feat(jans-cedarling): implement validation for userinfo_token JWT (#9939)

* feat(jans-cedarling): implement KeyService for JwtService

- implemented a `KeyService` for `JwtService` that manages decoding keys
  which are used to validate JSON Web Tokens (JWTs).

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement GetKey for KeyService

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): replace custom mockhttp with mockito and refactor services

- Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests.
- Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait.
  `KeyService` can now be initialized directly, simplifying the code and improving clarity.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services

- restructured the folder structure in the /jwt module for better organization.
- added comprehensive docstrings to enhance code readability and maintainability.
- simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication.

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): add trusted_issuers field to the PolicyStore

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging

- reuse an HTTP client initialized on init for `KeyService` when making requests to improve efficiency
- replaced `println!` with `eprintln!` for better error logging

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement custom error handling for lock acquisition failure

- added error handling for cases where acquiring a lock on decoding keys fails
- replaced `unwrap()` with a custom error to handle poisoned locks gracefully

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement validation for `userinfo_token`

- validate the `userinfo_token` to ensure its integrity and correctness
- verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token`
- verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token`

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): update token examples in `/examples` directory

- revise example tokens to reflect current requirements

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): remove unused fields from tokens in `jwt::token`

- clean up the `jwt::token` module by removing fields that are unused.

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement specific error messages for invalid token types

- introduced `InvalidAccessToken` error for invalid access tokens
- introduced `InvalidIdToken` error for invalid ID tokens
- introduced `InvalidUserinfoToken` error for invalid userinfo tokens
- this change provides clearer feedback based on the type of invalid token encountered

Signed-off-by: rmarinn <[email protected]>

* docs: changes in policy store docs

Signed-off-by: Arnab Dutta <[email protected]>

* feat(jans-cedarling): implement Deserialize for TokenKind

- implement Deserialize for TokenKind instead of using the
  deserialize_with macro

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement Copy trait for TokenKind enum

- added the Copy trait implementation to TokenKind for more efficient value handling

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String>

- updated the MultipleRoleMappings error variant to store a Vec<String>
  instead of a single String, allowing it to capture multiple tokens with role mappings.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive

- rename `schema` field in `PolicyStore` to `cedar_schema`
- rename `policies` field in `PolicyStore` to `cedar_policies`

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): improve naming and deserialization for PolicyStore

- policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json
- renamed and simplified field and function names for better clarity in policy deserialization
- updated docstrings to enhance understanding of PolicyStore fields and deserialization process
- updated test cases to reflect new naming conventions and improve error handling

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): introduce cedar_version field in policy_store.json

- added support for the cedar_version field to specify the version of Cedar being used.
- this enhancement allows for version-specific parsing of schemas and policies during deserialization.
- updated relevant structures and deserialization logic to validate the cedar_version format.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore

- checking for multiple roles now occurs during the deserialization of PolicyStore
- the corresponding test has been relocated from `init/policy_store.rs` to
  `common/policy_store.rs` for better organization and clarity.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): rename parse_policy to parse_single_policy

- rename `parse_policy` to `parse_single_policy` to make the intent of
  calling the function clearer

Signed-off-by: rmarinn <[email protected]>

* docs: fixing review comments

Signed-off-by: Arnab Dutta <[email protected]>

* docs(jans-cedarling): add missing docstrings in common/policy_store.rs

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update docs/cedarling/cedarling-jwt.md

Signed-off-by: rmarinn <[email protected]>

* docs: fixing review comments

Signed-off-by: Arnab Dutta <[email protected]>

* fix(jans-cedarling): uncomment previously commented functions

Signed-off-by: rmarinn <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* fix(jans-cedarling): remove unused commented code

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): fix docstrings in PolicyStore

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata`

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): replace custom version parsing with the semver crate

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): simplify TokenKind parsing

- removed the need for a Visitor in parsing logic
- users now pass `access_token`, `id_token`, `userinfo_token`,
  or `transaction_token` (case-insensitive) as the token type

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): add unit test for handling invalid token type

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): replace string with JSON macro for invalid token metadata test

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): enhance policy deserialization error handling

- updated the deserialization logic to collect and report multiple errors encountered during policy parsing

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): move tests to a separate file and enhance input clarity

- reorganized tests into a dedicated file for better structure
- improved readability of policy and schema inputs in the tests

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): resolve Clippy warnings

- fixed needless borrows to improve code efficiency

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): add specific error assertion in unit tests

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): add comments to the tokens in the examples

- added comments so it's obvious what's in the claims in the tokens
  string in the examples directory

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): fix broken example with jwt validation

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): update incorrect docstrings

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): resolve clippy warnings

Signed-off-by: rmarinn <[email protected]>

* refactor(jwt): convert extract_claims to an associated function

- moved the `extract_claims` function out of the method that uses `self`,
  making it an associated function to avoid unnecessary usage of `self`
  while preserving organization within the impl block.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing

- manually reverted to returning a custom Error when parsing an
  unsupported algorithm, preserving previous error reporting behavior

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): fix clippy warnings

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): fix wrong example in the docs

- renamed `person_id` to `user_id` in the example

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): replace `person_id` with `user_id`

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): remove unused traits file

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): update examples to align with schema changes

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update README.md

- update README to show how to run the new tests

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): improve error handling

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): revert unintended change to the docs by a merge

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): fix python unit tests

Signed-off-by: Oleh Bohzok <[email protected]>

* chore(jans-cedarling): fix misspelled test function name

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): improve test assertion and specificity

Signed-off-by: rmarinn <[email protected]>

---------

Signed-off-by: rmarinn <[email protected]>
Signed-off-by: Arnab Dutta <[email protected]>
Signed-off-by: Oleh Bohzok <[email protected]>
Co-authored-by: Arnab Dutta <[email protected]>
Co-authored-by: Oleh Bohzok <[email protected]>
Signed-off-by: Olevacho <[email protected]>
3 people authored and olevacho committed Nov 1, 2024
1 parent 02b1ffd commit 62b1c0a
Showing 28 changed files with 622 additions and 544 deletions.
2 changes: 1 addition & 1 deletion docs/cedarling/cedarling-policy-store.md
Expand Up @@ -43,7 +43,7 @@ The `cedar_policies` field outlines the Cedar policies that will be used in Ceda

```json
"cedar_policies": {
"a_unique_policy_id": {
"unique_policy_id": {
"description": "simple policy example",
"creation_date": "2024-09-20T17:22:39.996050",
"policy_content": "cGVybWl0KAogICAgc..."
17 changes: 13 additions & 4 deletions jans-cedarling/README.md
Expand Up @@ -52,13 +52,22 @@ But actually the example execute very fast, so we no need to wait.
cargo run -p cedarling --example log_init -- lock
```

### Example of authorize evaluation
### Authorization Evaluation Examples

File with example is `authorize.rs`.
To run example you need execute next command:
#### Running Without JWT validation

To evaluate authorization without validating JWT tokens, use the following command:

```bash
cargo run -p cedarling --example authorize_without_jwt_validation
```

#### Running with JWT validation

To include JWT validation in the authorization evaluation, use this command:

```bash
cargo run -p cedarling --example authorize
cargo run -p cedarling --example authorize_with_jwt_validation
```

## Unit tests
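
Review bot: the "Running Without JWT validation" section gives the command but does not say what is being skipped. With validation off the tokens are not validated, so their claims are accepted as supplied; add a sentence under that heading saying `authorize_without_jwt_validation` is meant for local experiments and that deployments should follow the `authorize_with_jwt_validation` example. Minor: the two new headings differ in capitalization ("Without" vs "with"), and "JWT tokens" can simply be "JWTs".
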
@@ -1,20 +1,16 @@
{
"8b805e22fdd39f3dd33a13d9fb446d8e6314153ca997": {
"name": "gluustore",
"description": "gluu",
"policies": {
"840da5d85403f35ea76519ed1a18a33989f855bf1cf8": {
"description": "simple policy example for principal workload",
"creation_date": "2024-09-20T17:22:39.996050",
"policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6Oldvcmtsb2FkLAogICAgYWN0aW9uIGluIFtKYW5zOjpBY3Rpb246OiJVcGRhdGUiXSwKICAgIHJlc291cmNlIGlzIEphbnM6Oklzc3VlCil3aGVuewogICAgcHJpbmNpcGFsLm9yZ19pZCA9PSByZXNvdXJjZS5vcmdfaWQKfTs="
},
"444da5d85403f35ea76519ed1a18a33989f855bf1cf8": {
"description": "simple policy example for principal user",
"creation_date": "2024-09-20T17:22:39.996050",
"policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6OlVzZXIsCiAgICBhY3Rpb24gaW4gW0phbnM6OkFjdGlvbjo6IlVwZGF0ZSJdLAogICAgcmVzb3VyY2UgaXMgSmFuczo6SXNzdWUKKXdoZW57CiAgICBwcmluY2lwYWwuY291bnRyeSA9PSByZXNvdXJjZS5jb3VudHJ5Cn07"
}
"cedar_version": "v2.4.7",
"cedar_policies": {
"840da5d85403f35ea76519ed1a18a33989f855bf1cf8": {
"description": "simple policy example for principal workload",
"creation_date": "2024-09-20T17:22:39.996050",
"policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6Oldvcmtsb2FkLAogICAgYWN0aW9uIGluIFtKYW5zOjpBY3Rpb246OiJVcGRhdGUiXSwKICAgIHJlc291cmNlIGlzIEphbnM6Oklzc3VlCil3aGVuewogICAgcHJpbmNpcGFsLm9yZ19pZCA9PSByZXNvdXJjZS5vcmdfaWQKfTs="
},
"identity_source": {},
"schema": "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"
}
"444da5d85403f35ea76519ed1a18a33989f855bf1cf8": {
"description": "simple policy example for principal user",
"creation_date": "2024-09-20T17:22:39.996050",
"policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6OlVzZXIsCiAgICBhY3Rpb24gaW4gW0phbnM6OkFjdGlvbjo6IlVwZGF0ZSJdLAogICAgcmVzb3VyY2UgaXMgSmFuczo6SXNzdWUKKXdoZW57CiAgICBwcmluY2lwYWwuY291bnRyeSA9PSByZXNvdXJjZS5jb3VudHJ5Cn07"
}
},
"cedar_schema": "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"
}
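
Review bot: `"cedar_version": "v2.4.7"` carries a leading `v`, and the commit message says version parsing was moved to the semver crate, whose `Version::parse` rejects a `v` prefix. Confirm the prefix is stripped before parsing, state in the policy store docs whether it is required or optional, and add a test for the bare `2.4.7` form. The sample also drops `identity_source` without showing the `trusted_issuers` field the commit message introduces; if the JWT-validation example depends on it, show it here or note that it is optional.
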
Expand Up @@ -39,7 +39,7 @@ pub struct Request {
pub access_token: String,
/// Id token raw value
pub id_token: String,
// User info token raw value
/// Userinfo token raw value
pub userinfo_token: String,
/// cedar_policy action
pub action: String,
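
Review bot: the new doc comment on `userinfo_token` says only "raw value", like its neighbours. Per the commit message this token is now validated and cross-checked (`client_id` against the access token's `aud`, `sub` against the ID token's `sub`), so mention that in the comment; callers should know that a userinfo token issued for a different client or subject makes the request fail.
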
2 changes: 1 addition & 1 deletion jans-cedarling/bindings/cedarling_python/tests/config.py
Expand Up @@ -29,7 +29,7 @@ def sample_bootstrap_config():
policy_source = PolicyStoreSource(json=policy_raw_json)

policy_store_config = PolicyStoreConfig(
source=policy_source, store_id=None)
source=policy_source)

jwt_config = JwtConfig(enabled=False)
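
Review bot: the fixture still builds `JwtConfig(enabled=False)`, so the Python binding tests never reach the userinfo_token validation this commit adds. Consider a second fixture with validation enabled, using signed test tokens and a mocked key endpoint, so the `aud`/`client_id` and `sub` mismatch paths are covered from Python too.
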

Expand Up @@ -20,14 +20,14 @@
("policy-store_policy_err_broken_utf8.json",
"unable to decode policy_content to utf8 string"),
("policy-store_policy_err_broken_policy.json",
'unable to decode policy with id: 840da5d85403f35ea76519ed1a18a33989f855bf1cf8, error: unable to decode policy_content from human readable format: unexpected token `)` at line 15 column 1'),
"unable to decode policy with id: 840da5d85403f35ea76519ed1a18a33989f855bf1cf8, error: unable to decode policy_content from human readable format: unexpected token `)`"),
# cases with schema errors
("policy-store_schema_err_base64.json",
"unable to decode cedar policy schema base64"),
("policy-store_schema_err_json.json",
"unable to unmarshal cedar policy schema json to the structure"),
("policy-store_schema_err_cedar_mistake.json",
"Could not load policy: unable to parse cedar policy schema json: failed to resolve type: User_TypeNotExist at line 35 column 1"),
"Could not load policy: failed to parse the policy store from `policy_store.json`: unable to parse cedar policy schema json: failed to resolve type: User_TypeNotExist at line 32 column 1"),
]
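
Review bot: the expected string for `policy-store_schema_err_cedar_mistake.json` still pins `at line 32 column 1` (it was 35 before), while the broken-policy case above was relaxed to stop at "unexpected token `)`". Position suffixes change whenever the fixture or the parser output shifts; trim this one to the stable part as well, for example ending at `failed to resolve type: User_TypeNotExist`.
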


138 changes: 0 additions & 138 deletions jans-cedarling/cedarling/examples/authorize.rs

This file was deleted.
