Core: Fix OAuthTokenResponse.addScope error to show the invalid scope#17126
Open
anxkhn wants to merge 1 commit into
Open
Core: Fix OAuthTokenResponse.addScope error to show the invalid scope#17126anxkhn wants to merge 1 commit into
anxkhn wants to merge 1 commit into
Conversation
Builder.addScope validated the scope with Preconditions.checkArgument(..., "Invalid scope: %s") but did not pass the scope argument for the %s placeholder. Guava leaves the unmatched %s in place, so an invalid scope raised IllegalArgumentException with the literal message "Invalid scope: %s", hiding the value that was actually rejected. Pass the scope as the format argument so the message reports the offending value, and add a regression test asserting the message contains the scope rather than the literal placeholder. Generated-by: opencode Signed-off-by: Anas Khan <83116240+anxkhn@users.noreply.github.com>
ebyhr
approved these changes
Jul 7, 2026
| } | ||
|
|
||
| @Test | ||
| void invalidScopeReportsScopeValue() { |
Member
There was a problem hiding this comment.
Suggested change
| void invalidScopeReportsScopeValue() { | |
| void addInvalidScope() { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
OAuthTokenResponse.Builder.addScopevalidates the scope withThe message template has a
%splaceholder but no substitution argument ispassed. Guava's
Preconditions.checkArgumentleaves an unmatched%sin placewhen there is no corresponding argument, so rejecting an invalid scope throws:
The literal
%sis shown instead of the scope that was actually rejected, whichdefeats the purpose of the diagnostic. This is reachable through the public
Builder.addScope(String)/addScopes(List<String>)API.This passes
scopeas the format argument so the message reports the offendingvalue:
A scope such as
"bad scope"(a space is not permitted byOAuth2Util.VALID_SCOPE_TOKEN) now producesInvalid scope: bad scope. Thisalso matches the sibling
validate()check in the same class, which alreadyformats its value:
"Unsupported token type: %s", tokenType.Changes
core/src/main/java/org/apache/iceberg/rest/responses/OAuthTokenResponse.javapass
scopeas the format argument to the existing precondition.core/src/test/java/org/apache/iceberg/rest/responses/TestOAuthTokenResponse.javaadd a regression test asserting the thrown message is
Invalid scope: bad scoperather than the literal placeholder.
Testing
spotlessCheckis clean; the test class runs 4 tests, 0 failures. Reverting theone-line source change makes the new test fail with
expected: "Invalid scope: bad scope" but was: "Invalid scope: %s", confirming itguards the fix.
AI Disclosure
Preconditions.checkArgumentmessage template used%swithout passing the substitution argument, then add a regression test.Notes / provenance (NOT for the PR; internal only)
(commit 086a5db).
OAuthTokenResponse,"Invalid scope", andaddScopeinapache/iceberg. Only PR API, Core: Add exceptions for OAuth2 token endpoint errors #16507("API, Core: Add exceptions for OAuth2 token endpoint errors") matches, and it
touches only
OAuth2*exception classes,core/.../rest/ErrorHandlers.java, andTestErrorHandlers.java; it does not touchOAuthTokenResponse.java. It matchedpurely on the RFC
invalid_scopeclient error type, a different concern. Nocompeting or duplicate PR for this Builder-side fix.
origin/mainadvanced 3 commits since the branch base (allBuild: Bump ...dependency updates); none touchOAuthTokenResponse.javaor itstest. Clean rebase target, no drift on the changed files.
Generated-by: opencodetrailer, and the PR body carries theAI Disclosure block, per the repo AGENTS.md AI-generated-PR policy. Human Oversight
is set to "partially reviewed": the diff passed an independent adversarial review
and the tests were re-run, but Anas has not yet reviewed it. Anas should change
this to "fully reviewed" after reading the diff, or leave it as is.
the implement, verify, and draft phases.