bump to biscuit 2.0

CleverCloud · Mar 2, 2022 · 209be06 · 209be06
1 parent 383aad6
commit 209be06
Show file tree

Hide file tree

Showing 11 changed files with 343 additions and 918 deletions.
diff --git a/pom.xml b/pom.xml
@@ -26,7 +26,6 @@
     <logback-classic.version>1.2.10</logback-classic.version>
     <protobuf.version>3.16.1</protobuf.version>
     <pulsar.version>2.9.1</pulsar.version>
-    <slf4j-api.version>1.7.32</slf4j-api.version>
     <vavr.version>0.10.2</vavr.version>
 
     <!-- test dependencies -->
@@ -196,11 +195,6 @@
       </exclusions>
     </dependency>
 
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>${slf4j-api.version}</version>
-    </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>

diff --git a/src/main/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuit.java b/src/main/java/com/clevercloud/biscuitpulsar/AuthenticationProviderBiscuit.java
@@ -1,9 +1,9 @@
 package com.clevercloud.biscuitpulsar;
 
+import biscuit.format.schema.Schema;
 import com.clevercloud.biscuit.crypto.PublicKey;
 import com.clevercloud.biscuit.error.Error;
 import com.clevercloud.biscuit.token.Biscuit;
-import io.vavr.control.Either;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
@@ -14,6 +14,9 @@
 
 import javax.naming.AuthenticationException;
 import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
 import java.util.Base64;
 
 public class AuthenticationProviderBiscuit implements AuthenticationProvider {
@@ -24,12 +27,10 @@ public class AuthenticationProviderBiscuit implements AuthenticationProvider {
 
     final static String BISCUIT = "token";
 
-    final static String CONF_BISCUIT_SEALING_KEY = "biscuitSealingKey";
     final static String CONF_BISCUIT_PUBLIC_ROOT_KEY = "biscuitPublicRootKey";
     final static String CONF_BISCUIT_SUPPORT_JWT = "biscuitSupportJWT";
 
-    private PublicKey rootKey;
-    static String SEALING_KEY;
+    static PublicKey rootKey;
 
     private AuthenticationProviderToken jwtAuthenticator;
     private Boolean isJWTSupported;
@@ -55,10 +56,8 @@ public void initialize(ServiceConfiguration serviceConfiguration) throws IOExcep
         log.info("Biscuit authentication configuration...");
         String key = (String) serviceConfiguration.getProperty(CONF_BISCUIT_PUBLIC_ROOT_KEY);
         log.debug("Got biscuit root public key: {}", key);
-        SEALING_KEY = (String) serviceConfiguration.getProperty(CONF_BISCUIT_SEALING_KEY);
-        log.debug("Got biscuit sealing key: {}", SEALING_KEY);
         try {
-            rootKey = new PublicKey(hexStringToByteArray(key));
+            rootKey = new PublicKey(Schema.PublicKey.Algorithm.Ed25519, hexStringToByteArray(key));
             log.info("Biscuit authentication initialized.");
         } catch (Exception e) {
             log.error("Could not decode Biscuit root public key: {}", e);
@@ -113,27 +112,14 @@ private static String validateBearer(final String bearer) throws AuthenticationE
         }
     }
 
-    private String parseBiscuit(final String biscuit) throws AuthenticationException {
-        log.debug("Biscuit to parse: {}", biscuit);
+    private String parseBiscuit(final String biscuitB64Url) throws AuthenticationException {
+        log.debug("Biscuit to parse: {}", biscuitB64Url);
         try {
-            Either<Error, Biscuit> deser = Biscuit.from_b64(biscuit);
-
-            if (deser.isLeft()) {
-                throw new AuthenticationException("Could not deserialize biscuit");
-            } else {
-                Biscuit realBiscuit = deser.get();
-                log.debug("Deserialized biscuit");
-
-                if (realBiscuit.check_root_key(rootKey).isLeft()) {
-                    throw new AuthenticationException("This biscuit was not generated with the expected root key");
-                }
-                log.debug("Root key is valid");
-
-                byte[] sealed = realBiscuit.seal(SEALING_KEY.getBytes()).get();
-                log.debug("Biscuit deserialized and sealed");
-                return "biscuit:" + Base64.getUrlEncoder().encodeToString(sealed);
-            }
-        } catch (IllegalArgumentException e) {
+            Biscuit biscuit = Biscuit.from_b64url(biscuitB64Url, rootKey);
+            log.debug("Deserialized biscuit");
+            byte[] sealed = biscuit.seal();
+            return "biscuit:" + Base64.getUrlEncoder().encodeToString(sealed);
+        } catch (IllegalArgumentException | NoSuchAlgorithmException | SignatureException | InvalidKeyException | Error e) {
             throw new AuthenticationException(e.getMessage());
         }
     }