From 7355de43fae57e48e380afbac435754006f0a9fa Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 12 Oct 2023 16:58:07 -0400
Subject: [PATCH] Change tests to expect exception
Signed-off-by: Craig Perkins
---
 .../opensearch/security/util/KeyUtils.java | 5 +++--
 .../http/jwt/HTTPJwtAuthenticatorTest.java | 20 +++++++++++++-------
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/main/java/org/opensearch/security/util/KeyUtils.java b/src/main/java/org/opensearch/security/util/KeyUtils.java
index d205d9ad01..4504acb421 100644
--- a/src/main/java/org/opensearch/security/util/KeyUtils.java
+++ b/src/main/java/org/opensearch/security/util/KeyUtils.java
@@ -13,6 +13,7 @@
 import io.jsonwebtoken.JwtParserBuilder;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
@@ -68,10 +69,10 @@ public JwtParserBuilder run() {
 }
 if (Objects.nonNull(key)) {
- return Jwts.parser().setSigningKey(key);
+ return Jwts.parser().verifyWith(Keys.hmacShaKeyFor(key.getEncoded()));
 }
- return Jwts.parser().setSigningKey(decoded);
+ return Jwts.parser().verifyWith(Keys.hmacShaKeyFor(decoded));
 } catch (Throwable e) {
 log.error("Error while creating JWT authenticator", e);
 throw new OpenSearchSecurityException(e.toString(), e);
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
index 4a28c0a752..7760a5f2bf 100644
--- a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
+++ b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
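Review bot: In KeyUtils.java, the `Objects.nonNull(key)` branch now wraps `key.getEncoded()` in `Keys.hmacShaKeyFor(...)`, so whatever `key` holds is used as an HMAC secret. The declaration of `key` is above this hunk, but if it is the RSA/EC public key parsed from `signing_key`, tokens signed with the matching private key would stop verifying and the public key bytes would become the shared secret, which is the classic algorithm-confusion weakness. JJWT's builder has a `verifyWith(PublicKey)` overload, so that branch can be `return Jwts.parser().verifyWith(key);`, leaving `Keys.hmacShaKeyFor(decoded)` for the raw-bytes path only. `run()` starts and ends outside the hunk, so the type of `key` should be confirmed there.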
@@ -33,10 +33,14 @@
 import org.junit.Assert;
 import org.junit.Test;
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 public class HTTPJwtAuthenticatorTest {
 final static byte[] secretKeyBytes = new byte[1024];
@@ -68,13 +72,15 @@ public void testEmptyKey() throws Exception {
 @Test
 public void testBadKey() throws Exception {
-
- final AuthCredentials credentials = extractCredentialsFromJwtHeader(
- Settings.builder().put("signing_key", BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 })),
- Jwts.builder().setSubject("Leonard McCoy")
- );
-
- Assert.assertNull(credentials);
+ try {
+ final AuthCredentials credentials = extractCredentialsFromJwtHeader(
+ Settings.builder().put("signing_key", BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 })),
+ Jwts.builder().setSubject("Leonard McCoy")
+ );
+ fail("Expected WeakKeyException");
+ } catch (OpenSearchSecurityException e) {
+ assertTrue("Expected error message to contain WeakKeyException", e.getMessage().contains("WeakKeyException"));
+ }
 }
 @Test
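Review bot: The catch block in testBadKey matches on `e.getMessage().contains("WeakKeyException")`, which ties the test to the `e.toString()` text that KeyUtils happens to put in the message. Since the cause is passed through there, `assertTrue(e.getCause() instanceof WeakKeyException);` would be sturdier, assuming nothing rewraps the exception on the way up. The 10-byte key is now rejected for its length before any signature is checked, so this test no longer covers a well-formed but wrong signing key; a companion case with a sufficiently long key that differs from the signing one would keep that rejection path tested. The local `credentials` is assigned and never read, so the call can stand alone.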