KNOX-3040 - Some followup minor fixes (#916)

gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java

@@ -115,12 +115,12 @@ public interface JWTMessages {
   @Message(level = MessageLevel.ERROR, text = "Error while fetching grant type and client secret from the request: {0}")
   void errorFetchingClientSecret(String errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
 
-  @Message( level = MessageLevel.INFO, text = "Token verification using provided PEM, verified: {0}" )
-  void publicKeyVerification(boolean verified);
+  @Message( level = MessageLevel.INFO, text = "Token verification result using provided PEM, verified: {0}" )
+  void pemVerificationResultMessage(boolean verified);
 
-  @Message( level = MessageLevel.INFO, text = "Token verification using provided JWKS Url, verified: {0}" )
-  void jwksVerification(boolean verified);
+  @Message( level = MessageLevel.INFO, text = "Token verification result using provided JWKS Url, verified: {0}" )
+  void jwksVerificationResultMessage(boolean verified);
 
-  @Message( level = MessageLevel.INFO, text = "Token verification using knox signing cert, verified: {0}" )
-  void signingKeyVerification(boolean verified);
+  @Message( level = MessageLevel.INFO, text = "Token verification result using knox signing cert, verified: {0}" )
+  void signingKeyVerificationResultMessage(boolean verified);
 }

gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java

@@ -513,17 +513,17 @@ protected boolean verifyTokenSignature(final JWT token) {
       try {
         if (publicKey != null) {
           verified = authority.verifyToken(token, publicKey);
-          log.publicKeyVerification(verified);
+          log.pemVerificationResultMessage(verified);
         }
 
         if (!verified && expectedJWKSUrl != null) {
           verified = authority.verifyToken(token, expectedJWKSUrl, expectedSigAlg, allowedJwsTypes);
-          log.jwksVerification(verified);
+          log.jwksVerificationResultMessage(verified);
         }
 
         if(!verified) {
           verified = authority.verifyToken(token);
-          log.signingKeyVerification(verified);
+          log.signingKeyVerificationResultMessage(verified);
         }
       } catch (TokenServiceException e) {
         log.unableToVerifyToken(e);

gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java

@@ -622,10 +622,10 @@ public void testSignatureVerificationChain() throws Exception {
       String failingPem = new String(encoder.encodeToString( data ).getBytes( StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
 
       props.put(getAudienceProperty(), "bar");
-      /* Add a failing PEN */
+      /* Add a failing PEM */
       props.put(getVerificationPemProperty(), failingPem);
 
-      /* This handler is setup with a publicKey, corresponding privateKey is used to sign tje JWT below */
+      /* This handler is setup with a publicKey, corresponding privateKey is used to sign the JWT below */
       handler.init(new TestFilterConfig(props));
 
       SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice",
@@ -654,6 +654,59 @@ public void testSignatureVerificationChain() throws Exception {
     }
   }
 
+  /**
+   * This will test the signature verification chain.
+   * Specifically the flow when provided PEM is not invalid and
+   * knox signing key is valid.
+   *
+   * NOTE: here valid means can validate JWT.
+   * @throws Exception
+   */
+  @Test
+  public void testSignatureVerificationChainWithPEMandSignature() throws Exception {
+    try {
+      Properties props = getProperties();
+      KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+      kpg.initialize(2048);
+
+      KeyPair KPair = kpg.generateKeyPair();
+      String dn = buildDistinguishedName(InetAddress.getLocalHost().getHostName());
+      Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair, 365, "SHA1withRSA");
+      byte[] data = cert.getEncoded();
+      Base64 encoder = new Base64( 76, "\n".getBytes( StandardCharsets.US_ASCII ) );
+      String failingPem = new String(encoder.encodeToString( data ).getBytes( StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
+
+      props.put(getAudienceProperty(), "bar");
+      props.put(getVerificationPemProperty(), failingPem);
+
+      handler.init(new TestFilterConfig(props));
+
+      SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice",
+              new Date(new Date().getTime() + TimeUnit.MINUTES.toMillis(10)), privateKey);
+
+      HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+      setTokenOnRequest(request, jwt);
+
+      EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
+      EasyMock.expect(request.getPathInfo()).andReturn("resource").anyTimes();
+      EasyMock.expect(request.getQueryString()).andReturn(null);
+      HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+      EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(SERVICE_URL);
+      EasyMock.expect(response.getOutputStream()).andAnswer(DummyServletOutputStream::new).anyTimes();
+      EasyMock.replay(request, response);
+
+      TestFilterChain chain = new TestFilterChain();
+      handler.doFilter(request, response, chain);
+
+      Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
+      Assert.assertFalse("No PrimaryPrincipal", principals.isEmpty());
+      Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
+
+    } catch (ServletException se) {
+      fail("Should NOT have thrown a ServletException.");
+    }
+  }
+
   @Test
   public void testInvalidIssuer() throws Exception {
     try {