fix crash when key id not found, fix failing tests

Author: zvonand

src/Access/TokenProcessorsJWT.cpp

@@ -322,6 +322,12 @@ bool JwksJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const
         return false;
     }
 
+    if (!decoded_jwt.has_key_id())
+    {
+        LOG_ERROR(getLogger("TokenAuthentication"), "{}: 'kid' (key ID) claim not found in token", processor_name);
+        return false;
+    }
+
     auto jwk = provider->getJWKS().get_jwk(decoded_jwt.get_key_id());
     auto username = decoded_jwt.get_payload_claim(username_claim).as_string();
 

tests/integration/test_jwt_auth/configs/validators.xml

@@ -1,24 +1,23 @@
 <clickhouse>
-    <jwt_validators>
+    <token_processors>
 
-        <single_key_validator>
+        <single_key_processor>
+            <type>jwt</type>
             <algo>HS256</algo>
             <static_key>my_secret</static_key>
             <static_key_in_base64>false</static_key_in_base64>
-        </single_key_validator>
+        </single_key_processor>
 
-        <another_single_key_validator>
+        <another_single_key_processor>
+            <type>jwt</type>
             <algo>hs256</algo>
             <static_key>other_secret</static_key>
             <static_key_in_base64>false</static_key_in_base64>
-        </another_single_key_validator>
+        </another_single_key_processor>
 
-        <static_jwks_validator>
-            <static_jwks>{"keys": [{"kty": "RSA", "alg": "rs256", "kid": "mykid", "n": "lICGC8S5pObyASih5qfmwuclG0oKsbzY2z9vgwqyhTYQOWcqYcTjVV4aQ30qb6E0-5W6rJ-jx9zx6GuAEGMiG_aWJEdbUAMGp-L1kz4lrw5U6GlwoZIvk4wqoRwsiyc-mnDMQAmiZLBNyt3wU6YnKgYmb4O1cSzcZ5HMbImJpj4tpYjqnIazvYMn_9Pxjkl0ezLCr52av0UkWHro1H4QMVfuEoNmHuWPww9jgHn-I-La0xdOhRpAa0XnJi65dXZd4330uWjeJwt413yz881uS4n1OLOGKG8ImDcNlwU_guyvk0n0aqT0zkOAPp9_yYo13MPWmiRCfOX8ozdN7VDIJw", "e": "AQAB"}]}</static_jwks>
-        </static_jwks_validator>
-
-        <jwks_server>
-            <uri>http://resolver:8080/.well-known/jwks.json</uri>
-        </jwks_server>
-    </jwt_validators>
+        <remote_jwks_processor>
+            <type>jwt</type>
+            <jwks_uri>http://resolver:8080/.well-known/jwks.json</jwks_uri>
+        </remote_jwks_processor>
+    </token_processors>
 </clickhouse>

tests/integration/test_jwt_auth/test.py

@@ -63,25 +63,6 @@ def test_static_key(started_cluster):
     assert res == "jwt_user\n"
 
 
-def test_static_jwks(started_cluster):
-    res = client.exec_in_container(
-        [
-            "bash",
-            "-c",
-            curl_with_jwt(
-                token="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Im15a2lkIn0."
-                "eyJzdWIiOiJqd3RfdXNlciIsImlzcyI6InRlc3RfaXNzIn0."
-                "CUioyRc_ms75YWkUwvPgLvaVk2Wmj8RzgqDALVd9LWUzCL5aU4yc_YaA3qnG_NoHd0uUF4FUjLxiocRoKNEgsE2jj7g_"
-                "wFMC5XHSHuFlfIZjovObXQEwGcKpXO2ser7ANu3k2jBC2FMpLfr_sZZ_GYSnqbp2WF6-l0uVQ0AHVwOy4x1Xkawiubkg"
-                "W2I2IosaEqT8QNuvvFWLWc1k-dgiNp8k6P-K4D4NBQub0rFlV0n7AEKNdV-_AEzaY_IqQT0sDeBSew_mdR0OH_N-6-"
-                "FmWWIroIn2DQ7pq93BkI7xdkqnxtt8RCWkCG8JLcoeJt8sHh7uTKi767loZJcPPNaxKA",
-                ip=cluster.get_instance_ip(instance.name),
-            ),
-        ]
-    )
-    assert res == "jwt_user\n"
-
-
 def test_jwks_server(started_cluster):
     res = client.exec_in_container(
         [