Fix flaky

.github/workflows/maven-build-2.x.yml

@@ -0,0 +1,62 @@
+# SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
+# SPDX-License-Identifier: Apache-2.0
+---
+<<<<<<<< HEAD:.github/workflows/maven-build.yml
+name: Maven Build main
+
+env:
+  NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+========
+name: Maven Build main-2.x
+>>>>>>>> fix-flaky:.github/workflows/maven-build-2.x.yml
+
+on:
+  push:
+    branches: [ main-2.x ]
+  pull_request:
+    branches: [ main-2.x ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java-version: [ 17 ]
+    name: Build with Java ${{ matrix.java-version }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: mvn cache
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-owasp-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-owasp-
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.java-version }}
+      - name: Build with Maven
+        run: mvn -B install --file pom.xml
+      - name: Run java-security integration tests
+        run: cd java-security-it; mvn -B package --file pom.xml
+      - name: Run spring-xsuaa integration tests
+        run: cd spring-xsuaa-it; mvn -B package --file pom.xml
+      - name: Build spring-security-basic-auth
+        run: cd samples/spring-security-basic-auth; mvn -B package --file pom.xml
+      - name: Build spring-security-xsuaa-usage
+        run: cd samples/spring-security-xsuaa-usage; mvn -B package --file pom.xml
+      - name: Build spring-webflux-security-xsuaa-usage
+        run: cd samples/spring-webflux-security-xsuaa-usage; mvn -B package --file pom.xml
+      - name: Build java-security-usage
+        run: cd samples/java-security-usage; mvn -B package --file pom.xml
+      - name: Build sap-java-buildpack-api-usage
+        run: cd samples/sap-java-buildpack-api-usage; mvn -B package --file pom.xml
+      - name: Build java-tokenclient-usage
+        run: cd samples/java-tokenclient-usage; mvn -B package --file pom.xml
+      - name: Build java-security-usage-ias
+        run: cd samples/java-security-usage-ias; mvn -B package --file pom.xml
+      - name: Build spring-security-hybrid-usage
+        run: cd samples/spring-security-hybrid-usage; mvn -B package --file pom.xml

.github/workflows/maven-build.yml

@@ -1,16 +1,20 @@
 # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 # SPDX-License-Identifier: Apache-2.0
 ---
+<<<<<<<< HEAD:.github/workflows/maven-build.yml
 name: Maven Build main
 
 env:
   NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+========
+name: Maven Build main-2.x
+>>>>>>>> fix-flaky:.github/workflows/maven-build-2.x.yml
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main-2.x ]
   pull_request:
-    branches: [ main ]
+    branches: [ main-2.x ]
 
 jobs:
   build:

CHANGELOG.md

@@ -1,6 +1,32 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 3.3.4
+- [env] service plan property is no longer uppercased when building `OAuth2ServiceConfiguration` from service bindings of the environment
+- [spring-security] fixes a bug in which a second XSUAA configuration of plan "broker" was ignored in spring-security auto-configuration for versions 3.3.2 and 3.3.3
+
+#### Dependency upgrades
+- Bump io.projectreactor:reactor-core from 3.6.1 to 3.6.2
+- Bump spring.core.version from 6.1.2 to 6.1.3
+- Bump slf4j.api.version from 2.0.10 to 2.0.11
+
+## 3.3.3
+- [java-security]
+  - reduce `HybridTokenFactory` logging noise - in case of missing service configuration warn message will be logged just once
+  - upgrade jetty ee9 to jetty ee10
+- [java-security-test]
+  - fixes version mismatch issue when jetty BoM is used
+  - `JwtGenerator` ensures that claims are always in the same order
+- [token-client]
+  - remove httpclient caching from DefaultHttpClientFactory (#1416)
+
+#### Dependency upgrades
+- Bump spring.boot.version from 3.2.0 to 3.2.1
+- Bump spring.core.version from 6.0.14 to 6.1.2
+- Bump log4j2.version from 2.22.0 to 2.22.1
+- Bump slf4j.api.version from 2.0.9 to 2.0.10
+
+
 ## 3.3.2
 - [java-security]
   - add `name` property of service binding as property to OAuth2ServiceConfiguration

