setAllowEmpty method created

Signed-off-by: Ferenc Kemeny <[email protected]>

Author: FerencKemeny

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtAudienceValidator.java

@@ -32,25 +32,25 @@ public final class JwtAudienceValidator implements OAuth2TokenValidator<Jwt> {
 
 	private final JwtClaimValidator<Collection<String>> validator;
 
+	private boolean allowEmpty;
+
 	/**
-	 * Constructs a {@link JwtAudienceValidator} using the provided parameters with
-	 * {@link JwtClaimNames#ISS "iss"} claim is REQUIRED
+	 * Constructs a {@link JwtAudienceValidator} using the provided parameters
 	 * @param audience - The audience that each {@link Jwt} should have.
 	 */
 	public JwtAudienceValidator(String audience) {
-		this(audience, true);
+		Assert.notNull(audience, "audience cannot be null");
+		this.allowEmpty = false;
+		this.validator = new JwtClaimValidator<>(JwtClaimNames.AUD,
+				(claimValue) -> (claimValue != null) ? claimValue.contains(audience) : allowEmpty);
 	}
 
 	/**
-	 * Constructs a {@link JwtIssuerValidator} using the provided parameters
-	 * @param audience - The audience that each {@link Jwt} should have.
-	 * @param required -{@code true} if the {@link JwtClaimNames#AUD "aud"} claim is
-	 * REQUIRED in the {@link Jwt}, {@code false} otherwise
+	 * Whether to allow the {@code aud} claim to be empty. The default value is
+	 * {@code false}
 	 */
-	public JwtAudienceValidator(String audience, boolean required) {
-		Assert.notNull(audience, "audience cannot be null");
-		this.validator = new JwtClaimValidator<>(JwtClaimNames.AUD,
-				(claimValue) -> (claimValue != null) ? claimValue.contains(audience) : !required);
+	public void setAllowEmpty(boolean allowEmpty) {
+		this.allowEmpty = allowEmpty;
 	}
 
 	@Override

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java

@@ -30,25 +30,25 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 
 	private final JwtClaimValidator<Object> validator;
 
+	private boolean allowEmpty;
+
 	/**
-	 * Constructs a {@link JwtIssuerValidator} using the provided parameters with
-	 * {@link JwtClaimNames#ISS "iss"} claim is REQUIRED
+	 * Constructs a {@link JwtIssuerValidator} using the provided parameters
 	 * @param issuer - The issuer that each {@link Jwt} should have.
 	 */
 	public JwtIssuerValidator(String issuer) {
-		this(issuer, true);
+		Assert.notNull(issuer, "issuer cannot be null");
+		this.allowEmpty = true;
+		this.validator = new JwtClaimValidator<>(JwtClaimNames.ISS,
+				(claimValue) -> (claimValue != null) ? issuer.equals(claimValue.toString()) : allowEmpty);
 	}
 
 	/**
-	 * Constructs a {@link JwtIssuerValidator} using the provided parameters
-	 * @param issuer - The issuer that each {@link Jwt} should have.
-	 * @param required -{@code true} if the {@link JwtClaimNames#ISS "iss"} claim is
-	 * REQUIRED in the {@link Jwt}, {@code false} otherwise
+	 * Whether to allow the {@code iss} claim to be empty. The default value is
+	 * {@code false}
 	 */
-	public JwtIssuerValidator(String issuer, boolean required) {
-		Assert.notNull(issuer, "issuer cannot be null");
-		this.validator = new JwtClaimValidator<>(JwtClaimNames.ISS,
-				(claimValue) -> (claimValue != null) ? issuer.equals(claimValue.toString()) : !required);
+	public void setAllowEmpty(boolean allowEmpty) {
+		this.allowEmpty = allowEmpty;
 	}
 
 	@Override

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java

@@ -52,7 +52,7 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
 
 	private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
 
-	private final boolean required;
+	private boolean allowEmpty;
 
 	private final Duration clockSkew;
 
@@ -62,29 +62,29 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
 	 * A basic instance with no custom verification and the default max clock skew
 	 */
 	public JwtTimestampValidator() {
-		this(DEFAULT_MAX_CLOCK_SKEW, false);
-	}
-
-	public JwtTimestampValidator(boolean required) {
-		this(DEFAULT_MAX_CLOCK_SKEW, required);
+		this(DEFAULT_MAX_CLOCK_SKEW);
 	}
 
 	public JwtTimestampValidator(Duration clockSkew) {
-		this(clockSkew, false);
-	}
-
-	public JwtTimestampValidator(Duration clockSkew, boolean required) {
 		Assert.notNull(clockSkew, "clockSkew cannot be null");
-		this.required = required;
+		this.allowEmpty = true;
 		this.clockSkew = clockSkew;
 	}
 
