,6 +53,7 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.util.Assert;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -102,12 +104,11 @@ class Saml2RelyingPartyRegistrationConfiguration {
 .stream()
 .map(this::asDecryptionCredential)
 .forEach(credentials::add));
- builder.assertingPartyDetails(
- (details) -> details.verificationX509Credentials((credentials) -> assertingParty.getVerification()
- .getCredentials()
- .stream()
- .map(this::asVerificationCredential)
- .forEach(credentials::add)));
+ builder.assertingPartyDetails((details) -> details
+ .verificationX509Credentials((credentials) -> assertingParty.getVerificationCredentials()
+ .stream()
+ .map(this::asVerificationCredential)
+ .forEach(credentials::add)));
 builder.singleLogoutServiceLocation(properties.getSinglelogout().getUrl());
 builder.singleLogoutServiceResponseLocation(properties.getSinglelogout().getResponseUrl());
 builder.singleLogoutServiceBinding(properties.getSinglelogout().getBinding());
@@ -200,8 +201,8 @@ class Saml2RelyingPartyRegistrationConfiguration {
 return get("metadata-uri", AssertingParty::getMetadataUri);
 }
 
- Verification getVerification() {
- return get("verification", AssertingParty::getVerification);
+ List getVerificationCredentials() {
+ return get("verification.credentials", (property) -> property.getVerification().getCredentials());
 }
 
 String getEntityId() {
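Review bot: `getVerificationCredentials()` (hunk at -200) needs a comment stating that the two property names are alternatives and are never merged: through `get`, a non-empty `assertingparty.verification.credentials` list is returned as-is and the deprecated `identityprovider` list is then not read at all. These are the certificates used to verify the asserting party's signatures, so a partly migrated configuration that leaves a certificate only under the old name would drop it without notice. Suggested comment above the method: `// assertingparty credentials replace the deprecated identityprovider list; the two are never merged`. The call site in the hunk at -102 relies on the same rule.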
@@ -235,7 +236,7 @@ class Saml2RelyingPartyRegistrationConfiguration {
 @SuppressWarnings("deprecation")
 private T get(String name, Function getter) {
 T newValue = getter.apply(this.registration.getAssertingparty());
- if (newValue != null) {
+ if (!ObjectUtils.isEmpty(newValue)) {
 return newValue;
 }
 T deprecatedValue = getter.apply(this.registration.getIdentityprovider());
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
index d33ae6e9527..32ad6d0d235 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
@@ -145,7 +145,7 @@ class Saml2RelyingPartyAutoConfigurationTests {
 assertThat(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()).isEqualTo(false);
 assertThat(registration.getSigningX509Credentials()).hasSize(1);
 assertThat(registration.getDecryptionX509Credentials()).hasSize(1);
- assertThat(registration.getAssertingPartyDetails().getVerificationX509Credentials()).isNotNull();
+ assertThat(registration.getAssertingPartyDetails().getVerificationX509Credentials()).hasSize(1);
 assertThat(registration.getEntityId()).isEqualTo("{baseUrl}/saml2/foo-entity-id");
 assertThat(registration.getSingleLogoutServiceLocation())
 .isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SLOService.php");
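Review bot: In `get` (hunk at -235) the emptiness test is applied only to `newValue`; the check on `deprecatedValue` sits below the last visible line, and if it is still a null comparison, an empty but non-null deprecated list would be treated as configured whenever neither property name carries credentials. Using the same test there, `if (!ObjectUtils.isEmpty(deprecatedValue)) {`, would keep the fallback, and anything attached to it such as a deprecation warning, tied to a value that is really set. `get` is also shared by the other property getters (`metadata-uri` is visible in the hunk at -200), so the new condition deserves a comment: `// bound strings and collections may be empty rather than null, so empty counts as not set`. The method body continues outside the hunk.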
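Review bot: The tightened assertion in the test hunk (at -145) pins the number of verification credentials, but no visible case sets both the `assertingparty` and the deprecated `identityprovider` credentials at once. This list decides which certificates are trusted for signature verification, so a test asserting that the `assertingparty` value wins when both are present would guard the precedence that `get` implements. The test method starts and ends outside the hunk, so such a case may already exist elsewhere in the class.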