feat(jans-cedarling): implement validation for userinfo_token JWT #9939
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- implemented a `KeyService` for `JwtService` that manages decoding keys which are used to validate Json Web Tokens (JWTs). Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
…ategy Signed-off-by: rmarinn <[email protected]>
…or services - Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests. - Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait. `KeyService` can now be initialized directly, simplifying the code and improving clarity. Signed-off-by: rmarinn <[email protected]>
…ation, and simplify services - restructured the folder structure in the /jwt module for better organization. - added comprehensive docstrings to enhance code readability and maintainability. - simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication. Signed-off-by: rmarinn <[email protected]>
…cies for cleaner build Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
…ror logging - reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency - replaced `println!` with `eprintln!` for better error logging Signed-off-by: rmarinn <[email protected]>
…ition failure - added error handling for cases where acquiring a lock on decoding keys fails - replaced `unwrap()` with a custom error to handle poisoned locks gracefully Signed-off-by: rmarinn <[email protected]>
- validate the `userinfo_token` to ensure its integrity and correctness - verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token` - verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token` Signed-off-by: rmarinn <[email protected]>
- revise example tokens to reflect current requirements Signed-off-by: rmarinn <[email protected]>
- clean up the `jwt::token` module by removing fields that are unused. Signed-off-by: rmarinn <[email protected]>
…oken types - introduced `InvalidAccessToken` error for invalid access tokens - introduced `InvalidIdToken` error for invalid ID tokens - introduced `InvalidUserinfoToken` error for invalid userinfo tokens - this change provides clearer feedback based on the type of invalid token encountered Signed-off-by: rmarinn <[email protected]>
Signed-off-by: Arnab Dutta <[email protected]>
- implement Deserialize for TokenKind instead of using the derialize_with macro Signed-off-by: rmarinn <[email protected]>
…olicy_store.rs Signed-off-by: rmarinn <[email protected]>
…appings Signed-off-by: rmarinn <[email protected]>
- added the Copy trait implementation to TokenKind for more efficient value handling Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
…c<String> - updated the MultipleRoleMappings error variant to store a Vec<String> instead of a single String, allowing it to capture multiple tokens with role mappings. Signed-off-by: rmarinn <[email protected]>
…criptive - rename `schema` field in `PolicyStore` to `cedar_schema` - rename `policies` field in `PolicyStore` to `cedar_policies` Signed-off-by: rmarinn <[email protected]>
…cyStore - policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json - renamed and simplified field and function names for better clarity in policy deserialization - updated docstrings to enhance understanding of PolicyStore fields and deserialization process - updated test cases to reflect new naming conventions and improve error handling Signed-off-by: rmarinn <[email protected]>
- added support for the cedar_version field to specify the version of Cedar being used. - this enhancement allows for version-specific parsing of schemas and policies during deserialization. - updated relevant structures and deserialization logic to validate the cedar_version format. Signed-off-by: rmarinn <[email protected]>
…es to PolicyStore - checking for multiple roles now occurs during the deserialization of PolicyStore - the corresponding test has been relocated from `init/policy_store.rs` to `common/policy_store.rs` for better organization and clarity. Signed-off-by: rmarinn <[email protected]>
- rename `parse_policy` to `parse_single_policy` to make the intent of calling the function clearer Signed-off-by: rmarinn <[email protected]>
Signed-off-by: Arnab Dutta <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
yes, I think we need integration test cases (if not now then later once the roadmap is almost completed). |
duttarnab
previously approved these changes
Oct 29, 2024
nynymike
previously approved these changes
Oct 29, 2024
Signed-off-by: Oleh Bohzok <[email protected]>
olehbozhok
previously approved these changes
Oct 29, 2024
djellemah
reviewed
Oct 29, 2024
abaghinyan
reviewed
Oct 29, 2024
| @@ -29,27 +31,42 @@ fn errors_on_unsuppored_alg() { | |||
| let (encoding_keys, jwks) = generate_keys(); | |||
|
|
|||
There was a problem hiding this comment.
It's not on these changes, but the function there is a typo on the function name.
