feat(OAuth2): Migrated OAuth2 configuration to align with Spring Security 5 Java DSL standards

halyard-config/src/main/java/com/netflix/spinnaker/halyard/config/model/v1/security/OAuth2.java

@@ -69,7 +69,7 @@ public void setProvider(Provider provider) {
       case GOOGLE:
         newClient.setAccessTokenUri("https://www.googleapis.com/oauth2/v4/token");
         newClient.setUserAuthorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
-        newClient.setScope("profile email");
+        newClient.setScope("profile,email");
 
         newResource.setUserInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
 
@@ -80,7 +80,7 @@ public void setProvider(Provider provider) {
       case GITHUB:
         newClient.setAccessTokenUri("https://github.com/login/oauth/access_token");
         newClient.setUserAuthorizationUri("https://github.com/login/oauth/authorize");
-        newClient.setScope("user:email");
+        newClient.setScope("user,email");
 
         newResource.setUserInfoUri("https://api.github.com/user");
 
@@ -93,7 +93,7 @@ public void setProvider(Provider provider) {
         final String idcsBaseUrl = "https://idcs-${idcsTenantId}.identity.oraclecloud.com";
         newClient.setAccessTokenUri(idcsBaseUrl + "/oauth2/v1/token");
         newClient.setUserAuthorizationUri(idcsBaseUrl + "/oauth2/v1/authorize");
-        newClient.setScope("openid urn:opc:idm:__myscopes__");
+        newClient.setScope("openid,urn:opc:idm:__myscopes__");
 
         newResource.setUserInfoUri(idcsBaseUrl + "/oauth2/v1/userinfo");
 

halyard-deploy/halyard-deploy.gradle

@@ -30,6 +30,9 @@ dependencies {
 
   testImplementation 'org.spockframework:spock-core'
   testImplementation 'org.springframework:spring-test'
+  testImplementation 'org.mockito:mockito-core'
+  testImplementation 'org.mockito:mockito-junit-jupiter'
+  testImplementation 'org.junit.jupiter:junit-jupiter'
   testRuntimeOnly 'net.bytebuddy:byte-buddy'
   testRuntimeOnly 'org.objenesis:objenesis'
 }

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/GateBoot667ProfileFactory.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2025 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile;
+
+import com.netflix.spinnaker.halyard.config.model.v1.security.Security;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings;
+import org.springframework.stereotype.Component;
+
+@Component
+public class GateBoot667ProfileFactory extends GateProfileFactory {
+
+  @Override
+  protected GateConfig getGateConfig(ServiceSettings gate, Security security) {
+    GateConfig config = new GateConfig(gate, security);
+
+    if (security.getAuthn().getOauth2().isEnabled()) {
+      config.setSpring(new SpringConfig(security.getAuthn().getOauth2()));
+    } else if (security.getAuthn().getSaml().isEnabled()) {
+      config.saml = new SamlConfig(security);
+    } else if (security.getAuthn().getLdap().isEnabled()) {
+      config.ldap = new LdapConfig(security);
+    } else if (security.getAuthn().getIap().isEnabled()) {
+      config.google.iap = new IAPConfig(security);
+    }
+
+    if (security.getAuthn().getX509().isEnabled()) {
+      config.x509 = new X509Config(security);
+    }
+
+    return config;
+  }
+}

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/SpringConfig.java

@@ -18,7 +18,10 @@
 package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile;
 
 import com.netflix.spinnaker.halyard.config.model.v1.security.OAuth2;
+import com.netflix.spinnaker.halyard.config.model.v1.security.OAuth2.UserInfoMapping;
 import com.netflix.spinnaker.halyard.config.model.v1.security.Security;
+import java.util.HashMap;
+import java.util.Map;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 
@@ -27,10 +30,104 @@
 class SpringConfig {
   OAuth2 oauth2;
 
