Search in sources :

Example 1 with JwtAuthenticationStore

use of io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore in project blueocean-plugin by jenkinsci.

the class JwtAuthenticationServiceImpl method getToken.

@Override
public JwtToken getToken(@Nullable @QueryParameter("expiryTimeInMins") Integer expiryTimeInMins, @Nullable @QueryParameter("maxExpiryTimeInMins") Integer maxExpiryTimeInMins) {
    long expiryTime = Long.getLong("EXPIRY_TIME_IN_MINS", DEFAULT_EXPIRY_IN_SEC);
    int maxExpiryTime = Integer.getInteger("MAX_EXPIRY_TIME_IN_MINS", DEFAULT_MAX_EXPIRY_TIME_IN_MIN);
    if (maxExpiryTimeInMins != null) {
        maxExpiryTime = maxExpiryTimeInMins;
    }
    if (expiryTimeInMins != null) {
        if (expiryTimeInMins > maxExpiryTime) {
            throw new ServiceException.BadRequestException(String.format("expiryTimeInMins %s can't be greater than %s", expiryTimeInMins, maxExpiryTime));
        }
        expiryTime = expiryTimeInMins * 60;
    }
    Authentication authentication = Jenkins.getAuthentication2();
    String userId = authentication.getName();
    User user = User.get(userId, false, Collections.emptyMap());
    String email = null;
    String fullName = null;
    if (user != null) {
        fullName = user.getFullName();
        userId = user.getId();
        Mailer.UserProperty p = user.getProperty(Mailer.UserProperty.class);
        if (p != null)
            email = p.getAddress();
    }
    Plugin plugin = Jenkins.get().getPlugin("blueocean-jwt");
    String issuer = "blueocean-jwt:" + ((plugin != null) ? plugin.getWrapper().getVersion() : "");
    JwtToken jwtToken = new JwtToken();
    jwtToken.claim.put("jti", UUID.randomUUID().toString().replace("-", ""));
    jwtToken.claim.put("iss", issuer);
    jwtToken.claim.put("sub", userId);
    jwtToken.claim.put("name", fullName);
    long currentTime = System.currentTimeMillis() / 1000;
    jwtToken.claim.put("iat", currentTime);
    jwtToken.claim.put("exp", currentTime + expiryTime);
    jwtToken.claim.put("nbf", currentTime - DEFAULT_NOT_BEFORE_IN_SEC);
    // set claim
    JSONObject context = new JSONObject();
    JSONObject userObject = new JSONObject();
    userObject.put("id", userId);
    userObject.put("fullName", fullName);
    userObject.put("email", email);
    JwtAuthenticationStore authenticationStore = getJwtStore(authentication);
    authenticationStore.store(authentication, context);
    context.put("user", userObject);
    jwtToken.claim.put("context", context);
    return jwtToken;
}
Also used : JwtToken(io.jenkins.blueocean.auth.jwt.JwtToken) User(hudson.model.User) JSONObject(net.sf.json.JSONObject) Authentication(org.springframework.security.core.Authentication) Mailer(hudson.tasks.Mailer) Plugin(hudson.Plugin) JwtAuthenticationStore(io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore)

Example 2 with JwtAuthenticationStore

use of io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore in project blueocean-plugin by jenkinsci.

the class JwtTokenVerifierImpl method validate.

