Renamed method `isSignatureValid()` to `isValid()` since it tests also other aspects (exipration, not before, etc...).

2024-04-30 12:55:04 +02:00 · 2024-04-30 12:55:04 +02:00 · 8c009b9a8d
parent 23f387f832
commit 8c009b9a8d
5 changed files with 28 additions and 14 deletions
--- a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
@ -4,6 +4,7 @@ import java.net.URL;
 import java.util.List;
 import java.util.Map;

+import org.gcube.com.fasterxml.jackson.annotation.JsonProperty;
 import org.gcube.common.keycloak.model.PublishedRealmRepresentation;
 import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
 import org.gcube.common.keycloak.model.TokenResponse;
@ -76,7 +77,8 @@ public interface KeycloakClient {
    URL getAvatarEndpointURL(URL realmBaseURL) throws KeycloakClientException;

    /**
-     * Get the realm info setup
+     * Get the realm info setup (RSA <code>public_key</code>, <code>token-service</code> URL,
+     * <code>account-service</code> URL and <code>tokens-not-before</code> setting)
     * 
     * @param realmURL the realm URL
     * @return the configured realm info
--- a/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
+++ b/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
@ -48,10 +48,19 @@ public class ModelUtils {
        }
    }

-    public static RSAPublicKey createRSAPublicKey(String publicKeyPem) {
+    /**
+     * Creates and {@link RSAPublicKey} instance from its string PEM representation
+     * 
+     * @param publicKeyPem the public key PEM string
+     * @return the RSA public key
+     * @throws Exception if it's not possbile to create the RSA public key from the PEM string
+     */
+    public static RSAPublicKey createRSAPublicKey(String publicKeyPem) throws Exception {
        try {
-            String publicKey = publicKeyPem.replaceFirst("-----BEGIN .+-----\n", "");
-            publicKey = publicKey.replaceFirst("-----END .+-----", "");
+            String publicKey = publicKeyPem.replaceFirst("-----BEGIN (.*)-----\n", "");
+            publicKey = publicKey.replaceFirst("-----END (.*)-----", "");
+            publicKey = publicKey.replaceAll("\r\n", "");
+            publicKey = publicKey.replaceAll("\n", "");

            byte[] encoded = Base64.getDecoder().decode(publicKey);
            KeyFactory kf = KeyFactory.getInstance("RSA");
@ -62,14 +71,14 @@ public class ModelUtils {
    }

    /**
-     * Verifies the token's digital signature
+     * Verifies the token validity
     * 
     * @param token the base64 JWT token string
     * @param publicKey the realm's public key on server
-     * @return <code>true</code> if the signature is verified, <code>false</code> otherwise
+     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
     * @throws RuntimeException if an error occurs constructing the digital signature verifier
     */
-    public static boolean isSignatureValid(String token, RSAPublicKey publicKey) throws RuntimeException {
+    public static boolean isValid(String token, RSAPublicKey publicKey) throws RuntimeException {
        JWTVerifier verifier = null;
        try {
            Algorithm algorithm = Algorithm.RSA256(publicKey, null);
--- a/src/main/java/org/gcube/common/keycloak/model/PublishedRealmRepresentation.java
+++ b/src/main/java/org/gcube/common/keycloak/model/PublishedRealmRepresentation.java
@ -26,6 +26,7 @@ import org.gcube.com.fasterxml.jackson.annotation.JsonProperty;
 * @author (modified by) <a href="mailto:mauro.mugnaini@nubisware.com">Mauro Mugnaini</a>
 */
 public class PublishedRealmRepresentation {
+
    protected String realm;

    @JsonProperty("public_key")
@ -65,7 +66,11 @@ public class PublishedRealmRepresentation {
        if (publicKey != null)
            return publicKey;
        if (publicKeyPem != null) {
-            publicKey = ModelUtils.createRSAPublicKey(publicKeyPem);
+            try {
+                publicKey = ModelUtils.createRSAPublicKey(publicKeyPem);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
        }
        return publicKey;
    }
--- a/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java
+++ b/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java
@ -133,8 +133,6 @@ public class TestKeycloakClient {

        logger.info("*** [1.0] Realm info public key PEM: {}", realmInfo.getPublicKeyPem());
        logger.info("*** [1.0] Realm info public key: {}", realmInfo.getPublicKey());
-        //        TestModels.checkTokenResponse(oidcTR);
-        //        TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), "service-account-" + CLIENT_ID, false);
    }

    @Test
@ -149,8 +147,8 @@ public class TestKeycloakClient {
        TokenResponse oidcTR = client.queryOIDCToken(DEV_ROOT_CONTEXT, CLIENT_ID, CLIENT_SECRET);
        logger.info("*** [1.0] OIDC access token: {}", oidcTR.getAccessToken());

-        Assert.assertTrue("Access token digital signature is not valid",
-                ModelUtils.isSignatureValid(oidcTR.getAccessToken(), realmInfo.getPublicKey()));
+        Assert.assertTrue("Access token is not valid",
+                ModelUtils.isValid(oidcTR.getAccessToken(), realmInfo.getPublicKey()));
    }

    @Test
--- a/src/test/java/org/gcube/common/keycloak/TestModelUtils.java
+++ b/src/test/java/org/gcube/common/keycloak/TestModelUtils.java
@ -39,8 +39,8 @@ public class TestModelUtils {
                TokenResponse.class);

        // Valid signature 
-        Assert.assertFalse("Token signature is valid", ModelUtils.isSignatureValid(tr.getAccessToken(),
-                ModelUtils.createRSAPublicKey(
+        Assert.assertFalse("Token signature is valid",
+                ModelUtils.isValid(tr.getAccessToken(), ModelUtils.createRSAPublicKey(
                        new String(Files.readAllBytes(Paths.get("src/test/resources/rsa-public-key.pem"))))));

    }