Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/jetty-9.4.x' into jetty-10.0.x

This commit is contained in:
Lachlan Roberts 2020-07-28 13:39:50 +10:00
parent 7e4f32b56c c307c95887
commit 7ea35d78c5
3 changed files with 68 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
.github/workflows/maven.yml vendored Normal file
View File

@ -0,0 +1,38 @@
name: GitHub CI
on: [push, pull_request]
jobs:
build:
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macOS-latest]
java: [11, 14, 15-ea]
fail-fast: false
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up cache for ~./m2/repository
uses: actions/cache@v1
with:
path: ~/.m2/repository
key: maven-${{ matrix.os }}-java${{ matrix.java }}-${{ hashFiles('**/pom.xml') }}
restore-keys: |
maven-${{ matrix.os }}-java${{ matrix.java }}-
maven-${{ matrix.os }}-
- name: Set up JDK
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
- name: Build with Maven
run: mvn verify -e -B -V -Premote-session-tests -Pci -fae "-Dmaven.test.failure.ignore=true" "-Djetty.testtracker.log=true"
- name: Javadoc with Maven
run: mvn -e -B -V package source:jar javadoc:jar javadoc:aggregate-jar -Peclipse-release -DskipTests -Dpmd.skip=true -Dcheckstyle.skip=true

56
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
View File

@ -72,24 +72,6 @@ public class OpenIdCredentials implements Serializable
return response; return response;
} }
public boolean isExpired()
{
if (authCode != null || claims == null)
return true;
// Check expiry
long expiry = (Long)claims.get("exp");
long currentTimeSeconds = (long)(System.currentTimeMillis() / 1000F);
if (currentTimeSeconds > expiry)
{
if (LOG.isDebugEnabled())
LOG.debug("OpenId Credentials expired {}", this);
return true;
}
return false;
}
public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
{ {
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
@ -105,15 +87,15 @@ public class OpenIdCredentials implements Serializable
String idToken = (String)response.get("id_token"); String idToken = (String)response.get("id_token");
if (idToken == null) if (idToken == null)
throw new IllegalArgumentException("no id_token"); throw new AuthenticationException("no id_token");
String accessToken = (String)response.get("access_token"); String accessToken = (String)response.get("access_token");
if (accessToken == null) if (accessToken == null)
throw new IllegalArgumentException("no access_token"); throw new AuthenticationException("no access_token");
String tokenType = (String)response.get("token_type"); String tokenType = (String)response.get("token_type");
if (!"Bearer".equalsIgnoreCase(tokenType)) if (!"Bearer".equalsIgnoreCase(tokenType))
throw new IllegalArgumentException("invalid token_type"); throw new AuthenticationException("invalid token_type");
claims = JwtDecoder.decode(idToken); claims = JwtDecoder.decode(idToken);
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
@ -128,11 +110,11 @@ public class OpenIdCredentials implements Serializable
} }
} }
private void validateClaims(OpenIdConfiguration configuration) private void validateClaims(OpenIdConfiguration configuration) throws Exception
{ {
// Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim. // Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.
if (!configuration.getIssuer().equals(claims.get("iss"))) if (!configuration.getIssuer().equals(claims.get("iss")))
throw new IllegalArgumentException("Issuer Identifier MUST exactly match the iss Claim"); throw new AuthenticationException("Issuer Identifier MUST exactly match the iss Claim");
// The aud (audience) Claim MUST contain the client_id value. // The aud (audience) Claim MUST contain the client_id value.
validateAudience(configuration); validateAudience(configuration);
@ -140,10 +122,16 @@ public class OpenIdCredentials implements Serializable
// If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value. // If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
Object azp = claims.get("azp"); Object azp = claims.get("azp");
if (azp != null && !configuration.getClientId().equals(azp)) if (azp != null && !configuration.getClientId().equals(azp))
throw new IllegalArgumentException("Authorized party claim value should be the client_id"); throw new AuthenticationException("Authorized party claim value should be the client_id");
// Check that the ID token has not expired by checking the exp claim.
long expiry = (Long)claims.get("exp");
long currentTimeSeconds = (long)(System.currentTimeMillis() / 1000F);
if (currentTimeSeconds > expiry)
throw new AuthenticationException("ID Token has expired");
} }
private void validateAudience(OpenIdConfiguration configuration) private void validateAudience(OpenIdConfiguration configuration) throws AuthenticationException
{ {
Object aud = claims.get("aud"); Object aud = claims.get("aud");
String clientId = configuration.getClientId(); String clientId = configuration.getClientId();
@ -152,17 +140,17 @@ public class OpenIdCredentials implements Serializable
boolean isValidType = isString || isList; boolean isValidType = isString || isList;
if (isString && !clientId.equals(aud)) if (isString && !clientId.equals(aud))
throw new IllegalArgumentException("Audience Claim MUST contain the client_id value"); throw new AuthenticationException("Audience Claim MUST contain the client_id value");
else if (isList) else if (isList)
{ {
if (!Arrays.asList((Object[])aud).contains(clientId)) if (!Arrays.asList((Object[])aud).contains(clientId))
throw new IllegalArgumentException("Audience Claim MUST contain the client_id value"); throw new AuthenticationException("Audience Claim MUST contain the client_id value");
if (claims.get("azp") == null) if (claims.get("azp") == null)
throw new IllegalArgumentException("A multi-audience ID token needs to contain an azp claim"); throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
} }
else if (!isValidType) else if (!isValidType)
throw new IllegalArgumentException("Audience claim was not valid"); throw new AuthenticationException("Audience claim was not valid");
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
@ -185,7 +173,15 @@ public class OpenIdCredentials implements Serializable
Object parsedResponse = new JSON().fromJSON(responseBody); Object parsedResponse = new JSON().fromJSON(responseBody);
if (!(parsedResponse instanceof Map)) if (!(parsedResponse instanceof Map))
throw new IllegalStateException("Malformed response from OpenID Provider"); throw new AuthenticationException("Malformed response from OpenID Provider");
return (Map<String, Object>)parsedResponse; return (Map<String, Object>)parsedResponse;
} }
public static class AuthenticationException extends Exception
{
public AuthenticationException(String message)
{
super(message);
}
}
} }

