Bump io.jsonwebtoken:jjwt from 0.9.1 to 0.12.3

keeps · Nov 9, 2023 · c542776 · c542776
1 parent b8942cc
commit c542776
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 40 deletions.
diff --git a/roda-common/roda-common-data/src/main/java/org/roda/core/data/common/RodaConstants.java b/roda-common/roda-common-data/src/main/java/org/roda/core/data/common/RodaConstants.java
@@ -724,7 +724,7 @@ public enum DistributedModeType {
 
   public static final DistributedModeType DEFAULT_DISTRIBUTED_MODE_TYPE = DistributedModeType.BASE;
   public static final String DISTRIBUTED_MODE_TYPE_PROPERTY = "roda.distributed.mode.type";
-  public static final String DEFAULT_API_SECRET_KEY = "changeit";
+  public static final String DEFAULT_API_SECRET_KEY = "WiJY0uxPwYwMAcjEsDKzQMEpBLiJDmPSTSfxmC06EI0=";
   public static final String API_SECRET_KEY_PROPERTY = "roda.distributed.api.secret";
 
   public static final String CENTRAL_INSTANCE_NAME_PROPERTY = "roda.distributed.localinstance.name";

diff --git a/roda-core/roda-core/pom.xml b/roda-core/roda-core/pom.xml
@@ -412,7 +412,7 @@
 		<dependency>
 			<groupId>io.jsonwebtoken</groupId>
 			<artifactId>jjwt</artifactId>
-			<version>0.9.1</version>
+			<version>0.12.3</version>
 		</dependency>
 		<dependency>
 			<groupId>dev.failsafe</groupId>

diff --git a/roda-core/roda-core/src/main/java/org/roda/core/RodaCoreFactory.java b/roda-core/roda-core/src/main/java/org/roda/core/RodaCoreFactory.java
@@ -263,26 +263,6 @@ public Messages load(Locale locale) throws Exception {
         return new Messages(locale, getConfigPath().resolve(RodaConstants.CORE_I18N_FOLDER));
       }
     });
-
-  private static LoadingCache<String, DisposalSchedule> DISPOSAL_SCHEDULE_CACHE = CacheBuilder.newBuilder()
-    .build(new CacheLoader<String, DisposalSchedule>() {
-      @Override
-      public DisposalSchedule load(String disposalScheduleId) throws Exception {
-        return model.retrieveDisposalSchedule(disposalScheduleId);
-      }
-    });
-
-  private static LoadingCache<String, DisposalHold> DISPOSAL_HOLD_CACHE = CacheBuilder.newBuilder()
-    .expireAfterWrite(10, TimeUnit.MINUTES).build(new CacheLoader<String, DisposalHold>() {
-      @Override
-      public DisposalHold load(String disposalHoldId) throws Exception {
-        return model.retrieveDisposalHold(disposalHoldId);
-      }
-    });
-
-  private static List<String> CONFIGURATIONS = new ArrayList<>(Arrays.asList("roda-core.properties",
-    "roda-roles.properties", "roda-permissions.properties", "roda-instance.properties"));
-
   /**
    * Shared configuration and message properties (cache). Includes properties from
    * {@code rodaConfiguration} and translations from ServerMessages, filtered by
@@ -322,16 +302,29 @@ public Map<String, List<String>> load(Locale locale) {
         return sharedProperties;
       }
     });
-
+  private static LoadingCache<String, DisposalSchedule> DISPOSAL_SCHEDULE_CACHE = CacheBuilder.newBuilder()
+    .build(new CacheLoader<String, DisposalSchedule>() {
+      @Override
+      public DisposalSchedule load(String disposalScheduleId) throws Exception {
+        return model.retrieveDisposalSchedule(disposalScheduleId);
+      }
+    });
+  private static LoadingCache<String, DisposalHold> DISPOSAL_HOLD_CACHE = CacheBuilder.newBuilder()
+    .expireAfterWrite(10, TimeUnit.MINUTES).build(new CacheLoader<String, DisposalHold>() {
+      @Override
+      public DisposalHold load(String disposalHoldId) throws Exception {
+        return model.retrieveDisposalHold(disposalHoldId);
+      }
+    });
+  private static List<String> CONFIGURATIONS = new ArrayList<>(Arrays.asList("roda-core.properties",
+    "roda-roles.properties", "roda-permissions.properties", "roda-instance.properties"));
   private static Map<String, Map<String, String>> rodaPropertiesCache = null;
-
   /**
    * Cache of shared configuration properties
    *
    * @see RodaCoreFactory#getRodaSharedConfigurationProperties
    */
   private static Map<String, List<String>> rodaSharedConfigurationPropertiesCache = null;
-
   private static boolean configSymbolicLinksAllowed;
 
