Joe Grandja
parent
1ecafc9420
commit
c30488cd30
|
|
@ -32,6 +32,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
|
|||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
|
||||
import org.springframework.security.oauth2.server.authorization.web.JwkSetEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
|
||||
|
|
@ -130,6 +131,9 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
|
|||
|
||||
@Override
|
||||
public void configure(B builder) {
|
||||
JwkSetEndpointFilter jwkSetEndpointFilter = new JwkSetEndpointFilter(getKeyManager(builder));
|
||||
builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
|
||||
|
||||
AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
|
||||
|
||||
OAuth2ClientAuthenticationFilter clientAuthenticationFilter =
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ dependencies {
|
|||
compile springCoreDependency
|
||||
compile 'com.fasterxml.jackson.core:jackson-databind'
|
||||
|
||||
testCompile project(path: ':spring-security-crypto2', configuration: 'tests')
|
||||
testCompile 'org.springframework:spring-webmvc'
|
||||
testCompile 'junit:junit'
|
||||
testCompile 'org.assertj:assertj-core'
|
||||
|
|
|
|||
|
|
@ -0,0 +1,132 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import com.nimbusds.jose.JWSAlgorithm;
|
||||
import com.nimbusds.jose.jwk.Curve;
|
||||
import com.nimbusds.jose.jwk.ECKey;
|
||||
import com.nimbusds.jose.jwk.JWK;
|
||||
import com.nimbusds.jose.jwk.JWKSet;
|
||||
import com.nimbusds.jose.jwk.KeyUse;
|
||||
import com.nimbusds.jose.jwk.RSAKey;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.crypto.keys.KeyManager;
|
||||
import org.springframework.security.crypto.keys.ManagedKey;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.io.Writer;
|
||||
import java.security.interfaces.ECPublicKey;
|
||||
import java.security.interfaces.RSAPublicKey;
|
||||
import java.util.Objects;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
/**
|
||||
* A {@code Filter} that processes JWK Set requests.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 0.0.1
|
||||
* @see KeyManager
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517#section-5">Section 5 JWK Set Format</a>
|
||||
*/
|
||||
public class JwkSetEndpointFilter extends OncePerRequestFilter {
|
||||
/**
|
||||
* The default endpoint {@code URI} for JWK Set requests.
|
||||
*/
|
||||
public static final String DEFAULT_JWK_SET_ENDPOINT_URI = "/oauth2/jwks";
|
||||
|
||||
private final KeyManager keyManager;
|
||||
private final RequestMatcher requestMatcher;
|
||||
|
||||
/**
|
||||
* Constructs a {@code JwkSetEndpointFilter} using the provided parameters.
|
||||
*
|
||||
* @param keyManager the key manager
|
||||
*/
|
||||
public JwkSetEndpointFilter(KeyManager keyManager) {
|
||||
this(keyManager, DEFAULT_JWK_SET_ENDPOINT_URI);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a {@code JwkSetEndpointFilter} using the provided parameters.
|
||||
*
|
||||
* @param keyManager the key manager
|
||||
* @param jwkSetEndpointUri the endpoint {@code URI} for JWK Set requests
|
||||
*/
|
||||
public JwkSetEndpointFilter(KeyManager keyManager, String jwkSetEndpointUri) {
|
||||
Assert.notNull(keyManager, "keyManager cannot be null");
|
||||
Assert.hasText(jwkSetEndpointUri, "jwkSetEndpointUri cannot be empty");
|
||||
this.keyManager = keyManager;
|
||||
this.requestMatcher = new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name());
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if (!this.requestMatcher.matches(request)) {
|
||||
filterChain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
JWKSet jwkSet = buildJwkSet();
|
||||
|
||||
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
|
||||
try (Writer writer = response.getWriter()) {
|
||||
writer.write(jwkSet.toJSONObject().toString());
|
||||
}
|
||||
}
|
||||
|
||||
private JWKSet buildJwkSet() {
|
||||
return new JWKSet(
|
||||
this.keyManager.getKeys().stream()
|
||||
.filter(managedKey -> managedKey.isActive() && managedKey.isAsymmetric())
|
||||
.map(this::convert)
|
||||
.filter(Objects::nonNull)
|
||||
.collect(Collectors.toList())
|
||||
);
|
||||
}
|
||||
|
||||
private JWK convert(ManagedKey managedKey) {
|
||||
JWK jwk = null;
|
||||
if (managedKey.getPublicKey() instanceof RSAPublicKey) {
|
||||
RSAPublicKey publicKey = (RSAPublicKey) managedKey.getPublicKey();
|
||||
jwk = new RSAKey.Builder(publicKey)
|
||||
.keyUse(KeyUse.SIGNATURE)
|
||||
.algorithm(JWSAlgorithm.RS256)
|
||||
.keyID(managedKey.getKeyId())
|
||||
.build();
|
||||
} else if (managedKey.getPublicKey() instanceof ECPublicKey) {
|
||||
ECPublicKey publicKey = (ECPublicKey) managedKey.getPublicKey();
|
||||
Curve curve = Curve.forECParameterSpec(publicKey.getParams());
|
||||
jwk = new ECKey.Builder(curve, publicKey)
|
||||
.keyUse(KeyUse.SIGNATURE)
|
||||
.algorithm(JWSAlgorithm.ES256)
|
||||
.keyID(managedKey.getKeyId())
|
||||
.build();
|
||||
}
|
