Merge pull request #1442 from modelix/jwt-handling

fix(authorization): inconsistent usage of DecodedJWT and Payload

Author: slisson

authorization/src/main/kotlin/org/modelix/authorization/AccessTokenPrincipal.kt

@@ -22,11 +22,13 @@ import io.ktor.server.auth.AuthenticationContext
 import io.ktor.server.auth.AuthenticationProvider
 import io.ktor.server.auth.UnauthorizedResponse
 import io.ktor.server.auth.authenticate
+import io.ktor.server.auth.jwt.JWTPrincipal
 import io.ktor.server.auth.jwt.jwt
 import io.ktor.server.auth.parseAuthorizationHeader
 import io.ktor.server.auth.principal
 import io.ktor.server.plugins.forwardedheaders.XForwardedHeaders
 import io.ktor.server.plugins.statuspages.StatusPages
+import io.ktor.server.request.uri
 import io.ktor.server.response.respond
 import io.ktor.server.response.respondText
 import io.ktor.server.routing.Route
@@ -74,20 +76,18 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
                             .withIssuer("modelix")
                             .withAudience("modelix")
                             .withClaim(KeycloakTokenConstants.EMAIL, "[email protected]")
-                            .sign(Algorithm.HMAC256("unit-tests"))
-                        // The signing algorithm and key isn't relevant because the token is already considered valid
-                        // and the signature is never checked.
-                        context.principal(AccessTokenPrincipal(JWT.decode(token)))
+                            .sign(Algorithm.none())
+                        context.principal(JWTPrincipal(JWT.decode(token)))
                     }
                 })
             } else {
                 // "Authorization: Bearer ..." header is provided in the header by OAuth proxy
                 jwt(MODELIX_JWT_AUTH) {
                     realm = "modelix"
                     authHeader { call ->
-                        call.request.parseAuthorizationHeader()
-                            ?: call.request.headers["X-Forwarded-Access-Token"]
-                                ?.let { HttpAuthHeader.Single("Bearer", it) }
+                        call.request.headers["X-Forwarded-Access-Token"]
+                            ?.let { HttpAuthHeader.Single("Bearer", it) }
+                            ?: call.request.parseAuthorizationHeader()
                     }
 
                     verifier(config.getVerifier())
@@ -117,7 +117,7 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
                             accessControlPersistence.recordKnownUser(authConfig.jwtUtil.extractUserId(jwt))
                             accessControlPersistence.recordKnownRoles(authConfig.jwtUtil.extractUserRoles(jwt))
                         }
-                        AccessTokenPrincipal(jwt)
+                        JWTPrincipal(jwt)
                     }
                 }
             }
@@ -141,6 +141,7 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
                     call.respondText(text = "403: ${cause.message}", status = HttpStatusCode.Forbidden)
                 }
                 exception<Throwable> { call, cause ->
+                    LOG.error(cause) { call.request.uri }
                     call.respondText(text = "500: $cause", status = HttpStatusCode.InternalServerError)
                 }
             }
@@ -151,7 +152,7 @@ object ModelixAuthorization : BaseRouteScopedPlugin<IModelixAuthorizationConfig,
                 (installedIntoRoute ?: this).apply {
                     if (config.debugEndpointsEnabled) {
                         get("/user") {
-                            val jwt = call.jwtFromHeaders()
+                            val jwt = call.getUnverifiedJwt()
                             if (jwt == null) {
                                 call.respondText("No JWT token available")
                             } else {
@@ -193,7 +194,7 @@ class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig)
 
     private val permissionCache = CacheBuilder.newBuilder()
         .expireAfterWrite(5, TimeUnit.SECONDS)
-        .build<Pair<AccessTokenPrincipal, PermissionInstanceReference>, Boolean>()
+        .build<Pair<PayloadAsKey, PermissionInstanceReference>, Boolean>()
 
     fun hasPermission(call: ApplicationCall, permissionToCheck: PermissionParts): Boolean {
         return hasPermission(call, PermissionParser(config.permissionSchema).parse(permissionToCheck))
@@ -202,8 +203,8 @@ class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig)
     fun hasPermission(call: ApplicationCall, permissionToCheck: PermissionInstanceReference): Boolean {
         if (!config.permissionCheckingEnabled()) return true
 
-        val principal = call.principal<AccessTokenPrincipal>() ?: throw NotLoggedInException()
-        return permissionCache.get(principal to permissionToCheck) {
+        val principal = call.principal<JWTPrincipal>() ?: throw NotLoggedInException()
+        return permissionCache.get(PayloadAsKey(principal.payload) to permissionToCheck) {
             getPermissionEvaluator(principal).hasPermission(permissionToCheck)
         }
     }
@@ -212,7 +213,7 @@ class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig)
         return getPermissionEvaluator(call.principal())
     }
 
