Skip to content

Allow null or empty authorities for DefaultOAuth2User #9380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Allow null or empty authorities for DefaultOAuth2User #9380

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions ...2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.util.Assert;

/**
Expand Down Expand Up @@ -65,13 +66,14 @@ public class DefaultOAuth2User implements OAuth2User, Serializable {
*/
public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
String nameAttributeKey) {
Assert.notEmpty(authorities, "authorities cannot be empty");
Assert.notEmpty(attributes, "attributes cannot be empty");
Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
if (!attributes.containsKey(nameAttributeKey)) {
throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
}
this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)));
this.authorities = (authorities != null)
? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
this.nameAttributeKey = nameAttributeKey;
}
Expand Down
26 changes: 21 additions & 5 deletions ...rc/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import org.junit.Test;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
Expand Down Expand Up @@ -66,11 +67,6 @@ public class DefaultOidcUserTests {

private static final OidcUserInfo USER_INFO = new OidcUserInfo(USER_INFO_CLAIMS);

@Test
public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(null, ID_TOKEN));
}

@Test
public void constructorWhenIdTokenIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, null));
Expand All @@ -81,6 +77,26 @@ public void constructorWhenNameAttributeKeyInvalidThenThrowIllegalArgumentExcept
assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, ID_TOKEN, "invalid"));
}

@Test
public void constructorWhenAuthoritiesIsNullThenCreatedWithNoAuthorities() {
DefaultOidcUser user = new DefaultOidcUser(null, ID_TOKEN);
assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
assertThat(user.getName()).isEqualTo(SUBJECT);
assertThat(user.getAuthorities()).isNotNull().isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
}

@Test
public void constructorWhenAuthoritiesIsEmptyThenCreatedWithNoAuthorities() {
DefaultOidcUser user = new DefaultOidcUser(AuthorityUtils.NO_AUTHORITIES, ID_TOKEN);
assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
assertThat(user.getName()).isEqualTo(SUBJECT);
assertThat(user.getAuthorities()).isNotNull().isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
}

@Test
public void constructorWhenAuthoritiesIdTokenProvidedThenCreated() {
DefaultOidcUser user = new DefaultOidcUser(AUTHORITIES, ID_TOKEN);
Expand Down
29 changes: 17 additions & 12 deletions ...e/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,18 +47,6 @@ public class DefaultOAuth2UserTests {

private static final Map<String, Object> ATTRIBUTES = Collections.singletonMap(ATTRIBUTE_NAME_KEY, USERNAME);

@Test
public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY));
}

@Test
public void constructorWhenAuthoritiesIsEmptyThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY));
}

@Test
public void constructorWhenAttributesIsNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
Expand All @@ -82,6 +70,22 @@ public void constructorWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentExce
.isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid"));
}

@Test
public void constructorWhenAuthoritiesIsNullThenCreatedWithNoAuthorities() {
DefaultOAuth2User user = new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
assertThat(user.getName()).isEqualTo(USERNAME);
assertThat(user.getAuthorities()).isNotNull().isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
}

@Test
public void constructorWhenAuthoritiesIsEmptyThenCreatedWithNoAuthorities() {
DefaultOAuth2User user = new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY);
assertThat(user.getName()).isEqualTo(USERNAME);
assertThat(user.getAuthorities()).isNotNull().isEmpty();
assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
}

@Test
public void constructorWhenAllParametersProvidedAndValidThenCreated() {
DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
Expand All @@ -92,6 +96,7 @@ public void constructorWhenAllParametersProvidedAndValidThenCreated() {
}

// gh-4917

@Test
public void constructorWhenCreatedThenIsSerializable() {
DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
Expand Down