Add test coverage for jwt-auth module#4338
Merged
janhoy merged 3 commits intoapache:mainfrom Apr 26, 2026
Merged
Conversation
Increases test coverage for key resolution, issuer fallback, clock skew tolerance, scope handling, and JWK parsing — all using the existing jose4j API so tests pass on main before the nimbus migration is merged. New tests in JWTVerificationkeyResolverTest: - noIssRequireIssuerFalseSingleIssuerFallback: null iss + single issuer falls back - noIssRequireIssuerFalseMultipleIssuersThrows: null iss + multiple issuers → SolrException - issMismatchSingleIssuerBackCompatFallback: unrecognised iss + single issuer falls back - issMismatchMultipleIssuersThrows: unrecognised iss + multiple issuers → UnresolvableKeyException - ecKeyTypeMaterialisedCorrectly: EC key resolves as ECPublicKey New tests in JWTAuthPluginTest: - requireIssuerFalseButIssPresentAndMismatches: mismatched iss → JWT_VALIDATION_EXCEPTION - requireIssuerFalseNoIssInTokenOrConfig: absent iss + requireIss=false → authenticated - scopeClaimAsJsonArray: scope as JSON array is parsed and filtered correctly - tokenExpiredWithinClockSkewIsAuthenticated: exp=now-25s → authenticated (30s skew) - tokenExpiredBeyondClockSkewIsRejected: exp=now-35s → JWT_EXPIRED New test in JWTIssuerConfigTest: - parseJwkSetSingleBareJwk: bare JWK map (no "keys" wrapper) → JWKSet with 1 key
Contributor
There was a problem hiding this comment.
Pull request overview
Adds additional unit tests to improve branch/edge-case coverage in the jwt-auth module, helping reduce risk ahead of the planned JWT library migration in #4334.
Changes:
- Extend
JWTVerificationkeyResolverTestto cover issuer-selection edge cases (missing/unknowniss) and EC key materialization. - Extend
JWTAuthPluginTestto coverrequireIss=falsebehavior nuances,scopeclaim as JSON array, and clock-skew tolerance around expiry. - Extend
JWTIssuerConfigTestto cover parsing a single bare JWK map (no"keys"wrapper).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTVerificationkeyResolverTest.java | Adds resolver tests for missing/unknown issuer handling and EC key type resolution. |
| solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTIssuerConfigTest.java | Adds test for parseJwkSet bare single-JWK map branch. |
| solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java | Adds tests for requireIss=false semantics, scope-as-array parsing, and expiry clock-skew behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ew tests Avoids forbidden API (System#currentTimeMillis) flagged by forbiddenApisTest.
janhoy
added a commit
that referenced
this pull request
Apr 26, 2026
(cherry picked from commit a7056c0)
janhoy
added a commit
that referenced
this pull request
Apr 26, 2026
(cherry picked from commit a7056c0)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Used AI coding assistant to find gaps in test coverage for the jwt-auth module. With this PR we cover more code paths with tests. This makes us more prepared to migrate to a new JWT library in #4334 (which has the same tests added)