fix federated credential administration (#3377)

strehle · adrianhoelzl-sap · dependabot[bot] · web-flow · commit 2495629be4f0 · 2025-03-31T16:07:41.000+02:00
* fix federated credential administration * Update model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtCredential.java Co-authored-by: Adrian Hölzl <102049638+adrianhoelzl-sap@users.noreply.github.com> * build(deps): bump joda-time:joda-time from 2.13.1 to 2.14.0 (#3378) Bumps [joda-time:joda-time](https://github.com/JodaOrg/joda-time) from 2.13.1 to 2.14.0. - [Release notes](https://github.com/JodaOrg/joda-time/releases) - [Changelog](https://github.com/JodaOrg/joda-time/blob/main/RELEASE-NOTES.txt) - [Commits](JodaOrg/joda-time@v2.13.1...v2.14.0) --- updated-dependencies: - dependency-name: joda-time:joda-time dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * review * review --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Adrian Hölzl <102049638+adrianhoelzl-sap@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtChangeRequest.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtChangeRequest.java
@@ -7,7 +7,6 @@
 
 import static org.cloudfoundry.identity.uaa.oauth.client.ClientJwtChangeRequest.ChangeMode.ADD;
 import static org.cloudfoundry.identity.uaa.oauth.client.ClientJwtChangeRequest.ChangeMode.DELETE;
-import static org.cloudfoundry.identity.uaa.oauth.client.ClientJwtChangeRequest.ChangeMode.UPDATE;
 
 @JsonInclude(JsonInclude.Include.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -124,8 +123,8 @@ public String getChangeValue() {
 
     @JsonIgnore
     public boolean isFederated() {
-        return ((changeMode == ADD || changeMode == UPDATE) && issuer != null && subject != null) ||
-                (changeMode == DELETE && (issuer != null || subject != null));
+        // private_key_jwt according to RFC 7523. audience is addition supported, but optional
+        return issuer != null && subject != null;
     }
 
     @JsonIgnore
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtCredential.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtCredential.java
@@ -10,6 +10,7 @@
 import org.springframework.util.StringUtils;
 
 import java.util.List;
+import java.util.Objects;
 
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -45,4 +46,21 @@ public static List<ClientJwtCredential> parse(String clientJwtCredentials) {
         }
     }
 
+    @Override
+    public boolean equals(Object object) {
+        if (this == object) return true;
+        if (object == null || getClass() != object.getClass()) return false;
+        ClientJwtCredential that = (ClientJwtCredential) object;
+        return subject.equals(that.subject) &&
+               issuer.equals(that.issuer) &&
+               Objects.equals(audience, that.audience);
+    }
+
+    @Override
+    public int hashCode() {
+        int result = subject.hashCode();
+        result = 31 * result + issuer.hashCode();
+        result = 31 * result + (audience != null ? audience.hashCode() : 0);
+        return result;
+    }
 }
diff --git a/model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtCredentialTest.java b/model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtCredentialTest.java
@@ -40,4 +40,16 @@ void testDeserializerParserException() {
         assertThatThrownBy(() -> ClientJwtCredential.parse("[\"iss\":\"issuer\"]"))
                 .isInstanceOf(IllegalArgumentException.class).hasMessage("Client jwt configuration cannot be parsed");
     }
+
+    @Test
+    void testHashCode() {
+        assertThat(new ClientJwtCredential("subject", "issuer", "audience")).hasSameHashCodeAs(new ClientJwtCredential("subject", "issuer", "audience"));
+        assertThat(new ClientJwtCredential("subject", "issuer", "audience")).doesNotHaveSameHashCodeAs(new ClientJwtCredential("subject", "issuer", null));
+    }
+
+    @Test
+    void testEquals() {
+        assertThat(new ClientJwtCredential("subject", "issuer", "audience")).isEqualTo(new ClientJwtCredential("subject", "issuer", "audience"));
+        assertThat(new ClientJwtCredential("subject", "issuer", "audience")).isNotEqualTo(new ClientJwtCredential("subject", "issuer", null));
+    }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpoints.java
@@ -562,7 +562,7 @@ public ActionResult changeClientJwt(@PathVariable String client_id, @RequestBody
         ActionResult result;
         switch (change.getChangeMode()) {
             case ADD :
-                if (change.getChangeValue() != null) {
+                if (change.getChangeValue() != null && !change.isFederated()) {
                     clientRegistrationService.addClientJwtConfig(client_id, change.getChangeValue(), IdentityZoneHolder.get().getId(), false);
                     result = new ActionResult("ok", "Client jwt configuration is added");
                 } else {
@@ -577,7 +577,7 @@ public ActionResult changeClientJwt(@PathVariable String client_id, @RequestBody
                 break;
 
