GEN-1492 - Decrypt JWT internally for system health check

open-metadata · Sep 16, 2024 · 4b048e6 · 4b048e6
1 parent 4fd2b24
commit 4b048e6
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/SystemRepository.java b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/SystemRepository.java
@@ -18,6 +18,7 @@
 import org.openmetadata.api.configuration.UiThemePreference;
 import org.openmetadata.schema.email.SmtpSettings;
 import org.openmetadata.schema.entity.services.ingestionPipelines.PipelineServiceClientResponse;
+import org.openmetadata.schema.security.client.OpenMetadataJWTClientConfig;
 import org.openmetadata.schema.service.configuration.slackApp.SlackAppConfiguration;
 import org.openmetadata.schema.services.connections.metadata.OpenMetadataConnection;
 import org.openmetadata.schema.settings.Settings;
@@ -35,6 +36,8 @@
 import org.openmetadata.service.migration.MigrationValidationClient;
 import org.openmetadata.service.resources.settings.SettingsCache;
 import org.openmetadata.service.search.SearchRepository;
+import org.openmetadata.service.secrets.SecretsManager;
+import org.openmetadata.service.secrets.SecretsManagerFactory;
 import org.openmetadata.service.security.JwtFilter;
 import org.openmetadata.service.util.JsonUtils;
 import org.openmetadata.service.util.OpenMetadataConnectionBuilder;
@@ -432,11 +435,13 @@ private StepValidation getPipelineServiceClientValidation(
 
  private StepValidation getJWKsValidation(
  OpenMetadataApplicationConfig applicationConfig, JwtFilter jwtFilter) {
+ SecretsManager secretsManager = SecretsManagerFactory.getSecretsManager();
  OpenMetadataConnection openMetadataServerConnection =
  new OpenMetadataConnectionBuilder(applicationConfig).build();
+ OpenMetadataJWTClientConfig realJWTConfig =
+ secretsManager.decryptJWTConfig(openMetadataServerConnection.getSecurityConfig());
  try {
- jwtFilter.validateJwtAndGetClaims(
- openMetadataServerConnection.getSecurityConfig().getJwtToken());
+ jwtFilter.validateJwtAndGetClaims(realJWTConfig.getJwtToken());
  return new StepValidation()
  .withDescription(ValidationStepDescription.JWT_TOKEN.key)
  .withPassed(Boolean.TRUE)

diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java b/openmetadata-service/src/main/java/org/openmetadata/service/secrets/SecretsManager.java
@@ -180,6 +180,20 @@ public AuthenticationMechanism decryptAuthenticationMechanism(
  return null;
  }
 
+ public OpenMetadataJWTClientConfig decryptJWTConfig(OpenMetadataJWTClientConfig jwtConfig) {
+ if (jwtConfig != null) {
+ try {
+ OpenMetadataJWTClientConfig decrypted =
+ (OpenMetadataJWTClientConfig) decryptPasswordFields(jwtConfig);
+ return (OpenMetadataJWTClientConfig) getSecretFields(decrypted);
+ } catch (Exception e) {
+ throw new SecretsManagerException(
+ Response.Status.BAD_REQUEST, "Failed to decrypt JWT Client Config instance.");
+ }
+ }
+ return null;
+ }
+
  public void encryptIngestionPipeline(IngestionPipeline ingestionPipeline) {
  OpenMetadataConnection openMetadataConnection =
  encryptOpenMetadataConnection(ingestionPipeline.getOpenMetadataServerConnection(), true);