Add JWK Set Endpoint Filter

Closes gh-82
This commit is contained in:
Joe Grandja 2020-08-17 06:34:42 -04:00
parent 1ecafc9420
commit c30488cd30
4 changed files with 323 additions and 0 deletions

View File

@ -32,6 +32,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.web.JwkSetEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
@ -130,6 +131,9 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
@Override @Override
public void configure(B builder) { public void configure(B builder) {
JwkSetEndpointFilter jwkSetEndpointFilter = new JwkSetEndpointFilter(getKeyManager(builder));
builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class); AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
OAuth2ClientAuthenticationFilter clientAuthenticationFilter = OAuth2ClientAuthenticationFilter clientAuthenticationFilter =

View File

@ -9,6 +9,7 @@ dependencies {
compile springCoreDependency compile springCoreDependency
compile 'com.fasterxml.jackson.core:jackson-databind' compile 'com.fasterxml.jackson.core:jackson-databind'
testCompile project(path: ':spring-security-crypto2', configuration: 'tests')
testCompile 'org.springframework:spring-webmvc' testCompile 'org.springframework:spring-webmvc'
testCompile 'junit:junit' testCompile 'junit:junit'
testCompile 'org.assertj:assertj-core' testCompile 'org.assertj:assertj-core'

View File

@ -0,0 +1,132 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.web;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.crypto.keys.KeyManager;
import org.springframework.security.crypto.keys.ManagedKey;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Writer;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Objects;
import java.util.stream.Collectors;
/**
* A {@code Filter} that processes JWK Set requests.
*
* @author Joe Grandja
* @since 0.0.1
* @see KeyManager
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a>
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517#section-5">Section 5 JWK Set Format</a>
*/
public class JwkSetEndpointFilter extends OncePerRequestFilter {
/**
* The default endpoint {@code URI} for JWK Set requests.
*/
public static final String DEFAULT_JWK_SET_ENDPOINT_URI = "/oauth2/jwks";
private final KeyManager keyManager;
private final RequestMatcher requestMatcher;
/**
* Constructs a {@code JwkSetEndpointFilter} using the provided parameters.
*
* @param keyManager the key manager
*/
public JwkSetEndpointFilter(KeyManager keyManager) {
this(keyManager, DEFAULT_JWK_SET_ENDPOINT_URI);
}
/**
* Constructs a {@code JwkSetEndpointFilter} using the provided parameters.
*
* @param keyManager the key manager
* @param jwkSetEndpointUri the endpoint {@code URI} for JWK Set requests
*/
public JwkSetEndpointFilter(KeyManager keyManager, String jwkSetEndpointUri) {
Assert.notNull(keyManager, "keyManager cannot be null");
Assert.hasText(jwkSetEndpointUri, "jwkSetEndpointUri cannot be empty");
this.keyManager = keyManager;
this.requestMatcher = new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name());
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (!this.requestMatcher.matches(request)) {
filterChain.doFilter(request, response);
return;
}
JWKSet jwkSet = buildJwkSet();
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
try (Writer writer = response.getWriter()) {
writer.write(jwkSet.toJSONObject().toString());
}
}
private JWKSet buildJwkSet() {
return new JWKSet(
this.keyManager.getKeys().stream()
.filter(managedKey -> managedKey.isActive() && managedKey.isAsymmetric())
.map(this::convert)
.filter(Objects::nonNull)
.collect(Collectors.toList())
);
}
private JWK convert(ManagedKey managedKey) {
JWK jwk = null;
if (managedKey.getPublicKey() instanceof RSAPublicKey) {
RSAPublicKey publicKey = (RSAPublicKey) managedKey.getPublicKey();
jwk = new RSAKey.Builder(publicKey)
.keyUse(KeyUse.SIGNATURE)
.algorithm(JWSAlgorithm.RS256)
.keyID(managedKey.getKeyId())
.build();
} else if (managedKey.getPublicKey() instanceof ECPublicKey) {
ECPublicKey publicKey = (ECPublicKey) managedKey.getPublicKey();
Curve curve = Curve.forECParameterSpec(publicKey.getParams());
jwk = new ECKey.Builder(curve, publicKey)
.keyUse(KeyUse.SIGNATURE)
.algorithm(JWSAlgorithm.ES256)
.keyID(managedKey.getKeyId())
.build();
}
return jwk;
}
}

