java.lang.Object
org.elasticsearch.xpack.security.authc.jwt.JwtUtil

public class JwtUtil extends Object
Utilities for JWT realm.
  • Constructor Details

    • JwtUtil

      public JwtUtil()
  • Method Details

    • getHeaderValue

      public static SecureString getHeaderValue(ThreadContext threadContext, String headerName, String schemeName, boolean ignoreSchemeNameCase)
      Get header from threadContext, look for the scheme name, and extract the value after it.
      Parameters:
      threadContext - Contains the request parameters.
      headerName - Header name to look for.
      schemeName - Scheme name to look for.
      ignoreSchemeNameCase - Ignore case of scheme name.
      Returns:
      If found, the trimmed value after the scheme name. Null if parameter not found, or scheme mismatch.
    • validateClientAuthenticationSettings

      public static void validateClientAuthenticationSettings(String clientAuthenticationTypeConfigKey, JwtRealmSettings.ClientAuthenticationType clientAuthenticationType, String clientAuthenticationSharedSecretConfigKey, RotatableSecret clientAuthenticationSharedSecret) throws SettingsException
      Throws:
      SettingsException
    • validateClientAuthentication

      public static void validateClientAuthentication(JwtRealmSettings.ClientAuthenticationType type, RotatableSecret expectedSecret, SecureString actualSecret, String tokenPrincipal) throws Exception
      Throws:
      Exception
    • parseHttpsUri

      public static URI parseHttpsUri(String uriString)
    • readUriContents

      public static void readUriContents(String jwkSetConfigKeyPkc, URI jwkSetPathPkcUri, org.apache.http.impl.nio.client.CloseableHttpAsyncClient httpClient, ActionListener<byte[]> listener)
    • readFileContents

      public static byte[] readFileContents(String jwkSetConfigKeyPkc, String jwkSetPathPkc, Environment environment) throws SettingsException
      Throws:
      SettingsException
    • serializeJwkSet

      public static String serializeJwkSet(com.nimbusds.jose.jwk.JWKSet jwkSet, boolean publicKeysOnly)
    • serializeJwkHmacOidc

      public static String serializeJwkHmacOidc(com.nimbusds.jose.jwk.JWK key)
    • createHttpClient

      public static org.apache.http.impl.nio.client.CloseableHttpAsyncClient createHttpClient(RealmConfig realmConfig, SSLService sslService)
      Creates a CloseableHttpAsyncClient that uses a PoolingNHttpClientConnectionManager.
      Parameters:
      realmConfig - Realm config for a JWT realm.
      sslService - SSL service providing the realm's SSL configuration.
      Returns:
      Initialized HTTPS client.
    • readBytes

      public static void readBytes(org.apache.http.impl.nio.client.CloseableHttpAsyncClient httpClient, URI uri, ActionListener<byte[]> listener)
      Use the HTTP Client to get URL content bytes.
      Parameters:
      httpClient - Configured HTTP/HTTPS client.
      uri - URI to download.
    • resolvePath

      public static Path resolvePath(Environment environment, String jwkSetPath)
    • join

      public static SecureString join(CharSequence delimiter, CharSequence... secureStrings)
      Concatenate values with separator strings. Same method signature as String.join(CharSequence, CharSequence...).
      Parameters:
      delimiter - Separator string between the concatenated values.
      secureStrings - SecureString values to concatenate.
      Returns:
      SecureString of the concatenated values with separator strings.
    • sha256

      public static byte[] sha256(CharSequence charSequence)
    • parseSignedJWT

      public static com.nimbusds.jwt.SignedJWT parseSignedJWT(SecureString token)
    • toStringRedactSignature

      public static Supplier<String> toStringRedactSignature(com.nimbusds.jwt.JWT jwt)
      Parameters:
      jwt - The signed JWT
      Returns:
      A print-safe supplier that describes a JWT with its signature redacted. While the signature is not generally sensitive, we don't want to leak the entire JWT to the log, to avoid a possible replay.
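The following is an added illustration, not Elasticsearch code: a standalone re-implementation of the contracts documented above for getHeaderValue (scheme lookup with optional case folding, trimmed value, null on absence or mismatch) and toStringRedactSignature (log-safe JWT with the signature segment replaced). A plain Map stands in for ThreadContext and String for SecureString; the sample token is constructed and is not a real credential.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example re-implementing the documented behaviour; it is not the JwtUtil implementation.
public final class JwtUtilExample {

    // Returns the trimmed value after "<scheme> ", or null if the header is absent or the
    // scheme name does not match (case-insensitively when ignoreSchemeNameCase is true).
    static String getHeaderValue(Map<String, String> headers, String headerName,
                                 String schemeName, boolean ignoreSchemeNameCase) {
        String header = headers.get(headerName);
        if (header == null) {
            return null;
        }
        String prefix = schemeName + " ";
        boolean matches = ignoreSchemeNameCase
                ? header.regionMatches(true, 0, prefix, 0, prefix.length())
                : header.startsWith(prefix);
        if (!matches) {
            return null;
        }
        return header.substring(prefix.length()).trim();
    }

    // Log-safe description of a compact JWS (header.payload.signature): the header and
    // payload segments are kept, the signature is replaced so the logged value cannot be
    // pasted back as a usable token.
    static Supplier<String> toStringRedactSignature(String compactJwt) {
        return () -> {
            int lastDot = compactJwt.lastIndexOf('.');
            if (lastDot < 0 || compactJwt.indexOf('.') == lastDot) {
                return "<not a signed JWT>";
            }
            return compactJwt.substring(0, lastDot + 1) + "<redacted signature>";
        };
    }

    public static void main(String[] args) {
        // Constructed request headers; lowercase scheme and trailing whitespace on purpose.
        Map<String, String> headers = Map.of("Authorization",
                "bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl ");
        String token = getHeaderValue(headers, "Authorization", "Bearer", true);
        System.out.println(token);                                                  // trimmed token
        System.out.println(getHeaderValue(headers, "Authorization", "Bearer", false)); // null: case mismatch
        System.out.println(toStringRedactSignature(token).get());                   // signature redacted
    }
}
```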