Fixes for azure jwks reader (#3201)

Signed-off-by: alexandr cumarav <alexandr.cumarav@broadcom.com>
zowe · Nov 15, 2023 · f24695e · f24695e
1 parent c059322
commit f24695e
Show file tree

Hide file tree

Showing 7 changed files with 137 additions and 52 deletions.
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/JwkKeys.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/JwkKeys.java
@@ -10,7 +10,6 @@
 
 package org.zowe.apiml.gateway.security.service.token;
 
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.AllArgsConstructor;
 import lombok.Data;
@@ -21,7 +20,6 @@
 @Data
 @AllArgsConstructor
 @NoArgsConstructor
-@JsonIgnoreProperties(ignoreUnknown = true)
 public class JwkKeys {
 
     private List<Key> keys;

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCConfig.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCConfig.java
@@ -10,6 +10,7 @@
 
 package org.zowe.apiml.gateway.security.service.token;
 
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import io.jsonwebtoken.Clock;
@@ -30,6 +31,7 @@ public Clock oidcJwtClock() {
     @Primary
     public ObjectMapper oidcJwkMapper() {
         return new ObjectMapper()
+            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
             .registerModule(new JavaTimeModule());
     }
 

diff --git a/...ervice/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProvider.java b/...ervice/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProvider.java
@@ -39,7 +39,6 @@
 import org.zowe.apiml.security.common.token.TokenNotValidException;
 
 import javax.annotation.PostConstruct;
-
 import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
@@ -105,7 +104,7 @@ void fetchJwksUrls() {
             return;
         }
         log.debug("Refreshing JWK endpoints {}", jwksUri);
-        HttpGet getRequest = new HttpGet(jwksUri + "?client_id=" + clientId);
+        HttpGet getRequest = new HttpGet(jwksUri);
         try {
             CloseableHttpResponse response = httpClient.execute(getRequest);
             final int statusCode = response.getStatusLine() != null ? response.getStatusLine().getStatusCode() : 0;

diff --git a/...y-service/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCConfigTest.java b/...y-service/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCConfigTest.java
@@ -0,0 +1,49 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.token;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.Test;
+
+import java.io.InputStream;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class OIDCConfigTest {
+    private final ObjectMapper oidcJwkMapper = new OIDCConfig().oidcJwkMapper();
+
+    @Test
+    @SneakyThrows
+    void shouldParseJwksFormatWithExtraProperties() {
+        try (InputStream is = this.getClass().getResourceAsStream("/test_samples/azure_jwks.json")) {
+            JwkKeys jwkKeys = oidcJwkMapper.readValue(is, JwkKeys.class);
+
+            assertThat(jwkKeys.getKeys()).hasSize(1);
+            JwkKeys.Key key = jwkKeys.getKeys().get(0);
+            assertThat(key.getKid()).isEqualTo("9GmnyFPkhc3hOuR22mvSvgnLo7Y");
+            assertThat(key.getKty()).isEqualTo("RSA");
+        }
+    }
+
+    @Test
+    @SneakyThrows
+    void shouldParseExpectedJwksFormat() {
+        try (InputStream is = this.getClass().getResourceAsStream("/test_samples/okta_jwks.json")) {
+            JwkKeys jwkKeys = oidcJwkMapper.readValue(is, JwkKeys.class);
+
+            assertThat(jwkKeys.getKeys()).hasSize(2);
+            JwkKeys.Key key = jwkKeys.getKeys().get(0);
+            assertThat(key.getKid()).isEqualTo("Lcxckkor94qkrunxHP7Tkib547rzmkXvsYV-nc6U-N4");
+            assertThat(key.getKty()).isEqualTo("RSA");
+        }
+    }
+}
diff --git a/...ce/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProviderTest.java b/...ce/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProviderTest.java
@@ -16,7 +16,6 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpStatus;
 import org.apache.http.StatusLine;
-import org.apache.http.client.ClientProtocolException;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.entity.BasicHttpEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -45,56 +44,34 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
 class OIDCTokenProviderTest {
 
