CMSgov · MEspositoE14s · Dec 16, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/dpc-api/pom.xml b/dpc-api/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <mainClass>gov.cms.dpc.api.DPCAPIService</mainClass>
-        <jjwt.version>0.12.6</jjwt.version>
+        <jjwt.version>0.11.4</jjwt.version>
         <mockserverVersion>5.15.0</mockserverVersion>
     </properties>
 

diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/DPCAPIModule.java b/dpc-api/src/main/java/gov/cms/dpc/api/DPCAPIModule.java
@@ -8,7 +8,6 @@
 import com.google.inject.Provides;
 import com.google.inject.name.Named;
 import gov.cms.dpc.api.auth.jwt.IJTICache;
-import gov.cms.dpc.api.auth.jwt.KeyResolverAdapter;
 import gov.cms.dpc.api.converters.ChecksumConverterProvider;
 import gov.cms.dpc.api.converters.HttpRangeHeaderParamConverterProvider;
 import gov.cms.dpc.api.core.FileManager;
@@ -37,6 +36,7 @@
 import gov.cms.dpc.macaroons.thirdparty.MemoryThirdPartyKeyStore;
 import gov.cms.dpc.queue.service.DataService;
 import io.dropwizard.hibernate.UnitOfWorkAwareProxyFactory;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import org.hibernate.SessionFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -103,13 +103,13 @@ public KeyResource provideKeyResource(PublicKeyDAO dao) {
     }
 
     @Provides
-    public TokenResource provideTokenResource(TokenDAO dao, MacaroonBakery bakery, KeyResolverAdapter resolver, IJTICache cache, @APIV1 String publicURL) {
+    public TokenResource provideTokenResource(TokenDAO dao, MacaroonBakery bakery, SigningKeyResolverAdapter resolver, IJTICache cache, @APIV1 String publicURL) {
         return new UnitOfWorkAwareProxyFactory(authHibernateBundle)
                 .create(TokenResource.class,
                         new Class<?>[]{TokenDAO.class,
                                 MacaroonBakery.class,
                                 TokenPolicy.class,
-                                KeyResolverAdapter.class,
+                                SigningKeyResolverAdapter.class,
                                 IJTICache.class,
                                 String.class},
                         new Object[]{dao,

diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/auth/AuthModule.java b/dpc-api/src/main/java/gov/cms/dpc/api/auth/AuthModule.java
@@ -7,14 +7,14 @@
 import gov.cms.dpc.api.auth.jwt.CaffeineJTICache;
 import gov.cms.dpc.api.auth.jwt.IJTICache;
 import gov.cms.dpc.api.auth.jwt.JwtKeyResolver;
-import gov.cms.dpc.api.auth.jwt.KeyResolverAdapter;
 import gov.cms.dpc.api.auth.macaroonauth.MacaroonsAuthenticator;
 import gov.cms.dpc.api.auth.staticauth.StaticAuthFactory;
 import gov.cms.dpc.api.auth.staticauth.StaticAuthFilter;
 import gov.cms.dpc.api.auth.staticauth.StaticAuthenticator;
 import gov.cms.dpc.macaroons.thirdparty.BakeryKeyPair;
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.UnauthorizedHandler;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ru.vyarus.dropwizard.guice.module.support.DropwizardAwareModule;
@@ -49,7 +49,7 @@ public void configure() {
             binder.bind(authenticatorTypeLiteral).to(MacaroonsAuthenticator.class);
         }
         binder.bind(DPCAuthDynamicFeature.class);
-        binder.bind(KeyResolverAdapter.class).to(JwtKeyResolver.class);
+        binder.bind(SigningKeyResolverAdapter.class).to(JwtKeyResolver.class);
         binder.bind(IJTICache.class).to(CaffeineJTICache.class);
         binder.bind(BakeryKeyPair.class).toProvider(new BakeryKeyPairProvider(this.configuration()));
     }

diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/JwtKeyResolver.java b/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/JwtKeyResolver.java
@@ -9,6 +9,7 @@
 import gov.cms.dpc.macaroons.MacaroonCaveat;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -22,7 +23,7 @@
 
 import static gov.cms.dpc.api.auth.MacaroonHelpers.ORGANIZATION_CAVEAT_KEY;
 
