Skip to content

Commit

Permalink
Validate secrets only with text
Browse files Browse the repository at this point in the history
This fixes client creation rest call with empty secret.
Empty client secret is allowed via YAML setting already, but
in a REST call there is an error:
Client Secret must be at least 1 characters in length.

Why this occurs: There is a policy validator for user and client
policy validation.

For users, a minimum of 1 char for a password might be ok,
for a client not. A secret can be empty.

Before 76.22.0 a missing secret in a client creation call was defaulted
to an empty secret, but with #2455
this was fixed. The fix prevented the creation with an empty secret.

Therefore, this here is a fix for a regression introduced with 76.22.0.
It simply prevents the policy validation if the secret is without text
(null or empty).
  • Loading branch information
strehle committed Oct 25, 2023
1 parent 874c62d commit 1b1bff7
Show file tree
Hide file tree
Showing 3 changed files with 19 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import org.passay.PasswordValidator;
import org.passay.PropertiesMessageResolver;
import org.passay.RuleResult;
import org.springframework.util.StringUtils;

import java.util.LinkedList;
import java.util.List;
Expand Down Expand Up @@ -71,7 +72,7 @@ public ZoneAwareClientSecretPolicyValidator(ClientSecretPolicy globalDefaultClie

@Override
public void validate(String clientSecret) throws InvalidClientSecretException {
if(clientSecret == null) {
if(!StringUtils.hasText(clientSecret)) {
return;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ void setUp() {
@Test
void testEmptyClientSecret() {
zone.getConfig().setClientSecretPolicy(defaultPolicy);
assertThrows(InvalidClientSecretException.class, () -> validator.validate(TEST_SECRET_1));
validator.validate(TEST_SECRET_1);
}

@Test
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import org.cloudfoundry.identity.uaa.resources.SearchResults;
import org.cloudfoundry.identity.uaa.test.TestAccountSetup;
import org.cloudfoundry.identity.uaa.test.UaaTestAccounts;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.zone.ClientSecretPolicy;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
Expand Down Expand Up @@ -170,6 +171,21 @@ public void createClientWithSecondarySecret() {
assertEquals(HttpStatus.CREATED, result.getStatusCode());
}

@Test
public void createClientWithEmptySecret() {
OAuth2AccessToken token = getClientCredentialsAccessToken("clients.admin");
HttpHeaders headers = getAuthenticatedHeaders(token);
var client = new ClientDetailsCreation();
client.setClientId(new RandomValueStringGenerator().generate());
client.setClientSecret(UaaStringUtils.EMPTY_STRING);
client.setAuthorizedGrantTypes(List.of("password"));

ResponseEntity<Void> result = serverRunning.getRestTemplate()
.exchange(serverRunning.getUrl("/oauth/clients"), HttpMethod.POST,
new HttpEntity<>(client, headers), Void.class);
assertEquals(HttpStatus.CREATED, result.getStatusCode());
}

@Test
public void testCreateClients() throws Exception {
doCreateClients();
Expand Down

0 comments on commit 1b1bff7

Please sign in to comment.