-    private static final String JWKS_KEYS_BODY = "\n"
-    + "{\n"
-    + "    \"keys\": [\n"
-    + "        {\n"
-    + "           \"kty\": \"RSA\",\n"
-    + "           \"alg\": \"RS256\",\n"
-    + "           \"kid\": \"Lcxckkor94qkrunxHP7Tkib547rzmkXvsYV-nc6U-N4\",\n"
-    + "           \"use\": \"sig\",\n"
-    + "           \"e\": \"AQAB\",\n"
-    + "           \"n\": \"v6wT5k7uLto_VPTV8fW9_wRqWHuqnZbyEYAwNYRdffe9WowwnzUAr0Z93-4xDvCRuVfTfvCe9orEWdjZMaYlDq_Dj5BhLAqmBAF299Kv1GymOioLRDvoVWy0aVHYXXNaqJCPsaWIDiCly-_kJBbnda_rmB28a_878TNxom0mDQ20TI5SgdebqqMBOdHEqIYH1ER9euybekeqJX24EqE9YW4Yug5BOkZ9KcUkiEsH_NPyRlozihj18Qab181PRyKHE6M40W7w67XcRq2llTy-z9RrQupcyvLD7L62KN0ey8luKWnVg4uIOldpyBYyiRX2WPM-2K00RVC0e4jQKs34Gw\"\n"
-    + "       },\n"
-    + "       {\n"
-    + "           \"kty\": \"RSA\",\n"
-    + "           \"alg\": \"RS256\",\n"
-    + "           \"kid\": \"-716sp3XBB_v30lGj2mu5MdXkdh8poa9zJQlAwC46n4\",\n"
-    + "           \"use\": \"sig\",\n"
-    + "           \"e\": \"AQAB\",\n"
-    + "           \"n\": \"5rYyqFsxel0Pv-xRDHPbg3IfumE4ks9ffLvJrfZVgrTQyiFmFfBnyD3r7y6626Yr5-68Pj0I5SHlCBPkkgTU_e9Z3tCYiegtIOeJdSdumWR2JDVAsbpwFJDG_kxP9czgX7HL0T2BPSapx7ba0ZBXd2-SfSDDL-c1Q0rJ1uQEJwDXAGZV4qy_oXuQf5DuV65Xj8y2Qn1DtVEBThxita-kis_H35CTWgW2zyyaS_08wa00R98mnQ2SHfmO5fZABITmH0DO0coDHqKZ429VNNpELLX9e95dirQ1jfngDbBCmy-XsT8yc6NpAaXmd8P2NHdsO2oK46EQEaFRyMcoDTs3-w\"\n"
-    + "       }\n"
-    + "    ]\n"
-    + "}";
-
+    private static final String OKTA_JWKS_RESOURCE = "/test_samples/okta_jwks.json";
     private static final String JWKS_KEYS_BODY_INVALID = "\n"
-    + "{\n"
-    + "    \"keys\": [\n"
-    + "        {\n"
-    + "           \"kty\": \"RSA\",\n"
-    + "           \"alg\": \"RS256\",\n"
-    + "           \"kid\": \"Lcxckkor94qkrunxHP7Tkib547rzmkXvsYV-nc6U-N4\",\n"
-    + "           \"use\": \"sig\",\n"
-    + "           \"e\": \"AQAB\",\n"
-    + "           \"n\": \"invalid\"\n"
-    + "       }\n"
-    + "    ]\n"
-    + "}";
+        + "{\n"
+        + "    \"keys\": [\n"
+        + "        {\n"
+        + "           \"kty\": \"RSA\",\n"
+        + "           \"alg\": \"RS256\",\n"
+        + "           \"kid\": \"Lcxckkor94qkrunxHP7Tkib547rzmkXvsYV-nc6U-N4\",\n"
+        + "           \"use\": \"sig\",\n"
+        + "           \"e\": \"AQAB\",\n"
+        + "           \"n\": \"invalid\"\n"
+        + "       }\n"
+        + "    ]\n"
+        + "}";
 
