janhoy commented on a change in pull request #139:
URL: https://github.com/apache/solr/pull/139#discussion_r646390578
##########
File path: solr/core/src/java/org/apache/solr/security/JWTAuthPlugin.java
##########
@@ -155,8 +175,38 @@ public void init(Map<String, Object> pluginConfig) {
requiredScopes = Arrays.asList(requiredScopesStr.split("\\s+"));
}
+ // Parse custom IDP SSL Cert from either path or string
+ InputStream trustedCertsStream = null;
+ String trustedCertsFile = (String)
pluginConfig.get(PARAM_TRUSTED_CERTS_FILE);
+ String trustedCerts = (String) pluginConfig.get(PARAM_TRUSTED_CERTS);
+ if (trustedCertsFile != null && trustedCerts != null) {
+ throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Found
both " + PARAM_TRUSTED_CERTS_FILE + " and " + PARAM_TRUSTED_CERTS + ", please
use only one");
+ }
+ if (trustedCertsFile != null) {
+ try {
+ Path trustedCertsPath = Paths.get(trustedCertsFile);
+ if (coreContainer != null) {
+ coreContainer.assertPathAllowed(trustedCertsPath);
+ }
+ trustedCertsStream = Files.newInputStream(trustedCertsPath);
+ log.info("Reading trustedCerts from file {}", trustedCertsFile);
+ } catch (IOException e) {
+ throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed
to read file " + trustedCertsFile, e);
+ }
+ }
+ if (trustedCerts != null) {
+ trustedCertsStream = IOUtils.toInputStream(trustedCerts,
StandardCharsets.UTF_8);
Review comment:
Is there a problem using IOUtils for this?
##########
File path:
solr/core/src/test/org/apache/solr/security/JWTAuthPluginIntegrationTest.java
##########
@@ -70,54 +89,43 @@
protected static final int NUM_SERVERS = 2;
protected static final int NUM_SHARDS = 2;
protected static final int REPLICATION_FACTOR = 1;
+ private static String mockOAuthToken;
+ private static Path pemFilePath;
+ private static Path wrongPemFilePath;
private final String COLLECTION = "jwtColl";
- private String jwtTestToken;
+ private static String jwtStaticTestToken;
private String baseUrl;
- private JsonWebSignature jws;
- private String jwtTokenWrongSignature;
+ private static JsonWebSignature jws;
+ private static String jwtTokenWrongSignature;
- @Override
- @Before
- public void setUp() throws Exception {
- super.setUp();
-
- configureCluster(NUM_SERVERS)// nodes
-
.withSecurityJson(TEST_PATH().resolve("security").resolve("jwt_plugin_jwk_security.json"))
- .addConfig("conf1",
TEST_PATH().resolve("configsets").resolve("cloud-minimal").resolve("conf"))
- .withDefaultClusterProperty("useLegacyReplicaAssignment", "false")
- .configure();
- baseUrl = cluster.getRandomJetty(random()).getBaseUrl().toString();
+ private static MockOAuth2Server mockOAuth2Server;
- String jwkJSON = "{\n" +
- " \"kty\": \"RSA\",\n" +
- " \"d\":
\"i6pyv2z3o-MlYytWsOr3IE1olu2RXZBzjPRBNgWAP1TlLNaphHEvH5aHhe_CtBAastgFFMuP29CFhaL3_tGczkvWJkSveZQN2AHWHgRShKgoSVMspkhOt3Ghha4CvpnZ9BnQzVHnaBnHDTTTfVgXz7P1ZNBhQY4URG61DKIF-JSSClyh1xKuMoJX0lILXDYGGcjVTZL_hci4IXPPTpOJHV51-pxuO7WU5M9252UYoiYyCJ56ai8N49aKIMsqhdGuO4aWUwsGIW4oQpjtce5eEojCprYl-9rDhTwLAFoBtjy6LvkqlR2Ae5dKZYpStljBjK8PJrBvWZjXAEMDdQ8PuQ\",\n"
+
- " \"e\": \"AQAB\",\n" +
- " \"use\": \"sig\",\n" +
- " \"kid\": \"test\",\n" +
- " \"alg\": \"RS256\",\n" +
- " \"n\":
\"jeyrvOaZrmKWjyNXt0myAc_pJ1hNt3aRupExJEx1ewPaL9J9HFgSCjMrYxCB1ETO1NDyZ3nSgjZis-jHHDqBxBjRdq_t1E2rkGFaYbxAyKt220Pwgme_SFTB9MXVrFQGkKyjmQeVmOmV6zM3KK8uMdKQJ4aoKmwBcF5Zg7EZdDcKOFgpgva1Jq-FlEsaJ2xrYDYo3KnGcOHIt9_0NQeLsqZbeWYLxYni7uROFncXYV5FhSJCeR4A_rrbwlaCydGxE0ToC_9HNYibUHlkJjqyUhAgORCbNS8JLCJH8NUi5sDdIawK9GTSyvsJXZ-QHqo4cMUuxWV5AJtaRGghuMUfqQ\"\n"
+
- "}";
+ @BeforeClass
+ public static void beforeClass() throws Exception {
+ // Setup an OAuth2 mock server with SSL
+ Path p12Cert =
SolrTestCaseJ4.TEST_PATH().resolve("security").resolve("jwt_plugin_idp_certs.p12");
+ pemFilePath =
SolrTestCaseJ4.TEST_PATH().resolve("security").resolve("jwt_plugin_idp_cert.pem");
+ wrongPemFilePath =
SolrTestCaseJ4.TEST_PATH().resolve("security").resolve("jwt_plugin_idp_wrongcert.pem");
- PublicJsonWebKey jwk = RsaJsonWebKey.Factory.newPublicJwk(jwkJSON);
- JwtClaims claims = JWTAuthPluginTest.generateClaims();
- jws = new JsonWebSignature();
- jws.setPayload(claims.toJson());
- jws.setKey(jwk.getPrivateKey());
- jws.setKeyIdHeaderValue(jwk.getKeyId());
- jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
+ mockOAuth2Server = createMockOAuthServer(p12Cert,"secret");
+ mockOAuth2Server.start();
+ mockOAuthToken = mockOAuth2Server.issueToken("default",
+ "myClientId",
+ new DefaultOAuth2TokenCallback()).serialize();
+ initStaticJwt();
+ }
- jwtTestToken = jws.getCompactSerialization();
-
- PublicJsonWebKey jwk2 = RsaJwkGenerator.generateJwk(2048);
- jwk2.setKeyId("k2");
- JsonWebSignature jws2 = new JsonWebSignature();
- jws2.setPayload(claims.toJson());
- jws2.setKey(jwk2.getPrivateKey());
- jws2.setKeyIdHeaderValue(jwk2.getKeyId());
- jws2.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
- jwtTokenWrongSignature = jws2.getCompactSerialization();
+ @AfterClass
+ public static void afterClass() throws Exception {
+ if (mockOAuth2Server != null) {
+ mockOAuth2Server.shutdown();
+ }
+ }
- cluster.waitForAllNodes(10);
+ @Override
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
Review comment:
Agree, removed it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
