Skip to content

Add JwtClaimValidator #7962

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
/*
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.jwt;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;

import java.util.function.Predicate;

/**
* Validates a claim in a {@link Jwt} against a provided {@link java.util.function.Predicate}
*
* @author Zeeshan Adnan
* @since 5.3
*/
public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {

private final String claim;
private final Predicate<T> test;
private final OAuth2Error error;

/**
* Constructs a {@link JwtClaimValidator} using the provided parameters
*
* @param claim - is the name of the claim in {@link Jwt} to validate.
* @param test - is the predicate function for the claim to test against.
*/
public JwtClaimValidator(String claim, Predicate<T> test) {
Assert.notNull(claim, "claim can not be null");
Assert.notNull(test, "test can not be null");
this.claim = claim;
this.test = test;
this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
"The " + this.claim + " claim is not valid",
"https://tools.ietf.org/html/rfc6750#section-3.1");
}

/**
* {@inheritDoc}
*/
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
Assert.notNull(token, "token cannot be null");
T claimValue = token.getClaim(this.claim);
if (test.test(claimValue)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(error);
}
}
}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -15,26 +15,21 @@
*/
package org.springframework.security.oauth2.jwt;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;

import static org.springframework.security.oauth2.jwt.JwtClaimNames.ISS;

/**
* Validates the "iss" claim in a {@link Jwt}, that is matches a configured value
*
* @author Josh Cummings
* @since 5.1
*/
public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
private static OAuth2Error INVALID_ISSUER =
new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST,
"This iss claim is not equal to the configured issuer",
"https://tools.ietf.org/html/rfc6750#section-3.1");

private final String issuer;
private final JwtClaimValidator<String> validator;

/**
* Constructs a {@link JwtIssuerValidator} using the provided parameters
Expand All @@ -43,7 +38,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
*/
public JwtIssuerValidator(String issuer) {
Assert.notNull(issuer, "issuer cannot be null");
this.issuer = issuer;
this.validator = new JwtClaimValidator(ISS, issuer::equals);
}

/**
Expand All @@ -52,12 +47,6 @@ public JwtIssuerValidator(String issuer) {
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
Assert.notNull(token, "token cannot be null");

String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
if (this.issuer.equals(tokenIssuer)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
}
return this.validator.validate(token);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
/*
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.jwt;

import org.junit.Test;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;

import java.util.function.Predicate;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.springframework.security.oauth2.jwt.JwtClaimNames.ISS;
import static org.springframework.security.oauth2.jwt.TestJwts.jwt;

/**
* Tests for {@link JwtClaimValidator}.
*
* @author Zeeshan Adnan
*/
public class JwtClaimValidatorTests {

private static final Predicate<String> test = claim -> claim.equals("http://test");
private final JwtClaimValidator<String> validator = new JwtClaimValidator<>(ISS, test);

@Test
public void validateWhenClaimPassesTheTestThenReturnsSuccess() {
Jwt jwt = jwt().claim(ISS, "http://test").build();
assertThat(validator.validate(jwt))
.isEqualTo(OAuth2TokenValidatorResult.success());
}

@Test
public void validateWhenClaimFailsTheTestThenReturnsFailure() {
Jwt jwt = jwt().claim(ISS, "http://abc").build();
assertThat(validator.validate(jwt).getErrors().isEmpty())
.isFalse();
}

@Test
public void validateWhenClaimIsNullThenThrowsIllegalArgumentException() {
assertThatThrownBy(() -> new JwtClaimValidator<String>(null, test))
.isInstanceOf(IllegalArgumentException.class);
}

@Test
public void validateWhenTestIsNullThenThrowsIllegalArgumentException(){
assertThatThrownBy(() -> new JwtClaimValidator<>(ISS, null))
.isInstanceOf(IllegalArgumentException.class);
}

@Test
public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
assertThatThrownBy(() -> validator.validate(null))
.isInstanceOf(IllegalArgumentException.class);
}
}