/**
 * @return
 *      null if the JWT token is not present
 * @throws Exception
 *      if the JWT token is present but invalid
 */
@CheckForNull
private Authentication validate(HttpServletRequest request) {
    String authHeader = request.getHeader("Authorization");
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
        return null;
    }
    String token = authHeader.substring("Bearer ".length());
    JsonWebStructure jws = parse(token);
    if (jws == null) {
        return null;
    }
    try {
        String alg = jws.getAlgorithmHeaderValue();
        if (alg == null || !alg.equals(RSA_USING_SHA256)) {
            logger.error(String.format("Invalid JWT token: unsupported algorithm in header, found %s, expected %s", alg, RSA_USING_SHA256));
            throw new ServiceException.UnauthorizedException("Invalid JWT token");
        }
        String kid = jws.getKeyIdHeaderValue();
        if (kid == null) {
            logger.error("Invalid JWT token: missing kid");
            throw new ServiceException.UnauthorizedException("Invalid JWT token");
        }
        SigningPublicKey publicKey = JwtSigningKeyProvider.toPublicKey(kid);
        if (publicKey == null) {
            throw new ServiceException.UnexpectedErrorException("Invalid kid=" + kid);
        }
        JwtConsumer jwtConsumer = new JwtConsumerBuilder().setRequireExpirationTime().setRequireJwtId().setAllowedClockSkewInSeconds(// allow some leeway in validating time based claims to account for clock skew
        30).setRequireSubject().setVerificationKey(// verify the sign with the public key
        publicKey.getKey()).build();
        try {
            JwtContext context = jwtConsumer.process(token);
            JwtClaims claims = context.getJwtClaims();
            String subject = claims.getSubject();
            if (subject.equals("anonymous")) {
                // if anonymous, we do not bother checking expiration
                return Jenkins.ANONYMOUS2;
            } else {
                // If not anonymous user, get Authentication object associated with this claim
                // We give a change to the authentication store to inspect the claims and if expired it might
                // do cleanup of associated Authentication object for example.
                JwtAuthenticationStore authenticationStore = getJwtStore(claims.getClaimsMap());
                Authentication authentication = authenticationStore.getAuthentication(claims.getClaimsMap());
                // Now check if token expired
                NumericDate expirationTime = claims.getExpirationTime();
                if (expirationTime.isBefore(NumericDate.now())) {
                    throw new ServiceException.UnauthorizedException("Invalid JWT token: expired");
                }
                return authentication;
            }
        } catch (InvalidJwtException e) {
            logger.error("Invalid JWT token: " + e.getMessage(), e);
            throw new ServiceException.UnauthorizedException("Invalid JWT token");
        } catch (MalformedClaimException e) {
            logger.error(String.format("Error reading sub header for token %s", jws.getPayload()), e);
            throw new ServiceException.UnauthorizedException("Invalid JWT token: malformed claim");
        }
    } catch (JoseException e) {
        logger.error("Error parsing JWT token: " + e.getMessage(), e);
        throw new ServiceException.UnauthorizedException("Invalid JWT Token: " + e.getMessage());
    }
}
Also used : InvalidJwtException(org.jose4j.jwt.consumer.InvalidJwtException) SigningPublicKey(io.jenkins.blueocean.auth.jwt.SigningPublicKey) NumericDate(org.jose4j.jwt.NumericDate) JwtClaims(org.jose4j.jwt.JwtClaims) JwtConsumerBuilder(org.jose4j.jwt.consumer.JwtConsumerBuilder) JoseException(org.jose4j.lang.JoseException) JwtContext(org.jose4j.jwt.consumer.JwtContext) JwtAuthenticationStore(io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore) MalformedClaimException(org.jose4j.jwt.MalformedClaimException) ServiceException(io.jenkins.blueocean.commons.ServiceException) Authentication(org.springframework.security.core.Authentication) JwtConsumer(org.jose4j.jwt.consumer.JwtConsumer) JsonWebStructure(org.jose4j.jwx.JsonWebStructure) CheckForNull(javax.annotation.CheckForNull)

Aggregations

JwtAuthenticationStore (io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore)2 Authentication (org.springframework.security.core.Authentication)2 Plugin (hudson.Plugin)1 User (hudson.model.User)1 Mailer (hudson.tasks.Mailer)1 JwtToken (io.jenkins.blueocean.auth.jwt.JwtToken)1 SigningPublicKey (io.jenkins.blueocean.auth.jwt.SigningPublicKey)1 ServiceException (io.jenkins.blueocean.commons.ServiceException)1 CheckForNull (javax.annotation.CheckForNull)1 JSONObject (net.sf.json.JSONObject)1 JwtClaims (org.jose4j.jwt.JwtClaims)1 MalformedClaimException (org.jose4j.jwt.MalformedClaimException)1 NumericDate (org.jose4j.jwt.NumericDate)1 InvalidJwtException (org.jose4j.jwt.consumer.InvalidJwtException)1 JwtConsumer (org.jose4j.jwt.consumer.JwtConsumer)1 JwtConsumerBuilder (org.jose4j.jwt.consumer.JwtConsumerBuilder)1 JwtContext (org.jose4j.jwt.consumer.JwtContext)1 JsonWebStructure (org.jose4j.jwx.JsonWebStructure)1 JoseException (org.jose4j.lang.JoseException)1