Merge branch 'release-1.5.1-temp' into release-1.5.1-temp

Signed-off-by: ase-101 <[email protected]>
mosip · Jan 15, 2025 · e1093d6 · e1093d6
2 parents d898563 + 3952e55
commit e1093d6
Show file tree

Hide file tree

Showing 21 changed files with 9,271 additions and 14,371 deletions.
diff --git a/...-api/src/main/java/io/mosip/esignet/api/validator/AuthChallengeFactorFormatValidator.java b/...-api/src/main/java/io/mosip/esignet/api/validator/AuthChallengeFactorFormatValidator.java
@@ -47,7 +47,7 @@ public boolean isValid(AuthChallenge authChallenge, ConstraintValidatorContext c
     	String authFactor = authChallenge.getAuthFactorType();
         String format = environment.getProperty(String.format(FORMAT_KEY_PREFIX, authFactor),
                 String.class);
-        if( !StringUtils.hasText(authFactor) || !StringUtils.hasText(format)) {
+        if( !StringUtils.hasText(authFactor) || !StringUtils.hasText(format) || !authChallenge.getAuthFactorType().equals(authFactor.toUpperCase()) ) {
         	context.disableDefaultConstraintViolation();
 			context.buildConstraintViolationWithTemplate(ErrorConstants.INVALID_AUTH_FACTOR_TYPE).addConstraintViolation();
 			return false;

diff --git a/esignet-integration-api/src/test/java/io/mosip/esignet/api/validator/ValidatorTest.java b/esignet-integration-api/src/test/java/io/mosip/esignet/api/validator/ValidatorTest.java
@@ -97,6 +97,19 @@ public void authChallengeFactorFormatValidator_invalidAuthFactorType_thenFail()
         assertFalse(isValid);
     }
 
+    @Test
+    public void authChallengeFactorFormatValidator_lowerCaseAuthFactorType_thenFail() {
+        AuthChallenge authChallenge = new AuthChallenge();
+        authChallenge.setAuthFactorType("otp");
+        authChallenge.setFormat("alpha-numeric");
+        authChallenge.setChallenge("111111");
+        Mockito.when(constraintValidatorContext.buildConstraintViolationWithTemplate(anyString()))
+                .thenReturn(mock(ConstraintValidatorContext.ConstraintViolationBuilder.class));
+        boolean isValid = authChallengeFactorFormatValidator.isValid(authChallenge, constraintValidatorContext);
+        Mockito.verify(constraintValidatorContext).buildConstraintViolationWithTemplate(ErrorConstants.INVALID_AUTH_FACTOR_TYPE);
+        assertFalse(isValid);
+    }
+
     @Test
     public void authChallengeFactorFormatValidator_invalidChallengeLength_theFail() {
         AuthChallenge authChallenge = new AuthChallenge();

diff --git a/esignet-service/pom.xml b/esignet-service/pom.xml
@@ -46,7 +46,7 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
-			<version>3.2.7</version>
+			<version>3.2.12</version>
 		</dependency>
 		<dependency>
 			<groupId>org.postgresql</groupId>

diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties
@@ -413,3 +413,8 @@ mosip.esignet.ui.config.key-values={'sbi.env': '${mosip.esignet.authenticator.id
 
 #mosip.esignet.integration.audit-plugin=LoggerAuditService
 #mosip.esignet.integration.key-binder=NoOpKeyBinder
+
+mosip.esignet.jwt.leeway-seconds=5
+
+## Validation schema files
+mosip.esignet.claims.schema.url=classpath:/verified_claims_request_schema.json
diff --git a/oidc-service-impl/src/main/java/io/mosip/esignet/services/TokenServiceImpl.java b/oidc-service-impl/src/main/java/io/mosip/esignet/services/TokenServiceImpl.java
@@ -75,6 +75,9 @@ public class TokenServiceImpl implements TokenService {
 
     @Value("#{${mosip.esignet.credential.scope-resource-mapping}}")
     private Map<String, String> scopesResourceMapping;
+
+    @Value("${mosip.esignet.jwt.leeway-seconds:5}")
+    private int maxClockSkew;
 
     private static Set<String> REQUIRED_CLIENT_ASSERTION_CLAIMS;
 
@@ -139,15 +142,15 @@ public void verifyClientAssertionToken(String clientId, String jwk, String clien
             throw new EsignetException(ErrorConstants.INVALID_ASSERTION);
 
         try {
-      
+
             JWSKeySelector keySelector = new JWSVerificationKeySelector(JWSAlgorithm.RS256,
                     new ImmutableJWKSet(new JWKSet(RSAKey.parse(jwk))));
             DefaultJWTClaimsVerifier claimsSetVerifier = new DefaultJWTClaimsVerifier(new JWTClaimsSet.Builder()
                     .audience(Collections.singletonList(audience))
                     .issuer(clientId)
                     .subject(clientId)
                     .build(), REQUIRED_CLIENT_ASSERTION_CLAIMS);
-            claimsSetVerifier.setMaxClockSkew(0);
+            claimsSetVerifier.setMaxClockSkew(maxClockSkew);
 
             ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
             jwtProcessor.setJWSKeySelector(keySelector);

diff --git a/oidc-service-impl/src/test/java/io/mosip/esignet/services/TokenServiceTest.java b/oidc-service-impl/src/test/java/io/mosip/esignet/services/TokenServiceTest.java
@@ -61,6 +61,7 @@ public void setup() {
         ReflectionTestUtils.setField(tokenService, "signatureService", getSignatureService());
         ReflectionTestUtils.setField(tokenService, "objectMapper", new ObjectMapper());
         ReflectionTestUtils.setField(tokenService, "issuerId", "test-issuer");
+        ReflectionTestUtils.setField(tokenService, "maxClockSkew", 5);
     }
 
     @Test
@@ -128,6 +129,37 @@ public void getAccessTokenWithNonce_test() throws JSONException {
         Assert.assertNotNull(jsonObject.get(C_NONCE_EXPIRES_IN));
     }
 
+    @Test(expected = InvalidRequestException.class)
+    public void verifyClientAssertionToken_withExpiredTokenNotWithinClockSkew_thenException() throws JOSEException {
+        ReflectionTestUtils.setField(tokenService, "maxClockSkew", 0);
+        JWSSigner signer = new RSASSASigner(RSA_JWK.toRSAPrivateKey());
+        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                .subject("client-id")
+                .audience("audience")
+                .issueTime(new Date(System.currentTimeMillis()))
+                .expirationTime(new Date(System.currentTimeMillis() - 3000))
+                .issuer("client-id")
+                .build();
+        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
+        jwt.sign(signer);
+        tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), jwt.serialize(),"audience");
+    }
+
+    @Test
+    public void verifyClientAssertionToken_withExpiredTokenWithinClockSkew_thenPass() throws JOSEException {
+        JWSSigner signer = new RSASSASigner(RSA_JWK.toRSAPrivateKey());
+        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                .subject("client-id")
+                .audience("audience")
+                .issueTime(new Date(System.currentTimeMillis()))
+                .expirationTime(new Date(System.currentTimeMillis() - 3000))
+                .issuer("client-id")
+                .build();
+        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
+        jwt.sign(signer);
+        tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), jwt.serialize(),"audience");
+    }
+
     @Test(expected = EsignetException.class)
     public void verifyClientAssertionToken_withNullAssertion_thenFail() {
         tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), null,"audience");