Refactor ExternalLoginAuthenticationManager (#3607)

adrianhoelzl-sap · web-flow · commit 620f4c4063a6 · 2025-10-09T08:54:12.000+02:00
* Use Lombok Getter and Setter annotation

* Remove static import of Optional.ofNullable

* Clean up

* Introduce constant for fallback e-mail domain

* Refactor generateEmailIfNullOrEmpty

* Make class ExternalLoginAuthenticationManager abstract

* Make method ExternalLoginAuthenticationManager#isAddNewShadowUser abstract

* Make method ExternalLoginAuthenticationManager#getExternalAuthenticationDetails abstract

* Make methods ExternalLoginAuthenticationManager#getOrigin and ExternalLoginAuthenticationManager#setOrigin abstract

* Make method ExternalLoginAuthenticationManager#setApplicationEventPublisher final

* Make method ExternalLoginAuthenticationManager#publish final

* Make method ExternalLoginAuthenticationManager#userAuthenticated abstract

* Make method ExternalLoginAuthenticationManager#mapAuthorities final

* Make method ExternalLoginAuthenticationManager#haveUserAttributesChanged final

* Make method ExternalLoginAuthenticationManager#generateEmailIfNullOrEmpty final

* Make method ExternalLoginAuthenticationManager#getExternalUserAuthorities abstract

* Address warnings in LdapLoginAuthenticationManager

* Address warnings in ExternalLoginAuthenticationManager

* Fix comment in LdapLoginAuthenticationManager
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/SpringServletXmlBeansConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/SpringServletXmlBeansConfiguration.java
@@ -9,7 +9,6 @@
 import org.cloudfoundry.identity.uaa.client.ClientAdminEndpointsValidator;
 import org.cloudfoundry.identity.uaa.client.event.ClientAdminEventPublisher;
 import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
-import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.impl.config.IdentityProviderBootstrap;
 import org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap;
 import org.cloudfoundry.identity.uaa.impl.config.UaaConfiguration;
@@ -340,7 +339,6 @@ LdapLoginAuthenticationManager ldapLoginAuthenticationMgr(
     ) {
         LdapLoginAuthenticationManager bean = new LdapLoginAuthenticationManager(provisioning);
         bean.setUserDatabase(userDatabase);
-        bean.setOrigin(OriginKeys.LDAP);
         return bean;
     }
 
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java
@@ -1,5 +1,7 @@
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
+import lombok.Getter;
+import lombok.Setter;
 import org.apache.commons.lang3.StringUtils;
 import org.cloudfoundry.identity.uaa.authentication.AccountNotPreCreatedException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
@@ -23,6 +25,7 @@
 import org.cloudfoundry.identity.uaa.user.VerifiableUser;
 import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.jspecify.annotations.NonNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.BeanNameAware;
@@ -47,71 +50,45 @@
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Optional;
 
 import static java.util.Collections.emptySet;
-import static java.util.Optional.ofNullable;
 
-public class ExternalLoginAuthenticationManager<ExternalAuthenticationDetails> implements AuthenticationManager, ApplicationEventPublisherAware, BeanNameAware {
+public abstract class ExternalLoginAuthenticationManager<ExternalAuthenticationDetails> implements AuthenticationManager, ApplicationEventPublisherAware, BeanNameAware {
 
     public static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";
+    private static final String FALLBACK_EMAIL_DOMAIN_TEMPLATE = "user.from.%s.cf";
+
     protected final Logger logger = LoggerFactory.getLogger(getClass());
 
     private ApplicationEventPublisher eventPublisher;
 
+    @Getter
+    @Setter
     private UaaUserDatabase userDatabase;
 
     private String name;
 
-    private String origin = "unknown";
-
+    @Getter
+    @Setter
     private IdentityProviderProvisioning providerProvisioning;
 
+    @Getter
+    @Setter
     private ScimGroupExternalMembershipManager externalMembershipManager;
 
-
     public ExternalLoginAuthenticationManager(IdentityProviderProvisioning providerProvisioning) {
         this.providerProvisioning = providerProvisioning;
     }
 
