[Prod/Test] Implement /oauth/error and /oauth/confirm_access zone path

Author: fhanik

docs/path-based-zones-endpoints-without-z-support.md

@@ -144,8 +144,8 @@ This document lists endpoints that do **not** yet have a dual path mapping for `
 
 | Endpoint(s)                              | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints |
 |------------------------------------------|--------------------|---------------------|----------------------|-----------------------------------|
-| `/oauth/confirm_access`                  | AccessController | No | No | — |
-| `/oauth/error`                           | AccessController | No | No | — |
+| ✅ `/oauth/confirm_access`               | AccessController | No | No | — |
+| ✅ `/oauth/error`                        | AccessController | No | No | — |
 | `/oauth/token/revoke/user/{userId}` etc. | TokenRevocationEndpoint | No | No (OauthEndpointSecurityConfiguration /oauth/token/revoke/** has no /z/) | — |
 | ✅ `/check_token`                        | CheckTokenEndpoint | No | No | — |
 | ✅ `/introspect`                         | IntrospectEndpoint | No | No | — |

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/AccessController.java

@@ -71,7 +71,7 @@ public AccessController(
         this.groupProvisioning = groupProvisioning;
     }
 
-    @RequestMapping("/oauth/confirm_access")
+    @RequestMapping({"/oauth/confirm_access", "/z/{subdomain}/oauth/confirm_access"})
     public String confirm(Map<String, Object> model, final HttpServletRequest request, Principal principal,
             SessionStatus sessionStatus) {
 
@@ -244,7 +244,7 @@ private String getRedirectUri(ClientDetails client, AuthorizationRequest clientA
         return result;
     }
 
-    @RequestMapping("/oauth/error")
+    @RequestMapping({"/oauth/error", "/z/{subdomain}/oauth/error"})
     public String handleError(WebRequest request, Map<String, Object> model) {
         // There is already an error entry in the model
         Object object = request.getAttribute("error", RequestAttributes.SCOPE_REQUEST);

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/provider/endpoint/WhitelabelApprovalEndpoint.java

@@ -29,7 +29,7 @@ public class WhitelabelApprovalEndpoint {
     private static final String CSRF = "_csrf";
     private static final String SCOPES = "scopes";
 
-    @GetMapping(value = "/oauth/confirm_access")
+    @GetMapping(value = {"/oauth/confirm_access", "/z/{subdomain}/oauth/confirm_access"})
     public ModelAndView getAccessConfirmation(Map<String, Object> model, HttpServletRequest request) {
         final String approvalContent = createTemplate(model, request);
         if (request.getAttribute(CSRF) != null) {

uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpointMockMvcTest.java

@@ -3,16 +3,22 @@
 import org.cloudfoundry.identity.uaa.DefaultTestContext;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
+import org.cloudfoundry.identity.uaa.client.UaaClientDetails;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
+import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.ZoneResolutionMode;
 import org.cloudfoundry.identity.uaa.scim.ScimUser;
 import org.cloudfoundry.identity.uaa.test.ZoneSeeder;
 import org.cloudfoundry.identity.uaa.test.ZoneSeederExtension;
 import org.cloudfoundry.identity.uaa.user.UaaAuthority;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EnumSource;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockHttpSession;
 import org.cloudfoundry.identity.uaa.oauth.common.exceptions.RedirectMismatchException;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -235,4 +241,33 @@ private MockHttpServletRequestBuilder authCodeAuthorizeRequest(String redirectUr
                 .param(REDIRECT_URI, redirectUri)
                 .session(session);
     }
+
+    @Nested
+    @DefaultTestContext
+    class ConfirmAccessAndErrorZonePathSupport {
+
+        @ParameterizedTest
+        @EnumSource(ZoneResolutionMode.class)
+        void confirm_access_responds_for_zone_path(ZoneResolutionMode mode) throws Exception {
+            String subdomain = "zone" + System.nanoTime();
+            UaaClientDetails client = new UaaClientDetails("client-id", "", "openid", "authorization_code", "", "http://redirect");
+            client.setClientSecret("secret");
+            MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain, mockMvc, webApplicationContext, client, IdentityZoneHolder.getCurrentZoneId());
+
+            mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/oauth/confirm_access"))
+                    .andExpect(status().is3xxRedirection());
+        }
+
+        @ParameterizedTest
+        @EnumSource(ZoneResolutionMode.class)
+        void oauth_error_responds_for_zone_path(ZoneResolutionMode mode) throws Exception {
+            String subdomain = "zone" + System.nanoTime();
+            UaaClientDetails client = new UaaClientDetails("client-id", "", "openid", "authorization_code", "", "http://redirect");
+            client.setClientSecret("secret");
+            MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain, mockMvc, webApplicationContext, client, IdentityZoneHolder.getCurrentZoneId());
+
+            mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/oauth/error"))
+                    .andExpect(status().is3xxRedirection());
+        }
+    }
 }