gtully commented on code in PR #6304:
URL: https://github.com/apache/artemis/pull/6304#discussion_r2996478347


##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/OIDCLoginModule.java:
##########
@@ -0,0 +1,491 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.source.JWKSecurityContextJWKSet;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.proc.JWKSecurityContext;
+import com.nimbusds.jose.proc.JWSKeySelector;
+import com.nimbusds.jose.proc.JWSVerificationKeySelector;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimNames;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTParser;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import com.nimbusds.jwt.proc.JWTProcessor;
+import org.apache.activemq.artemis.spi.core.security.jaas.oidc.OIDCSupport;
+import 
org.apache.activemq.artemis.spi.core.security.jaas.oidc.OIDCSupport.ConfigKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.text.ParseException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class OIDCLoginModule implements AuditLoginModule {
+
+   public static final Logger logger = 
LoggerFactory.getLogger(OIDCLoginModule.class);
+
+   // static configuration
+
+   /**
+    * JWT claims (fields) that must be present in JWT token
+    */
+   private static final Set<String> defaultRequiredClaims = Set.of(
+         JWTClaimNames.AUDIENCE,
+         JWTClaimNames.ISSUER,
+         JWTClaimNames.SUBJECT,
+         "azp",
+         JWTClaimNames.EXPIRATION_TIME
+   );
+
+   /**
+    * JWT claims (fields) that must not be present in JWT token
+    */
+   private static final Set<String> prohibitedClaims = Collections.emptySet();
+
+   /**
+    * JWT claims with specific values that must be present in JWT token
+    */
+   private static final JWTClaimsSet exactMatchClaims = new 
JWTClaimsSet.Builder().build();
+
+   /**
+    * Set of JWT signature algorithms we support
+    */
+   private static final Set<JWSAlgorithm> supportedJWSAlgorithms = new 
HashSet<>();
+
+   /**
+    * Key selector for JWT signature validation - crated once, because keys 
are fetched from the context
+    */
+   private static final JWSKeySelector<JWKSecurityContext> jwsKeySelector;
+
+   // options from the configuration
+
+   /**
+    * Well known {@code debug} flag for the login module
+    */
+   private boolean debug;
+
+   // JAAS state from initialization
+
+   /**
+    * Helper object instantiated in each {@link #initialize} to support with 
the OpenID Connect/OAuth2 login
+    * process according to JAAS lifecycle
+    */
+   private OIDCSupport oidcSupport;
+
+   /**
+    * Discovered constructor to create instances of {@link Principal} 
representing user "identities"
+    */
+   private Constructor<Principal> userPrincipalConstructor;
+
+   /**
+    * Discovered constructor to create instances of {@link Principal} 
representing user "roles" (or "groups")
+    */
+   private Constructor<Principal> rolePrincipalConstructor;
+
+   // Nimbus JOSE + JWT state and config from initialization
+
+   private Subject subject;
+   private CallbackHandler handler;
+
+   /**
+    * {@link JWTProcessor} created for each login process reusing some 
"services" for key and claim management
+    */
+   private ConfigurableDefaultJWTProcessor processor = null;
+
+   /**
+    * Set of required JWT claims that should be present (with any value - to 
be validated by different means)
+    * in each processed JWT token.
+    */
+   private final Set<String> requiredClaims;
+
+   /**
+    * "JSON paths" to claims (possibly nested) which should point to JSON 
strings or JSON string arrays, which
+    * contain user "identities"
+    */
+   private String[] identityPaths;
+
+   /**
+    * "JSON paths" to claims (possibly nested) which should point to JSON 
strings or JSON string arrays, which
+    * contain user "roles" (or "groups")
+    */
+   private String[] rolesPaths;
+
+   /**
+    * <p>Flag which turns on OAuth 2.0 Mutual-TLS Client Authentication and 
Certificate-Bound Access Tokens
+    * (RFC 8705).</p>
+    * <p>{@code cnf} claim itself comes from RFC 7800 (Proof-of-Possession Key 
Semantics for JSON Web Tokens (JWTs))
+    * and represents a proof that the token was issued for the actual sender 
(and was not stolen). {@code x5t#256}
+    * is a specific type of proof from RFC 7515 (JSON Web Signature (JWS)) and 
represents an SHA-256 digest
+    * of DER encoded certificate ("x5" = X.509, "t" = thumbprint).</p>
+    */
+   private boolean requireOAuth2MTLS;
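Review bot: `defaultRequiredClaims` only requires that an `aud` claim be present, and `exactMatchClaims` is built empty, so nothing in this part of the file pins the audience to the broker's own identifier; unless the `DefaultJWTClaimsVerifier` constructed later in the class is given an accepted-audience value, a token minted by the same issuer for a different resource server would pass the claims check. The Javadoc on `requireOAuth2MTLS` names the thumbprint member `x5t#256`, but the confirmation method RFC 8705 §3.1 defines is `cnf.x5t#S256`, and the comment should also say what the digest is compared against, e.g. `* {@code cnf.x5t#S256} (RFC 8705 §3.1) is the SHA-256 digest of the DER-encoded client certificate presented on the current TLS connection; the token is only valid for that connection.` `PlainJWT` is imported; if the intent is to reject unsigned tokens (it should be), a comment on the processor setup stating that `alg=none` is never accepted would save the next reader a grep. The class body continues well past this hunk (the file is 491 lines), so the static initializer for `jwsKeySelector`/`supportedJWSAlgorithms` and the login logic are not visible here.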

Review Comment:
   the 2 is doing a lot of heavy lifting I think.