README.md

@@ -124,7 +124,7 @@ The SAP Cloud Security Services Integration is published to maven central: https
         <dependency>
             <groupId>com.sap.cloud.security</groupId>
             <artifactId>java-bom</artifactId>
-            <version>3.3.2</version>
+            <version>3.3.4</version>
             <scope>import</scope>
             <type>pom</type>
         </dependency>

api/README.md

@@ -0,0 +1,10 @@
+## Configuration
+
+### Maven Dependencies
+```xml
+<dependency>
+    <groupId>com.sap.cloud.security.xsuaa</groupId>
+    <artifactId>api</artifactId>
+    <version>2.13.7</version>
+</dependency>
+```

api/pom.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- SPDX-FileCopyrightText: 2018-2022 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors -->
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>com.sap.cloud.security.xsuaa</groupId>
+	<artifactId>api</artifactId>
+
+	<parent>
+		<groupId>com.sap.cloud.security.xsuaa</groupId>
+		<artifactId>parent</artifactId>
+		<version>2.13.7</version>
+	</parent>
+
+	<packaging>jar</packaging>
+
+	<name>api</name>
+	<url>http://maven.apache.org</url>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<version>3.5.0</version>
+				<executions>
+					<execution>
+						<id>attach-javadocs</id>
+						<goals>
+							<goal>jar</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

bom/pom.xml

@@ -8,7 +8,7 @@
 
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-bom</artifactId>
-    <version>3.3.2</version>
+    <version>3.3.4</version>
     <packaging>pom</packaging>
     <name>java-bom</name>
 

env/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>com.sap.cloud.security.xsuaa</groupId>
         <artifactId>parent</artifactId>
-        <version>3.3.2</version>
+        <version>3.3.4</version>
     </parent>
 
     <groupId>com.sap.cloud.security</groupId>

env/src/main/java/com/sap/cloud/security/config/ServiceBindingEnvironment.java

@@ -78,7 +78,8 @@ public ServiceBindingEnvironment withEnvironmentVariableReader(UnaryOperator<Str
 	@Nullable
 	@Override
 	public OAuth2ServiceConfiguration getXsuaaConfiguration() {
-		List<ServiceConstants.Plan> orderedServicePlans = List.of(ServiceConstants.Plan.APPLICATION, ServiceConstants.Plan.BROKER,
+		List<ServiceConstants.Plan> orderedServicePlans = List.of(ServiceConstants.Plan.APPLICATION,
+				ServiceConstants.Plan.BROKER,
 				ServiceConstants.Plan.SPACE, ServiceConstants.Plan.DEFAULT);
 		List<OAuth2ServiceConfiguration> xsuaaConfigurations = getServiceConfigurationsAsList().get(XSUAA);
 
@@ -135,11 +136,14 @@ public Map<Service, List<OAuth2ServiceConfiguration>> getServiceConfigurationsAs
 	 * Gives access to all service configurations parsed from the environment. The
 	 * service configurations are parsed on the first access, then cached.
 	 *
-	 * Note that the result contains only one service configuration per service plan and does not contain configurations
-	 * with a service plan other than those from {@link ServiceConstants}#Plan.
-	 * Use {@link ServiceBindingEnvironment#getServiceConfigurationsAsList()} to get a complete list of configurations.
+	 * Note that the result contains only one service configuration per service plan
+	 * and does not contain configurations with a service plan other than those from
+	 * {@link ServiceConstants}#Plan. Use
+	 * {@link ServiceBindingEnvironment#getServiceConfigurationsAsList()} to get a
+	 * complete list of configurations.
 	 *
-	 * @return the service configurations grouped first by service, then by service plan.
+	 * @return the service configurations grouped first by service, then by service
+	 *         plan.
 	 */
 	@Override
 	public Map<Service, Map<ServiceConstants.Plan, OAuth2ServiceConfiguration>> getServiceConfigurations() {
@@ -158,8 +162,7 @@ public Map<Service, Map<ServiceConstants.Plan, OAuth2ServiceConfiguration>> getS
 					.collect(Collectors.toMap(
 							config -> ServiceConstants.Plan.from(config.getProperty(SERVICE_PLAN)),
 							Function.identity(),
-							(a, b) -> a
-					));
+							(a, b) -> a));
 
