Added JwtUnavailableException

Author: artem-v

tests/src/test/java/io/scalecube/security/tokens/jwt/JsonwebtokenResolverTests.java

@@ -1,6 +1,9 @@
 package io.scalecube.security.tokens.jwt;
 
 import static io.scalecube.security.environment.VaultEnvironment.getRootCause;
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -14,7 +17,6 @@
 import java.time.Duration;
 import java.util.concurrent.TimeUnit;
 import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
@@ -50,8 +52,8 @@ void testResolveTokenSuccessfully() throws Exception {
             .get(3, TimeUnit.SECONDS);
 
     assertNotNull(jwtToken, "jwtToken");
-    Assertions.assertTrue(jwtToken.header().size() > 0, "jwtToken.header: " + jwtToken.header());
-    Assertions.assertTrue(jwtToken.payload().size() > 0, "jwtToken.payload: " + jwtToken.payload());
+    assertTrue(jwtToken.header().size() > 0, "jwtToken.header: " + jwtToken.header());
+    assertTrue(jwtToken.payload().size() > 0, "jwtToken.payload: " + jwtToken.payload());
   }
 
   @Test
@@ -66,9 +68,25 @@ void testJwksKeyLocatorThrowsError() {
       fail("Expected exception");
     } catch (Exception e) {
       final var ex = getRootCause(e);
-      assertNotNull(ex);
-      assertNotNull(ex.getMessage());
-      assertTrue(ex.getMessage().startsWith("Cannot get key"), "Exception: " + ex);
+      assertThat(ex, instanceOf(RuntimeException.class));
+      assertThat(ex.getMessage(), startsWith("Cannot get key"));
+    }
+  }
+
+  @Test
+  void testJwksKeyLocatorThrowsRetryableError() {
+    final var token = generateToken();
+
+    Locator<Key> keyLocator = mock(Locator.class);
+    when(keyLocator.locate(any())).thenThrow(new JwtUnavailableException("JWKS timeout"));
+
+    try {
+      new JsonwebtokenResolver(keyLocator).resolve(token).get(3, TimeUnit.SECONDS);
+      fail("Expected exception");
+    } catch (Exception e) {
+      final var ex = getRootCause(e);
+      assertThat(ex, instanceOf(JwtUnavailableException.class));
+      assertThat(ex.getMessage(), startsWith("JWKS timeout"));
     }
   }
 

tests/src/test/java/io/scalecube/security/vault/VaultServiceTokenTests.java

@@ -2,6 +2,8 @@
 
 import static io.scalecube.security.environment.VaultEnvironment.getRootCause;
 import static java.util.concurrent.CompletableFuture.completedFuture;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -18,7 +20,6 @@
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
@@ -54,9 +55,7 @@ void testGetServiceTokenUsingWrongCredentials() throws Exception {
     } catch (ExecutionException e) {
       final var ex = getRootCause(e);
       assertNotNull(ex);
-      assertNotNull(ex.getMessage());
-      assertTrue(
-          ex.getMessage().contains("Failed to get service token, status=403"), "Exception: " + ex);
+      assertThat(ex.getMessage(), startsWith("Failed to get service token, status=403"));
     }
   }
 
@@ -78,9 +77,7 @@ void testGetNonExistingServiceToken() throws Exception {
     } catch (ExecutionException e) {
       final var ex = getRootCause(e);
       assertNotNull(ex);
-      assertNotNull(ex.getMessage());
-      assertTrue(
-          ex.getMessage().contains("Failed to get service token, status=400"), "Exception: " + ex);
+      assertThat(ex.getMessage(), startsWith("Failed to get service token, status=400"));
     }
   }
 
@@ -122,9 +119,7 @@ void testGetServiceTokenByWrongServiceRole() throws Exception {
     } catch (ExecutionException e) {
       final var ex = getRootCause(e);
       assertNotNull(ex);
-      assertNotNull(ex.getMessage());
-      assertTrue(
-          ex.getMessage().contains("Failed to get service token, status=400"), "Exception: " + ex);
+      assertThat(ex.getMessage(), startsWith("Failed to get service token, status=400"));
     }
   }
 
