SSF-134 Fail to parse jwt using 'none' algorithm
authorBenoît Gianinetti <benoit.gianinetti@sonarsource.com>
Mon, 30 Nov 2020 15:20:10 +0000 (16:20 +0100)
committersonartech <sonartech@sonarsource.com>
Wed, 2 Dec 2020 20:06:58 +0000 (20:06 +0000)
server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtSerializer.java
server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java

index 8450f17315169a8d1e71bf0663fee75802349ff6..b4516093e1604ba9ba506991a2f6464a5ba647f8 100644 (file)
@@ -24,6 +24,7 @@ import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.UnsupportedJwtException;
 import io.jsonwebtoken.security.SignatureException;
 import java.util.Base64;
 import java.util.Collections;
@@ -95,17 +96,17 @@ public class JwtSerializer implements Startable {
     checkIsStarted();
     Claims claims = null;
     try {
-      claims = (Claims) Jwts.parserBuilder()
+      claims = Jwts.parserBuilder()
         .setSigningKey(secretKey)
         .build()
-        .parse(token)
+        .parseClaimsJws(token)
         .getBody();
       requireNonNull(claims.getId(), "Token id hasn't been found");
       requireNonNull(claims.getSubject(), "Token subject hasn't been found");
       requireNonNull(claims.getExpiration(), "Token expiration date hasn't been found");
       requireNonNull(claims.getIssuedAt(), "Token creation date hasn't been found");
       return Optional.of(claims);
-    } catch (ExpiredJwtException | SignatureException e) {
+    } catch (UnsupportedJwtException | ExpiredJwtException | SignatureException e) {
       return Optional.empty();
     } catch (Exception e) {
       throw AuthenticationException.newBuilder()
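Review bot: The new `UnsupportedJwtException` arm in the multi-catch makes an unsigned (`alg: none`) token indistinguishable from an expired one — both return `Optional.empty()` with no trace — so an attempted signature bypass against the session token leaves nothing to detect or alert on; the same already holds for `SignatureException`. Consider logging the rejection reason (never the token itself) before returning empty, e.g. `LOG.debug("Rejected JWT: {}", e.getMessage());`, assuming the class has a logger, which the hunk does not show. Because the fix hinges on calling `parseClaimsJws` instead of `parse`, a comment on that call such as `// parseClaimsJws rejects unsigned (alg=none) tokens; parse() would accept them` would guard against a future revert to the permissive API. The method's signature and the body of the generic `catch (Exception e)` lie outside the hunk.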
index e4938aa95619ec236b40a7ad2ce57bc7c930532a..049e1fd8dc6e1758a3f6ceed67e2a40e1d334489 100644 (file)
@@ -153,6 +153,21 @@ public class JwtSerializerTest {
     assertThat(underTest.decode(token)).isEmpty();
   }
 
+  @Test
+  public void return_no_token_if_none_algorithm() {
+    setSecretKey(A_SECRET_KEY);
+    underTest.start();
+
+    String token = Jwts.builder()
+      .setId("123")
+      .setSubject(USER_LOGIN)
+      .setIssuedAt(new Date(system2.now()))
+      .setExpiration(addMinutes(new Date(), 20))
+      .compact();
+
+    assertThat(underTest.decode(token)).isEmpty();
+  }
+
   @Test
   public void fail_to_decode_token_when_no_id() {
     setSecretKey(A_SECRET_KEY);
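Review bot: `return_no_token_if_none_algorithm` only asserts `isEmpty()`, which is also the outcome for an expired or wrongly-signed token, so it would keep passing if the builder ever started signing by default or the `new Date()` expiration were miscomputed — the test would then no longer exercise the `alg: none` path at all. Adding a precondition on the generated token, e.g. `assertThat(token).endsWith(".");` (an unsigned compact JWS has an empty third segment, presumably what `compact()` emits here without a key — worth confirming), or decoding the header segment and asserting it contains `"alg":"none"`, ties the assertion to the intended cause. Also, `issuedAt` is taken from `system2.now()` while `expiration` uses wall-clock `new Date()`; if `system2` is a fixed test clock, a short comment explaining why the two differ would help the next maintainer.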