Validate ResourceServerProperties in PostConstruct

Closes gh-8916
2017-05-02 17:04:07 -07:00 · 2017-05-02 17:04:07 -07:00 · c04f28d9e5
parent 9ef3a448e6
commit c04f28d9e5
2 changed files with 83 additions and 48 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerProperties.java
@ -16,6 +16,8 @@
 package org.springframework.boot.autoconfigure.security.oauth2.resource;
 import javax.annotation.PostConstruct;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import org.springframework.beans.BeansException;
@ -28,8 +30,9 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerEndpointsConfiguration;
 import org.springframework.util.StringUtils;
-import org.springframework.validation.Errors;
+import org.springframework.validation.BeanPropertyBindingResult;
-import org.springframework.validation.Validator;
+import org.springframework.validation.BindException;
 import org.springframework.validation.BindingResult;
 /**
 * Configuration properties for OAuth2 Resources.
@ -39,7 +42,7 @@ import org.springframework.validation.Validator;
 * @since 1.3.0
 */
@ConfigurationProperties(prefix = "security.oauth2.resource")
-public class ResourceServerProperties implements Validator, BeanFactoryAware {
+public class ResourceServerProperties implements BeanFactoryAware {
 	@JsonIgnore
 	private final String clientId;
@ -185,13 +188,8 @@ public class ResourceServerProperties implements Validator, BeanFactoryAware {
 		this.filterOrder = filterOrder;
 	}
-	@Override
+	@PostConstruct
-	public boolean supports(Class<?> clazz) {
+	public void validate() throws Exception {
 		return ResourceServerProperties.class.isAssignableFrom(clazz);
 	}
 	@Override
 	public void validate(Object target, Errors errors) {
 		if (countBeans(AuthorizationServerEndpointsConfiguration.class) > 0) {
 			// If we are an authorization server we don't need remote resource token
 			// services
@ -202,14 +200,25 @@ public class ResourceServerProperties implements Validator, BeanFactoryAware {
 			// resource token services
 			return;
 		}
 		ResourceServerProperties resource = (ResourceServerProperties) target;
 		validate(resource, errors);
 	}
 	private void validate(ResourceServerProperties target, Errors errors) {
 		if (!StringUtils.hasText(this.clientId)) {
 			return;
 		}
 		BindingResult result = getBindingResult();
 		if (result.hasErrors()) {
 			throw new BindException(result);
 		}
 	}
 	private int countBeans(Class<?> type) {
 		return BeanFactoryUtils.beanNamesForTypeIncludingAncestors(this.beanFactory, type,
 				true, false).length;
 	}
 	private BindingResult getBindingResult() {
 		BindingResult errors = new BeanPropertyBindingResult(this, "resourceServerProperties");
 		boolean jwtConfigPresent = StringUtils.hasText(this.jwt.getKeyUri())
 				|| StringUtils.hasText(this.jwt.getKeyValue());
 		boolean jwkConfigPresent = StringUtils.hasText(this.jwk.getKeySetUri());
@ -219,29 +228,21 @@ public class ResourceServerProperties implements Validator, BeanFactoryAware {
 					"Only one of jwt.keyUri (or jwt.keyValue) and jwk.keySetUri should"
 							+ " be configured.");
 		}
-		else {
+		if (!jwtConfigPresent && !jwkConfigPresent) {
-			if (jwtConfigPresent || jwkConfigPresent) {
+			if (!StringUtils.hasText(this.userInfoUri)
-				// It's a JWT decoder
+					&& !StringUtils.hasText(this.tokenInfoUri)) {
 				return;
 			}
 			if (!StringUtils.hasText(target.getUserInfoUri())
 					&& !StringUtils.hasText(target.getTokenInfoUri())) {
 				errors.rejectValue("tokenInfoUri", "missing.tokenInfoUri",
 						"Missing tokenInfoUri and userInfoUri and there is no "
 								+ "JWT verifier key");
 			}
-			if (StringUtils.hasText(target.getTokenInfoUri()) && isPreferTokenInfo()) {
+			if (StringUtils.hasText(this.tokenInfoUri) && this.isPreferTokenInfo()) {
 				if (!StringUtils.hasText(this.clientSecret)) {
 					errors.rejectValue("clientSecret", "missing.clientSecret",
 							"Missing client secret");
 				}
 			}
 		}
-	}
+		return errors;
 	private int countBeans(Class<?> type) {
 		return BeanFactoryUtils.beanNamesForTypeIncludingAncestors(this.beanFactory, type,
 				true, false).length;
 	}
 	public class Jwt {
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerPropertiesTests.java
@ -19,15 +19,21 @@ package org.springframework.boot.autoconfigure.security.oauth2.resource;
 import java.util.Map;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.hamcrest.BaseMatcher;
 import org.hamcrest.Description;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 import org.springframework.beans.factory.ListableBeanFactory;
 import org.springframework.validation.BindException;
 import org.springframework.validation.Errors;
 import org.springframework.validation.FieldError;
 import org.springframework.validation.ObjectError;
 import org.springframework.web.context.support.StaticWebApplicationContext;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
 /**
@ -44,6 +50,9 @@ public class ResourceServerPropertiesTests {
 	private Errors errors = mock(Errors.class);
 	@Rule
 	public ExpectedException thrown = ExpectedException.none();
 	@Test
 	@SuppressWarnings("unchecked")
