public Optional validateForClientCredentialsFlow()

in service/common/src/main/java/org/apache/polaris/service/auth/TokenRequestValidator.java [47:77]


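  /**
   * Checks the parameters of a client-credentials token request for presence and shape.
   *
   * <p>The checks run in order and the first failure wins: client id and secret must be
   * non-empty, the grant type must be one of {@code ALLOWED_GRANT_TYPES}, and the scope must be
   * a space-separated list in which every entry is {@code OAuthUtils.POLARIS_ROLE_PREFIX}
   * followed by at least one character. This method only validates the request shape; it does
   * not verify the secret or authenticate the client. The client secret is never written to the
   * log.
   *
   * @param clientId client identifier taken from the request
   * @param clientSecret client secret taken from the request
   * @param grantType requested OAuth2 grant type
   * @param scope space-separated list of requested scopes
   * @return the error to report to the caller, or an empty {@code Optional} when every check
   *     passes
   */
  public Optional<OAuthTokenErrorResponse.Error> validateForClientCredentialsFlow(
      final String clientId,
      final String clientSecret,
      final String grantType,
      final String scope) {
    if (clientId == null || clientId.isEmpty() || clientSecret == null || clientSecret.isEmpty()) {
      // TODO: Figure out how to get the authorization header from `securityContext`
      LOGGER.info("Missing Client ID or Client Secret in Request Body");
      return Optional.of(OAuthTokenErrorResponse.Error.invalid_client);
    }
    if (grantType == null || grantType.isEmpty() || !ALLOWED_GRANT_TYPES.contains(grantType)) {
      // The value is caller-controlled: neutralise control characters before it reaches the log.
      LOGGER.info("Invalid grant type: " + sanitizeForLog(grantType));
      // NOTE(review): RFC 6749 section 5.2 reserves `unsupported_grant_type` for a grant type
      // the server does not support; `invalid_grant` is kept here because callers may depend
      // on it -- confirm before changing.
      return Optional.of(OAuthTokenErrorResponse.Error.invalid_grant);
    }
    if (scope == null || scope.isEmpty()) {
      LOGGER.info("Missing scope in Request Body");
      return Optional.of(OAuthTokenErrorResponse.Error.invalid_scope);
    }
    String[] scopes = scope.split(" ");
    if (scopes.length == 0) {
      // split() drops trailing empty tokens, so a scope made only of spaces yields no entries;
      // without this check the loop below would not run and the request would be accepted
      // without any role scope.
      LOGGER.info("Missing scope in Request Body");
      return Optional.of(OAuthTokenErrorResponse.Error.invalid_scope);
    }
    final int prefixLength = OAuthUtils.POLARIS_ROLE_PREFIX.length();
    for (String s : scopes) {
      // Literal comparison (no regex): the entry must be the prefix plus a non-empty role name.
      if (!s.startsWith(OAuthUtils.POLARIS_ROLE_PREFIX) || s.length() == prefixLength) {
        LOGGER.info(
            "Invalid scope provided. scope="
                + sanitizeForLog(s)
                + " scopes="
                + sanitizeForLog(scope));
        return Optional.of(OAuthTokenErrorResponse.Error.invalid_scope);
      }
    }
    return Optional.empty();
  }

  /**
   * Replaces control characters (including CR and LF) with {@code '_'} so that a request value
   * cannot start a new line or otherwise forge entries in the log output.
   */
  private static String sanitizeForLog(final String value) {
    if (value == null) {
      return "null";
    }
    final StringBuilder cleaned = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
      final char c = value.charAt(i);
      cleaned.append(Character.isISOControl(c) ? '_' : c);
    }
    return cleaned.toString();
  }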