-    fun getPermissionEvaluator(principal: AccessTokenPrincipal?): PermissionEvaluator {
+    fun getPermissionEvaluator(principal: JWTPrincipal?): PermissionEvaluator {
         val evaluator = createPermissionEvaluator()
         if (principal != null) {
             loadGrantedPermissions(principal, evaluator)
@@ -226,8 +227,8 @@ class ModelixAuthorizationPluginInstance(val config: ModelixAuthorizationConfig)
 
     fun createSchemaInstance() = SchemaInstance(config.permissionSchema)
 
-    fun loadGrantedPermissions(principal: AccessTokenPrincipal, evaluator: PermissionEvaluator) {
-        config.jwtUtil.loadGrantedPermissions(principal.jwt, evaluator)
+    fun loadGrantedPermissions(principal: JWTPrincipal, evaluator: PermissionEvaluator) {
+        config.jwtUtil.loadGrantedPermissions(principal.payload, evaluator)
     }
 }
 
@@ -246,7 +247,7 @@ internal fun ModelixAuthorizationConfig.getVerifier() = object : JWTVerifier {
             if (jwt == null) {
                 throw JWTVerificationException("No JWT provided.")
             }
-            return this@getVerifier.nullIfInvalid(jwt)?.also { println("Valid token: ${jwt.token}") } ?: throw JWTVerificationException("JWT invalid.")
+            return this@getVerifier.nullIfInvalid(jwt) ?: throw JWTVerificationException("JWT invalid.")
         } catch (ex: BadJWTException) {
             throw JWTVerificationException("Invalid token: ${jwt?.token}", ex)
         }

authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt

@@ -7,10 +7,10 @@ import io.ktor.http.auth.AuthScheme
 import io.ktor.http.auth.HttpAuthHeader
 import io.ktor.server.application.Application
 import io.ktor.server.application.ApplicationCall
-import io.ktor.server.application.call
 import io.ktor.server.application.install
 import io.ktor.server.application.plugin
 import io.ktor.server.auth.authenticate
+import io.ktor.server.auth.jwt.JWTPrincipal
 import io.ktor.server.auth.parseAuthorizationHeader
 import io.ktor.server.auth.principal
 import io.ktor.server.request.header
@@ -41,7 +41,7 @@ fun RoutingContext.checkPermission(permissionParts: PermissionParts) {
 
 fun ApplicationCall.checkPermission(permissionToCheck: PermissionParts) {
     if (!hasPermission(permissionToCheck)) {
-        val principal = principal<AccessTokenPrincipal>()
+        val principal = principal<JWTPrincipal>()
         throw NoPermissionException(principal, null, null, "${principal?.getUserName()} has no permission '$permissionToCheck'")
     }
 }
@@ -76,19 +76,17 @@ fun ApplicationCall.getBearerToken(): String? {
     return tokenString
 }
 
-fun ApplicationCall.jwtFromHeaders(): DecodedJWT? {
+fun ApplicationCall.getUnverifiedJwt(): DecodedJWT? {
     // OAuth proxy passes the ID token as the bearer token, but we need the access token.
     return (request.header("X-Forwarded-Access-Token") ?: getBearerToken())?.let { JWT.decode(it) }
 }
 
-fun ApplicationCall.jwt() = principal<AccessTokenPrincipal>()?.jwt ?: jwtFromHeaders()
-
 fun RoutingContext.getUserName(): String? {
     return call.getUserName()
 }
 
 fun ApplicationCall.getUserName(): String? {
-    return principal<AccessTokenPrincipal>()?.getUserName()
+    return principal<JWTPrincipal>()?.getUserName()
 }
 
 @Deprecated("Use ModelixAuthorizationConfig.nullIfInvalid")

authorization/src/main/kotlin/org/modelix/authorization/KtorAuthUtils.kt

@@ -1,6 +1,5 @@
 package org.modelix.authorization
 
-import com.auth0.jwt.interfaces.DecodedJWT
 import com.auth0.jwt.interfaces.Payload
 import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.JWSHeader
@@ -37,6 +36,7 @@ import io.ktor.client.HttpClient
 import io.ktor.client.request.get
 import io.ktor.client.statement.bodyAsText
 import io.ktor.http.contentType
+import io.ktor.server.auth.jwt.JWTPrincipal
 import kotlinx.coroutines.runBlocking
 import org.modelix.authorization.permissions.PermissionEvaluator
 import org.modelix.authorization.permissions.Schema
@@ -229,19 +229,19 @@ class ModelixJWTUtil {
         return JWSObject(header, payload).also { it.sign(signer) }.serialize()
     }
 
-    fun isAccessToken(token: DecodedJWT): Boolean {
+    fun isAccessToken(token: Payload): Boolean {
         return extractPermissions(token) != null
     }
 
