This is an automated email from the ASF dual-hosted git repository. epugh pushed a commit to branch SOLR-15203 in repository https://gitbox.apache.org/repos/asf/solr.git
commit cc337a7f177b6d4c0762d5e1568f21caf116bdd9 Author: [email protected] <> AuthorDate: Thu Mar 18 19:49:30 2021 -0400 Remove deprecated parameter --- .../org/apache/solr/security/JWTAuthPlugin.java | 7 ++----- .../org/apache/solr/security/JWTIssuerConfig.java | 8 +------- .../org/apache/solr/security/JWTAuthPluginTest.java | 21 +++++---------------- .../src/jwt-authentication-plugin.adoc | 2 -- .../solr-ref-guide/src/major-changes-in-solr-9.adoc | 2 ++ 5 files changed, 10 insertions(+), 30 deletions(-) diff --git a/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java index 8b9271a..5306701 100644 --- a/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java @@ -95,7 +95,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM, PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS, // These keys are supported for now to enable PRIMARY issuer config through top-level keys - JWTIssuerConfig.PARAM_JWK_URL, JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER, + JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER, JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL, JWTIssuerConfig.PARAM_AUDIENCE, JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT); @@ -202,13 +202,10 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, @SuppressWarnings("unchecked") private Optional<JWTIssuerConfig> parseIssuerFromTopLevelConfig(Map<String, Object> conf) { try { - if (conf.get(JWTIssuerConfig.PARAM_JWK_URL) != null) { - log.warn("Configuration uses deprecated key {}. Please use {} instead", JWTIssuerConfig.PARAM_JWK_URL, JWTIssuerConfig.PARAM_JWKS_URL); - } JWTIssuerConfig primary = new JWTIssuerConfig(PRIMARY_ISSUER) .setIss((String) conf.get(JWTIssuerConfig.PARAM_ISSUER)) .setAud((String) conf.get(JWTIssuerConfig.PARAM_AUDIENCE)) - .setJwksUrl(conf.get(JWTIssuerConfig.PARAM_JWKS_URL) != null ? conf.get(JWTIssuerConfig.PARAM_JWKS_URL) : conf.get(JWTIssuerConfig.PARAM_JWK_URL)) + .setJwksUrl(conf.get(JWTIssuerConfig.PARAM_JWKS_URL)) .setAuthorizationEndpoint((String) conf.get(JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT)) .setClientId((String) conf.get(JWTIssuerConfig.PARAM_CLIENT_ID)) .setWellKnownUrl((String) conf.get(JWTIssuerConfig.PARAM_WELL_KNOWN_URL)); diff --git a/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java b/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java index 4e0e107..79781e5 100644 --- a/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java +++ b/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java @@ -46,8 +46,6 @@ import org.slf4j.LoggerFactory; public class JWTIssuerConfig { private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); static final String PARAM_ISS_NAME = "name"; - @Deprecated(since = "8.3") // Remove this option at some point - static final String PARAM_JWK_URL = "jwkUrl"; static final String PARAM_JWKS_URL = "jwksUrl"; static final String PARAM_JWK = "jwk"; static final String PARAM_ISSUER = "iss"; @@ -128,10 +126,7 @@ public class JWTIssuerConfig { setIss((String) conf.get(PARAM_ISSUER)); setClientId((String) conf.get(PARAM_CLIENT_ID)); setAud((String) conf.get(PARAM_AUDIENCE)); - if (conf.get(PARAM_JWK_URL) != null) { - log.warn("Configuration uses deprecated key {}. Please use {} instead", PARAM_JWK_URL, PARAM_JWKS_URL); - } - Object confJwksUrl = conf.get(PARAM_JWKS_URL) != null ? conf.get(PARAM_JWKS_URL) : conf.get(PARAM_JWK_URL); + Object confJwksUrl = conf.get(PARAM_JWKS_URL); setJwksUrl(confJwksUrl); setJsonWebKeySet(conf.get(PARAM_JWK)); setAuthorizationEndpoint((String) conf.get(PARAM_AUTHORIZATION_ENDPOINT)); @@ -142,7 +137,6 @@ public class JWTIssuerConfig { conf.remove(PARAM_CLIENT_ID); conf.remove(PARAM_AUDIENCE); conf.remove(PARAM_JWKS_URL); - conf.remove(PARAM_JWK_URL); conf.remove(PARAM_JWK); conf.remove(PARAM_AUTHORIZATION_ENDPOINT); diff --git a/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java b/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java index 9071341..2b1ce60 100644 --- a/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java +++ b/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java @@ -108,7 +108,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { claims.setIssuedAtToNow(); // when the token was issued/created (now) claims.setNotBeforeMinutesInThePast(2); // time before which the token is not yet valid (2 minutes ago) claims.setSubject("solruser"); // the subject/principal is whom the token is about - claims.setStringClaim("scope", "solr:read"); + claims.setStringClaim("scope", "solr:read"); claims.setClaim("name", "Solr User"); // additional claims/attributes about the subject can be added claims.setClaim("customPrincipal", "custom"); // additional claims/attributes about the subject can be added claims.setClaim("claim1", "foo"); // additional claims/attributes about the subject can be added @@ -131,7 +131,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { testConfig.put("principalClaim", "customPrincipal"); testConfig.put("jwk", testJwk); plugin.init(testConfig); - + minimalConfig = new HashMap<>(); minimalConfig.put("class", "org.apache.solr.security.JWTAuthPlugin"); } @@ -183,17 +183,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { } @Test - @Deprecated(since = "8.3") - public void initWithJwkUrlForBackwardsCompat() { - HashMap<String, Object> authConf = new HashMap<>(); - authConf.put("jwkUrl", "https://127.0.0.1:9999/foo.jwk";); - plugin = new JWTAuthPlugin(); - plugin.init(authConf); - assertEquals(1, plugin.getIssuerConfigs().size()); - assertEquals(1, plugin.getIssuerConfigs().get(0).getJwksUrls().size()); - } - - @Test public void initWithJwksUrl() { HashMap<String, Object> authConf = new HashMap<>(); authConf.put("jwksUrl", "https://127.0.0.1:9999/foo.jwk";); @@ -204,7 +193,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { } @Test - public void initWithJwkUrlArray() { + public void initWithJwksUrlArray() { HashMap<String, Object> authConf = new HashMap<>(); authConf.put("jwksUrl", Arrays.asList("https://127.0.0.1:9999/foo.jwk";, "https://127.0.0.1:9999/foo2.jwk";)); authConf.put("iss", "myIssuer"); @@ -375,7 +364,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { assertNull(resp.getPrincipal()); assertEquals(SCOPE_MISSING, resp.getAuthCode()); } - + @Test public void noHeaderBlockUnknown() { testConfig.put("blockUnknown", true); @@ -399,7 +388,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 { JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null); assertEquals(JWTAuthPlugin.JWTAuthenticationResponse.AuthCode.PASS_THROUGH, resp.getAuthCode()); } - + @Test public void wellKnownConfigNoHeaderPassThrough() { String wellKnownUrl = TEST_PATH().resolve("security").resolve("jwt_well-known-config.json").toAbsolutePath().toUri().toString(); diff --git a/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc b/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc index 8eaadc3..00db978 100644 --- a/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc +++ b/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc @@ -90,8 +90,6 @@ To start enforcing authentication for all users, requiring a valid JWT in the `A } ---- -TIP: The configuration key `jwkUrl` is also supported as an alternative to `jwksUrl` for backwards compatibility with early versions of the plugin. - === With Admin UI Support The next example shows configuring using https://openid.net/specs/openid-connect-discovery-1_0.html[OpenID Connect Discovery] with a well-known URI for automatic configuration of many common settings, including ability to use the Admin UI with an OpenID Connect enabled Identity Provider. diff --git a/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc index f889fab..4a4ff60 100644 --- a/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc +++ b/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc @@ -153,6 +153,8 @@ _(raw; not yet edited)_ * SOLR-15156: Child Doc Transformer's `childFilter` param no longer applies query syntax escaping because it's inconsistent with the rest of Solr and was limiting. This refers to `[child childFilter='field:value']`. +* SOLR-15203: Remove the deprecated `jwkUrl` in favour of `jwksUrl` when configuring JWT authentication. + === Upgrade Prerequisites in Solr 9 * Upgrade all collections in stateFormat=1 to stateFormat=2 *before* upgrading to Solr 9, as Solr 9 does not support the
