Renamed method `isSignatureValid()` to `isValid()` since it also tests other aspects (expiration, not before, etc.).
parent
23f387f832
commit
8c009b9a8d
|
@ -4,6 +4,7 @@ import java.net.URL;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.gcube.com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
import org.gcube.common.keycloak.model.PublishedRealmRepresentation;
|
import org.gcube.common.keycloak.model.PublishedRealmRepresentation;
|
||||||
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
|
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
|
||||||
import org.gcube.common.keycloak.model.TokenResponse;
|
import org.gcube.common.keycloak.model.TokenResponse;
|
||||||
|
@ -76,7 +77,8 @@ public interface KeycloakClient {
|
||||||
URL getAvatarEndpointURL(URL realmBaseURL) throws KeycloakClientException;
|
URL getAvatarEndpointURL(URL realmBaseURL) throws KeycloakClientException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the realm info setup
|
* Get the realm info setup (RSA <code>public_key</code>, <code>token-service</code> URL,
|
||||||
|
* <code>account-service</code> URL and <code>tokens-not-before</code> setting)
|
||||||
*
|
*
|
||||||
* @param realmURL the realm URL
|
* @param realmURL the realm URL
|
||||||
* @return the configured realm info
|
* @return the configured realm info
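Review bot: The expanded Javadoc now lists `public_key` among the returned realm settings but does not say that this key is what callers hand to `ModelUtils.isValid` as the trust anchor for access-token signatures (see the TestKeycloakClient change in this commit), so nothing warns a reader that the realm URL must be reached over an authenticated channel — a key fetched over plain HTTP could be swapped by an on-path attacker. I would add a line such as `* Note: the returned public_key is later used to verify token signatures; obtain it only over HTTPS from a trusted realm URL.` The documented method's signature sits below the hunk, and the new `JsonProperty` import in the first hunk is not referenced by anything visible here, so confirm it is actually used in this interface.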
|
||||||
|
|
|
@ -48,10 +48,19 @@ public class ModelUtils {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static RSAPublicKey createRSAPublicKey(String publicKeyPem) {
|
/**
|
||||||
|
* Creates and {@link RSAPublicKey} instance from its string PEM representation
|
||||||
|
*
|
||||||
|
* @param publicKeyPem the public key PEM string
|
||||||
|
* @return the RSA public key
|
||||||
|
* @throws Exception if it's not possbile to create the RSA public key from the PEM string
|
||||||
|
*/
|
||||||
|
public static RSAPublicKey createRSAPublicKey(String publicKeyPem) throws Exception {
|
||||||
try {
|
try {
|
||||||
String publicKey = publicKeyPem.replaceFirst("-----BEGIN .+-----\n", "");
|
String publicKey = publicKeyPem.replaceFirst("-----BEGIN (.*)-----\n", "");
|
||||||
publicKey = publicKey.replaceFirst("-----END .+-----", "");
|
publicKey = publicKey.replaceFirst("-----END (.*)-----", "");
|
||||||
|
publicKey = publicKey.replaceAll("\r\n", "");
|
||||||
|
publicKey = publicKey.replaceAll("\n", "");
|
||||||
|
|
||||||
byte[] encoded = Base64.getDecoder().decode(publicKey);
|
byte[] encoded = Base64.getDecoder().decode(publicKey);
|
||||||
KeyFactory kf = KeyFactory.getInstance("RSA");
|
KeyFactory kf = KeyFactory.getInstance("RSA");
|
||||||
|
@ -62,14 +71,14 @@ public class ModelUtils {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies the token's digital signature
|
* Verifies the token validity
|
||||||
*
|
*
|
||||||
* @param token the base64 JWT token string
|
* @param token the base64 JWT token string
|
||||||
* @param publicKey the realm's public key on server
|
* @param publicKey the realm's public key on server
|
||||||
* @return <code>true</code> if the signature is verified, <code>false</code> otherwise
|
* @return <code>true</code> if the token is valid, <code>false</code> otherwise
|
||||||
* @throws RuntimeException if an error occurs constructing the digital signature verifier
|
* @throws RuntimeException if an error occurs constructing the digital signature verifier
|
||||||
*/
|
*/
|
||||||
public static boolean isSignatureValid(String token, RSAPublicKey publicKey) throws RuntimeException {
|
public static boolean isValid(String token, RSAPublicKey publicKey) throws RuntimeException {
|
||||||
JWTVerifier verifier = null;
|
JWTVerifier verifier = null;
|
||||||
try {
|
try {
|
||||||
Algorithm algorithm = Algorithm.RSA256(publicKey, null);
|
Algorithm algorithm = Algorithm.RSA256(publicKey, null);
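Review bot: The header-stripping in createRSAPublicKey still breaks on CRLF-terminated PEM: `-----BEGIN (.*)-----\n` requires a bare `\n` right after the dashes and Java's `.` does not match `\r`, so a `\r\n` header line is left in place, the later `replaceAll("\r\n", "")` runs too late to help, and `Base64.getDecoder().decode` throws on the leftover `-----BEGIN` text. A single armour-tolerant strip such as `String publicKey = publicKeyPem.replaceAll("-----(BEGIN|END) [^-]*-----", "").replaceAll("\\s", "");` handles both line endings and makes the two added replaceAll calls unnecessary. Declaring `throws Exception` also forces every caller into a blanket catch (as the PublishedRealmRepresentation change in this commit does); `throws GeneralSecurityException` for the KeyFactory/key-spec failures, letting the decoder's `IllegalArgumentException` propagate, would be more precise. The isValid hunk below shows only the algorithm being set up, so whether issuer or audience are pinned is outside the hunk; its new Javadoc should state which claims (signature, expiration, not-before) are actually checked.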
|
||||||
|
|
|
@ -26,6 +26,7 @@ import org.gcube.com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
* @author (modified by) <a href="mailto:mauro.mugnaini@nubisware.com">Mauro Mugnaini</a>
|
* @author (modified by) <a href="mailto:mauro.mugnaini@nubisware.com">Mauro Mugnaini</a>
|
||||||
*/
|
*/
|
||||||
public class PublishedRealmRepresentation {
|
public class PublishedRealmRepresentation {
|
||||||
|
|
||||||
protected String realm;
|
protected String realm;
|
||||||
|
|
||||||
@JsonProperty("public_key")
|
@JsonProperty("public_key")
|
||||||
|
@ -65,7 +66,11 @@ public class PublishedRealmRepresentation {
|
||||||
if (publicKey != null)
|
if (publicKey != null)
|
||||||
return publicKey;
|
return publicKey;
|
||||||
if (publicKeyPem != null) {
|
if (publicKeyPem != null) {
|
||||||
publicKey = ModelUtils.createRSAPublicKey(publicKeyPem);
|
try {
|
||||||
|
publicKey = ModelUtils.createRSAPublicKey(publicKeyPem);
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return publicKey;
|
return publicKey;
|
||||||
}
|
}
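Review bot: The new try/catch swallows a PEM parse failure with `e.printStackTrace()` and falls through to `return publicKey;`, which is still null, so a corrupted or tampered `public_key` value degrades silently into a null key that callers then pass to `ModelUtils.isValid`. Because this key is the trust anchor for token signature checks, the failure should surface instead of going to stderr: `throw new IllegalStateException("Cannot parse realm public key", e);` in the catch block, or, if the accessor must stay lenient, log through a proper logger and document that a null return means the key was unparseable. The accessor's signature (apparently `getPublicKey`, as called from the test) is above the hunk, and how isValid treats a null key is not visible here, so whether it fails closed is an assumption to confirm.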
|
||||||
|
|
|
@ -133,8 +133,6 @@ public class TestKeycloakClient {
|
||||||
|
|
||||||
logger.info("*** [1.0] Realm info public key PEM: {}", realmInfo.getPublicKeyPem());
|
logger.info("*** [1.0] Realm info public key PEM: {}", realmInfo.getPublicKeyPem());
|
||||||
logger.info("*** [1.0] Realm info public key: {}", realmInfo.getPublicKey());
|
logger.info("*** [1.0] Realm info public key: {}", realmInfo.getPublicKey());
|
||||||
// TestModels.checkTokenResponse(oidcTR);
|
|
||||||
// TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), "service-account-" + CLIENT_ID, false);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -149,8 +147,8 @@ public class TestKeycloakClient {
|
||||||
TokenResponse oidcTR = client.queryOIDCToken(DEV_ROOT_CONTEXT, CLIENT_ID, CLIENT_SECRET);
|
TokenResponse oidcTR = client.queryOIDCToken(DEV_ROOT_CONTEXT, CLIENT_ID, CLIENT_SECRET);
|
||||||
logger.info("*** [1.0] OIDC access token: {}", oidcTR.getAccessToken());
|
logger.info("*** [1.0] OIDC access token: {}", oidcTR.getAccessToken());
|
||||||
|
|
||||||
Assert.assertTrue("Access token digital signature is not valid",
|
Assert.assertTrue("Access token is not valid",
|
||||||
ModelUtils.isSignatureValid(oidcTR.getAccessToken(), realmInfo.getPublicKey()));
|
ModelUtils.isValid(oidcTR.getAccessToken(), realmInfo.getPublicKey()));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
|
@ -39,8 +39,8 @@ public class TestModelUtils {
|
||||||
TokenResponse.class);
|
TokenResponse.class);
|
||||||
|
|
||||||
// Valid signature
|
// Valid signature
|
||||||
Assert.assertFalse("Token signature is valid", ModelUtils.isSignatureValid(tr.getAccessToken(),
|
Assert.assertFalse("Token signature is valid",
|
||||||
ModelUtils.createRSAPublicKey(
|
ModelUtils.isValid(tr.getAccessToken(), ModelUtils.createRSAPublicKey(
|
||||||
new String(Files.readAllBytes(Paths.get("src/test/resources/rsa-public-key.pem"))))));
|
new String(Files.readAllBytes(Paths.get("src/test/resources/rsa-public-key.pem"))))));
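Review bot: After the rename, the assertion under the `// Valid signature` comment no longer isolates the signature check: per the commit message `isValid` also rejects expired or not-yet-valid tokens, so `assertFalse` on a stored fixture token (presumably long expired) passes regardless of whether its signature against `rsa-public-key.pem` is good or bad, and the message `"Token signature is valid"` misreports what is being checked. Either keep a signature-only assertion for this fixture or rename the comment and message to what is actually asserted, e.g. `// Token is rejected (bad signature or expired)` and `Assert.assertFalse("Token should not be valid", ...)`. Whether the fixture token is actually expired is not visible here.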
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|