feat(OAuth2): Migrated OAuth2 configuration to align with Spring Security 5 Java DSL standards

halyard-config/src/main/java/com/netflix/spinnaker/halyard/config/model/v1/security/OAuth2.java

@@ -69,7 +69,7 @@ public void setProvider(Provider provider) {
       case GOOGLE:
         newClient.setAccessTokenUri("https://www.googleapis.com/oauth2/v4/token");
         newClient.setUserAuthorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
-        newClient.setScope("profile email");
+        newClient.setScope("profile,email");
 
         newResource.setUserInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
 
@@ -80,7 +80,7 @@ public void setProvider(Provider provider) {
       case GITHUB:
         newClient.setAccessTokenUri("https://github.com/login/oauth/access_token");
         newClient.setUserAuthorizationUri("https://github.com/login/oauth/authorize");
-        newClient.setScope("user:email");
+        newClient.setScope("user,email");
 
         newResource.setUserInfoUri("https://api.github.com/user");
 
@@ -93,7 +93,7 @@ public void setProvider(Provider provider) {
         final String idcsBaseUrl = "https://idcs-${idcsTenantId}.identity.oraclecloud.com";
         newClient.setAccessTokenUri(idcsBaseUrl + "/oauth2/v1/token");
         newClient.setUserAuthorizationUri(idcsBaseUrl + "/oauth2/v1/authorize");
-        newClient.setScope("openid urn:opc:idm:__myscopes__");
+        newClient.setScope("openid,urn:opc:idm:__myscopes__");
 
         newResource.setUserInfoUri(idcsBaseUrl + "/oauth2/v1/userinfo");
 

halyard-deploy/halyard-deploy.gradle

@@ -30,6 +30,9 @@ dependencies {
 
   testImplementation 'org.spockframework:spock-core'
   testImplementation 'org.springframework:spring-test'
+  testImplementation 'org.mockito:mockito-core'
+  testImplementation 'org.mockito:mockito-junit-jupiter'
+  testImplementation 'org.junit.jupiter:junit-jupiter'
   testRuntimeOnly 'net.bytebuddy:byte-buddy'
   testRuntimeOnly 'org.objenesis:objenesis'
 }

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/GateSpringSecurity5OAuth2ProfileFactory.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2025 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile;
+
+import com.netflix.spinnaker.halyard.config.model.v1.security.Security;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings;
+import org.springframework.stereotype.Component;
+
+/**
+ * Factory class for creating Gate configuration profiles for versions 6.67.0 and above.
+ *
+ * <p>This class extends {@link GateProfileFactory} and provides specific configurations required
+ * for Gate versions 6.67.0 and later. In these versions, a different set of properties is needed to
+ * enable OAuth2 authentication.
+ *
+ * <p>The factory determines the appropriate security configuration (OAuth2, SAML, LDAP, IAP, X509)
+ * based on the provided {@link Security} settings and constructs the {@link GateConfig}
+ * accordingly.
+ */
+@Component
+public class GateSpringSecurity5OAuth2ProfileFactory extends GateProfileFactory {
+
+  /**
+   * Creates a {@link GateConfig} instance based on the provided security settings.
+   *
+   * <p>If OAuth2 authentication is enabled, a {@link SpringConfig} is set up. If SAML
+   * authentication is enabled, a {@link SamlConfig} is set. If LDAP authentication is enabled, a
+   * {@link LdapConfig} is set. If IAP authentication is enabled, a {@link IAPConfig} is set under
+   * Google authentication. If X509 authentication is enabled, a {@link X509Config} is set.
+   *
+   * @param gate The service settings for Gate.
+   * @param security The security configuration settings.
+   * @return A configured {@link GateConfig} instance.
+   */
+  @Override
+  protected GateConfig getGateConfig(ServiceSettings gate, Security security) {
+    GateConfig config = new GateConfig(gate, security);
+
+    if (security.getAuthn().getOauth2().isEnabled()) {
+      config.setSpring(new SpringConfig(security.getAuthn().getOauth2()));
+    } else if (security.getAuthn().getSaml().isEnabled()) {
+      config.saml = new SamlConfig(security);
+    } else if (security.getAuthn().getLdap().isEnabled()) {
+      config.ldap = new LdapConfig(security);
+    } else if (security.getAuthn().getIap().isEnabled()) {
+      config.google.iap = new IAPConfig(security);
+    }
+
+    if (security.getAuthn().getX509().isEnabled()) {
+      config.x509 = new X509Config(security);
+    }
+
+    return config;
+  }
+}