It should be errors_on_unsupported_alg not errors_on_unsuppored_alg
| validation_result, | ||
| Err(jwt::JwtDecodingError::InvalidAccessToken( | ||
| jwt::TokenValidationError::TokenSignedWithUnsupportedAlgorithm(_) | ||
| )) |
There was a problem hiding this comment.
It's better to write an error message like "Expected validation to fail due to unsupported algorithm".
assert!(
matches!(
validation_result,
Err(jwt::JwtDecodingError::InvalidAccessToken(
jwt::TokenValidationError::TokenSignedWithUnsupportedAlgorithm(_)
))
),
"Expected validation to fail due to unsupported algorithm"
);
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
djellemah
approved these changes
Oct 30, 2024
olehbozhok
approved these changes
Oct 30, 2024
duttarnab
approved these changes
Oct 30, 2024
olevacho
pushed a commit
that referenced
this pull request
Nov 1, 2024
) * feat(jans-cedarling): implement KeyService for JwtService - implemented a `KeyService` for `JwtService` that manages decoding keys which are used to validate Json Web Tokens (JWTs). Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement GetKey for KeyService Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): replace custom mockhttp with mockito and refactor services - Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests. - Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait. `KeyService` can now be initialized directly, simplifying the code and improving clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services - restructured the folder structure in the /jwt module for better organization. - added comprehensive docstrings to enhance code readability and maintainability. - simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication. Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): add trusted_issuers field to the PolicyStore Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging - reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency - replaced `println!` with `eprintln!` for better error logging Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement custom error handling for lock acquisition failure - added error handling for cases where acquiring a lock on decoding keys fails - replaced `unwrap()` with a custom error to handle poisoned locks gracefully Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement validation for `userinfo_token` - validate the `userinfo_token` to ensure its integrity and correctness - verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token` - verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token` Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): update token examples in `/examples` directory - revise example tokens to reflect current requirements Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused fields from tokens in `jwt::token` - clean up the `jwt::token` module by removing fields that are unused. Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement specific error messages for invalid token types - introduced `InvalidAccessToken` error for invalid access tokens - introduced `InvalidIdToken` error for invalid ID tokens - introduced `InvalidUserinfoToken` error for invalid userinfo tokens - this change provides clearer feedback based on the type of invalid token encountered Signed-off-by: rmarinn <[email protected]> * docs: changes in policy store docs Signed-off-by: Arnab Dutta <[email protected]> * feat(jans-cedarling): implement Deserialize for TokenKind - implement Deserialize for TokenKind instead of using the derialize_with macro Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement Copy trait for TokenKind enum - added the Copy trait implementation to TokenKind for more efficient value handling Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String> - updated the MultipleRoleMappings error variant to store a Vec<String> instead of a single String, allowing it to capture multiple tokens with role mappings. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive - rename `schema` field in `PolicyStore` to `cedar_schema` - rename `policies` field in `PolicyStore` to `cedar_policies` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): improve naming and deserialization for PolicyStore - policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json - renamed and simplified field and function names for better clarity in policy deserialization - updated docstrings to enhance understanding of PolicyStore fields and deserialization process - updated test cases to reflect new naming conventions and improve error handling Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): introduce cedar_version field in policy_store.json - added support for the cedar_version field to specify the version of Cedar being used. - this enhancement allows for version-specific parsing of schemas and policies during deserialization. - updated relevant structures and deserialization logic to validate the cedar_version format. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore - checking for multiple roles now occurs during the deserialization of PolicyStore - the corresponding test has been relocated from `init/policy_store.rs` to `common/policy_store.rs` for better organization and clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename parse_policy to parse_single_policy - rename `parse_policy` to `parse_single_policy` to make the intent of calling the function clearer Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * docs(jans-cedarling): add missing docstrings in common/policy_store.rs Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/dedarling/cedarling-jwt.md Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): uncomment previously commented functions Signed-off-by: rmarinn <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): remove unused commented code Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix docstrings in PolicyStore Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): replace custom version parsing with the semver crate Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): simplify TokenKind parsing - removed the need for a Visitor in parsing logic - users now pass `access_token`, `id_token`, `userinfo_token`, or `transaction_token` (case-insensitive) as the token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add unit test for handling invalid token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace string with JSON macro for invalid token metadata test Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): enhance policy deserialization error handling - updated the deserialization logic to collect and report multiple errors encountered during policy parsing Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): move tests to a separate file and enhance input clarity - reorganized tests into a dedicated