From 6bbba5619914bfb3b4f41d56b1aaa73ffed5b5d3 Mon Sep 17 00:00:00 2001 From: Thijs Lemmens Date: Fri, 26 Jul 2024 14:03:31 +0200 Subject: [PATCH] ACC-1512 Cleanup Exception handling, handling sonar remarks
--- .../security/jwt/issuer/JwtClaimsSigner.java | 3 +- .../PropertiesBasedJwtClaimsSigner.java | 33 ++++++++----------- .../security/jwt/issuer/SignedJwtIssuer.java | 8 +---- .../jwk/source/FilebasedJWKSetSource.java | 2 +- .../jwt/SingleKeyJwtClaimsSigner.java | 3 +- 5 files changed, 18 insertions(+), 31 deletions(-)
diff --git a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/JwtClaimsSigner.java b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/JwtClaimsSigner.java
index a782c8c0..84c32233 100644
--- a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/JwtClaimsSigner.java
+++ b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/JwtClaimsSigner.java
@@ -1,11 +1,10 @@ package com.contentgrid.gateway.security.jwt.issuer;
-import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; public interface JwtClaimsSigner { JWKSet getSigningKeys();
- SignedJWT sign(JWTClaimsSet jwtClaimsSet) throws JOSEException;
+ SignedJWT sign(JWTClaimsSet jwtClaimsSet); }
diff --git a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/PropertiesBasedJwtClaimsSigner.java b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/PropertiesBasedJwtClaimsSigner.java
index 0eeb52f2..ea41a8c2 100644
--- a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/PropertiesBasedJwtClaimsSigner.java
+++ b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/PropertiesBasedJwtClaimsSigner.java
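Review bot: Removing `throws JOSEException` from `JwtClaimsSigner.sign` without declaring a replacement leaves the contract silent on signing failures, while both implementations in this patch use `@SneakyThrows`, so the checked `JOSEException` still escapes undeclared and a caller can no longer write `catch (JOSEException e)` (the compiler rejects catching an undeclared checked exception). Document the failure mode on the interface, e.g. `/** Signs the claims with one of the active keys. @throws IllegalStateException if no active key can sign; implementations rethrow JOSE failures unchecked. */`, or better, define one unchecked exception type and have implementations wrap `JOSEException` in it. `getSigningKeys()` would also benefit from a one-line Javadoc saying which keys it returns (presumably the set to publish as a JWKS for verification; confirm against its implementations).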
@@ -6,41 +6,29 @@ import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSSigner; import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
-import com.nimbusds.jose.jwk.ECKey; import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWKMatcher; import com.nimbusds.jose.jwk.JWKSelector; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.KeyUse;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.jwk.source.CachingJWKSetSource;
-import com.nimbusds.jose.jwk.source.JWKSetSource; import com.nimbusds.jose.jwk.source.JWKSource;
-import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
-import com.nimbusds.jose.jwk.source.URLBasedJWKSetSource; import com.nimbusds.jose.proc.SecurityContext; import com.nimbusds.jose.proc.SimpleSecurityContext; import com.nimbusds.jose.produce.JWSSignerFactory; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT;
-import java.nio.charset.StandardCharsets;
-import java.time.Instant; import java.util.ArrayList;
-import java.util.Arrays; import java.util.Collections; import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Random; import java.util.Set;
-import java.util.stream.Stream; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.support.ResourcePatternResolver; import org.springframework.util.ConcurrentLruCache;
+ @RequiredArgsConstructor public class PropertiesBasedJwtClaimsSigner implements JwtClaimsSigner {
@@ -55,8 +43,11 @@ public PropertiesBasedJwtClaimsSigner(JWKSource jwkSource, Set< } public interface JwtClaimsSignerProperties {
+ String getActiveKeys();
+ String getRetiredKeys();
+ Set getAlgorithms(); }
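Review bot: The new `getActiveKeys()`, `getRetiredKeys()` and `getAlgorithms()` accessors carry no Javadoc, so the security-relevant difference between active and retired keys is only implied by their names. Add a sentence to each, e.g. `/** Locations of the keys used to sign newly issued tokens. */` on `getActiveKeys()` and `/** Locations of keys no longer used for signing but still published so previously issued tokens keep verifying. */` on `getRetiredKeys()`, adjusting the wording if the implementation treats them differently, and state the accepted value format (single path, glob pattern, comma-separated list), which is not visible in this patch. `getAlgorithms()` is shown here as a raw `Set`; if the type argument was not simply stripped from this rendering, declare it as `Set<JWSAlgorithm>`, matching the `supportedJWSAlgorithms()::contains` filter used in `sign`.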
@@ -74,7 +65,8 @@ public JWKSet getSigningKeys() { } @Override
- public SignedJWT sign(JWTClaimsSet jwtClaimsSet) throws JOSEException {
+ @SneakyThrows
+ public SignedJWT sign(JWTClaimsSet jwtClaimsSet) { var jwks = new ArrayList<>(getAllSigningKeys()); Collections.shuffle(jwks, this.random); // Randomly shuffle our active keys, so we pick an arbitrary one first
@@ -93,7 +85,7 @@ public SignedJWT sign(JWTClaimsSet jwtClaimsSet) throws JOSEException { .stream() .filter(selectedSigner.supportedJWSAlgorithms()::contains) .findFirst();
- if(firstSupportedAlgorithm.isEmpty()) {
+ if (firstSupportedAlgorithm.isEmpty()) { // Signer does not support any of the signing algorithms; continue to a next key continue; }
@@ -106,15 +98,16 @@ public SignedJWT sign(JWTClaimsSet jwtClaimsSet) throws JOSEException { signedJwt.sign(selectedSigner); return signedJwt; }
- throw new IllegalStateException("No active signing keys support any of the configured algorithms (%s); algorithms that can be used by these keys are %s".formatted(
- algorithms,
- algorithmsSupportedByKeys
- ));
+ throw new IllegalStateException(
+ "No active signing keys support any of the configured algorithms (%s); algorithms that can be used by these keys are %s".formatted(
+ algorithms,
+ algorithmsSupportedByKeys
+ )); } private ConcurrentLruCache signerCache;
- private JWSSigner getJwsSigner(JWK jwk) throws JOSEException {
+ private JWSSigner getJwsSigner(JWK jwk) { if (signerCache == null) { signerCache = new ConcurrentLruCache<>(100, key -> {
diff --git a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/SignedJwtIssuer.java b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/SignedJwtIssuer.java
index 24d3ee13..1b3cc3b5 100644
--- a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/SignedJwtIssuer.java
+++ b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/SignedJwtIssuer.java
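Review bot: `@SneakyThrows` on `sign` makes the `JOSEException` raised by `signedJwt.sign(selectedSigner)` later in this method escape as an undeclared checked exception, with no indication of which key failed and no way for callers to catch it by type. Wrap it explicitly instead and keep the cause: `try { signedJwt.sign(selectedSigner); } catch (JOSEException e) { throw new IllegalStateException("Failed to sign JWT with key " + keyId, e); }` where `keyId` is the kid of the JWK chosen in the loop, putting only the key id, never key material, in the message. This keeps the fail-closed behaviour (no token is issued) while giving operators a diagnosable error and lets `@SneakyThrows` go; the body of `sign` continues outside this hunk.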
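Review bot: The lazy initialisation `if (signerCache == null) { signerCache = new ConcurrentLruCache<>(100, key -> {` is not thread-safe: `sign` is invoked from the reactive issue pipeline, and two first calls racing on a plain non-volatile field can each build a cache and may observe the other's instance before its construction is fully published. The cache depends only on a constant capacity and a generator, so initialise the field once at its declaration, `private final ConcurrentLruCache<JWK, JWSSigner> signerCache = new ConcurrentLruCache<>(100, key -> ...);` (or in the constructor), and drop the null check. The generator lambda and the rest of `getJwsSigner` continue outside this hunk; whatever it does with the `JOSEException` from the signer factory that the removed `throws` clause used to declare, prefer wrapping it with the cause preserved over sneaking it. The `IllegalStateException` message above lists only algorithm names, which is fine to surface in logs.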
@@ -47,13 +47,7 @@ public Mono issueSubstitutionToken(ServerWebExchange exchange) { } return Mono.empty(); })
- .flatMap(claims -> {
- try {
- return Mono.just(claimsSigner.sign(claims));
- } catch (JOSEException e) {
- return Mono.error(e);
- }
- })
+ .flatMap(claims -> Mono.just(claimsSigner.sign(claims))) .flatMap(signedJwt -> { try { var signedJwtClaims = signedJwt.getJWTClaimsSet().getClaims();
diff --git a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/jwk/source/FilebasedJWKSetSource.java b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/jwk/source/FilebasedJWKSetSource.java
index 29da0bcc..1c5f3af6 100644
--- a/src/main/java/com/contentgrid/gateway/security/jwt/issuer/jwk/source/FilebasedJWKSetSource.java
+++ b/src/main/java/com/contentgrid/gateway/security/jwt/issuer/jwk/source/FilebasedJWKSetSource.java
@@ -103,6 +103,6 @@ private static JWK createFromSigningKey(Resource resource, Date expirationTime) @Override public void close() throws IOException {
-
+ // Nothing to close } }
diff --git a/src/testFixtures/java/com/contentgrid/gateway/test/security/jwt/SingleKeyJwtClaimsSigner.java b/src/testFixtures/java/com/contentgrid/gateway/test/security/jwt/SingleKeyJwtClaimsSigner.java
index 69953c84..7b488b8e 100644
--- a/src/testFixtures/java/com/contentgrid/gateway/test/security/jwt/SingleKeyJwtClaimsSigner.java
+++ b/src/testFixtures/java/com/contentgrid/gateway/test/security/jwt/SingleKeyJwtClaimsSigner.java
@@ -46,7 +46,8 @@ public JWKSet getSigningKeys() { } @Override
- public SignedJWT sign(JWTClaimsSet jwtClaimsSet) throws JOSEException {
+ @SneakyThrows
+ public SignedJWT sign(JWTClaimsSet jwtClaimsSet) { var jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), jwtClaimsSet); jwt.sign(new DefaultJWSSignerFactory().createJWSSigner(key)); return jwt;
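Review bot: `.flatMap(claims -> Mono.just(claimsSigner.sign(claims)))` runs `sign` eagerly inside the mapper and relies on `sign` sneaking its checked `JOSEException`; Reactor turns an exception thrown by the mapper into an `onError` signal, so this roughly matches the removed `Mono.error(e)` branch, but it is the less idiomatic form. `Mono.fromCallable(() -> claimsSigner.sign(claims))` is the better fit: a `Callable` may throw checked exceptions, signing is deferred until subscription, and `JwtClaimsSigner.sign` could keep an honest `throws` clause instead of `@SneakyThrows`. Either way, confirm that the error path of this pipeline is handled at the filter boundary so a signing failure produces a 5xx without echoing the exception message to the client; `issueSubstitutionToken` starts and ends outside this hunk.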