Adapt to nullability changes in spring-security-oauth2-jose

See gh-49446

Author: wilkinsona

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerPropertiesMapper.java

@@ -33,6 +33,7 @@
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
 import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
+import org.springframework.util.Assert;
 
 /**
  * Maps {@link OAuth2AuthorizationServerProperties} to Authorization Server types.
@@ -132,11 +133,14 @@ private JwsAlgorithm jwsAlgorithm(String signingAlgorithm) {
 		if (jwsAlgorithm == null) {
 			jwsAlgorithm = MacAlgorithm.from(name);
 		}
+		Assert.notNull(jwsAlgorithm, "JWS algorithm " + name + " is unknown");
 		return jwsAlgorithm;
 	}
 
 	private SignatureAlgorithm signatureAlgorithm(String signatureAlgorithm) {
-		return SignatureAlgorithm.from(signatureAlgorithm.toUpperCase(Locale.ROOT));
+		SignatureAlgorithm algorithm = SignatureAlgorithm.from(signatureAlgorithm.toUpperCase(Locale.ROOT));
+		Assert.notNull(algorithm, "Signature algorithm " + signatureAlgorithm + " is unknown");
+		return algorithm;
 	}
 
 }

module/spring-boot-security-oauth2-authorization-server/src/test/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfigurationTests.java

@@ -31,6 +31,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 
 /**
  * Tests for {@link OAuth2AuthorizationServerJwtAutoConfiguration}.
@@ -96,7 +97,7 @@ static class TestJwtDecoderConfiguration {
 
 		@Bean
 		JwtDecoder jwtDecoder() {
-			return (token) -> null;
+			return mock(JwtDecoder.class);
 		}
 
 	}

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/JwtDecoderConfiguration.java

@@ -31,6 +31,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -47,6 +48,7 @@
 import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
 
 /**
  * {@link Configuration @Configuration} for JWT decoder beans.
@@ -82,7 +84,7 @@ class JwtDecoderConfiguration {
 	@ConditionalOnPublicKeyJwtDecoder
 	JwtDecoder jwtDecoderByPublicKeyValue() throws Exception {
 		PublicKeyJwtDecoderBuilder builder = NimbusJwtDecoder.withPublicKey(getReadPublicKey());
-		builder.signatureAlgorithm(SignatureAlgorithm.from(exactlyOneAlgorithm()));
+		builder.signatureAlgorithm(exactlyOneAlgorithm());
 		NimbusJwtDecoder decoder = builder.build();
 		decoder.setJwtValidator(getValidator());
 		return decoder;
@@ -98,18 +100,26 @@ private byte[] decodeKeyProperty(String value) {
 			.decode(value.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", ""));
 	}
 
-	private String exactlyOneAlgorithm() {
+	private SignatureAlgorithm exactlyOneAlgorithm() {
 		List<String> algorithms = this.properties.getJwsAlgorithms();
 		Assert.state(algorithms != null && algorithms.size() == 1,
 				() -> "Creating a JWT decoder using a public key requires exactly one JWS algorithm but "
 						+ algorithms.size() + " were configured");
-		return algorithms.get(0);
+		SignatureAlgorithm algorithm = SignatureAlgorithm.from(algorithms.get(0));
+		if (algorithm == null) {
+			throw new InvalidConfigurationPropertyValueException(
+					"spring.security.oauth2.resourceserver.jwt.jws-algorithms",
+					StringUtils.collectionToCommaDelimitedString(algorithms), "Unknown algorithm");
+		}
+		return algorithm;
 	}
 
 	@Bean
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
 	JwtDecoder jwtDecoderByJwkKeySetUri() {
-		JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(this.properties.getJwkSetUri());
+		String jwkSetUri = this.properties.getJwkSetUri();
+		Assert.state(jwkSetUri != null, "No JWK Set URI property specified");
+		JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri);
 		builder.jwsAlgorithms(this::jwsAlgorithms);
 		return buildJwkSetUriJwtDecoder(builder);
 	}

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveJwtDecoderConfiguration.java

