
fix fwd client cert bug with a missing cert header in HybridJwtDecoder(
…#1524)

Signed-off-by: liga-oz <liga.ozolina@sap.com>
liga-oz authored Apr 25, 2024
1 parent fec6ff2 commit a19a1e7
Showing 3 changed files with 35 additions and 2 deletions.
@@ -56,7 +56,7 @@ public Jwt decode(String encodedToken) {

if (servletRequestAttributes != null) {
HttpServletRequest request = servletRequestAttributes.getRequest();
String clientCert = String.valueOf(request.getHeader(FWD_CLIENT_CERT_HEADER));
String clientCert = request.getHeader(FWD_CLIENT_CERT_HEADER);
if (clientCert != null) {
SecurityContext.setClientCertificate(X509Certificate.newCertificate(clientCert));
}
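Review bot: When the forwarded-certificate header is absent, the new `if (clientCert != null)` branch leaves whatever certificate `SecurityContext` already holds untouched, so a value set while handling an earlier request could still be visible during this one if that context is kept per thread and the thread is reused (the storage is not visible in this hunk, so please confirm). The previous `String.valueOf(...)` form always reached `setClientCertificate`, so this is a behaviour change beyond avoiding the parse of the literal "null". Consider an explicit reset such as `else { SecurityContext.setClientCertificate(null); }`, provided the setter accepts null. A comment on the header read would also help, stating that the value is only trustworthy when a trusted proxy in front of the application sets or overwrites it, since nothing in this hunk distinguishes it from a client-supplied header. The body of `decode` starts and ends outside this hunk.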
@@ -5,16 +5,22 @@
*/
package com.sap.cloud.security.spring.token.authentication;

import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.read.ListAppender;
import com.sap.cloud.security.test.JwtGenerator;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenClaims;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.x509.X509Certificate;
import org.apache.commons.io.IOUtils;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.slf4j.LoggerFactory;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
@@ -74,6 +80,21 @@ void decodeIasTokenWithProofToken() throws IOException {
assertNotNull(SecurityContext.getClientCertificate());
}

@Test
void decodeIasTokenWithoutFwdCert() {
ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
Logger logger = (Logger) LoggerFactory.getLogger(X509Certificate.class);
listAppender.start();
logger.addAppender(listAppender);
MockHttpServletRequest request = new MockHttpServletRequest();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));

String encodedToken = jwtGenerator.createToken().getTokenValue();
cut.decode(encodedToken);
Assertions.assertThat(listAppender.list).isEmpty();
listAppender.stop();
}

@Test
void decodeXsuaaTokenWithoutValidators() {
String encodedToken = JwtGenerator.getInstance(XSUAA, "theClientId").createToken().getTokenValue();
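Review bot: `decodeIasTokenWithoutFwdCert` asserts only that the `X509Certificate` logger stayed silent; it never checks the security-relevant outcome, namely that no client certificate ends up in `SecurityContext` when the header is missing. An added null check on `SecurityContext.getClientCertificate()` would pin that, and would also expose state left behind by `decodeIasTokenWithProofToken` unless the setup method (not visible here) clears it. The test also leaves global state behind: the appender is never detached from the logger, the request attributes are never reset, and `listAppender.stop()` is skipped when an assertion fails, so the body is better wrapped in `try`/`finally`. The sketch below assumes JUnit's `assertNull` is statically imported like the `assertNotNull` already used in this file. The same applies to the copy of this test in the third file section.

```java
void decodeIasTokenWithoutFwdCert() {
	// … unchanged: ListAppender and MockHttpServletRequest setup …
	try {
		String encodedToken = jwtGenerator.createToken().getTokenValue();
		cut.decode(encodedToken);
		Assertions.assertThat(listAppender.list).isEmpty();
		assertNull(SecurityContext.getClientCertificate());
	} finally {
		logger.detachAppender(listAppender);
		listAppender.stop();
		RequestContextHolder.resetRequestAttributes();
	}
}
```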
@@ -5,16 +5,22 @@
*/
package com.sap.cloud.security.spring.token.authentication;

import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.read.ListAppender;
import com.sap.cloud.security.test.JwtGenerator;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenClaims;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.x509.X509Certificate;
import org.apache.commons.io.IOUtils;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.slf4j.LoggerFactory;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
@@ -75,11 +81,17 @@ void decodeIasTokenWithProofToken() throws IOException {

@Test
void decodeIasTokenWithoutFwdCert() {
ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
Logger logger = (Logger) LoggerFactory.getLogger(X509Certificate.class);
listAppender.start();
logger.addAppender(listAppender);
MockHttpServletRequest request = new MockHttpServletRequest();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));

String encodedToken = jwtGenerator.createToken().getTokenValue();
assertEquals("theClientId", cut.decode(encodedToken).getClaim(TokenClaims.AUTHORIZATION_PARTY));
cut.decode(encodedToken);
Assertions.assertThat(listAppender.list).isEmpty();
listAppender.stop();
}

@Test
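Review bot: The hunk's line counts (11 old, 17 new) mean one existing line was dropped from `decodeIasTokenWithoutFwdCert`, and it appears to be `assertEquals("theClientId", cut.decode(encodedToken).getClaim(TokenClaims.AUTHORIZATION_PARTY));`, so the test no longer checks anything about the decoded token. Keeping that assertion next to the new log check preserves the coverage that a token arriving without a forwarded certificate still decodes to the expected authorized party. For example, assign `Jwt jwt = cut.decode(encodedToken);` and keep `assertEquals("theClientId", jwt.getClaim(TokenClaims.AUTHORIZATION_PARTY));` before the `listAppender.list` assertion.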