     private static final String EXPIRED_TOKEN = "eyJraWQiOiJMY3hja2tvcjk0cWtydW54SFA3VGtpYjU0N3J6bWtYdnNZVi1uYzZVLU40IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlExakp2UkZ0dUhFUFpGTXNmM3A0enQ5aHBRRHZrSU1CQ3RneU9IcTdlaEkiLCJpc3MiOiJodHRwczovL2Rldi05NTcyNzY4Ni5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2OTcwNjA3NzMsImV4cCI6MTY5NzA2NDM3MywiY2lkIjoiMG9hNmE0OG1uaVhBcUVNcng1ZDciLCJ1aWQiOiIwMHU5OTExOGgxNmtQT1dBbTVkNyIsInNjcCI6WyJvcGVuaWQiXSwiYXV0aF90aW1lIjoxNjk3MDYwMDY0LCJzdWIiOiJzajg5NTA5MkBicm9hZGNvbS5uZXQiLCJncm91cHMiOlsiRXZlcnlvbmUiXX0.Cuf1JVq_NnfBxaCwiLsR5O6DBmVV1fj9utAfKWIF1hlek2hCJsDLQM4ii_ucQ0MM1V3nVE1ZatPB-W7ImWPlGz7NeNBv7jEV9DkX70hchCjPHyYpaUhAieTG75obdufiFpI55bz3qH5cPRvsKv0OKKI9T8D7GjEWsOhv6CevJJZZvgCFLGFfnacKLOY5fEBN82bdmCulNfPVrXF23rOregFjOBJ1cKWfjmB0UGWgI8VBGGemMNm3ACX3OYpTOek2PBfoCIZWOSGnLZumFTYA0F_3DsWYhIJNoFv16_EBBJcp_C0BYE_fiuXzeB0fieNUXASsKp591XJMflDQS_Zt1g";
 
     private static final String TOKEN = "token";
 
     private OIDCTokenProvider oidcTokenProvider;
-
-    @Mock
-    private OIDCTokenProvider underTest;
     @Mock
     private CloseableHttpClient httpClient;
     @Mock
@@ -109,7 +86,7 @@ void setup() throws CachingServiceClientException, IOException {
         responseEntity = new BasicHttpEntity();
         responseEntity.setContent(IOUtils.toInputStream("", StandardCharsets.UTF_8));
         oidcTokenProvider = new OIDCTokenProvider(httpClient, new DefaultClock(), new ObjectMapper());
-        ReflectionTestUtils.setField(oidcTokenProvider, "jwkRefreshInterval",1);
+        ReflectionTestUtils.setField(oidcTokenProvider, "jwkRefreshInterval", 1);
         ReflectionTestUtils.setField(oidcTokenProvider, "jwksUri", "https://jwksurl");
         oidcTokenProvider.clientId = "client_id";
         oidcTokenProvider.clientSecret = "client_secret";
@@ -119,8 +96,9 @@ void setup() throws CachingServiceClientException, IOException {
     class GivenInitializationWithJwks {
 
         @BeforeEach
-        void setup() throws IOException {
-            responseEntity.setContent(IOUtils.toInputStream(JWKS_KEYS_BODY, StandardCharsets.UTF_8));
+        void setup() {
+
+            responseEntity.setContent(getClass().getResourceAsStream(OKTA_JWKS_RESOURCE));
         }
 
         @Test
@@ -141,7 +119,7 @@ void initialized_thenJwksFullfilled() throws IOException {
 
         @Test
         @SuppressWarnings("unchecked")
-        void whenRequestFails_thenNotInitialized() throws ClientProtocolException, IOException {
+        void whenRequestFails_thenNotInitialized() throws IOException {
             Map<String, JwkKeys> jwks = (Map<String, JwkKeys>) ReflectionTestUtils.getField(oidcTokenProvider, "jwks");
             when(responseStatusLine.getStatusCode()).thenReturn(HttpStatus.SC_INTERNAL_SERVER_ERROR);
             when(response.getStatusLine()).thenReturn(responseStatusLine);
@@ -162,7 +140,7 @@ void whenUriNotProvided_thenNotInitialized() {
 
         @Test
         @SuppressWarnings("unchecked")
-        void whenInvalidKey_thenNotInitialized() throws ClientProtocolException, IOException {
+        void whenInvalidKey_thenNotInitialized() throws IOException {
             responseEntity.setContent(IOUtils.toInputStream(JWKS_KEYS_BODY_INVALID, StandardCharsets.UTF_8));
             Map<String, JwkKeys> jwks = (Map<String, JwkKeys>) ReflectionTestUtils.getField(oidcTokenProvider, "jwks");
             when(responseStatusLine.getStatusCode()).thenReturn(HttpStatus.SC_OK);
@@ -178,9 +156,9 @@ void whenInvalidKey_thenNotInitialized() throws ClientProtocolException, IOExcep
     class GivenTokenForValidation {
 
