
refactor(jans-cedarling): streamline token deserialization in JwtService #10018

Draft
wants to merge 4,486 commits into base: main

Conversation

rmarinn
Contributor

@rmarinn rmarinn commented Nov 3, 2024

Prepare


Description

This PR streamlines the token deserialization process in JwtService by eliminating redundant calls to jsonwebtoken::decode. Instead, it implements the From trait, providing callers with a straightforward method for converting to the required structs.

Target issue

target issue: #9967

closes #9967

Implementation Details

  • Macro Implementation: The addition of the impl_jwt_for_token! macro streamlines the implementation of the JsonWebToken trait for various token types. This reduces boilerplate code and ensures consistency across token definitions.
  • Unified Token Struct: A new Token struct has been introduced to encapsulate common claims (iss, aud, sub) across different token types. This abstraction facilitates easier management and retrieval of token claims.
  • Claims Trait: The Claims trait has been defined to provide a uniform interface for accessing token claims. This promotes code reusability and improves maintainability by separating claims handling from the token data structures.
  • Refactoring of Claim Setting: A trait-based approach for setting optional claims has been added, making parts of the code easier to read since there are no more consecutive if-elses when setting the validation settings.
  • Elimination of Redundant Deserialization: The refactor optimizes the deserialize_tokens function by removing unnecessary calls to jsonwebtoken::decode, thus improving efficiency and reducing overhead.

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.
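The macro, `Token` struct, `Claims` trait, trait-based optional setters and `From` conversion described above, as an added Rust example that is not the PR's own code: every type, trait and function name here is an assumption, the jsonwebtoken/serde crates are stood in for by a plain `HashMap` of already-decoded claims, and the sample claims are constructed. `validate` and `check_consistency` also carry through the cross-token checks named in the PR's commit messages (userinfo `client_id` against access-token `aud`, userinfo `sub` against id-token `sub`).

```rust
use std::collections::HashMap;

/// Claims shared by every token kind (assumed layout mirroring the PR's `Token`).
#[derive(Debug, Clone, PartialEq, Default)]
pub struct Token { pub iss: Option<String>, pub aud: Option<String>, pub sub: Option<String> }

/// Uniform read access to claims, independent of the concrete token type.
pub trait Claims {
    fn common(&self) -> &Token;
    fn claim(&self, name: &str) -> Option<&str>; // any claim beyond the common three
    fn iss(&self) -> Option<&str> { self.common().iss.as_deref() }
    fn aud(&self) -> Option<&str> { self.common().aud.as_deref() }
    fn sub(&self) -> Option<&str> { self.common().sub.as_deref() }
}

/// A token type the service can build from an already-decoded claim set.
pub trait JsonWebToken: Claims + Sized {
    const KIND: &'static str;
    fn from_claims(claims: HashMap<String, String>) -> Self;
}

/// One invocation per token type replaces three near-identical impl blocks; the
/// generated `From` impl is the plain conversion the PR description offers callers.
macro_rules! impl_jwt_for_token {
    ($name:ident, $kind:literal) => {
        #[derive(Debug, Clone, PartialEq, Default)]
        pub struct $name { pub token: Token, pub extra: HashMap<String, String> }
        impl Claims for $name {
            fn common(&self) -> &Token { &self.token }
            fn claim(&self, name: &str) -> Option<&str> { self.extra.get(name).map(String::as_str) }
        }
        impl JsonWebToken for $name {
            const KIND: &'static str = $kind;
            fn from_claims(mut claims: HashMap<String, String>) -> Self {
                let token = Token { iss: claims.remove("iss"), aud: claims.remove("aud"), sub: claims.remove("sub") };
                Self { token, extra: claims } // everything not lifted stays in `extra`
            }
        }
        impl From<HashMap<String, String>> for $name {
            fn from(claims: HashMap<String, String>) -> Self { Self::from_claims(claims) }
        }
    };
}
impl_jwt_for_token!(AccessToken, "access_token");
impl_jwt_for_token!(IdToken, "id_token");
impl_jwt_for_token!(UserinfoToken, "userinfo_token");

/// Expected claim values; `None` means the claim is not checked.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct Validation { pub iss: Option<String>, pub aud: Option<String>, pub sub: Option<String> }

/// Trait-based optional setters: chain these instead of one `if let Some(..)` per setting.
pub trait SetOptionalClaim: Sized {
    fn with_iss(self, v: Option<&str>) -> Self;
    fn with_aud(self, v: Option<&str>) -> Self;
}
impl SetOptionalClaim for Validation {
    fn with_iss(mut self, v: Option<&str>) -> Self { self.iss = v.map(String::from).or(self.iss); self }
    fn with_aud(mut self, v: Option<&str>) -> Self { self.aud = v.map(String::from).or(self.aud); self }
}

#[derive(Debug, Clone, PartialEq)]
pub enum TokenError {
    MissingClaim { kind: &'static str, claim: &'static str },
    ClaimMismatch { kind: &'static str, claim: &'static str },
}

/// Compare common claims with the expected values; an expected claim the token lacks is an error.
pub fn validate<T: JsonWebToken>(token: &T, want: &Validation) -> Result<(), TokenError> {
    let checks = [
        ("iss", token.iss(), want.iss.as_deref()),
        ("aud", token.aud(), want.aud.as_deref()),
        ("sub", token.sub(), want.sub.as_deref()),
    ];
    for (claim, actual, expected) in checks {
        if let Some(e) = expected {
            if actual.is_none() { return Err(TokenError::MissingClaim { kind: T::KIND, claim }); }
            if actual != Some(e) { return Err(TokenError::ClaimMismatch { kind: T::KIND, claim }); }
        }
    }
    Ok(())
}

/// Cross-token checks from the PR's commit history: userinfo `client_id` must equal the
/// access token's `aud`, and userinfo `sub` the id token's `sub`. Missing claims fail closed.
pub fn check_consistency(access: &AccessToken, id: &IdToken, userinfo: &UserinfoToken) -> Result<(), TokenError> {
    let client_ok = matches!((userinfo.claim("client_id"), access.aud()), (Some(c), Some(a)) if c == a);
    let sub_ok = matches!((userinfo.sub(), id.sub()), (Some(u), Some(i)) if u == i);
    match (client_ok, sub_ok) {
        (false, _) => Err(TokenError::ClaimMismatch { kind: UserinfoToken::KIND, claim: "client_id" }),
        (_, false) => Err(TokenError::ClaimMismatch { kind: UserinfoToken::KIND, claim: "sub" }),
        _ => Ok(()),
    }
}

/// Constructed sample claims standing in for a decoded JWT payload (not real tokens).
pub fn claims(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}
```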

yuriyz and others added 30 commits August 27, 2024 13:26
…9037)

* feat(jans-pycloudlib): add support reading configuration from file

Signed-off-by: iromli <[email protected]>

* tests(jans-pycloudlib): adjust testcases

Signed-off-by: iromli <[email protected]>

* feat(jans-pycloudlib): add CLI command to generate configuration spec

Signed-off-by: iromli <[email protected]>

* refactor: simplified configmaps and secrets adapters

Signed-off-by: iromli <[email protected]>

* fix: handle missing params

Signed-off-by: iromli <[email protected]>

* fix: add backward-compat for configuration and dump files

Signed-off-by: iromli <[email protected]>

* test(jans-pycloudlib): fix transform_data testcase

Signed-off-by: iromli <[email protected]>

* refactor: handle mounted password files

Signed-off-by: iromli <[email protected]>

* refactor: handle mounted files in OCI images

Signed-off-by: iromli <[email protected]>

* fix: ensure couchbase password files exist

Signed-off-by: iromli <[email protected]>

* refactor: generate opendj.pkcs12 on-the-fly

Signed-off-by: iromli <[email protected]>

* fix: resolve required password files

Signed-off-by: iromli <[email protected]>

* fix: pre-populate LDAP bindDN

Signed-off-by: iromli <[email protected]>

* fix: remove duplicated jansAccessTknSigAlg attribute

Signed-off-by: iromli <[email protected]>

* chore: clarify local secrets and configmaps will be excluded if configuration.json is missing

Signed-off-by: iromli <[email protected]>

* refactor: remove unused backward-compat

Signed-off-by: iromli <[email protected]>

* refactor: bootstrap Vault RoleID and SecretID (if required)

Signed-off-by: iromli <[email protected]>

---------

Signed-off-by: iromli <[email protected]>
Signed-off-by: Isman Firmansyah <[email protected]>
* docs: minor doc updates #9228

Signed-off-by: jgomer2001 <[email protected]>

* docs: rewrite developer's guide #8852

Signed-off-by: jgomer2001 <[email protected]>

* chore: rework sample credentials plugin #9228

Signed-off-by: jgomer2001 <[email protected]>

* chore: rework sample credential plugin #9228

Signed-off-by: jgomer2001 <[email protected]>

---------

Signed-off-by: jgomer2001 <[email protected]>
…9284)

* fix(cloud-native): update jans-pycloudlib version used by OCI images

Signed-off-by: iromli <[email protected]>

* fix(docker-jans-all-in-one): add missing casa-agama-project.zip

Signed-off-by: iromli <[email protected]>

---------

Signed-off-by: iromli <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
* docs: casa docs sweep #8852

Signed-off-by: jgomer2001 <[email protected]>

* chore: minor plugin refactoring #9228

Signed-off-by: jgomer2001 <[email protected]>

---------

Signed-off-by: jgomer2001 <[email protected]>
* docs: describe behavior of casa authn flow more precisely #8846

Signed-off-by: jgomer2001 <[email protected]>

* fix: improve handling of assets data stored in cache #9297

Signed-off-by: jgomer2001 <[email protected]>

* chore: minor project refactoring #8846

Signed-off-by: jgomer2001 <[email protected]>

---------

Signed-off-by: jgomer2001 <[email protected]>
* fix(jans-cli-tui): display error if default acr is not saved

Signed-off-by: Mustafa Baser <[email protected]>

* refactor(jans-cli-tui): Authn screen

Signed-off-by: Mustafa Baser <[email protected]>

* feat(jans-cli-tui): hide LDAP tab in authn screen if db is not ldap

Signed-off-by: Mustafa Baser <[email protected]>

* chore(jans-linux-setup): populate jansDbAuth only if db is LDAP

Signed-off-by: Mustafa Baser <[email protected]>

* fix(docs): update docs for Authn

Signed-off-by: Mustafa Baser <[email protected]>

* docs: proofreading changes

Signed-off-by: ossdhaval <[email protected]>

* docs: update default authn file name

Signed-off-by: ossdhaval <[email protected]>

* docs: rename the file and minor updates

Signed-off-by: ossdhaval <[email protected]>

* docs(jans-cli-tui): rename acr to default

Signed-off-by: Mustafa Baser <[email protected]>

* Revert "docs(jans-cli-tui): rename acr to default"

This reverts commit d519b7b.

Signed-off-by: ossdhaval <[email protected]>

---------

Signed-off-by: Mustafa Baser <[email protected]>
Signed-off-by: Devrim <[email protected]>
Signed-off-by: ossdhaval <[email protected]>
Co-authored-by: ossdhaval <[email protected]>
* fix(jans-cli-tui): check response content type in cli mode

Signed-off-by: Mustafa Baser <[email protected]>

* fix(jans-cli-tui): don't post metadata location after editing saml-SP

Signed-off-by: Mustafa Baser <[email protected]>

---------

Signed-off-by: Mustafa Baser <[email protected]>
…ken call fails (#9312)

fix(jans-auth-server): if AS fails to allocate status index entire token call fails #9290

Signed-off-by: YuriyZ <[email protected]>
* feat(jans-cli-tui): config-api configuration

Signed-off-by: Mustafa Baser <[email protected]>

* fix(jans-cli-tui): display save info on dialog for config-api config

Signed-off-by: Mustafa Baser <[email protected]>

* docs(jans-cli-tui): config-api configurations

Signed-off-by: Mustafa Baser <[email protected]>

* docs(jans-cli-tui): config-api swagger reference

Signed-off-by: Mustafa Baser <[email protected]>

* docs(config-api): update config api

Signed-off-by: ossdhaval <[email protected]>

* docs: edit the update section

Signed-off-by: ossdhaval <[email protected]>

* docs: proofreading changes

Signed-off-by: ossdhaval <[email protected]>

---------

Signed-off-by: Mustafa Baser <[email protected]>
Signed-off-by: ossdhaval <[email protected]>
Co-authored-by: ossdhaval <[email protected]>
* docs: update developer guide #8852

Signed-off-by: jgomer2001 <[email protected]>

* chore: disable super gluu extension #8852

Signed-off-by: jgomer2001 <[email protected]>

* chore: avoid image duplication #8847

Signed-off-by: jgomer2001 <[email protected]>

* chore: revert changes in login form #8852

Signed-off-by: jgomer2001 <[email protected]>

---------

Signed-off-by: jgomer2001 <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
* chore: update casa gitignore #8846

Signed-off-by: jgomer2001 <[email protected]>

* chore: remove unused files #9327

Signed-off-by: jgomer2001 <[email protected]>

* docs: re-arrange list of plugins #8852

Signed-off-by: jgomer2001 <[email protected]>

---------

Signed-off-by: jgomer2001 <[email protected]>
…records (#9334)

* feat(jans-config-api): update log/telemetry/health entries

Signed-off-by: Yuriy Movchan <[email protected]>

* feat(jans-config-api): update log/telemetry/health entries

Signed-off-by: Yuriy Movchan <[email protected]>

---------

Signed-off-by: Yuriy Movchan <[email protected]>
* feat: remove mounted files for sql persistence

Signed-off-by: iromli <[email protected]>

* feat: remove mounted files for couchbase persistence

Signed-off-by: iromli <[email protected]>

* feat: remove mounted files for ldap persistence

Signed-off-by: iromli <[email protected]>

* fix: handle hybrid persistence

Signed-off-by: iromli <[email protected]>

* feat: remove unused ldap-cron-pass secret

Signed-off-by: iromli <[email protected]>

Merging but it's missing docs. Auto doc generator will take care of it.
---------

Signed-off-by: iromli <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
#9343)

feat(jans-config-api): add endpoint to load log/telemetry/health data for specific period

Signed-off-by: Yuriy Movchan <[email protected]>
* feat(jans-auth-server): AS supports acr aliasing but it's not published on discovery. It should be added to discovery. #9166

Signed-off-by: YuriyZ <[email protected]>

* feat(jans-auth-server): added acr_mappings to doc sample #9166

Signed-off-by: YuriyZ <[email protected]>

---------

Signed-off-by: YuriyZ <[email protected]>
…in id_token (#9358)

Signed-off-by: Arnab Dutta <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
* ci: forces download each time on packaging

Signed-off-by: moabu <[email protected]>

* ci: forces download each time on packaging

Signed-off-by: moabu <[email protected]>

---------

Signed-off-by: moabu <[email protected]>
Signed-off-by: Mohammad Abudayyeh <[email protected]>
…ly if using ldap persistence (#9323)

Signed-off-by: iromli <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
… /jans-bom (#9308)

chore(deps): bump com.mysql:mysql-connector-j in /jans-bom

Bumps [com.mysql:mysql-connector-j](https://github.com/mysql/mysql-connector-j) from 8.0.32 to 8.2.0.
- [Changelog](https://github.com/mysql/mysql-connector-j/blob/release/9.x/CHANGES)
- [Commits](mysql/mysql-connector-j@8.0.32...8.2.0)

---
updated-dependencies:
- dependency-name: com.mysql:mysql-connector-j
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… /jans-casa/app-fips (#8514)

chore(deps): bump org.bouncycastle:bc-fips in /jans-casa/app-fips

Bumps org.bouncycastle:bc-fips from 1.0.2.4 to 1.0.2.5.

---
updated-dependencies:
- dependency-name: org.bouncycastle:bc-fips
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot bot and others added 18 commits October 29, 2024 10:53
…#9969)

Bumps `jackson.version` from 2.18.0 to 2.18.1.

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.core:jackson-core` from 2.18.0 to 2.18.1
- [Commits](FasterXML/jackson-core@jackson-core-2.18.0...jackson-core-2.18.1)

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jose Gonzalez <[email protected]>
#9970)

Bumps [io.grpc:grpc-bom](https://github.com/grpc/grpc-java) from 1.43.1 to 1.68.1.
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.43.1...v1.68.1)

---
updated-dependencies:
- dependency-name: io.grpc:grpc-bom
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jose Gonzalez <[email protected]>
…s-casa (#9971)

chore(deps): bump com.fasterxml:aalto-xml in /jans-casa

Bumps [com.fasterxml:aalto-xml](https://github.com/FasterXML/aalto-xml) from 1.3.2 to 1.3.3.
- [Commits](FasterXML/aalto-xml@aalto-xml-1.3.2...aalto-xml-1.3.3)

---
updated-dependencies:
- dependency-name: com.fasterxml:aalto-xml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jose Gonzalez <[email protected]>
* fix(jans-lock): add health-check plugin from jans-auth

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-lock): add health-check plugin from jans-auth

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-lock): add health-check plugin from jans-auth

Signed-off-by: Yuriy Movchan <[email protected]>

* feat(oxauth): ignore uid case when auth server is AD

Signed-off-by: Yuriy Movchan <[email protected]>

---------

Signed-off-by: Yuriy Movchan <[email protected]>
* refactor(cloud-native): remove ldap occurrences in cloud-native

Signed-off-by: iromli <[email protected]>

* docs(cloud-native): remove ldap occurrences in cloud-native

Signed-off-by: iromli <[email protected]>

---------

Signed-off-by: iromli <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
chore: misc descriptor updates #9978

Signed-off-by: jgomer2001 <[email protected]>
)

* feat(jans-cedarling): implement KeyService for JwtService

- implemented a `KeyService` for `JwtService` that manages decoding keys
  which are used to validate Json Web Tokens (JWTs).

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement GetKey for KeyService

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): replace custom mockhttp with mockito and refactor services

- Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests.
- Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait.
  `KeyService` can now be initialized directly, simplifying the code and improving clarity.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services

- restructured the folder structure in the /jwt module for better organization.
- added comprehensive docstrings to enhance code readability and maintainability.
- simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication.

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): add trusted_issuers field to the PolicyStore

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging

- reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency
- replaced `println!` with `eprintln!` for better error logging

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement custom error handling for lock acquisition failure

- added error handling for cases where acquiring a lock on decoding keys fails
- replaced `unwrap()` with a custom error to handle poisoned locks gracefully

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement validation for `userinfo_token`

- validate the `userinfo_token` to ensure its integrity and correctness
- verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token`
- verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token`

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): update token examples in `/examples` directory

- revise example tokens to reflect current requirements

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): remove unused fields from tokens in `jwt::token`

- clean up the `jwt::token` module by removing fields that are unused.

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement specific error messages for invalid token types

- introduced `InvalidAccessToken` error for invalid access tokens
- introduced `InvalidIdToken` error for invalid ID tokens
- introduced `InvalidUserinfoToken` error for invalid userinfo tokens
- this change provides clearer feedback based on the type of invalid token encountered

Signed-off-by: rmarinn <[email protected]>

* docs: changes in policy store docs

Signed-off-by: Arnab Dutta <[email protected]>

* feat(jans-cedarling): implement Deserialize for TokenKind

- implement Deserialize for TokenKind instead of using the
  derialize_with macro

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): implement Copy trait for TokenKind enum

- added the Copy trait implementation to TokenKind for more efficient value handling

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String>

- updated the MultipleRoleMappings error variant to store a Vec<String>
  instead of a single String, allowing it to capture multiple tokens with role mappings.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive

- rename `schema` field in `PolicyStore` to `cedar_schema`
- rename `policies` field in `PolicyStore` to `cedar_policies`

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): improve naming and deserialization for PolicyStore

- policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json
- renamed and simplified field and function names for better clarity in policy deserialization
- updated docstrings to enhance understanding of PolicyStore fields and deserialization process
- updated test cases to reflect new naming conventions and improve error handling

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): introduce cedar_version field in policy_store.json

- added support for the cedar_version field to specify the version of Cedar being used.
- this enhancement allows for version-specific parsing of schemas and policies during deserialization.
- updated relevant structures and deserialization logic to validate the cedar_version format.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore

- checking for multiple roles now occurs during the deserialization of PolicyStore
- the corresponding test has been relocated from `init/policy_store.rs` to
  `common/policy_store.rs` for better organization and clarity.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): rename parse_policy to parse_single_policy

- rename `parse_policy` to `parse_single_policy` to make the intent of
  calling the function clearer

Signed-off-by: rmarinn <[email protected]>

* docs: fixing review comments

Signed-off-by: Arnab Dutta <[email protected]>

* docs(jans-cedarling): add missing docstrings in common/policy_store.rs

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update docs/dedarling/cedarling-jwt.md

Signed-off-by: rmarinn <[email protected]>

* docs: fixing review comments

Signed-off-by: Arnab Dutta <[email protected]>

* fix(jans-cedarling): uncomment previously commented functions

Signed-off-by: rmarinn <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* docs: correct policy store format

Signed-off-by: Arnab Dutta <[email protected]>

* fix(jans-cedarling): remove unused commented code

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): fix docstrings in PolicyStore

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata`

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): replace custom version parsing with the semver crate

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): simplify TokenKind parsing

- removed the need for a Visitor in parsing logic
- users now pass `access_token`, `id_token`, `userinfo_token`,
  or `transaction_token` (case-insensitive) as the token type

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): add unit test for handling invalid token type

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): replace string with JSON macro for invalid token metadata test

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): enhance policy deserialization error handling

- updated the deserialization logic to collect and report multiple errors encountered during policy parsing

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): move tests to a separate file and enhance input clarity

- reorganized tests into a dedicated file for better structure
- improved readability of policy and schema inputs in the tests

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): resolve Clippy warnings

- fixed needless borrows to improve code efficiency

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): add specific error assertion in unit tests

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): add comments to the tokens in the examples

- added comments so it's obvious what's in the claims in the tokens
  string in the examples directory

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): fix broken example with jwt validation

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): update incorrect docstrings

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): resolve clippy warnings

Signed-off-by: rmarinn <[email protected]>

* refactor(jwt): convert extract_claims to an associated function

- moved the `extract_claims` function out of the method that uses `self`,
  making it an associated function to avoid unnecessary usage of `self`
  while preserving organization within the impl block.

Signed-off-by: rmarinn <[email protected]>

* refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing

- manually reverted to returning a custom Error when parsing an
  unsupported algorithm, preserving previous error reporting behavior

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): fix clippy warnings

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): fix wrong example in the docs

- renamed `person_id` to `user_id` in the example

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): replace `person_id` with `user_id`

Signed-off-by: rmarinn <[email protected]>

* chore(jans-cedarling): remove unused traits file

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): update examples to align with schema changes

Signed-off-by: rmarinn <[email protected]>

* docs(jans-cedarling): update README.md

- update README to show how to run the new tests

Signed-off-by: rmarinn <[email protected]>

* feat(jans-cedarling): improve error handling

Signed-off-by: rmarinn <[email protected]>

* fix(jans-cedarling): revert unintended change to the docs by a merge

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): fix python unit tests

Signed-off-by: Oleh Bohzok <[email protected]>

* chore(jans-cedarling): fix misspelled test function name

Signed-off-by: rmarinn <[email protected]>

* test(jans-cedarling): improve test assertion and specificity

Signed-off-by: rmarinn <[email protected]>

---------

Signed-off-by: rmarinn <[email protected]>
Signed-off-by: Arnab Dutta <[email protected]>
Signed-off-by: Oleh Bohzok <[email protected]>
Co-authored-by: Arnab Dutta <[email protected]>
Co-authored-by: Oleh Bohzok <[email protected]>
…/benchmarking/docker-jans-loadtesting-jmeter (#9988)

chore(deps): bump blazemeter/taurus

Bumps blazemeter/taurus from 1.16.33 to 1.16.35.

---
updated-dependencies:
- dependency-name: blazemeter/taurus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
…9701)

* feat(jans-core): integrate document store manager into applications

Signed-off-by: Yuriy Movchan <[email protected]>

* feat(jans-core): integrate document store manager into applications

Signed-off-by: Yuriy Movchan <[email protected]>

---------

Signed-off-by: Yuriy Movchan <[email protected]>
Co-authored-by: YuriyZ <[email protected]>
#10002)

fix(jans-core): document store manager should have not null supported list by default

Signed-off-by: Yuriy Movchan <[email protected]>
* feat(jans-cedarling): Encoding and ContentType for cedar_schema and policy_content values

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): deserialize from schema field with metadata in policy.json

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): deserialize from policy_content field with metadata in policy.json

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): Ensure that policies are only ever encoded in cedar, because parsing cedar-json is currently not handled by cedar-policy crate.

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): for very human-readable tests, you can now do test file fixtures in yaml

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): rectify clippy complaints

Signed-off-by: John Anderson <[email protected]>

* feat(jans-cedarling): local use for std::collections::HashSet

Signed-off-by: John Anderson <[email protected]>

---------

Signed-off-by: John Anderson <[email protected]>
* feat(jans-pycloudlib): detect JSON data format

Signed-off-by: iromli <[email protected]>

* refactor(jans-pycloudlib): preconfigure MYSQL_SIMPLE_JSON

Signed-off-by: iromli <[email protected]>

---------

Signed-off-by: iromli <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
- Add a macro `impl_jwt_for_token!` to streamline the implementation of
  the `JsonWebToken` trait for different token types.
- Introduce a `Token` struct to hold common claims.
- Define a `Claims` trait for unified access to token claims.
- Implement macros for `AccessToken`, `IdToken`, and `UserinfoToken`.

Signed-off-by: rmarinn <[email protected]>
@rmarinn rmarinn added the comp-jans-cedarling Touching folder /jans-cedarling label Nov 3, 2024
@rmarinn rmarinn self-assigned this Nov 3, 2024

dryrunsecurity bot commented Nov 3, 2024

DryRun Security Summary

The provided code changes focus on improving the handling and validation of JSON Web Tokens (JWTs) in the Cedarling application, introducing a robust JWT service with comprehensive token validation, flexible decoding strategies, secure key handling, and extensive test coverage, demonstrating a well-designed and secure approach to JWT handling.


Summary:

The provided code changes focus on improving the handling and validation of JSON Web Tokens (JWTs) in the Cedarling application. The changes introduce a robust JWT service with support for decoding and validating access tokens, ID tokens, and userinfo tokens. The key security-related aspects include:

  1. Comprehensive Token Validation: The JwtService performs thorough validation of the token claims, including checks for the correct issuer, audience, and subject. This helps mitigate common security vulnerabilities, such as token replay attacks and impersonation attacks.

  2. Flexible Decoding Strategies: The JwtService supports two decoding strategies: one with validation and one without. This allows the application to use the appropriate strategy based on the security requirements of the specific use case.

  3. Secure Key Handling: The code includes the implementation of a KeyService that fetches the necessary public keys from the JWKS endpoint, ensuring that the correct keys are used for token verification.

  4. Extensive Test Coverage: The provided test cases cover a wide range of scenarios, including handling of unsupported algorithms, audience validation, and JWKS updates. This helps ensure the security and reliability of the JWT handling functionality.

  5. Separation of Concerns: The code separates the token handling logic from the authorization-specific data structures, promoting better maintainability and security by limiting the exposure of sensitive information.

Overall, the code changes demonstrate a well-designed and secure approach to JWT handling in the Cedarling application, with a focus on implementing best practices for authentication and authorization.

Files Changed:

  1. jans-cedarling/cedarling/src/jwt/mod.rs: This file introduces the JwtService struct, which is responsible for decoding and validating JWTs based on a specified decoding strategy.

  2. jans-cedarling/cedarling/src/authz/mod.rs: The changes in this file simplify the JWT token decoding process and improve the handling of the decoded token data.

  3. jans-cedarling/cedarling/src/authz/token_data.rs: This file defines structures and utility functions for working with token payloads, including access tokens, ID tokens, and userinfo tokens.

  4. jans-cedarling/cedarling/src/jwt/decoding_strategy.rs: The changes in this file introduce two decoding strategies: one with validation and one without, allowing for more flexible token handling.

  5. Several test files, such as can_decode_claims_with_validation.rs, can_decode_claims_without_validation.rs, errors_on_invalid_aud.rs, can_update_local_jwks.rs, and errors_on_unsupported_alg.rs, which demonstrate the comprehensive testing of the JWT handling functionality.

  6. jans-cedarling/cedarling/src/jwt/token.rs and jans-cedarling/cedarling/src/jwt/test/utils.rs, which introduce new structures and functions for handling and generating JWT claims and tokens.

Code Analysis

We ran 9 analyzers against 11 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@mo-auto mo-auto added the kind-enhancement Issue or PR is an enhancement to an existing functionality label Nov 3, 2024
nynymike previously approved these changes Nov 4, 2024
jans-cedarling/cedarling/src/jwt/decoding_strategy.rs (outdated review thread, resolved)
jans-cedarling/cedarling/src/jwt/decoding_strategy.rs (outdated review thread, resolved)
jans-cedarling/cedarling/src/jwt/token.rs (outdated review thread, resolved)