GH-1751: JsonDeser. Trust Mapped Class Packages

Resolves #1751

Always trust packages for classes in the id class mappings, even
with an externally injected type mapper.

We don't normally reconfigure mappers when injected, but in this case
it makes sense and provides an easier user experience.

Author: garyrussell

spring-kafka/src/main/java/org/springframework/kafka/support/serializer/JsonDeserializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2020 the original author or authors.
+ * Copyright 2015-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -296,14 +296,18 @@ public Jackson2JavaTypeMapper getTypeMapper() {
 	}
 
 	/**
-	 * Set a customized type mapper.
+	 * Set a customized type mapper. If the mapper is an {@link AbstractJavaTypeMapper},
+	 * any class mappings configured in the mapper will be added to the trusted packages.
 	 * @param typeMapper the type mapper.
 	 * @since 2.1
 	 */
 	public void setTypeMapper(Jackson2JavaTypeMapper typeMapper) {
 		Assert.notNull(typeMapper, "'typeMapper' cannot be null");
 		this.typeMapper = typeMapper;
 		this.typeMapperExplicitlySet = true;
+		if (typeMapper instanceof AbstractJavaTypeMapper) {
+			addMappingsToTrusted(((AbstractJavaTypeMapper) typeMapper).getIdClassMapping());
+		}
 	}
 
 	/**
@@ -375,15 +379,21 @@ public void configure(Map<String, ?> configs, boolean isKey) {
 		}
 		if (configs.containsKey(TYPE_MAPPINGS) && !this.typeMapperExplicitlySet
 				&& this.typeMapper instanceof AbstractJavaTypeMapper) {
-			((AbstractJavaTypeMapper) this.typeMapper).setIdClassMapping(
-					JsonSerializer.createMappings(configs.get(JsonSerializer.TYPE_MAPPINGS).toString()));
+			((AbstractJavaTypeMapper) this.typeMapper).setIdClassMapping(createMappings(configs));
 		}
 		if (configs.containsKey(REMOVE_TYPE_INFO_HEADERS)) {
 			this.removeTypeHeaders = Boolean.parseBoolean(configs.get(REMOVE_TYPE_INFO_HEADERS).toString());
 		}
 		setUpTypeMethod(configs, isKey);
 	}
 
+	private Map<String, Class<?>> createMappings(Map<String, ?> configs) {
+		Map<String, Class<?>> mappings =
+				JsonSerializer.createMappings(configs.get(JsonSerializer.TYPE_MAPPINGS).toString());
+		addMappingsToTrusted(mappings);
+		return mappings;
+	}
+
 	private void setUpTypeMethod(Map<String, ?> configs, boolean isKey) {
 		if (isKey && configs.containsKey(KEY_TYPE_METHOD)) {
 			setUpTypeResolver((String) configs.get(KEY_TYPE_METHOD));
@@ -471,6 +481,13 @@ public void addTrustedPackages(String... packages) {
 		doAddTrustedPackages(packages);
 	}
 
+	private void addMappingsToTrusted(Map<String, Class<?>> mappings) {
+		mappings.values().forEach(clazz -> {
+			doAddTrustedPackages(clazz.getPackageName());
+			doAddTrustedPackages(clazz.getPackageName() + ".*");
+		});
+	}
+
 	private void addTargetPackageToTrusted() {
 		String targetPackageName = getTargetPackageName();
 		if (targetPackageName != null) {

spring-kafka/src/main/java/org/springframework/kafka/support/serializer/JsonSerializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 the original author or authors.
+ * Copyright 2016-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -167,7 +167,7 @@ protected static Map<String, Class<?>> createMappings(String mappings) {
 						ClassUtils.forName(split[1].trim(), ClassUtils.getDefaultClassLoader()));
 			}
 			catch (ClassNotFoundException | LinkageError e) {
-				throw new IllegalArgumentException(e);
+				throw new IllegalArgumentException("Failed to load: " + split[1] + " for " + split[0], e);
 			}
 		}
 		return mappingsMap;

spring-kafka/src/test/java/org/springframework/kafka/support/serializer/JsonSerializationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 the original author or authors.
+ * Copyright 2016-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -291,6 +291,32 @@ void testParseTrustedPackages() {
 				.contains("foo", "bar", "baz");
 	}
 
+	@SuppressWarnings("unchecked")
+	@Test
+	void testTrustMappingPackages() {
+		JsonDeserializer<Object> deser = new JsonDeserializer<>();
+		Map<String, Object> props = Collections.singletonMap(JsonDeserializer.TYPE_MAPPINGS,
+				"foo:" + Foo.class.getName());
+		deser.configure(props, false);
+		assertThat(KafkaTestUtils.getPropertyValue(deser, "typeMapper.trustedPackages", Set.class))
+				.contains(Foo.class.getPackageName());
+		assertThat(KafkaTestUtils.getPropertyValue(deser, "typeMapper.trustedPackages", Set.class))
+			.contains(Foo.class.getPackageName() + ".*");
+	}
+
+	@SuppressWarnings("unchecked")
+	@Test
+	void testTrustMappingPackagesMapper() {
+		JsonDeserializer<Object> deser = new JsonDeserializer<>();
+		DefaultJackson2JavaTypeMapper mapper = new DefaultJackson2JavaTypeMapper();
+		mapper.setIdClassMapping(Collections.singletonMap("foo", Foo.class));
+		deser.setTypeMapper(mapper);
+		assertThat(KafkaTestUtils.getPropertyValue(deser, "typeMapper.trustedPackages", Set.class))
+				.contains(Foo.class.getPackageName());
+		assertThat(KafkaTestUtils.getPropertyValue(deser, "typeMapper.trustedPackages", Set.class))
+			.contains(Foo.class.getPackageName() + ".*");
+	}
+
 	@Test
 	void testTypeFunctionViaProperties() {
 		JsonDeserializer<Object> deser = new JsonDeserializer<>();