|
| 1 | +/* |
| 2 | + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0. |
| 3 | + * This product includes software developed at Datadog (https://www.datadoghq.com/). |
| 4 | + * Copyright 2025-Present Datadog, Inc. |
| 5 | + */ |
| 6 | + |
| 7 | +package com.datadoghq.stickerlandia.stickercatalogue.security; |
| 8 | + |
| 9 | +import jakarta.annotation.Priority; |
| 10 | +import jakarta.enterprise.context.ApplicationScoped; |
| 11 | +import jakarta.inject.Inject; |
| 12 | +import jakarta.ws.rs.Priorities; |
| 13 | +import jakarta.ws.rs.container.ContainerRequestContext; |
| 14 | +import jakarta.ws.rs.container.ContainerRequestFilter; |
| 15 | +import jakarta.ws.rs.core.Response; |
| 16 | +import jakarta.ws.rs.core.SecurityContext; |
| 17 | +import jakarta.ws.rs.ext.Provider; |
| 18 | +import java.io.IOException; |
| 19 | +import java.util.Optional; |
| 20 | +import org.eclipse.microprofile.config.inject.ConfigProperty; |
| 21 | +import org.eclipse.microprofile.jwt.JsonWebToken; |
| 22 | +import org.jboss.logging.Logger; |
| 23 | + |
| 24 | +/** |
| 25 | + * JAX-RS filter that validates JWT issuer with trailing slash normalization. This is needed because |
| 26 | + * OpenIddict adds a trailing slash to the issuer claim, but we don't want double slashes in the |
| 27 | + * JWKS URL derivation. |
| 28 | + */ |
| 29 | +@Provider |
| 30 | +@Priority(Priorities.AUTHENTICATION + 1) // Run after JWT authentication |
| 31 | +@ApplicationScoped |
| 32 | +public class IssuerValidationFilter implements ContainerRequestFilter { |
| 33 | + |
| 34 | + private static final Logger LOG = Logger.getLogger(IssuerValidationFilter.class); |
| 35 | + |
| 36 | + @Inject JsonWebToken jwt; |
| 37 | + |
| 38 | + @ConfigProperty(name = "sticker.jwt.expected-issuer") |
| 39 | + Optional<String> expectedIssuer; |
| 40 | + |
| 41 | + @ConfigProperty(name = "sticker.jwt.issuer-validation.enabled", defaultValue = "true") |
| 42 | + boolean issuerValidationEnabled; |
| 43 | + |
| 44 | + @Override |
| 45 | + public void filter(ContainerRequestContext requestContext) throws IOException { |
| 46 | + SecurityContext securityContext = requestContext.getSecurityContext(); |
| 47 | + |
| 48 | + // Skip if no authentication or no expected issuer configured |
| 49 | + if (securityContext == null || securityContext.getUserPrincipal() == null) { |
| 50 | + return; |
| 51 | + } |
| 52 | + |
| 53 | + if (expectedIssuer.isEmpty()) { |
| 54 | + LOG.debug("No expected issuer configured, skipping issuer validation"); |
| 55 | + return; |
| 56 | + } |
| 57 | + |
| 58 | + // Skip if issuer validation is explicitly disabled (test profile only) |
| 59 | + if (!issuerValidationEnabled) { |
| 60 | + LOG.debug("Issuer validation disabled by configuration"); |
| 61 | + return; |
| 62 | + } |
| 63 | + |
| 64 | + // If we have authentication but it's not a JWT, fail - unexpected state in production |
| 65 | + if (!(securityContext.getUserPrincipal() instanceof JsonWebToken)) { |
| 66 | + LOG.error("Principal is authenticated but not a JsonWebToken - unexpected state"); |
| 67 | + requestContext.abortWith( |
| 68 | + Response.status(Response.Status.INTERNAL_SERVER_ERROR) |
| 69 | + .entity( |
| 70 | + "{\"error\": \"internal error: unexpected authentication state\"}") |
| 71 | + .build()); |
| 72 | + return; |
| 73 | + } |
| 74 | + |
| 75 | + // Get the issuer from the JWT |
| 76 | + String tokenIssuer = jwt.getIssuer(); |
| 77 | + if (tokenIssuer == null) { |
| 78 | + LOG.warn("JWT has no issuer claim"); |
| 79 | + requestContext.abortWith( |
| 80 | + Response.status(Response.Status.UNAUTHORIZED) |
| 81 | + .entity("{\"error\": \"invalid token: missing issuer\"}") |
| 82 | + .build()); |
| 83 | + return; |
| 84 | + } |
| 85 | + |
| 86 | + // Normalize both issuers (strip trailing slash) for comparison |
| 87 | + String normalizedTokenIssuer = normalizeIssuer(tokenIssuer); |
| 88 | + String normalizedExpectedIssuer = normalizeIssuer(expectedIssuer.get()); |
| 89 | + |
| 90 | + if (!normalizedTokenIssuer.equals(normalizedExpectedIssuer)) { |
| 91 | + LOG.warnf( |
| 92 | + "JWT issuer mismatch: token=%s, expected=%s", |
| 93 | + tokenIssuer, expectedIssuer.get()); |
| 94 | + requestContext.abortWith( |
| 95 | + Response.status(Response.Status.UNAUTHORIZED) |
| 96 | + .entity("{\"error\": \"invalid token: issuer mismatch\"}") |
| 97 | + .build()); |
| 98 | + return; |
| 99 | + } |
| 100 | + |
| 101 | + LOG.debugf("JWT issuer validated: %s", tokenIssuer); |
| 102 | + } |
| 103 | + |
| 104 | + private String normalizeIssuer(String issuer) { |
| 105 | + if (issuer == null) { |
| 106 | + return ""; |
| 107 | + } |
| 108 | + // Remove trailing slash for consistent comparison |
| 109 | + return issuer.endsWith("/") ? issuer.substring(0, issuer.length() - 1) : issuer; |
| 110 | + } |
| 111 | +} |
0 commit comments