4.x: Validate that header has at least one value when list is used. (#8489)

* Validate that header has at least one value when list is used.
* Fix usage where we may have called it with empty list.

Author: tomas-langer

http/http/src/main/java/io/helidon/http/HeaderValues.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2023, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -290,9 +290,10 @@ public static Header create(String name, long value) {
      * Create a new header. This header is considered unchanging and not sensitive.
      *
      * @param name   name of the header
-     * @param values values of the header
+     * @param values values of the header, must contain at least one value (which may be an empty String)
      * @return a new header
      * @see #create(io.helidon.http.HeaderName, boolean, boolean, String...)
+     * @throws java.lang.IllegalArgumentException in case the collection is empty
      */
     public static Header create(HeaderName name, String... values) {
         if (values.length == 0) {
@@ -305,9 +306,10 @@ public static Header create(HeaderName name, String... values) {
      * Create a new header. This header is considered unchanging and not sensitive.
      *
      * @param name   name of the header
-     * @param values values of the header
+     * @param values values of the header, must contain at least one value (which may be an empty String)
      * @return a new header
      * @see #create(io.helidon.http.HeaderName, boolean, boolean, String...)
+     * @throws java.lang.IllegalArgumentException in case the collection is empty
      */
     public static Header create(String name, String... values) {
         return create(HeaderNames.create(name), values);
@@ -317,21 +319,26 @@ public static Header create(String name, String... values) {
      * Create a new header. This header is considered unchanging and not sensitive.
      *
      * @param name   name of the header
-     * @param values values of the header
+     * @param values values of the header, must contain at least one value (which may be an empty String)
      * @return a new header
      * @see #create(io.helidon.http.HeaderName, boolean, boolean, String...)
+     * @throws java.lang.IllegalArgumentException in case the collection is empty
      */
     public static Header create(HeaderName name, Collection<String> values) {
+        if (values.isEmpty()) {
+            throw new IllegalArgumentException("Cannot create a header without a value. Header: " + name);
+        }
         return new HeaderValueList(name, false, false, values);
     }
 
     /**
      * Create a new header. This header is considered unchanging and not sensitive.
      *
      * @param name   name of the header
-     * @param values values of the header
+     * @param values values of the header, must contain at least one value (which may be an empty String)
      * @return a new header
      * @see #create(io.helidon.http.HeaderName, boolean, boolean, String...)
+     * @throws java.lang.IllegalArgumentException in case the collection is empty
      */
     public static Header create(String name, Collection<String> values) {
         return create(HeaderNames.create(name), values);

http/http/src/main/java/io/helidon/http/ServerRequestHeaders.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

http/http/src/test/java/io/helidon/http/HeaderValuesTest.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.http;
+
+import java.util.List;
+import java.util.Locale;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class HeaderValuesTest {
+    @Test
+    void testEmptyValuesFail() {
+        assertThrows(IllegalArgumentException.class, () -> HeaderValues.create("Name", List.of()));
+        assertThrows(IllegalArgumentException.class, () -> HeaderValues.create("Name"));
+        assertThrows(IllegalArgumentException.class, () -> HeaderValues.create(HeaderNames.CONTENT_DISPOSITION, List.of()));
+        assertThrows(IllegalArgumentException.class, () -> HeaderValues.create(HeaderNames.CONTENT_DISPOSITION));
+    }
+
+    @Test
+    void testConstantValue() {
+        // test a value to make sure we do not have a problem with initialization
+        Header connectionClose = HeaderValues.CONNECTION_CLOSE;
+        assertThat(connectionClose.name().toLowerCase(Locale.ROOT), is("connection"));
+        assertThat(connectionClose.headerName(), is(HeaderNames.CONNECTION));
+        assertThat(connectionClose.get(), is("close"));
+    }
+}

security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/TenantAuthenticationHandler.java

@@ -718,11 +718,17 @@ private AuthenticationResponse processValidationResult(ProviderRequest providerR
             }
 
             if (missingScopes.isEmpty()) {
-                return AuthenticationResponse.builder()
+                AuthenticationResponse.Builder response = AuthenticationResponse.builder()
                         .status(SecurityResponse.SecurityStatus.SUCCESS)
-                        .user(subject)
-                        .responseHeader(HeaderNames.SET_COOKIE.defaultCase(), cookies)
-                        .build();
+                        .user(subject);
+
+                if (cookies.isEmpty()) {
+                    return response.build();
+                } else {
+                    return response
+                            .responseHeader(HeaderNames.SET_COOKIE.defaultCase(), cookies)
+                            .build();
+                }
             } else {
                 return errorResponse(providerRequest,
                                      Status.FORBIDDEN_403,

security/security/src/main/java/io/helidon/security/SecurityResponse.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -232,6 +232,12 @@ public T throwable(Throwable exception) {
          * @return updated builder instance
          */
         public T requestHeaders(Map<String, List<String>> headers) {
+            headers.forEach((header, values) -> {
+                if (values.isEmpty()) {
+                    throw new IllegalArgumentException("Header values cannot be empty, at least one value is required."
+                                                               + "Request header name: " + header);
+                }
+            });
             this.requestHeaders.clear();
             this.requestHeaders.putAll(headers);
             return identity();
@@ -259,6 +265,10 @@ public T requestHeader(String header, String value) {
          * @return this instance
          */
         public T requestHeader(String header, List<String> values) {
+            if (values.isEmpty()) {
+                throw new IllegalArgumentException("Header values cannot be empty, at least one value is required."
+                                                           + "Request header name: " + header);
+            }
             requestHeaders.put(header, values);
             return identity();
         }
@@ -270,6 +280,12 @@ public T requestHeader(String header, List<String> values) {
          * @return updated builder instance
          */
         public T responseHeaders(Map<String, List<String>> headers) {
+            headers.forEach((header, values) -> {
+                if (values.isEmpty()) {
+                    throw new IllegalArgumentException("Header values cannot be empty, at least one value is required."
+                                                               + "Response header name: " + header);
+                }
+            });
             this.responseHeaders.clear();
             this.responseHeaders.putAll(headers);
             return identity();
@@ -297,6 +313,10 @@ public T responseHeader(String header, String value) {
          * @return this instance
          */
         public T responseHeader(String header, List<String> values) {
+            if (values.isEmpty()) {
+                throw new IllegalArgumentException("Header values cannot be empty, at least one value is required."
+                                                           + "Response header name: " + header);
+            }
             responseHeaders.put(header, values);
             return identity();
         }