mirror of https://github.com/apache/lucene.git
Revert "SOLR-14799: JWT authentication plugin only requires sub claim when principalClaim=sub"
This reverts commit bc0c9ffee3
.
This commit is contained in:
parent
bc0c9ffee3
commit
c63684f93b
|
@ -71,6 +71,7 @@ import org.slf4j.LoggerFactory;
|
||||||
public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, ConfigEditablePlugin {
|
public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, ConfigEditablePlugin {
|
||||||
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
||||||
private static final String PARAM_BLOCK_UNKNOWN = "blockUnknown";
|
private static final String PARAM_BLOCK_UNKNOWN = "blockUnknown";
|
||||||
|
private static final String PARAM_REQUIRE_SUBJECT = "requireSub";
|
||||||
private static final String PARAM_REQUIRE_ISSUER = "requireIss";
|
private static final String PARAM_REQUIRE_ISSUER = "requireIss";
|
||||||
private static final String PARAM_PRINCIPAL_CLAIM = "principalClaim";
|
private static final String PARAM_PRINCIPAL_CLAIM = "principalClaim";
|
||||||
private static final String PARAM_ROLES_CLAIM = "rolesClaim";
|
private static final String PARAM_ROLES_CLAIM = "rolesClaim";
|
||||||
|
@ -91,7 +92,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
|
||||||
static final String PRIMARY_ISSUER = "PRIMARY";
|
static final String PRIMARY_ISSUER = "PRIMARY";
|
||||||
|
|
||||||
private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
|
private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
|
||||||
PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_WHITELIST,
|
PARAM_REQUIRE_SUBJECT, PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_WHITELIST,
|
||||||
PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
|
PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
|
||||||
PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
|
PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
|
||||||
// These keys are supported for now to enable PRIMARY issuer config through top-level keys
|
// These keys are supported for now to enable PRIMARY issuer config through top-level keys
|
||||||
|
@ -136,6 +137,10 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
|
||||||
blockUnknown = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, false)));
|
blockUnknown = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, false)));
|
||||||
requireIssuer = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER, "true")));
|
requireIssuer = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER, "true")));
|
||||||
requireExpirationTime = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_EXPIRATIONTIME, "true")));
|
requireExpirationTime = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_EXPIRATIONTIME, "true")));
|
||||||
|
if (pluginConfig.get(PARAM_REQUIRE_SUBJECT) != null) {
|
||||||
|
log.warn("Parameter {} is no longer used and may generate error in a later version. A subject claim is now always required",
|
||||||
|
PARAM_REQUIRE_SUBJECT);
|
||||||
|
}
|
||||||
principalClaim = (String) pluginConfig.getOrDefault(PARAM_PRINCIPAL_CLAIM, "sub");
|
principalClaim = (String) pluginConfig.getOrDefault(PARAM_PRINCIPAL_CLAIM, "sub");
|
||||||
|
|
||||||
rolesClaim = (String) pluginConfig.get(PARAM_ROLES_CLAIM);
|
rolesClaim = (String) pluginConfig.get(PARAM_ROLES_CLAIM);
|
||||||
|
@ -495,6 +500,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
|
||||||
} else {
|
} else {
|
||||||
jwtConsumerBuilder.setSkipDefaultAudienceValidation();
|
jwtConsumerBuilder.setSkipDefaultAudienceValidation();
|
||||||
}
|
}
|
||||||
|
jwtConsumerBuilder.setRequireSubject();
|
||||||
if (requireExpirationTime)
|
if (requireExpirationTime)
|
||||||
jwtConsumerBuilder.setRequireExpirationTime();
|
jwtConsumerBuilder.setRequireExpirationTime();
|
||||||
if (algWhitelist != null)
|
if (algWhitelist != null)
|
||||||
|
|
|
@ -93,7 +93,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
|
||||||
claims.unsetClaim("iss");
|
claims.unsetClaim("iss");
|
||||||
claims.unsetClaim("aud");
|
claims.unsetClaim("aud");
|
||||||
claims.unsetClaim("exp");
|
claims.unsetClaim("exp");
|
||||||
claims.setSubject(null);
|
|
||||||
jws.setPayload(claims.toJson());
|
jws.setPayload(claims.toJson());
|
||||||
String slimJwt = jws.getCompactSerialization();
|
String slimJwt = jws.getCompactSerialization();
|
||||||
slimHeader = "Bearer" + " " + slimJwt;
|
slimHeader = "Bearer" + " " + slimJwt;
|
||||||
|
@ -128,7 +127,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
|
||||||
|
|
||||||
testConfig = new HashMap<>();
|
testConfig = new HashMap<>();
|
||||||
testConfig.put("class", "org.apache.solr.security.JWTAuthPlugin");
|
testConfig.put("class", "org.apache.solr.security.JWTAuthPlugin");
|
||||||
testConfig.put("principalClaim", "customPrincipal");
|
|
||||||
testConfig.put("jwk", testJwk);
|
testConfig.put("jwk", testJwk);
|
||||||
plugin.init(testConfig);
|
plugin.init(testConfig);
|
||||||
|
|
||||||
|
@ -218,25 +216,11 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
|
||||||
public void authenticateOk() {
|
public void authenticateOk() {
|
||||||
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
|
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
|
||||||
assertTrue(resp.isAuthenticated());
|
assertTrue(resp.isAuthenticated());
|
||||||
assertEquals("custom", resp.getPrincipal().getName()); // principalClaim = customPrincipal, not sub here
|
assertEquals("solruser", resp.getPrincipal().getName());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void authFailedMissingSubject() {
|
public void authFailedMissingSubject() {
|
||||||
minimalConfig.put("principalClaim","sub"); // minimalConfig has no subject specified
|
|
||||||
plugin.init(minimalConfig);
|
|
||||||
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
|
|
||||||
assertFalse(resp.isAuthenticated());
|
|
||||||
assertEquals(JWTAuthPlugin.JWTAuthenticationResponse.AuthCode.JWT_VALIDATION_EXCEPTION, resp.getAuthCode());
|
|
||||||
|
|
||||||
testConfig.put("principalClaim","sub"); // testConfig has subject = solruser
|
|
||||||
plugin.init(testConfig);
|
|
||||||
resp = plugin.authenticate(testHeader);
|
|
||||||
assertTrue(resp.isAuthenticated());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void authFailedMissingIssuer() {
|
|
||||||
testConfig.put("iss", "NA");
|
testConfig.put("iss", "NA");
|
||||||
plugin.init(testConfig);
|
plugin.init(testConfig);
|
||||||
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
|
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
|
||||||
|
|
Loading…
Reference in New Issue