Apply pull request suggestions

Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>

Author: mcruzdev

impl/core/src/main/java/io/serverlessworkflow/impl/auth/AbstractAuthRequestBuilder.java

@@ -130,7 +130,8 @@ private void tokenParam(String tokenKey, String typeKey, OAuth2TokenDefinition d
       requestBuilder
           .addQueryParam(
               tokenKey, WorkflowUtils.buildStringFilter(application, definition.getToken()))
-          .addQueryParam(typeKey, definition.getType());
+          .addQueryParam(
+              typeKey, WorkflowUtils.buildStringFilter(application, definition.getType()));
     }
   }
 
@@ -142,8 +143,11 @@ protected void subjectActor(Map<String, Object> secret) {
   private void tokenParam(String tokenKey, String typeKey, Object rawDefinition) {
     if (rawDefinition instanceof Map<?, ?> definition) {
       requestBuilder
-          .addQueryParam(tokenKey, (String) definition.get(TOKEN))
-          .addQueryParam(typeKey, (String) definition.get(TYPE));
+          .addQueryParam(
+              tokenKey,
+              WorkflowUtils.buildStringFilter(application, (String) definition.get(TOKEN)))
+          .addQueryParam(
+              typeKey, WorkflowUtils.buildStringFilter(application, (String) definition.get(TYPE)));
     }
   }
 

impl/core/src/main/java/io/serverlessworkflow/impl/auth/JwtClientAssertion.java

@@ -73,6 +73,10 @@ void accept(Map<String, Object> secret) {
           "A client assertion must be provided for JWT client authentication");
     }
     if (PASSWORD.value().equals(secret.get(GRANT))) {
+      if (secret.get(USER) == null || secret.get(AuthUtils.PASSWORD) == null) {
+        throw new IllegalArgumentException(
+            "Username and password must be provided for password grant type");
+      }
       password(secret);
     } else {
       clientCredentials(secret);
@@ -126,6 +130,10 @@ private void addAssertion(String clientId, String assertion) {
 
   @SuppressWarnings("unchecked")
   private static Map<String, Object> asClient(Map<String, Object> secret) {
-    return (Map<String, Object>) secret.get(CLIENT);
+    Object client = secret.get(CLIENT);
+    if (client != null && !(client instanceof Map<?, ?>)) {
+      throw new IllegalArgumentException("The 'client' entry must be a map");
+    }
+    return (Map<String, Object>) client;
   }
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/OAuthRequestBuilder.java

@@ -31,8 +31,6 @@ class OAuthRequestBuilder
     extends AbstractAuthRequestBuilder<OAuth2ConnectAuthenticationProperties> {
 
   private static final String DEFAULT_TOKEN_PATH = "oauth2/token";
-  private static final String DEFAULT_REVOCATION_PATH = "oauth2/revoke";
-  private static final String DEFAULT_INTROSPECTION_PATH = "oauth2/introspect";
 
   public OAuthRequestBuilder(WorkflowApplication application) {
     super(application);
@@ -48,11 +46,8 @@ protected void authenticationURI(OAuth2ConnectAuthenticationProperties authentic
     String introspection = endpoints != null ? endpoints.getIntrospection() : null;
     requestBuilder
         .withUri(endpointResolver(uri, endpointPath(token, DEFAULT_TOKEN_PATH)))
-        .withRevocationUri(
-            Optional.of(endpointResolver(uri, endpointPath(revocation, DEFAULT_REVOCATION_PATH))))
-        .withIntrospectionUri(
-            Optional.of(
-                endpointResolver(uri, endpointPath(introspection, DEFAULT_INTROSPECTION_PATH))));
+        .withRevocationUri(optionalEndpoint(uri, revocation))
+        .withIntrospectionUri(optionalEndpoint(uri, introspection));
   }
 
   @Override
@@ -61,28 +56,44 @@ protected void authenticationURI(Map<String, Object> secret) {
     Map<?, ?> endpoints =
         secret.get("endpoints") instanceof Map<?, ?> raw ? (Map<?, ?>) raw : Map.of();
     requestBuilder
-        .withUri(staticUri(authority, endpoints, "token", DEFAULT_TOKEN_PATH))
-        .withRevocationUri(
-            Optional.of(staticUri(authority, endpoints, "revocation", DEFAULT_REVOCATION_PATH)))
-        .withIntrospectionUri(
-            Optional.of(
-                staticUri(authority, endpoints, "introspection", DEFAULT_INTROSPECTION_PATH)));
+        .withUri(
+            staticUri(authority, endpointPath((String) endpoints.get("token"), DEFAULT_TOKEN_PATH)))
+        .withRevocationUri(optionalStaticUri(authority, endpoints.get("revocation")))
+        .withIntrospectionUri(optionalStaticUri(authority, endpoints.get("introspection")));
+  }
+
+  private static String stripLeadingSlash(String path) {
+    return path.startsWith("/") ? path.substring(1) : path;
   }
 
   private static String endpointPath(String path, String defaultPath) {
-    return path != null ? path.replaceAll("^/", "") : defaultPath;
+    return path != null ? stripLeadingSlash(path) : defaultPath;
   }
 
   private WorkflowValueResolver<URI> endpointResolver(
       WorkflowValueResolver<URI> authority, String path) {
     return (w, t, m) -> concatURI(authority.apply(w, t, m), path);
   }
 
