Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: JWKS Request should not be duplicated headers added by filters #1924

Merged
merged 2 commits into from
Feb 4, 2025
Merged

fix: JWKS Request should not be duplicated headers added by filters #1924

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bc2e4ab
fix: filter sholud not keeping adding headers to jwsk request
sdelamo Feb 3, 2025
7c8c4d4
fix
yawkat Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions security-jwt/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ dependencies {
implementation(mnReactor.micronaut.reactor)
compileOnly(mnCache.micronaut.cache.core)
testImplementation(libs.bcpkix.jdk15on)
testImplementation(mnCache.micronaut.cache.caffeine)

compileOnly(mn.micronaut.http.client.core)
compileOnly(mn.micronaut.http.server)
Expand All @@ -38,6 +39,10 @@ dependencies {
testImplementation(mnTestResources.testcontainers.core)

testImplementation(libs.system.stubs.core)

testImplementation(mnTest.micronaut.test.junit5)
testImplementation(libs.junit.jupiter.params)
testRuntimeOnly(libs.junit.jupiter.engine)
}

tasks.test {
Expand Down
12 changes: 8 additions & 4 deletions ...c/main/java/io/micronaut/security/token/jwt/signature/jwks/ReactorCacheJwkSetFetcher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,17 +63,21 @@ public Publisher<JWKSet> fetch(@Nullable String providerName, @Nullable String u

private Mono<JwksCacheEntry> jwksCacheEntry(CacheKey cacheKey) {
return Mono.from(super.fetch(cacheKey.providerName, cacheKey.url()))
.defaultIfEmpty(new JWKSet())
.map(jwksSet -> instantiateCacheEntry(cacheKey, jwksSet))
.cacheInvalidateIf(JwksCacheEntry::isExpired);
.defaultIfEmpty(new JWKSet())
.map(jwksSet -> instantiateCacheEntry(cacheKey, jwksSet))
.doOnNext(entry -> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think this works, it will only be called once. you should put it into the cacheInvalidateIf parameter instead

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If remove the doOnNext and I do

            .cacheInvalidateIf(entry -> {
                if (entry.isExpired()) {
                    cache.remove(cacheKey);
                }
                return entry.isExpired();
            });

The test fails 7 headers instead of the expected five.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patch doesn't work either, though. As soon as the first expires, you're going to have multiple JWKSets for the same key, defeating the point of the caching.

This class is deprecated, does it need to be fixed? A proper cache implementation with eviction here would be more complicated than this PR

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there. i found a simple solution after all

if (entry.isExpired()) {
cache.remove(cacheKey);
}
}).cacheInvalidateIf(JwksCacheEntry::isExpired);
}

private JwksCacheEntry instantiateCacheEntry(CacheKey cacheKey, JWKSet jwkSet) {
return new JwksCacheEntry(jwkSet, Instant.now().plusSeconds(jwksSignatureConfigurations.get(cacheKey.providerName) != null
? jwksSignatureConfigurations.get(cacheKey.providerName).getCacheExpiration()
: JwksSignatureConfigurationProperties.DEFAULT_CACHE_EXPIRATION));
}

private record CacheKey(String providerName, String url) {
}

Expand Down
114 changes: 114 additions & 0 deletions ...o/micronaut/security/token/jwt/signature/jwks/JwksRequestDoesNotDuplicateHeadersTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
package io.micronaut.security.token.jwt.signature.jwks;

import io.micronaut.context.ApplicationContext;
import io.micronaut.context.annotation.Requires;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.MutableHttpRequest;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Filter;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.client.BlockingHttpClient;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.filter.ClientFilterChain;
import io.micronaut.http.filter.HttpClientFilter;
import io.micronaut.runtime.server.EmbeddedServer;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import org.reactivestreams.Publisher;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

import static org.junit.jupiter.api.Assertions.*;
import static org.junit.jupiter.params.provider.Arguments.arguments;

class JwksRequestDoesNotDuplicateHeadersTest {
static Stream<Arguments> paramsProvider() {
return Stream.of(
arguments(CacheableJwkSetFetcher.class, "micronaut.caches.jwks.expire-after-write", "0s"),
arguments(ReactorCacheJwkSetFetcher.class, "micronaut.security.token.jwt.signatures.jwks.google.cache-expiration", "0"));
}

