Authn jwt all signing key settings #2461
Conversation
app/domain/authentication/authn_jwt/signing_key/signing_key_settings_builder.rb
Show resolved
Hide resolved
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
| return provider_uri if provider_uri | ||
| end | ||
|
|
||
| def signing_key_settings_type |
There was a problem hiding this comment.
Method signing_key_settings_type has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
| @@ -0,0 +1,52 @@ | |||
| module Authentication | |||
| module AuthnJwt | |||
| module SigningKey | |||
There was a problem hiding this comment.
Authentication::AuthnJwt::SigningKey has no descriptive comment
sashaCher
force-pushed
the
authn-jwt-all-signing-key-settings
branch
from
8354e5e to
54d0c93
Compare
| return unless !jwks_uri && !provider_uri && !public_keys | ||
|
|
||
| raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings, | ||
| "One of #{JWKS_URI_RESOURCE_NAME}, #{PUBLIC_KEYS_RESOURCE_NAME}, and #{PROVIDER_URI_RESOURCE_NAME} have to be defined" |
There was a problem hiding this comment.
actually this raises a good question if to leave the provider uri, as the customer will see it in the error, and will wonder what it is...
maybe we can remove it from the error?
will verify with Sharon.
There was a problem hiding this comment.
I think that we cannot remove it because it may turn troubleshooting to a nightmare...
| return unless jwks_uri && public_keys && provider_uri | ||
|
|
||
| raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings, | ||
| "#{JWKS_URI_RESOURCE_NAME}, #{PUBLIC_KEYS_RESOURCE_NAME}, and #{PROVIDER_URI_RESOURCE_NAME} cannot be define simultaneously" |
There was a problem hiding this comment.
@shulifink can you pls review the text?
these variables cannot be defined togethe.
| return unless jwks_uri && provider_uri | ||
|
|
||
| raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings, | ||
| "#{JWKS_URI_RESOURCE_NAME} and #{PROVIDER_URI_RESOURCE_NAME} cannot be define simultaneously" |
There was a problem hiding this comment.
Cant we move this template to errors.rb?
There was a problem hiding this comment.
Actually errors.rb contains only TrackableErrorClass instances so moving plain text messages to it feels me not right.
But I'll move those texts to consts of the same class
sashaCher
force-pushed
the
authn-jwt-all-signing-key-settings
branch
from
54d0c93 to
3d446df
Compare
The class validates signing key parameters and creates a valid SigningKeySettings object from them Two new parameters cert_store and signing_keys are added to the SigningKeySettings class
sashaCher
force-pushed
the
authn-jwt-all-signing-key-settings
branch
from
3d446df to
ba79c6f
Compare
| @@ -0,0 +1,133 @@ | |||
| module Authentication | |||
| module AuthnJwt | |||
| module SigningKey | |||
There was a problem hiding this comment.
Authentication::AuthnJwt::SigningKey has 8 constants
| check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new, | ||
| fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new | ||
| }, | ||
| inputs: %i[authenticator_input] |
There was a problem hiding this comment.
Maybe consider using delgators for
accout, service_id, authenticator_name
There was a problem hiding this comment.
From one point of view let it be.
From other do we have some rule of thumb when to use delegators?
| module AuthnJwt | ||
| module SigningKey | ||
|
|
||
| NO_SIGNING_KEYS_SOURCE = "One of #{JWKS_URI_RESOURCE_NAME}, #{PUBLIC_KEYS_RESOURCE_NAME}, and #{PROVIDER_URI_RESOURCE_NAME} have to be defined".freeze |
There was a problem hiding this comment.
Can it sit in consts or errors.rb?
There was a problem hiding this comment.
It's too specific from my point of view.
Nobody else is using the same consts so there's no reason to split it to other files.
As I mentioned before errors.rb is a container for exceptions, not for error messages.
Variables values related to signing keys fetching from one side and values validation and the settings object creation are split to two classes (parameters fetcher and settings builder) both classes are used by CreateSigningKeyProvider class
sashaCher
force-pushed
the
authn-jwt-all-signing-key-settings
branch
from
ba79c6f to
5fabe9a
Compare
|
Code Climate has analyzed commit 5fabe9a and detected 3 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 91.2% (0.1% change). View more on Code Climate. |
Desired Outcome
JWT Authenticator is able to relate to two new variables
ca-certandpublic-keys. Both variables are related to signing keys settings area. Authenticator validates validity of variables permutations.It's not full variables integration yet, so this PR does not change the behavior in this matter.
Implemented Changes
Responsibility for fetching variables values and validating and building signing key settings object is now split between two classes:
FetchSigningKeyParametersFromVariablesandSigningKeySettingsBuilder.Both classes are dependency of the
CreateSigningKeyProviderclass, signing key providers are using signing key settings.General and non informative
InvalidUriConfiguration(CONJ00086E) error is replaced by informativeInvalidSigningKeySettings(CONJ00122E) one, seespec/app/domain/authentication/authn-jwt/signing_key/signing_key_settings_builder_spec.rbfile for the list of inputs and output error messages.Connected Issue/Story
ONYX-15140
Definition of Done
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Security