Better support for meta annotations by using AnnotatedElementUtils.findMergedAnnotation (#255)

*AnnotatedElementUtils.findMergedAnnotation instead of AnnotationUtils.findAnnotation

Author: janolaveide

token-validation-spring/src/main/java/no/nav/security/token/support/spring/validation/interceptor/SpringJwtTokenAnnotationHandler.java

@@ -1,43 +1,34 @@
 package no.nav.security.token.support.spring.validation.interceptor;
 
+import static org.springframework.core.annotation.AnnotatedElementUtils.findMergedAnnotation;
+
 import java.lang.annotation.Annotation;
+import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
 
-import org.springframework.core.annotation.AnnotationUtils;
-
 import no.nav.security.token.support.core.context.TokenValidationContextHolder;
 import no.nav.security.token.support.core.validation.JwtTokenAnnotationHandler;
 
-public class SpringJwtTokenAnnotationHandler extends JwtTokenAnnotationHandler {
-
+public final class SpringJwtTokenAnnotationHandler extends JwtTokenAnnotationHandler {
 
-    public SpringJwtTokenAnnotationHandler(TokenValidationContextHolder tokenValidationContextHolder) {
-        super(tokenValidationContextHolder);
+    public SpringJwtTokenAnnotationHandler(TokenValidationContextHolder holder) {
+        super(holder);
     }
 
     @Override
-    protected Annotation getAnnotation(Method method, List<Class<? extends Annotation>> types) {
-       return Optional.ofNullable(scanAnnotation(method, types))
-               .orElseGet(() -> scanAnnotation(method.getDeclaringClass(), types));
-    }
-
-    private static Annotation scanAnnotation(Method m, List<Class<? extends Annotation>> types) {
-        return types.stream()
-                .map(t -> AnnotationUtils.findAnnotation(m, t))
-                .filter(Objects::nonNull)
-                .findFirst()
-                .orElse(null);
+    protected Annotation getAnnotation(Method m, List<Class<? extends Annotation>> types) {
+        return Optional.ofNullable(findAnnotation(m, types))
+                .orElseGet(() -> findAnnotation(m.getDeclaringClass(), types));
     }
 
-    private static Annotation scanAnnotation(Class<?> clazz, List<Class<? extends Annotation>> types) {
+    private static Annotation findAnnotation(AnnotatedElement e, List<Class<? extends Annotation>> types) {
         return types.stream()
-                .map(t -> AnnotationUtils.findAnnotation(clazz, t))
+                .map(t -> findMergedAnnotation(e, t))
                 .filter(Objects::nonNull)
                 .findFirst()
                 .orElse(null);
     }
-
 }

token-validation-spring/src/test/java/no/nav/security/token/support/spring/integrationtest/MetaProtected.java

@@ -0,0 +1,33 @@
+package no.nav.security.token.support.spring.integrationtest;
+
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import org.springframework.core.annotation.AliasFor;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import no.nav.security.token.support.core.api.ProtectedWithClaims;
+
+@RestController
+@Documented
+@ProtectedWithClaims(issuer = "knownissuer")
+@Target(TYPE)
+@Retention(RUNTIME)
+@RequestMapping
+public @interface MetaProtected {
+    @AliasFor(annotation = RequestMapping.class, attribute = "value")
+    String[] value() default {};
+
+    @AliasFor(annotation = ProtectedWithClaims.class, attribute = "claimMap")
+    String[] claimMap() default "acr=Level4";
+
+    @AliasFor(annotation = RequestMapping.class, attribute = "produces")
+    String[] produces() default APPLICATION_JSON_VALUE;
+
+}

token-validation-spring/src/test/java/no/nav/security/token/support/spring/integrationtest/MetaProtectedRestController.java

@@ -0,0 +1,14 @@
+package no.nav.security.token.support.spring.integrationtest;
+
+import org.springframework.web.bind.annotation.GetMapping;
+
+@MetaProtected(MetaProtectedRestController.METAPROTECTED)
+public class MetaProtectedRestController {
+    static final String METAPROTECTED = "/metaprotected";
+
+    @GetMapping
+    public String metaProtectedWithClaimsMethod() {
+        return "protected with some required claims";
+    }
+
+}

token-validation-spring/src/test/java/no/nav/security/token/support/spring/integrationtest/ProtectedRestControllerIntegrationTest.java

@@ -1,14 +1,25 @@
 package no.nav.security.token.support.spring.integrationtest;
 