-public class JwtKeyResolver extends KeyResolverAdapter {
+public class JwtKeyResolver extends SigningKeyResolverAdapter {
 
     private static final Logger logger = LoggerFactory.getLogger(JwtKeyResolver.class);
 

diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/KeyResolverAdapter.java b/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/KeyResolverAdapter.java
diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/ValidatingKeyResolver.java b/dpc-api/src/main/java/gov/cms/dpc/api/auth/jwt/ValidatingKeyResolver.java
@@ -11,22 +11,21 @@
 import java.time.Instant;
 import java.time.OffsetDateTime;
 import java.time.ZoneOffset;
-import java.util.Set;
 import java.util.UUID;
 
 /**
- * Implementation of {@link LocatorAdapter} that simply verifies whether the required claims and values are present.
+ * Implementation of {@link SigningKeyResolverAdapter} that simply verifies whether the required claims and values are present.
  * As far as I can tell, this is the only way to get access to the JWS claims without actually verifying the signature.
- * See: <a href="https://github.com/jwtk/jjwt/issues/205"></a>
+ * See: https://github.com/jwtk/jjwt/issues/205
  * <p>
  * The downside is that this method will always return a null {@link Key}, which means the {@link Jwts#parser()} method will always throw an {@link IllegalArgumentException}, which we need to catch.
  */
-public class ValidatingKeyResolver extends KeyResolverAdapter {
+public class ValidatingKeyResolver extends SigningKeyResolverAdapter {
 
     private final IJTICache cache;
-    private final Set<String> audClaim;
+    private final String audClaim;
 
-    public ValidatingKeyResolver(IJTICache cache, Set<String> audClaim) {
+    public ValidatingKeyResolver(IJTICache cache, String audClaim) {
         this.cache = cache;
         this.audClaim = audClaim;
     }
@@ -107,7 +106,7 @@ void validateClaims(String issuer, Claims claims) {
         }
 
         // Test correct aud claim
-        final Set<String> audience = getClaimIfPresent("audience", claims.getAudience());
+        final String audience = getClaimIfPresent("audience", claims.getAudience());
         if (!audience.equals(this.audClaim)) {
             throw new WebApplicationException("Audience claim value is incorrect", Response.Status.BAD_REQUEST);
         }

diff --git a/dpc-api/src/main/java/gov/cms/dpc/api/resources/v1/TokenResource.java b/dpc-api/src/main/java/gov/cms/dpc/api/resources/v1/TokenResource.java
@@ -6,18 +6,17 @@
 import gov.cms.dpc.api.auth.MacaroonHelpers;
 import gov.cms.dpc.api.auth.OrganizationPrincipal;
 import gov.cms.dpc.api.auth.annotations.Authorizer;
+import gov.cms.dpc.common.annotations.Public;
 import gov.cms.dpc.api.auth.jwt.IJTICache;
-import gov.cms.dpc.api.auth.jwt.KeyResolverAdapter;
 import gov.cms.dpc.api.auth.jwt.ValidatingKeyResolver;
 import gov.cms.dpc.api.entities.TokenEntity;
 import gov.cms.dpc.api.jdbi.TokenDAO;
 import gov.cms.dpc.api.models.CollectionResponse;
-import gov.cms.dpc.api.models.CreateTokenRequest;
 import gov.cms.dpc.api.models.JWTAuthResponse;
+import gov.cms.dpc.api.models.CreateTokenRequest;
 import gov.cms.dpc.api.resources.AbstractTokenResource;
 import gov.cms.dpc.common.annotations.APIV1;
 import gov.cms.dpc.common.annotations.NoHtml;
-import gov.cms.dpc.common.annotations.Public;
 import gov.cms.dpc.macaroons.CaveatSupplier;
 import gov.cms.dpc.macaroons.MacaroonBakery;
 import gov.cms.dpc.macaroons.MacaroonCaveat;
@@ -68,15 +67,15 @@ public class TokenResource extends AbstractTokenResource {
     private final TokenDAO dao;
     private final MacaroonBakery bakery;
     private final TokenPolicy policy;
-    private final KeyResolverAdapter resolver;
+    private final SigningKeyResolverAdapter resolver;
     private final IJTICache cache;
     private final String authURL;
 