11
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdLoginService.java
View File

@ -18,7 +18,6 @@
package org.eclipse.jetty.security.openid; package org.eclipse.jetty.security.openid;
import java.security.Principal;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.servlet.ServletRequest; import javax.servlet.ServletRequest;
@ -86,8 +85,6 @@ public class OpenIdLoginService extends ContainerLifeCycle implements LoginServi
try try
{ {
openIdCredentials.redeemAuthCode(configuration); openIdCredentials.redeemAuthCode(configuration);
if (openIdCredentials.isExpired())
return null;
} }
catch (Throwable e) catch (Throwable e)
{ {
@ -138,12 +135,10 @@ public class OpenIdLoginService extends ContainerLifeCycle implements LoginServi
@Override @Override
public boolean validate(UserIdentity user) public boolean validate(UserIdentity user)
{ {
Principal userPrincipal = user.getUserPrincipal(); if (!(user.getUserPrincipal() instanceof OpenIdUserPrincipal))
if (!(userPrincipal instanceof OpenIdUserPrincipal))
return false; return false;
OpenIdCredentials credentials = ((OpenIdUserPrincipal)userPrincipal).getCredentials(); return loginService == null || loginService.validate(user);
return !credentials.isExpired();
} }
@Override @Override
@ -167,5 +162,7 @@ public class OpenIdLoginService extends ContainerLifeCycle implements LoginServi
@Override @Override
public void logout(UserIdentity user) public void logout(UserIdentity user)
{ {
if (loginService != null)
loginService.logout(user);
} }
} }