github-code-scanning[bot] commented on code in PR #418:
URL: https://github.com/apache/syncope/pull/418#discussion_r1123082222
##########
wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java:
##########
@@ -91,12 +93,25 @@
}
chain.addPolicies(new OidcProfileScopeAttributeReleasePolicy(),
- new OidcEmailScopeAttributeReleasePolicy(),
- new OidcAddressScopeAttributeReleasePolicy(),
- new OidcPhoneScopeAttributeReleasePolicy());
+ new OidcEmailScopeAttributeReleasePolicy(),
+ new OidcAddressScopeAttributeReleasePolicy(),
+ new OidcPhoneScopeAttributeReleasePolicy());
- Set<String> customClaims =
clientApp.getReleaseAttrs().values().stream().
-
map(Objects::toString).collect(Collectors.toCollection(HashSet::new));
+ Set<String> customClaims = new HashSet<>();
+ if (attributeReleasePolicy instanceof
ReturnMappedAttributeReleasePolicy) {
+ customClaims.addAll(((ReturnMappedAttributeReleasePolicy)
attributeReleasePolicy).
+ getAllowedAttributes().values().stream().
+ map(Objects::toString).collect(Collectors.toSet()));
+ } else if (attributeReleasePolicy instanceof
ReturnAllowedAttributeReleasePolicy) {
+ customClaims.addAll(((ReturnAllowedAttributeReleasePolicy)
attributeReleasePolicy).
+
getAllowedAttributes().stream().collect(Collectors.toSet()));
+ } else if (attributeReleasePolicy instanceof
ChainingAttributeReleasePolicy) {
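Review bot: the new `customClaims` derivation only handles `ReturnMappedAttributeReleasePolicy`, `ReturnAllowedAttributeReleasePolicy` and `ChainingAttributeReleasePolicy`; a policy of any other type, or a null policy, now leaves `customClaims` empty, where the removed lines populated it from `clientApp.getReleaseAttrs()`. If that is intended, a final `else` branch with a log statement would make the silently empty claim set visible; if not, keep `clientApp.getReleaseAttrs()` as the fallback source. As a style point, in the `ReturnAllowedAttributeReleasePolicy` branch the `.stream().collect(Collectors.toSet())` round trip is unnecessary, since `customClaims.addAll(...)` accepts the collection returned by `getAllowedAttributes()` directly.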
Review Comment:
## Contradictory type checks
This access of [attributeReleasePolicy](1) cannot be of type
[ChainingAttributeReleasePolicy](2), since [this expression](3) ensures that it
is not of type [ChainingAttributeReleasePolicy](2).
[Show more details](https://github.com/apache/syncope/security/code-scanning/1226)
##########
common/am/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultAttrReleasePolicyConf.java:
##########
@@ -119,6 +123,10 @@
private final PrincipalAttrRepoConf principalAttrRepoConf = new
PrincipalAttrRepoConf();
+ public Map<String, Object> getReleaseAttrs() {
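Review bot: `getReleaseAttrs()` hands out the `releaseAttrs` map itself, so any caller can change the release configuration after the fact; the scanner lists three call sites where that is possible. If callers only need to read it, return `Collections.unmodifiableMap(releaseAttrs)` or a copy; if in-place population through the getter is the intended contract for this Conf bean, state that in a Javadoc comment on the getter so the alert can be dismissed deliberately rather than left open.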
Review Comment:
## Exposing internal representation
getReleaseAttrs exposes the internal representation stored in field
releaseAttrs. The value may be modified [after this call to getReleaseAttrs](1).
getReleaseAttrs exposes the internal representation stored in field
releaseAttrs. The value may be modified [after this call to getReleaseAttrs](2).
getReleaseAttrs exposes the internal representation stored in field
releaseAttrs. The value may be modified [after this call to getReleaseAttrs](3).
[Show more details](https://github.com/apache/syncope/security/code-scanning/1229)
##########
wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java:
##########
@@ -91,12 +93,25 @@
}
chain.addPolicies(new OidcProfileScopeAttributeReleasePolicy(),
- new OidcEmailScopeAttributeReleasePolicy(),
- new OidcAddressScopeAttributeReleasePolicy(),
- new OidcPhoneScopeAttributeReleasePolicy());
+ new OidcEmailScopeAttributeReleasePolicy(),
+ new OidcAddressScopeAttributeReleasePolicy(),
+ new OidcPhoneScopeAttributeReleasePolicy());
- Set<String> customClaims =
clientApp.getReleaseAttrs().values().stream().
-
map(Objects::toString).collect(Collectors.toCollection(HashSet::new));
+ Set<String> customClaims = new HashSet<>();
+ if (attributeReleasePolicy instanceof
ReturnMappedAttributeReleasePolicy) {
+ customClaims.addAll(((ReturnMappedAttributeReleasePolicy)
attributeReleasePolicy).
+ getAllowedAttributes().values().stream().
+ map(Objects::toString).collect(Collectors.toSet()));
+ } else if (attributeReleasePolicy instanceof
ReturnAllowedAttributeReleasePolicy) {
+ customClaims.addAll(((ReturnAllowedAttributeReleasePolicy)
attributeReleasePolicy).
+
getAllowedAttributes().stream().collect(Collectors.toSet()));
+ } else if (attributeReleasePolicy instanceof
ChainingAttributeReleasePolicy) {
+ ((ChainingAttributeReleasePolicy)
attributeReleasePolicy).getPolicies().stream().
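Review bot: the branch `else if (attributeReleasePolicy instanceof ChainingAttributeReleasePolicy)` is reported by the scanner as unreachable, because an earlier expression (before the closing `}` at the top of the hunk) already establishes that `attributeReleasePolicy` is not a chain at this point. If the intent is to collect claims from every policy in the chain, iterate `chain.getPolicies()` (the `chain` variable that receives the OIDC scope policies a few lines above) instead of re-testing `attributeReleasePolicy`, and if the stream body does not recurse, note that policies nested inside a further `ChainingAttributeReleasePolicy` would be missed.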
Review Comment:
## Contradictory type checks
This access of [attributeReleasePolicy](1) cannot be of type
[ChainingAttributeReleasePolicy](2), since [this expression](3) ensures that it
is not of type [ChainingAttributeReleasePolicy](2).
[Show more details](https://github.com/apache/syncope/security/code-scanning/1227)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]