Refactor the KeyUtils OBOAuthenticator and JwtAuthenticator with jwtP…

…arserBuilder

Signed-off-by: Ryan Liang <jiallian@amazon.com>

src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java

@@ -20,6 +20,7 @@
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.security.WeakKeyException;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
@@ -57,7 +58,8 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
         super();
 
         String signingKey = settings.get("signing_key");
-        JwtParser _jwtParser = KeyUtils.createJwtParserFromSigningKey(signingKey, log);
+
+        JwtParserBuilder jwtParserBuilder = KeyUtils.createJwtParserBuilderFromSigningKey(signingKey, log);
 
         jwtUrlParameter = settings.get("jwt_url_parameter");
         jwtHeaderName = settings.get("jwt_header", HttpHeaders.AUTHORIZATION);
@@ -68,14 +70,18 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
         requireIssuer = settings.get("required_issuer");
 
         if (requireAudience != null) {
-            _jwtParser.requireAudience(requireAudience);
+            jwtParserBuilder = jwtParserBuilder.require("aud", requireAudience);
         }
 
         if (requireIssuer != null) {
-            _jwtParser.requireIssuer(requireIssuer);
+            jwtParserBuilder = jwtParserBuilder.require("iss", requireIssuer);
         }
 
-        jwtParser = _jwtParser;
+        if (jwtParserBuilder != null) {
+            jwtParser = jwtParserBuilder.build();
+        } else {
+            jwtParser = null;
+        }
     }
 
     @Override

src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java

@@ -22,6 +22,7 @@
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.security.WeakKeyException;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
@@ -66,19 +67,21 @@ public OnBehalfOfAuthenticator(Settings settings, String clusterName) {
         String oboEnabledSetting = settings.get("enabled", "true");
         oboEnabled = Boolean.parseBoolean(oboEnabledSetting);
         encryptionKey = settings.get("encryption_key");
-        jwtParser = initParser(settings.get("signing_key"));
+        JwtParserBuilder builder = initParserBuilder(settings.get("signing_key"));
+        jwtParser = builder.build();
+
         this.clusterName = clusterName;
         this.encryptionUtil = new EncryptionDecryptionUtil(encryptionKey);
     }
 
-    private JwtParser initParser(final String signingKey) {
-        JwtParser _jwtParser = KeyUtils.createJwtParserFromSigningKey(signingKey, log);
+    private JwtParserBuilder initParserBuilder(final String signingKey) {
+        JwtParserBuilder jwtParserBuilder = KeyUtils.createJwtParserBuilderFromSigningKey(signingKey, log);
 
-        if (_jwtParser == null) {
+        if (jwtParserBuilder == null) {
             throw new RuntimeException("Unable to find on behalf of authenticator signing key");
         }
 
-        return _jwtParser;
+        return jwtParserBuilder;
     }
 
     private List<String> extractSecurityRolesFromClaims(Claims claims) {

src/main/java/org/opensearch/security/util/KeyUtils.java

@@ -11,36 +11,31 @@
 
 package org.opensearch.security.util;
 
-import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.Jwts;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.SpecialPermission;
 
-import java.security.AccessController;
-import java.security.Key;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedAction;
-import java.security.PublicKey;
+import java.security.*;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 import java.util.Objects;
 
 public class KeyUtils {
 
-    public static JwtParser createJwtParserFromSigningKey(final String signingKey, final Logger log) {
+    public static JwtParserBuilder createJwtParserBuilderFromSigningKey(final String signingKey, final Logger log) {
         final SecurityManager sm = System.getSecurityManager();
 
-        JwtParser jwtParser = null;
+        JwtParserBuilder jwtParserBuilder = null;
 
         if (sm != null) {
             sm.checkPermission(new SpecialPermission());
         }
 
-        jwtParser = AccessController.doPrivileged(new PrivilegedAction<JwtParser>() {
+        jwtParserBuilder = AccessController.doPrivileged(new PrivilegedAction<JwtParserBuilder>() {
             @Override
-            public JwtParser run() {
+            public JwtParserBuilder run() {
                 if (signingKey == null || signingKey.length() == 0) {
                     log.error("Unable to find signing key");
                     return null;
@@ -66,10 +61,10 @@ public JwtParser run() {
                         }
 
                         if (Objects.nonNull(key)) {
-                            return Jwts.parser().setSigningKey(key);
+                            return Jwts.parserBuilder().setSigningKey(key);
                         }
 
-                        return Jwts.parser().setSigningKey(decoded);
+                        return Jwts.parserBuilder().setSigningKey(decoded);
                     } catch (Throwable e) {
                         log.error("Error while creating JWT authenticator", e);
                         throw new RuntimeException(e);
@@ -78,7 +73,7 @@ public JwtParser run() {
             }
         });
 
-        return jwtParser;
+        return jwtParserBuilder;
     }
 
     private static PublicKey getPublicKey(final byte[] keyBytes, final String algo) throws NoSuchAlgorithmException,