Merge pull request #372 from trepel/jwt-ttl-test

Add TTL test for JWT verification

testsuite/oidc/rhsso/__init__.py

@@ -110,3 +110,36 @@ def token_params(self) -> str:
             f"client_secret={self.oidc_client.client_secret_key}&username={self.test_username}&"
             f"password={self.test_password}"
         )
+
+    def delete_signing_rs256_jwks_key(self):
+        """Deletes signing RS256 key from JWKS"""
+
+        jwks = self.realm.admin.get_keys()["keys"]
+        assert jwks is not None
+
+        provider_id = None
+        for key in jwks:
+            if key["use"] == "SIG" and key["algorithm"] == "RS256" and key["status"] == "ACTIVE":
+                provider_id = key["providerId"]
+                break
+        assert provider_id is not None
+
+        self.realm.admin.delete_component(provider_id)
+
+    def create_signing_rs256_jwks_key(self):
+        """Creates a new signing RS256 key in JWKS"""
+
+        payload = {
+            "name": "rsa-generated",
+            "providerId": "rsa-generated",
+            "providerType": "org.keycloak.keys.KeyProvider",
+            "config": {
+                "keySize": ["2048"],
+                "active": ["true"],
+                "priority": ["100"],
+                "enabled": ["true"],
+                "algorithm": ["RS256"],
+            },
+        }
+
+        self.realm.admin.create_component(payload)

testsuite/tests/kuadrant/authorino/identity/rhsso/conftest.py

@@ -2,6 +2,8 @@
 
 import pytest
 
+from testsuite.httpx.auth import HttpxOidcClientAuth
+
 
 @pytest.fixture(scope="session")
 def oidc_provider(rhsso):
@@ -10,13 +12,37 @@ def oidc_provider(rhsso):
 
 
 @pytest.fixture(scope="module")
-def authorization(authorization, rhsso):
+def authorization(authorization, rhsso, jwt_ttl):
     """Add RHSSO identity to AuthConfig"""
-    authorization.identity.add_oidc("rhsso", rhsso.well_known["issuer"])
+    authorization.identity.add_oidc(
+        "rhsso",
+        rhsso.well_known["issuer"],
+        ttl=jwt_ttl,
+    )
     return authorization
 
 
 @pytest.fixture(scope="module")
 def realm_role(rhsso, blame):
     """Creates new realm role"""
     return rhsso.realm.create_realm_role(blame("role"))
+
+
+@pytest.fixture(scope="module")
+def jwt_ttl():
+    """
+    Returns TTL in seconds for Authorino to trigger OIDC discovery and update its cache.
+    Some tests might sleep for this long to make sure TTL is reached so keep this number reasonably low.
+    """
+    return 30
+
+
+@pytest.fixture(scope="module")
+def create_jwt_auth(rhsso, auth):
+    """Creates a new Auth using a new JWT (JSON Web Token)"""
+
+    def _create_jwt_auth():
+        new_token = rhsso.get_token(auth.username, auth.password)
+        return HttpxOidcClientAuth(new_token)
+
+    return _create_jwt_auth

testsuite/tests/kuadrant/authorino/identity/rhsso/test_jwt_ttl.py

@@ -0,0 +1,66 @@
+"""
+Test for JWT TTL (time to live), see
+https://github.com/Kuadrant/authorino/blob/main/docs/features.md#jwt-verification-authenticationjwt
+"""
+
+from time import sleep
+
+import pytest
+
+pytestmark = [pytest.mark.authorino]
+
+
+def test_jwt_ttl(client, auth, rhsso, create_jwt_auth, jwt_ttl):
+    """
+    Note that similar test exists also in test_dinosaur.py. If modifying this test update the test there too.
+
+    Test:
+        - send request using user with valid middle name
+        - assert that response status code is 200
+        - delete the signing RS256 key from JWKS - the one associated with the JWT for user with valid middle name
+        - assert that response status code is still 200 due to deleted key being cached by Authorino
+        - sleep to allow for Authorino to update the cache as part of OIDC discovery
+        - assert that response status is 401 after cache update
+        - create a new signing RS256 key in JWKS to be used for generating new JWTs
+        - generate a new JWT
+        - assert that response status code is 200 if using new JWT
+        - assert that response status is still 401 for old JWT - ie old JWT does not work with new signing RS256 key
+
+    """
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    # delete the current signing RS256 JWKS key
+    rhsso.delete_signing_rs256_jwks_key()
+
+    # 200 OK expected since Authorino should have the deleted JWKS key still cached.
+    # Potentially unstable if Authorino triggers OIDC discovery in between the JWKS key deletion just above
+    # and the client.get call just below.
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    # Sleeping for jwt_ttl seconds to ensure Authorino triggers the OIDC discovery during the sleep.
+    # OIDC discovery detects that the signing RS256 JWKS key has been removed and updates the Authorino cache.
+    sleep(jwt_ttl)
+
+    # 401 Unauthorized expected now since JWT is associated with the deleted JWKS key and Authorino cache is up-to-date.
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 401
+
+    # Create a new signing RS256 JWKS key and add it into JWKS
+    rhsso.create_signing_rs256_jwks_key()
+
+    # Generate a new JWT and create an Auth object. This needs to be done only after a new signing JWKS key is added
+    # into JWKS hence the Auth object cannot be created via fixture mechanism before the test as usual.
+    new_token_auth = create_jwt_auth()
+
+    # 200 OK expected since new JWT (associated with new signing RS256 JWKS key) is used.
+    # There is no need to sleep for jwt_ttl seconds because JWKS keys are refreshed regardless the .jwt.ttl value,
+    # see https://github.com/Kuadrant/authorino/issues/463
+    response = client.get("/get", auth=new_token_auth)
+    assert response.status_code == 200
+
+    # Check that old JWT is not re-validated
+    # ie that new signing RS256 JWKS key did not make the old JWT work again
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 401