@ParameterizedTest
@MethodSource("paramsProvider")
void jwksRequestDoesNotDuplicateHeadersTest(Class fetcherClass, String configName, String configValue) {
Map<String, Object> authServerConfig = Map.of("spec.name", "JwksRequestDoesNotDuplicateHeadersTestGoogle");
try (EmbeddedServer authServer = ApplicationContext.run(EmbeddedServer.class, authServerConfig)) {
Map<String, Object> serverConfig = Map.of("spec.name", "JwksRequestDoesNotDuplicateHeadersTest",
"micronaut.http.client.read-timeout", "5m",
"micronaut.security.token.jwt.signatures.jwks.google.url",
"http://localhost:" + authServer.getPort() + "/oauth2/v3/certs",
configName, configValue);
try (EmbeddedServer server = ApplicationContext.run(EmbeddedServer.class, serverConfig)) {
assertInstanceOf(fetcherClass, server.getApplicationContext().getBean(JwkSetFetcher.class));
HttpClient httpClient = server.getApplicationContext().createBean(HttpClient.class, server.getURL());
BlockingHttpClient client = httpClient.toBlocking();
assertNotNull(client);
String jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
int numberOfRequests = 5;
for (int i = 0; i < numberOfRequests; i++) {
assertEquals("{\"message\":\"Hello World\"}", client.retrieve(HttpRequest.GET("/").bearerAuth(jwt)));
}
assertEquals(5, authServer.getApplicationContext().getBean(GoogleAuthController.class).headers.size());
}
}
}

@Requires(property = "spec.name", value = "JwksRequestDoesNotDuplicateHeadersTest")
@Controller
static class HomeController {

@Secured(SecurityRule.IS_ANONYMOUS)
@Get
Map<String, String> index() {
return Collections.singletonMap("message", "Hello World");
}
}

@Requires(property = "spec.name", value = "JwksRequestDoesNotDuplicateHeadersTest")
@Filter(patterns = "/oauth2/v3/certs")
static class AddHeaderFilter implements HttpClientFilter {
public Publisher<? extends HttpResponse<?>> doFilter(MutableHttpRequest<?> request, ClientFilterChain chain) {
return chain.proceed(request.header("hdr", "a really long string ..."));
}
}

@Requires(property = "spec.name", value = "JwksRequestDoesNotDuplicateHeadersTestGoogle")
@Controller
static class GoogleAuthController {
List<String> headers = new ArrayList<>();
@Secured(SecurityRule.IS_ANONYMOUS)
@Get("/oauth2/v3/certs")
String index(HttpRequest<?> request) {
headers.addAll(request.getHeaders().getAll("hdr"));
return """
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "fa072f75784642615087c7182c101341e18f7a3a",
"n": "pleuF0RyDsETygZn89RpGVFNMxG_hdYVnvbHadvM1tYxs9ghDq93NFxejt--1QlwpLQ3yuVY_CKldkAWgzPVl8-oUBe5xh9jzpLUTqcyrS1aFLuzAe13-OTadUE18wvhz9goQf80rg5IztD_gBePOOBE7eWHGqWLghuMb7cIYjgFxqNFyPn8bF_7k8pQAeHIPua_6_GHhw3ML4msp-aU7O1io3Z4P_Bir_6_C5J9UtWAcJ0Ez0YC5FxOMkh27joO5mUas8krGnFqIJTOgDYXQC1QTu-HOCRNvi6gFMqEkDTP5oBK2cDPDq5L0T8Q0UanSPR0BuOTHesCXnDAdxdyXw",
"alg": "RS256"
},
{
"n": "5D9Xb4z8eFr-3Zh3m5GnM_KVqc6rskPL7EMa6lSxNiMJ-PhXGORU-S-QgLmMvHu3vAMfvxz6ph3JZDpdGT68wj-vWqqBudaDYCbnbkjXm6UpcrFMpGAiOS6gACNxpz80JXaO2DPtl9jTN6WyJY9tLHdqRfesfOlwzB0lmVZ8shSDh8usN3vB1KfYuR6Vytly1phaWJr92yMICKUjtXT-0SlrtqDgX_U2Swl4QyZN6rrfuG3F6Fmw-m12Ve_kyoPUb02bbJCSFDnIZsMvRlSZem5nUrs86zDPTWfNcB0LUYG8OgMzOev7r04h_RY2F6K7c8nE2EobYTrH0kw2QIf8vQ",
"alg": "RS256",
"kid": "eec534fa5b8caca201ca8d0ff96b54c562210d1e",
"e": "AQAB",
"kty": "RSA",
"use": "sig"
}
]
}
""";
}
}
}
Loading