Add test: haveResourceServerScopeInAccessTokenWhenThereAreMultiResourceServerScopesInAuthCode (Azure#18407)

Rujun Chen · web-flow · commit dc8f3e1e5bc3 · 2021-01-06T10:01:07.000+08:00
* Add test: haveResourceServerScopeInAccessTokenWhenThereAreMultiResourceServerScopesInAuthCode
diff --git a/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/webapp/AADWebAppConfiguration.java b/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/webapp/AADWebAppConfiguration.java
@@ -86,9 +86,11 @@ private AzureClientRegistration createDefaultClient() {
         return new AzureClientRegistration(client, accessTokenScopes);
     }
 
-    private int resourceServerCount(Set<String> scopes) {
+    public static int resourceServerCount(Set<String> scopes) {
         return (int) scopes.stream()
-                           .filter(scope -> scope.startsWith("http"))
+                           .filter(scope -> scope.contains("/"))
+                           .map(scope -> scope.substring(0, scope.lastIndexOf('/')))
+                           .distinct()
                            .count();
     }
 
diff --git a/sdk/spring/azure-spring-boot/src/test/java/com/azure/spring/aad/webapp/AADWebAppConfigurationTest.java b/sdk/spring/azure-spring-boot/src/test/java/com/azure/spring/aad/webapp/AADWebAppConfigurationTest.java
@@ -11,8 +11,11 @@
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
+import static com.azure.spring.aad.webapp.AADWebAppConfiguration.resourceServerCount;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -206,12 +209,12 @@ public void clientRequiresOnDemandPermissions() {
 
     @Test
     public void groupConfiguration() {
-        WebApplicationContextRunnerUtils.getContextRunnerWithRequiredProperties()
-            .withPropertyValues(
-            "azure.activedirectory.user-group.allowed-groups = group1, group2"
-            )
+        WebApplicationContextRunnerUtils
+            .getContextRunnerWithRequiredProperties()
+            .withPropertyValues("azure.activedirectory.user-group.allowed-groups = group1, group2")
             .run(context -> {
-                AADWebAppClientRegistrationRepository clientRepo = context.getBean(AADWebAppClientRegistrationRepository.class);
+                AADWebAppClientRegistrationRepository clientRepo =
+                    context.getBean(AADWebAppClientRegistrationRepository.class);
                 assertDefaultScopes(
                     clientRepo.getAzureClient(),
                     "openid", "profile", "https://graph.microsoft.com/User.Read",
@@ -220,6 +223,48 @@ public void groupConfiguration() {
             });
     }
 
+    @Test
+    public void haveResourceServerScopeInAccessTokenWhenThereAreMultiResourceServerScopesInAuthCode() {
+        WebApplicationContextRunnerUtils
+            .getContextRunnerWithRequiredProperties()
+            .withPropertyValues(
+                "azure.activedirectory.authorization-clients.office.scopes ="
+                    + " https://manage.office.com/ActivityFeed.Read",
+                "azure.activedirectory.authorization-clients.arm.scopes = "
+                    + "https://management.core.windows.net/user_impersonation"
+            )
+            .run(context -> {
+                AADWebAppClientRegistrationRepository repo =
+                    context.getBean(AADWebAppClientRegistrationRepository.class);
+                AzureClientRegistration azure = repo.getAzureClient();
+                assertNotNull(azure);
+                int resourceServerCountInAuthCode = resourceServerCount(azure.getClient().getScopes());
+                assertTrue(resourceServerCountInAuthCode > 1);
+                int resourceServerCountInAccessToken = resourceServerCount(azure.getAccessTokenScopes());
+                assertTrue(resourceServerCountInAccessToken != 0);
+            });
+    }
+
+    @Test
+    public void resourceServerCountTest() {
+        Set<String> scopes = new HashSet<>();
+        assertEquals(resourceServerCount(scopes), 0);
+        scopes.add("openid");
+        scopes.add("profile");
+        scopes.add("offline_access");
+        assertEquals(resourceServerCount(scopes), 0);
+        scopes.add("https://graph.microsoft.com/User.Read");
+        assertEquals(resourceServerCount(scopes), 1);
+        scopes.add("https://graph.microsoft.com/Directory.AccessAsUser.All");
+        assertEquals(resourceServerCount(scopes), 1);
+        scopes.add("https://manage.office.com/ActivityFeed.Read");
+        assertEquals(resourceServerCount(scopes), 2);
+        scopes.add("https://manage.office.com/ActivityFeed.ReadDlp");
+        assertEquals(resourceServerCount(scopes), 2);
+        scopes.add("https://manage.office.com/ServiceHealth.Read");
+        assertEquals(resourceServerCount(scopes), 2);
+    }
+
     private void assertDefaultScopes(ClientRegistration client, String... scopes) {
         assertEquals(scopes.length, client.getScopes().size());
         for (String s : scopes) {

Original file line number	Diff line number	Diff line change
`@@ -86,9 +86,11 @@ private AzureClientRegistration createDefaultClient() {`
`86`	`86`	`return new AzureClientRegistration(client, accessTokenScopes);`
`87`	`87`	`}`
`88`	`88`
`89`		`- private int resourceServerCount(Set<String> scopes) {`
	`89`	`+ public static int resourceServerCount(Set<String> scopes) {`
`90`	`90`	`return (int) scopes.stream()`
`91`		`- .filter(scope -> scope.startsWith("http"))`
	`91`	`+ .filter(scope -> scope.contains("/"))`
	`92`	`+ .map(scope -> scope.substring(0, scope.lastIndexOf('/')))`
	`93`	`+ .distinct()`
`92`	`94`	`.count();`
`93`	`95`	`}`
`94`	`96`