Merge pull request #50 from CleverCloud/gracefyllyRejectInvalid

really do authN, jdk21
CleverCloud · Oct 24, 2024 · a036003 · a036003
2 parents ab5088b + f40a6d7
commit a036003
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 13 deletions.
diff --git a/.github/workflows/deploy_to_central.yml b/.github/workflows/deploy_to_central.yml
@@ -18,8 +18,8 @@ jobs:
       - name: Set up Maven Central Repository
         uses: actions/setup-java@v2
         with:
-          java-version: "17"
-          distribution: "adopt"
+          java-version: "21"
+          distribution: "temurin"
           server-id: ossrh
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD

diff --git a/.github/workflows/java_ci.yml b/.github/workflows/java_ci.yml
@@ -19,10 +19,10 @@ jobs:
           version: "3.x"
       - name: Checkout
         uses: actions/checkout@v2
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v2
         with:
-          java-version: "17"
-          distribution: "adopt"
+          java-version: "21"
+          distribution: "temurin"
       - name: Build with Maven
         run: mvn -B package --file pom.xml
diff --git a/pom.xml b/pom.xml
@@ -12,8 +12,8 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <maven.compiler.target>17</maven.compiler.target>
-    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>21</maven.compiler.target>
+    <maven.compiler.source>21</maven.compiler.source>
 
     <!-- plugins -->
     <maven-gpg.version>1.6</maven-gpg.version>

diff --git a/src/main/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuit.java b/src/main/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuit.java
@@ -141,7 +141,7 @@ public String authenticate(AuthenticationDataSource authData) throws Authenticat
             try {
                 return parseBiscuit(bearer);
             } catch (AuthenticationException e) {
-                log.debug("Biscuit decode failed, backing up to JWT");
+                log.trace("Biscuit decode failed, backing up to JWT");
                 return jwtAuthenticator.authenticate(authData);
             }
         } else {
@@ -189,17 +189,18 @@ private static String validateBearer(final String bearer) throws AuthenticationE
     }
 
     private String parseBiscuit(final String biscuitB64Url) throws AuthenticationException {
-        log.debug("Biscuit to parse: {}", biscuitB64Url);
+        log.trace("Biscuit to parse: {}", biscuitB64Url);
         try {
-            UnverifiedBiscuit biscuit = UnverifiedBiscuit.from_b64url(biscuitB64Url);
+            Biscuit biscuit = Biscuit.from_b64url(biscuitB64Url, AuthenticationProviderBiscuit.rootKey);
             Set<String> biscuitRevocationIdentifiers = biscuit.revocation_identifiers().stream().map(RevocationIdentifier::serialize_b64url).collect(Collectors.toSet());
             if (!Sets.intersection(revokedIdentifiers, biscuitRevocationIdentifiers).isEmpty()) {
                 throw new AuthenticationException("Biscuit has been revoked.");
             }
-            log.debug("Deserialized biscuit");
+            log.trace("Deserialized biscuit");
             return "biscuit:" + biscuitB64Url;
-        } catch (IllegalArgumentException | Error e) {
-            e.printStackTrace();
+        } catch (IllegalArgumentException | NoSuchAlgorithmException | SignatureException | InvalidKeyException |
+                 Error e) {
+            log.error("Error during parsing biscuit from b64, let's convert it to AuthenticationException", e);
             throw new AuthenticationException(e.toString());
         }
     }

diff --git a/src/test/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuitTest.java b/src/test/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuitTest.java
@@ -177,4 +177,53 @@ public void testTokenFromHttpHeaders() throws Exception {
         assertThat(subject, new StringStartsWith("biscuit:"));
         provider.close();
     }
+
+    @Test
+    public void testWrongKeyPair() throws Exception {
+        KeyPair root = new KeyPair("D283C7E436D89C544CC2B20C1028A7ADDC18FCED6386A6130465C17B996CD893");
+        KeyPair wrongRoot = new KeyPair("D283C7E436D89C544CC2B20C1028A7ADDC18FCED6386A6130465C17B996CD894");
+
+        LOGGER.info("ROOT KEY");
+        LOGGER.info(root.toHex());
+
+        LOGGER.info("ROOT PUBLICKEY");
+        LOGGER.info(hex(root.public_key().key.getAbyte()));
+
+        SymbolTable symbols = Biscuit.default_symbol_table();
+
+        Block authority_builder = new Block(0, symbols);
+        authority_builder.add_fact(fact("right", Arrays.asList(s("topic"), s("public"), s("default"), s("test"), s("produce"))));
+
+        byte[] seed = {0, 0, 0, 0};
+        SecureRandom rng = new SecureRandom(seed);
+        Biscuit b = Biscuit.make(rng, wrongRoot, Biscuit.default_symbol_table(), authority_builder.build());
+
+        AuthenticationProviderBiscuit provider = new AuthenticationProviderBiscuit();
+
+        Properties properties = new Properties();
+        properties.setProperty(AuthenticationProviderBiscuit.CONF_BISCUIT_PUBLIC_ROOT_KEY, hex(root.public_key().key.getAbyte()));
+
+        ServiceConfiguration conf = new ServiceConfiguration();
+        conf.setProperties(properties);
+        provider.initialize(conf);
+
+        String biscuit = b.serialize_b64url();
+
+        // Assert that authenticate throws an exception
+        assertThrows(AuthenticationException.class, () -> {
+            provider.authenticate(new AuthenticationDataSource() {
+                @Override
+                public boolean hasDataFromCommand() {
+                    return true;
+                }
+
+                @Override
+                public String getCommandData() {
+                    return biscuit;
+                }
+            });
+        });
+
+        provider.close();
+    }
 }