muse-dev[bot] commented on a change in pull request #139:
URL: https://github.com/apache/solr/pull/139#discussion_r641608294



##########
File path: solr/core/src/test/org/apache/solr/security/JWTAuthPluginIntegrationTest.java
##########
@@ -328,4 +406,56 @@ private void executeCommand(String url, HttpClient cl, 
String payload, JsonWebSi
                     });
     
   }
+
+  /**
+   * Creates a security.json string which points to the MockOAuth server using 
it's well-known URL and trusting its SSL
+   */
+  private static String createMockOAuthSecurityJson(Path pemFilePath) throws 
IOException {
+    String wellKnown = mockOAuth2Server.wellKnownUrl("default").toString();
+    String pemCert = extractCertificateFromPem(pemFilePath);
+    return "{\n" +
+        "  \"authentication\" : {\n" +
+        "    \"class\": \"solr.JWTAuthPlugin\",\n" +
+        "    \"wellKnownUrl\": \"" + wellKnown + "\",\n" +
+        "    \"blockUnknown\": true\n" +
+        "    \"trustedCerts\": \"" + pemCert + "\"\n" +
+        "  }\n" +
+        "}";
+  }
+
+  private static String extractCertificateFromPem(Path pemFilePath) throws 
IOException {
+    String raw = Files.readString(pemFilePath).replaceAll("\n", "\\\\n");
+    int from = raw.indexOf("-----BEGIN CERTIFICATE-----");
+    int end = raw.lastIndexOf("-----END CERTIFICATE-----") + 25;
+    return raw.substring(from, end);
+  }
+
+  /**
+   * Create and return a MockOAuth2Server with given SSL certificate
+   * @param pemFilepath path to a pem certificate file
+   * @param secretKeyPass password to secret key
+   */
+  private static MockOAuth2Server createMockOAuthServer(Path pemFilepath, 
String secretKeyPass) {
+    X509ExtendedKeyManager keyManager = 
PemUtils.loadIdentityMaterial(pemFilepath, secretKeyPass.toCharArray());
+    X509ExtendedTrustManager trustManager = 
PemUtils.loadTrustMaterial(pemFilepath);
+    SSLFactory sslFactory = SSLFactory.builder()
+        .withIdentityMaterial(keyManager)
+        .withTrustMaterial(trustManager)
+        .build();
+
+    MockWebServerWrapper mockWebServerWrapper = new MockWebServerWrapper();
+    MockWebServer mockWebServer = mockWebServerWrapper.getMockWebServer();
+    try {
+      SSLContext sslContext = SSLContext.getInstance("TLS");
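
Review bot: In createMockOAuthSecurityJson, the line `"    \"blockUnknown\": true\n"` has no trailing comma before the `trustedCerts` entry, so the generated security.json is not valid JSON; add the comma after `true`. In extractCertificateFromPem, the results of indexOf and lastIndexOf are not checked for -1, so a PEM file without a complete certificate block ends in a StringIndexOutOfBoundsException or a wrong substring instead of a clear error; fail explicitly when either marker is missing, and derive the offset from the length of the END marker rather than the literal 25. The Javadoc on createMockOAuthSecurityJson should read "its well-known URL".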

Review comment:

*opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context:* An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.

(at-me [in a reply](https://docs.muse.dev/docs/talk-to-muse/) with `help` or `ignore`)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