-    fun isIdentityToken(token: DecodedJWT): Boolean {
+    fun isIdentityToken(token: Payload): Boolean {
         return !isAccessToken(token)
     }
 
-    fun createPermissionEvaluator(token: DecodedJWT, schema: Schema): PermissionEvaluator {
+    fun createPermissionEvaluator(token: Payload, schema: Schema): PermissionEvaluator {
         return createPermissionEvaluator(token, SchemaInstance(schema))
     }
 
-    fun createPermissionEvaluator(token: DecodedJWT, schema: SchemaInstance): PermissionEvaluator {
+    fun createPermissionEvaluator(token: Payload, schema: SchemaInstance): PermissionEvaluator {
         return PermissionEvaluator(schema).also { loadGrantedPermissions(token, it) }
     }
 
@@ -388,3 +388,5 @@ class KtorResourceRetriever(val client: HttpClient) : AbstractRestrictedResource
         }
     }
 }
+
+fun JWTPrincipal.getUserName(): String? = ModelixJWTUtil.extractUserId(payload)

authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt

@@ -1,10 +1,12 @@
 package org.modelix.authorization
 
-class NoPermissionException(val user: AccessTokenPrincipal?, val resourceId: String?, val scope: String?, message: String) :
+import io.ktor.server.auth.jwt.JWTPrincipal
+
+class NoPermissionException(val user: JWTPrincipal?, val resourceId: String?, val scope: String?, message: String) :
     RuntimeException(message) {
 
     constructor(message: String) :
         this(null, null, null, message)
-    constructor(user: AccessTokenPrincipal, permissionId: String, type: String) :
+    constructor(user: JWTPrincipal, permissionId: String, type: String) :
         this(user, permissionId, type, "${user.getUserName()} has no $type permission on '$permissionId'")
 }

authorization/src/main/kotlin/org/modelix/authorization/NoPermissionException.kt

@@ -0,0 +1,18 @@
+package org.modelix.authorization
+
+import com.auth0.jwt.interfaces.Payload
+
+/**
+ * Payload implementations usually don't implement equals/hashCode
+ */
+class PayloadAsKey(val payload: Payload) {
+
+    override fun equals(other: Any?): Boolean {
+        if (other !is PayloadAsKey) return false
+        return other.payload.claims == payload.claims
+    }
+
+    override fun hashCode(): Int {
+        return payload.claims.hashCode()
+    }
+}

authorization/src/main/kotlin/org/modelix/authorization/PayloadAsKey.kt

@@ -2,17 +2,15 @@ package org.modelix.authorization
 
 import io.ktor.http.encodeURLPathPart
 import io.ktor.server.application.ApplicationCall
-import io.ktor.server.application.application
-import io.ktor.server.application.call
 import io.ktor.server.application.plugin
+import io.ktor.server.auth.jwt.JWTPrincipal
 import io.ktor.server.auth.principal
 import io.ktor.server.html.respondHtml
 import io.ktor.server.request.receiveParameters
 import io.ktor.server.response.respond
 import io.ktor.server.response.respondRedirect
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.RoutingContext
-import io.ktor.server.routing.application
 import io.ktor.server.routing.get
 import io.ktor.server.routing.post
 import io.ktor.server.routing.route
@@ -359,7 +357,7 @@ fun ApplicationCall.canManagePermissions(resourceRef: ResourceInstanceReference)
 
 fun ApplicationCall.checkCanGranPermission(id: String) {
     if (!canGrantPermission(id)) {
-        val principal = principal<AccessTokenPrincipal>()
+        val principal = principal<JWTPrincipal>()
         throw NoPermissionException(principal, null, null, "${principal?.getUserName()} has no permission '$id'")
     }
 }

authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt

@@ -1,13 +1,11 @@
 package org.modelix.authorization.permissions
 
-import com.auth0.jwt.interfaces.DecodedJWT
+import com.auth0.jwt.interfaces.Payload
 import kotlinx.serialization.Serializable
-import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import org.modelix.authorization.IAccessControlDataProvider
 import org.modelix.authorization.ModelixJWTUtil
 import java.io.File
-import kotlin.collections.get
 
 @Serializable
 data class AccessControlData(
@@ -30,7 +28,7 @@ data class AccessControlData(
      * Identity tokens, unlike access tokens, don't have any permissions encoded in the token.
      * The resource server then is expected to know which permissions the user has.
      */
-    fun load(jwt: DecodedJWT, permissionEvaluator: PermissionEvaluator) {
+    fun load(jwt: Payload, permissionEvaluator: PermissionEvaluator) {
         val util = ModelixJWTUtil()
         if (util.isAccessToken(jwt)) {
             // The purpose of an access token is to restrict the permissions to the ones specified in the token.