+  OAuth2Security security;
+
   SpringConfig(Security security) {
     OAuth2 oauth2 = security.getAuthn().getOauth2();
     if (oauth2.isEnabled()) {
       this.oauth2 = oauth2;
     }
   }
+
+  SpringConfig(OAuth2 oauth2) {
+    if (oauth2.isEnabled()) {
+      this.security = populateOAuth2Security(oauth2);
+    }
+  }
+
+  private OAuth2Security populateOAuth2Security(OAuth2 oauth2) {
+    OAuth2.Provider provider = oauth2.getProvider();
+    OAuth2Security.OAuth2.Client client = new OAuth2Security.OAuth2.Client();
+
+    Map<String, String> registration = new HashMap<>();
+    Map<String, String> prvdr = new HashMap<>();
+
+    switch (provider) {
+      case GOOGLE:
+        client.getProvider().setGoogle(prvdr);
+        client.getRegistration().setGoogle(registration);
+        break;
+      case GITHUB:
+        client.getProvider().setGithub(prvdr);
+        client.getRegistration().setGithub(registration);
+        break;
+      case ORACLE:
+        client.getProvider().setOracle(prvdr);
+        client.getRegistration().setOracle(registration);
+        break;
+      case AZURE:
+        client.getProvider().setAzure(prvdr);
+        client.getRegistration().setAzure(registration);
+        break;
+      case OTHER:
+        client.getProvider().setOther(prvdr);
+        client.getRegistration().setOther(registration);
+        break;
+      default:
+        throw new RuntimeException("Unknown provider type " + provider);
+    }
+
+    registration.put("client-id", oauth2.getClient().getClientId());
+    registration.put("client-secret", oauth2.getClient().getClientSecret());
+    registration.put("scope", oauth2.getClient().getScope());
+    registration.put(
+        "clientAuthenticationScheme", oauth2.getClient().getClientAuthenticationScheme());
+    registration.put(
+        "redirect-uri", "\"" + oauth2.getClient().getPreEstablishedRedirectUri() + "\"");
+    prvdr.put("token-uri", oauth2.getClient().getAccessTokenUri());
+    prvdr.put("authorization-uri", oauth2.getClient().getUserAuthorizationUri());
+    prvdr.put("user-info-uri", oauth2.getResource().getUserInfoUri());
+    client.getRegistration().setUserInfoMapping(oauth2.getUserInfoMapping());
+    client.getRegistration().setUserInfoRequirements(oauth2.getUserInfoRequirements());
+
+    OAuth2Security security = new OAuth2Security();
+    security.getOauth2().setClient(client);
+    return security;
+  }
+
+  @Data
+  private class OAuth2Security {
+    private OAuth2 oauth2 = new OAuth2();
+
+    @Data
+    private class OAuth2 {
+      private Client client = new Client();
+
+      @Data
+      public static class Client {
+        private Registration registration = new Registration();
+        private Provider provider = new Provider();
+      }
+
+      @Data
+      public static class Registration {
+        private UserInfoMapping userInfoMapping;
+        private Map<String, String> userInfoRequirements;
+        private Map<String, String> google;
+        private Map<String, String> github;
+        private Map<String, String> azure;
+        private Map<String, String> oracle;
+        private Map<String, String> other;
+      }
+
+      @Data
+      public static class Provider {
+        private Map<String, String> google;
+        private Map<String, String> github;
+        private Map<String, String> azure;
+        private Map<String, String> oracle;
+        private Map<String, String> other;
+      }
+    }
+  }
 }

halyard-deploy/src/main/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/service/GateService.java

@@ -24,6 +24,7 @@
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerRuntimeSettings;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot128ProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot154ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot667ProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateProfileFactory;
 import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.Profile;
 import java.nio.file.Paths;
@@ -49,6 +50,8 @@ public abstract class GateService extends SpringService<GateService.Gate> {
 
   @Autowired private GateBoot128ProfileFactory boot128ProfileFactory;
 
+  @Autowired private GateBoot667ProfileFactory boot667ProfileFactory;
+
   @Override
   public SpinnakerArtifact getArtifact() {
     return SpinnakerArtifact.GATE;
@@ -87,17 +90,22 @@ public List<Profile> getProfiles(
     return profiles;
   }
 
-  private GateProfileFactory getGateProfileFactory(String deploymentName) {
+  GateProfileFactory getGateProfileFactory(String deploymentName) {
     String version =
         getArtifactService().getArtifactVersion(deploymentName, SpinnakerArtifact.GATE);
+    log.info("the current spinnaker version is: " + version);
     try {
       if (Versions.lessThan(version, BOOT_UPGRADED_VERSION)) {
         return boot128ProfileFactory;
       }
+
+      if (Versions.lessThan(version, "6.67.0")) {
+        return boot154ProfileFactory;
+      }
     } catch (IllegalArgumentException iae) {
       log.warn("Could not resolve Gate version, using `boot154ProfileFactory`.");
     }
-    return boot154ProfileFactory;
+    return boot667ProfileFactory;
   }
 
   public GateService() {

halyard-deploy/src/test/groovy/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/service/GateServiceTest.java

