New jwt_auth rule

I’m currently using a proxy to authenticate the user with a JSON Web Token and pass the X-Forwarded-User header to a ‘proxy_auth’ configured ES server.

It would be great if a new rule were implemented to cover this use case

And I believe I could give a try to this. Looks easy enough.

Example

The config would look something like this:

jwt_auth:
   # For symmetric encryption
   secret: "string"
   # The JWT claim used as replacement of
   # the @user placeholder
   user_claim: "user.claim"

I think that covers my current needs. But some other features like asymmetric JWT would be cool too.

The token may also include extra information that could be made available to subsequent rules. That would be awesome.

Let’s do this?

I’ve submitted PR 218 Mainly to see if the integration tests are OK, I still need to setup docker.

Also, there were some issues with the transitive dependencies (jackson-databind) of the JWT library I’ve used. For some reason they were not included in the classpath unless I listed them explicitly in build.gradle. Not sure why…

So, today I’ve set up docker and newman. But I’m having an issue with Java security stuff. Apparently jackson-databind wants the “accessDeclaredMembers” runtime permission and the JVM is not granting it access.

I’ve checked src/main/plugin-metadata/plugin-security.policy and the permission is already requested there. @sscarduzio, do you know what’s going on?

[2017-05-19T03:44:24,396][WARN ][r.suppressed             ] path: /_cat/indices, params: {}
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_131]
    at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_131]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_131]
    at java.lang.Class.checkMemberAccess(Class.java:2348) ~[?:1.8.0_131]
    at java.lang.Class.getDeclaredConstructors(Class.java:2019) ~[?:1.8.0_131]
    at com.fasterxml.jackson.databind.util.ClassUtil$ClassMetadata.getConstructors(ClassUtil.java:1186) ~[?:?]
    ...
    at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.impl.JwtAuthSyncRule.match(JwtAuthSyncRule.java:64) ~[?:?]
    ...

Oh, nevermind. I think it’s solved by wrapping the token parsing in doPrivileged like below:

diff --git a/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/JwtAuthSyncRule.java b/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/JwtAuthSyncRule.java
index fabe065..8320ea9 100644
--- a/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/JwtAuthSyncRule.java
+++ b/src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/JwtAuthSyncRule.java
@@ -16,6 +16,8 @@
  */
 package org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.impl;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Optional;
 
 import org.apache.logging.log4j.Logger;
@@ -59,9 +61,11 @@ public class JwtAuthSyncRule extends UserRule implements Authentication {
     }
 
     try {
-      Jws<Claims> jws = Jwts.parser()
-        .setSigningKey(settings.getKey())
-        .parseClaimsJws(token.get());
+      Jws<Claims> jws = AccessController.doPrivileged(
+        (PrivilegedAction<Jws<Claims>>) () ->
+          Jwts.parser()
+            .setSigningKey(settings.getKey())
+            .parseClaimsJws(token.get()));
 
       Optional<String> user = settings.getUserClaim().map(claim -> jws.getBody().get(claim, String.class));
       if (settings.getUserClaim().isPresent())

Hey @diegonc, this feature now is merged to master!
Thanks for this PR. Well done and very useful

Can I add you to the significant contributors in the about page in the website?

Sure, no problem.

it’s there About us | ReadonlyREST