file for better structure - improved readability of policy and schema inputs in the tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve Clippy warnings - fixed needless borrows to improve code efficiency Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add specific error assertion in unit tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): add comments to the tokens in the examples - added comments so it's obvious what's in the claims in the tokens string in the examples directory Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): fix broken example with jwt validation Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): update incorrect docstrings Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve clippy warnings Signed-off-by: rmarinn <[email protected]> * refactor(jwt): convert extract_claims to an associated function - moved the `extract_claims` function out of the method that uses `self`, making it an associated function to avoid unnecessary usage of `self` while preserving organization within the impl block. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing - manually reverted to returning a custom Error when parsing an unsupported algorithm, preserving previous error reporting behavior Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): fix clippy warnings Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix wrong example in the docs - renamed `person_id` to `user_id` in the example Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace `person_id` with `user_id` Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused traits file Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): update examples to align with schema changes Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update README.md - update README to show how to run the new tests Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): improve error handling Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): revert unintended change to the docs by a merge Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): fix python unit tests Signed-off-by: Oleh Bohzok <[email protected]> * chore(jans-cedarling): fix misspelled test function name Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): improve test assertion and specificity Signed-off-by: rmarinn <[email protected]> --------- Signed-off-by: rmarinn <[email protected]> Signed-off-by: Arnab Dutta <[email protected]> Signed-off-by: Oleh Bohzok <[email protected]> Co-authored-by: Arnab Dutta <[email protected]> Co-authored-by: Oleh Bohzok <[email protected]> Signed-off-by: Olevacho <[email protected]>
olevacho
pushed a commit
that referenced
this pull request
Nov 1, 2024
) * feat(jans-cedarling): implement KeyService for JwtService - implemented a `KeyService` for `JwtService` that manages decoding keys which are used to validate Json Web Tokens (JWTs). Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement GetKey for KeyService Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): replace custom mockhttp with mockito and refactor services - Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests. - Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait. `KeyService` can now be initialized directly, simplifying the code and improving clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services - restructured the folder structure in the /jwt module for better organization. - added comprehensive docstrings to enhance code readability and maintainability. - simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication. Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): add trusted_issuers field to the PolicyStore Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging - reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency - replaced `println!` with `eprintln!` for better error logging Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement custom error handling for lock acquisition failure - added error handling for cases where acquiring a lock on decoding keys fails - replaced `unwrap()` with a custom error to handle poisoned locks gracefully Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement validation for `userinfo_token` - validate the `userinfo_token` to ensure its integrity and correctness - verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token` - verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token` Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): update token examples in `/examples` directory - revise example tokens to reflect current requirements Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused fields from tokens in `jwt::token` - clean up the `jwt::token` module by removing fields that are unused. Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement specific error messages for invalid token types - introduced `InvalidAccessToken` error for invalid access tokens - introduced `InvalidIdToken` error for invalid ID tokens - introduced `InvalidUserinfoToken` error for invalid userinfo tokens - this change provides clearer feedback based on the type of invalid token encountered Signed-off-by: rmarinn <[email protected]> * docs: changes in policy store docs Signed-off-by: Arnab Dutta <[email protected]> * feat(jans-cedarling): implement Deserialize for TokenKind - implement Deserialize for TokenKind instead of using the derialize_with macro Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement Copy trait for TokenKind enum - added the Copy trait implementation to TokenKind for more efficient value handling Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String> - updated the MultipleRoleMappings error variant to store a Vec<String> instead of a single String, allowing it to capture multiple tokens with role mappings. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive - rename `schema` field in `PolicyStore` to `cedar_schema` - rename `policies` field in `PolicyStore` to `cedar_policies` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): improve naming and deserialization for PolicyStore - policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json - renamed and simplified field and function names for better clarity in policy deserialization - updated docstrings to enhance understanding of PolicyStore fields and deserialization process - updated test cases to reflect new naming conventions and improve error handling Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): introduce cedar_version field in policy_store.json - added support for the cedar_version field to specify the version of Cedar being used. - this enhancement allows for version-specific parsing of schemas and policies during deserialization. - updated relevant structures and deserialization logic to validate the cedar_version format. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore - checking for multiple roles now occurs during the deserialization of PolicyStore - the corresponding test has been relocated from `init/policy_store.rs` to `common/policy_store.rs` for better organization and clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename parse_policy to parse_single_policy - rename `parse_policy` to `parse_single_policy` to make the intent of calling the function clearer Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * docs(jans-cedarling): add missing docstrings in common/policy_store.rs Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/dedarling/cedarling-jwt.md Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): uncomment previously commented functions Signed-off-by: rmarinn <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): remove unused commented code Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix docstrings in PolicyStore Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): replace custom version parsing with the semver crate Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): simplify TokenKind parsing - removed the need for a Visitor in parsing logic - users now pass `access_token`, `id_token`, `userinfo_token`, or `transaction_token` (case-insensitive) as the token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add unit test for handling invalid token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace string with JSON macro for invalid token metadata test Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): enhance policy deserialization error handling - updated the deserialization logic to collect and report multiple errors encountered during policy parsing Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): move tests to a separate file and enhance input clarity - reorganized tests into a dedicated file for better structure - improved readability of policy and schema inputs in the tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve Clippy warnings - fixed needless borrows to improve code efficiency Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add specific error assertion in unit tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): add comments to the tokens in the examples - added comments so it's obvious what's in the claims in the tokens string in the examples directory Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): fix broken example with jwt validation Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): update incorrect docstrings Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve clippy warnings Signed-off-by: rmarinn <[email protected]> * refactor(jwt): convert extract_claims to an associated function - moved the `extract_claims` function out of the method that uses `self`, making it an associated function to avoid unnecessary usage of `self` while preserving organization within the impl block. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing - manually reverted to returning a custom Error when parsing an unsupported algorithm, preserving previous error reporting behavior Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): fix clippy warnings Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix wrong example in the docs - renamed `person_id` to `user_id` in the example Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace `person_id` with `user_id` Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused traits file Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): update examples to align with schema changes Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update README.md - update README to show how to run the new tests Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): improve error handling Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): revert unintended change to the docs by a merge Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): fix python unit tests Signed-off-by: Oleh Bohzok <[email protected]> * chore(jans-cedarling): fix misspelled test function name Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): improve test assertion and specificity Signed-off-by: rmarinn <[email protected]> --------- Signed-off-by: rmarinn <[email protected]> Signed-off-by: Arnab Dutta <[email protected]> Signed-off-by: Oleh Bohzok <[email protected]> Co-authored-by: Arnab Dutta <[email protected]> Co-authored-by: Oleh Bohzok <[email protected]> Signed-off-by: Olevacho <[email protected]>
yuriyz
pushed a commit
that referenced
this pull request
Nov 7, 2024
) * feat(jans-cedarling): implement KeyService for JwtService - implemented a `KeyService` for `JwtService` that manages decoding keys which are used to validate Json Web Tokens (JWTs). Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement GetKey for KeyService Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): replace custom mockhttp with mockito and refactor services - Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests. - Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait. `KeyService` can now be initialized directly, simplifying the code and improving clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services - restructured the folder structure in the /jwt module for better organization. - added comprehensive docstrings to enhance code readability and maintainability. - simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication. Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): add trusted_issuers field to the PolicyStore Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging - reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency - replaced `println!` with `eprintln!` for better error logging Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement custom error handling for lock acquisition failure - added error handling for cases where acquiring a lock on decoding keys fails - replaced `unwrap()` with a custom error to handle poisoned locks gracefully Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement validation for `userinfo_token` - validate the `userinfo_token` to ensure its integrity and correctness - verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token` - verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token` Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): update token examples in `/examples` directory - revise example tokens to reflect current requirements Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused fields from tokens in `jwt::token` - clean up the `jwt::token` module by removing fields that are unused. Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement specific error messages for invalid token types - introduced `InvalidAccessToken` error for invalid access tokens - introduced `InvalidIdToken` error for invalid ID tokens - introduced `InvalidUserinfoToken` error for invalid userinfo tokens - this change provides clearer feedback based on the type of invalid token encountered Signed-off-by: rmarinn <[email protected]> * docs: changes in policy store docs Signed-off-by: Arnab Dutta <[email protected]> * feat(jans-cedarling): implement Deserialize for TokenKind - implement Deserialize for TokenKind instead of using the derialize_with macro Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement Copy trait for TokenKind enum - added the Copy trait implementation to TokenKind for more efficient value handling Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String> - updated the MultipleRoleMappings error variant to store a Vec<String> instead of a single String, allowing it to capture multiple tokens with role mappings. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive - rename `schema` field in `PolicyStore` to `cedar_schema` - rename `policies` field in `PolicyStore` to `cedar_policies` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): improve naming and deserialization for PolicyStore - policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json - renamed and simplified field and function names for better clarity in policy deserialization - updated docstrings to enhance understanding of PolicyStore fields and deserialization process - updated test cases to reflect new naming conventions and improve error handling Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): introduce cedar_version field in policy_store.json - added support for the cedar_version field to specify the version of Cedar being used. - this enhancement allows for version-specific parsing of schemas and policies during deserialization. - updated relevant structures and deserialization logic to validate the cedar_version format. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore - checking for multiple roles now occurs during the deserialization of PolicyStore - the corresponding test has been relocated from `init/policy_store.rs` to `common/policy_store.rs` for better organization and clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename parse_policy to parse_single_policy - rename `parse_policy` to `parse_single_policy` to make the intent of calling the function clearer Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * docs(jans-cedarling): add missing docstrings in common/policy_store.rs Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/dedarling/cedarling-jwt.md Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): uncomment previously commented functions Signed-off-by: rmarinn <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): remove unused commented code Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix docstrings in PolicyStore Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): replace custom version parsing with the semver crate Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): simplify TokenKind parsing - removed the need for a Visitor in parsing logic - users now pass `access_token`, `id_token`, `userinfo_token`, or `transaction_token` (case-insensitive) as the token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add unit test for handling invalid token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace string with JSON macro for invalid token metadata test Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): enhance policy deserialization error handling - updated the deserialization logic to collect and report multiple errors encountered during policy parsing Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): move tests to a separate file and enhance input clarity - reorganized tests into a dedicated file for better structure - improved readability of policy and schema inputs in the tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve Clippy warnings - fixed needless borrows to improve code efficiency Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add specific error assertion in unit tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): add comments to the tokens in the examples - added comments so it's obvious what's in the claims in the tokens string in the examples directory Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): fix broken example with jwt validation Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): update incorrect docstrings Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve clippy warnings Signed-off-by: rmarinn <[email protected]> * refactor(jwt): convert extract_claims to an associated function - moved the `extract_claims` function out of the method that uses `self`, making it an associated function to avoid unnecessary usage of `self` while preserving organization within the impl block. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing - manually reverted to returning a custom Error when parsing an unsupported algorithm, preserving previous error reporting behavior Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): fix clippy warnings Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix wrong example in the docs - renamed `person_id` to `user_id` in the example Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace `person_id` with `user_id` Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused traits file Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): update examples to align with schema changes Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update README.md - update README to show how to run the new tests Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): improve error handling Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): revert unintended change to the docs by a merge Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): fix python unit tests Signed-off-by: Oleh Bohzok <[email protected]> * chore(jans-cedarling): fix misspelled test function name Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): improve test assertion and specificity Signed-off-by: rmarinn <[email protected]> --------- Signed-off-by: rmarinn <[email protected]> Signed-off-by: Arnab Dutta <[email protected]> Signed-off-by: Oleh Bohzok <[email protected]> Co-authored-by: Arnab Dutta <[email protected]> Co-authored-by: Oleh Bohzok <[email protected]> Former-commit-id: a1d343b
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
IMPORTANT: merge #9855 before this one
Prepare
Description
This PR implements validation for
Userinfo tokens.Note: this has merges from #9910 which is why there's so many files changed... hopefully if that merges, the number of files changed will decrease
Target issue
target issue: #9832
closes #9832
Implementation Details
For a
Userinfo tokento be valid, it has to adhere to the following rules:client_idmatches with theaudfrom anaccess_token.submatches with the sub from anid_token.Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.