feat: Remove XSUAA binding dependency from destination retrieval flow (#5879)

Author: KavithaSiva

.changeset/early-rocks-dip.md

@@ -0,0 +1,5 @@
+---
+'@sap-cloud-sdk/connectivity': minor
+---
+
+[Compatibility Note] The `getDestinationFromDestinationService()` function no longer verifies the incoming XSUAA JWT against the application's bound XSUAA instance. Consequently, the `cacheVerificationKeys` option is now deprecated and has no effect.

.changeset/early-rocks-work.md

@@ -0,0 +1,5 @@
+---
+'@sap-cloud-sdk/connectivity': minor
+---
+
+[Improvement] Remove dependency on XSUAA service binding while retrieving destinations using `getDestinationFromDestinationService()` and `getAllDestinationsFromDestinationService()` functions.

packages/connectivity/src/scp-cf/destination/destination-accessor-authentication-type.spec.ts

@@ -11,8 +11,7 @@ import {
 } from '../../../../../test-resources/test/test-util/token-accessor-mocks';
 import {
   mockFetchDestinationCalls,
-  mockFetchDestinationCallsNotFound,
-  mockVerifyJwt
+  mockFetchDestinationCallsNotFound
 } from '../../../../../test-resources/test/test-util/destination-service-mocks';
 import {
   onlyIssuerServiceToken,
@@ -48,7 +47,6 @@ import {
 describe('authentication types', () => {
   beforeEach(() => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
   });
 
@@ -412,7 +410,6 @@ describe('authentication types', () => {
 
     it('returns a destination without authTokens if its authenticationType is Basic', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       const serviceTokenSpy = mockServiceToken();
 
       const httpMocks = mockFetchDestinationCalls(basicMultipleResponse[0], {
@@ -500,7 +497,6 @@ describe('authentication types', () => {
 
   it('works for onPremise Basic and issuer JWT', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
 
     const httpMocks = mockFetchDestinationCalls(

packages/connectivity/src/scp-cf/destination/destination-accessor-failure-cases.spec.ts

@@ -14,8 +14,7 @@ import {
   mockFetchDestinationCalls,
   mockFetchDestinationCallsNotFound,
   mockInstanceDestinationsCall,
-  mockSubaccountDestinationsCall,
-  mockVerifyJwt
+  mockSubaccountDestinationsCall
 } from '../../../../../test-resources/test/test-util/destination-service-mocks';
 import {
   basicMultipleResponse,
@@ -33,8 +32,6 @@ describe('Failure cases', () => {
       xsuaa: [xsuaaBindingMock]
     });
 
-    mockVerifyJwt();
-
     await expect(
       getDestination({
         destinationName,
@@ -48,8 +45,6 @@ describe('Failure cases', () => {
 
   it('throws an error when the provide userJwt is invalid', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
-
     await expect(
       getDestination({
         destinationName,
@@ -63,9 +58,7 @@ describe('Failure cases', () => {
 
   it('throws an error if the subaccount/instance destinations call fails', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
-
     const httpMocks = [
       mockInstanceDestinationsCall(
         {
@@ -96,7 +89,6 @@ describe('Failure cases', () => {
 
   it('returns an error if the single destination call fails for OAuth2SAMLBearerAssertion destinations', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
     mockJwtBearerToken();
 
@@ -130,7 +122,6 @@ describe('Failure cases', () => {
 
   it('returns null if no destinations are found', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
 
     const httpMocks = [
@@ -152,9 +143,7 @@ describe('Failure cases', () => {
 
   it('should throw an error when neither userJwt nor SystemUser are defined', async () => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
-
     const [httpMock] = mockFetchDestinationCalls(oauthMultipleResponse[0], {
       mockWithTokenRetrievalCall: false
     });

packages/connectivity/src/scp-cf/destination/destination-accessor-provider-subscriber-lookup.spec.ts