-    public IdentityProviderProvisioning getProviderProvisioning() {
-        return providerProvisioning;
-    }
-
-    public void setProviderProvisioning(IdentityProviderProvisioning providerProvisioning) {
-        this.providerProvisioning = providerProvisioning;
-    }
-
-    public ScimGroupExternalMembershipManager getExternalMembershipManager() {
-        return externalMembershipManager;
-    }
-
-    public void setExternalMembershipManager(ScimGroupExternalMembershipManager externalMembershipManager) {
-        this.externalMembershipManager = externalMembershipManager;
-    }
-
-    public String getOrigin() {
-        return origin;
-    }
-
-    public void setOrigin(String origin) {
-        this.origin = origin;
-    }
-
     @Override
-    public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+    public final void setApplicationEventPublisher(@NonNull ApplicationEventPublisher eventPublisher) {
         this.eventPublisher = eventPublisher;
     }
 
-    /**
-     * @param userDatabase the userDatabase to set
-     */
-    public void setUserDatabase(UaaUserDatabase userDatabase) {
-        this.userDatabase = userDatabase;
-    }
+    public abstract String getOrigin();
 
-    public UaaUserDatabase getUserDatabase() {
-        return this.userDatabase;
-    }
+    public abstract void setOrigin(String origin);
 
     @Override
     public Authentication authenticate(Authentication request) throws AuthenticationException {
@@ -171,14 +148,17 @@ protected void populateAuthenticationAttributes(UaaAuthentication authentication
         if (authentication.getAuthenticationMethods() == null) {
             authentication.setAuthenticationMethods(new HashSet<>());
         }
+
         authentication.getAuthenticationMethods().add("ext");
+
+        // persist the user attributes and external groups in the user info table if configured in the IdP
         if ((hasUserAttributes(authentication) || hasExternalGroups(authentication)) && getProviderProvisioning() != null) {
             IdentityProvider<ExternalIdentityProviderDefinition> provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
             if (provider.getConfig() != null && provider.getConfig().isStoreCustomAttributes()) {
                 logger.debug("Storing custom attributes for user_id:{}", authentication.getPrincipal().getId());
                 UserInfo userInfo = new UserInfo()
                         .setUserAttributes(authentication.getUserAttributes())
-                        .setRoles(new LinkedList<>(ofNullable(authentication.getExternalGroups()).orElse(emptySet())));
+                        .setRoles(new LinkedList<>(Optional.ofNullable(authentication.getExternalGroups()).orElse(emptySet())));
                 getUserDatabase().storeUserInfo(authentication.getPrincipal().getId(), userInfo);
             }
         }
@@ -192,31 +172,23 @@ private boolean hasUserAttributes(UaaAuthentication authentication) {
         return authentication.getUserAttributes() != null && !authentication.getUserAttributes().isEmpty();
     }
 
-    protected ExternalAuthenticationDetails getExternalAuthenticationDetails(Authentication authentication) throws AuthenticationException {
-        return null;
-    }
+    protected abstract ExternalAuthenticationDetails getExternalAuthenticationDetails(Authentication authentication) throws AuthenticationException;
 
-    protected boolean isAddNewShadowUser() {
-        return true;
-    }
+    protected abstract boolean isAddNewShadowUser();
 
     protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
         return new LinkedMultiValueMap<>();
     }
 
-    protected List<String> getExternalUserAuthorities(UserDetails request) {
-        return new LinkedList<>();
-    }
+    protected abstract List<String> getExternalUserAuthorities(UserDetails request);
 
-    protected void publish(ApplicationEvent event) {
+    protected final void publish(ApplicationEvent event) {
         if (eventPublisher != null) {
             eventPublisher.publishEvent(event);
         }
     }
 
-    protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequest, UaaUser userFromDb) {
-        return userFromDb;
-    }
+    protected abstract UaaUser userAuthenticated(Authentication request, UaaUser userFromRequest, UaaUser userFromDb);
 
     protected UaaUser getUser(Authentication request, ExternalAuthenticationDetails authDetails) {
         UserDetails userDetails;
@@ -259,7 +231,7 @@ protected UaaUser getUser(Authentication request, ExternalAuthenticationDetails
 