     @Inject
     public TokenResource(TokenDAO dao,
                          MacaroonBakery bakery,
                          TokenPolicy policy,
-                         KeyResolverAdapter resolver,
+                         SigningKeyResolverAdapter resolver,
                          IJTICache cache,
                          @APIV1 String publicURL) {
         this.dao = dao;
@@ -244,11 +243,11 @@ public JWTAuthResponse authorizeJWT(
     public Response validateJWT(@NoHtml @NotEmpty(message = "Must submit JWT") String jwt) {
 
         try {
-            Jwts.parser()
+            Jwts.parserBuilder()
                     .requireAudience(this.authURL)
-                    .keyLocator(new ValidatingKeyResolver(this.cache, Set.of(this.authURL)))
+                    .setSigningKeyResolver(new ValidatingKeyResolver(this.cache, this.authURL))
                     .build()
-                    .parseSignedClaims(jwt);
+                    .parseClaimsJws(jwt);
         } catch (IllegalArgumentException e) {
             // This is fine, we just want the body
         } catch (MalformedJwtException e) {
@@ -277,14 +276,14 @@ private void validateJWTQueryParams(String grantType, String clientAssertionType
     }
 
     private JWTAuthResponse handleJWT(String jwtBody, String requestedScope) {
-        final Jws<Claims> claims = Jwts.parser()
-                .keyLocator(this.resolver)
+        final Jws<Claims> claims = Jwts.parserBuilder()
+                .setSigningKeyResolver(this.resolver)
                 .requireAudience(this.authURL)
                 .build()
-                .parseSignedClaims(jwtBody);
+                .parseClaimsJws(jwtBody);
 
         // Extract the Client Macaroon from the subject field (which is the same as the issuer)
-        final String clientMacaroon = claims.getPayload().getSubject();
+        final String clientMacaroon = claims.getBody().getSubject();
         final List<Macaroon> macaroons = MacaroonBakery.deserializeMacaroon(clientMacaroon);
 
         // Get org id from macaroon caveats
@@ -355,20 +354,20 @@ private OffsetDateTime handleExpirationTime(Optional<OffsetDateTimeParam> expire
     @SuppressWarnings("JdkObsolete") // Date class is used by Jwt
     private void handleJWTClaims(UUID organizationID, Jws<Claims> claims) {
         // Issuer and Sub must be present and identical
-        final String issuer = getClaimIfPresent("issuer", claims.getPayload().getIssuer());
-        final String subject = getClaimIfPresent("subject", claims.getPayload().getSubject());
+        final String issuer = getClaimIfPresent("issuer", claims.getBody().getIssuer());
+        final String subject = getClaimIfPresent("subject", claims.getBody().getSubject());
         if (!issuer.equals(subject)) {
             throw new WebApplicationException("Issuer and Subject must be identical", Response.Status.BAD_REQUEST);
         }
 
         // JTI must be present and have not been used in the past 5 minutes.
-        if (!this.cache.isJTIOk(getClaimIfPresent("id", claims.getPayload().getId()), true)) {
+        if (!this.cache.isJTIOk(getClaimIfPresent("id", claims.getBody().getId()), true)) {
             logger.warn("JWT being replayed for organization {}", organizationID);
             throw new WebApplicationException(INVALID_JWT_MSG, Response.Status.UNAUTHORIZED);
         }
 
         // Ensure the expiration time for the token is not more than 5 minutes in the future
-        final Date expiration = getClaimIfPresent("expiration", claims.getPayload().getExpiration());
+        final Date expiration = getClaimIfPresent("expiration", claims.getBody().getExpiration());
         if (OffsetDateTime.now(ZoneOffset.UTC).plusMinutes(5).isBefore(expiration.toInstant().atOffset(ZoneOffset.UTC))) {
             throw new WebApplicationException("Not authorized", Response.Status.UNAUTHORIZED);
         }