/**
 * Creates the filter backed by a freshly constructed {@link SystemClock}.
 * Delegates to the five-argument constructor, which additionally takes the clock
 * (presumably so that a fixed clock can be injected; confirm against that constructor).
 *
 * @param addonScopeManager scope manager passed through to the main constructor
 * @param userManager       user manager passed through to the main constructor
 * @param eventPublisher    event publisher passed through to the main constructor
 * @param addonKeyExtractor add-on key extractor passed through to the main constructor
 */
public ApiScopingFilter(AddonScopeManager addonScopeManager, UserManager userManager, EventPublisher eventPublisher, AddonKeyExtractor addonKeyExtractor) {
    this(addonScopeManager, userManager, eventPublisher, addonKeyExtractor, new SystemClock());
}
/**
 * Canonicalize the given {@link CanonicalHttpRequest} and hash it.
 * The resulting hash can be carried as a JWT claim so that the receiver can check that the
 * method, path and query parameters it sees are the ones the sender signed over.
 *
 * @param request {@link CanonicalHttpRequest} to be canonicalized and hashed
 * @return {@link String} hash suitable for use as a JWT claim value
 * @throws UnsupportedEncodingException if the {@link java.net.URLEncoder} cannot encode the request's field's characters
 * @throws NoSuchAlgorithmException if the hashing algorithm does not exist at runtime
 */
public static String computeCanonicalRequestHash(CanonicalHttpRequest request) throws UnsupportedEncodingException, NoSuchAlgorithmException {
    // Single place that knows which digest backs the query hash; call sites only ever see the claim value.
    final String canonicalRequest = canonicalize(request);
    return JwtUtil.computeSha256Hash(canonicalRequest);
}
/**
 * Returns the current time in seconds (as reported by {@code currentTimeSeconds()}) advanced by {@code n} seconds.
 * Plain {@code long} addition: no overflow guard is applied, and a negative {@code n} moves the result into the past.
 *
 * @param n number of seconds to add to the current time
 * @return current time in seconds plus {@code n}
 */
public static long currentTimePlusNSeconds(long n) {
    final long nowSeconds = currentTimeSeconds();
    return nowSeconds + n;
}
}
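/**
 * Creates a builder whose payload is pre-populated with {@code iat} set to the current time
 * and {@code exp} set to the current time plus the default lifetime of three minutes.
 * The clock is read once so that {@code exp - iat} is exactly the default lifetime; reading it
 * twice (once per claim) could straddle a second boundary and yield a 181-second window.
 */
public JsonSmartJwtJsonBuilder() {
    // default JWT lifetime is 3 minutes
    final long defaultLifetimeSeconds = 180L;
    final long nowSeconds = TimeUtil.currentTimeSeconds();
    issuedAt(nowSeconds);
    expirationTime(nowSeconds + defaultLifetimeSeconds);
}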
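/**
 * Decides whether this filter should handle the request: only when it carries a JWT whose
 * issuer claim is recognised as the host (see {@code jwtWasIssuedByHost}).
 * NOTE(review): the token is parsed with {@code SimpleJwtParser}, and nothing in this method checks
 * the JWS signature, so the issuer read here is unauthenticated. This result is therefore only a
 * routing decision; any authentication of the token must happen downstream — confirm with the caller.
 *
 * @param request incoming request, from which the JWT is extracted via {@link JwtUtil#extractJwt}
 * @return {@code true} if a JWT was present, parseable and issued by the host; {@code false} otherwise
 */
@Override
protected boolean shouldProcess(HttpServletRequest request) {
    String jwtToken = JwtUtil.extractJwt(request);
    if (!StringUtils.isEmpty(jwtToken)) {
        try {
            Jwt jwt = new SimpleJwtParser().parse(jwtToken);
            boolean wasIssuedByHost = jwtWasIssuedByHost(jwt.getIssuer());
            log.debug("wasIssuedByHost={}", wasIssuedByHost);
            return wasIssuedByHost;
        } catch (Exception e) {
            // one of the many possible JWT reading exceptions was thrown - log for debugging and let the invoking test fail.
            // The token itself is deliberately not logged: it is a bearer credential and would otherwise be
            // persisted in plain text in the log store; its length is enough to correlate with the request.
            log.error("Failed to read JWT token ({} chars) due to exception: ", jwtToken.length(), e);
        }
    }
    log.debug("JWT token was empty: should not process request");
    return false;
}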
/**
 * Encapsulate the building of requirements that we place upon JWTs in incoming requests.
 * Currently there is exactly one requirement: the {@link JwtConstants.Claims#QUERY_HASH} claim must
 * equal the hash computed from the canonical form of the incoming request.
 *
 * @param request incoming request
 * @return {@link Map} of claim name to verifier for claims upon which we place requirements
 * @throws UnsupportedEncodingException if {@link java.net.URLEncoder} cannot encode the request's characters
 * @throws NoSuchAlgorithmException if the hashing algorithm does not exist at runtime
 */
public static Map<String, ? extends JwtClaimVerifier> build(CanonicalHttpRequest request) throws UnsupportedEncodingException, NoSuchAlgorithmException {
    // The expected value is recomputed server-side from the request actually received, never taken from the token.
    final String expectedQueryHash = HttpRequestCanonicalizer.computeCanonicalRequestHash(request);
    final JwtClaimVerifier queryHashVerifier = new JwtClaimEqualityVerifier(JwtConstants.Claims.QUERY_HASH, expectedQueryHash);
    return Collections.singletonMap(JwtConstants.Claims.QUERY_HASH, queryHashVerifier);
}
}
/**
 * Resolves a reader for the given serialized JWT using the shared {@link SystemClock} instance.
 * Delegates to the two-argument overload that takes an explicit clock.
 *
 * @param jwt serialized JWT to resolve a reader for
 * @return a {@link JwtReader} able to read the given token
 * @throws JwtParseException if the token cannot be parsed
 * @throws JwsUnsupportedAlgorithmException if the token's signing algorithm is not supported
 * @throws JwtUnknownIssuerException if the token's issuer is not known
 * @throws JwtIssuerLacksSharedSecretException if the issuer has no shared secret on record
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt) throws JwtParseException, JwsUnsupportedAlgorithmException, JwtUnknownIssuerException, JwtIssuerLacksSharedSecretException {
    return getReader(jwt, SystemClock.getInstance());
}
/**
 * Assemble the components of the HTTP request into the correct format so that they can be signed or hashed.
 * The canonical form is {@code method SEP uri SEP queryParameters}, where {@code SEP} is
 * {@code CANONICAL_REQUEST_PART_SEPARATOR} and each part comes from its own {@code canonicalize*} helper.
 *
 * @param request {@link CanonicalHttpRequest} that provides the necessary components
 * @return {@link String} encoding the canonical form of this request as required for constructing {@link JwtConstants.Claims#QUERY_HASH} values
 * @throws UnsupportedEncodingException {@link UnsupportedEncodingException} if the {@link java.net.URLEncoder} cannot encode the request's field's characters
 */
public static String canonicalize(CanonicalHttpRequest request) throws UnsupportedEncodingException {
    final StringBuilder canonical = new StringBuilder();
    canonical.append(canonicalizeMethod(request));
    canonical.append(CANONICAL_REQUEST_PART_SEPARATOR);
    canonical.append(canonicalizeUri(request));
    canonical.append(CANONICAL_REQUEST_PART_SEPARATOR);
    canonical.append(canonicalizeQueryParameters(request));
    return canonical.toString();
}
/**
 * Convenience method for building and appending JWT claims related to a {@link com.atlassian.jwt.CanonicalHttpRequest}.
 * Encapsulates the knowledge of what claims we make regarding the request: at present only the query hash.
 *
 * @param jsonBuilder {@link com.atlassian.jwt.writer.JwtJsonBuilder} that constructs the JWT payload
 * @param request {@link com.atlassian.jwt.CanonicalHttpRequest} representing the incoming or outgoing HTTP request
 * @throws UnsupportedEncodingException if {@link java.net.URLEncoder} cannot encode the request's characters
 * @throws NoSuchAlgorithmException if the hashing algorithm does not exist at runtime
 */
public static void appendHttpRequestClaims(JwtJsonBuilder jsonBuilder, CanonicalHttpRequest request) throws UnsupportedEncodingException, NoSuchAlgorithmException {
    final String queryHash = HttpRequestCanonicalizer.computeCanonicalRequestHash(request);
    jsonBuilder.queryHash(queryHash);
}
}
/**
 * Reports whether {@link #extractJwt} finds a JWT on the request.
 * Only a {@code null} result counts as "absent"; an empty string returned by
 * {@code extractJwt} would be reported as present.
 *
 * @param request request to inspect
 * @return {@code true} if {@code extractJwt(request)} returns non-null
 */
public static boolean requestContainsJwt(HttpServletRequest request) {
    final String jwt = extractJwt(request);
    return jwt != null;
}
/**
 * Parses the serialized JWS and exposes its issuer, subject and raw payload as a {@link SimpleJwt}.
 * NOTE(review): nothing in this method verifies the JWS signature — the claims are read straight from
 * the payload. The returned values are untrusted until the token has been verified by a reader.
 *
 * @param jwt serialized JWT
 * @return a {@link SimpleJwt} holding the issuer, subject and payload text
 * @throws JwtParseException if the JWS cannot be parsed or its payload is not a valid claims set
 */
@Nonnull
@Override
public Jwt parse(String jwt) throws JwtParseException {
    final JWSObject jwsObject = parseJWSObject(jwt);
    final JWTClaimsSet claims;
    try {
        claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
    } catch (ParseException e) {
        // preserve the cause so the original parsing error is not lost
        throw new JwtParseException(e);
    }
    return new SimpleJwt(claims.getIssuer(), claims.getSubject(), jwsObject.getPayload().toString());
}
/**
 * Creates a MAC-based reader for tokens from {@code issuer} using the shared {@link SystemClock} instance.
 * Delegates to the three-argument constructor that takes an explicit clock.
 *
 * @param issuer       expected issuer of the tokens this reader will accept
 * @param sharedSecret secret shared with the issuer, used to verify the MAC
 */
public NimbusMacJwtReader(String issuer, String sharedSecret) {
    this(issuer, sharedSecret, SystemClock.getInstance());
}
/**
 * Creates a writer for the given project-level {@link SigningAlgorithm}, translating it to the
 * Nimbus {@code JWSAlgorithm} via {@link NimbusUtil#asNimbusJWSAlgorithm} before delegating.
 *
 * @param algorithm signing algorithm to use
 * @param signer    Nimbus signer that produces the signature
 */
public NimbusJwtWriter(SigningAlgorithm algorithm, JWSSigner signer) {
    this(NimbusUtil.asNimbusJWSAlgorithm(algorithm), signer);
}
/**
 * Creates a {@link StaticClock} frozen at the instant represented by {@code nowDate}.
 *
 * @param nowDate the fixed "now"; its epoch milliseconds are passed to the clock constructor
 * @return a clock that always reports {@code nowDate}
 * @throws NullPointerException if {@code nowDate} is {@code null}
 */
public static StaticClock at(Date nowDate) {
    final long nowMillis = nowDate.getTime();
    return new StaticClock(nowMillis);
}
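/**
 * Produces the canonical path component used in the query-string hash.
 * The relative path loses one trailing slash (an empty or blank result becomes "/"), every occurrence of
 * {@code CANONICAL_REQUEST_PART_SEPARATOR} is percent-encoded, and a leading slash is guaranteed.
 *
 * @param request request whose relative path is canonicalized
 * @return canonical path beginning with "/", with the separator character percent-encoded
 * @throws UnsupportedEncodingException if {@link JwtUtil#percentEncode} cannot encode the separator
 */
private static String canonicalizeUri(CanonicalHttpRequest request) throws UnsupportedEncodingException {
    String path = StringUtils.defaultIfBlank(StringUtils.removeEnd(request.getRelativePath(), "/"), "/");
    final String separatorAsString = String.valueOf(CANONICAL_REQUEST_PART_SEPARATOR);
    // If the separator is not URL encoded then the following URLs have the same query-string-hash:
    // https://djtest9.jira-dev.com/rest/api/2/project&a=b?x=y
    // https://djtest9.jira-dev.com/rest/api/2/project?a=b&x=y
    // Literal replace() rather than replaceAll(): the latter treats the separator as a regex and the
    // encoded form as a replacement template, which is fragile if the separator ever changes.
    path = path.replace(separatorAsString, JwtUtil.percentEncode(separatorAsString));
    return path.startsWith("/") ? path : "/" + path;
}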
/**
 * Resolves a reader for the given serialized JWT and RSA public key using the shared {@link SystemClock} instance.
 * Delegates to the three-argument overload that takes an explicit clock.
 *
 * @param jwt       serialized JWT to resolve a reader for
 * @param publicKey RSA public key expected to verify the token
 * @return a {@link JwtReader} able to read the given token
 * @throws JwsUnsupportedAlgorithmException if the token's signing algorithm is not supported
 * @throws JwtParseException if the token cannot be parsed
 * @throws JwtUnknownIssuerException if the token's issuer is not known
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt, RSAPublicKey publicKey) throws JwsUnsupportedAlgorithmException, JwtParseException, JwtUnknownIssuerException {
    return getReader(jwt, publicKey, SystemClock.getInstance());
}
/**
 * Creates the filter backed by a freshly constructed {@link SystemClock}.
 * Delegates to the five-argument constructor, which additionally takes the clock
 * (presumably so that a fixed clock can be injected; confirm against that constructor).
 *
 * @param addonScopeManager scope manager passed through to the main constructor
 * @param userManager       user manager passed through to the main constructor
 * @param eventPublisher    event publisher passed through to the main constructor
 * @param addonKeyExtractor add-on key extractor passed through to the main constructor
 */
public ApiScopingFilter(AddonScopeManager addonScopeManager, UserManager userManager, EventPublisher eventPublisher, AddonKeyExtractor addonKeyExtractor) {
    this(addonScopeManager, userManager, eventPublisher, addonKeyExtractor, new SystemClock());
}
/**
 * Creates an RSA-based reader for tokens from {@code issuer} using the shared {@link SystemClock} instance.
 * Delegates to the three-argument constructor that takes an explicit clock.
 *
 * @param issuer    expected issuer of the tokens this reader will accept
 * @param publicKey RSA public key used to verify the signature
 */
public NimbusRsJwtReader(String issuer, RSAPublicKey publicKey) {
    this(issuer, publicKey, SystemClock.getInstance());
}