hotfix cache key header mutability in AbstractOAuth2TokenService (#745)

* hotfix cache key mutability in AbstractOAuth2TokenService * fix implementation Co-authored-by: Nena Raab <nena.raab@sap.com>
SAP · Dec 7, 2021 · 6c4896e · 6c4896e
1 parent 9a62a4c
commit 6c4896e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/...n-client/src/main/java/com/sap/cloud/security/xsuaa/client/DefaultOAuth2TokenService.java b/...n-client/src/main/java/com/sap/cloud/security/xsuaa/client/DefaultOAuth2TokenService.java
@@ -74,8 +74,11 @@ public DefaultOAuth2TokenService(@Nonnull CloseableHttpClient httpClient,
 	@Override
 	protected OAuth2TokenResponse requestAccessToken(URI tokenEndpointUri, HttpHeaders headers,
 			Map<String, String> parameters) throws OAuth2ServiceException {
-		headers.withHeader(MDCHelper.CORRELATION_HEADER, MDCHelper.getOrCreateCorrelationId());
-		HttpPost httpPost = createHttpPost(tokenEndpointUri, headers, parameters);
+		HttpHeaders requestHeaders = new HttpHeaders();
+		headers.getHeaders().forEach(h -> requestHeaders.withHeader(h.getName(), h.getValue()));
+		requestHeaders.withHeader(MDCHelper.CORRELATION_HEADER, MDCHelper.getOrCreateCorrelationId());
+
+		HttpPost httpPost = createHttpPost(tokenEndpointUri, requestHeaders, parameters);
 		LOGGER.debug("access token request {} - {}", headers, parameters);
 		return executeRequest(httpPost);
 	}

diff --git a/...ient/src/test/java/com/sap/cloud/security/xsuaa/client/DefaultOAuth2TokenServiceTest.java b/...ient/src/test/java/com/sap/cloud/security/xsuaa/client/DefaultOAuth2TokenServiceTest.java
@@ -9,6 +9,7 @@
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.core.read.ListAppender;
+import com.sap.cloud.security.config.ClientCredentials;
 import com.sap.cloud.security.servlet.MDCHelper;
 import com.sap.cloud.security.xsuaa.http.HttpHeaders;
 import com.sap.cloud.security.xsuaa.http.HttpHeadersFactory;
@@ -136,6 +137,20 @@ public void httpResponseWithErrorStatusCode_throwsExceptionContainingMessage() t
 				.extracting("httpStatusCode").isEqualTo(HttpStatus.SC_UNAUTHORIZED);
 	}
 
+	@Test
+	public void retrieveToken_testCache() throws IOException {
+		CloseableHttpResponse response = HttpClientTestFactory.createHttpResponse(VALID_JSON_RESPONSE);
+		when(mockHttpClient.execute(any(HttpPost.class)))
+				.thenReturn(response);
+
+		cut.retrieveAccessTokenViaClientCredentialsGrant(TOKEN_ENDPOINT_URI,
+				new ClientCredentials("myClientId", "mySecret"), null, null, emptyMap(), false);
+		cut.retrieveAccessTokenViaClientCredentialsGrant(TOKEN_ENDPOINT_URI,
+				new ClientCredentials("myClientId", "mySecret"), null, null, emptyMap(), false);
+
+		verify(mockHttpClient, times(1)).execute(any(HttpPost.class));
+	}
+
 	private OAuth2TokenResponse requestAccessToken(Map<String, String> optionalParameters)
 			throws OAuth2ServiceException {
 		HttpHeaders withoutAuthorizationHeader = HttpHeadersFactory.createWithoutAuthorizationHeader();