 			result.put(service, planConfigurations);
 		}
@@ -194,7 +197,7 @@ private void clearServiceConfigurations() {
 	private ServiceConstants.Plan getServicePlan(OAuth2ServiceConfiguration config) {
 		try {
 			return ServiceConstants.Plan.from(config.getProperty(SERVICE_PLAN));
-		} catch(IllegalArgumentException e) {
+		} catch (IllegalArgumentException e) {
 			return null;
 		}
 	}

env/src/main/java/com/sap/cloud/security/config/ServiceBindingMapper.java

@@ -42,7 +42,7 @@ public static OAuth2ServiceConfigurationBuilder mapToOAuth2ServiceConfigurationB
 		OAuth2ServiceConfigurationBuilder builder = OAuth2ServiceConfigurationBuilder.forService(service)
 				.withProperties(credentials.getEntries(String.class))
 				.withProperty(NAME, b.getName().orElse(""))
-				.withProperty(SERVICE_PLAN, b.getServicePlan().orElse(ServiceConstants.Plan.APPLICATION.name()).toUpperCase());
+				.withProperty(SERVICE_PLAN, b.getServicePlan().orElse(ServiceConstants.Plan.APPLICATION.toString()));
 
 		if (IAS.equals(service)) {
 			parseDomains(builder, credentials);

env/src/test/java/com/sap/cloud/security/config/ServiceBindingEnvironmentTest.java

@@ -26,7 +26,8 @@ class ServiceBindingEnvironmentTest {
 	static void setUp() throws IOException {
 		String singleXsuaaConfiguration = IOUtils.resourceToString("/vcapXsuaaServiceSingleBinding.json", UTF_8);
 		String multipleXsuaaConfigurations = IOUtils.resourceToString("/vcapXsuaaServiceMultipleBindings.json", UTF_8);
-		String multipleXsuaaApplicationPlanConfigurations = IOUtils.resourceToString("/vcapXsuaaServiceMultipleApplicationPlanBindings.json", UTF_8);
+		String multipleXsuaaApplicationPlanConfigurations = IOUtils
+				.resourceToString("/vcapXsuaaServiceMultipleApplicationPlanBindings.json", UTF_8);
 		String singleIasConfiguration = IOUtils.resourceToString("/vcapIasServiceSingleBinding.json", UTF_8);
 		String unknownXsuaaPlanConfig = IOUtils.resourceToString("/vcapUnknownServicePlan.json", UTF_8);
 		vcapXsa = IOUtils.resourceToString("/vcapXsuaaXsaSingleBinding.json", UTF_8);
@@ -73,7 +74,9 @@ void getXsuaaConfigurationForTokenExchange() {
 		assertNotSame(cutMultipleXsuaa.getXsuaaConfigurationForTokenExchange(),
 				cutMultipleXsuaa.getXsuaaConfiguration());
 
-		assertThat(cutMultipleApplicationPlanXsuaa.getXsuaaConfigurationForTokenExchange().getProperty(ServiceConstants.SERVICE_PLAN),
+		assertThat(
+				cutMultipleApplicationPlanXsuaa.getXsuaaConfigurationForTokenExchange()
+						.getProperty(ServiceConstants.SERVICE_PLAN),
 				equalToIgnoringCase(ServiceConstants.Plan.BROKER.toString()));
 		assertNotSame(cutMultipleApplicationPlanXsuaa.getXsuaaConfigurationForTokenExchange(),
 				cutMultipleXsuaa.getXsuaaConfiguration());
@@ -138,7 +141,8 @@ void getServiceConfigurations() {
 		configs = cutMultipleApplicationPlanXsuaa.getServiceConfigurations();
 		assertThat(configs.get(Service.XSUAA).entrySet(), hasSize(2));
 		assertThat(configs.get(Service.IAS).entrySet(), is(empty()));
-		assertThat(configs.get(Service.XSUAA).get(ServiceConstants.Plan.APPLICATION).getProperty(ServiceConstants.XSUAA.APP_ID), equalTo("na-d6a3278d-5e07-40e9-92ae-546bbfd9cdde!t8066"));
+		assertThat(configs.get(Service.XSUAA).get(ServiceConstants.Plan.APPLICATION)
+				.getProperty(ServiceConstants.XSUAA.APP_ID), equalTo("na-d6a3278d-5e07-40e9-92ae-546bbfd9cdde!t8066"));
 		assertNotNull(configs.get(Service.XSUAA).get(ServiceConstants.Plan.BROKER));
 		assertNotNull(configs.get(Service.XSUAA).get(ServiceConstants.Plan.APPLICATION));
 

