(nifi) branch main updated: NIFI-13225 Replaced most of the deprecated elements in Registry JwtService

Wed, 15 May 2024 05:11:01 -0700 

This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 4ccf3a288c NIFI-13225 Replaced most of the deprecated elements in 
Registry JwtService
4ccf3a288c is described below

commit 4ccf3a288c5bea758f0e1d59b0385cdeb47aeef3
Author: dan-s1 <dsti...@gmail.com>
AuthorDate: Mon May 13 22:38:36 2024 +0000

    NIFI-13225 Replaced most of the deprecated elements in Registry JwtService
    
    This closes #8827
    
    Signed-off-by: David Handermann <exceptionfact...@apache.org>
---
 .../security/authentication/jwt/JwtService.java    | 27 +++++++++++-----------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git 
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
 
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
index f75966b3bb..2daf267aca 100644
--- 
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
+++ 
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
@@ -23,10 +23,11 @@ import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.MalformedJwtException;
-import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.SignatureException;
 import io.jsonwebtoken.SigningKeyResolverAdapter;
 import io.jsonwebtoken.UnsupportedJwtException;
+import io.jsonwebtoken.security.Keys;
+import io.jsonwebtoken.security.MacAlgorithm;
+import io.jsonwebtoken.security.SignatureException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
 import org.apache.nifi.registry.security.key.Key;
@@ -44,7 +45,7 @@ public class JwtService {
 
     private static final org.slf4j.Logger logger = 
LoggerFactory.getLogger(JwtService.class);
 
-    private static final SignatureAlgorithm SIGNATURE_ALGORITHM = 
SignatureAlgorithm.HS256;
+    private static final MacAlgorithm SIGNATURE_ALGORITHM = Jwts.SIG.HS256;
     private static final String KEY_ID_CLAIM = "kid";
     private static final String USERNAME_CLAIM = "preferred_username";
 
@@ -65,15 +66,15 @@ public class JwtService {
             }
 
             // Additional validation that subject is present
-            if (StringUtils.isEmpty(jws.getBody().getSubject())) {
+            if (StringUtils.isEmpty(jws.getPayload().getSubject())) {
                 throw new JwtException("No subject available in token");
             }
 
             // TODO: Validate issuer against active IdentityProvider?
-            if (StringUtils.isEmpty(jws.getBody().getIssuer())) {
+            if (StringUtils.isEmpty(jws.getPayload().getIssuer())) {
                 throw new JwtException("No issuer available in token");
             }
-            return jws.getBody().getSubject();
+            return jws.getPayload().getSubject();
         } catch (JwtException e) {
             logger.debug("The Base64 encoded JWT: " + base64EncodedToken);
             final String errorMessage = "There was an error validating the 
JWT";
@@ -100,7 +101,7 @@ public class JwtService {
 
                     return key.getKey().getBytes(StandardCharsets.UTF_8);
                 }
-            }).build().parseClaimsJws(base64EncodedToken);
+            }).build().parseSignedClaims(base64EncodedToken);
         } catch (final MalformedJwtException | UnsupportedJwtException | 
SignatureException | ExpiredJwtException | IllegalArgumentException e) {
             // TODO: Exercise all exceptions to ensure none leak key material 
to logs
             final String errorMessage = "Unable to validate the access token.";
@@ -152,14 +153,14 @@ public class JwtService {
 
             // TODO: Implement "jti" claim with nonce to prevent replay 
attacks and allow blacklisting of revoked tokens
             // Build the token
-            return Jwts.builder().setSubject(identity)
-                    .setIssuer(issuer)
-                    .setAudience(audience)
+            return Jwts.builder().subject(identity)
+                    .issuer(issuer)
+                    .audience().add(audience).and()
                     .claim(USERNAME_CLAIM, preferredUsername)
                     .claim(KEY_ID_CLAIM, key.getId())
-                    .setIssuedAt(now.getTime())
-                    .setExpiration(expiration.getTime())
-                    .signWith(SIGNATURE_ALGORITHM, keyBytes).compact();
+                    .issuedAt(now.getTime())
+                    .expiration(expiration.getTime())
+                    .signWith(Keys.hmacShaKeyFor(keyBytes), 
SIGNATURE_ALGORITHM).compact();
         } catch (NullPointerException e) {
             final String errorMessage = "Could not retrieve the signing key 
for JWT for " + identity;
             logger.error(errorMessage, e);

Reply via email to