             case DELETE :
-                if (ClientJwtConfiguration.readValue(uaaUaaClientDetails) != null && change.getChangeValue() != null) {
+                if (ClientJwtConfiguration.readValue(uaaUaaClientDetails) != null && change.getChangeValue() != null && !change.isFederated()) {
                     clientRegistrationService.deleteClientJwtConfig(client_id, change.getChangeValue(), IdentityZoneHolder.get().getId());
                     result = new ActionResult("ok", "Client jwt configuration is deleted");
                 } else {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientJwtConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientJwtConfiguration.java
@@ -311,6 +311,7 @@ public static ClientJwtConfiguration merge(ClientJwtConfiguration existingConfig
                 result = new ClientJwtConfiguration(newConfig.jwksUri, null);
             } else {
                 result = existingConfig;
+                result.jwksUri = existingConfig.jwksUri != null ? existingConfig.jwksUri : newConfig.jwksUri;
             }
         }
         if (newConfig.jwkSet != null) {
@@ -319,6 +320,7 @@ public static ClientJwtConfiguration merge(ClientJwtConfiguration existingConfig
                     result = new ClientJwtConfiguration(null, newConfig.jwkSet);
                 } else {
                     result = existingConfig;
+                    result.jwkSet = newConfig.jwkSet;
                 }
             } else {
                 JsonWebKeySet<JsonWebKey> existingKeySet = existingConfig.jwkSet;
@@ -357,39 +359,35 @@ public static ClientJwtConfiguration delete(ClientJwtConfiguration existingConfi
         if (tobeDeleted == null) {
             return existingConfig;
         }
-        ClientJwtConfiguration result = null;
+        ClientJwtConfiguration result = existingConfig;
         if (existingConfig.jwkSet != null && tobeDeleted.jwksUri != null) {
             JsonWebKeySet<JsonWebKey> existingKeySet = existingConfig.jwkSet;
             List<JsonWebKey> keys = existingKeySet.getKeys().stream().filter(k -> !tobeDeleted.jwksUri.equals(k.getKid())).toList();
             if (keys.isEmpty()) {
-                result = null;
+                result.jwkSet = null;
             } else {
                 result = new ClientJwtConfiguration(null, new JsonWebKeySet<>(keys));
             }
         } else if (existingConfig.jwkSet != null && tobeDeleted.jwkSet != null) {
             List<JsonWebKey> existingKeys = new ArrayList<>(existingConfig.getJwkSet().getKeys());
             existingKeys.removeAll(tobeDeleted.jwkSet.getKeys());
             if (existingKeys.isEmpty()) {
-                result = null;
+                result.jwkSet = null;
             } else {
                 result = new ClientJwtConfiguration(null, new JsonWebKeySet<>(existingKeys));
             }
         } else if (existingConfig.jwksUri != null && tobeDeleted.jwksUri != null) {
             if ("*".equals(tobeDeleted.jwksUri) || existingConfig.jwksUri.equals(tobeDeleted.jwksUri)) {
-                result = null;
-            } else {
-                result = existingConfig;
+                result.jwksUri = null;
             }
         } else if (existingConfig.clientJwtCredentials != null && tobeDeleted.clientJwtCredentials != null) {
             existingConfig.clientJwtCredentials = existingConfig.clientJwtCredentials.stream()
                     .filter (c -> tobeDeleted.clientJwtCredentials.stream()
-                    .filter(e -> e.getSubject().equals(c.getSubject()) && e.getIssuer().equals(c.getIssuer())).isParallel()).toList();
-            result = existingConfig;
-            if (ObjectUtils.isEmpty(result.clientJwtCredentials)) {
+                    .noneMatch(e -> e.getSubject().equals(c.getSubject()) && e.getIssuer().equals(c.getIssuer()))).toList();
+            if (ObjectUtils.isEmpty(result.clientJwtCredentials) || tobeDeleted.clientJwtCredentials.equals(List.of(new ClientJwtCredential("*", "*", null))) || tobeDeleted.clientJwtCredentials.equals(List.of(new ClientJwtCredential("*", "*", "*")))) {
                 result.clientJwtCredentials = null;
             }
-            result = ObjectUtils.isEmpty(result.jwkSet) && ObjectUtils.isEmpty(result.jwksUri) ? null : result;
         }
-        return result;
+        return ObjectUtils.isEmpty(result.jwkSet) && ObjectUtils.isEmpty(result.jwksUri) && ObjectUtils.isEmpty(result.clientJwtCredentials) ? null : result;
     }
 }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientJwtConfigurationTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientJwtConfigurationTest.java
@@ -161,7 +161,7 @@ void configMergeDifferentType() {
         assertThat(configuration.getJwksUri()).isNull();
         configuration = ClientJwtConfiguration.merge(configuration, ClientJwtConfiguration.parse("https://any/jwks-uri"), false);
         assertThat(configuration.getJwkSet().getKeys()).hasSize(1);
-        assertThat(configuration.getJwksUri()).isNull();
+        assertThat(configuration.getJwksUri()).isEqualTo("https://any/jwks-uri");
 