   private static HTTPServer prometheusMetricsServer;
@@ -1518,8 +1511,14 @@ private static void instantiateNodeSpecificObjects(NodeType nodeType) {
     }
   }
 
-  private static void instantiateAccessTokens(){
+  private static void instantiateAccessTokens() {
     apiSecretKey = getProperty(RodaConstants.API_SECRET_KEY_PROPERTY, RodaConstants.DEFAULT_API_SECRET_KEY);
+
+    if (apiSecretKey.equals(RodaConstants.DEFAULT_API_SECRET_KEY)) {
+      LOGGER.warn("It is HIGHLY recommend to change the default JWT secret key. \n"
+        + "In order to do that please set the following environment variable with your secret key: RODA_DISTRIBUTED_API_SECRET");
+    }
+
     accessKeyValidity = RodaCoreFactory.getRodaConfiguration().getLong(RodaConstants.ACCESS_KEY_VALIDITY,
       RodaConstants.DEFAULT_ACCESS_KEY_VALIDITY);
     accessTokenValidity = RodaCoreFactory.getRodaConfiguration().getLong(RodaConstants.ACCESS_TOKEN_VALIDITY,
@@ -2616,8 +2615,9 @@ private static void mainConfigsTasks(final List<String> args) {
   }
 
   private static void generatePluginsMarkdownTask(final List<String> args) {
-    if (args.size() == 5 && StringUtils.isNotBlank(args.get(1)) && StringUtils.isNotBlank(args.get(2)) && StringUtils.isNotBlank(args.get(3))
-      && StringUtils.isNotBlank(args.get(4)) && Files.exists(Paths.get(FilenameUtils.normalize(args.get(4))))) {
+    if (args.size() == 5 && StringUtils.isNotBlank(args.get(1)) && StringUtils.isNotBlank(args.get(2))
+      && StringUtils.isNotBlank(args.get(3)) && StringUtils.isNotBlank(args.get(4))
+      && Files.exists(Paths.get(FilenameUtils.normalize(args.get(4))))) {
 
       List<Pair<String, String>> pluginsNameAndState = new ArrayList<>();
 
@@ -2646,8 +2646,8 @@ private static void generatePluginsMarkdownTask(final List<String> args) {
   }
 
   private static void generatePluginsMarketInformationTask(final List<String> args) {
-    if (args.size() == 3 && StringUtils.isNotBlank(args.get(1))
-      && StringUtils.isNotBlank(args.get(2)) && Files.exists(Paths.get(FilenameUtils.normalize(args.get(2))))) {
+    if (args.size() == 3 && StringUtils.isNotBlank(args.get(1)) && StringUtils.isNotBlank(args.get(2))
+      && Files.exists(Paths.get(FilenameUtils.normalize(args.get(2))))) {
       String pluginFolder = args.get(1);
       try {
         String pluginsJson = PluginManager.getPluginsMarketInformationAsJsonLines(pluginFolder);
@@ -2666,8 +2666,8 @@ private static void generatePluginsMarketInformationTask(final List<String> args
   private static void printConfigsUsage() {
     System.err.println("Configs command parameters:");
     System.err.println(
-      "\tgeneratePluginsMarkdown PLUGIN_OR_PLUGINS DEVELOPMENT_STATUS_PER_PLUGIN OUTPUT_FOLDER - generates plugin representation in markdown format. Development status if many please separate with ;\n" +
-      "\tgeneratePluginsMarketInformation PLUGIN_DIR OUTPUT_FOLDER - generates plugin market information in jsonlines format.");
+      "\tgeneratePluginsMarkdown PLUGIN_OR_PLUGINS DEVELOPMENT_STATUS_PER_PLUGIN OUTPUT_FOLDER - generates plugin representation in markdown format. Development status if many please separate with ;\n"
+        + "\tgeneratePluginsMarketInformation PLUGIN_DIR OUTPUT_FOLDER - generates plugin market information in jsonlines format.");
   }
 
