Merge branch 'develop' of github.com:cloudfoundry/uaa into fix/redirect-when-only-saml-allowed

* 'develop' of github.com:cloudfoundry/uaa:
  Backfill test cases for using refresh token value that was created with refresh_token_validity seconds specified [#178076368]
  Bump Spring Dependencies (#1580)
  fix: test token audience claim in an unordered way

Author: strehle

dependencies.gradle

@@ -12,11 +12,11 @@ versions.aspectJVersion = "1.9.4"
 versions.apacheDsVersion = "2.0.0.AM26"
 versions.bouncyCastleVersion = "1.69"
 versions.hamcrestVersion = "2.2"
-versions.springBootVersion = "2.4.6"
+versions.springBootVersion = "2.4.7"
 versions.springSecurityJwtVersion = "1.1.1.RELEASE"
 versions.springSecurityOAuthVersion = "2.5.0.RELEASE"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.springVersion = "5.3.7"
+versions.springVersion = "5.3.8"
 versions.xmlBind = "2.3.0.1"
 versions.tomcatCargoVersion = "9.0.46"
 

server/src/test/java/org/cloudfoundry/identity/uaa/oauth/DeprecatedUaaTokenServicesTests.java

@@ -75,6 +75,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.startsWith;
 import static org.hamcrest.Matchers.*;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.core.AllOf.allOf;
 import static org.hamcrest.number.OrderingComparison.greaterThan;
 import static org.hamcrest.number.OrderingComparison.lessThanOrEqualTo;
@@ -2103,7 +2104,7 @@ private void assertCommonClientAccessTokenProperties(OAuth2AccessToken accessTok
           username(is(nullValue())),
           cid(is(CLIENT_ID)),
           scope(is(tokenSupport.clientScopes)),
-          audience(is(tokenSupport.resourceIds)),
+          audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           jwtId(not(isEmptyString())),
           issuedAt(is(greaterThan(0))),
           expiry(is(greaterThan(0)))));
@@ -2114,7 +2115,7 @@ private void assertCommonUserAccessTokenProperties(OAuth2AccessToken accessToken
         assertThat(accessToken, allOf(username(is(tokenSupport.username)),
           clientId(is(clientId)),
           subject(is(tokenSupport.userId)),
-          audience(is(tokenSupport.resourceIds)),
+          audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           origin(is(OriginKeys.UAA)),
           revocationSignature(is(not(nullValue()))),
           cid(is(clientId)),
@@ -2132,7 +2133,7 @@ private void assertCommonUserRefreshTokenProperties(OAuth2RefreshToken refreshTo
           OAuth2RefreshTokenMatchers.username(is(tokenSupport.username)),
           OAuth2RefreshTokenMatchers.clientId(is(CLIENT_ID)),
           OAuth2RefreshTokenMatchers.subject(is(not(nullValue()))),
-          OAuth2RefreshTokenMatchers.audience(is(tokenSupport.resourceIds)),
+          OAuth2RefreshTokenMatchers.audience(containsInAnyOrder(tokenSupport.resourceIds.toArray(new String[]{}))),
           OAuth2RefreshTokenMatchers.origin(is(OriginKeys.UAA)),
           OAuth2RefreshTokenMatchers.revocationSignature(is(not(nullValue()))),
           OAuth2RefreshTokenMatchers.jwtId(not(isEmptyString())),

server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2AccessTokenMatchers.java

@@ -61,7 +61,7 @@ public static Matcher<OAuth2AccessToken> scope(Matcher<Object> scopes) {
         return new OAuth2AccessTokenMatchers(ClaimConstants.SCOPE, scopes);
     }
 
-    public static Matcher<OAuth2AccessToken> audience(Matcher<Object> resourceIds) {
+    public static Matcher<OAuth2AccessToken> audience(Matcher<Iterable<? extends String>> resourceIds) {
         return new OAuth2AccessTokenMatchers(ClaimConstants.AUD, resourceIds);
     }
 

server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/matchers/OAuth2RefreshTokenMatchers.java

@@ -62,7 +62,7 @@ public static Matcher<OAuth2RefreshToken> scope(Matcher<Object> scopes) {
         return new OAuth2RefreshTokenMatchers(ClaimConstants.GRANTED_SCOPES, scopes);
     }
 