         configuration = ClientJwtConfiguration.merge(configuration, ClientJwtConfiguration.parse("https://any/jwks-uri"), true);
         assertThat(configuration.getJwkSet()).isNull();
@@ -176,7 +176,8 @@ void configMergeDifferentType() {
         assertThat(configuration.getJwksUri()).isEqualTo("https://new/jwks-uri");
 
         configuration = ClientJwtConfiguration.merge(ClientJwtConfiguration.parse("https://any/jwks-uri"), ClientJwtConfiguration.parse(jsonJwkSet), false);
-        assertThat(configuration.getJwkSet()).isNull();
+        assertThat(configuration.getJwkSet()).isNotNull();
+        assertThat(configuration.getJwkSet().getKeys()).hasSize(1);
         assertThat(configuration.getJwksUri()).isEqualTo("https://any/jwks-uri");
 
         configuration = ClientJwtConfiguration.merge(ClientJwtConfiguration.parse("https://any/jwks-uri"), ClientJwtConfiguration.parse(jsonJwkSet), true);
@@ -225,6 +226,37 @@ void configDelete() {
         assertThat(configuration).isNotNull();
     }
 
+    @Test
+    void configDeleteFederated() {
+        ClientJwtCredential existingKey1 = new ClientJwtCredential("subject1", "issuer1", "audience1");
+        ClientJwtCredential existingKey2 = new ClientJwtCredential("subject2", "issuer2", "audience2");
+        ClientJwtConfiguration existingConfiguration = new ClientJwtConfiguration(List.of(existingKey1, existingKey2));
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, new ClientJwtConfiguration(List.of(new ClientJwtCredential("not-existing", "not-existing", null))))).isEqualTo(existingConfiguration);
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, new ClientJwtConfiguration(List.of(existingKey1)))).isEqualTo(new ClientJwtConfiguration(List.of(existingKey2)));
+        existingConfiguration = new ClientJwtConfiguration(List.of(existingKey1, existingKey2));
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, existingConfiguration)).isNull();
+        assertThat(ClientJwtConfiguration.delete(new ClientJwtConfiguration(List.of(existingKey1, existingKey2)), new ClientJwtConfiguration(List.of(new ClientJwtCredential("*", "*", null))))).isNull();
+        assertThat(ClientJwtConfiguration.delete(new ClientJwtConfiguration(List.of(existingKey1, existingKey2)), new ClientJwtConfiguration(List.of(new ClientJwtCredential("*", "*", "*"))))).isNull();
+    }
+
+    @Test
+    void configDeleteMixedJwtConfiguration() {
+        ClientJwtCredential existingKey1 = new ClientJwtCredential("subject1", "issuer1", "audience1");
+        ClientJwtCredential existingKey2 = new ClientJwtCredential("subject2", "issuer2", "audience2");
+        ClientJwtConfiguration existingConfiguration = ClientJwtConfiguration.parse("https://other/jwks-uri");
+        existingConfiguration.setClientJwtCredentials(List.of(existingKey1, existingKey2));
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, new ClientJwtConfiguration(List.of(new ClientJwtCredential("not-existing", "not-existing", null))))).isEqualTo(existingConfiguration);
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, new ClientJwtConfiguration(List.of(existingKey1))).getClientJwtCredentials()).hasSize(1);
+        assertThat(ClientJwtConfiguration.delete(existingConfiguration, new ClientJwtConfiguration(List.of(existingKey1, existingKey2))).getClientJwtCredentials()).isNull();
+        // complex deletion - given
+        existingConfiguration = new ClientJwtConfiguration(List.of(existingKey1, existingKey2));
+        existingConfiguration = ClientJwtConfiguration.merge(existingConfiguration, ClientJwtConfiguration.parse("https://other/jwks-uri"), false);
+        // When
+        existingConfiguration = ClientJwtConfiguration.delete(existingConfiguration, ClientJwtConfiguration.parse("https://other/jwks-uri"));
+        // Then
+        assertThat(existingConfiguration).isEqualTo(new ClientJwtConfiguration(List.of(existingKey1, existingKey2)));
+    }
+
     @Test
     void configDeleteNull() {
         assertThat(ClientJwtConfiguration.delete(null, ClientJwtConfiguration.parse("https://other/jwks-uri"))).isNull();
@@ -238,6 +270,7 @@ void testHashCode() {
         assertThat(key2.hashCode()).isNotEqualTo(key1.hashCode());
         assertThat(key1).hasSameHashCodeAs(key1);
         assertThat(key2).hasSameHashCodeAs(key2);
+        assertThat(new ClientJwtCredential("subject", "issuer", "audience")).hasSameHashCodeAs(new ClientJwtCredential("subject", "issuer", "audience"));
     }
 
     @Test