         String phoneNumber = userDetails instanceof DialableByPhone dbp ? dbp.getPhoneNumber() : null;
         String externalId = userDetails instanceof ExternallyIdentifiable ei ? ei.getExternalId() : name;
-        boolean verified = userDetails instanceof VerifiableUser vu ? vu.isVerified() : false;
+        boolean verified = userDetails instanceof VerifiableUser vu && vu.isVerified();
         UaaUserPrototype userPrototype = new UaaUserPrototype()
                 .withVerified(verified)
                 .withUsername(name)
@@ -278,27 +250,33 @@ protected UaaUser getUser(Authentication request, ExternalAuthenticationDetails
         return new UaaUser(userPrototype);
     }
 
-    protected String generateEmailIfNullOrEmpty(String name) {
-        String email;
-        if (name != null) {
-            if (name.contains("@")) {
-                if (name.split("@").length == 2 && !name.startsWith("@") && !name.endsWith("@")) {
-                    email = name;
-                } else {
-                    email = name.replace("@", "") + "@user.from." + getOrigin() + ".cf";
-                }
-            } else {
-                email = name + "@user.from." + getOrigin() + ".cf";
-            }
-        } else {
+    protected final String generateEmailIfNullOrEmpty(String name) {
+        if (name == null) {
             throw new BadCredentialsException("Cannot determine username from credentials supplied");
         }
-        return email;
+
+        final String fallbackEmailDomain = FALLBACK_EMAIL_DOMAIN_TEMPLATE.formatted(getOrigin());
+
+        // use fallback domain if no '@' is present
+        if (!name.contains("@")) {
+            return name + "@" + fallbackEmailDomain;
+        }
+
+        // use as-is if it represents a valid e-mail address
+        if (name.split("@").length == 2 && !name.startsWith("@") && !name.endsWith("@")) {
+            return name;
+        }
+
+        // otherwise, remove any '@' characters and use fallback domain
+        return name.replace("@", "") + "@" + fallbackEmailDomain;
     }
 
-    protected boolean haveUserAttributesChanged(UaaUser existingUser, UaaUser user) {
-        return !StringUtils.equals(existingUser.getGivenName(), user.getGivenName()) || !StringUtils.equals(existingUser.getFamilyName(), user.getFamilyName()) ||
-                !StringUtils.equals(existingUser.getPhoneNumber(), user.getPhoneNumber()) || !StringUtils.equals(existingUser.getEmail(), user.getEmail()) || !StringUtils.equals(existingUser.getExternalId(), user.getExternalId());
+    protected final boolean haveUserAttributesChanged(UaaUser existingUser, UaaUser user) {
+        return !StringUtils.equals(existingUser.getGivenName(), user.getGivenName())
+                || !StringUtils.equals(existingUser.getFamilyName(), user.getFamilyName())
+                || !StringUtils.equals(existingUser.getPhoneNumber(), user.getPhoneNumber())
+                || !StringUtils.equals(existingUser.getEmail(), user.getEmail())
+                || !StringUtils.equals(existingUser.getExternalId(), user.getExternalId());
     }
 
     /**
@@ -312,7 +290,7 @@ protected boolean haveUserAttributesChanged(UaaUser existingUser, UaaUser user)
      *         'external_groups' attribute mapping of the IdP
      * @return the internal groups
      */
-    protected List<SimpleGrantedAuthority> evaluateExternalGroupMappings(String origin, Collection<? extends GrantedAuthority> externalGroups) {
+    protected final List<SimpleGrantedAuthority> evaluateExternalGroupMappings(String origin, Collection<? extends GrantedAuthority> externalGroups) {
         List<SimpleGrantedAuthority> result = new LinkedList<>();
         for (GrantedAuthority authority : externalGroups) {
             String externalGroup = authority.getAuthority();
@@ -329,7 +307,7 @@ protected List<SimpleGrantedAuthority> evaluateExternalGroupMappings(String orig
     }
 