@@ -33,6 +33,7 @@
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnIssuerLocationJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnPublicKeyJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
@@ -88,7 +89,7 @@ class ReactiveJwtDecoderConfiguration {
 	NimbusReactiveJwtDecoder reactiveJwtDecoderByPublicKeyValue() throws Exception {
 		RSAPublicKey publicKey = getReadPublicKey();
 		PublicKeyReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder.withPublicKey(publicKey);
-		builder.signatureAlgorithm(SignatureAlgorithm.from(exactlyOneAlgorithm()));
+		builder.signatureAlgorithm(exactlyOneAlgorithm());
 		NimbusReactiveJwtDecoder decoder = builder.build();
 		decoder.setJwtValidator(getValidator());
 		return decoder;
@@ -104,19 +105,25 @@ private byte[] decodeKeyProperty(String value) {
 			.decode(value.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", ""));
 	}
 
-	private String exactlyOneAlgorithm() {
+	private SignatureAlgorithm exactlyOneAlgorithm() {
 		List<String> algorithms = this.properties.getJwsAlgorithms();
 		Assert.state(algorithms != null && algorithms.size() == 1,
 				() -> "Creating a JWT decoder using a public key requires exactly one JWS algorithm but "
 						+ algorithms.size() + " were configured");
-		return algorithms.get(0);
+		SignatureAlgorithm algorithm = SignatureAlgorithm.from(algorithms.get(0));
+		if (algorithm == null) {
+			throw new InvalidConfigurationPropertyValueException(
+					"spring.security.oauth2.resourceserver.jwt.jws-algorithms", algorithms.get(0), "Unknown algorithm");
+		}
+		return algorithm;
 	}
 
 	@Bean
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
 	ReactiveJwtDecoder reactiveJwtDecoderByJwkKeySetUri() {
-		JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder
-			.withJwkSetUri(this.properties.getJwkSetUri());
+		String jwkSetUri = this.properties.getJwkSetUri();
+		Assert.notNull(jwkSetUri, "No JWK Set URI specified");
+		JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri);
 		builder.jwsAlgorithms(this::jwsAlgorithms);
 		return buildJwkSetUriJwtDecoder(builder);
 	}

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/JwtConverterCustomizationsArgumentsProvider.java

@@ -72,10 +72,10 @@ public Stream<? extends Arguments> provideArguments(ParameterDeclarations parame
 			.claim(customPrincipalClaim, customPrincipalValue);
 		Jwt noAuthoritiesCustomizationsJwt = jwtBuilder.claim("scp", jwtScopes[0] + " " + jwtScopes[1]).build();
 		Jwt customAuthoritiesDelimiterJwt = jwtBuilder.claim("scp", jwtScopes[0] + "~" + jwtScopes[1]).build();
-		Jwt customAuthoritiesClaimJwt = jwtBuilder.claim("scp", null)
+		Jwt customAuthoritiesClaimJwt = jwtBuilder.claim("scp", "value")
 			.claim(customAuthoritiesClaim, jwtScopes[0] + " " + jwtScopes[1])
 			.build();
-		Jwt customAuthoritiesClaimAndDelimiterJwt = jwtBuilder.claim("scp", null)
+		Jwt customAuthoritiesClaimAndDelimiterJwt = jwtBuilder.claim("scp", "value")
 			.claim(customAuthoritiesClaim, jwtScopes[0] + "~" + jwtScopes[1])
 			.build();
 		String[] customPrefixAuthorities = { customPrefix + jwtScopes[0], customPrefix + jwtScopes[1] };

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/OAuth2ResourceServerAutoConfigurationTests.java

@@ -46,6 +46,7 @@
 import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -314,7 +315,8 @@ void autoConfigurationShouldFailIfAlgorithmIsInvalid() {
 					"spring.security.oauth2.resourceserver.jwt.jws-algorithms=NOT_VALID")
 			.run((context) -> assertThat(context).hasFailed()
 				.getFailure()
-				.hasMessageContaining("signatureAlgorithm cannot be null"));
+				.hasMessageContaining("Unknown algorithm")
+				.hasRootCauseExactlyInstanceOf(InvalidConfigurationPropertyValueException.class));
 	}
 
 	@Test