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/SpringConfig.java

@@ -18,7 +18,10 @@
 package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile;
 
 import com.netflix.spinnaker.halyard.config.model.v1.security.OAuth2;
+import com.netflix.spinnaker.halyard.config.model.v1.security.OAuth2.UserInfoMapping;
 import com.netflix.spinnaker.halyard.config.model.v1.security.Security;
+import java.util.HashMap;
+import java.util.Map;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 
@@ -27,10 +30,104 @@
 class SpringConfig {
   OAuth2 oauth2;
 
+  OAuth2Security security;
+
   SpringConfig(Security security) {
     OAuth2 oauth2 = security.getAuthn().getOauth2();
     if (oauth2.isEnabled()) {
       this.oauth2 = oauth2;
     }
   }
+
+  SpringConfig(OAuth2 oauth2) {
+    if (oauth2.isEnabled()) {
+      this.security = populateOAuth2Security(oauth2);
+    }
+  }
+
+  private OAuth2Security populateOAuth2Security(OAuth2 oauth2) {
+    OAuth2.Provider provider = oauth2.getProvider();
+    OAuth2Security.OAuth2.Client client = new OAuth2Security.OAuth2.Client();
+
+    Map<String, String> registration = new HashMap<>();
+    Map<String, String> prvdr = new HashMap<>();
+
+    switch (provider) {
+      case GOOGLE:
+        client.getProvider().setGoogle(prvdr);
+        client.getRegistration().setGoogle(registration);
+        break;
+      case GITHUB:
+        client.getProvider().setGithub(prvdr);
+        client.getRegistration().setGithub(registration);
+        break;
+      case ORACLE:
+        client.getProvider().setOracle(prvdr);
+        client.getRegistration().setOracle(registration);
+        break;
+      case AZURE:
+        client.getProvider().setAzure(prvdr);
+        client.getRegistration().setAzure(registration);
+        break;
+      case OTHER:
+        client.getProvider().setOther(prvdr);
+        client.getRegistration().setOther(registration);
+        break;
+      default:
+        throw new RuntimeException("Unknown provider type " + provider);
+    }
+
+    registration.put("client-id", oauth2.getClient().getClientId());
+    registration.put("client-secret", oauth2.getClient().getClientSecret());
+    registration.put("scope", oauth2.getClient().getScope());
+    registration.put(
+        "clientAuthenticationScheme", oauth2.getClient().getClientAuthenticationScheme());
+    registration.put(
+        "redirect-uri", "\"" + oauth2.getClient().getPreEstablishedRedirectUri() + "\"");
+    prvdr.put("token-uri", oauth2.getClient().getAccessTokenUri());
+    prvdr.put("authorization-uri", oauth2.getClient().getUserAuthorizationUri());
+    prvdr.put("user-info-uri", oauth2.getResource().getUserInfoUri());
+    client.getRegistration().setUserInfoMapping(oauth2.getUserInfoMapping());
+    client.getRegistration().setUserInfoRequirements(oauth2.getUserInfoRequirements());
+
+    OAuth2Security security = new OAuth2Security();
+    security.getOAuth2().setClient(client);
+    return security;
+  }
+
+  @Data
+  public class OAuth2Security {
+    private OAuth2 oAuth2 = new OAuth2();
+
+    @Data
+    public class OAuth2 {
+      private Client client = new Client();
+
+      @Data
+      public static class Client {
+        private Registration registration = new Registration();
+        private Provider provider = new Provider();
+      }
+
+      @Data
+      public static class Registration {
+        private UserInfoMapping userInfoMapping;
+        private Map<String, String> userInfoRequirements;
+        private Map<String, String> google;
+        private Map<String, String> github;
+        private Map<String, String> azure;
+        private Map<String, String> oracle;
+        private Map<String, String> other;
+      }
+
+      @Data
+      public static class Provider {
+        private Map<String, String> google;
+        private Map<String, String> github;
+        private Map<String, String> azure;
+        private Map<String, String> oracle;
+        private Map<String, String> other;
+      }
+    }
+  }
 }

