From 2bdd1de5d6e2350ed0ece7093c9864efbebfa052 Mon Sep 17 00:00:00 2001 From: Ryan Liang Date: Tue, 24 Oct 2023 08:52:07 -0700 Subject: [PATCH] Add tests and relocate KeyPaddingUtil Signed-off-by: Ryan Liang --- .../http/saml/AuthTokenProcessorHandler.java | 16 +------ .../authtoken/jwt/KeyPaddingUtil.java | 33 +++++++++++++++ .../authtoken/jwt/KeyPaddingUtilTest.java | 42 +++++++++++++++++++ 3 files changed, 76 insertions(+), 15 deletions(-) create mode 100644 src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java create mode 100644 src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java index 4cafe3f86c..9f9e654b69 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java @@ -32,14 +32,12 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.node.ObjectNode; -import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory; import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.KeyUse; import com.nimbusds.jose.jwk.OctetSequenceKey; -import com.nimbusds.jose.util.ByteUtils; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; import com.onelogin.saml2.authn.SamlResponse; 
@@ -66,7 +64,7 @@ import org.opensearch.security.dlic.rest.api.AuthTokenProcessorAction; import org.opensearch.security.filter.SecurityResponse; -import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength; +import static org.opensearch.security.authtoken.jwt.KeyPaddingUtil.padSecret; class AuthTokenProcessorHandler { private static final Logger log = LogManager.getLogger(AuthTokenProcessorHandler.class); @@ -121,18 +119,6 @@ class AuthTokenProcessorHandler { this.jwsHeader = this.createJwsHeaderFromSettings(); } - public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) { - int requiredSecretLength; - try { - requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm); - } catch (JOSEException e) { - throw new RuntimeException(e); - } - int requiredByteLength = ByteUtils.byteLength(requiredSecretLength); - // padding the signing key with 0s to meet the minimum required length - return StringUtils.rightPad(signingKey, requiredByteLength, "\0"); - } - @SuppressWarnings("removal") Optional handle(RestRequest restRequest) throws Exception { try { diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java b/src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java new file mode 100644 index 0000000000..41bf2955f2 --- /dev/null +++ b/src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java 
@@ -0,0 +1,33 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.authtoken.jwt;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.util.ByteUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
+
+public class KeyPaddingUtil {
+ public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
+ int requiredSecretLength;
+ try {
+ requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
+ } catch (JOSEException e) {
+ throw new RuntimeException(e);
+ }
+ int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
+ // padding the signing key with 0s to meet the minimum required length
+ return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
+ }
+}
diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java
new file mode 100644
index 0000000000..78bd950964
--- /dev/null
+++ b/src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java
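Review bot: Right-padding a short `signingKey` with `\0` in `KeyPaddingUtil.padSecret` only gets the key past the signer's minimum-length check; the key carries no more entropy than the original string, and the caller gets no signal that padding happened. A Javadoc comment on `padSecret` should say so and state why padding is kept (presumably compatibility with existing short keys), and a warning logged when `signingKey.length() < requiredByteLength`, without printing the key itself, would let operators find and rotate such keys. `StringUtils.rightPad` returns null for a null input, so `Objects.requireNonNull(signingKey, "signingKey")` at the top would fail earlier and more clearly. The catch block could throw `new IllegalArgumentException("Unsupported JWS algorithm: " + jwsAlgorithm, e)` instead of a bare `RuntimeException`.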
@@ -0,0 +1,42 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.authtoken.jwt;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import org.junit.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class KeyPaddingUtilTest {
+
+ private String signingKey = "testKey";
+
+ @Test
+ public void testPadSecretForHS256() {
+ JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS256;
+ String paddedKey = KeyPaddingUtil.padSecret(signingKey, jwsAlgorithm);
+
+ // For HS256, HMAC using SHA-256, typical key length is 256 bits or 32 bytes
+ int expectedLength = 32;
+ assertEquals(expectedLength, paddedKey.length());
+ }
+
+ @Test
+ public void testPadSecretForHS384() {
+ JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS384;
+ String paddedKey = KeyPaddingUtil.padSecret(signingKey, jwsAlgorithm);
+
+ // For HS384, HMAC using SHA-384, typical key length is 384 bits or 48 bytes
+ int expectedLength = 48;
+ assertEquals(expectedLength, paddedKey.length());
+ }
+}
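Review bot: Both tests in `KeyPaddingUtilTest` assert only `paddedKey.length()`, so they would still pass if `padSecret` altered or dropped the original key characters, and neither covers a key that already meets the minimum length or an algorithm outside the HMAC family. Adding `assertTrue(paddedKey.startsWith(signingKey))` to each test and a case where a 32-character key must come back unchanged for HS256 would pin the behaviour the SAML handler relies on. The comments call 32 and 48 bytes the "typical" key length, while the code under test pads to the minimum required length; `// HS256 requires a key of at least 256 bits (32 bytes)` is more accurate. The file also mixes JUnit 4's `org.junit.Test` with `org.junit.jupiter.api.Assertions.assertEquals`; using `org.junit.Assert.assertEquals` keeps it on one framework.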