refactor: show client jwt configuration (#3302)

* refactor: show client jwt configuration

These entries are not visible with uaac client get cf:

jwks_uri
jwks keys
jwt_creds

* refactor: add need entries only to ClientDetailsModification

* add test to check expected results

* test change because of sonar

* test fix

Author: strehle

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientDetailsModification.java renamed to server/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientDetailsModification.java

@@ -4,10 +4,17 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonSetter;
+import org.cloudfoundry.identity.uaa.client.ClientJwtConfiguration;
 import org.cloudfoundry.identity.uaa.client.UaaClientDetails;
+import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKey;
+import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKeySet;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetails;
 
+import java.util.List;
+import java.util.Objects;
+
 @JsonInclude(JsonInclude.Include.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class ClientDetailsModification extends UaaClientDetails {
@@ -22,6 +29,15 @@ public class ClientDetailsModification extends UaaClientDetails {
     @JsonIgnore
     private String action = NONE;
 
+    @JsonProperty("jwks_uri")
+    private String jwksUri;
+
+    @JsonProperty("jwks")
+    private transient JsonWebKeySet<JsonWebKey> jwkSet;
+
+    @JsonProperty("jwt_creds")
+    private transient List<ClientJwtCredential> clientJwtCredentials;
+
     public ClientDetailsModification() {
     }
 
@@ -32,6 +48,12 @@ public ClientDetailsModification(ClientDetails prototype) {
             if (baseClientDetails.getAutoApproveScopes() != null) {
                 this.setAutoApproveScopes(baseClientDetails.getAutoApproveScopes());
             }
+            if (baseClientDetails.getClientJwtConfig() instanceof String ) {
+                ClientJwtConfiguration clientJwtConfiguration = ClientJwtConfiguration.readValue(baseClientDetails);
+                this.setJwksUri(clientJwtConfiguration.getJwksUri());
+                this.setJwkSet(clientJwtConfiguration.getJwkSet());
+                this.setClientJwtCredentials(clientJwtConfiguration.getClientJwtCredentials());
+            }
         }
         if (prototype instanceof ClientDetailsModification modification) {
             this.action = modification.getAction();
@@ -87,4 +109,63 @@ private boolean valid(String action) {
                 || UPDATE_SECRET.equals(action)
                 || SECRET.equals(action);
     }
+
+    public String getJwksUri() {
+        return this.jwksUri;
+    }
+
+    public void setJwksUri(String jwksUri) {
+        this.jwksUri = jwksUri;
+    }
+
+    public JsonWebKeySet<JsonWebKey> getJwkSet() {
+        return this.jwkSet;
+    }
+
+    public void setJwkSet(final JsonWebKeySet<JsonWebKey> jwkSet) {
+        this.jwkSet = jwkSet;
+    }
+
+    public List<ClientJwtCredential> getClientJwtCredentials() {
+        return this.clientJwtCredentials;
+    }
+
+    public void setClientJwtCredentials(final List<ClientJwtCredential> clientJwtCredentials) {
+        this.clientJwtCredentials = clientJwtCredentials;
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (this == other) {
+            return true;
+        }
+        if (other == null || getClass() != other.getClass()) {
+            return false;
+        }
+        if (!super.equals(other)) {
+            return false;
+        }
+        ClientDetailsModification that = (ClientDetailsModification) other;
+        if (!Objects.equals(jwksUri, that.jwksUri)) {
+            return false;
+        }
+        if (!Objects.equals(jwkSet, that.jwkSet)) {
+            return false;
+        }
+        if (!Objects.equals(clientJwtCredentials, that.clientJwtCredentials)) {
+            return false;
+        }
+        return Objects.equals(action, that.action);
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = super.hashCode();
+        result = prime * result + (action != null ? action.hashCode() : 0);
+        result = prime * result + (jwksUri == null ? 0 : jwksUri.hashCode());
+        result = prime * result + (jwkSet == null ? 0 : jwkSet.hashCode());
+        result = prime * result + (clientJwtCredentials == null ? 0 : clientJwtCredentials.hashCode());
+        return result;
+    }
 }

server/src/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsTests.java

@@ -985,6 +985,44 @@ void updateClientWithAutoapproveScopesList() {
         assertThat(updated.isAutoApprove("foo.write")).isFalse();
     }
 
+    @Test
+    void getClientWithFederatedJwt() {
+        // Given
+        UaaClientDetails uaaClientDetails = new UaaClientDetails(input);
+        uaaClientDetails.setAutoApproveScopes(uaaClientDetails.getScope());
+        List<ClientJwtCredential> jwtCredentials = List.of(new ClientJwtCredential("subject", "issuer", null));
+        ClientJwtConfiguration clientJwtConfiguration = new ClientJwtConfiguration(jwtCredentials);
+        clientJwtConfiguration.setJwksUri("http://localhost:8080/uaa/token_keys");
+        clientJwtConfiguration.writeValue(uaaClientDetails);
+        when(clientDetailsService.retrieve(input.getClientId(), IdentityZoneHolder.get().getId())).thenReturn(
+                uaaClientDetails);
+        when(mockSecurityContextAccessor.getClientId()).thenReturn(detail.getClientId());
+        when(mockSecurityContextAccessor.isClient()).thenReturn(true);
+        // Then
+        ClientDetails result = endpoints.getClientDetails(input.getClientId());
+        // When
+        assertThat(result.getClientSecret()).isNull();
+        ClientDetailsModification modification = (ClientDetailsModification) result;
+        assertThat(modification.getClientJwtCredentials()).size().isEqualTo(1);
+        assertThat(modification.getJwkSet()).isNull();
+        assertThat(modification.getJwksUri()).isEqualTo("http://localhost:8080/uaa/token_keys");
+        ClientJwtCredential clientJwtCredential = modification.getClientJwtCredentials().get(0);
+        assertThat(clientJwtCredential).isNotNull();
+        assertThat(clientJwtCredential.getIssuer()).isEqualTo("issuer");
+        assertThat(clientJwtCredential.getSubject()).isEqualTo("subject");
+        assertThat(clientJwtCredential.getAudience()).isNull();
+        ClientDetailsModification modification2 = new ClientDetailsModification(uaaClientDetails);
+        modification2.setAction("add");
+        // Compare results and original with and without secret
+        assertThat(modification).isNotEqualTo(modification2);
+        assertThat(modification.hashCode()).isNotEqualTo(modification2.hashCode());
+        uaaClientDetails.setClientSecret(null);
+        ClientDetailsModification modification3 = new ClientDetailsModification(uaaClientDetails);
+        assertThat(modification).isEqualTo(modification3).hasSameHashCodeAs(modification3);
+        assertThat(modification.getAction()).isNotEqualTo(modification2.getAction());
+        assertThat(modification.getAction()).isEqualTo(modification3.getAction());
+    }
+
     @Test
     void updateClientWithAutoapproveScopesTrue() {
         Mockito.when(clientDetailsService.retrieve(input.getClientId(), IdentityZoneHolder.get().getId())).thenReturn(