Support mp.jwt.verify.publickey.algorithm. (#247)
radcortez authored and sberyozkin committed Jan 21, 2021
1 parent 25541c8 commit 5eb0348
Showing 3 changed files with 76 additions and 11 deletions.
Expand Up @@ -124,6 +124,7 @@ private static JWTAuthContextInfoProvider create(String publicKey,
String issuer) {
JWTAuthContextInfoProvider provider = new JWTAuthContextInfoProvider();
provider.mpJwtPublicKey = Optional.of(publicKey);
provider.mpJwtPublicKeyAlgorithm = Optional.of(SignatureAlgorithm.RS256);
provider.mpJwtLocation = !secretKey ? Optional.of(keyLocation) : Optional.empty();
provider.verifyKeyLocation = secretKey ? Optional.of(keyLocation) : Optional.empty();
provider.verifyCertificateThumbprint = verifyCertificateThumbprint;
Expand Down Expand Up @@ -165,6 +166,12 @@ private static JWTAuthContextInfoProvider create(String publicKey,
@Inject
@ConfigProperty(name = "mp.jwt.verify.publickey", defaultValue = NONE)
private Optional<String> mpJwtPublicKey;
/**
* @since 1.2
*/
@Inject
@ConfigProperty(name = "mp.jwt.verify.publickey.algorithm")
private Optional<SignatureAlgorithm> mpJwtPublicKeyAlgorithm;
/**
* @since 1.1
*/
Expand Down Expand Up @@ -231,7 +238,7 @@ private static JWTAuthContextInfoProvider create(String publicKey,
* @since 1.2
*/
@Inject
@ConfigProperty(name = Names.AUDIENCES)
@ConfigProperty(name = "mp.jwt.verify.audiences")
Optional<Set<String>> mpJwtVerifyAudiences;

// SmallRye JWT specific properties
Expand All @@ -242,6 +249,7 @@ private static JWTAuthContextInfoProvider create(String publicKey,
*/
@Inject
@ConfigProperty(name = "smallrye.jwt.token.header")
@Deprecated
private Optional<String> tokenHeader;

/**
Expand All @@ -251,6 +259,7 @@ private static JWTAuthContextInfoProvider create(String publicKey,
*/
@Inject
@ConfigProperty(name = "smallrye.jwt.token.cookie")
@Deprecated
private Optional<String> tokenCookie;

/**
Expand Down Expand Up @@ -379,9 +388,12 @@ private static JWTAuthContextInfoProvider create(String publicKey,

/**
* Supported JSON Web Algorithm asymmetric signature algorithm (RS256 or ES256), default is RS256.
*
* @deprecated Use {@link JWTAuthContextInfoProvider#mpJwtPublicKeyAlgorithm}
*/
@Inject
@ConfigProperty(name = "smallrye.jwt.verify.algorithm", defaultValue = "RS256")
@ConfigProperty(name = "smallrye.jwt.verify.algorithm")
@Deprecated
private Optional<SignatureAlgorithm> signatureAlgorithm;

/**
Expand Down Expand Up @@ -424,6 +436,7 @@ private static JWTAuthContextInfoProvider create(String publicKey,
*/
@Inject
@ConfigProperty(name = "smallrye.jwt.verify.aud")
@Deprecated
Optional<Set<String>> expectedAudience;

/**
Expand Down Expand Up @@ -503,17 +516,17 @@ Optional<JWTAuthContextInfo> getOptionalContextInfo() {
if (mpJwtTokenHeader.isPresent()) {
contextInfo.setTokenHeader(mpJwtTokenHeader.get());
} else if (tokenHeader.isPresent()) {
ConfigLogging.log.replacedConfig("smallrye.jwt.token.header", "mp.jwt.token.header");
contextInfo.setTokenHeader(tokenHeader.get());
ConfigLogging.log.replacedConfig("smallrye.jwt.token.header", Names.TOKEN_HEADER);
} else {
contextInfo.setTokenHeader(AUTHORIZATION_HEADER);
}

if (mpJwtTokenCookie.isPresent()) {
SmallryeJwtUtils.setContextTokenCookie(contextInfo, mpJwtTokenCookie);
} else if (tokenCookie.isPresent()) {
ConfigLogging.log.replacedConfig("smallrye.jwt.token.cookie", "mp.jwt.token.cookie");
SmallryeJwtUtils.setContextTokenCookie(contextInfo, tokenCookie);
ConfigLogging.log.replacedConfig("smallrye.jwt.token.cookie", Names.TOKEN_COOKIE);
} else {
SmallryeJwtUtils.setContextTokenCookie(contextInfo, Optional.of(BEARER_SCHEME));
}
Expand All @@ -531,17 +544,31 @@ Optional<JWTAuthContextInfo> getOptionalContextInfo() {
contextInfo.setMaxTimeToLiveSecs(maxTimeToLiveSecs.orElse(null));
contextInfo.setJwksRefreshInterval(jwksRefreshInterval.orElse(null));
contextInfo.setForcedJwksRefreshInterval(forcedJwksRefreshInterval);
if (signatureAlgorithm.orElse(null) == SignatureAlgorithm.HS256 && resolvedVerifyKeyLocation == mpJwtLocation) {
throw ConfigMessages.msg.hs256NotSupported();
final Optional<SignatureAlgorithm> resolvedAlgorithm;
if (mpJwtPublicKeyAlgorithm.isPresent()) {
resolvedAlgorithm = mpJwtPublicKeyAlgorithm;
} else if (signatureAlgorithm.isPresent()) {
ConfigLogging.log.replacedConfig("smallrye.jwt.verify.algorithm", "mp.jwt.verify.publickey.algorithm");
resolvedAlgorithm = signatureAlgorithm;
} else {
resolvedAlgorithm = Optional.empty();
}
contextInfo.setSignatureAlgorithm(signatureAlgorithm.orElse(SignatureAlgorithm.RS256));
if (resolvedAlgorithm.isPresent()) {
if (resolvedAlgorithm.get() == SignatureAlgorithm.HS256 && resolvedVerifyKeyLocation == mpJwtLocation) {
throw ConfigMessages.msg.hs256NotSupported();
}
contextInfo.setSignatureAlgorithm(resolvedAlgorithm.get());
} else {
contextInfo.setSignatureAlgorithm(SignatureAlgorithm.RS256);
}

contextInfo.setKeyEncryptionAlgorithm(keyEncryptionAlgorithm);
contextInfo.setKeyFormat(keyFormat);
if (mpJwtVerifyAudiences.isPresent()) {
contextInfo.setExpectedAudience(mpJwtVerifyAudiences.get());
} else if (expectedAudience.isPresent()) {
ConfigLogging.log.replacedConfig("smallrye.jwt.verify.aud", "mp.jwt.verify.audiences");
contextInfo.setExpectedAudience(expectedAudience.get());
ConfigLogging.log.replacedConfig("smallrye.jwt.verify.aud", Names.AUDIENCES);
} else {
contextInfo.setExpectedAudience(null);
}
Expand Down Expand Up @@ -581,6 +608,14 @@ public Optional<String> getMpJwtPublicKey() {
return mpJwtPublicKey;
}

public Optional<SignatureAlgorithm> getMpJwtPublicKeyAlgorithm() {
return mpJwtPublicKeyAlgorithm;
}

public Optional<String> getMpJwtDecryptKeyLocation() {
return mpJwtDecryptKeyLocation;
}

public String getMpJwtIssuer() {
return mpJwtIssuer;
}
Expand Down Expand Up @@ -668,6 +703,7 @@ public Optional<String> getWhitelistAlgorithms() {
return whitelistAlgorithms;
}

@Deprecated
public Optional<SignatureAlgorithm> getSignatureAlgorithm() {
return signatureAlgorithm;
}
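Review bot: The HS256 guard in the @@ -531,17 +544,31 @@ hunk of getOptionalContextInfo, `if (resolvedAlgorithm.get() == SignatureAlgorithm.HS256 && resolvedVerifyKeyLocation == mpJwtLocation)`, rejects a symmetric algorithm only when the verify key was resolved from mp.jwt.verify.publickey.location, so HS256 supplied through the new spec property with another key source (an inline mp.jwt.verify.publickey, for instance) does not appear to be rejected anywhere in this hunk. As far as I recall the MP JWT spec defines only RS256 and ES256 for mp.jwt.verify.publickey.algorithm, and because the field is typed Optional<SignatureAlgorithm> the whole enum is accepted; consider rejecting it at the source, e.g. `if (mpJwtPublicKeyAlgorithm.orElse(null) == SignatureAlgorithm.HS256) { throw ConfigMessages.msg.hs256NotSupported(); }` ahead of the resolution block. The new field in the @@ -165,6 +166,12 @@ hunk carries only `@since 1.2`; a line such as `Asymmetric signature algorithm (RS256 or ES256) of the public key used to verify tokens; takes precedence over the deprecated smallrye.jwt.verify.algorithm.` would match the Javadoc kept on the deprecated field. getOptionalContextInfo begins and ends outside the hunk.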
Expand Up @@ -18,6 +18,7 @@
import org.junit.Test;

import io.smallrye.config.inject.ConfigExtension;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;

public class JWTAuthContextInfoProviderTest {
Expand All @@ -36,9 +37,11 @@ public void tearDown() throws Exception {
System.clearProperty("mp.jwt.token.header");
System.clearProperty("mp.jwt.token.cookie");
System.clearProperty("mp.jwt.verify.audiences");
System.clearProperty("mp.jwt.verify.publickey.algorithm");
System.clearProperty("smallrye.jwt.token.header");
System.clearProperty("smallrye.jwt.token.cookie");
System.clearProperty("smallrye.jwt.verify.aud");
System.clearProperty("smallrye.jwt.verify.algorithm");
}

@Test
Expand Down Expand Up @@ -108,4 +111,30 @@ public void mpAudienceConfigPriority() {
assertEquals(1, contextInfo.getExpectedAudience().size());
assertTrue(contextInfo.getExpectedAudience().contains("1234"));
}

@Test
public void algorithmsConfigs() {
System.setProperty("mp.jwt.verify.publickey.algorithm", "ES256");
JWTAuthContextInfo contextInfo = context.get().getOptionalContextInfo().get();
assertEquals(SignatureAlgorithm.ES256, contextInfo.getSignatureAlgorithm());
assertThrows(NoSuchElementException.class,
() -> ConfigProvider.getConfig().getValue("smallrye.jwt.verify.algorithm", String.class));
}

@Test
public void smallryeAlgorithmsConfigs() {
System.setProperty("smallrye.jwt.verify.algorithm", "ES256");
JWTAuthContextInfo contextInfo = context.get().getOptionalContextInfo().get();
assertEquals(SignatureAlgorithm.ES256, contextInfo.getSignatureAlgorithm());
assertThrows(NoSuchElementException.class,
() -> ConfigProvider.getConfig().getValue("mp.jwt.verify.publickey.algorithm", String.class));
}

@Test
public void mpAlgorithmsConfigPriority() {
System.setProperty("mp.jwt.verify.publickey.algorithm", "ES256");
System.setProperty("smallrye.jwt.verify.aud", "RS256");
JWTAuthContextInfo contextInfo = context.get().getOptionalContextInfo().get();
assertEquals(SignatureAlgorithm.ES256, contextInfo.getSignatureAlgorithm());
}
}
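Review bot: mpAlgorithmsConfigPriority sets `smallrye.jwt.verify.aud` to "RS256" on its second setProperty line, which looks copied from mpAudienceConfigPriority; the deprecated algorithm property is never set, so the test passes without exercising the precedence it is named for, and "RS256" is not a meaningful audience value. Change that line to `System.setProperty("smallrye.jwt.verify.algorithm", "RS256");` — tearDown already clears that key, so no extra cleanup is needed. With that change the ES256 assertion actually proves that mp.jwt.verify.publickey.algorithm wins over the SmallRye property.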
6 changes: 3 additions & 3 deletions testsuite/tck/src/test/resources/tck-base-suite.xml
Expand Up @@ -67,9 +67,9 @@
<class name="org.eclipse.microprofile.jwt.tck.config.PublicKeyAsJWKSLocationTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.PublicKeyAsBase64JWKTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.PublicKeyAsFileLocationURLTest" />
<!--<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMTest" />-->
<!--<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMLocationTest" />-->
<!--<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsJWKLocationTest" />-->
<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMLocationTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsJWKLocationTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.IssValidationTest" />
<class name="org.eclipse.microprofile.jwt.tck.config.IssValidationFailTest" />
<class name="org.eclipse.microprofile.jwt.tck.container.jaxrs.CookieTokenTest" />