deniskuzZ commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2376166953


##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/auth/jwt/JWTValidator.java:
##########
@@ -46,64 +47,35 @@
  * This is cloned from JWTValidator in HS2 so as to NOT have any dependency on 
HS2 code.
  */
 public class JWTValidator {
-  private static final Logger LOG = 
LoggerFactory.getLogger(JWTValidator.class.getName());
-  private static final DefaultJWSVerifierFactory JWS_VERIFIER_FACTORY = new 
DefaultJWSVerifierFactory();
-  private final URLBasedJWKSProvider jwksProvider;
-  public JWTValidator(Configuration conf) throws IOException, ParseException {
-    this.jwksProvider = new URLBasedJWKSProvider(conf);
-  }
-
-  public String validateJWTAndExtractUser(String signedJwt) throws 
ParseException, AuthenticationException {
-    Preconditions.checkNotNull(jwksProvider);
-    Preconditions.checkNotNull(signedJwt, "No token found");
-    final SignedJWT parsedJwt = SignedJWT.parse(signedJwt);
-    List<JWK> matchedJWKS = jwksProvider.getJWKs(parsedJwt.getHeader());
-    if (matchedJWKS.isEmpty()) {
-      throw new AuthenticationException("Failed to find matched JWKs with the 
JWT header: " + parsedJwt.getHeader());
-    }
+  // Accept asymmetric cryptography based algorithms only
+  private static final Set<JWSAlgorithm> ACCEPTABLE_ALGORITHMS = new 
HashSet<>(Family.SIGNATURE);
 
-    // verify signature
-    Exception lastException = null;
-    for (JWK matchedJWK : matchedJWKS) {
-      String keyID = matchedJWK.getKeyID() == null ? "null" : 
matchedJWK.getKeyID();
-      try {
-        JWSVerifier verifier = getVerifier(parsedJwt.getHeader(), matchedJWK);
-        if (parsedJwt.verify(verifier)) {
-          LOG.debug("Verified JWT {} by JWK {}", parsedJwt.getPayload(), 
keyID);
-          break;
-        }
-      } catch (Exception e) {
-        lastException = e;
-        LOG.warn("Failed to verify JWT {} by JWK {}", parsedJwt.getPayload(), 
keyID, e);
-      }
-    }
-    // We use only the last seven characters to let a user can differentiate 
exceptions for different JWT
-    int startIndex = Math.max(0, signedJwt.length() - 7);
-    String lastSevenChars = signedJwt.substring(startIndex);
-    if (parsedJwt.getState() != JWSObject.State.VERIFIED) {
-      throw new AuthenticationException("Failed to verify the JWT signature 
(ends with " + lastSevenChars + ")",
-          lastException);
-    }
+  private final ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
 
-    // verify claims
-    JWTClaimsSet claimsSet = parsedJwt.getJWTClaimsSet();
-    Date expirationTime = claimsSet.getExpirationTime();
-    if (expirationTime != null) {
-      Date now = new Date();
-      if (now.after(expirationTime)) {
-        LOG.warn("Rejecting an expired JWT: {}", parsedJwt.getPayload());
-        throw new AuthenticationException("JWT (ends with " + lastSevenChars + 
") has been expired");
-      }
+  public JWTValidator(Set<JOSEObjectType> acceptableTypes, List<URL> jwksURLs, 
String expectedIssuer,
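Review bot: `ACCEPTABLE_ALGORITHMS` on the new side is a `static final` field that holds a plain mutable `HashSet`, so the set of accepted signing algorithms is not actually fixed and could be widened by any later code in the class; wrap it, e.g. `private static final Set<JWSAlgorithm> ACCEPTABLE_ALGORITHMS = Collections.unmodifiableSet(new HashSet<>(Family.SIGNATURE));` (adds a `java.util.Collections` import), or `Set.copyOf(Family.SIGNATURE)` if the module targets Java 10+. The comment above it would be more useful if it said why the restriction exists, e.g. `// Accept asymmetric (RSA/EC/EdDSA) signature algorithms only; symmetric HMAC families are rejected so a public key served from the JWKS can never be used as an HMAC secret.` Note that the old code's explicit expiration check is dropped here; it is presumably delegated to the claims verifier configured on `jwtProcessor`, but that configuration and the whole constructor body start at the last line of the hunk and continue outside it, so that should be confirmed there.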

Review Comment:
   cc @dengzhhu653, @henrib  


