Fix unit tests for 2.15.0 (#1325)

finkmanAtSap · web-flow · commit 1f94a597c00f · 2023-10-23T10:47:28.000+02:00
* Fix for null value in verificationkey claim
* Fix broken unit tests
diff --git a/java-security-it/src/test/java/com/sap/cloud/security/test/integration/ssrf/JavaSSRFAttackTest.java b/java-security-it/src/test/java/com/sap/cloud/security/test/integration/ssrf/JavaSSRFAttackTest.java
@@ -13,6 +13,7 @@
 import com.sap.cloud.security.token.validation.CombiningValidator;
 import com.sap.cloud.security.token.validation.ValidationResult;
 import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;
+import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
@@ -25,6 +26,7 @@
 import java.io.IOException;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.isA;
 import static org.mockito.Mockito.times;
 
 /**
@@ -72,7 +74,7 @@ public void maliciousPartOfJwksIsNotUsedToObtainToken(String jwksUrl, boolean is
 
 		assertThat(result.isValid()).isEqualTo(isValid);
 		ArgumentCaptor<HttpUriRequest> httpUriRequestCaptor = ArgumentCaptor.forClass(HttpUriRequest.class);
-		Mockito.verify(httpClient, times(1)).execute(httpUriRequestCaptor.capture());
+		Mockito.verify(httpClient, times(1)).execute(httpUriRequestCaptor.capture(), isA(ResponseHandler.class));
 		HttpUriRequest request = httpUriRequestCaptor.getValue();
 		assertThat(request.getURI().getHost()).isEqualTo("localhost"); // ensure request was sent to trusted host
 	}
diff --git a/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/XsuaaJwtSignatureValidator.java b/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/XsuaaJwtSignatureValidator.java
@@ -35,8 +35,8 @@ protected PublicKey getPublicKey(Token token, JwtSignatureAlgorithm algorithm) t
             }
         }
 
-        if (key == null && configuration.hasProperty(CFConstants.XSUAA.VERIFICATION_KEY)) {
-            String fallbackKey = configuration.getProperty(CFConstants.XSUAA.VERIFICATION_KEY);
+        String fallbackKey = configuration.hasProperty(CFConstants.XSUAA.VERIFICATION_KEY) ? configuration.getProperty(CFConstants.XSUAA.VERIFICATION_KEY) : null;
+        if (key == null && fallbackKey != null) {
             try {
                 key = JsonWebKeyImpl.createPublicKeyFromPemEncodedPublicKey(JwtSignatureAlgorithm.RS256, fallbackKey);
             } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {

Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,8 @@ protected PublicKey getPublicKey(Token token, JwtSignatureAlgorithm algorithm) t`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`- if (key == null && configuration.hasProperty(CFConstants.XSUAA.VERIFICATION_KEY)) {`
`39`		`- String fallbackKey = configuration.getProperty(CFConstants.XSUAA.VERIFICATION_KEY);`
	`38`	`+ String fallbackKey = configuration.hasProperty(CFConstants.XSUAA.VERIFICATION_KEY) ? configuration.getProperty(CFConstants.XSUAA.VERIFICATION_KEY) : null;`
	`39`	`+ if (key == null && fallbackKey != null) {`
`40`	`40`	`try {`
`41`	`41`	`key = JsonWebKeyImpl.createPublicKeyFromPemEncodedPublicKey(JwtSignatureAlgorithm.RS256, fallbackKey);`
`42`	`42`	`} catch (NoSuchAlgorithmException \| InvalidKeySpecException ex) {`