
Commit 97ce7f9

[7.x] Update oidc related dependencies (elastic#71521) (elastic#71546)
Update: Non-issue, no notable changes. - json-smart from 2.3 to 2.4.2 - accessors-smart from 1.2 to 2.4.2 - asm from 7.1 to 8.0.1 - nimbus-jose-jwt from 8.6 to 9.8.1 - oauth2-oidc-sdk from 7.0.2 to 9.3.1
1 parent 8015c23 commit 97ce7f9

14 files changed

+335
-326
lines changed

x-pack/plugin/security/build.gradle

Lines changed: 290 additions & 283 deletions

x-pack/plugin/security/licenses/accessors-smart-1.2.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
4f09981a3c80f0766998c68d83bfd060812d5bcd

x-pack/plugin/security/licenses/asm-7.3.1.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
3f5199523fb95304b44563f5d56d9f5a07270669

x-pack/plugin/security/licenses/json-smart-2.3.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
a7fcd0f985696c37cd3546f19c85c2ff367f2e85

x-pack/plugin/security/licenses/nimbus-jose-jwt-8.6.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
2af7f734313320e4b156522d22ce32b775633909

x-pack/plugin/security/licenses/oauth2-oidc-sdk-7.0.2.jar.sha1

Lines changed: 0 additions & 1 deletion
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
85891e8c391911ee1073f5e1737689cd804f1a9b

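--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
@@ -41,7 +41,6 @@
 import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator;
 import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
 import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
 import org.apache.commons.codec.Charsets;
 import org.apache.http.Header;
 import org.apache.http.HttpEntity;
@@ -234,9 +233,9 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
 LOGGER.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims);
 }
 // Add the Id Token string as a synthetic claim
-final JSONObject verifiedIdTokenClaimsObject = verifiedIdTokenClaims.toJSONObject();
+final Map<String, Object> verifiedIdTokenClaimsObject = verifiedIdTokenClaims.toJSONObject();
 final JWTClaimsSet idTokenClaim = new JWTClaimsSet.Builder().claim("id_token_hint", idToken.serialize()).build();
-verifiedIdTokenClaimsObject.merge(idTokenClaim.toJSONObject());
+mergeObjects(verifiedIdTokenClaimsObject, idTokenClaim.toJSONObject());
 final JWTClaimsSet enrichedVerifiedIdTokenClaims = JWTClaimsSet.parse(verifiedIdTokenClaimsObject);
 if (accessToken != null && opConfig.getUserinfoEndpoint() != null) {
 getAndCombineUserInfoClaims(accessToken, enrichedVerifiedIdTokenClaims, claimsListener);
@@ -413,9 +412,9 @@ private void handleUserinfoResponse(HttpResponse httpResponse, JWTClaimsSet veri
 final JWTClaimsSet userInfoClaims = JWTClaimsSet.parse(contentAsString);
 validateUserInfoResponse(userInfoClaims, verifiedIdTokenClaims.getSubject(), claimsListener);
 if (LOGGER.isTraceEnabled()) {
-LOGGER.trace("Successfully retrieved user information: [{}]", userInfoClaims.toJSONObject().toJSONString());
+LOGGER.trace("Successfully retrieved user information: [{}]", userInfoClaims);
 }
-final JSONObject combinedClaims = verifiedIdTokenClaims.toJSONObject();
+final Map<String, Object> combinedClaims = verifiedIdTokenClaims.toJSONObject();
 mergeObjects(combinedClaims, userInfoClaims.toJSONObject());
 claimsListener.onResponse(JWTClaimsSet.parse(combinedClaims));
 } else if (ContentType.parse(contentHeader.getValue()).getMimeType().equals("application/jwt")) {
@@ -664,22 +663,21 @@ private void setMetadataFileWatcher(String jwkSetPath) throws IOException {
 }
 
 /**
-* Merges the JsonObject with the claims of the ID Token with the JsonObject with the claims of the UserInfo response. This is
-* necessary as some OPs return slightly different values for some claims (i.e. Google for the profile picture) and
-* {@link JSONObject#merge(Object)} would throw a runtime exception. The merging is performed based on the following rules:
+* Merges the Map with the claims of the ID Token with the Map with the claims of the UserInfo response.
+* The merging is performed based on the following rules:
 * <ul>
 * <li>If the values for a given claim are primitives (of the same type), the value from the ID Token is retained</li>
 * <li>If the values for a given claim are Objects, the values are merged</li>
 * <li>If the values for a given claim are Arrays, the values are merged without removing duplicates</li>
 * <li>If the values for a given claim are of different types, an exception is thrown</li>
 * </ul>
 *
-* @param userInfo The JsonObject with the ID Token claims
-* @param idToken The JsonObject with the UserInfo Response claims
-* @return the merged JsonObject
+* @param userInfo The Map with the ID Token claims
+* @param idToken The Map with the UserInfo Response claims
+* @return the merged Map
 */
 // pkg protected for testing
-static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
+static Map<String, Object> mergeObjects(Map<String, Object> idToken, Map<String, Object> userInfo) {
 for (Map.Entry<String, Object> entry : idToken.entrySet()) {
 Object value1 = entry.getValue();
 Object value2 = userInfo.get(entry.getKey());
@@ -688,8 +686,8 @@ static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
 }
 if (value1 instanceof JSONArray) {
 idToken.put(entry.getKey(), mergeArrays((JSONArray) value1, value2));
-} else if (value1 instanceof JSONObject) {
-idToken.put(entry.getKey(), mergeObjects((JSONObject) value1, value2));
+} else if (value1 instanceof Map) {
+idToken.put(entry.getKey(), mergeObjects((Map<String, Object>) value1, value2));
 } else if (value1.getClass().equals(value2.getClass()) == false) {
 // A special handling for certain OPs that mix the usage of true and "true"
 if (value1 instanceof Boolean && value2 instanceof String && String.valueOf(value1).equals(value2)) {
@@ -710,15 +708,15 @@ static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
 return idToken;
 }
 
-private static JSONObject mergeObjects(JSONObject jsonObject1, Object jsonObject2) {
+private static Map<String, Object> mergeObjects(Map<String, Object> jsonObject1, Object jsonObject2) {
 if (jsonObject2 == null) {
 return jsonObject1;
 }
-if (jsonObject2 instanceof JSONObject) {
-return mergeObjects(jsonObject1, (JSONObject) jsonObject2);
+if (jsonObject2 instanceof Map) {
+return mergeObjects(jsonObject1, (Map<String, Object>) jsonObject2);
 }
 throw new IllegalStateException("Error while merging ID token and userinfo claims. " +
-"Cannot merge JSONObject with [" + jsonObject2.getClass().getName() + "]");
+"Cannot merge a Map with a [" + jsonObject2.getClass().getName() + "]");
 }
 
 private static JSONArray mergeArrays(JSONArray jsonArray1, Object jsonArray2) {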
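Review bot: In the getUserClaims hunk (new lines 236–238), routing the synthetic `id_token_hint` claim through `mergeObjects` instead of `JSONObject.merge` changes what happens when the verified ID token already carries a claim with that name: by mergeObjects' own javadoc, same-type primitives keep the ID Token value, so the serialized token would be silently dropped where the removed javadoc says the old merge threw. Because this claim is the RP's own serialization of the token it just verified, I would set it directly rather than through the conflict-resolving merge: `verifiedIdTokenClaimsObject.put("id_token_hint", idToken.serialize());` in place of the `idTokenClaim` builder and the `mergeObjects` call. The rest of getUserClaims and the same-type-primitive branch of mergeObjects lie outside the hunk, so this is inferred from the javadoc rather than from visible code. Separately, the rewritten `@param` lines at new 675–676 still describe `userInfo` as the ID Token claims and `idToken` as the UserInfo claims, the reverse of the signature `mergeObjects(Map<String, Object> idToken, Map<String, Object> userInfo)`, and the javadoc should say that the method mutates and returns `idToken` and `@throws IllegalStateException` on a type mismatch. The two new `(Map<String, Object>)` casts at 690 and 716 are unchecked and deserve a method-scoped `@SuppressWarnings("unchecked")` with a one-line note that the maps come from `JWTClaimsSet.toJSONObject()`.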

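--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticatorTests.java
@@ -41,7 +41,6 @@
 import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
 import com.nimbusds.openid.connect.sdk.validators.InvalidHashException;
 import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
@@ -75,6 +74,7 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Date;
+import java.util.Map;
 import java.util.UUID;
 
 import static java.time.Instant.now;
@@ -704,14 +704,14 @@ public void testJsonObjectMerging() throws Exception {
 final JWK jwk = keyMaterial.v2().getKeys().get(0);
 RelyingPartyConfiguration rpConfig = getRpConfig(jwk.getAlgorithm().getName());
 OpenIdConnectProviderConfiguration opConfig = getOpConfig();
-JSONObject address = new JWTClaimsSet.Builder()
+Map<String, Object> address = new JWTClaimsSet.Builder()
 .claim("street_name", "12, Test St.")
 .claim("locality", "New York")
 .claim("region", "NY")
 .claim("country", "USA")
 .build()
 .toJSONObject();
-JSONObject idTokenObject = new JWTClaimsSet.Builder()
+Map<String, Object> idTokenObject = new JWTClaimsSet.Builder()
 .jwtID(randomAlphaOfLength(8))
 .audience(rpConfig.getClientId().getValue())
 .expirationTime(Date.from(now().plusSeconds(3600)))
@@ -730,7 +730,7 @@ public void testJsonObjectMerging() throws Exception {
 .build()
 .toJSONObject();
 
-JSONObject userinfoObject = new JWTClaimsSet.Builder()
+Map<String, Object> userinfoObject = new JWTClaimsSet.Builder()
 .claim("given_name", "Jane Doe")
 .claim("family_name", "Doe")
 .claim("profile", "https://test-profiles.com/jane.doe")
@@ -758,7 +758,7 @@ public void testJsonObjectMerging() throws Exception {
 assertTrue(idTokenObject.containsKey("email"));
 
 // Claims with different types throw an error
-JSONObject wrongTypeInfo = new JWTClaimsSet.Builder()
+Map<String, Object> wrongTypeInfo = new JWTClaimsSet.Builder()
 .claim("given_name", "Jane Doe")
 .claim("family_name", 123334434)
 .claim("profile", "https://test-profiles.com/jane.doe")
@@ -773,7 +773,7 @@ public void testJsonObjectMerging() throws Exception {
 });
 
 // Userinfo Claims overwrite ID Token claims
-JSONObject overwriteUserInfo = new JWTClaimsSet.Builder()
+Map<String, Object> overwriteUserInfo = new JWTClaimsSet.Builder()
 .claim("given_name", "Jane Doe")
 .claim("family_name", "Doe")
 .claim("profile", "https://test-profiles.com/jane.doe2")
@@ -784,11 +784,11 @@ public void testJsonObjectMerging() throws Exception {
 .toJSONObject();
 
 OpenIdConnectAuthenticator.mergeObjects(idTokenObject, overwriteUserInfo);
-assertThat(idTokenObject.getAsString("email"), equalTo("[email protected]"));
-assertThat(idTokenObject.getAsString("profile"), equalTo("https://test-profiles.com/jane.doe"));
+assertThat(idTokenObject.get("email"), equalTo("[email protected]"));
+assertThat(idTokenObject.get("profile"), equalTo("https://test-profiles.com/jane.doe"));
 
 // Merging Arrays
-JSONObject userInfoWithRoles = new JWTClaimsSet.Builder()
+Map<String, Object> userInfoWithRoles = new JWTClaimsSet.Builder()
 .claim("given_name", "Jane Doe")
 .claim("family_name", "Doe")
 .claim("profile", "https://test-profiles.com/jane.doe")
@@ -803,13 +803,13 @@ public void testJsonObjectMerging() throws Exception {
 assertThat((JSONArray) idTokenObject.get("roles"), containsInAnyOrder("role1", "role2", "role3", "role4", "role5"));
 
 // Merging nested objects
-JSONObject addressUserInfo = new JWTClaimsSet.Builder()
+Map<String, Object> addressUserInfo = new JWTClaimsSet.Builder()
 .claim("street_name", "12, Test St.")
 .claim("locality", "New York")
 .claim("postal_code", "10024")
 .build()
 .toJSONObject();
-JSONObject userInfoWithAddress = new JWTClaimsSet.Builder()
+Map<String, Object> userInfoWithAddress = new JWTClaimsSet.Builder()
 .claim("given_name", "Jane Doe")
 .claim("family_name", "Doe")
 .claim("profile", "https://test-profiles.com/jane.doe")
@@ -822,7 +822,7 @@ public void testJsonObjectMerging() throws Exception {
 .toJSONObject();
 OpenIdConnectAuthenticator.mergeObjects(idTokenObject, userInfoWithAddress);
 assertTrue(idTokenObject.containsKey("address"));
-JSONObject combinedAddress = (JSONObject) idTokenObject.get("address");
+Map<String, Object> combinedAddress = (Map<String, Object>) idTokenObject.get("address");
 assertTrue(combinedAddress.containsKey("street_name"));
 assertTrue(combinedAddress.containsKey("locality"));
 assertTrue(combinedAddress.containsKey("street_name"));
@@ -832,14 +832,14 @@ public void testJsonObjectMerging() throws Exception {
 }
 
 public void testJsonObjectMergingWithBooleanLeniency() {
-final JSONObject idTokenObject = new JWTClaimsSet.Builder()
+final Map<String, Object> idTokenObject = new JWTClaimsSet.Builder()
 .claim("email_verified", true)
 .claim("email_verified_1", "true")
 .claim("email_verified_2", false)
 .claim("email_verified_3", "false")
 .build()
 .toJSONObject();
-final JSONObject userInfoObject = new JWTClaimsSet.Builder()
+final Map<String, Object> userInfoObject = new JWTClaimsSet.Builder()
 .claim("email_verified", "true")
 .claim("email_verified_1", true)
 .claim("email_verified_2", "false")
@@ -852,23 +852,23 @@ public void testJsonObjectMergingWithBooleanLeniency() {
 assertSame(Boolean.FALSE, idTokenObject.get("email_verified_2"));
 assertSame(Boolean.FALSE, idTokenObject.get("email_verified_3"));
 
-final JSONObject idTokenObject1 = new JWTClaimsSet.Builder()
+final Map<String, Object> idTokenObject1 = new JWTClaimsSet.Builder()
 .claim("email_verified", true)
 .build()
 .toJSONObject();
-final JSONObject userInfoObject1 = new JWTClaimsSet.Builder()
+final Map<String, Object> userInfoObject1 = new JWTClaimsSet.Builder()
 .claim("email_verified", "false")
 .build()
 .toJSONObject();
 IllegalStateException e =
 expectThrows(IllegalStateException.class, () -> OpenIdConnectAuthenticator.mergeObjects(idTokenObject1, userInfoObject1));
 assertThat(e.getMessage(), containsString("Cannot merge [java.lang.Boolean] with [java.lang.String]"));
 
-final JSONObject idTokenObject2 = new JWTClaimsSet.Builder()
+final Map<String, Object> idTokenObject2 = new JWTClaimsSet.Builder()
 .claim("email_verified", true)
 .build()
 .toJSONObject();
-final JSONObject userInfoObject2 = new JWTClaimsSet.Builder()
+final Map<String, Object> userInfoObject2 = new JWTClaimsSet.Builder()
 .claim("email_verified", "yes")
 .build()
 .toJSONObject();
@@ -957,7 +957,11 @@ private Tuple<AccessToken, JWT> buildTokens(JWTClaimsSet idToken, Key key, Strin
 if (withAccessToken) {
 accessToken = new BearerAccessToken(Base64.getUrlEncoder().encodeToString(randomByteArrayOfLength(32)));
 AccessTokenHash expectedHash = AccessTokenHash.compute(accessToken, JWSAlgorithm.parse(alg));
-idToken = JWTClaimsSet.parse(idToken.toJSONObject().appendField("at_hash", expectedHash.getValue()));
+Map<String, Object> idTokenMap = idToken.toJSONObject();
+idTokenMap.put("at_hash", expectedHash.getValue());
+// This is necessary as if nonce claim is of type Nonce, the library won't take it into consideration when serializing the JWT
+idTokenMap.put("nonce", idTokenMap.get("nonce").toString());
+idToken = JWTClaimsSet.parse(idTokenMap);
 }
 SignedJWT jwt = new SignedJWT(
 new JWSHeader.Builder(JWSAlgorithm.parse(alg)).keyID(keyId).build(),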
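Review bot: The new line 963 in buildTokens, `idTokenMap.put("nonce", idTokenMap.get("nonce").toString());`, dereferences the nonce claim unconditionally, so a caller that builds an ID token without a nonce (the cases meant to exercise a missing or rejected nonce) would now fail with a NullPointerException in the helper rather than with the assertion under test. If every caller of this branch is known to set a nonce that is fine, but a guard keeps the helper honest: `Object nonce = idTokenMap.get("nonce");` / `if (nonce != null) { idTokenMap.put("nonce", nonce.toString()); }`. buildTokens starts before and ends after the hunk, so its callers are not visible here and this is inferred. Unrelated to the type change, the pre-existing context comment `// Userinfo Claims overwrite ID Token claims` sits above assertions that verify the ID Token values are retained; it is worth correcting while this block is touched.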

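--- a/x-pack/test/feature-aware/build.gradle
+++ b/x-pack/test/feature-aware/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'elasticsearch.build'
 
 dependencies {
-api 'org.ow2.asm:asm:7.3.1'
+api 'org.ow2.asm:asm:8.0.1'
 api project(':server')
 api project(':x-pack:plugin:core')
 testImplementation project(':test:framework')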
