
test(jans-cedarling): add tests and fix bugs caught in testing #9999

Merged
merged 28 commits into from
Nov 4, 2024

Contributor

@rmarinn rmarinn commented Oct 31, 2024

Prepare


Description

This PR adds tests for JwtService to improve test coverage. Please see the target issue for the tests covered.

Target issue

target issue: #9995

closes #9995

Implementation Details


Test and Document the changes

  • [x] Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…able types

- replace token structs in test utils with generic serializable types for greater test flexibility

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the access_token has an invalid signature.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the id_token has an invalid signature.
- Add test for when the id_token has a different iss with
  access_token.
- Add test for when the id_token has a different aud with
  access_token.
- Add test for when the id_token is expired.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the userinfo_token has an invalid signature.
- Add test for when the userinfo_token has a different iss with
  the access_token.
- Add test for when the userinfo_token has a different aud with
  the access_token.
- Add test for when the userinfo_token has a different sub with
  the id_token.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- fixed a bug where the validation for the `aud` and `iss` of the
  userinfo_token is mixed up

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
…ecodingArgs`

- This change consolidates the parameters for the `decode` function into a single
  `DecodingArgs` struct, for easier code readability and maintainability.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
…validation

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
… variant

- renamed decoding_strategy::Error::JwkMissingKid to decoding_strategy::Error::JwtMissingKeyId

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- add test expecting to error when using access_token before nbf
- add test expecting to error when using id_token before nbf
- add test expecting to error when using userinfo_token nbf

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
@rmarinn rmarinn added the comp-jans-cedarling Touching folder /jans-cedarling label Oct 31, 2024
@rmarinn rmarinn self-assigned this Oct 31, 2024
@rmarinn rmarinn linked an issue Oct 31, 2024 that may be closed by this pull request
28 tasks

dryrunsecurity bot commented Oct 31, 2024

DryRun Security Summary

The pull request focuses on improving the security and robustness of the JWT (JSON Web Token) handling in the cedarling application, including implementing comprehensive validation rules, introducing a configurable decoding strategy, enhancing error handling, and adding extensive test coverage.

Summary:

The code changes in this pull request focus on improving the security and robustness of the JWT (JSON Web Token) handling in the cedarling application. The changes include:

  1. Implementing comprehensive validation rules for access tokens, ID tokens, and userinfo tokens, ensuring the integrity, authenticity, and proper relationships between the different token types.
  2. Introducing a configurable decoding strategy that allows the application to either perform full token validation or decode tokens without validation, providing flexibility in the application's security posture.
  3. Enhancing error handling by introducing a more comprehensive JwtServiceError enum, which provides detailed information about the specific errors that can occur during the token decoding and validation process.
  4. Adding extensive test coverage, including negative test cases that simulate various invalid token scenarios, to ensure the JwtService implementation can correctly identify and reject malformed or compromised tokens.

These changes demonstrate a strong focus on application security, as they help mitigate potential vulnerabilities related to the misuse or tampering of JWT tokens. The attention to detail in the token validation process and the robust error handling mechanisms contribute to the overall security and reliability of the cedarling application.

Files Changed:

  • jans-cedarling/cedarling/src/common/policy_store.rs: This file contains changes related to the PolicyStore struct, including the addition of a new token_metadata field in the TrustedIssuer struct. While this field is currently unused, it may be introduced in the future to provide additional metadata about the tokens issued by trusted issuers.
  • jans-cedarling/cedarling/src/authz/mod.rs: The changes in this file update the AuthorizeError enum to use the jwt::JwtServiceError instead of the jwt::JwtDecodingError, which provides more detailed and informative error messages.
  • jans-cedarling/cedarling/examples/tokens.json: This new file contains sample JSON objects representing different types of tokens, including an access token, an ID token, and a userinfo token. The file should be properly secured and access to it should be restricted to authorized personnel or processes.
  • jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs: This file demonstrates the implementation of JWT validation in the Cedarling application, including the setup of the JwtConfig, token parsing and inspection, and the authorization evaluation process.
  • jans-cedarling/cedarling/src/jwt/decoding_strategy.rs: This file introduces two decoding strategies, WithoutValidation and WithValidation, which provide flexibility in the JWT decoding and validation process.
  • jans-cedarling/cedarling/src/jwt/decoding_strategy/error.rs: This file defines the JwtDecodingError enum, which handles various error scenarios that can occur during the JWT decoding and validation process.
  • jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs: This file contains the implementation of the KeyService, which is responsible for fetching and managing the decoding keys (JWKS) for various OpenID Connect (OIDC) identity providers.
  • jans-cedarling/cedarling/src/jwt/error.rs: This file is a refactoring of the JwtDecodingError enum, which has been renamed to JwtServiceError to better reflect its purpose as an error type for the JWT service.
  • jans-cedarling/cedarling/src/jwt/test.rs: This file has been reorganized, with the removal of several test modules and the addition of three new modules: utils, with_validation, and without_validation.
  • jans-cedarling/cedarling/src/jwt/mod.rs: This file includes changes to the JwtService module, which now enforces a set of validation rules for the access_token, id_token, and userinfo_token.

Code Analysis

We ran 9 analyzers against 23 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
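
The claim rules that the tests in this PR exercise (required claims, `exp`/`nbf`, and matching `iss`, `aud` and `sub` across the three tokens), written out as an added example that is not Cedarling's code. The names `Claims`, `TokenError`, `check_one`, `validate_tokens` and `sample` are hypothetical, claims are assumed to be already decoded and signature-verified, and all sample values are constructed.

```rust
// Added example, not Cedarling source. All names here are hypothetical.

#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: Option<String>,
    pub aud: Option<String>,
    pub sub: Option<String>,
    pub exp: Option<u64>, // seconds since the Unix epoch
    pub nbf: Option<u64>,
}

// Each variant names the offending token, so a test can assert on the exact
// failure instead of on "some error".
#[derive(Debug, PartialEq, Eq)]
pub enum TokenError {
    MissingClaim(&'static str, &'static str), // (token, claim)
    Expired(&'static str),
    NotYetValid(&'static str),
    IssMismatch(&'static str),
    AudMismatch(&'static str),
    SubMismatch(&'static str),
}

/// Per-token checks: required claims present, `exp` still ahead, `nbf` reached.
/// `iat` is not required, following the commit that dropped that requirement.
fn check_one(token: &'static str, c: &Claims, now: u64) -> Result<(), TokenError> {
    if c.iss.is_none() { return Err(TokenError::MissingClaim(token, "iss")); }
    if c.aud.is_none() { return Err(TokenError::MissingClaim(token, "aud")); }
    if c.sub.is_none() { return Err(TokenError::MissingClaim(token, "sub")); }
    let exp = c.exp.ok_or(TokenError::MissingClaim(token, "exp"))?;
    if now >= exp { return Err(TokenError::Expired(token)); }
    if let Some(nbf) = c.nbf {
        if now < nbf { return Err(TokenError::NotYetValid(token)); }
    }
    Ok(())
}

/// Cross-token checks as listed in the commit messages: id_token and
/// userinfo_token must share `iss` and `aud` with the access_token, and the
/// userinfo_token must share `sub` with the id_token.
pub fn validate_tokens(access: &Claims, id: &Claims, userinfo: &Claims, now: u64)
    -> Result<(), TokenError>
{
    check_one("access_token", access, now)?;
    check_one("id_token", id, now)?;
    check_one("userinfo_token", userinfo, now)?;
    if id.iss != access.iss { return Err(TokenError::IssMismatch("id_token")); }
    if id.aud != access.aud { return Err(TokenError::AudMismatch("id_token")); }
    // Keep each comparison paired with its own error variant: swapping either
    // the fields or the variants is the kind of mix-up a specific assert catches.
    if userinfo.iss != access.iss { return Err(TokenError::IssMismatch("userinfo_token")); }
    if userinfo.aud != access.aud { return Err(TokenError::AudMismatch("userinfo_token")); }
    if userinfo.sub != id.sub { return Err(TokenError::SubMismatch("userinfo_token")); }
    Ok(())
}

/// Constructed sample claims, valid for 1000 <= now < 2000.
pub fn sample(iss: &str, aud: &str, sub: &str) -> Claims {
    Claims {
        iss: Some(iss.into()),
        aud: Some(aud.into()),
        sub: Some(sub.into()),
        exp: Some(2_000),
        nbf: Some(1_000),
    }
}

fn main() {
    let access = sample("https://idp.example", "client-1", "user-1");
    let id = access.clone();
    let mut userinfo = access.clone();
    userinfo.aud = Some("client-2".into()); // only `aud` differs
    println!("{:?}", validate_tokens(&access, &id, &userinfo, 1_500));
}
```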

@mo-auto mo-auto added the area-CI Issue or changes required in automatic builds or CI infrastructure label Oct 31, 2024
@rmarinn rmarinn marked this pull request as draft October 31, 2024 13:32
@abaghinyan abaghinyan self-requested a review October 31, 2024 19:41
- references to `JwtService::decode_claims` updated to `JwtService::decode_tokens`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- add test that should error when a key with a given `kid`
  that should be used for validating a token can't be found.
- add a test that panics when the openid configuration cannot
  be fetched at JwtService's initialization.
  the openid configuration cannot be fetched
- add a test that panics when the JWKS cannot be fetched at
  JwtService's initialization.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
…_jwt_validation.rs

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- moved `can_update_local_jwks` from `with_validation.rs` to
  `key_service.rs`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- updated docstrings on some test files to more accurately indicate what they contain.
- remove unnecessary "unexpected" data checks on tests and just have it on one.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
@rmarinn rmarinn marked this pull request as ready for review November 1, 2024 07:38
@rmarinn rmarinn requested a review from djellemah November 1, 2024 07:38
- improve code readability in tests by returning a List<EncodingKey>
  instead of a List<(String, jwt::EncodingKey)> when generating keys

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
- Modified `invalidate_token` to handle cases where the first two characters in the signature
  are identical and swapping them won't invalidate the token. This change introduces a loop to
  assign a distinct character to the first position if characters match, ensuring the token
  is reliably invalidated without unintended duplication.
- Moved  `invalidate_token` to `utils.rs`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
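
The edge case this commit describes, as an added example rather than the project's `invalidate_token`: swapping the first two signature characters does nothing when they are equal, so a negative test built on it would still present a validly signed token. `naive_invalidate`, `split_signature`, `join`, the `B64URL` constant and the sample tokens are assumptions made for the illustration.

```rust
// Added example, not the project's test utility. Names other than
// `invalidate_token` are hypothetical; the tokens below are constructed.

const B64URL: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Split a compact JWS (`header.payload.signature`) at the last dot.
/// Returns None when there is no signature segment of at least two characters.
fn split_signature(token: &str) -> Option<(&str, Vec<u8>)> {
    let (signed_part, sig) = token.rsplit_once('.')?;
    if sig.len() < 2 {
        return None;
    }
    Some((signed_part, sig.as_bytes().to_vec()))
}

fn join(signed_part: &str, sig: Vec<u8>) -> Option<String> {
    // A byte swap on non-ASCII input could break UTF-8; report that as None.
    Some(format!("{}.{}", signed_part, String::from_utf8(sig).ok()?))
}

/// Swap-only version: returns the token unchanged when the first two
/// signature characters are identical.
pub fn naive_invalidate(token: &str) -> Option<String> {
    let (signed_part, mut sig) = split_signature(token)?;
    sig.swap(0, 1);
    join(signed_part, sig)
}

/// Swap when the characters differ; otherwise put a different base64url
/// character in the first position so the signature always changes.
pub fn invalidate_token(token: &str) -> Option<String> {
    let (signed_part, mut sig) = split_signature(token)?;
    if sig[0] != sig[1] {
        sig.swap(0, 1);
    } else {
        let replacement = B64URL.iter().copied().find(|&c| c != sig[0])?;
        sig[0] = replacement;
    }
    join(signed_part, sig)
}

fn main() {
    let token = "aGVhZGVy.cGF5bG9hZA.AAxyz"; // constructed, not a real JWT
    println!("naive: {:?}", naive_invalidate(token));
    println!("fixed: {:?}", invalidate_token(token));
}
```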
@rmarinn rmarinn force-pushed the jans-cedarling-9995 branch from 5329133 to f2012ad Compare November 2, 2024 05:39
rmarinn added a commit that referenced this pull request Nov 2, 2024
Contributor

@olehbozhok olehbozhok left a comment

I don't like when a function panics. But it should be refactored in a further issue. As far as I know.

@olehbozhok
Contributor

Also, for me the renaming of errors is not really understandable. And the usage of the same error name in different places confuses me.

- renamed decoding_strategy::Error to decoding_strategy::DecodingError
- renamed key_service::Error to key_service::KeyServiceError

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
@rmarinn rmarinn force-pushed the jans-cedarling-9995 branch from 7887aa5 to 8adf70e Compare November 2, 2024 11:05
});

// generate the signed token strings
let access_token = generate_token_using_claims(&access_token_claims, &encoding_keys[0]);
Contributor

Like the way the token is generated using claims and then used in test cases. Now there should be no issue in understanding the token content.

/// and processing of JWTs, including issues with the key service and unsupported
/// algorithms.
#[derive(thiserror::Error, Debug)]
pub enum DecodingError {
Contributor

Do you think TokenDecodingError or JWTDecodingError would be a better name? It should clearly indicate the types of errors represented within the enum.

Contributor Author

renamed jwt::decoding_error::DecodingError to jwt::decoding_error::JwtDecodingError here: f4f20be

#[allow(clippy::enum_variant_names)]
pub enum JwtDecodingError {
pub enum Error {
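Review bot: the `#[allow(clippy::enum_variant_names)]` above the enum has no comment explaining why the lint is silenced. Since the enum's name changes in this hunk, check whether the variants still trigger the lint under the new name and drop the attribute if they do not; otherwise add a one-line reason next to it.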
Contributor

Can we use a more specific name instead of just Error? Error is too generic. Since it’s related to JWT, the enum name should reflect that.

Contributor Author

renamed jwt::Error to jwt::JwtServiceError here: f4f20be

Contributor

@duttarnab duttarnab left a comment

Please see inline comments.

djellemah previously approved these changes Nov 3, 2024
Contributor

@djellemah djellemah left a comment

Looks good to me.

wrt the Error naming - my opinion is that something like keyservice::Error is fine, provided that the qualified name is used in the code, eg

fn turn_key() -> Result<(),keyservice::Error>

tells me exactly what's going on, but

use keyservice::Error;
.
.
.
fn turn_key() -> Result<(),Error>

is much less clear.

olehbozhok previously approved these changes Nov 3, 2024
- rename `jwt::Error` to `jwt::JwtServiceError`
- rename `decoding_strategy::DecodingError` to `decoding_strategy::toJwtDecodingError`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
@rmarinn rmarinn dismissed stale reviews from olehbozhok and djellemah via b1f8cb5 November 4, 2024 15:55
@rmarinn rmarinn requested a review from duttarnab November 4, 2024 15:59
@duttarnab duttarnab enabled auto-merge (squash) November 4, 2024 16:03
@duttarnab duttarnab merged commit 32c21ea into main Nov 4, 2024
1 check passed
@duttarnab duttarnab deleted the jans-cedarling-9995 branch November 4, 2024 16:50
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* refactor(jans-cedarling): replace token structs with generic serializable types

- replace token structs in test utils with generic serializable types for greater test flexibility

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add negative tests for access_token validation

- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the access_token has an invalid signature.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add negative tests for id_token validation

- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the id_token has an invalid signature.
- Add test for when the id_token has a different iss with
  access_token.
- Add test for when the id_token has a different aud with
  access_token.
- Add test for when the id_token is expired.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add test for checking access_token's expiration

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add negative tests for userinfo_token validation

- Implement tests to verify error handling when required claims are missing
  (iss, aud, sub, iat, exp).
- Add test for when the userinfo_token has an invalid signature.
- Add test for when the userinfo_token has a different iss with
  the access_token.
- Add test for when the userinfo_token has a different aud with
  the access_token.
- Add test for when the userinfo_token has a different sub with
  the id_token.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): move files around for better organization

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* fix(jans-cedarling): fix userinfo_token validation bug

- fixed a bug where the validation for the `aud` and `iss` of the
  userinfo_token is mixed up

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* refactor(jans-cedarling): replace parameters in `decode(...)` with `DecodingArgs`

- This change consolidates the parameters for the `decode` function into a single
  `DecodingArgs` struct, for easier code readability and maintainability.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* refactor(jans-cedarling): remove requirement for `iat` claim in token validation

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* fix(jans-cedarling): fix incorrect test fixture

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add detailed assertions for improved test accuracy

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* refactor(jans-cedarling): improve Error organization in jwt module

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): update outdated docstrings and rename an Error variant

- renamed decoding_strategy::Error::JwkMissingKid to decoding_strategy::Error::JwtMissingKeyId

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add unit tests for validating `nbf`

- add test expecting to error when using access_token before nbf
- add test expecting to error when using id_token before nbf
- add test expecting to error when using userinfo_token nbf

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): resolve clippy warnings

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): update incorrect docstrings

- references to `JwtService::decode_claims` updated to `JwtService::decode_tokens`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): add tests relating to KeyService

- add test that should error when a key with a given `kid`
  that should be used for validating a token can't be found.
- add a test that panics when the openid configuration cannot
  be fetched at JwtService's initialization.
  the openid configuration cannot be fetched
- add a test that panics when the JWKS cannot be fetched at
  JwtService's initialization.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): increase specificity of asserts on errors

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): update token claims in examples/authorize_with_jwt_validation.rs

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* refactor(jans-cedarling): move test into a different file

- moved `can_update_local_jwks` from `with_validation.rs` to
  `key_service.rs`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): update docstrings and remove unnecessary checks

- updated docstrings on some test files to more accurately indicate what they contain.
- remove unnecessary "unexpected" data checks on tests and just have it on one.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* refactor(jans-cedarling): improve code readability in tests

- improve code readability in tests by returning a List<EncodingKey>
  instead of a List<(String, jwt::EncodingKey)> when generating keys

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* fix(jans-cedarling): improve token invalidation robustness in tests

- Modified `invalidate_token` to handle cases where the first two characters in the signature
  are identical and swapping them won't invalidate the token. This change introduces a loop to
  assign a distinct character to the first position if characters match, ensuring the token
  is reliably invalidated without unintended duplication.
- Moved  `invalidate_token` to `utils.rs`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): change error naming convention

- renamed decoding_strategy::Error to decoding_strategy::DecodingError
- renamed key_service::Error to key_service::KeyServiceError

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* test(jans-cedarling): remove tests that expects to panic

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): change error naming in JWT module

- rename `jwt::Error` to `jwt::JwtServiceError`
- rename `decoding_strategy::DecodingError` to `decoding_strategy::toJwtDecodingError`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

* chore(jans-cedarling): move `test/mod.rs` to `test.rs`

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

---------

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
Former-commit-id: 32c21ea