From: BenoƮt Gianinetti
Date: Mon, 30 Nov 2020 15:20:10 +0000 (+0100)
Subject: SSF-134 Fail to parse jwt using 'none' algorithm
X-Git-Tag: 8.6.0.39681~36
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=346d2c41b28c15d99cc092ac792f36b6d3ffd9da;p=sonarqube.git
SSF-134 Fail to parse jwt using 'none' algorithm
---
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtSerializer.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtSerializer.java
index 8450f173151..b4516093e16 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtSerializer.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtSerializer.java
@@ -24,6 +24,7 @@ import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.UnsupportedJwtException;
 import io.jsonwebtoken.security.SignatureException;
 import java.util.Base64;
 import java.util.Collections;
@@ -95,17 +96,17 @@ public class JwtSerializer implements Startable {
 checkIsStarted();
 Claims claims = null;
 try {
- claims = (Claims) Jwts.parserBuilder()
+ claims = Jwts.parserBuilder()
 .setSigningKey(secretKey)
 .build()
- .parse(token)
+ .parseClaimsJws(token)
 .getBody();
 requireNonNull(claims.getId(), "Token id hasn't been found");
 requireNonNull(claims.getSubject(), "Token subject hasn't been found");
 requireNonNull(claims.getExpiration(), "Token expiration date hasn't been found");
 requireNonNull(claims.getIssuedAt(), "Token creation date hasn't been found");
 return Optional.of(claims);
- } catch (ExpiredJwtException | SignatureException e) {
+ } catch (UnsupportedJwtException | ExpiredJwtException | SignatureException e) {
 return Optional.empty();
 } catch (Exception e) {
 throw AuthenticationException.newBuilder()
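Review bot: The switch from `parse(token)` to `parseClaimsJws(token)` is the entire security fix here, yet nothing in the code records why, so a later cleanup could put `parse()` back without noticing that it re-opens the unsigned-token acceptance. A comment above the builder chain should name the invariant, e.g. `// parseClaimsJws() (not parse()) refuses unsigned tokens (alg=none) with UnsupportedJwtException; parse() would return their claims without any signature check`. The added `UnsupportedJwtException` in the first catch deliberately maps that rejection to `Optional.empty()`, the same outcome as an expired or wrongly-signed token, which is worth one more clause in that comment because the generic `catch (Exception e)` below would otherwise surface it as an AuthenticationException. The signature of the enclosing decode method and the rest of its second catch block lie outside the hunk.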
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
index e4938aa9561..049e1fd8dc6 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
@@ -153,6 +153,21 @@ public class JwtSerializerTest { assertThat(underTest.decode(token)).isEmpty(); } + @Test + public void return_no_token_if_none_algorithm() { + setSecretKey(A_SECRET_KEY); + underTest.start(); + + String token = Jwts.builder() + .setId("123") + .setSubject(USER_LOGIN) + .setIssuedAt(new Date(system2.now())) + .setExpiration(addMinutes(new Date(), 20)) + .compact(); + + assertThat(underTest.decode(token)).isEmpty(); + } + @Test + public void fail_to_decode_token_when_no_id() { + setSecretKey(A_SECRET_KEY);
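Review bot: The body of `return_no_token_if_none_algorithm` never mentions the `none` algorithm; it relies on jjwt producing an unsecured JWT when `compact()` is called without `signWith(...)`, and a reader has to know that to connect the test to its name. A one-line comment above the builder, `// no signWith(): jjwt emits an unsecured JWT (alg=none), which decode() must reject`, would make the intent explicit. Since the regression this guards against is an authentication bypass, it may also be worth asserting that the built token really is unsigned (for instance that its header declares alg `none`), so the test cannot pass for an unrelated reason if the builder's defaults were ever to change.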