Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generalize public key reading in the JWT authenticator #4833

Merged
merged 2 commits into from
Oct 23, 2024
Merged

Generalize public key reading in the JWT authenticator #4833

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7bfac54
Fix public key parsing in JWT authenticator
cwperks Oct 22, 2024
f509b49
Use common method
cwperks Oct 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/main/java/org/opensearch/security/util/KeyUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ public JwtParserBuilder run() {
} else {
try {
PublicKey key = null;

final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "")
final String minimalKeyFormat = signingKey.replaceAll("\\r|\\n", "")
cwperks marked this conversation as resolved.
Show resolved Hide resolved
.replace("-----BEGIN PUBLIC KEY-----", "")
.replace("-----END PUBLIC KEY-----", "")
.trim();
final byte[] decoded = Base64.getDecoder().decode(minimalKeyFormat);
Expand Down
72 changes: 49 additions & 23 deletions src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -389,35 +389,68 @@ public void testNbf() throws Exception {

@Test
public void testRS256() throws Exception {

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();

String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.RS256).compact();
Settings settings = Settings.builder()
.put(
"signing_key",
"-----BEGIN PUBLIC KEY-----\n" + BaseEncoding.base64().encode(pub.getEncoded()) + "-----END PUBLIC KEY-----"
)
.build();
String signingKey = "-----BEGIN PUBLIC KEY-----\n" + BaseEncoding.base64().encode(pub.getEncoded()) + "-----END PUBLIC KEY-----";
AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);

HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
Map<String, String> headers = new HashMap<String, String>();
headers.put("Authorization", "Bearer " + jwsToken);
Assert.assertNotNull(creds);
assertThat(creds.getUsername(), is("Leonard McCoy"));
assertThat(creds.getBackendRoles().size(), is(0));
}

AuthCredentials creds = jwtAuth.extractCredentials(
new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
null
);
private static String formatKeyWithNewlines(String keyAsString) {
StringBuilder result = new StringBuilder();
int lineLength = 64;
int length = keyAsString.length();

for (int i = 0; i < length; i += lineLength) {
if (i + lineLength < length) {
result.append(keyAsString, i, i + lineLength);
} else {
result.append(keyAsString.substring(i));
}
result.append("\n");
}

return result.toString().trim();
}

@Test
public void testRS256WithNewlines() throws Exception {
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();

String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.RS256).compact();

String signingKey = "-----BEGIN PUBLIC KEY-----\n"
+ formatKeyWithNewlines(BaseEncoding.base64().encode(pub.getEncoded()))
+ "\n-----END PUBLIC KEY-----";
AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);

Assert.assertNotNull(creds);
assertThat(creds.getUsername(), is("Leonard McCoy"));
assertThat(creds.getBackendRoles().size(), is(0));
}

private AuthCredentials testJwtAuthenticationWithSigningKey(String signingKey, String jwsToken) throws NoSuchAlgorithmException {
Settings settings = Settings.builder().put("signing_key", signingKey).build();

HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
Map<String, String> headers = new HashMap<String, String>();
headers.put("Authorization", "Bearer " + jwsToken);

return jwtAuth.extractCredentials(new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(), null);
}

@Test
public void testES512() throws Exception {

Expand All @@ -427,17 +460,10 @@ public void testES512() throws Exception {
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();

Settings settings = Settings.builder().put("signing_key", BaseEncoding.base64().encode(pub.getEncoded())).build();
String signingKey = BaseEncoding.base64().encode(pub.getEncoded());
String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(priv, SignatureAlgorithm.ES512).compact();

HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
Map<String, String> headers = new HashMap<String, String>();
headers.put("Authorization", jwsToken);

AuthCredentials creds = jwtAuth.extractCredentials(
new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
null
);
AuthCredentials creds = testJwtAuthenticationWithSigningKey(signingKey, jwsToken);

Assert.assertNotNull(creds);
assertThat(creds.getUsername(), is("Leonard McCoy"));
Expand Down
Loading