Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ public HTTPJwtKeyByJWKSAuthenticator(Settings settings, Path configPath) {

// Initialize static JWT authenticator as fallback if jwks_uri is not configured
if (!useJwks) {
log.warn("jwks_uri is not configured, falling back to static JWT authentication");
log.info("jwks_uri is not configured, using static JWT authentication with the configured signing_key");

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both initKeyProvider and the constructor log the same message back-to-back for the same condition. Consider rewording them slightly so they're distinguishable in logs.

  • initKeyProvider: "jwks_uri is not configured, skipping JWKS key provider initialization"
  • Constructor: "jwks_uri is not configured, using static JWT authentication with the configured 'signing_key'"

this.staticJwtAuthenticator = new HTTPJwtAuthenticator(settings, configPath);
} else {
this.staticJwtAuthenticator = null;
Expand All @@ -85,7 +85,7 @@ protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws

// If jwks_uri is not configured, return null (will use static JWT fallback)
if (jwksUri == null || jwksUri.isBlank()) {
log.warn("jwks_uri is not configured, will use static JWT authentication fallback");
log.info("jwks_uri is not configured, using static JWT authentication with the configured signing_key");
return null;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,18 +12,29 @@
package org.opensearch.security.auth.http.jwt.keybyoidc;

import java.util.HashMap;
import java.util.List;

import com.google.common.collect.ImmutableMap;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.ArgumentCaptor;

import org.opensearch.common.settings.Settings;
import org.opensearch.security.auth.http.jwt.keybyjwks.HTTPJwtKeyByJWKSAuthenticator;
import org.opensearch.security.user.AuthCredentials;
import org.opensearch.security.util.FakeRestRequest;

import org.apache.logging.log4j.Level;

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CI is failing due to import ordering.

Can you run ./gradlew :spotlessApply to remove spotlessApply violations ?

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.Appender;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.Logger;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

public class HTTPJwtKeyByJWKSAuthenticatorTest {

Expand Down Expand Up @@ -243,6 +254,42 @@ public void testFallbackToStaticJwtAuthenticatorWhenJwksUriMissing() {
assertThat(jwtAuth.getType(), is("jwt"));
}

@Test
public void testStaticFallbackIsLoggedAtInfoNotWarn() {
Appender mockAppender = mock(Appender.class);
ArgumentCaptor<LogEvent> logEventCaptor = ArgumentCaptor.forClass(LogEvent.class);
when(mockAppender.getName()).thenReturn("MockAppender");
when(mockAppender.isStarted()).thenReturn(true);

Logger logger = (Logger) LogManager.getLogger(HTTPJwtKeyByJWKSAuthenticator.class);
logger.addAppender(mockAppender);
logger.setLevel(Level.INFO);

try {
Settings settings = Settings.builder()
.put("signing_key", "dGVzdC1zaWduaW5nLWtleS10aGF0LWlzLWxvbmctZW5vdWdoLWZvci1obWFjLXNoYTI1Ng==")
.build();

new HTTPJwtKeyByJWKSAuthenticator(settings, null);

org.mockito.Mockito.verify(mockAppender, atLeastOnce()).append(logEventCaptor.capture());

List<LogEvent> events = logEventCaptor.getAllValues();
boolean sawStaticInfoMessage = false;
for (LogEvent event : events) {
String message = event.getMessage().getFormattedMessage();
if (message.contains("jwks_uri is not configured")) {
// The static-key path is a supported configuration, so it must not warn.
assertThat(event.getLevel(), is(Level.INFO));
sawStaticInfoMessage = true;
}
}
Assert.assertTrue("Expected an INFO log about static JWT authentication", sawStaticInfoMessage);
} finally {
logger.removeAppender(mockAppender);
}
}

@Test
public void testFallbackToStaticJwtAuthenticatorWhenJwksUriEmpty() {
Settings settings = Settings.builder()
Expand Down
Loading