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
-import com.nimbusds.jwt.SignedJWT;
-import com.nimbusds.oauth2.sdk.TokenRequest;
-import io.restassured.module.mockmvc.RestAssuredMockMvc;
-import no.nav.security.mock.oauth2.MockOAuth2Server;
-import no.nav.security.mock.oauth2.token.OAuth2TokenCallback;
-import no.nav.security.token.support.test.JwkGenerator;
+import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
+import static no.nav.security.token.support.spring.integrationtest.MetaProtectedRestController.METAPROTECTED;
+import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.PROTECTED;
+import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.PROTECTED_WITH_CLAIMS;
+import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.PROTECTED_WITH_CLAIMS2;
+import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.PROTECTED_WITH_CLAIMS_ANY_CLAIMS;
+import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.UNPROTECTED;
+import static no.nav.security.token.support.test.JwtTokenGenerator.ACR;
+import static no.nav.security.token.support.test.JwtTokenGenerator.AUD;
+import static no.nav.security.token.support.test.JwtTokenGenerator.createSignedJWT;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
+
+import javax.servlet.Filter;
+
 import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -21,16 +32,19 @@
 import org.springframework.test.web.servlet.setup.MockMvcConfigurer;
 import org.springframework.web.context.WebApplicationContext;
 
-import javax.servlet.Filter;
-import java.util.*;
-import java.util.concurrent.TimeUnit;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.TokenRequest;
 
-import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
-import static no.nav.security.token.support.spring.integrationtest.ProtectedRestController.*;
-import static no.nav.security.token.support.test.JwtTokenGenerator.*;
+import io.restassured.module.mockmvc.RestAssuredMockMvc;
+import no.nav.security.mock.oauth2.MockOAuth2Server;
+import no.nav.security.mock.oauth2.token.OAuth2TokenCallback;
+import no.nav.security.token.support.test.JwkGenerator;
 
 @SpringBootTest
-@ContextConfiguration(classes = {ProtectedApplication.class, ProtectedApplicationConfig.class})
+@ContextConfiguration(classes = { ProtectedApplication.class, ProtectedApplicationConfig.class })
 @ActiveProfiles("test")
 class ProtectedRestControllerIntegrationTest {
 
@@ -56,21 +70,21 @@ public void afterConfigurerAdded(ConfigurableMockMvcBuilder<?> builder) {
     @Test
     void unprotectedMethod() {
         given()
-            .when()
-            .get(UNPROTECTED)
-            .then()
-            .log().ifValidationFails()
-            .statusCode(HttpStatus.OK.value());
+                .when()
+                .get(UNPROTECTED)
+                .then()
+                .log().ifValidationFails()
+                .statusCode(HttpStatus.OK.value());
     }
 
     @Test
     void noTokenInRequest() {
         given()
-            .when()
-            .get(PROTECTED)
-            .then()
-            .log().ifValidationFails()
-            .statusCode(HttpStatus.UNAUTHORIZED.value());
+                .when()
+                .get(PROTECTED)
+                .then()
+                .log().ifValidationFails()
+                .statusCode(HttpStatus.UNAUTHORIZED.value());
 
     }
 
@@ -100,8 +114,8 @@ void signedTokenInRequestUnknownAudience() {
     @Test
     void signedTokenInRequestProtectedWithClaimsMethodMissingRequiredClaims() {
         JWTClaimsSet jwtClaimsSet = defaultJwtClaimsSetBuilder()
-            .claim("importantclaim", "vip")
-            .build();
+                .claim("importantclaim", "vip")
+                .build();
         expectStatusCode(PROTECTED_WITH_CLAIMS, issueToken("knownissuer", jwtClaimsSet).serialize(), HttpStatus.UNAUTHORIZED);
     }
 
@@ -118,18 +132,24 @@ void signedTokenInRequestProtectedMethodShouldBeOk() {
         expectStatusCode(PROTECTED, jwt.serialize(), HttpStatus.OK);
     }
 
+    @Test
+    void signedTokenInRequestProtectedMetaMethodShouldBeOk() {
+        JWT jwt = issueToken("knownissuer", jwtClaimsSetKnownIssuer());
+        expectStatusCode(METAPROTECTED, jwt.serialize(), HttpStatus.OK);
+    }
+
     @Test
     void signedTokenInRequestProtectedWithClaimsMethodShouldBeOk() {
         JWTClaimsSet jwtClaimsSet = defaultJwtClaimsSetBuilder()
-            .claim("importantclaim", "vip")
-            .claim("acr", "Level4")
-            .build();
+                .claim("importantclaim", "vip")
+                .claim("acr", "Level4")
+                .build();
 
         expectStatusCode(PROTECTED_WITH_CLAIMS, issueToken("knownissuer", jwtClaimsSet).serialize(), HttpStatus.OK);
 
