GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix NPE with exp claim in NimbusJwtDecoderJwkSupport 

Fixes gh-5168
pull/5217/head
Joe Grandja 8 years ago
parent
bc2a7ac394
commit
e6d68acfd6
7 changed files with 70 additions and 54 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AbstractOAuth2Token.java
  2. 10
      oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/OAuth2AccessTokenTests.java
  3. 10
      oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/OidcIdTokenTests.java
  4. 2
      oauth2/oauth2-jose/spring-security-oauth2-jose.gradle
  5. 11
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupport.java
  6. 10
      oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTests.java
  7. 57
      oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupportTests.java

24
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AbstractOAuth2Token.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2018 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -38,14 +38,14 @@ public abstract class AbstractOAuth2Token implements Serializable {
* Sub-class constructor. * Sub-class constructor.
* *
* @param tokenValue the token value * @param tokenValue the token value
* @param issuedAt the time at which the token was issued * @param issuedAt the time at which the token was issued, may be null
* @param expiresAt the expiration time on or after which the token MUST NOT be accepted * @param expiresAt the expiration time on or after which the token MUST NOT be accepted, may be null
*/ */
protected AbstractOAuth2Token(String tokenValue, Instant issuedAt, Instant expiresAt) { protected AbstractOAuth2Token(String tokenValue, Instant issuedAt, Instant expiresAt) {
Assert.hasText(tokenValue, "tokenValue cannot be empty"); Assert.hasText(tokenValue, "tokenValue cannot be empty");
Assert.notNull(issuedAt, "issuedAt cannot be null"); if (issuedAt != null && expiresAt != null) {
Assert.notNull(expiresAt, "expiresAt cannot be null"); Assert.isTrue(expiresAt.isAfter(issuedAt), "expiresAt must be after issuedAt");
Assert.isTrue(expiresAt.isAfter(issuedAt), "expiresAt must be after issuedAt"); }
this.tokenValue = tokenValue; this.tokenValue = tokenValue;
this.issuedAt = issuedAt; this.issuedAt = issuedAt;
this.expiresAt = expiresAt; this.expiresAt = expiresAt;
@ -63,7 +63,7 @@ public abstract class AbstractOAuth2Token implements Serializable {
/** /**
* Returns the time at which the token was issued. * Returns the time at which the token was issued.
* *
* @return the time the token was issued * @return the time the token was issued or null
*/ */
public Instant getIssuedAt() { public Instant getIssuedAt() {
return this.issuedAt; return this.issuedAt;
@ -72,7 +72,7 @@ public abstract class AbstractOAuth2Token implements Serializable {
/** /**
* Returns the expiration time on or after which the token MUST NOT be accepted. * Returns the expiration time on or after which the token MUST NOT be accepted.
* *
* @return the expiration time of the token * @return the expiration time of the token or null
*/ */
public Instant getExpiresAt() { public Instant getExpiresAt() {
return this.expiresAt; return this.expiresAt;
@ -92,17 +92,17 @@ public abstract class AbstractOAuth2Token implements Serializable {
if (!this.getTokenValue().equals(that.getTokenValue())) { if (!this.getTokenValue().equals(that.getTokenValue())) {
return false; return false;
} }
if (!this.getIssuedAt().equals(that.getIssuedAt())) { if (this.getIssuedAt() != null ? !this.getIssuedAt().equals(that.getIssuedAt()) : that.getIssuedAt() != null) {
return false; return false;
} }
return this.getExpiresAt().equals(that.getExpiresAt()); return this.getExpiresAt() != null ? this.getExpiresAt().equals(that.getExpiresAt()) : that.getExpiresAt() == null;
} }
@Override @Override
public int hashCode() { public int hashCode() {
int result = this.getTokenValue().hashCode(); int result = this.getTokenValue().hashCode();
result = 31 * result + this.getIssuedAt().hashCode(); result = 31 * result + (this.getIssuedAt() != null ? this.getIssuedAt().hashCode() : 0);
result = 31 * result + this.getExpiresAt().hashCode(); result = 31 * result + (this.getExpiresAt() != null ? this.getExpiresAt().hashCode() : 0);
return result; return result;
} }
} }

10
oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/OAuth2AccessTokenTests.java
Unescape View File

