This is an automated email from the ASF dual-hosted git repository.
more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 18bf8b4fc KNOX-3040 - Some followup minor fixes (#916)
18bf8b4fc is described below
commit 18bf8b4fca796056eb0137d9ab26c16e44c5e255
Author: Sandeep Moré <[email protected]>
AuthorDate: Thu Jun 13 11:34:37 2024 -0400
KNOX-3040 - Some followup minor fixes (#916)
---
.../provider/federation/jwt/JWTMessages.java | 12 ++---
.../federation/jwt/filter/AbstractJWTFilter.java | 6 +--
.../provider/federation/AbstractJWTFilterTest.java | 57 +++++++++++++++++++++-
3 files changed, 64 insertions(+), 11 deletions(-)
diff --git
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
index 38604aa6e..d41ca2d0a 100644
---
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
+++
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
@@ -115,12 +115,12 @@ public interface JWTMessages {
@Message(level = MessageLevel.ERROR, text = "Error while fetching grant type
and client secret from the request: {0}")
void errorFetchingClientSecret(String errorMessage, @StackTrace(level =
MessageLevel.DEBUG) Exception e);
- @Message( level = MessageLevel.INFO, text = "Token verification using
provided PEM, verified: {0}" )
- void publicKeyVerification(boolean verified);
+ @Message( level = MessageLevel.INFO, text = "Token verification result using
provided PEM, verified: {0}" )
+ void pemVerificationResultMessage(boolean verified);
- @Message( level = MessageLevel.INFO, text = "Token verification using
provided JWKS Url, verified: {0}" )
- void jwksVerification(boolean verified);
+ @Message( level = MessageLevel.INFO, text = "Token verification result using
provided JWKS Url, verified: {0}" )
+ void jwksVerificationResultMessage(boolean verified);
- @Message( level = MessageLevel.INFO, text = "Token verification using knox
signing cert, verified: {0}" )
- void signingKeyVerification(boolean verified);
+ @Message( level = MessageLevel.INFO, text = "Token verification result using
knox signing cert, verified: {0}" )
+ void signingKeyVerificationResultMessage(boolean verified);
}
diff --git
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index 81d6ae5e4..e9daff9b1 100644
---
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -513,17 +513,17 @@ public abstract class AbstractJWTFilter implements Filter
{
try {
if (publicKey != null) {
verified = authority.verifyToken(token, publicKey);
- log.publicKeyVerification(verified);
+ log.pemVerificationResultMessage(verified);
}
if (!verified && expectedJWKSUrl != null) {
verified = authority.verifyToken(token, expectedJWKSUrl,
expectedSigAlg, allowedJwsTypes);
- log.jwksVerification(verified);
+ log.jwksVerificationResultMessage(verified);
}
if(!verified) {
verified = authority.verifyToken(token);
- log.signingKeyVerification(verified);
+ log.signingKeyVerificationResultMessage(verified);
}
} catch (TokenServiceException e) {
log.unableToVerifyToken(e);
diff --git
a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
index 73ec4c35b..384468a3a 100644
---
a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
+++
b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -622,10 +622,10 @@ public abstract class AbstractJWTFilterTest {
String failingPem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
props.put(getAudienceProperty(), "bar");
- /* Add a failing PEN */
+ /* Add a failing PEM */
props.put(getVerificationPemProperty(), failingPem);
- /* This handler is setup with a publicKey, corresponding privateKey is
used to sign tje JWT below */
+ /* This handler is setup with a publicKey, corresponding privateKey is
used to sign the JWT below */
handler.init(new TestFilterConfig(props));
SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice",
@@ -654,6 +654,59 @@ public abstract class AbstractJWTFilterTest {
}
}
+ /**
+ * This will test the signature verification chain.
+ * Specifically the flow when provided PEM is not invalid and
+ * knox signing key is valid.
+ *
+ * NOTE: here valid means can validate JWT.
+ * @throws Exception
+ */
+ @Test
+ public void testSignatureVerificationChainWithPEMandSignature() throws
Exception {
+ try {
+ Properties props = getProperties();
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+
+ KeyPair KPair = kpg.generateKeyPair();
+ String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, "SHA1withRSA");
+ byte[] data = cert.getEncoded();
+ Base64 encoder = new Base64( 76, "\n".getBytes(
StandardCharsets.US_ASCII ) );
+ String failingPem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
+
+ props.put(getAudienceProperty(), "bar");
+ props.put(getVerificationPemProperty(), failingPem);
+
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice",
+ new Date(new Date().getTime() + TimeUnit.MINUTES.toMillis(10)),
privateKey);
+
+ HttpServletRequest request =
EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(new
StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getPathInfo()).andReturn("resource").anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response =
EasyMock.createNiceMock(HttpServletResponse.class);
+
EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(SERVICE_URL);
+
EasyMock.expect(response.getOutputStream()).andAnswer(DummyServletOutputStream::new).anyTimes();
+ EasyMock.replay(request, response);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+
+ Set<PrimaryPrincipal> principals =
chain.subject.getPrincipals(PrimaryPrincipal.class);
+ Assert.assertFalse("No PrimaryPrincipal", principals.isEmpty());
+ Assert.assertEquals("Not the expected principal", "alice",
((Principal)principals.toArray()[0]).getName());
+
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
@Test
public void testInvalidIssuer() throws Exception {
try {
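Review bot: The Javadoc on the new testSignatureVerificationChainWithPEMandSignature says it covers the flow "when provided PEM is not invalid", but `failingPem` is built from a freshly generated key pair that never signs the token, so this is the invalid-PEM case; suggest `* Specifically the flow when the provided PEM is invalid and`. The test only asserts that alice ends up as the PrimaryPrincipal, which is consistent with fallback to the Knox signing key but does not show which verifier accepted the token — if getProperties() happened to set a JWKS URL the test would pass via that path too, so either assert that no JWKS property is configured or add a comment stating that assumption next to `props.put(getVerificationPemProperty(), failingPem);`. The catch block also hides the failure cause; `fail("Should NOT have thrown a ServletException: " + se);` or dropping the try/catch (the method already declares `throws Exception`) keeps the stack trace in the report, and `KPair` should be `keyPair` per the file's lowerCamelCase locals. The throwaway cert is generated with `"SHA1withRSA"`; harmless here, but `"SHA256withRSA"` avoids tripping JDK algorithm-constraint checks later.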