New ca_cert parameter in FetchJwksUriSigningKey class

Expected parameter type is OpenSSL::X509::Store The parameter will allow to invoke http requests to endpoints providing self-signed certificate or certificate signed by 3rd party CA
cyberark · Jan 5, 2022 · 4c33c48 · 4c33c48
1 parent 58c454a
commit 4c33c48
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 3 deletions.
diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_jwks_uri_signing_key.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_jwks_uri_signing_key.rb
@@ -11,6 +11,7 @@ class FetchJwksUriSigningKey
  def initialize(
  authenticator_input:,
  fetch_signing_key:,
+ ca_cert: nil,
  fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
  http_lib: Net::HTTP,
  create_jwks_from_http_response: CreateJwksFromHttpResponse.new,
@@ -22,6 +23,7 @@ def initialize(
  @fetch_authenticator_secrets = fetch_authenticator_secrets
 
  @authenticator_input = authenticator_input
+ @ca_cert = ca_cert
  @fetch_signing_key = fetch_signing_key
  end
 
@@ -57,11 +59,34 @@ def jwks_uri_secret
  )[JWKS_URI_RESOURCE_NAME]
  end
 
+ def net_http_start(host, port, use_ssl, &block)
+ if @ca_cert
+ @http_lib.start(
+ host,
+ port,
+ use_ssl: use_ssl,
+ cert_store: @ca_cert,
+ &block
+ )
+ else
+ @http_lib.start(
+ host,
+ port,
+ use_ssl: use_ssl,
+ &block
+ )
+ end
+ end
+
  def fetch_jwks_keys
  begin
  uri = URI(jwks_uri)
  @logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(jwks_uri))
- response = @http_lib.get_response(uri)
+ response = net_http_start(
+ uri.host,
+ uri.port,
+ uri.scheme == 'https'
+ ) { |http| http.get(uri) }
  @logger.debug(LogMessages::Authentication::AuthnJwt::FetchJwtUriKeysSuccess.new)
  rescue => e
  raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(

diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/fetch_jwks_signing_key_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/fetch_jwks_signing_key_spec.rb
@@ -30,13 +30,17 @@
  let(:mocked_fetch_authenticator_secrets_empty_values) { double("MockedFetchAuthenticatorSecrets") }
  let(:mocked_bad_http_response) { double("Mocked bad http response") }
  let(:mocked_good_http_response) { double("Mocked good http response") }
+ let(:mocked_http_response_ca_cert_present) { double("MockedNet::HTTP.startCertStorePresent") }
  let(:mocked_bad_response) { double("Mocked bad http body") }
  let(:mocked_good_response) { double("Mocked good http body") }
  let(:mocked_create_jwks_from_http_response) { double("Mocked good jwks") }
+ let(:mocked_create_jwks_from_http_responce_http_response) { double("MockedDummyJwks") }
 
  let(:good_response) { "good-response"}
  let(:bad_response) { "bad-response"}
  let(:valid_jwks) { "valid-jwls" }
+ let(:cert_store_present) { "present" }
+ let(:cert_store_absent) { "absent" }
 
  before(:each) do
  allow(mocked_logger).to(
@@ -63,11 +67,28 @@
  )
 
  allow(mocked_bad_http_response).to(
- receive(:get_response).and_return(bad_response)
+ receive(:start).and_return(bad_response)
  )
 
  allow(mocked_good_http_response).to(
- receive(:get_response).and_return(good_response)
+ receive(:start).and_return(good_response)
+ )
+
+ allow(mocked_http_response_ca_cert_present).to(
+ receive(:start).with(
+ anything,
+ anything,
+ use_ssl: anything,
+ cert_store: cert_store_present
+ ).and_return(cert_store_present)
+ )
+
+ allow(mocked_http_response_ca_cert_present).to(
+ receive(:start).with(
+ anything,
+ anything,
+ use_ssl: anything
+ ).and_return(cert_store_absent)
  )
 
  allow(mocked_create_jwks_from_http_response).to(
@@ -77,6 +98,8 @@
  allow(mocked_create_jwks_from_http_response).to(
  receive(:call).with(http_response: bad_response).and_raise(bad_response_error)
  )
+
+ allow(mocked_create_jwks_from_http_responce_http_response).to receive(:call) { |params| params[:http_response] }
  end
 
  # ____ _ _ ____ ____ ____ ___ ____ ___
@@ -117,6 +140,41 @@
  end
  end
 
+ context "processes ca_cert parameter" do
+ context "when it present" do
+ subject do
+ ::Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey.new(authenticator_input: mocked_authenticator_input,
+ ca_cert: cert_store_present,
+ fetch_signing_key: mocked_fetch_signing_key,
+ logger: mocked_logger,
+ fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_exist_values,
+ http_lib: mocked_http_response_ca_cert_present,
+ create_jwks_from_http_response: mocked_create_jwks_from_http_responce_http_response
+ ).call(force_fetch: false)
+ end
+
+ it "returns valid value" do
+ expect(subject).to eql(cert_store_present)
+ end
+ end
+
+ context "when it's absent" do
+ subject do
+ ::Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey.new(authenticator_input: mocked_authenticator_input,
+ fetch_signing_key: mocked_fetch_signing_key,
+ logger: mocked_logger,
+ fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_exist_values,
+ http_lib: mocked_http_response_ca_cert_present,
+ create_jwks_from_http_response: mocked_create_jwks_from_http_responce_http_response
+ ).call(force_fetch: false)
+ end
+
+ it "returns valid value" do
+ expect(subject).to eql(cert_store_absent)
+ end
+ end
+ end
+
  context "'jwks-uri' secret is not valid" do
  subject do
  ::Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey.new(authenticator_input: mocked_authenticator_input,