Remove JWT validation from production code (apache#547)

Signed-off-by: Jonathan Leitschuh <[email protected]>
streamnative · Feb 7, 2024 · 4476f5e · 4476f5e
1 parent f8304b4
commit 4476f5e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 29 deletions.
diff --git a/src/main/java/org/apache/pulsar/manager/service/JwtService.java b/src/main/java/org/apache/pulsar/manager/service/JwtService.java
@@ -13,10 +13,6 @@
  */
 package org.apache.pulsar.manager.service;
 
-import io.jsonwebtoken.Claims;
-import org.springframework.stereotype.Service;
-
-import java.security.Key;
 import java.util.Optional;
 
 public interface JwtService {
@@ -27,8 +23,6 @@ public interface JwtService {
 
     String createBrokerToken(String role, String expiryTime);
 
-    Claims validateBrokerToken(String token);
-
     void setToken(String key, String value);
 
     String getToken(String key);

diff --git a/src/main/java/org/apache/pulsar/manager/service/impl/JwtServiceImpl.java b/src/main/java/org/apache/pulsar/manager/service/impl/JwtServiceImpl.java
@@ -13,6 +13,7 @@
  */
 package org.apache.pulsar.manager.service.impl;
 
+import com.google.common.annotations.VisibleForTesting;
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.security.Keys;
 import org.apache.pulsar.manager.service.JwtService;
@@ -24,6 +25,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
+import javax.annotation.Nullable;
 import java.io.IOException;
 import java.security.Key;
 import java.util.Date;
@@ -111,16 +113,21 @@ private Key decodeBySecretKey() {
         }
     }
 
-    public String createBrokerToken(String role, String expiryTime) {
-        Key signingKey;
+    @VisibleForTesting
+    @Nullable
+    Key getSigningKey() {
         if (jwtBrokerTokenMode.equals("SECRET")) {
-            signingKey = decodeBySecretKey();
+            return decodeBySecretKey();
         } else if (jwtBrokerTokenMode.equals("PRIVATE")){
-            signingKey = decodeByPrivateKey();
+            return decodeByPrivateKey();
         } else {
             log.info("Default disable JWT auth, please set jwt.broker.token.mode.");
             return null;
         }
+    }
+
+    public String createBrokerToken(String role, String expiryTime) {
+        Key signingKey = getSigningKey();
         if (signingKey == null) {
             log.error("JWT Auth failed, signingKey is not empty");
             return null;
@@ -144,20 +151,4 @@ private Key decodeByPrivateKey() {
             return null;
         }
     }
-
-    public Claims validateBrokerToken(String token) {
-        Key validationKey;
-        if (jwtBrokerTokenMode.equals("SECRET")) {
-            validationKey = decodeBySecretKey();
-        } else if (jwtBrokerTokenMode.equals("PRIVATE")){
-            validationKey = decodeByPrivateKey();
-        } else {
-            log.info("Default disable JWT auth, please set jwt.broker.token.mode.");
-            return null;
-        }
-        Jwt<?, Claims> jwt = Jwts.parser()
-                .setSigningKey(validationKey)
-                .parse(token);
-        return jwt.getBody();
-    }
 }
diff --git a/.../service/BrokerTokensServiceImplTest.java → ...ice/impl/BrokerTokensServiceImplTest.java b/.../service/BrokerTokensServiceImplTest.java → ...ice/impl/BrokerTokensServiceImplTest.java
@@ -11,11 +11,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.pulsar.manager.service;
+package org.apache.pulsar.manager.service.impl;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.Jwts;
 import org.apache.pulsar.manager.PulsarManagerApplication;
 import org.apache.pulsar.manager.profiles.HerdDBTestProfile;
+import org.apache.pulsar.manager.service.impl.JwtServiceImpl;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -28,6 +31,8 @@
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
 
+import java.security.Key;
+
 @RunWith(PowerMockRunner.class)
 @PowerMockRunnerDelegate(SpringRunner.class)
 @PowerMockIgnore( {"javax.*", "sun.*", "com.sun.*", "org.xml.*", "org.w3c.*"})
@@ -47,13 +52,21 @@
 public class BrokerTokensServiceImplTest {
 
     @Autowired
-    private JwtService jwtService;
+    private JwtServiceImpl jwtService;
+
+    public Claims validateBrokerToken(String token) {
+        Key validationKey = jwtService.getSigningKey();
+        Jwt jwt = Jwts.parser()
+                .setSigningKey(validationKey)
+                .parse(token);
+        return (Claims) jwt.getBody();
+    }
 
     @Test
     public void createBrokerTokenTest() {
         String role = "test";
         String token = jwtService.createBrokerToken(role, null);
-        Claims jwtBody = jwtService.validateBrokerToken(token);
+        Claims jwtBody = validateBrokerToken(token);
         Assert.assertEquals(role, jwtBody.getSubject());
     }
 }