@@ -0,0 +1,74 @@
+package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.netflix.spinnaker.halyard.deploy.services.v1.ArtifactService;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.SpinnakerArtifact;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot128ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot154ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateBoot667ProfileFactory;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile.GateProfileFactory;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+class GateServiceTest {
+
+  private GateService gateService;
+  private GateBoot128ProfileFactory mockBoot128ProfileFactory;
+  private GateBoot154ProfileFactory mockBoot154ProfileFactory;
+  private GateBoot667ProfileFactory mockBoot667ProfileFactory;
+  private ArtifactService mockArtifactService;
+
+  @BeforeEach
+  void setUp() {
+    gateService = mock(GateService.class, CALLS_REAL_METHODS);
+    mockBoot128ProfileFactory = mock(GateBoot128ProfileFactory.class);
+    mockBoot154ProfileFactory = mock(GateBoot154ProfileFactory.class);
+    mockBoot667ProfileFactory = mock(GateBoot667ProfileFactory.class);
+    mockArtifactService = mock(ArtifactService.class);
+
+    gateService.setBoot128ProfileFactory(mockBoot128ProfileFactory);
+    gateService.setBoot154ProfileFactory(mockBoot154ProfileFactory);
+    gateService.setBoot667ProfileFactory(mockBoot667ProfileFactory);
+    when(gateService.getArtifactService()).thenReturn(mockArtifactService);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionLessThan070() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("0.6.9");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot128ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionBetween070And667() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("6.66.0");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot154ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryVersionGreaterThan667() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("6.67.1");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot667ProfileFactory, result);
+  }
+
+  @Test
+  void testGetGateProfileFactoryInvalidVersionUsesDefault() {
+    when(mockArtifactService.getArtifactVersion("test-deployment", SpinnakerArtifact.GATE))
+        .thenReturn("invalid-version");
+
+    GateProfileFactory result = gateService.getGateProfileFactory("test-deployment");
+    assertEquals(mockBoot667ProfileFactory, result);
+  }
+}

halyard-deploy/src/test/java/com/netflix/spinnaker/halyard/deploy/spinnaker/v1/profile/GateBoot667ProfileFactoryTest.java

@@ -0,0 +1,55 @@
+package com.netflix.spinnaker.halyard.deploy.spinnaker.v1.profile;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.netflix.spinnaker.halyard.config.model.v1.security.ApiSecurity;
+import com.netflix.spinnaker.halyard.config.model.v1.security.Authn;
+import com.netflix.spinnaker.halyard.config.model.v1.security.OAuth2;
+import com.netflix.spinnaker.halyard.config.model.v1.security.Security;
+import com.netflix.spinnaker.halyard.config.model.v1.security.SpringSsl;
+import com.netflix.spinnaker.halyard.config.model.v1.security.X509;
+import com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+@ExtendWith(MockitoExtension.class)
+class GateBoot667ProfileFactoryTest {
+
+  private GateBoot667ProfileFactory factory;
+  private ServiceSettings mockServiceSettings;
+  private Security mockSecurity;
+  private Authn mockAuthn;
+  private OAuth2 oAuth2;
+
+  @BeforeEach
+  void setUp() {
+    factory = new GateBoot667ProfileFactory();
+    oAuth2 = new OAuth2();
+    oAuth2.setEnabled(true);
+    oAuth2.setProvider(OAuth2.Provider.GOOGLE);
+    mockServiceSettings = mock(ServiceSettings.class);
+    mockSecurity = mock(Security.class);
+    mockAuthn = mock(Authn.class);
+    ApiSecurity mockApiSecurity = mock(ApiSecurity.class);
+    when(mockSecurity.getAuthn()).thenReturn(mockAuthn);
+    when(mockAuthn.getOauth2()).thenReturn(oAuth2);
+    X509 x509 = new X509();
+    when(mockAuthn.getX509()).thenReturn(x509);
+
+    when(mockSecurity.getApiSecurity()).thenReturn(mockApiSecurity);
+    SpringSsl springSsl = mock(SpringSsl.class);
+    when(mockApiSecurity.getSsl()).thenReturn(springSsl);
+  }
+
+  @Test
+  void testGetGateConfigWithOAuth2Enabled() {
+    GateProfileFactory.GateConfig config = factory.getGateConfig(mockServiceSettings, mockSecurity);
+    assertNotNull(config);
+    assertNotNull(config.getSpring());
+    assertNotNull(config.getSpring().getSecurity());
+  }
+}