Add Test to Report Missing serialVersionUID

jzheaux · jzheaux · commit 759248365418 · 2024-12-12T18:12:11.000-07:00
Issue gh-16276
diff --git a/config/spring-security-config.gradle b/config/spring-security-config.gradle
@@ -172,6 +172,17 @@ configure(project.tasks.withType(Test)) {
 	}
 }
 
+test {
+	onOutput { descriptor, event ->
+		if (!project.hasProperty('serialization')) {
+			return
+		}
+		if (descriptor.name=='listClassesMissingSerialVersion()') {
+			logger.lifecycle(event.message)
+		}
+	}
+}
+
 tasks.register("opensaml5Test", Test) {
 	filter {
 		includeTestsMatching "org.springframework.security.config.annotation.web.configurers.saml2.*"
diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -25,6 +25,7 @@
 import java.io.ObjectOutputStream;
 import java.io.ObjectStreamClass;
 import java.io.Serializable;
+import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -36,6 +37,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apereo.cas.client.validation.AssertionImpl;
@@ -44,6 +46,7 @@
 import org.instancio.Select;
 import org.instancio.generator.Generator;
 import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
 
@@ -289,6 +292,39 @@ static Stream<Path> getFilesToDeserialize() throws IOException {
 		return Files.list(previousVersionFolder);
 	}
 
+	@Test
+	void listClassesMissingSerialVersion() throws Exception {
+		ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(false);
+		provider.addIncludeFilter(new AssignableTypeFilter(Serializable.class));
+		List<Class<?>> classes = new ArrayList<>();
+
+		Set<BeanDefinition> components = provider.findCandidateComponents("org/springframework/security");
+		for (BeanDefinition component : components) {
+			Class<?> clazz = Class.forName(component.getBeanClassName());
+			boolean isAbstract = Modifier.isAbstract(clazz.getModifiers());
+			if (isAbstract) {
+				continue;
+			}
+			if (clazz.isEnum()) {
+				continue;
+			}
+			if (clazz.getName().contains("Tests")) {
+				continue;
+			}
+			boolean hasSerialVersion = Stream.of(clazz.getDeclaredFields())
+				.map(Field::getName)
+				.anyMatch((n) -> n.equals("serialVersionUID"));
+			if (!hasSerialVersion) {
+				classes.add(clazz);
+			}
+		}
+		if (!classes.isEmpty()) {
+			System.out
+				.println("Found " + classes.size() + " Serializable classes that don't declare a seriallVersionUID");
+			System.out.println(classes.stream().map(Class::getName).collect(Collectors.joining("\r\n")));
+		}
+	}
+
 	static Stream<Class<?>> getClassesToSerialize() throws Exception {
 		ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(false);
 		provider.addIncludeFilter(new AssignableTypeFilter(Serializable.class));
