yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-07-08 17:53:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): require signed/encrypted jwt tokens (#6565)

Browse Source 
* fix(security): require unsigned/encrypted jwt tokens

* Add import

Co-authored-by: Pedro Silva <pedro@acryl.io>
This commit is contained in:
david-leifker 2022-12-26 13:45:32 -06:00 committed by GitHub
parent 1bec1d87bd
commit 10ea10ce85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
View File

@ -1,8 +1,19 @@
package auth.sso.oidc;
import java.text.ParseException;
import java.util.Map.Entry;
import java.util.Optional;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import net.minidev.json.JSONObject;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.AttributeLocation;
@ -14,7 +25,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
public class OidcAuthorizationGenerator implements AuthorizationGenerator {
@ -54,4 +64,31 @@ public class OidcAuthorizationGenerator implements AuthorizationGenerator {
return Optional.ofNullable(profile);
}
private static JWT parse(final String s) throws ParseException {
final int firstDotPos = s.indexOf(".");
if (firstDotPos == -1) {
throw new ParseException("Invalid JWT serialization: Missing dot delimiter(s)", 0);
}
Base64URL header = new Base64URL(s.substring(0, firstDotPos));
JSONObject jsonObject;
try {
jsonObject = JSONObjectUtils.parse(header.decodeToString());
} catch (ParseException e) {
throw new ParseException("Invalid unsecured/JWS/JWE header: " + e.getMessage(), 0);
}
Algorithm alg = Header.parseAlgorithm(jsonObject);
if (alg instanceof JWSAlgorithm) {
return SignedJWT.parse(s);
} else if (alg instanceof JWEAlgorithm) {
return EncryptedJWT.parse(s);
} else {
throw new AssertionError("Unexpected algorithm type: " + alg);
}
}
}