         @SuppressWarnings("unchecked")
-        private void initJwks() throws ClientProtocolException, IOException {
+        private void initJwks() throws IOException {
             Map<String, JwkKeys> jwks = (Map<String, JwkKeys>) ReflectionTestUtils.getField(oidcTokenProvider, "jwks");
-            responseEntity.setContent(IOUtils.toInputStream(JWKS_KEYS_BODY, StandardCharsets.UTF_8));
+            responseEntity.setContent(getClass().getResourceAsStream(OKTA_JWKS_RESOURCE));
             when(responseStatusLine.getStatusCode()).thenReturn(HttpStatus.SC_OK);
             when(response.getStatusLine()).thenReturn(responseStatusLine);
             when(response.getEntity()).thenReturn(responseEntity);
@@ -190,20 +168,20 @@ private void initJwks() throws ClientProtocolException, IOException {
         }
 
         @Test
-        void whenValidTokenExpired_thenReturnInvalid() throws ClientProtocolException, IOException {
+        void whenValidTokenExpired_thenReturnInvalid() throws IOException {
             initJwks();
             assertFalse(oidcTokenProvider.isValid(EXPIRED_TOKEN));
         }
 
         @Test
-        void whenValidtoken_thenReturnValid() throws ClientProtocolException, IOException {
+        void whenValidtoken_thenReturnValid() throws IOException {
             initJwks();
             ReflectionTestUtils.setField(oidcTokenProvider, "clock", new FixedClock(new Date(Instant.ofEpochSecond(1697060773 + 1000L).toEpochMilli())));
             assertTrue(oidcTokenProvider.isValid(EXPIRED_TOKEN));
         }
 
         @Test
-        void whenInvalidToken_thenReturnInvalid() throws ClientProtocolException, IOException {
+        void whenInvalidToken_thenReturnInvalid() throws IOException {
             initJwks();
             assertFalse(oidcTokenProvider.isValid(TOKEN));
         }
@@ -230,6 +208,7 @@ void whenTokenIsEmpty_thenReturnInvalid() {
             assertFalse(oidcTokenProvider.isValid(""));
         }
     }
+
     @Nested
     class GivenInvalidConfiguration {
 
@@ -250,4 +229,26 @@ void whenInvalidClientSecret_thenReturnInvalid(String secret) {
         }
     }
 