   public static void main(final String[] argsArray)

diff --git a/roda-core/roda-core/src/main/java/org/roda/core/common/JwtUtils.java b/roda-core/roda-core/src/main/java/org/roda/core/common/JwtUtils.java
@@ -7,30 +7,37 @@
  */
 package org.roda.core.common;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.crypto.SecretKey;
+
 import org.roda.core.RodaCoreFactory;
 import org.roda.core.data.exceptions.AuthenticationDeniedException;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
 
 /**
  * @author Gabriel Barros <[email protected]>
  */
 public class JwtUtils {
 
+  private JwtUtils() {
+    // empty constructor
+  }
+
   public static String generateToken(String subject, Date expirationDate) {
     return generateToken(subject, expirationDate, new HashMap<>());
   }
 
   public static String generateToken(String subject, Date expirationDate, Map<String, Object> claims) {
-    return Jwts.builder().signWith(SignatureAlgorithm.HS256, RodaCoreFactory.getApiSecretKey())
-      .setIssuedAt(new Date(System.currentTimeMillis())).setSubject(subject).setExpiration(expirationDate)
-      .addClaims(claims).compact();
+    SecretKey secretKey = Keys.hmacShaKeyFor(RodaCoreFactory.getApiSecretKey().getBytes(StandardCharsets.UTF_8));
+    return Jwts.builder().signWith(secretKey, Jwts.SIG.HS256).issuedAt(new Date(System.currentTimeMillis()))
+      .subject(subject).expiration(expirationDate).claims(claims).compact();
   }
 
   public static String regenerateToken(String token) throws AuthenticationDeniedException {
@@ -43,7 +50,8 @@ public static String regenerateToken(String token) throws AuthenticationDeniedEx
 
   private static Claims getClaimsFromToken(String token) throws AuthenticationDeniedException {
     try {
-      return Jwts.parser().setSigningKey(RodaCoreFactory.getApiSecretKey()).parseClaimsJws(token).getBody();
+      SecretKey secretKey = Keys.hmacShaKeyFor(RodaCoreFactory.getApiSecretKey().getBytes(StandardCharsets.UTF_8));
+      return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload();
     } catch (Exception e) {
       throw new AuthenticationDeniedException("invalid token");
     }

diff --git a/roda-ui/roda-wui/pom.xml b/roda-ui/roda-wui/pom.xml
@@ -643,7 +643,7 @@
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
-            <version>0.9.1</version>
+            <version>0.12.3</version>
         </dependency>
         <dependency>
             <groupId>org.fusesource.restygwt</groupId>

diff --git a/roda-ui/roda-wui/src/main/java/org/roda/wui/api/controllers/ApplicationAuth.java b/roda-ui/roda-wui/src/main/java/org/roda/wui/api/controllers/ApplicationAuth.java
@@ -7,8 +7,10 @@
  */
 package org.roda.wui.api.controllers;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 
+import io.jsonwebtoken.security.Keys;
 import org.roda.core.RodaCoreFactory;
 import org.roda.core.common.JwtUtils;
 import org.roda.core.data.common.RodaConstants;
@@ -32,6 +34,8 @@
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 
+import javax.crypto.SecretKey;
+
 /**
  * @author Gabriel Barros <[email protected]>
  */
@@ -230,8 +234,8 @@ public static AccessToken authenticate(AccessKey accessKey)
 
     Claims claims;
     try {
-      claims = Jwts.parser().setSigningKey(RodaCoreFactory.getApiSecretKey()).parseClaimsJws(accessKey.getKey())
-        .getBody();
+      SecretKey secretKey = Keys.hmacShaKeyFor(RodaCoreFactory.getApiSecretKey().getBytes(StandardCharsets.UTF_8));
+      claims = Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(accessKey.getKey()).getPayload();
     } catch (JwtException e) {
       throw new AuthorizationDeniedException("Expired token");
     }