 	public void json() throws Exception {
@ -59,7 +68,7 @@ public class ResourceServerPropertiesTests {
 	public void validateWhenClientIdNullShouldNotFail() throws Exception {
 		this.properties = new ResourceServerProperties(null, "secret");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -68,9 +77,10 @@ public class ResourceServerPropertiesTests {
 		this.properties.getJwk().setKeySetUri("http://my-auth-server/token_keys");
 		this.properties.getJwt().setKeyUri("http://my-auth-server/token_key");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.thrown.expect(BindException.class);
-		verify(this.errors).reject("ambiguous.keyUri",
+		this.thrown.expect(getMatcher("Only one of jwt.keyUri (or jwt.keyValue) " +
-				"Only one of jwt.keyUri (or jwt.keyValue) and jwk.keySetUri should be configured.");
+				"and jwk.keySetUri should be configured.", null));
 		this.properties.validate();
 	}
 	@Test
@ -79,16 +89,18 @@ public class ResourceServerPropertiesTests {
 		this.properties.getJwk().setKeySetUri("http://my-auth-server/token_keys");
 		this.properties.getJwt().setKeyValue("my-key");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+
-		verify(this.errors).reject("ambiguous.keyUri",
+		this.thrown.expect(BindException.class);
-				"Only one of jwt.keyUri (or jwt.keyValue) and jwk.keySetUri should be configured.");
+		this.thrown.expect(getMatcher("Only one of jwt.keyUri (or jwt.keyValue) " +
 				"and jwk.keySetUri should be configured.", null));
 		this.properties.validate();
 	}
 	@Test
 	public void validateWhenJwkKeySetUriProvidedShouldSucceed() throws Exception {
 		this.properties.getJwk().setKeySetUri("http://my-auth-server/token_keys");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -96,7 +108,7 @@ public class ResourceServerPropertiesTests {
 	public void validateWhenKeyValuePresentShouldSucceed() throws Exception {
 		this.properties.getJwt().setKeyValue("my-key");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -106,7 +118,7 @@ public class ResourceServerPropertiesTests {
 		this.properties = new ResourceServerProperties("client", "");
 		this.properties.getJwk().setKeySetUri("http://my-auth-server/token_keys");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -114,16 +126,17 @@ public class ResourceServerPropertiesTests {
 	public void validateWhenKeyConfigAbsentAndInfoUrisNotConfiguredShouldFail()
 			throws Exception {
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.thrown.expect(BindException.class);
-		verify(this.errors).rejectValue("tokenInfoUri", "missing.tokenInfoUri",
+		this.thrown.expect(getMatcher("Missing tokenInfoUri and userInfoUri and there" +
-				"Missing tokenInfoUri and userInfoUri and there is no JWT verifier key");
+				" is no JWT verifier key", "tokenInfoUri"));
 		this.properties.validate();
 	}
 	@Test
 	public void validateWhenTokenUriConfiguredShouldNotFail() throws Exception {
 		this.properties.setTokenInfoUri("http://my-auth-server/userinfo");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -131,7 +144,7 @@ public class ResourceServerPropertiesTests {
 	public void validateWhenUserInfoUriConfiguredShouldNotFail() throws Exception {
 		this.properties.setUserInfoUri("http://my-auth-server/userinfo");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -142,9 +155,9 @@ public class ResourceServerPropertiesTests {
 		this.properties.setTokenInfoUri("http://my-auth-server/check_token");
 		this.properties.setUserInfoUri("http://my-auth-server/userinfo");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.thrown.expect(BindException.class);
-		verify(this.errors).rejectValue("clientSecret", "missing.clientSecret",
+		this.thrown.expect(getMatcher("Missing client secret", "clientSecret"));
-				"Missing client secret");
+		this.properties.validate();
 	}
 	@Test
@ -153,7 +166,7 @@ public class ResourceServerPropertiesTests {
 		this.properties = new ResourceServerProperties("client", "");
 		this.properties.setUserInfoUri("http://my-auth-server/userinfo");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -165,7 +178,7 @@ public class ResourceServerPropertiesTests {
 		this.properties.setTokenInfoUri("http://my-auth-server/check_token");
 		this.properties.setUserInfoUri("http://my-auth-server/userinfo");
 		setListableBeanFactory();
-		this.properties.validate(this.properties, this.errors);
+		this.properties.validate();
 		verifyZeroInteractions(this.errors);
 	}
@ -186,4 +199,25 @@ public class ResourceServerPropertiesTests {
 		this.properties.setBeanFactory(beanFactory);
 	}
 	private BaseMatcher<BindException> getMatcher(String message, String field) {
 		return new BaseMatcher<BindException>() {
 			@Override
 			public void describeTo(Description description) {
 			}
 			@Override
 			public boolean matches(Object item) {
 				BindException ex = (BindException) item;
 				ObjectError error = ex.getAllErrors().get(0);
 				boolean messageMatches = message.equals(error.getDefaultMessage());
 				if (field == null) {
 					return messageMatches;
 				}
 				String fieldErrors = ((FieldError) error).getField();
 				return messageMatches && fieldErrors.equals(field);
 			}
 		};
 	}
 }