-    public static Matcher<OAuth2RefreshToken> audience(Matcher<Object> resourceIds) {
+    public static Matcher<OAuth2RefreshToken> audience(Matcher<Iterable<? extends String>> resourceIds) {
         return new OAuth2RefreshTokenMatchers(ClaimConstants.AUD, resourceIds);
     }
 

uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java

@@ -22,14 +22,11 @@
 import org.cloudfoundry.identity.uaa.oauth.token.CompositeToken;
 import org.cloudfoundry.identity.uaa.user.JdbcUaaUserDatabase;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.cloudfoundry.identity.uaa.util.TimeService;
 import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
 import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
 import org.joda.time.DateTime;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -481,6 +478,94 @@ void happyCase(List<String> amrs) {
         }
     }
 
+    @Nested
+    @DisplayName("when the client was created with refresh_token_validity specified")
+    @DefaultTestContext
+    @TestPropertySource(properties = {"uaa.url=https://uaa.some.test.domain.com:555/uaa"})
+    @DirtiesContext
+    class WhenRefreshTokenValidityIsSpecified {
+        private RefreshTokenCreator refreshTokenCreator;
+        private RefreshTokenRequestData refreshTokenRequestData;
+        private UaaUser uaaUser;
+        private TokenRequest tokenRequest;
+
+        @Autowired
+        private TokenEndpointBuilder tokenEndpointBuilder;
+        @Autowired
+        private TimeService timeService;
+        @Autowired
+        private KeyInfoService keyInfoService;
+
+        @BeforeEach
+        void init() {
+            refreshTokenRequestData = new RefreshTokenRequestData(
+                    GRANT_TYPE_AUTHORIZATION_CODE,
+                    Sets.newHashSet("openid", "user_attributes"),
+                    null,
+                    "",
+                    Sets.newHashSet(""),
+                    "jku_test",
+                    false,
+                    new Date(),
+                    null,
+                    null
+            );
+            uaaUser = jdbcUaaUserDatabase.retrieveUserByName("admin", "uaa");
+            tokenRequest = new TokenRequest(new HashMap<>(), "jku_test",
+                    Lists.newArrayList("openid", "user_attributes"),
+                    GRANT_TYPE_REFRESH_TOKEN);
+        }
+
+        @ParameterizedTest
+        @ValueSource(ints = { 3600, 24*3600*15, Integer.MAX_VALUE })
+        void validExpClaim(int validitySeconds) {
+            RefreshTokenCreator refreshTokenCreator = createRefreshTokenCreator(
+                    validitySeconds);
+            CompositeExpiringOAuth2RefreshToken refreshToken =
+                    refreshTokenCreator.createRefreshToken(uaaUser,
+                            refreshTokenRequestData, null);
+            Assertions.assertNotNull(refreshToken);
+
+            OAuth2AccessToken accessToken = tokenServices.refreshAccessToken(
+                    refreshToken.getValue(), tokenRequest);
+            Assertions.assertNotNull(accessToken);
+        }
+
+        @ParameterizedTest
+        @ValueSource(ints = { -3600, Integer.MIN_VALUE })
+        void invalidExpClaim(int validitySeconds) {
+            RefreshTokenCreator refreshTokenCreator = createRefreshTokenCreator(
+                    validitySeconds);
+            CompositeExpiringOAuth2RefreshToken refreshToken =
+                    refreshTokenCreator.createRefreshToken(uaaUser,
+                            refreshTokenRequestData, null);
+            Assertions.assertNotNull(refreshToken);
+
+            // Verifying with generic Exception instead of specific type because
+            // refreshAccessToken() throws an Exception of which type is
+            // different from the one that is declared in its method signature
+            Assertions.assertThrows(Exception.class, () ->
+                    tokenServices.refreshAccessToken(refreshToken.getValue(),
+                            tokenRequest));
+        }
+
+        private RefreshTokenCreator createRefreshTokenCreator(
+                int validitySeconds) {
+            TokenValidityResolver tokenValidityResolver =
+                    new TokenValidityResolver(
+                            new ClientTokenValidity() {
+                                public Integer getValiditySeconds(String clientId) {
+                                    return validitySeconds;
+                                }
+                                public Integer getZoneValiditySeconds() {
+                                    return 2592000;
+                                }
+                            }, 2592000, timeService);
+            return new RefreshTokenCreator(false, tokenValidityResolver,
+                    tokenEndpointBuilder, timeService, keyInfoService);
+        }
+    }
+
     private OAuth2Authentication constructUserAuthenticationFromAuthzRequest(AuthorizationRequest authzRequest,
                                                                              String userId,
                                                                              String userOrigin,