@ -51,16 +51,6 @@ public class OAuth2AccessTokenTests {
new OAuth2AccessToken(TOKEN_TYPE, null, ISSUED_AT, EXPIRES_AT); new OAuth2AccessToken(TOKEN_TYPE, null, ISSUED_AT, EXPIRES_AT);
} }
@Test(expected = IllegalArgumentException.class)
public void constructorWhenIssuedAtIsNullThenThrowIllegalArgumentException() {
new OAuth2AccessToken(TOKEN_TYPE, TOKEN_VALUE, null, EXPIRES_AT);
}
@Test(expected = IllegalArgumentException.class)
public void constructorWhenExpiresAtIsNullThenThrowIllegalArgumentException() {
new OAuth2AccessToken(TOKEN_TYPE, TOKEN_VALUE, ISSUED_AT, null);
}
@Test(expected = IllegalArgumentException.class) @Test(expected = IllegalArgumentException.class)
public void constructorWhenIssuedAtAfterExpiresAtThenThrowIllegalArgumentException() { public void constructorWhenIssuedAtAfterExpiresAtThenThrowIllegalArgumentException() {
new OAuth2AccessToken(TOKEN_TYPE, TOKEN_VALUE, Instant.from(EXPIRES_AT).plusSeconds(1), EXPIRES_AT); new OAuth2AccessToken(TOKEN_TYPE, TOKEN_VALUE, Instant.from(EXPIRES_AT).plusSeconds(1), EXPIRES_AT);

10
oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/OidcIdTokenTests.java
Unescape View File

@ -82,16 +82,6 @@ public class OidcIdTokenTests {
new OidcIdToken(null, Instant.ofEpochMilli(IAT_VALUE), Instant.ofEpochMilli(EXP_VALUE), CLAIMS); new OidcIdToken(null, Instant.ofEpochMilli(IAT_VALUE), Instant.ofEpochMilli(EXP_VALUE), CLAIMS);
} }
@Test(expected = IllegalArgumentException.class)
public void constructorWhenIssuedAtIsNullThenThrowIllegalArgumentException() {
new OidcIdToken(ID_TOKEN_VALUE, null, Instant.ofEpochMilli(EXP_VALUE), CLAIMS);
}
@Test(expected = IllegalArgumentException.class)
public void constructorWhenExpiresAtIsNullThenThrowIllegalArgumentException() {
new OidcIdToken(ID_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE), null, CLAIMS);
}
@Test(expected = IllegalArgumentException.class) @Test(expected = IllegalArgumentException.class)
public void constructorWhenClaimsIsEmptyThenThrowIllegalArgumentException() { public void constructorWhenClaimsIsEmptyThenThrowIllegalArgumentException() {
new OidcIdToken(ID_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE), new OidcIdToken(ID_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE),

2
oauth2/oauth2-jose/spring-security-oauth2-jose.gradle
Unescape View File

@ -5,4 +5,6 @@ dependencies {
compile project(':spring-security-oauth2-core') compile project(':spring-security-oauth2-core')
compile springCoreDependency compile springCoreDependency
compile 'com.nimbusds:nimbus-jose-jwt' compile 'com.nimbusds:nimbus-jose-jwt'
testCompile powerMock2Dependencies
} }

11
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupport.java
Unescape View File

@ -103,12 +103,15 @@ public final class NimbusJwtDecoderJwkSupport implements JwtDecoder {
// Verify the signature // Verify the signature
JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null); JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null);
Instant expiresAt = jwtClaimsSet.getExpirationTime().toInstant(); Instant expiresAt = null;
Instant issuedAt; if (jwtClaimsSet.getExpirationTime() != null) {
expiresAt = jwtClaimsSet.getExpirationTime().toInstant();
}
Instant issuedAt = null;
if (jwtClaimsSet.getIssueTime() != null) { if (jwtClaimsSet.getIssueTime() != null) {
issuedAt = jwtClaimsSet.getIssueTime().toInstant(); issuedAt = jwtClaimsSet.getIssueTime().toInstant();
} else { } else if (expiresAt != null) {
// issuedAt is required in AbstractOAuth2Token so let's default to expiresAt - 1 second // Default to expiresAt - 1 second
issuedAt = Instant.from(expiresAt).minusSeconds(1); issuedAt = Instant.from(expiresAt).minusSeconds(1);
} }

10
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTests.java
Unescape View File

