Generalize public key reading in the JWT authenticator (#4833)

Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit eb7f821) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Oct 23, 2024 · 2fd9612 · 2fd9612
1 parent 193a291
commit 2fd9612
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 25 deletions.
diff --git a/src/main/java/org/opensearch/security/util/KeyUtils.java b/src/main/java/org/opensearch/security/util/KeyUtils.java
@@ -51,8 +51,8 @@ public JwtParserBuilder run() {
                 } else {
                     try {
                         PublicKey key = null;
-
-                        final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "")
+                        final String minimalKeyFormat = signingKey.replaceAll("\\r|\\n", "")
+                            .replace("-----BEGIN PUBLIC KEY-----", "")
                             .replace("-----END PUBLIC KEY-----", "")
                             .trim();
 

diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
@@ -389,35 +389,68 @@ public void testNbf() throws Exception {
 
     @Test
     public void testRS256() throws Exception {
-
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         keyGen.initialize(2048);
         KeyPair pair = keyGen.generateKeyPair();
         PrivateKey priv = pair.getPrivate();
         PublicKey pub = pair.getPublic();
 
         String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.RS256).compact();
-        Settings settings = Settings.builder()
-            .put(
-                "signing_key",
-                "-----BEGIN PUBLIC KEY-----\n" + BaseEncoding.base64().encode(pub.getEncoded()) + "-----END PUBLIC KEY-----"
-            )
-            .build();
+        String signingKey = "-----BEGIN PUBLIC KEY-----\n" + BaseEncoding.base64().encode(pub.getEncoded()) + "-----END PUBLIC KEY-----";
+        AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);
 
-        HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
-        Map<String, String> headers = new HashMap<String, String>();
-        headers.put("Authorization", "Bearer " + jwsToken);
+        Assert.assertNotNull(creds);
+        assertThat(creds.getUsername(), is("Leonard McCoy"));
+        assertThat(creds.getBackendRoles().size(), is(0));
+    }
 
-        AuthCredentials creds = jwtAuth.extractCredentials(
-            new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
-            null
-        );
+    private static String formatKeyWithNewlines(String keyAsString) {
+        StringBuilder result = new StringBuilder();
+        int lineLength = 64;
+        int length = keyAsString.length();
+
+        for (int i = 0; i < length; i += lineLength) {
+            if (i + lineLength < length) {
+                result.append(keyAsString, i, i + lineLength);
+            } else {
+                result.append(keyAsString.substring(i));
+            }
+            result.append("\n");
+        }
+
+        return result.toString().trim();
+    }
+
+    @Test
+    public void testRS256WithNewlines() throws Exception {
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+        keyGen.initialize(2048);
+        KeyPair pair = keyGen.generateKeyPair();
+        PrivateKey priv = pair.getPrivate();
+        PublicKey pub = pair.getPublic();
+
+        String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.RS256).compact();
+
+        String signingKey = "-----BEGIN PUBLIC KEY-----\n"
+            + formatKeyWithNewlines(BaseEncoding.base64().encode(pub.getEncoded()))
+            + "\n-----END PUBLIC KEY-----";
+        AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);
 
         Assert.assertNotNull(creds);
         assertThat(creds.getUsername(), is("Leonard McCoy"));
         assertThat(creds.getBackendRoles().size(), is(0));
     }
 
+    private AuthCredentials testJwtAuthenticationWithSigningKey(String signingKey, String jwsToken) throws NoSuchAlgorithmException {
+        Settings settings = Settings.builder().put("signing_key", signingKey).build();
+
+        HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
+        Map<String, String> headers = new HashMap<String, String>();
+        headers.put("Authorization", "Bearer " + jwsToken);
+
+        return jwtAuth.extractCredentials(new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(), null);
+    }
+
     @Test
     public void testES512() throws Exception {
 
@@ -427,17 +460,10 @@ public void testES512() throws Exception {
         PrivateKey priv = pair.getPrivate();
         PublicKey pub = pair.getPublic();
 
-        Settings settings = Settings.builder().put("signing_key", BaseEncoding.base64().encode(pub.getEncoded())).build();
+        String signingKey = BaseEncoding.base64().encode(pub.getEncoded());
         String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.ES512).compact();
 
-        HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
-        Map<String, String> headers = new HashMap<String, String>();
-        headers.put("Authorization", jwsToken);
-
-        AuthCredentials creds = jwtAuth.extractCredentials(
-            new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
-            null
-        );
+        AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);
 
         Assert.assertNotNull(creds);
         assertThat(creds.getUsername(), is("Leonard McCoy"));