Redacted fields should not show up in JSON

[#141161389] https://www.pivotaltracker.com/story/show/141161389
[#141161179] https://www.pivotaltracker.com/story/show/141161179

model/src/main/java/org/cloudfoundry/identity/uaa/provider/AbstractXOAuthIdentityProviderDefinition.java

@@ -15,6 +15,7 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
 
 import java.lang.reflect.ParameterizedType;
 import java.net.URL;
@@ -98,6 +99,7 @@ public T setRelyingPartyId(String relyingPartyId) {
         return (T) this;
     }
 
+    @JsonInclude(JsonInclude.Include.NON_NULL)
     public String getRelyingPartySecret() {
         return relyingPartySecret;
     }

model/src/main/java/org/cloudfoundry/identity/uaa/provider/ExternalIdentityProviderDefinition.java

@@ -1,6 +1,19 @@
+/*******************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ * <p>
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ * <p>
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
 package org.cloudfoundry.identity.uaa.provider;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -11,18 +24,7 @@
 import static java.util.Collections.emptyList;
 import static java.util.Collections.emptyMap;
 
-/*******************************************************************************
- * Cloud Foundry
- * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
- * <p>
- * This product is licensed to you under the Apache License, Version 2.0 (the "License").
- * You may not use this product except in compliance with the License.
- * <p>
- * This product includes a number of subcomponents with
- * separate copyright notices and license terms. Your use of these
- * subcomponents is subject to the terms and conditions of the
- * subcomponent's license, as noted in the LICENSE file.
- *******************************************************************************/
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class ExternalIdentityProviderDefinition extends AbstractIdentityProviderDefinition {
     public static final String GROUP_ATTRIBUTE_NAME = "external_groups"; //can be a string or a list of strings
     public static final String EMAIL_ATTRIBUTE_NAME = "email"; //can be a string

model/src/main/java/org/cloudfoundry/identity/uaa/provider/LdapIdentityProviderDefinition.java

@@ -13,6 +13,8 @@
 package org.cloudfoundry.identity.uaa.provider;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.springframework.core.env.AbstractEnvironment;
 import org.springframework.core.env.MapPropertySource;
@@ -24,6 +26,7 @@
 import java.util.List;
 import java.util.Map;
 
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class LdapIdentityProviderDefinition extends ExternalIdentityProviderDefinition {
     public static final String LDAP_TLS_NONE = "none";
     public static final String LDAP_TLS_SIMPLE = "simple";
@@ -236,6 +239,7 @@ public String getBaseUrl() {
         return baseUrl;
     }
 
+    @JsonInclude(JsonInclude.Include.NON_NULL)
     public String getBindPassword() {
         return bindPassword;
     }

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/ldap/LdapMockMvcTests.java

@@ -86,6 +86,7 @@
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -800,6 +801,7 @@ public void test_read_and_write_config_then_login() throws Exception {
             .getResponse()
             .getContentAsString();
 
+        assertThat(response, not(containsString("bindPassword")));
         IdentityProvider<LdapIdentityProviderDefinition> provider = JsonUtils.readValue(response, new TypeReference<IdentityProvider<LdapIdentityProviderDefinition>>() {});
         assertNull(provider.getConfig().getBindPassword());
 

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsDocs.java

@@ -142,6 +142,8 @@ public class IdentityProviderEndpointsDocs extends InjectedMockContextTest {
         STORE_CUSTOM_ATTRIBUTES
     };
 
+    FieldDescriptor relayingPartySecret = fieldWithPath("config.relyingPartySecret").required().type(STRING).description("The client secret of the relying party at the external OAuth provider");
+
     private static ApacheDsSSLContainer apacheDS;
 
     @AfterClass
@@ -198,7 +200,7 @@ public static void startApacheDS() throws Exception {
         LDAP_GROUP_FILE,
         LDAP_URL,
         LDAP_BIND_USER_DN,
-        LDAP_BIND_PASSWORD,
+//        LDAP_BIND_PASSWORD,
         LDAP_USER_SEARCH_BASE,
         LDAP_USER_SEARCH_FILTER,
         LDAP_GROUP_SEARCH_BASE,
@@ -282,7 +284,6 @@ public static void startApacheDS() throws Exception {
         LDAP_ATTRIBUTE_MAPPING_PHONE,
 
         LDAP_BIND_USER_DN.ignored(),
-        LDAP_BIND_PASSWORD.ignored(),
         LDAP_USER_SEARCH_BASE.ignored(),
         LDAP_USER_SEARCH_FILTER.ignored(),
         LDAP_GROUP_SEARCH_BASE.ignored(),
@@ -437,7 +438,6 @@ public void createOAuthIdentityProvider() throws Exception {
             fieldWithPath("config.showLinkText").optional(true).type(BOOLEAN).description("A flag controlling whether a link to this provider's login will be shown on the UAA login page"),
             fieldWithPath("config.linkText").optional(null).type(STRING).description("Text to use for the login link to the provider"),
             fieldWithPath("config.relyingPartyId").required().type(STRING).description("The client ID which is registered with the external OAuth provider for use by the UAA"),
-            fieldWithPath("config.relyingPartySecret").required().type(STRING).description("The client secret of the relying party at the external OAuth provider"),
             fieldWithPath("config.skipSslValidation").optional(null).type(BOOLEAN).description("A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server"),
             fieldWithPath("config.scopes").optional(null).type(ARRAY).description("What scopes to request on a call to the external OAuth provider"),
             fieldWithPath("config.checkTokenUrl").optional(null).type(OBJECT).description("Reserved for future OAuth use."),
@@ -448,7 +448,7 @@ public void createOAuthIdentityProvider() throws Exception {
             fieldWithPath("config.attributeMappings.user_name").optional("preferred_username").type(STRING).description("Map `user_name` to the attribute for username in the provider assertion."),
             fieldWithPath("config.issuer").optional(null).type(STRING).description("The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.")
         });
-        Snippet requestFields = requestFields(idempotentFields);
+        Snippet requestFields = requestFields((FieldDescriptor[]) ArrayUtils.add(idempotentFields, relayingPartySecret));
 