@@ -164,8 +159,8 @@ void testGetServiceTokenSuccessfully() throws Exception {
             .get(3, TimeUnit.SECONDS);
 
     assertNotNull(jwtToken, "jwtToken");
-    Assertions.assertTrue(jwtToken.header().size() > 0, "jwtToken.header: " + jwtToken.header());
-    Assertions.assertTrue(jwtToken.payload().size() > 0, "jwtToken.payload: " + jwtToken.payload());
+    assertTrue(jwtToken.header().size() > 0, "jwtToken.header: " + jwtToken.header());
+    assertTrue(jwtToken.payload().size() > 0, "jwtToken.payload: " + jwtToken.payload());
   }
 
   private static String toQualifiedName(String role, Map<String, String> tags) {

tokens/src/main/java/io/scalecube/security/tokens/jwt/JwksKeyLocator.java

@@ -17,6 +17,7 @@
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.net.http.HttpResponse.BodyHandlers;
+import java.net.http.HttpTimeoutException;
 import java.security.Key;
 import java.security.KeyFactory;
 import java.security.PublicKey;
@@ -55,13 +56,11 @@ protected Key locate(JwsHeader header) {
               kid -> {
                 final var key = findKeyById(computeKeyList(), kid);
                 if (key == null) {
-                  throw new RuntimeException("Cannot find key by kid: " + kid);
+                  throw new JwtUnavailableException("Cannot find key by kid: " + kid);
                 }
                 return new CachedKey(key, System.currentTimeMillis() + keyTtl);
               })
           .key();
-    } catch (Exception ex) {
-      throw new JwtTokenException(ex);
     } finally {
       tryCleanup();
     }
@@ -77,8 +76,13 @@ private JwkInfoList computeKeyList() {
               .send(
                   HttpRequest.newBuilder(jwksUri).GET().timeout(requestTimeout).build(),
                   BodyHandlers.ofInputStream());
-    } catch (Exception e) {
-      throw new RuntimeException("Failed to retrive jwk keys", e);
+    } catch (HttpTimeoutException e) {
+      throw new JwtUnavailableException("Failed to retrive jwk keys", e);
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    } catch (InterruptedException e) {
+      Thread.currentThread().interrupt();
+      throw new RuntimeException(e);
     }
 
     final var statusCode = httpResponse.statusCode();

tokens/src/main/java/io/scalecube/security/tokens/jwt/JwtTokenException.java

@@ -2,6 +2,10 @@
 
 import java.util.StringJoiner;
 
+/**
+ * Generic exception type for JWT token resolution errors. Used as part {@link JwtTokenResolver}
+ * mechanism, and responsible to abstract token resolution problems.
+ */
 public class JwtTokenException extends RuntimeException {
 
   public JwtTokenException(String message) {

tokens/src/main/java/io/scalecube/security/tokens/jwt/JwtUnavailableException.java

@@ -0,0 +1,26 @@
+package io.scalecube.security.tokens.jwt;
+
+/**
+ * Special JWT exception type indicating transient error during token resolution. For example such
+ * transient errors are:
+ *
+ * <ul>
+ *   <li>Key Rotation: JWKS endpoints often implement key rotation policies where keys are
+ *       periodically changed for security reasons. If the JWT was issued with a "kid" that
+ *       corresponds to a key that has since been rotated out, that key won't be available in the
+ *       JWKS anymore.
+ *   <li>Network or Server Issues: if the JWKS URI is temporarily down, inaccessible, or
+ *       experiencing issues, cleint might not be able to retrieve the keys, or the list of keys
+ *       might be incomplete or outdated.
+ * </ul>
+ */
+public class JwtUnavailableException extends JwtTokenException {
+
+  public JwtUnavailableException(String message) {
+    super(message);
+  }
+
+  public JwtUnavailableException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}