Fixes cloudfoundry#1636 Client creation endpoint does not accept two …

…secrets to support rotation
tkurylek · Aug 19, 2021 · 9018849 · 9018849
1 parent db8e899
commit 9018849
Show file tree

Hide file tree

Showing 6 changed files with 192 additions and 33 deletions.
diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientDetailsCreation.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientDetailsCreation.java
@@ -0,0 +1,24 @@
+package org.cloudfoundry.identity.uaa.oauth.client;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ClientDetailsCreation extends BaseClientDetails {
+
+    @JsonProperty("secondary_client_secret")
+    private String secondaryClientSecret;
+
+    @JsonIgnore
+    public String getSecondaryClientSecret() {
+        return secondaryClientSecret;
+    }
+
+    public void setSecondaryClientSecret(final String secondaryClientSecret) {
+        this.secondaryClientSecret = secondaryClientSecret;
+    }
+}
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpoints.java
@@ -17,6 +17,7 @@
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
 import org.cloudfoundry.identity.uaa.client.ClientDetailsValidator.Mode;
 import org.cloudfoundry.identity.uaa.error.UaaException;
+import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsCreation;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
 import org.cloudfoundry.identity.uaa.oauth.client.SecretChangeRequest;
 import org.cloudfoundry.identity.uaa.resources.ActionResult;
@@ -196,7 +197,18 @@ public ClientDetails getClientDetails(@PathVariable String client) {
     @RequestMapping(value = "/oauth/clients", method = RequestMethod.POST)
     @ResponseStatus(HttpStatus.CREATED)
     @ResponseBody
-    public ClientDetails createClientDetails(@RequestBody BaseClientDetails client) {
+    @Transactional
+    public ClientDetails createClientDetails(@RequestBody ClientDetailsCreation client) {
+        final var createdClientDetails = createClientDetailsInternal(client);
+        if (client.getSecondaryClientSecret() != null) {
+            clientDetailsValidator.getClientSecretValidator().validate(client.getSecondaryClientSecret());
+            clientRegistrationService.addClientSecret(createdClientDetails.getClientId(),
+                    client.getSecondaryClientSecret(), IdentityZoneHolder.get().getId());
+        }
+        return createdClientDetails;
+    }
+
+    private ClientDetails createClientDetailsInternal(BaseClientDetails client) {
         ClientDetails details = clientDetailsValidator.validate(client, Mode.CREATE);
 
         return removeSecret(clientDetailsService.create(details, IdentityZoneHolder.get().getId()));
@@ -215,7 +227,7 @@ public List<String> getRestrictedClientScopes() {
     @ResponseBody
     public ClientDetails createRestrictedClientDetails(@RequestBody BaseClientDetails client) {
         restrictedScopesValidator.validate(client, Mode.CREATE);
-        return createClientDetails(client);
+        return createClientDetailsInternal(client);
     }
 
     @RequestMapping(value = "/oauth/clients/tx", method = RequestMethod.POST)