SOLR-15423 JWTAuthPlugin support for custom truststore #139
Conversation
Signed-off-by: Jan Høydahl <jan.git@cominvent.com>
…erts to trust when talking to IdPs Signed-off-by: Jan Høydahl <jan.git@cominvent.com>
Signed-off-by: Jan Høydahl <jan.git@cominvent.com>
|
Feedback welcome. I could not think of a good way to actually test that the certificates are used (do we have a mock HTTPS server somewhere?). |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
solr/core/src/java/org/apache/solr/security/JWTIssuerConfig.java
Outdated
Show resolved
Hide resolved
|
Committed latest changes. Please resolve outstanding conversations if you're happy. Still would like some integration test to check the actual certificate usage. Think I'll try to spin up a MockIdp listening on some SSL socket... |
|
I'm trying to integrate https://github.com/navikt/mock-oauth2-server into the tests (actually open-sourced by a Norwegian government entity). Quite simple, you initialize a If this ends up working, we can also add several other end-to-end integration tests for JWT auth (in separate issues). |
|
I just integrated mock-oauth2-server, and finally was able to verify that you can configure JWTAuthPlugin with a PEM file and it is accepted by the mock server. Still have some cleanup to do
|
solr/core/src/test/org/apache/solr/security/JWTAuthPluginIntegrationTest.java
Outdated
Show resolved
Hide resolved
Add negative test
…jcip, content-type, lang-tag, numbus-jose-jwt, okhttp, freemarker, okio, mockwebserver, oauth2-oidc-sdk
|
I have now addressed my two points
I have also added license and sha files for all new test dependencies and made precommit pass. |
solr/core/src/java/org/apache/solr/security/JWTVerificationkeyResolver.java
Outdated
Show resolved
Hide resolved
solr/core/src/test/org/apache/solr/security/JWTAuthPluginIntegrationTest.java
Outdated
Show resolved
Hide resolved
| public void infoRequestWithoutToken() throws Exception { | ||
| get(baseUrl + "/admin/info/system", null); | ||
| @Test | ||
| public void extractCertificateFromPem() throws IOException { |
There was a problem hiding this comment.
Can we have a test where the pen file or directly supplied string is improperly formatted? I'd like to see what kind of error message users can expect in that case (and maybe we should document that, because I suspect it will be cryptic otherwise)
There was a problem hiding this comment.
I added two tests to JWTAuthPluginTest, verifying that init() fails. No need for integration test of all these?
If you load a security.json to ZK with bogous trustedCertsFile or trustedCerts (or other config) while Solr is running, the JWT plugin init() will throw and exception and auth will not be enabled/changed. Here are log messages you can expect to see prior to exception:
Reading trustedCerts from file {}
or
Reading trustedCerts PEM from configuration string
In the exception stacktrace itself you'll see either
Wrong type of certificates. Must be DER or PEM format
or
Failed loading certificate(s) from input stream
If you start Solr from scratch with a bogous config, I think the server will fail during CoreContainer init and not start at all. The fact that users need to monitor Solr logs when pushing new security.json is unfortunate. It is easy to make mistakes when automating this with scripts. You may start Solr, then apply security.json which fails, and then you have an unsecured cluster without even knowing :(
|
https://issues.apache.org/jira/browse/SOLR-15423