@@ -4,8 +4,7 @@ import {
   mockFetchDestinationCalls,
   mockFetchDestinationCallsNotFound,
   mockInstanceDestinationsCall,
-  mockSubaccountDestinationsCall,
-  mockVerifyJwt
+  mockSubaccountDestinationsCall
 } from '../../../../../test-resources/test/test-util/destination-service-mocks';
 import {
   destinationServiceUri,
@@ -26,7 +25,7 @@ import {
   subscriberUserToken
 } from '../../../../../test-resources/test/test-util/mocked-access-tokens';
 import { mockServiceToken } from '../../../../../test-resources/test/test-util/token-accessor-mocks';
-import * as identityService from '../identity-service';
+import * as tokenAccessor from '../token-accessor';
 import { decodeJwt } from '../jwt';
 import { parseDestination } from './destination';
 import {
@@ -166,7 +165,6 @@ function assertMockUsed(mock: nock.Scope, used: boolean) {
 describe('JWT type and selection strategies', () => {
   beforeEach(() => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
   });
 
@@ -256,7 +254,7 @@ describe('JWT type and selection strategies', () => {
       mockServiceToken();
 
       jest
-        .spyOn(identityService, 'exchangeToken')
+        .spyOn(tokenAccessor, 'jwtBearerToken')
         .mockImplementationOnce(() => Promise.resolve(subscriberUserToken));
 
       mockFetchDestinationCalls(samlAssertionMultipleResponse[0], {
@@ -334,7 +332,6 @@ describe('JWT type and selection strategies', () => {
 describe('call getAllDestinations with and without subscriber token', () => {
   beforeEach(() => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
     destinationServiceCache.clear();
   });

packages/connectivity/src/scp-cf/destination/destination-accessor-proxy-configuration.spec.ts

@@ -11,7 +11,6 @@ import {
 } from '../../../../../test-resources/test/test-util/token-accessor-mocks';
 import {
   mockCertificateCall,
-  mockVerifyJwt,
   mockFetchDestinationCalls
 } from '../../../../../test-resources/test/test-util/destination-service-mocks';
 import {
@@ -34,7 +33,6 @@ import type { Destination } from './destination-service-types';
 describe('proxy configuration', () => {
   beforeEach(() => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
   });
 
@@ -88,7 +86,6 @@ describe('proxy configuration', () => {
 describe('get destination with PrivateLink proxy type', () => {
   beforeEach(() => {
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
     mockJwtBearerToken();
 
@@ -171,7 +168,6 @@ describe('truststore configuration', () => {
     };
     mockCertificateCall('my-cert.pem', providerServiceToken, 'subaccount');
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
     mockJwtBearerToken();
 

packages/connectivity/src/scp-cf/destination/destination-accessor.ts

@@ -1,7 +1,8 @@
 import { createLogger, ErrorWithCause } from '@sap-cloud-sdk/util';
-import { exchangeToken, shouldExchangeToken } from '../identity-service';
+import { shouldExchangeToken } from '../identity-service';
 import { getDestinationServiceCredentials } from '../environment-accessor';
 import { getSubdomain } from '../jwt';
+import { jwtBearerToken } from '../token-accessor';
 import { sanitizeDestination, toDestinationNameUrl } from './destination';
 import { searchEnvVariablesForDestination } from './destination-from-env';
 import { searchServiceBindingForDestination } from './destination-from-vcap';
@@ -130,7 +131,8 @@ export async function getAllDestinationsFromDestinationService(
     'Attempting to retrieve all destinations from destination service.'
   );
   if (shouldExchangeToken(options) && options.jwt) {
-    options.jwt = await exchangeToken(options.jwt);
+    // Exchange the IAS token to a XSUAA token using the destination service credentials
+    options.jwt = await jwtBearerToken(options.jwt, 'destination');
   }
 
   const token =

packages/connectivity/src/scp-cf/destination/destination-cache.spec.ts

@@ -3,8 +3,7 @@ import nock from 'nock';
 import { decodeJwt } from '../jwt';
 import {
   mockFetchDestinationCalls,
-  mockFetchDestinationCallsNotFound,
-  mockVerifyJwt
+  mockFetchDestinationCallsNotFound
 } from '../../../../../test-resources/test/test-util/destination-service-mocks';
 import {
   connectivityProxyConfigMock,
@@ -120,7 +119,6 @@ describe('destination cache', () => {
 
   describe('caching', () => {
     beforeEach(() => {
-      mockVerifyJwt();
       mockServiceBindings();
       mockServiceToken();
 