@ -72,16 +72,6 @@ public class JwtTests {
new Jwt(null, Instant.ofEpochMilli(IAT_VALUE), Instant.ofEpochMilli(EXP_VALUE), HEADERS, CLAIMS); new Jwt(null, Instant.ofEpochMilli(IAT_VALUE), Instant.ofEpochMilli(EXP_VALUE), HEADERS, CLAIMS);
} }
@Test(expected = IllegalArgumentException.class)
public void constructorWhenIssuedAtIsNullThenThrowIllegalArgumentException() {
new Jwt(JWT_TOKEN_VALUE, null, Instant.ofEpochMilli(EXP_VALUE), HEADERS, CLAIMS);
}
@Test(expected = IllegalArgumentException.class)
public void constructorWhenExpiresAtIsNullThenThrowIllegalArgumentException() {
new Jwt(JWT_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE), null, HEADERS, CLAIMS);
}
@Test(expected = IllegalArgumentException.class) @Test(expected = IllegalArgumentException.class)
public void constructorWhenHeadersIsEmptyThenThrowIllegalArgumentException() { public void constructorWhenHeadersIsEmptyThenThrowIllegalArgumentException() {
new Jwt(JWT_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE), new Jwt(JWT_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE),

57
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupportTests.java
Unescape View File

@ -15,36 +15,77 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms; import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import static org.assertj.core.api.AssertionsForClassTypes.assertThatCode;
import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.mock;
import static org.powermock.api.mockito.PowerMockito.*;
/** /**
* Tests for {@link NimbusJwtDecoderJwkSupport}. * Tests for {@link NimbusJwtDecoderJwkSupport}.
* *
* @author Joe Grandja * @author Joe Grandja
*/ */
@RunWith(PowerMockRunner.class)
@PrepareForTest({NimbusJwtDecoderJwkSupport.class, JWTParser.class})
public class NimbusJwtDecoderJwkSupportTests { public class NimbusJwtDecoderJwkSupportTests {
private static final String JWK_SET_URL = "https://provider.com/oauth2/keys"; private static final String JWK_SET_URL = "https://provider.com/oauth2/keys";
private static final String JWS_ALGORITHM = JwsAlgorithms.RS256; private static final String JWS_ALGORITHM = JwsAlgorithms.RS256;
@Test(expected = IllegalArgumentException.class) @Test
public void constructorWhenJwkSetUrlIsNullThenThrowIllegalArgumentException() { public void constructorWhenJwkSetUrlIsNullThenThrowIllegalArgumentException() {
new NimbusJwtDecoderJwkSupport(null); assertThatThrownBy(() -> new NimbusJwtDecoderJwkSupport(null))
.isInstanceOf(IllegalArgumentException.class);
} }
@Test(expected = IllegalArgumentException.class) @Test
public void constructorWhenJwkSetUrlInvalidThenThrowIllegalArgumentException() { public void constructorWhenJwkSetUrlInvalidThenThrowIllegalArgumentException() {
new NimbusJwtDecoderJwkSupport("invalid.com"); assertThatThrownBy(() -> new NimbusJwtDecoderJwkSupport("invalid.com"))
.isInstanceOf(IllegalArgumentException.class);
} }
@Test(expected = IllegalArgumentException.class) @Test
public void constructorWhenJwsAlgorithmIsNullThenThrowIllegalArgumentException() { public void constructorWhenJwsAlgorithmIsNullThenThrowIllegalArgumentException() {
new NimbusJwtDecoderJwkSupport(JWK_SET_URL, null); assertThatThrownBy(() -> new NimbusJwtDecoderJwkSupport(JWK_SET_URL, null))
.isInstanceOf(IllegalArgumentException.class);
} }
@Test(expected = JwtException.class) @Test
public void decodeWhenJwtInvalidThenThrowJwtException() { public void decodeWhenJwtInvalidThenThrowJwtException() {
NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URL, JWS_ALGORITHM); NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URL, JWS_ALGORITHM);
jwtDecoder.decode("invalid"); assertThatThrownBy(() -> jwtDecoder.decode("invalid"))
.isInstanceOf(JwtException.class);
}
// gh-5168
@Test
public void decodeWhenExpClaimNullThenDoesNotThrowException() throws Exception {
JWT jwt = mock(JWT.class);
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.parse(JWS_ALGORITHM)).build();
when(jwt.getHeader()).thenReturn(header);
mockStatic(JWTParser.class);
when(JWTParser.parse(anyString())).thenReturn(jwt);
DefaultJWTProcessor jwtProcessor = mock(DefaultJWTProcessor.class);
whenNew(DefaultJWTProcessor.class).withAnyArguments().thenReturn(jwtProcessor);
JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder().audience("resource1").build();
when(jwtProcessor.process(any(JWT.class), eq(null))).thenReturn(jwtClaimsSet);
NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URL, JWS_ALGORITHM);
assertThatCode(() -> jwtDecoder.decode("encoded-jwt")).doesNotThrowAnyException();
} }
} }

Write Preview
Loading…
Cancel
Save