feat: Support ZTIS with XSUAA #453
Conversation
{ | ||
final String clientid = getOAuthCredentialOrThrow(String.class, "clientid"); | ||
|
||
final Option<String> exactCredentialType = getOAuthCredential(String.class, "credential-type"); |
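Review bot: `getOAuthCredential(String.class, "credential-type")` now yields an `Option<String>`, so this method has to decide explicitly what an absent value means (which credential type is assumed when the binding carries none) rather than leaving that to callers; please document that choice next to the lookup. Since the PR description says XSUAA will deliver the lowercase `x509_attested`, the value should also be matched case-insensitively before it is mapped to the enum. Minor style point: `clientid` would read better as `clientId` per Java naming conventions.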
see the impact of this refactoring. I figured since the feature is very new, SAP internal only and probably not used a lot yet, we can accept this
return getCredentialType() == CredentialType.X509 ? getCertificateIdentity() : getSecretIdentity(); | ||
final String clientid = getOAuthCredentialOrThrow(String.class, "clientid"); | ||
|
||
return switch( getCredentialType() ) { |
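Review bot: the new `switch` over `getCredentialType()` needs a `default` branch. `CredentialType` comes from the security library, so a constant added in a later library version is not covered by the cases compiled here, and an exhaustive switch expression without `default` then fails at runtime with an error that does not name the cause. Suggest either `default -> throw new IllegalStateException("Unsupported credential type: " + type)` or a documented fallback to `getSecretIdentity()`, which is what the replaced ternary's else branch did.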
In preparation for removing SecurityLibWorkarounds via #454 (see https://github.com/SAP/cloud-sdk-java-backlog/issues/428). Alternatively, one could apply this change standalone in this PR.
@@ -8,11 +8,11 @@ | |||
|
|||
### 🔧 Compatibility Notes | |||
|
|||
- | |||
- Using the `X509_ATTESTED` credential type now requires a version >= `3.4.0` of the [BTP Security Library](https://github.com/SAP/cloud-security-services-integration-library). |
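Review bot: the compatibility note states the `>= 3.4.0` requirement but not what happens below it. According to the discussion on this PR, an older security library logs a warning that `X509_ATTESTED` is not recognised, falls back to `BINDING_SECRET`, and then fails with an exception because the binding contains no secret; spelling that symptom out in the note lets users recognise it when they hit it. Also, the empty `-` bullet left above the new entry should be removed.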
I wonder what happens at runtime, or how "hard" this requirement is (or needs to be). (Update to xsuaa 3.4.0 was in sdk 5.8.0, 1 month ago.)
We would log a warning that we don't recognise X509_ATTESTED, then try to apply BINDING_SECRET but fail with an IllegalSomethingException, because the binding doesn't contain a secret.
I meant: in these lines we are referencing the enum values at runtime directly, rendering 3.4.0 the new lower bound for the (transitive) security library dependency version. As I said, this may be fine. But we need to be aware of such implications.
Thinking about this, we may be required to define a default case handling in the switch statement, otherwise this code may break for future additions to the enum type.
Good point!
I tried out what happens in a demo application. Turns out: this seems to be fine. I compiled the SDK with version 3.5.0 and then used it in the app with 3.3.5. Nothing bad happens 😄

```java
// Compiled against security library 3.5.0, run against 3.3.5 in the demo app
CredentialType type = SecurityLibWorkarounds.getCredentialType("X509_GENERATED");
System.out.println(type); // x509
System.out.println(List.of(CredentialType.values())); // [x509, instance-secret, binding-secret]
```

where I changed SecurityLibWorkarounds.getCredentialType to also include the switch statement, just to quickly run this test.
Please address / take note of my comment here: #453 (comment)
Looks good to me.
Context
This PR improves the credential type detection to deal with a lowercase variant of x509_attested, which will be used by XSUAA.
Definition of Done
- Error handling created / updated & covered by the tests above
- Documentation updated
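An added example (not code from this PR or from the Cloud SDK) that puts the two points of this thread together: resolving the binding's `credential-type` value case-insensitively so the lowercase `x509_attested` from XSUAA maps to the same constant as `X509_ATTESTED`, and switching over the enum with a `default` branch so a constant added by a newer security library version fails with a clear message. The `CredentialType` enum, `parse` and `identitySource` here are stand-ins written for the example (the real library enum is assumed, not copied); it needs Java 17 or later.

```java
import java.util.Locale;
import java.util.Optional;

// Stand-in for the security library's CredentialType enum, written for this example
// (the real enum is not copied here); X509_ATTESTED is the constant the thread discusses.
enum CredentialType { X509, X509_GENERATED, X509_ATTESTED, INSTANCE_SECRET, BINDING_SECRET }

final class CredentialTypeDetection {
    // Resolve the binding's "credential-type" value case-insensitively, so the lowercase
    // "x509_attested" delivered by XSUAA matches the same constant as "X509_ATTESTED".
    // Hyphens are folded to underscores because binding values such as "binding-secret"
    // use them. Unknown or absent values yield empty instead of throwing; the caller
    // then decides the fallback explicitly.
    static Optional<CredentialType> parse(final String raw) {
        if (raw == null || raw.isBlank()) {
            return Optional.empty();
        }
        final String normalized = raw.trim().toUpperCase(Locale.ROOT).replace('-', '_');
        for (final CredentialType candidate : CredentialType.values()) {
            if (candidate.name().equals(normalized)) {
                return Optional.of(candidate);
            }
        }
        return Optional.empty();
    }

    // The default branch is deliberate: an exhaustive switch expression without one still
    // compiles, but if a newer library version adds an enum constant, that value hits a
    // synthetic default that throws MatchException (Java 21+) or
    // IncompatibleClassChangeError (earlier) with no hint of what went wrong.
    static String identitySource(final CredentialType type) {
        return switch (type) {
            case X509, X509_GENERATED, X509_ATTESTED -> "certificate";
            case INSTANCE_SECRET, BINDING_SECRET -> "client-secret";
            default -> throw new IllegalStateException("Unsupported credential type: " + type);
        };
    }

    public static void main(final String[] args) {
        // Constructed sample values: the XSUAA lowercase form, the uppercase form,
        // a hyphenated secret type, an absent value and an unknown one.
        final String[] samples = { "x509_attested", "X509_ATTESTED", "binding-secret", "", "totp" };
        for (final String raw : samples) {
            final String result = parse(raw)
                .map(CredentialTypeDetection::identitySource)
                .orElse("absent or unknown: caller falls back (e.g. to BINDING_SECRET) or rejects");
            System.out.println("'" + raw + "' -> " + result);
        }
    }
}
```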