use preexisiting scope by default but prevent overriding of builder scope and update unit tests

This commit is contained in:
Konstantin Schaper
2020-11-04 09:38:29 +01:00
parent 36b6b221a4
commit b5f042ad15
2 changed files with 14 additions and 6 deletions

View File

@@ -40,9 +40,7 @@ import java.time.Clock;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
/**
@@ -71,7 +69,6 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
private Instant refreshExpiration;
private String parentKeyId;
private Scope scope = Scope.empty();
private Set<String> groups = new HashSet<>();
private final Map<String,Object> custom = Maps.newHashMap();
@@ -155,8 +152,13 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
@Override
public JwtAccessToken build() {
if (SecurityUtils.getSubject().getPrincipals().getRealmNames().contains(ApiKeyRealm.NAME)) {
scope = Scope.valueOf(SecurityUtils.getSubject().getPrincipals().oneByType(Scope.class));
final Scope principalScope = SecurityUtils.getSubject().getPrincipals().oneByType(Scope.class);
if (principalScope != null) {
if (scope != null && !scope.isEmpty()) {
throw new AuthorizationException(String.format("cannot merge builder scope (%s) with principal scope (%s)", scope, principalScope));
}
LOG.debug("using existing scope for new access token: {}", principalScope);
scope = principalScope;
}
String id = keyGenerator.createKey();

View File

@@ -146,13 +146,19 @@ class JwtAccessTokenBuilderTest {
}
@Test
void testSimpleRequest() {
void shouldCreateJwtAndUsePreviousScope() {
JwtAccessTokenBuilder builder = factory.create().subject("dent");
final JwtAccessToken accessToken = builder.build();
assertThat(accessToken).isNotNull();
assertThat(accessToken.getSubject()).isEqualTo("dent");
assertThat((Collection<String>) accessToken.getCustom("scope").get()).containsExactly("dummy:scope:*");
}
@Test
void shouldThrowExceptionWhenScopeAlreadyDefinedInBuilder() {
JwtAccessTokenBuilder builder = factory.create().scope(Scope.valueOf("an:incompatible:scope")).subject("dent");
assertThrows(AuthorizationException.class, builder::build);
}
}
@Nested