View File

@ -0,0 +1,186 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.web;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import org.junit.Before;
import org.junit.Test;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.crypto.keys.KeyManager;
import org.springframework.security.crypto.keys.ManagedKey;
import org.springframework.security.crypto.keys.TestManagedKeys;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.time.Instant;
import java.util.Collections;
import java.util.HashSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
/**
* Tests for {@link JwkSetEndpointFilter}.
*
* @author Joe Grandja
*/
public class JwkSetEndpointFilterTests {
private KeyManager keyManager;
private JwkSetEndpointFilter filter;
@Before
public void setUp() {
this.keyManager = mock(KeyManager.class);
this.filter = new JwkSetEndpointFilter(this.keyManager);
}
@Test
public void constructorWhenKeyManagerNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new JwkSetEndpointFilter(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("keyManager cannot be null");
}
@Test
public void constructorWhenJwkSetEndpointUriNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new JwkSetEndpointFilter(this.keyManager, null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("jwkSetEndpointUri cannot be empty");
}
@Test
public void doFilterWhenNotJwkSetRequestThenNotProcessed() throws Exception {
String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void doFilterWhenJwkSetRequestPostThenNotProcessed() throws Exception {
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void doFilterWhenAsymmetricKeysThenJwkSetResponse() throws Exception {
ManagedKey rsaManagedKey = TestManagedKeys.rsaManagedKey().build();
ManagedKey ecManagedKey = TestManagedKeys.ecManagedKey().build();
when(this.keyManager.getKeys()).thenReturn(
Stream.of(rsaManagedKey, ecManagedKey).collect(Collectors.toSet()));
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verifyNoInteractions(filterChain);
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
assertThat(jwkSet.getKeys()).hasSize(2);
RSAKey rsaJwk = (RSAKey) jwkSet.getKeyByKeyId(rsaManagedKey.getKeyId());
assertThat(rsaJwk).isNotNull();
assertThat(rsaJwk.toRSAPublicKey()).isEqualTo(rsaManagedKey.getPublicKey());
assertThat(rsaJwk.toRSAPrivateKey()).isNull();
assertThat(rsaJwk.getKeyUse()).isEqualTo(KeyUse.SIGNATURE);
assertThat(rsaJwk.getAlgorithm()).isEqualTo(JWSAlgorithm.RS256);
ECKey ecJwk = (ECKey) jwkSet.getKeyByKeyId(ecManagedKey.getKeyId());
assertThat(ecJwk).isNotNull();
assertThat(ecJwk.toECPublicKey()).isEqualTo(ecManagedKey.getPublicKey());
assertThat(ecJwk.toECPublicKey()).isEqualTo(ecManagedKey.getPublicKey());
assertThat(ecJwk.toECPrivateKey()).isNull();
assertThat(ecJwk.getKeyUse()).isEqualTo(KeyUse.SIGNATURE);
assertThat(ecJwk.getAlgorithm()).isEqualTo(JWSAlgorithm.ES256);
}
@Test
public void doFilterWhenSymmetricKeysThenJwkSetResponseEmpty() throws Exception {
ManagedKey secretManagedKey = TestManagedKeys.secretManagedKey().build();
when(this.keyManager.getKeys()).thenReturn(
new HashSet<>(Collections.singleton(secretManagedKey)));
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verifyNoInteractions(filterChain);
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
assertThat(jwkSet.getKeys()).isEmpty();
}
@Test
public void doFilterWhenNoActiveKeysThenJwkSetResponseEmpty() throws Exception {
ManagedKey rsaManagedKey = TestManagedKeys.rsaManagedKey().deactivatedOn(Instant.now()).build();
ManagedKey ecManagedKey = TestManagedKeys.ecManagedKey().deactivatedOn(Instant.now()).build();
when(this.keyManager.getKeys()).thenReturn(
Stream.of(rsaManagedKey, ecManagedKey).collect(Collectors.toSet()));
String requestUri = JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verifyNoInteractions(filterChain);
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
JWKSet jwkSet = JWKSet.parse(response.getContentAsString());
assertThat(jwkSet.getKeys()).isEmpty();
}
}