+	/**
+	 * Whether to allow the {@code exp} or {@code nbf} header to be empty. The default value is
+	 * {@code true}
+	 */
+	public void setAllowEmpty(boolean allowEmpty) {
+		this.allowEmpty = allowEmpty;
+	}
+
 	@Override
 	public OAuth2TokenValidatorResult validate(Jwt jwt) {
 		Assert.notNull(jwt, "jwt cannot be null");
 		Instant expiry = jwt.getExpiresAt();
 		Instant notBefore = jwt.getNotBefore();
-		if (this.required && !(expiry != null || notBefore != null)) {
+		if (!this.allowEmpty && !(expiry != null || notBefore != null)) {
 			OAuth2Error oAuth2Error = createOAuth2Error("exp and nbf are required");
 			return OAuth2TokenValidatorResult.failure(oAuth2Error);
 		}

oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtAudienceValidatorTests.java

@@ -31,72 +31,50 @@
  */
 class JwtAudienceValidatorTests {
 
-	private final JwtAudienceValidator validatorDefault = new JwtAudienceValidator("audience");
-
-	private final JwtAudienceValidator validatorRequiredTrue = new JwtAudienceValidator("audience", true);
-
-	private final JwtAudienceValidator validatorRequiredFalse = new JwtAudienceValidator("audience", false);
+	private final JwtAudienceValidator validator = new JwtAudienceValidator("audience");
 
 	@Test
-	void givenRequiredDefaultJwtWithMatchingAudienceThenShouldValidate() {
+	void givenAllowEmptyDefaultJwtWithMatchingAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(List.of("audience")).build();
-		OAuth2TokenValidatorResult result = this.validatorDefault.validate(jwt);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result).isEqualTo(OAuth2TokenValidatorResult.success());
 	}
 
 	@Test
-	void givenRequiredJwtWithMatchingAudienceThenShouldValidate() {
+	void givenAllowEmptyTrueJwtWithMatchingAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(List.of("audience")).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredTrue.validate(jwt);
+		this.validator.setAllowEmpty(true);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result).isEqualTo(OAuth2TokenValidatorResult.success());
 	}
 
 	@Test
-	void givenNotRequiredJwtWithMatchingAudienceThenShouldValidate() {
-		Jwt jwt = TestJwts.jwt().audience(List.of("audience")).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredFalse.validate(jwt);
-		assertThat(result).isEqualTo(OAuth2TokenValidatorResult.success());
-	}
-
-	@Test
-	void givenRequiredDefaultJwtWithoutMatchingAudienceThenShouldValidate() {
+	void givenAllowEmptyDefaultJwtWithoutMatchingAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(List.of("other")).build();
-		OAuth2TokenValidatorResult result = this.validatorDefault.validate(jwt);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result.hasErrors()).isTrue();
 	}
 
 	@Test
-	void givenRequiredJwtWithoutMatchingAudienceThenShouldValidate() {
+	void givenAllowEmptyJwtWithoutMatchingAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(List.of("other")).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredTrue.validate(jwt);
-		assertThat(result.hasErrors()).isTrue();
-	}
-
-	@Test
-	void givenNotRequiredJwtWithoutMatchingAudienceThenShouldValidate() {
-		Jwt jwt = TestJwts.jwt().audience(List.of("other")).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredFalse.validate(jwt);
-		assertThat(result.hasErrors()).isTrue();
-	}
-
-	@Test
-	void givenRequiredDefaultJwtWithoutAudienceThenShouldValidate() {
-		Jwt jwt = TestJwts.jwt().audience(null).build();
-		OAuth2TokenValidatorResult result = this.validatorDefault.validate(jwt);
+		this.validator.setAllowEmpty(true);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result.hasErrors()).isTrue();
 	}
 
 	@Test
-	void givenRequiredJwtWithoutAudienceThenShouldValidate() {
+	void givenAllowEmptyDefaultJwtWithoutAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(null).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredTrue.validate(jwt);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result.hasErrors()).isTrue();
 	}
 
 	@Test
-	void givenNotRequiredJwtWithoutAudienceThenShouldValidate() {
+	void givenAllowEmptyTrueJwtWithoutAudienceThenShouldValidate() {
 		Jwt jwt = TestJwts.jwt().audience(null).build();
-		OAuth2TokenValidatorResult result = this.validatorRequiredFalse.validate(jwt);
+		this.validator.setAllowEmpty(true);
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
 		assertThat(result.hasErrors()).isFalse();
 	}