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/service/GateService.java

@@ -25,6 +25,7 @@
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot128ProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot154ProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateSpringSecurity5OAuth2ProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
 import java.nio.file.Paths;
 import java.util.Collections;
@@ -49,6 +50,8 @@ public abstract class GateService extends SpringService<GateService.Gate> {
 
   @Autowired private GateBoot128ProfileFactory boot128ProfileFactory;
 
+  @Autowired private GateSpringSecurity5OAuth2ProfileFactory springSecurity5OAuth2ProfileFactory;
+
   @Override
   public SpinnakerArtifact getArtifact() {
     return SpinnakerArtifact.GATE;
@@ -87,17 +90,36 @@ public List<Profile> getProfiles(
     return profiles;
   }
 
-  private GateProfileFactory getGateProfileFactory(String deploymentName) {
+  /**
+   * Retrieves the appropriate GateProfileFactory based on the given deployment's Gate version.
+   *
+   * <p>- If version is less than 0.7.0, returns {@code boot128ProfileFactory}. - If version is
+   * between 0.7.0 and 6.67.0, returns {@code boot154ProfileFactory}. - If version is greater than
+   * 6.67.0 or invalid, defaults to {@code springSecurity5OAuth2ProfileFactory}.
+   *
+   * @param deploymentName Name of the deployment.
+   * @return The appropriate {@link GateProfileFactory} instance.
+   */
+  GateProfileFactory getGateProfileFactory(String deploymentName) {
     String version =
         getArtifactService().getArtifactVersion(deploymentName, SpinnakerArtifact.GATE);
+    log.info("the current spinnaker version is: " + version);
     try {
       if (Versions.lessThan(version, BOOT_UPGRADED_VERSION)) {
         return boot128ProfileFactory;
       }
+
+      // For Gate versions 6.67.0 and above, a different set of properties is required to enable
+      // OAuth2.
+      // Therefore, boot154ProfileFactory is not used, and springSecurity5OAuth2ProfileFactory is
+      // chosen instead.
+      if (Versions.lessThan(version, "6.68.0")) {
+        return boot154ProfileFactory;
+      }
     } catch (IllegalArgumentException iae) {
       log.warn("Could not resolve Gate version, using `boot154ProfileFactory`.");
     }
-    return boot154ProfileFactory;
+    return springSecurity5OAuth2ProfileFactory;
   }
 
   public GateService() {

halyard-deploy/src/test/groovy/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/service/GateServiceTest.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2025 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.netflix.spinnaker.halyard.deploy.services.v1.ArtifactService;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerArtifact;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot128ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot154ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateSpringSecurity5OAuth2ProfileFactory;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class GateServiceTest {
+
+  private GateService gateService;
+  private GateBoot128ProfileFactory mockBoot128ProfileFactory;
+  private GateBoot154ProfileFactory mockBoot154ProfileFactory;
+  private GateSpringSecurity5OAuth2ProfileFactory mockBoot667ProfileFactory;
+  private ArtifactService mockArtifactService;
+
+  @BeforeEach
+  void setUp() {
+    gateService = mock(GateService.class, CALLS_REAL_METHODS);
+    mockBoot128ProfileFactory = mock(GateBoot128ProfileFactory.class);
+    mockBoot154ProfileFactory = mock(GateBoot154ProfileFactory.class);
+    mockBoot667ProfileFactory = mock(GateSpringSecurity5OAuth2ProfileFactory.class);
+    mockArtifactService = mock(ArtifactService.class);
+
+    gateService.setBoot128ProfileFactory(mockBoot128ProfileFactory);
+    gateService.setBoot154ProfileFactory(mockBoot154ProfileFactory);
+    gateService.setSpringSecurity5OAuth2ProfileFactory(mockBoot667ProfileFactory);
+    when(gateService.getArtifactService()).thenReturn(mockArtifactService);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionLessThan070() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("0.6.9");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot128ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionBetween070And667() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("6.66.0");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot154ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionGreaterThan667() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("6.67.1");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot667ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryInvalidVersionUsesDefault() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("invalid-version");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot667ProfileFactory, result);
+  }
+}