+    @Nested
+    class JwksUriLoad {
+        @Mock
+        private CloseableHttpClient httpClientMock;
+        @Mock
+        CloseableHttpResponse httpResponse;
+
+        @BeforeEach
+        public void setUp() {
+            oidcTokenProvider = new OIDCTokenProvider(httpClientMock, new DefaultClock(), new ObjectMapper());
+            ReflectionTestUtils.setField(oidcTokenProvider, "jwksUri", "https://jwksurl");
+        }
+
+        @Test
+        void shouldNotModifyJwksUri() throws IOException {
+            when(httpClientMock.execute(any())).thenReturn(httpResponse);
+
+            oidcTokenProvider.fetchJwksUrls();
+
+            verify(httpClientMock).execute(argThat((getJwksRequest) -> getJwksRequest.getURI().toString().equals("https://jwksurl")));
+        }
+    }
 }
diff --git a/gateway-service/src/test/resources/test_samples/azure_jwks.json b/gateway-service/src/test/resources/test_samples/azure_jwks.json
@@ -0,0 +1,16 @@
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "use": "sig",
+            "kid": "9GmnyFPkhc3hOuR22mvSvgnLo7Y",
+            "x5t": "9GmnyFPkhc3hOuR22mvSvgnLo7Y",
+            "n": "z_w-5U4eZwenXYnEgt2rCN-753YQ7RN8ykiNprNiLl4ilpwAGLWF1cssoRflsSiBVZcCSwUzUwsifG7sbRq9Vc8RFs72Gg0AUwPsJFUqNttMg3Ot-wTqsZtE5GNSBUSqnI-iWoZfjw-uLsS0u4MfzP8Fpkd-rzRlifuIAYK8Ffi1bldkszeBzQbBZbXFwiw5uTf8vEAkH_IAdB732tQAsNXpWWYDV74nKAiwLlDS5FWVs2S2T-MPNAg28MLxYfRhW2bUpd693inxI8WTSLRncouzMImJF4XeMG2ZRZ0z_KJra_uzzMCLbILtpnLA95ysxWw-4ygm3MxN2iBM2IaJeQ",
+            "e": "AQAB",
+            "x5c": [
+                "MIIC/jCCAeagAwIBAgIJAOCJOVRxNKcNMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMjMwODI4MjAwMjQwWhcNMjgwODI4MjAwMjQwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/w+5U4eZwenXYnEgt2rCN+753YQ7RN8ykiNprNiLl4ilpwAGLWF1cssoRflsSiBVZcCSwUzUwsifG7sbRq9Vc8RFs72Gg0AUwPsJFUqNttMg3Ot+wTqsZtE5GNSBUSqnI+iWoZfjw+uLsS0u4MfzP8Fpkd+rzRlifuIAYK8Ffi1bldkszeBzQbBZbXFwiw5uTf8vEAkH/IAdB732tQAsNXpWWYDV74nKAiwLlDS5FWVs2S2T+MPNAg28MLxYfRhW2bUpd693inxI8WTSLRncouzMImJF4XeMG2ZRZ0z/KJra/uzzMCLbILtpnLA95ysxWw+4ygm3MxN2iBM2IaJeQIDAQABoyEwHzAdBgNVHQ4EFgQU/wzRzxsifMCz54SZ3HuF4P4jtzowDQYJKoZIhvcNAQELBQADggEBACaWlbJTObDai8+wmskHedKYb3FCfTwvH/sCRsygHIeDIi23CpoWeKt5FwXsSeqDMd0Hb6IMtYDG5rfGvhkNfunt3sutK0VpZZMNdSBmIXaUx4mBRRUsG4hpeWRrHRgTnxweDDVw4Mv+oYCmpY7eZ4SenISkSd/4qrXzFaI9NeZCY7Jg9vg1bev+NaUtD3C4As6GQ+mN8Rm2NG9vzgTDlKf4Wb5Exy7u9dMW1TChiy28ieVkETKdqwXcbhqM8GOLBUFicdmgP2y9aDGjb89BuaeoHJCGpWWCi3UZth14clVzC6p7ZD6fFx5tKMOL/hQvs3ugGtvFDWCsvcT8bB84RO8="
+            ],
+            "issuer": "https://login.microsoftonline.com/d10ec64d-2698-489f-8a03-7e77cdca82d7/v2.0"
+        }
+    ]
+}
diff --git a/gateway-service/src/test/resources/test_samples/okta_jwks.json b/gateway-service/src/test/resources/test_samples/okta_jwks.json
@@ -0,0 +1,20 @@
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "kid": "Lcxckkor94qkrunxHP7Tkib547rzmkXvsYV-nc6U-N4",
+            "use": "sig",
+            "e": "AQAB",
+            "n": "v6wT5k7uLto_VPTV8fW9_wRqWHuqnZbyEYAwNYRdffe9WowwnzUAr0Z93-4xDvCRuVfTfvCe9orEWdjZMaYlDq_Dj5BhLAqmBAF299Kv1GymOioLRDvoVWy0aVHYXXNaqJCPsaWIDiCly-_kJBbnda_rmB28a_878TNxom0mDQ20TI5SgdebqqMBOdHEqIYH1ER9euybekeqJX24EqE9YW4Yug5BOkZ9KcUkiEsH_NPyRlozihj18Qab181PRyKHE6M40W7w67XcRq2llTy-z9RrQupcyvLD7L62KN0ey8luKWnVg4uIOldpyBYyiRX2WPM-2K00RVC0e4jQKs34Gw"
+        },
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "kid": "-716sp3XBB_v30lGj2mu5MdXkdh8poa9zJQlAwC46n4",
+            "use": "sig",
+            "e": "AQAB",
+            "n": "5rYyqFsxel0Pv-xRDHPbg3IfumE4ks9ffLvJrfZVgrTQyiFmFfBnyD3r7y6626Yr5-68Pj0I5SHlCBPkkgTU_e9Z3tCYiegtIOeJdSdumWR2JDVAsbpwFJDG_kxP9czgX7HL0T2BPSapx7ba0ZBXd2-SfSDDL-c1Q0rJ1uQEJwDXAGZV4qy_oXuQf5DuV65Xj8y2Qn1DtVEBThxita-kis_H35CTWgW2zyyaS_08wa00R98mnQ2SHfmO5fZABITmH0DO0coDHqKZ429VNNpELLX9e95dirQ1jfngDbBCmy-XsT8yc6NpAaXmd8P2NHdsO2oK46EQEaFRyMcoDTs3-w"
+        }
+    ]
+}