tvernum committed Aug 31, 2023
1 parent a1ca624 commit ed8f746
Showing 1 changed file with 17 additions and 18 deletions.
Expand Up @@ -80,6 +80,7 @@ public class JwtRestIT extends ESRestTestCase {
{"kty":"oct","kid":"test-hmac-512","k":"U4kMAa7tBwKOD4ggab4ZRGeHlFTILgNbescS1b5nambKJPmrB7QjeTryvfrE8zjYSvLxW2-tzFJUpk38a6FjPA"}
]}""".replaceAll("\\s", "");
public static final String HMAC_PASSPHRASE = "test-HMAC/secret passphrase-value";
private static final String VALID_SHARED_SECRET = "test-secret";

@ClassRule
public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
Expand All @@ -104,27 +105,25 @@ public class JwtRestIT extends ESRestTestCase {
.setting("xpack.security.http.ssl.certificate_authorities", "ca.crt")
.setting("xpack.security.http.ssl.client_authentication", "optional")
.settings(JwtRestIT::realmSettings)
.keystore("xpack.security.authc.realms.jwt.jwt2.client_authentication.shared_secret", "test-secret")
.keystore("xpack.security.authc.realms.jwt.jwt2.client_authentication.shared_secret", VALID_SHARED_SECRET)
.keystore("xpack.security.authc.realms.jwt.jwt2.hmac_key", HMAC_PASSPHRASE)
.keystore("xpack.security.authc.realms.jwt.jwt3.hmac_jwkset", HMAC_JWKSET)
.keystore("xpack.security.authc.realms.jwt.jwt3.client_authentication.shared_secret", "test-secret")
.keystore("xpack.security.authc.realms.jwt.jwt3.client_authentication.shared_secret", VALID_SHARED_SECRET)
.user("admin_user", "admin-password")
.user("test_file_user", "test-password", "viewer", false)
.build();

private static SetOnce<String> serviceSubject = new SetOnce<>();
private static final Optional<String> VALID_SHARED_SECRET = Optional.of("test-secret");
private static final SetOnce<String> SERVICE_SUBJECT = new SetOnce<>();
private static Path httpCertificateAuthority;
private TestSecurityClient adminSecurityClient;

private static Map<String, String> realmSettings(LocalClusterSpec.LocalNodeSpec localNodeSpec) {
final boolean explicitIdTokenType = randomBoolean();
serviceSubject.trySet("service_" + randomIntBetween(1, 9) + "@app" + randomIntBetween(1, 9) + ".example.com");
SERVICE_SUBJECT.trySet("service_" + randomIntBetween(1, 9) + "@app" + randomIntBetween(1, 9) + ".example.com");

final Map<String, String> settings = new HashMap<>();
settings.put("xpack.security.authc.realms.file.admin_file.order", "0");

// These realm settings are generated by JwtRealmGenerateTests
settings.put("xpack.security.authc.realms.jwt.jwt1.order", "1");
if (explicitIdTokenType) {
settings.put("xpack.security.authc.realms.jwt.jwt1.token_type", "id_token");
Expand All @@ -150,7 +149,7 @@ private static Map<String, String> realmSettings(LocalClusterSpec.LocalNodeSpec
settings.put("xpack.security.authc.realms.jwt.jwt2.fallback_claims.sub", "email");
settings.put("xpack.security.authc.realms.jwt.jwt2.fallback_claims.aud", "scope");
settings.put("xpack.security.authc.realms.jwt.jwt2.allowed_issuer", "my-issuer");
settings.put("xpack.security.authc.realms.jwt.jwt2.allowed_subjects", serviceSubject.get());
settings.put("xpack.security.authc.realms.jwt.jwt2.allowed_subjects", SERVICE_SUBJECT.get());
settings.put("xpack.security.authc.realms.jwt.jwt2.allowed_audiences", "es01,es02,es03");
settings.put("xpack.security.authc.realms.jwt.jwt2.allowed_signature_algorithms", "HS256,HS384");
// Both email or sub works because of fallback
Expand Down Expand Up @@ -394,15 +393,15 @@ public void testFailureOnNonMatchingRsaSignature() throws Exception {
* - uses a shared-secret for client authentication
*/
public void testAuthenticateWithHmacSignedJWTAndDelegatedAuthorization() throws Exception {
final String principal = serviceSubject.get();
final String principal = SERVICE_SUBJECT.get();
final String username = getUsernameFromPrincipal(principal);
final List<String> roles = randomRoles();
final String randomMetadata = randomAlphaOfLengthBetween(6, 18);
createUser(username, roles, Map.of("test_key", randomMetadata));

try {
final SignedJWT jwt = buildAndSignJwtForRealm2(principal);
final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(jwt, Optional.of(VALID_SHARED_SECRET));

final Map<String, Object> response = client.authenticate();

Expand All @@ -423,7 +422,7 @@ public void testAuthenticateWithHmacSignedJWTAndDelegatedAuthorization() throws
}

public void testFailureOnInvalidHMACSignature() throws Exception {
final String principal = serviceSubject.get();
final String principal = SERVICE_SUBJECT.get();
final String username = getUsernameFromPrincipal(principal);
final List<String> roles = randomRoles();
createUser(username, roles, Map.of());
Expand All @@ -434,13 +433,13 @@ public void testFailureOnInvalidHMACSignature() throws Exception {
{
// This is the correct HMAC passphrase (from build.gradle)
final SignedJWT jwt = signHmacJwt(claimsSet, HMAC_PASSPHRASE);
final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(jwt, Optional.of(VALID_SHARED_SECRET));
assertThat(client.authenticate(), hasEntry(User.Fields.USERNAME.getPreferredName(), username));
}
{
// This is not the correct HMAC passphrase
final SignedJWT invalidJwt = signHmacJwt(claimsSet, "invalid-HMAC-passphrase-" + randomAlphaOfLength(12));
final TestSecurityClient client = getSecurityClient(invalidJwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(invalidJwt, Optional.of(VALID_SHARED_SECRET));
// This fails because the HMAC is wrong
final ResponseException exception = expectThrows(ResponseException.class, client::authenticate);
assertThat(exception.getResponse(), hasStatusCode(RestStatus.UNAUTHORIZED));
Expand All @@ -452,7 +451,7 @@ public void testFailureOnInvalidHMACSignature() throws Exception {
}

public void testFailureOnRequiredClaims() throws JOSEException, IOException {
final String principal = serviceSubject.get();
final String principal = SERVICE_SUBJECT.get();
final String username = getUsernameFromPrincipal(principal);
final List<String> roles = randomRoles();
createUser(username, roles, Map.of());
Expand All @@ -465,7 +464,7 @@ public void testFailureOnRequiredClaims() throws JOSEException, IOException {
}
final JWTClaimsSet claimsSet = buildJwt(data, Instant.now(), false, false);
final SignedJWT jwt = signHmacJwt(claimsSet, "test-HMAC/secret passphrase-value");
final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(jwt, Optional.of(VALID_SHARED_SECRET));
final ResponseException exception = expectThrows(ResponseException.class, client::authenticate);
assertThat(exception.getResponse(), hasStatusCode(RestStatus.UNAUTHORIZED));
} finally {
Expand All @@ -474,10 +473,10 @@ public void testFailureOnRequiredClaims() throws JOSEException, IOException {
}

public void testAuthenticationFailureIfDelegatedAuthorizationFails() throws Exception {
final String principal = serviceSubject.get();
final String principal = SERVICE_SUBJECT.get();
final String username = getUsernameFromPrincipal(principal);
final SignedJWT jwt = buildAndSignJwtForRealm2(principal);
final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(jwt, Optional.of(VALID_SHARED_SECRET));

// This fails because we didn't create a native user
final ResponseException exception = expectThrows(ResponseException.class, client::authenticate);
Expand All @@ -493,7 +492,7 @@ public void testAuthenticationFailureIfDelegatedAuthorizationFails() throws Exce
}

public void testFailureOnInvalidClientAuthentication() throws Exception {
final String principal = serviceSubject.get();
final String principal = SERVICE_SUBJECT.get();
final String username = getUsernameFromPrincipal(principal);
final List<String> roles = randomRoles();
createUser(username, roles, Map.of());
Expand Down Expand Up @@ -522,7 +521,7 @@ public void testFailureOnInvalidClientAuthentication() throws Exception {
public void testAuthenticateWithHmacSignedJWTAndMissingRoleMapping() throws Exception {
final String principal = randomPrincipal();
final SignedJWT jwt = buildAndSignJwtForRealm3(principal);
final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
final TestSecurityClient client = getSecurityClient(jwt, Optional.of(VALID_SHARED_SECRET));

final Map<String, Object> response = client.authenticate();

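Review bot: testFailureOnRequiredClaims still signs its JWT with the string literal `"test-HMAC/secret passphrase-value"` (the line just above the changed `getSecurityClient` call in hunk `@@ -465,7 +464,7`), which duplicates the value of `HMAC_PASSPHRASE` declared near the top of the class; since this commit's purpose is to replace the inline `"test-secret"` literals with `VALID_SHARED_SECRET`, the same consolidation should apply here: `final SignedJWT jwt = signHmacJwt(claimsSet, HMAC_PASSPHRASE);`. A second copy of the signing key in the test makes it easy for the two to drift apart, at which point the test would assert UNAUTHORIZED for the wrong reason (a bad signature rather than the missing claims it is meant to exercise). The comment `// This is the correct HMAC passphrase (from build.gradle)` in testFailureOnInvalidHMACSignature also looks stale now that the constant lives in this class, though the build file is not visible here to confirm. Both enclosing methods start and end outside their hunks.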