||||
return jwk;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,186 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import com.nimbusds.jose.JWSAlgorithm;
|
||||
import com.nimbusds.jose.jwk.ECKey;
|
||||
import com.nimbusds.jose.jwk.JWKSet;
|
||||
import com.nimbusds.jose.jwk.KeyUse;
|
||||
import com.nimbusds.jose.jwk.RSAKey;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.crypto.keys.KeyManager;
|
||||
import org.springframework.security.crypto.keys.ManagedKey;
|
||||
import org.springframework.security.crypto.keys.TestManagedKeys;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.time.Instant;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.stream.Collectors;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* Tests for {@link JwkSetEndpointFilter}.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
*/
|
||||
public class JwkSetEndpointFilterTests {
|
||||
private KeyManager keyManager;
|
||||
private JwkSetEndpointFilter filter;
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
this.keyManager = mock(KeyManager.class);
|
||||
this.filter = new JwkSetEndpointFilter(this.keyManager);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenKeyManagerNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new JwkSetEndpointFilter(null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("keyManager cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenJwkSetEndpointUriNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new JwkSetEndpointFilter(this.keyManager, null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("jwkSetEndpointUri cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenNotJwkSetRequestThenNotProcessed() throws Exception {
|
||||
String requestUri = "/path";
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
|
||||
verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenJwkSetRequestPostThenNotProcessed() throws Exception {
|
||||
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
|
||||
verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenAsymmetricKeysThenJwkSetResponse() throws Exception {
|
||||
ManagedKey rsaManagedKey = TestManagedKeys.rsaManagedKey().build();
|
||||
ManagedKey ecManagedKey = TestManagedKeys.ecManagedKey().build();
|
||||
when(this.keyManager.getKeys()).thenReturn(
|
||||
Stream.of(rsaManagedKey, ecManagedKey).collect(Collectors.toSet()));
|
||||
|
||||
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
|
||||
verifyNoInteractions(filterChain);
|
||||
|
||||
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
|
||||
|
||||
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
|
||||
assertThat(jwkSet.getKeys()).hasSize(2);
|
||||
|
||||
RSAKey rsaJwk = (RSAKey) jwkSet.getKeyByKeyId(rsaManagedKey.getKeyId());
|
||||
assertThat(rsaJwk).isNotNull();
|
||||
assertThat(rsaJwk.toRSAPublicKey()).isEqualTo(rsaManagedKey.getPublicKey());
|
||||
assertThat(rsaJwk.toRSAPrivateKey()).isNull();
|
||||
assertThat(rsaJwk.getKeyUse()).isEqualTo(KeyUse.SIGNATURE);
|
||||
assertThat(rsaJwk.getAlgorithm()).isEqualTo(JWSAlgorithm.RS256);
|
||||
|
||||
ECKey ecJwk = (ECKey) jwkSet.getKeyByKeyId(ecManagedKey.getKeyId());
|
||||
assertThat(ecJwk).isNotNull();
|
||||
assertThat(ecJwk.toECPublicKey()).isEqualTo(ecManagedKey.getPublicKey());
|
||||
assertThat(ecJwk.toECPublicKey()).isEqualTo(ecManagedKey.getPublicKey());
|
||||
assertThat(ecJwk.toECPrivateKey()).isNull();
|
||||
assertThat(ecJwk.getKeyUse()).isEqualTo(KeyUse.SIGNATURE);
|
||||
assertThat(ecJwk.getAlgorithm()).isEqualTo(JWSAlgorithm.ES256);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenSymmetricKeysThenJwkSetResponseEmpty() throws Exception {
|
||||
ManagedKey secretManagedKey = TestManagedKeys.secretManagedKey().build();
|
||||
when(this.keyManager.getKeys()).thenReturn(
|
||||
new HashSet<>(Collections.singleton(secretManagedKey)));
|
||||
|
||||
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
|
||||
verifyNoInteractions(filterChain);
|
||||
|
||||
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
|
||||
|
||||
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
|
||||
assertThat(jwkSet.getKeys()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenNoActiveKeysThenJwkSetResponseEmpty() throws Exception {
|
||||
ManagedKey rsaManagedKey = TestManagedKeys.rsaManagedKey().deactivatedOn(Instant.now()).build();
|
||||
ManagedKey ecManagedKey = TestManagedKeys.ecManagedKey().deactivatedOn(Instant.now()).build();
|
||||
when(this.keyManager.getKeys()).thenReturn(
|
||||
Stream.of(rsaManagedKey, ecManagedKey).collect(Collectors.toSet()));
|
||||
|
||||
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
|
||||
verifyNoInteractions(filterChain);
|
||||
|
||||
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
|
||||
|
||||
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
|
||||
assertThat(jwkSet.getKeys()).isEmpty();
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user