spring-security: initial integration spring-security-oauth2-core (#8709)

2022-10-07 19:09:19 +02:00 · 2022-10-07 19:09:19 +02:00 · 45ab6736ed
parent f0b22db527
commit 45ab6736ed
6 changed files with 143 additions and 2 deletions
--- a/projects/spring-security/Dockerfile
+++ b/projects/spring-security/Dockerfile
@ -22,5 +22,8 @@ RUN git clone --depth 1 https://github.com/spring-projects/spring-security

 COPY build.sh $SRC/
 COPY *Fuzzer.java $SRC/
+COPY oauth2-core/*Fuzzer.java $SRC/
+COPY acl/*Fuzzer.java $SRC/
 COPY *.patch $SRC/
+
 WORKDIR $SRC/spring-security
--- a/projects/spring-security/acl/AclFormattingUtilsFuzzer.java
+++ b/projects/spring-security/acl/AclFormattingUtilsFuzzer.java
@ -0,0 +1,53 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import org.springframework.security.acls.domain.AclFormattingUtils;
+
+
+
+public class AclFormattingUtilsFuzzer {
+
+     public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+
+        String origin;
+        String bits;
+        int mask;
+        char code;
+        char off;
+
+        mask = data.consumeInt();
+        code = data.consumeChar();
+        origin = data.consumeString(250);
+        bits = data.consumeRemainingAsString();
+
+        String printBinary1;
+        String printBinary2;
+        String mergePatterns;
+        String demergePatterns;
+        try {
+            printBinary1 = AclFormattingUtils.printBinary(mask);
+            printBinary2 = AclFormattingUtils.printBinary(mask, code);
+            mergePatterns = AclFormattingUtils.mergePatterns(origin, bits);
+            demergePatterns = AclFormattingUtils.demergePatterns(origin, bits);
+        }
+        catch(IllegalArgumentException iae) {
+
+        }
+    }
+
+}
--- a/projects/spring-security/build.sh
+++ b/projects/spring-security/build.sh
@ -32,6 +32,8 @@ GRADLE_ARGS="-x test -x javadoc"
 ./gradlew shadowJar $GRADLE_ARGS -b messaging/spring-security-messaging.gradle
 ./gradlew shadowJar $GRADLE_ARGS -b web/spring-security-web.gradle
 ./gradlew shadowJar $GRADLE_ARGS -b test/spring-security-test.gradle
+./gradlew shadowJar $GRADLE_ARGS -b oauth2/oauth2-core/spring-security-oauth2-core.gradle
+./gradlew shadowJar $GRADLE_ARGS -b acl/spring-security-acl.gradle

 # Copy all shadow jars to the $OUT folder
 find . -name "*-all.jar" -print0 | while read -d $'\0' file
--- a/projects/spring-security/diff.patch
+++ b/projects/spring-security/diff.patch
@ -1,3 +1,12 @@
+diff --git a/acl/spring-security-acl.gradle b/acl/spring-security-acl.gradle
+index 976d8d4..f01b423 100644
+--- a/acl/spring-security-acl.gradle
+++ b/acl/spring-security-acl.gradle
+@@ -1,3 +1,4 @@
+apply plugin: "com.github.johnrengelman.shadow"
+ apply plugin: 'io.spring.convention.spring-module'
+ 
+ dependencies {
 diff --git a/build.gradle b/build.gradle
 diff --git a/build.gradle b/build.gradle
 index 21893a7..faf7dff 100644
@ -62,7 +71,7 @@ index fb306f6..b27cd44 100644
 +
 dependencies {
 	api platform("org.springframework:spring-framework-bom:$springFrameworkVersion")
- 	api platform("io.projectreactor:reactor-bom:2022.0.0-M4")
+ 	api platform("io.projectreactor:reactor-bom:$reactorVersion")
 diff --git a/ldap/spring-security-ldap.gradle b/ldap/spring-security-ldap.gradle
 index c4f6c08..39023ed 100644
 --- a/ldap/spring-security-ldap.gradle
--- a/projects/spring-security/oauth2-core/OAuth2AccessTokenFuzzer.java
+++ b/projects/spring-security/oauth2-core/OAuth2AccessTokenFuzzer.java
@ -0,0 +1,73 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+import java.time.Instant;
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+public class OAuth2AccessTokenFuzzer {
+
+    private static final OAuth2AccessToken.TokenType TOKEN_TYPE = OAuth2AccessToken.TokenType.BEARER;
+    private static final Instant ISSUED_AT = Instant.now();
+    private static final Instant EXPIRES_AT = Instant.from(ISSUED_AT).plusSeconds(60);
+
+    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+
+        Set<String> scope;
+        String tmpScope;
+        String value;
+        boolean proceed = true;
+        OAuth2AccessToken accessToken = null;
+
+        boolean isScope = data.consumeBoolean();
+        if (isScope) {
+
+            tmpScope = data.consumeString(250);
+            value = data.consumeString(250);
+
+            scope = new LinkedHashSet<>(Arrays.asList(tmpScope));
+            try {
+                accessToken = new OAuth2AccessToken(TOKEN_TYPE, value, ISSUED_AT, EXPIRES_AT, scope);
+            }
+            catch (IllegalArgumentException iae) {
+                proceed = false;
+             }
+        }
+        else {
+            value = data.consumeRemainingAsString();
+
+            try {
+                accessToken = new OAuth2AccessToken(TOKEN_TYPE, value, ISSUED_AT, EXPIRES_AT);
+            }
+            catch (IllegalArgumentException iae) {
+                proceed = false;
+             }
+        }
+
+        if (proceed) {
+            String tokenValue = accessToken.getTokenValue();
+            int hashCode = accessToken.hashCode();
+            OAuth2AccessToken compareToken = new OAuth2AccessToken(TOKEN_TYPE, value, ISSUED_AT, EXPIRES_AT);
+            boolean compareTokens = accessToken.equals(compareToken);
+        }
+    }
+
+}
--- a/projects/spring-security/project.yaml
+++ b/projects/spring-security/project.yaml
@ -14,4 +14,5 @@ vendor_ccs:
  - "glendowne@code-intelligence.com"
  - "patrice.salathe@code-intelligence.com"
  - "hlin@code-intelligence.com"
-  - "yoshi.weber@gmail.com"
+  - "jacek.trossen@code-intelligence.com"
+  - "peter.samarin@code-intelligence.com"