This is an automated email from the ASF dual-hosted git repository.
epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new d430226 SOLR-15203: remove deprecated jwk url (#31)
d430226 is described below
commit d4302260a22e3400815776e541405b20ae000716
Author: Eric Pugh <[email protected]>
AuthorDate: Thu Mar 18 20:11:43 2021 -0400
SOLR-15203: remove deprecated jwk url (#31)
* Remove deprecated parameter jwkUrl
---
solr/CHANGES.txt | 2 ++
.../org/apache/solr/security/JWTAuthPlugin.java | 7 ++-----
.../org/apache/solr/security/JWTIssuerConfig.java | 8 +-------
.../org/apache/solr/security/JWTAuthPluginTest.java | 21 +++++----------------
.../src/jwt-authentication-plugin.adoc | 2 --
.../solr-ref-guide/src/major-changes-in-solr-9.adoc | 2 ++
6 files changed, 12 insertions(+), 30 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 30759b9..6bd4e42 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -98,6 +98,8 @@ when told to. The admin UI now tells it to. (Nazerke Seidan,
David Smiley)
* SOLR-15161: Don't encourage users to hack JSON response mimetype by
documenting in examples how to
specify wt=json use mimetype of text/plain. (Eric Pugh)
+* SOLR-15203: remove deprecated parameter name jwkUrl in favour of jwksUrl for
the JWK Url. (Eric Pugh)
+
Other Changes
----------------------
* SOLR-14656: Autoscaling framework removed (Ishan Chattopadhyaya, noble, Ilan
Ginzburg)
diff --git a/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java
b/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java
index 8b9271a..5306701 100644
--- a/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java
@@ -95,7 +95,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin
implements SpecProvider,
PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM,
PARAM_ROLES_CLAIM,
PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER,
PARAM_ISSUERS,
// These keys are supported for now to enable PRIMARY issuer config
through top-level keys
- JWTIssuerConfig.PARAM_JWK_URL, JWTIssuerConfig.PARAM_JWKS_URL,
JWTIssuerConfig.PARAM_JWK, JWTIssuerConfig.PARAM_ISSUER,
+ JWTIssuerConfig.PARAM_JWKS_URL, JWTIssuerConfig.PARAM_JWK,
JWTIssuerConfig.PARAM_ISSUER,
JWTIssuerConfig.PARAM_CLIENT_ID, JWTIssuerConfig.PARAM_WELL_KNOWN_URL,
JWTIssuerConfig.PARAM_AUDIENCE,
JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT);
@@ -202,13 +202,10 @@ public class JWTAuthPlugin extends AuthenticationPlugin
implements SpecProvider,
@SuppressWarnings("unchecked")
private Optional<JWTIssuerConfig> parseIssuerFromTopLevelConfig(Map<String,
Object> conf) {
try {
- if (conf.get(JWTIssuerConfig.PARAM_JWK_URL) != null) {
- log.warn("Configuration uses deprecated key {}. Please use {}
instead", JWTIssuerConfig.PARAM_JWK_URL, JWTIssuerConfig.PARAM_JWKS_URL);
- }
JWTIssuerConfig primary = new JWTIssuerConfig(PRIMARY_ISSUER)
.setIss((String) conf.get(JWTIssuerConfig.PARAM_ISSUER))
.setAud((String) conf.get(JWTIssuerConfig.PARAM_AUDIENCE))
- .setJwksUrl(conf.get(JWTIssuerConfig.PARAM_JWKS_URL) != null ?
conf.get(JWTIssuerConfig.PARAM_JWKS_URL) :
conf.get(JWTIssuerConfig.PARAM_JWK_URL))
+ .setJwksUrl(conf.get(JWTIssuerConfig.PARAM_JWKS_URL))
.setAuthorizationEndpoint((String)
conf.get(JWTIssuerConfig.PARAM_AUTHORIZATION_ENDPOINT))
.setClientId((String) conf.get(JWTIssuerConfig.PARAM_CLIENT_ID))
.setWellKnownUrl((String)
conf.get(JWTIssuerConfig.PARAM_WELL_KNOWN_URL));
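Review bot: With the fallback removed, a configuration that still carries `jwkUrl` reaches `.setJwksUrl(conf.get(JWTIssuerConfig.PARAM_JWKS_URL))` with a null value, and the warning that named the replacement key is gone too; the same applies to `Object confJwksUrl = conf.get(PARAM_JWKS_URL);` in the JWTIssuerConfig hunk. Whether an upgraded configuration with the old key is rejected at init or silently loses its key source depends on validation outside these hunks (the key list edited in the first JWTAuthPlugin hunk presumably feeds it), so it is worth confirming that init fails with a message naming `jwkUrl`. The deleted `initWithJwkUrlForBackwardsCompat` test could be replaced by one asserting that `plugin.init(authConf)` with a `jwkUrl` entry throws, which pins fail-closed behaviour for an authentication plugin. The body of parseIssuerFromTopLevelConfig continues beyond the hunk.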
diff --git a/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
b/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
index 4e0e107..79781e5 100644
--- a/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
+++ b/solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
@@ -46,8 +46,6 @@ import org.slf4j.LoggerFactory;
public class JWTIssuerConfig {
private static final Logger log =
LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
static final String PARAM_ISS_NAME = "name";
- @Deprecated(since = "8.3") // Remove this option at some point
- static final String PARAM_JWK_URL = "jwkUrl";
static final String PARAM_JWKS_URL = "jwksUrl";
static final String PARAM_JWK = "jwk";
static final String PARAM_ISSUER = "iss";
@@ -128,10 +126,7 @@ public class JWTIssuerConfig {
setIss((String) conf.get(PARAM_ISSUER));
setClientId((String) conf.get(PARAM_CLIENT_ID));
setAud((String) conf.get(PARAM_AUDIENCE));
- if (conf.get(PARAM_JWK_URL) != null) {
- log.warn("Configuration uses deprecated key {}. Please use {} instead",
PARAM_JWK_URL, PARAM_JWKS_URL);
- }
- Object confJwksUrl = conf.get(PARAM_JWKS_URL) != null ?
conf.get(PARAM_JWKS_URL) : conf.get(PARAM_JWK_URL);
+ Object confJwksUrl = conf.get(PARAM_JWKS_URL);
setJwksUrl(confJwksUrl);
setJsonWebKeySet(conf.get(PARAM_JWK));
setAuthorizationEndpoint((String) conf.get(PARAM_AUTHORIZATION_ENDPOINT));
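Review bot: The local `confJwksUrl` no longer serves a purpose now that it holds a single lookup; `setJwksUrl(conf.get(PARAM_JWKS_URL));` would match the neighbouring setter calls. If the removed `log.warn` was the only use of `log` in this class, the logger field can be dropped as well, though that cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk.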
@@ -142,7 +137,6 @@ public class JWTIssuerConfig {
conf.remove(PARAM_CLIENT_ID);
conf.remove(PARAM_AUDIENCE);
conf.remove(PARAM_JWKS_URL);
- conf.remove(PARAM_JWK_URL);
conf.remove(PARAM_JWK);
conf.remove(PARAM_AUTHORIZATION_ENDPOINT);
diff --git a/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java
b/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java
index 9071341..2b1ce60 100644
--- a/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java
+++ b/solr/core/src/test/org/apache/solr/security/JWTAuthPluginTest.java
@@ -108,7 +108,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
claims.setIssuedAtToNow(); // when the token was issued/created (now)
claims.setNotBeforeMinutesInThePast(2); // time before which the token is
not yet valid (2 minutes ago)
claims.setSubject("solruser"); // the subject/principal is whom the token
is about
- claims.setStringClaim("scope", "solr:read");
+ claims.setStringClaim("scope", "solr:read");
claims.setClaim("name", "Solr User"); // additional claims/attributes
about the subject can be added
claims.setClaim("customPrincipal", "custom"); // additional
claims/attributes about the subject can be added
claims.setClaim("claim1", "foo"); // additional claims/attributes about
the subject can be added
@@ -131,7 +131,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
testConfig.put("principalClaim", "customPrincipal");
testConfig.put("jwk", testJwk);
plugin.init(testConfig);
-
+
minimalConfig = new HashMap<>();
minimalConfig.put("class", "org.apache.solr.security.JWTAuthPlugin");
}
@@ -183,17 +183,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
}
@Test
- @Deprecated(since = "8.3")
- public void initWithJwkUrlForBackwardsCompat() {
- HashMap<String, Object> authConf = new HashMap<>();
- authConf.put("jwkUrl", "https://127.0.0.1:9999/foo.jwk");
- plugin = new JWTAuthPlugin();
- plugin.init(authConf);
- assertEquals(1, plugin.getIssuerConfigs().size());
- assertEquals(1, plugin.getIssuerConfigs().get(0).getJwksUrls().size());
- }
-
- @Test
public void initWithJwksUrl() {
HashMap<String, Object> authConf = new HashMap<>();
authConf.put("jwksUrl", "https://127.0.0.1:9999/foo.jwk");
@@ -204,7 +193,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
}
@Test
- public void initWithJwkUrlArray() {
+ public void initWithJwksUrlArray() {
HashMap<String, Object> authConf = new HashMap<>();
authConf.put("jwksUrl", Arrays.asList("https://127.0.0.1:9999/foo.jwk",
"https://127.0.0.1:9999/foo2.jwk"));
authConf.put("iss", "myIssuer");
@@ -375,7 +364,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
assertNull(resp.getPrincipal());
assertEquals(SCOPE_MISSING, resp.getAuthCode());
}
-
+
@Test
public void noHeaderBlockUnknown() {
testConfig.put("blockUnknown", true);
@@ -399,7 +388,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null);
assertEquals(JWTAuthPlugin.JWTAuthenticationResponse.AuthCode.PASS_THROUGH,
resp.getAuthCode());
}
-
+
@Test
public void wellKnownConfigNoHeaderPassThrough() {
String wellKnownUrl =
TEST_PATH().resolve("security").resolve("jwt_well-known-config.json").toAbsolutePath().toUri().toString();
diff --git a/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
b/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
index 8eaadc3..00db978 100644
--- a/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
+++ b/solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
@@ -90,8 +90,6 @@ To start enforcing authentication for all users, requiring a
valid JWT in the `A
}
----
-TIP: The configuration key `jwkUrl` is also supported as an alternative to
`jwksUrl` for backwards compatibility with early versions of the plugin.
-
=== With Admin UI Support
The next example shows configuring using
https://openid.net/specs/openid-connect-discovery-1_0.html[OpenID Connect
Discovery] with a well-known URI for automatic configuration of many common
settings, including ability to use the Admin UI with an OpenID Connect enabled
Identity Provider.
diff --git a/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc
b/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc
index f889fab..4a4ff60 100644
--- a/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc
+++ b/solr/solr-ref-guide/src/major-changes-in-solr-9.adoc
@@ -153,6 +153,8 @@ _(raw; not yet edited)_
* SOLR-15156: Child Doc Transformer's `childFilter` param no longer applies
query syntax
escaping because it's inconsistent with the rest of Solr and was limiting.
This refers to `[child childFilter='field:value']`.
+* SOLR-15203: Remove the deprecated `jwkUrl` in favour of `jwksUrl` when
configuring JWT authentication.
+
=== Upgrade Prerequisites in Solr 9
* Upgrade all collections in stateFormat=1 to stateFormat=2 *before* upgrading
to Solr 9, as Solr 9 does not support the