test: Add integration tests for config client oauth2 support

Signed-off-by: prafsoni <prafsoni@gmail.com>

Author: prafsoni

pom.xml

@@ -107,6 +107,7 @@
 		<module>spring-cloud-config-sample</module>
 		<module>spring-cloud-starter-config</module>
 		<module>spring-cloud-config-client-tls-tests</module>
+		<module>spring-cloud-config-client-oauth2-tests</module>
 		<module>docs</module>
 	</modules>
 	<dependencyManagement>
@@ -178,6 +179,7 @@
 						<configuration>
 							<excludeArtifacts>
 								<artifact>spring-cloud-config-client-tls-tests</artifact>
+								<artifact>spring-cloud-config-client-oauth2-tests</artifact>
 								<artifact>spring-cloud-config-sample</artifact>
 							</excludeArtifacts>
 						</configuration>

spring-cloud-config-client-oauth2-tests/pom.xml

@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://maven.apache.org/POM/4.0.0"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>spring-cloud-config-client-oauth2-tests</artifactId>
+    <packaging>jar</packaging>
+    <name>Spring Cloud Config Client OAuth2 Tests</name>
+
+    <parent>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-config</artifactId>
+        <version>5.0.0-SNAPSHOT</version>
+        <relativePath>..</relativePath>
+    </parent>
+
+    <url>https://spring.io</url>
+    <description>Spring Cloud Config Client OAuth2 Integration Tests</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-config-client</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-autoconfigure</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+        </dependency>
+
+        <!-- Testing -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.platform</groupId>
+            <artifactId>junit-platform-launcher</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-test-support</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers-junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.github.dasniko</groupId>
+            <artifactId>testcontainers-keycloak</artifactId>
+            <version>3.4.0</version>
+            <scope>test</scope>
+        </dependency>
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+			<version>2.20.0</version>
+		</dependency>
+        <!-- MockServer for simulating a protected resource server -->
+        <dependency>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-netty</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-client-java</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <!--skip deploy (this is just a test module) -->
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
+

spring-cloud-config-client-oauth2-tests/src/test/java/org/springframework/cloud/config/client/ConfigClientRequestTemplateFactoryOAuth2Tests.java

@@ -0,0 +1,151 @@
+/*
+ * Copyright 2013-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.config.client;
+
+import java.net.URI;
+
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.mockserver.client.MockServerClient;
+import org.mockserver.integration.ClientAndServer;
+import org.mockserver.model.HttpRequest;
+import org.mockserver.model.MediaType;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientProperties;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.RestTemplate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockserver.model.HttpRequest.request;
+import static org.mockserver.model.HttpResponse.response;
+
+/**
+ * IntegrationTest for OAuth2 support in ConfigClientRequestTemplateFactory using Keycloak
+ * Test container as the Authorization Server and MockServer as a protected resource
+ * server.
+ */
+@Tag("DockerRequired")
+@Testcontainers
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+class ConfigClientRequestTemplateFactoryOAuth2Tests {
+
+	private static final Log log = LogFactory.getLog(ConfigClientRequestTemplateFactoryOAuth2Tests.class);
+
+	@Container
+	static KeycloakContainer keycloak = new KeycloakContainer().withRealmImportFile("test-realm.json"); // classpath
+																										// resource
+
+	private ClientAndServer mockServer;
+
+	private MockServerClient mockClient;
+
+	@BeforeAll
+	void startMockServer() {
+		mockServer = ClientAndServer.startClientAndServer(0);
+		mockClient = new MockServerClient("localhost", mockServer.getLocalPort());
+	}
+
+	@BeforeEach
+	void resetExpectations() {
+		mockClient.clear(request().withPath("/secure"));
+		mockClient.when(request().withMethod("GET").withPath("/secure")).respond(request -> {
+			if (request.containsHeader("Authorization")) {
+				String authHeader = request.getFirstHeader("Authorization");
+				if (authHeader != null && authHeader.startsWith("Bearer ")) {
+					return response().withStatusCode(200).withContentType(MediaType.TEXT_PLAIN).withBody("ok");
+				}
+			}
+			return response().withStatusCode(401);
+		});
+	}
+
+	@AfterAll
+	void tearDown() {
+		if (mockClient != null) {
+			mockClient.close();
+		}
+		if (mockServer != null) {
+			mockServer.stop();
+		}
+	}
+
+	@Test
+	void restTemplateAddsBearerTokenFromKeycloakUsingClientCredentials() {
+		// given OAuth2 client configuration pointing to Keycloak token endpoint
+		String tokenUri = keycloak.getAuthServerUrl() + "/realms/test-realm/protocol/openid-connect/token";
+
+		ConfigClientProperties props = new ConfigClientProperties();
+		props.getOauth2().setEnabled(true);
+
+		OAuth2ClientProperties.Provider provider = props.getOauth2().getProvider();
+		provider.setTokenUri(tokenUri);
+
+		OAuth2ClientProperties.Registration registration = props.getOauth2().getRegistration();
+		registration.setClientId("config-client");
+		registration.setClientSecret("my-client-secret");
+		registration.setAuthorizationGrantType("client_credentials");
+
+		ConfigClientRequestTemplateFactory factory = new ConfigClientRequestTemplateFactory(log, props);
+		RestTemplate restTemplate = factory.create();
+
+		// when
+		String url = "http://localhost:" + mockServer.getLocalPort() + "/secure";
+		ResponseEntity<String> response = restTemplate.getForEntity(URI.create(url), String.class);
+
+		// then
+		assertThat(response.getStatusCode().is2xxSuccessful()).isTrue();
+		assertThat(response.getBody()).isEqualTo("ok");
+
+		HttpRequest[] recorded = mockClient.retrieveRecordedRequests(request().withPath("/secure"));
+		assertThat(recorded).hasSize(1);
+		String authHeader = recorded[0].getFirstHeader("Authorization");
+		assertThat(authHeader).isNotNull().startsWith("Bearer ");
+	}
+
+	@Test
+	void restTemplateDoesNotAddAuthorizationHeaderWhenOauth2Disabled() {
+		// given ConfigClientProperties with OAuth2 disabled
+		ConfigClientProperties props = new ConfigClientProperties();
+		props.getOauth2().setEnabled(false); // explicitly disabled
+
+		ConfigClientRequestTemplateFactory factory = new ConfigClientRequestTemplateFactory(log, props);
+		RestTemplate restTemplate = factory.create();
+
+		// when
+		String url = "http://localhost:" + mockServer.getLocalPort() + "/secure";
+
+		assertThatThrownBy(() -> restTemplate.getForEntity(URI.create(url), String.class))
+			.isInstanceOf(org.springframework.web.client.HttpClientErrorException.Unauthorized.class);
+
+		// then
+
+		HttpRequest[] recorded = mockClient.retrieveRecordedRequests(request().withPath("/secure"));
+		assertThat(recorded).hasSize(1); // only this test's request
+		assertThat(recorded[0].containsHeader("Authorization")).isFalse();
+	}
+
+}

spring-cloud-config-client-oauth2-tests/src/test/resources/test-realm.json

@@ -0,0 +1,18 @@
+{
+  "realm": "test-realm",
+  "enabled": true,
+  "clients": [
+    {
+      "clientId": "config-client",
+      "secret": "my-client-secret",
+      "name": "Config Client",
+      "protocol": "openid-connect",
+      "publicClient": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": true,
+      "redirectUris": ["*"],
+      "webOrigins": ["*"]
+    }
+  ]
+}
+