java-api/README.md

@@ -5,6 +5,6 @@
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-api</artifactId>
-    <version>3.3.2</version>
+    <version>3.3.4</version>
 </dependency>
 ```

java-api/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>3.3.2</version>
+		<version>3.3.4</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

java-api/src/main/java/com/sap/cloud/security/config/Environment.java

@@ -5,21 +5,19 @@
  */
 package com.sap.cloud.security.config;
 
+import javax.annotation.Nullable;
 import java.util.List;
 import java.util.Map;
 
-import javax.annotation.Nullable;
-
-
-
 /**
  * Central entry point to access the OAuth configuration
  * ({@link OAuth2ServiceConfiguration}) of a supported identity {@link Service}.
  */
 public interface Environment {
 	/**
-	 * Return the primary OAuth service configuration of Xsuaa identity service instance.
-	 * 
+	 * Return the primary OAuth service configuration of Xsuaa identity service
+	 * instance.
+	 *
 	 * @return the OAuth service configuration or null, in case there is no instance
 	 */
 	@Nullable
@@ -43,8 +41,8 @@ public interface Environment {
 
 	/**
 	 * In case there is only one Xsuaa identity service instance, this one gets
-	 * returned. In case there are multiple bindings the primary one of plan "broker" gets
-	 * returned.
+	 * returned. In case there are multiple bindings the primary one of plan
+	 * "broker" gets returned.
 	 *
 	 * @return the service configuration to be used for token exchange
 	 *
@@ -53,9 +51,9 @@ public interface Environment {
 	 */
 	@Nullable
 	OAuth2ServiceConfiguration getXsuaaConfigurationForTokenExchange();
-	
+
 	/**
-	 * Gives access to all service configurations parsed from the environment. 
+	 * Gives access to all service configurations parsed from the environment.
 	 *
 	 * @return the service configurations grouped by service
 	 */

java-api/src/main/java/com/sap/cloud/security/token/Token.java

@@ -201,8 +201,9 @@ default String getZoneId() {
 	 *
 	 * @return the unique application tenant identifier.
 	 */
-	default String getAppTid(){
-		return hasClaim(SAP_GLOBAL_APP_TID) ? getClaimAsString(SAP_GLOBAL_APP_TID) : getClaimAsString(SAP_GLOBAL_ZONE_ID);
+	default String getAppTid() {
+		return hasClaim(SAP_GLOBAL_APP_TID) ? getClaimAsString(SAP_GLOBAL_APP_TID)
+				: getClaimAsString(SAP_GLOBAL_ZONE_ID);
 	}
 
 	/**

java-api/src/main/java/com/sap/cloud/security/token/TokenClaims.java

@@ -34,7 +34,6 @@ private TokenClaims() {
 	public static final String SAP_GLOBAL_SCIM_ID = "scim_id";
 	public static final String SAP_GLOBAL_USER_ID = "user_uuid";
 
-
 	/**
 	 * @deprecated Use {@link TokenClaims#SAP_GLOBAL_APP_TID} instead.
 	 */

java-api/src/main/java/com/sap/cloud/security/token/validation/TestIssuerValidator.java

@@ -1,8 +1,9 @@
 package com.sap.cloud.security.token.validation;
 
 /**
- * This interface is for INTERNAL usage only to add backward-compatibility for test credentials with trusted domain 'localhost' to the issuer validation.
+ * This interface is for INTERNAL usage only to add backward-compatibility for
+ * test credentials with trusted domain 'localhost' to the issuer validation.
  */
 public interface TestIssuerValidator {
-    boolean isValidIssuer(String issuer);
+	boolean isValidIssuer(String issuer);
 }

java-api/src/main/java/com/sap/cloud/security/token/validation/XsuaaJkuFactory.java

@@ -1,8 +1,9 @@
 package com.sap.cloud.security.token.validation;
 
 /**
- * This interface is for INTERNAL usage only to add backward-compatibility for test credentials with uaadomain 'localhost' during JKU construction.
+ * This interface is for INTERNAL usage only to add backward-compatibility for
+ * test credentials with uaadomain 'localhost' during JKU construction.
  */
 public interface XsuaaJkuFactory {
-    String create(String token);
+	String create(String token);
 }