-  private static WorkflowValueResolver<URI> staticUri(
-      URI authority, Map<?, ?> endpoints, String key, String defaultPath) {
-    String path =
-        endpoints.get(key) instanceof String value ? endpointPath(value, defaultPath) : defaultPath;
+  // Revocation and introspection are optional capabilities: they are only wired up when the
+  // workflow (or secret) explicitly declares the corresponding endpoint, so that providers without
+  // these endpoints fail with a clear "not configured" error instead of calling a guessed path.
+  private Optional<WorkflowValueResolver<URI>> optionalEndpoint(
+      WorkflowValueResolver<URI> authority, String path) {
+    return path == null
+        ? Optional.empty()
+        : Optional.of(endpointResolver(authority, stripLeadingSlash(path)));
+  }
+
+  private static WorkflowValueResolver<URI> staticUri(URI authority, String path) {
     URI uri = concatURI(authority, path);
     return (w, t, m) -> uri;
   }
+
+  private static Optional<WorkflowValueResolver<URI>> optionalStaticUri(
+      URI authority, Object path) {
+    return path instanceof String value
+        ? Optional.of(staticUri(authority, stripLeadingSlash(value)))
+        : Optional.empty();
+  }
 }

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/auth/JaxRSAccessTokenProvider.java

@@ -85,11 +85,12 @@ public TokenIntrospection introspect(
     return execute(
         context,
         () -> {
-          Response response =
-              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint);
-          ensureSuccessful(response, context, "introspect token");
-          Map<String, Object> body = response.readEntity(new GenericType<>() {});
-          return new TokenIntrospection(Boolean.TRUE.equals(body.get("active")), body);
+          try (Response response =
+              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint)) {
+            ensureSuccessful(response, context, "introspect token");
+            Map<String, Object> body = response.readEntity(new GenericType<>() {});
+            return new TokenIntrospection(Boolean.TRUE.equals(body.get("active")), body);
+          }
         });
   }
 
@@ -105,10 +106,11 @@ public void revoke(
         context,
         () -> {
           // RFC 7009: a successful revocation responds with HTTP 200 and an empty body.
-          Response response =
-              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint);
-          ensureSuccessful(response, context, "revoke token");
-          return null;
+          try (Response response =
+              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint)) {
+            ensureSuccessful(response, context, "revoke token");
+            return null;
+          }
         });
   }
 
@@ -117,9 +119,10 @@ private Map<String, Object> invoke(
     return execute(
         taskContext,
         () -> {
-          Response response = executeRequest(workflowContext, taskContext, model);
-          ensureSuccessful(response, taskContext, "obtain token");
-          return response.readEntity(new GenericType<>() {});
+          try (Response response = executeRequest(workflowContext, taskContext, model)) {
+            ensureSuccessful(response, taskContext, "obtain token");
+            return response.readEntity(new GenericType<>() {});
+          }
         });
   }
 

impl/test/src/test/java/io/serverlessworkflow/impl/auth/OAuthRequestBuilderTest.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.impl.auth;
+
+import static io.serverlessworkflow.api.types.OAuth2AuthenticationData.OAuth2AuthenticationDataGrant.CLIENT_CREDENTIALS;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import io.serverlessworkflow.api.types.OAuth2AuthenticationDataClient;
+import io.serverlessworkflow.api.types.OAuth2AuthenticationPropertiesEndpoints;
+import io.serverlessworkflow.api.types.OAuth2ConnectAuthenticationProperties;
+import io.serverlessworkflow.api.types.UriTemplate;
+import io.serverlessworkflow.impl.WorkflowApplication;
+import java.net.URI;
+import org.junit.jupiter.api.Test;
+
+class OAuthRequestBuilderTest {
+
+  private static final URI AUTHORITY = URI.create("http://localhost:8888/realms/test-realm");
+
+  @Test
+  void resolvesConfiguredEndpointsAndNormalizesLeadingSlash() {
+    OAuth2ConnectAuthenticationProperties props = baseProperties();
+    props.withEndpoints(
+        new OAuth2AuthenticationPropertiesEndpoints()
+            .withToken("protocol/openid-connect/token")
+            // Leading slash must be stripped before being concatenated to the authority.
+            .withRevocation("/protocol/openid-connect/revoke")
+            .withIntrospection("protocol/openid-connect/introspect"));
+
+    HttpRequestInfo info = build(props);
+
+    assertEquals(
+        URI.create("http://localhost:8888/realms/test-realm/protocol/openid-connect/token"),
+        info.uri().apply(null, null, null));
+    assertTrue(info.revocationUri().isPresent());
+    assertEquals(
+        URI.create("http://localhost:8888/realms/test-realm/protocol/openid-connect/revoke"),
+        info.revocationUri().get().apply(null, null, null));
+    assertTrue(info.introspectionUri().isPresent());
+    assertEquals(
+        URI.create("http://localhost:8888/realms/test-realm/protocol/openid-connect/introspect"),
+        info.introspectionUri().get().apply(null, null, null));
+  }
+
+  @Test
+  void appliesDefaultTokenPathAndLeavesManagementEndpointsUnconfigured() {
+    HttpRequestInfo info = build(baseProperties());
+
+    assertEquals(
+        URI.create("http://localhost:8888/realms/test-realm/oauth2/token"),
+        info.uri().apply(null, null, null));
+    assertFalse(info.revocationUri().isPresent());
+    assertFalse(info.introspectionUri().isPresent());
+  }
+
+  private static OAuth2ConnectAuthenticationProperties baseProperties() {
+    OAuth2ConnectAuthenticationProperties props = new OAuth2ConnectAuthenticationProperties();
+    props.withAuthority(new UriTemplate().withLiteralUri(AUTHORITY));
+    props.withGrant(CLIENT_CREDENTIALS);
+    props.withClient(
+        new OAuth2AuthenticationDataClient().withId("serverless-workflow").withSecret("secret"));
+    return props;
+  }
+
+  private static HttpRequestInfo build(OAuth2ConnectAuthenticationProperties props) {
+    try (WorkflowApplication app = WorkflowApplication.builder().build()) {
+      return new OAuthRequestBuilder(app).apply(props);
+    }
+  }
+}