         Snippet responseFields = responseFields((FieldDescriptor[]) ArrayUtils.addAll(idempotentFields, new FieldDescriptor[]{
             VERSION,
@@ -506,7 +506,6 @@ public void createOidcIdentityProvider() throws Exception {
             fieldWithPath("config.showLinkText").optional(true).type(BOOLEAN).description("A flag controlling whether a link to this provider's login will be shown on the UAA login page"),
             fieldWithPath("config.linkText").optional(null).type(STRING).description("Text to use for the login link to the provider"),
             fieldWithPath("config.relyingPartyId").required().type(STRING).description("The client ID which is registered with the external OAuth provider for use by the UAA"),
-            fieldWithPath("config.relyingPartySecret").required().type(STRING).description("The client secret of the relying party at the external OAuth provider"),
             fieldWithPath("config.skipSslValidation").optional(null).type(BOOLEAN).description("A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server"),
             fieldWithPath("config.scopes").optional(null).type(ARRAY).description("What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide " +
                                                                                       "`openid`, `roles`, or `profile` to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively."),
@@ -519,7 +518,7 @@ public void createOidcIdentityProvider() throws Exception {
             fieldWithPath("config.attributeMappings.user_name").optional("preferred_username").type(STRING).description("Map `user_name` to the attribute for username in the provider assertion."),
             fieldWithPath("config.issuer").optional(null).type(STRING).description("The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.")
         });
-        Snippet requestFields = requestFields(idempotentFields);
+        Snippet requestFields = requestFields((FieldDescriptor[]) ArrayUtils.add(idempotentFields, relayingPartySecret));
 
         Snippet responseFields = responseFields((FieldDescriptor[]) ArrayUtils.addAll(idempotentFields, new FieldDescriptor[]{
             VERSION,
@@ -566,6 +565,7 @@ public void create_Simple_Bind_LDAPIdentityProvider() throws Exception {
         providerDefinition.setUserDNPatternDelimiter(";");
         providerDefinition.setMailAttributeName("mail");
         identityProvider.setConfig(providerDefinition);
+        providerDefinition.setBindPassword(null);
         identityProvider.setSerializeConfigRaw(true);
 
         FieldDescriptor[] fields = ldapSimpleBindFields;
@@ -596,7 +596,7 @@ public void create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider() thro
         identityProvider.setConfig(providerDefinition);
         identityProvider.setSerializeConfigRaw(true);
 
-        FieldDescriptor[] fields = ldapSearchAndBind_GroupsToScopes;
+        FieldDescriptor[] fields = (FieldDescriptor[]) ArrayUtils.add(ldapSearchAndBind_GroupsToScopes, LDAP_BIND_PASSWORD);
         createLDAPProvider(identityProvider, fields, "create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider");
 
     }

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/providers/IdentityProviderEndpointsMockMvcTests.java

@@ -56,9 +56,12 @@
 import java.util.Map;
 
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_NAME;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.springframework.http.MediaType.APPLICATION_JSON;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
@@ -508,8 +511,7 @@ public void testListIdpsInZone() throws Exception {
             .contentType(APPLICATION_JSON);
 
         MvcResult result = getMockMvc().perform(requestBuilder).andExpect(status().isOk()).andReturn();
-        List<IdentityProvider> identityProviderList = JsonUtils.readValue(result.getResponse().getContentAsString(), new TypeReference<List<IdentityProvider>>() {
-        });
+        List<IdentityProvider> identityProviderList = JsonUtils.readValue(result.getResponse().getContentAsString(), new TypeReference<List<IdentityProvider>>() {});
         assertEquals(numberOfIdps + 1, identityProviderList.size());
         assertTrue(identityProviderList.contains(newIdp));
     }
@@ -601,8 +603,10 @@ public void validateOauthProviderConfigDuringUpdate() throws Exception {
                                                        .content(JsonUtils.writeValueAsString(identityProvider))
                                                        .contentType(APPLICATION_JSON)
         ).andExpect(status().isCreated()).andReturn();
-        identityProvider = JsonUtils.readValue(mvcResult.getResponse().getContentAsString(), new TypeReference<IdentityProvider<AbstractXOAuthIdentityProviderDefinition>>() {
-        });
+
+        String response = mvcResult.getResponse().getContentAsString();
+        assertThat(response, not(containsString("relyingPartySecret")));
+        identityProvider = JsonUtils.readValue(response, new TypeReference<IdentityProvider<AbstractXOAuthIdentityProviderDefinition>>() {});
         identityProvider.getConfig().setTokenUrl(null);
 
         getMockMvc().perform(put("/identity-providers/" + identityProvider.getId())