         JWTClaimsSet jwtClaimsSet2 = defaultJwtClaimsSetBuilder()
-            .claim("claim1", "1")
-            .build();
+                .claim("claim1", "1")
+                .build();
 
         expectStatusCode(PROTECTED_WITH_CLAIMS_ANY_CLAIMS, issueToken("knownissuer", jwtClaimsSet2).serialize(), HttpStatus.OK);
     }
@@ -138,12 +158,12 @@ void signedTokenInRequestProtectedWithClaimsMethodShouldBeOk() {
     void signedTokenInRequestWithoutSubAndAudClaimsShouldBeOk() {
         Date now = new Date();
         JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder()
-            .jwtID(UUID.randomUUID().toString())
-            .claim("auth_time", now)
-            .notBeforeTime(now)
-            .issueTime(now)
-            .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)))
-            .build();
+                .jwtID(UUID.randomUUID().toString())
+                .claim("auth_time", now)
+                .notBeforeTime(now)
+                .issueTime(now)
+                .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)))
+                .build();
 
         expectStatusCode(PROTECTED_WITH_CLAIMS2, issueToken("knownissuer2", jwtClaimsSet).serialize(), HttpStatus.OK);
     }
@@ -152,36 +172,36 @@ void signedTokenInRequestWithoutSubAndAudClaimsShouldBeOk() {
     void signedTokenInRequestWithoutSubAndAudClaimsShouldBeNotBeOk() {
         Date now = new Date();
         JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder()
-            .jwtID(UUID.randomUUID().toString())
-            .claim("auth_time", now)
-            .notBeforeTime(now)
-            .issueTime(now)
-            .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)))
-            .build();
+                .jwtID(UUID.randomUUID().toString())
+                .claim("auth_time", now)
+                .notBeforeTime(now)
+                .issueTime(now)
+                .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)))
+                .build();
 
         expectStatusCode(PROTECTED_WITH_CLAIMS, issueToken("knownissuer", jwtClaimsSet).serialize(), HttpStatus.UNAUTHORIZED);
     }
 
     private static void expectStatusCode(String uri, String token, HttpStatus httpStatus) {
         given()
-            .header("Authorization", "Bearer " + token)
-            .when()
-            .get(uri)
-            .then()
-            .log().ifValidationFails()
-            .statusCode(httpStatus.value());
+                .header("Authorization", "Bearer " + token)
+                .when()
+                .get(uri)
+                .then()
+                .log().ifValidationFails()
+                .statusCode(httpStatus.value());
     }
 
     private static JWTClaimsSet.Builder defaultJwtClaimsSetBuilder() {
         Date now = new Date();
         return new JWTClaimsSet.Builder()
-            .subject("testsub")
-            .audience(AUD)
-            .jwtID(UUID.randomUUID().toString())
-            .claim("auth_time", now)
-            .notBeforeTime(now)
-            .issueTime(now)
-            .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)));
+                .subject("testsub")
+                .audience(AUD)
+                .jwtID(UUID.randomUUID().toString())
+                .claim("auth_time", now)
+                .notBeforeTime(now)
+                .issueTime(now)
+                .expirationTime(new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)));
     }
 
     private static JWTClaimsSet jwtClaimsSetKnownIssuer() {
@@ -193,19 +213,19 @@ private static JWTClaimsSet jwtClaimsSet(String audience) {
     }
 
     public static JWTClaimsSet buildClaimSet(String subject, String audience, String authLevel,
-                                             long expiry) {
+            long expiry) {
         Date now = new Date();
         return new JWTClaimsSet.Builder()
-            .subject(subject)
-            .audience(audience)
-            .jwtID(UUID.randomUUID().toString())
-            .claim("acr", authLevel)
-            .claim("ver", "1.0")
-            .claim("nonce", "myNonce")
-            .claim("auth_time", now)
-            .notBeforeTime(now)
-            .issueTime(now)
-            .expirationTime(new Date(now.getTime() + expiry)).build();
+                .subject(subject)
+                .audience(audience)
+                .jwtID(UUID.randomUUID().toString())
+                .claim("acr", authLevel)
+                .claim("ver", "1.0")
+                .claim("nonce", "myNonce")
+                .claim("auth_time", now)
+                .notBeforeTime(now)
+                .issueTime(now)
+                .expirationTime(new Date(now.getTime() + expiry)).build();
     }
 
     private SignedJWT issueToken(String issuerId, JWTClaimsSet jwtClaimsSet) {
@@ -229,10 +249,10 @@ public String issuerId() {
             @Override
             public String audience(@NotNull TokenRequest tokenRequest) {
                 return Optional.ofNullable(jwtClaimsSet.getAudience())
-                    .stream()
-                    .flatMap(a -> a.stream())
-                    .findFirst()
-                    .orElse(null);
+                        .stream()
+                        .flatMap(a -> a.stream())
+                        .findFirst()
+                        .orElse(null);
             }
 
             @NotNull