Revert "SOLR-14799: JWT authentication plugin only requires sub claim when principalClaim=sub"

This reverts commit bc0c9ffee3.
This commit is contained in:
Erik Hatcher 2020-09-16 12:45:03 -04:00
parent bc0c9ffee3
commit c63684f93b
2 changed files with 8 additions and 18 deletions


@ -71,6 +71,7 @@ import org.slf4j.LoggerFactory;
public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, ConfigEditablePlugin { public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, ConfigEditablePlugin {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
private static final String PARAM_BLOCK_UNKNOWN = "blockUnknown"; private static final String PARAM_BLOCK_UNKNOWN = "blockUnknown";
private static final String PARAM_REQUIRE_SUBJECT = "requireSub";
private static final String PARAM_REQUIRE_ISSUER = "requireIss"; private static final String PARAM_REQUIRE_ISSUER = "requireIss";
private static final String PARAM_PRINCIPAL_CLAIM = "principalClaim"; private static final String PARAM_PRINCIPAL_CLAIM = "principalClaim";
private static final String PARAM_ROLES_CLAIM = "rolesClaim"; private static final String PARAM_ROLES_CLAIM = "rolesClaim";
@ -91,7 +92,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
static final String PRIMARY_ISSUER = "PRIMARY"; static final String PRIMARY_ISSUER = "PRIMARY";
private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN, private static final Set<String> PROPS = ImmutableSet.of(PARAM_BLOCK_UNKNOWN,
PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_WHITELIST, PARAM_REQUIRE_SUBJECT, PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_WHITELIST,
PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM, PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, PARAM_SCOPE, PARAM_REALM, PARAM_ROLES_CLAIM,
PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS, PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS,
// These keys are supported for now to enable PRIMARY issuer config through top-level keys // These keys are supported for now to enable PRIMARY issuer config through top-level keys
@ -136,6 +137,10 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
blockUnknown = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, false))); blockUnknown = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, false)));
requireIssuer = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER, "true"))); requireIssuer = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER, "true")));
requireExpirationTime = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_EXPIRATIONTIME, "true"))); requireExpirationTime = Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_EXPIRATIONTIME, "true")));
if (pluginConfig.get(PARAM_REQUIRE_SUBJECT) != null) {
log.warn("Parameter {} is no longer used and may generate error in a later version. A subject claim is now always required",
PARAM_REQUIRE_SUBJECT);
}
principalClaim = (String) pluginConfig.getOrDefault(PARAM_PRINCIPAL_CLAIM, "sub"); principalClaim = (String) pluginConfig.getOrDefault(PARAM_PRINCIPAL_CLAIM, "sub");
rolesClaim = (String) pluginConfig.get(PARAM_ROLES_CLAIM); rolesClaim = (String) pluginConfig.get(PARAM_ROLES_CLAIM);
@ -495,6 +500,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider,
} else { } else {
jwtConsumerBuilder.setSkipDefaultAudienceValidation(); jwtConsumerBuilder.setSkipDefaultAudienceValidation();
} }
jwtConsumerBuilder.setRequireSubject();
if (requireExpirationTime) if (requireExpirationTime)
jwtConsumerBuilder.setRequireExpirationTime(); jwtConsumerBuilder.setRequireExpirationTime();
if (algWhitelist != null) if (algWhitelist != null)
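Review bot: The restored `jwtConsumerBuilder.setRequireSubject()` at line 41 makes the consumer reject any token without `sub`, but `principalClaim` (line 35, default `"sub"`, operator-configurable) is what the plugin uses for identity, so a token that carries `sub` yet lacks the configured principal claim passes consumer validation and its fate depends on the principal lookup in `authenticate()`, which is outside this hunk. A one-line comment above the call would make that asymmetry explicit: `// "sub" is always required by the consumer; presence of the configured principalClaim is checked separately when the principal is resolved` — wording to confirm against `authenticate()`. Note also that the `requireSub` setting re-accepted at lines 31-34 only warns and is otherwise ignored, which is the fail-safe direction (the claim stays required); the warning could say that explicitly, e.g. `"... A subject claim is always required; the value of {} is ignored"`. The enclosing method starts and ends outside this hunk.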


@ -93,7 +93,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
claims.unsetClaim("iss"); claims.unsetClaim("iss");
claims.unsetClaim("aud"); claims.unsetClaim("aud");
claims.unsetClaim("exp"); claims.unsetClaim("exp");
claims.setSubject(null);
jws.setPayload(claims.toJson()); jws.setPayload(claims.toJson());
String slimJwt = jws.getCompactSerialization(); String slimJwt = jws.getCompactSerialization();
slimHeader = "Bearer" + " " + slimJwt; slimHeader = "Bearer" + " " + slimJwt;
@ -128,7 +127,6 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
testConfig = new HashMap<>(); testConfig = new HashMap<>();
testConfig.put("class", "org.apache.solr.security.JWTAuthPlugin"); testConfig.put("class", "org.apache.solr.security.JWTAuthPlugin");
testConfig.put("principalClaim", "customPrincipal");
testConfig.put("jwk", testJwk); testConfig.put("jwk", testJwk);
plugin.init(testConfig); plugin.init(testConfig);
@ -218,25 +216,11 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
public void authenticateOk() { public void authenticateOk() {
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader); JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
assertTrue(resp.isAuthenticated()); assertTrue(resp.isAuthenticated());
assertEquals("custom", resp.getPrincipal().getName()); // principalClaim = customPrincipal, not sub here assertEquals("solruser", resp.getPrincipal().getName());
} }
@Test @Test
public void authFailedMissingSubject() { public void authFailedMissingSubject() {
minimalConfig.put("principalClaim","sub"); // minimalConfig has no subject specified
plugin.init(minimalConfig);
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
assertFalse(resp.isAuthenticated());
assertEquals(JWTAuthPlugin.JWTAuthenticationResponse.AuthCode.JWT_VALIDATION_EXCEPTION, resp.getAuthCode());
testConfig.put("principalClaim","sub"); // testConfig has subject = solruser
plugin.init(testConfig);
resp = plugin.authenticate(testHeader);
assertTrue(resp.isAuthenticated());
}
@Test
public void authFailedMissingIssuer() {
testConfig.put("iss", "NA"); testConfig.put("iss", "NA");
plugin.init(testConfig); plugin.init(testConfig);
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader); JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(testHeader);
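Review bot: The test restored here under the name `authFailedMissingSubject` (line 69) drives the failure with `testConfig.put("iss", "NA")`, i.e. a bogus issuer rather than a missing subject, so after this revert no test exercises the now-unconditional `setRequireSubject()` rejection path, and the only fixture that lacked `sub` (the `claims.setSubject(null)` removed at line 52) is gone as well. Keep a genuine negative test: build a token with `claims.setSubject(null)` under the default `principalClaim`, then assert `assertFalse(resp.isAuthenticated())` and `assertEquals(JWTAuthPlugin.JWTAuthenticationResponse.AuthCode.JWT_VALIDATION_EXCEPTION, resp.getAuthCode())`, and rename the `iss`-based test to something like `authFailedMissingIssuer` so the name matches what it checks. Whether `claims`/`jws` are reachable from an instance test is not visible here, so the fixture plumbing needs confirming. The method body continues past line 84.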