@@ -234,7 +232,6 @@ describe('destination cache', () => {
     });
 
     it('caches only subscriber if selection strategy always subscriber', async () => {
-      mockVerifyJwt();
       await getDestination({
         destinationName: 'SubscriberDest',
         jwt: subscriberUserToken,
@@ -251,7 +248,6 @@ describe('destination cache', () => {
     });
 
     it('caches nothing if the destination is not found', async () => {
-      mockVerifyJwt();
       mockFetchDestinationCallsNotFound('ANY', {
         serviceToken: subscriberServiceToken,
         mockWithTokenRetrievalCall: false
@@ -273,7 +269,6 @@ describe('destination cache', () => {
     });
 
     it('caches only the found destination not other ones received from the service', async () => {
-      mockVerifyJwt();
       await getDestination({
         destinationName: 'SubscriberDest2',
         jwt: subscriberUserToken,
@@ -305,7 +300,6 @@ describe('destination cache', () => {
     beforeEach(() => {
       mockServiceBindings({ xsuaaBinding: false });
       mockServiceToken();
-      mockVerifyJwt();
     });
 
     const destName = destinationOne.name!;
@@ -414,7 +408,6 @@ describe('destination cache', () => {
   describe('caching of destinations with special information (e.g. authTokens, certificates)', () => {
     it('destinations with certificates are cached ', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       mockServiceToken();
       mockJwtBearerToken();
 
@@ -456,7 +449,6 @@ describe('destination cache', () => {
 
     it('destinations with authTokens are cached correctly', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       mockServiceToken();
       mockJwtBearerToken();
 
@@ -507,7 +499,6 @@ describe('destination cache', () => {
 
     it('destinations with proxy configuration are cached correctly', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       mockServiceToken();
       mockJwtBearerToken();
 
@@ -568,8 +559,6 @@ describe('destination cache', () => {
     it('retrieves subscriber cached destination', async () => {
       mockServiceBindings();
       mockServiceToken();
-      mockVerifyJwt();
-
       const authType = 'NoAuthentication' as AuthenticationType;
       const subscriberDest = {
         URL: 'https://subscriber.example',
@@ -597,7 +586,6 @@ describe('destination cache', () => {
 
     it('retrieves provider cached destination', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       mockServiceToken();
 
       const authType = 'NoAuthentication' as AuthenticationType;
@@ -627,7 +615,6 @@ describe('destination cache', () => {
 
     it('should return cached provider destination from cache after checking for remote subscriber destination when subscriberFirst is specified and destinations are tenant isolated', async () => {
       mockServiceBindings();
-      mockVerifyJwt();
       mockServiceToken();
 
       const authType = 'NoAuthentication' as AuthenticationType;

packages/connectivity/src/scp-cf/destination/destination-from-service.spec.ts

@@ -2,7 +2,6 @@ import {
   mockServiceBindings,
   mockServiceToken,
   mockFetchDestinationCalls,
-  mockVerifyJwt,
   providerServiceToken
 } from '../../../../../test-resources/test/test-util';
 import { getDestinationFromDestinationService } from './destination-from-service';
@@ -11,7 +10,6 @@ describe('getDestinationFromDestinationService', () => {
   beforeEach(() => {
     jest.clearAllMocks();
     mockServiceBindings();
-    mockVerifyJwt();
     mockServiceToken();
   });
 

packages/connectivity/src/scp-cf/destination/destination-from-service.ts

@@ -4,7 +4,7 @@ import {
   getDestinationServiceCredentials,
   getServiceBinding
 } from '../environment-accessor';
-import { exchangeToken, shouldExchangeToken } from '../identity-service';
+import { shouldExchangeToken } from '../identity-service';
 import { getSubdomain, isXsuaaToken } from '../jwt';
 import { isIdenticalTenant } from '../tenant';
 import { jwtBearerToken } from '../token-accessor';
@@ -90,10 +90,10 @@ export class DestinationFromServiceRetriever {
     options: DestinationFetchOptions
   ): Promise<Destination | null> {
     // TODO: This is currently always skipped for tokens issued by XSUAA
-    // in the XSUAA case no exchange takes place, but instead the JWT is verified
-    // in the future we should just let it verify here, but skip it later (get-subscriber-token)
+    // in the XSUAA case no exchange takes place
     if (shouldExchangeToken(options) && options.jwt) {
-      options.jwt = await exchangeToken(options.jwt);
+      // Exchange the IAS token to a XSUAA token using the destination service credentials
+      options.jwt = await jwtBearerToken(options.jwt, 'destination');
     }
 
     const subscriberToken = await getSubscriberToken(options);