     @Override
-    public void setBeanName(String name) {
+    public void setBeanName(@NonNull String name) {
         this.name = name;
     }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java
@@ -16,6 +16,7 @@
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
+import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.LdapIdentityProviderDefinition;
@@ -28,6 +29,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.util.MultiValueMap;
@@ -44,20 +46,38 @@
 import static java.util.Collections.emptyList;
 import static org.cloudfoundry.identity.uaa.util.UaaStringUtils.retainAllMatches;
 
-public class LdapLoginAuthenticationManager extends ExternalLoginAuthenticationManager {
+public class LdapLoginAuthenticationManager extends ExternalLoginAuthenticationManager<Object> {
 
     protected static Logger logger = LoggerFactory.getLogger(LdapLoginAuthenticationManager.class);
 
     public LdapLoginAuthenticationManager(final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning providerProvisioning) {
         super(providerProvisioning);
     }
 
+    private String origin = OriginKeys.LDAP;
+
+    @Override
+    public String getOrigin() {
+        return origin;
+    }
+
+    @Override
+    public void setOrigin(String origin) {
+        // only used in LdapLoginAuthenticationManagerTests
+        this.origin = origin;
+    }
+
     @Override
     protected void populateAuthenticationAttributes(UaaAuthentication authentication, Authentication request, Object authenticationData) {
         super.populateAuthenticationAttributes(authentication, request, authenticationData);
         authentication.getAuthenticationMethods().add("pwd");
     }
 
+    @Override
+    protected Object getExternalAuthenticationDetails(Authentication authentication) throws AuthenticationException {
+        return null;
+    }
+
     @Override
     protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
         MultiValueMap<String, String> result = super.getUserAttributes(request);
@@ -73,7 +93,7 @@ protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
                         String[] values = ldapDetails.getAttribute((String) entry.getValue(), false);
                         if (values != null && values.length > 0) {
                             result.put(key, Arrays.asList(values));
-                            logger.debug("Mappcustom attribute key:{} and value:{}", key, result.get(key));
+                            logger.debug("Map custom attribute key:{} and value:{}", key, result.get(key));
                         }
                     }
                 }
@@ -86,17 +106,17 @@ protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
 
     @Override
     protected List<String> getExternalUserAuthorities(UserDetails request) {
-        List<String> result = super.getExternalUserAuthorities(request);
+        List<String> result = new LinkedList<>();
         if (getProviderProvisioning() != null) {
             IdentityProvider provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
             LdapIdentityProviderDefinition ldapIdentityProviderDefinition = ObjectUtils.castInstance(provider.getConfig(), LdapIdentityProviderDefinition.class);
             List<String> externalWhiteList = ldapIdentityProviderDefinition.getExternalGroupsWhitelist();
-            result = new ArrayList<>(retainAllMatches(getAuthoritesAsNames(request.getAuthorities()), externalWhiteList));
+            result = new ArrayList<>(retainAllMatches(getAuthoritiesAsNames(request.getAuthorities()), externalWhiteList));
         }
         return result;
     }
 
-    protected Set<String> getAuthoritesAsNames(Collection<? extends GrantedAuthority> authorities) {
+    protected Set<String> getAuthoritiesAsNames(Collection<? extends GrantedAuthority> authorities) {
         Set<String> result = new HashSet<>();
         authorities = new LinkedList<>(authorities != null ? authorities : emptyList());
         for (GrantedAuthority a : authorities) {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -436,7 +436,7 @@ protected void populateAuthenticationAttributes(UaaAuthentication authentication
 
     @Override
     protected List<String> getExternalUserAuthorities(UserDetails request) {
-        return super.getExternalUserAuthorities(request);
+        return new LinkedList<>();
     }
 
     @Override
@@ -598,9 +598,6 @@ private boolean isRegisteredIdpAuthentication(Authentication request) {
 
     @Override
     protected boolean isAddNewShadowUser() {
-        if (!super.isAddNewShadowUser()) {
-            return false;
-        }
         IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), identityZoneManager.getCurrentIdentityZoneId());
         return provider.getConfig().isAddShadowUserOnLogin();
     }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManagerTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManagerTest.java
