Change tests to expect exception

Signed-off-by: Craig Perkins <[email protected]>
cwperks · Oct 12, 2023 · 7355de4 · 7355de4
1 parent 83ab045
commit 7355de4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/src/main/java/org/opensearch/security/util/KeyUtils.java b/src/main/java/org/opensearch/security/util/KeyUtils.java
@@ -13,6 +13,7 @@
 
 import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
@@ -68,10 +69,10 @@ public JwtParserBuilder run() {
                         }
 
                         if (Objects.nonNull(key)) {
-                            return Jwts.parser().setSigningKey(key);
+                            return Jwts.parser().verifyWith(Keys.hmacShaKeyFor(key.getEncoded()));
                         }
 
-                        return Jwts.parser().setSigningKey(decoded);
+                        return Jwts.parser().verifyWith(Keys.hmacShaKeyFor(decoded));
                     } catch (Throwable e) {
                         log.error("Error while creating JWT authenticator", e);
                         throw new OpenSearchSecurityException(e.toString(), e);

diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
@@ -33,10 +33,14 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
 
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 public class HTTPJwtAuthenticatorTest {
 
     final static byte[] secretKeyBytes = new byte[1024];
@@ -68,13 +72,15 @@ public void testEmptyKey() throws Exception {
 
     @Test
     public void testBadKey() throws Exception {
-
-        final AuthCredentials credentials = extractCredentialsFromJwtHeader(
-            Settings.builder().put("signing_key", BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 })),
-            Jwts.builder().setSubject("Leonard McCoy")
-        );
-
-        Assert.assertNull(credentials);
+        try {
+            final AuthCredentials credentials = extractCredentialsFromJwtHeader(
+                Settings.builder().put("signing_key", BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 })),
+                Jwts.builder().setSubject("Leonard McCoy")
+            );
+            fail("Expected WeakKeyException");
+        } catch (OpenSearchSecurityException e) {
+            assertTrue("Expected error message to contain WeakKeyException", e.getMessage().contains("WeakKeyException"));
+        }
     }
 
     @Test