Integration tests of public-keys variable

cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature

@@ -369,6 +369,31 @@ Feature: JWT Authenticator - Check registered claim
     CONJ00011E Failed to discover Identity Provider (Provider URI: 'incorrect.com'). Reason: '#<AttrRequired::AttrMissing: 'host' required.>'
     """
 
+  @skip
+  Scenario: ONYX-15323: public-keys with invalid issuer variable
+    Given I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/public-keys
+    - !variable conjur/authn-jwt/raw/issuer
+    """
+    And I successfully set authn-jwt public-keys variable to value from remote JWKS endpoint "authn-jwt-check-standard-claims" and alg "RS256"
+    And I successfully set authn-jwt "issuer" variable to value "invalid-issuer"
+    And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token:
+    """
+    {
+      "host":"myapp",
+      "project_id": "myproject",
+      "iss": "valid-issuer"
+    }
+    """
+    And I save my place in the audit log file
+    When I authenticate via authn-jwt with the JWT token
+    Then the HTTP response status code is 401
+    And The following appears in the log after my savepoint:
+    """
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::InvalidIssuerError: Invalid issuer. Expected invalid-issuer, received valid-issuer>')>
+    """
+
   @sanity
   Scenario Outline: Audience tests
     Given I extend the policy with:

cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature

@@ -658,3 +658,72 @@ Feature: JWT Authenticator - Fetch signing key
     """
     CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::DecodeError: No key id (kid) found from token headers>')
     """
+
+  @skip
+  @sanity
+  Scenario: ONYX-15322: public-keys happy path
+    Given I load a policy:
+    """
+    - !policy
+      id: conjur/authn-jwt/raw
+      body:
+      - !webservice
+      - !variable public-keys
+      - !variable issuer
+      - !variable token-app-property
+
+      - !group hosts
+
+      - !permit
+        role: !group hosts
+        privilege: [ read, authenticate ]
+        resource: !webservice
+
+    - !host
+      id: myapp
+      annotations:
+        authn-jwt/raw/project_id: myproject
+
+    - !grant
+      role: !group conjur/authn-jwt/raw/hosts
+      member: !host myapp
+    """
+    And I am the super-user
+    And I initialize remote JWKS endpoint with file "public-key-1" and alg "RS256"
+    And I successfully set authn-jwt public-keys variable to value from remote JWKS endpoint "public-key-1" and alg "RS256"
+    And I successfully set authn-jwt "issuer" variable to value "valid-issuer"
+    And I successfully set authn-jwt "token-app-property" variable to value "host"
+    And I am using file "public-key-1" and alg "RS256" for remotely issue token:
+    """
+    {
+      "host":"myapp",
+      "project_id": "myproject",
+      "iss": "valid-issuer"
+    }
+    """
+    And I save my place in the log file
+    When I authenticate via authn-jwt with the JWT token
+    Then host "myapp" has been authorized by Conjur
+    And The following appears in the log after my savepoint:
+    """
+    cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw
+    """
+
+  @skip
+  Scenario: ONYX-15325: public-keys value is in invalid format
+    Given I load a policy:
+     """
+     - !policy
+       id: conjur/authn-jwt/raw
+       body:
+       - !webservice
+       - !variable public-keys
+       - !variable issuer
+       - !webservice status
+     """
+    And I am the super-user
+    And I successfully set authn-jwt "public-keys" variable to value "{ }"
+    And I successfully set authn-jwt "issuer" variable to value "valid-issuer"
+    When I GET "/authn-jwt/raw/cucumber/status"
+    Then the HTTP response status code is 500
+    And the authenticator status check fails with error "CONJ00120E Failed to parse 'public-keys': Type can't be blank, Type '' is not a valid public-keys type, and Value can't be blank"

cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature

@@ -10,9 +10,6 @@ Feature: JWT Authenticator - Validate And Decode
       body:
       - !webservice
 
-      - !variable
-        id: jwks-uri
-
       - !variable
         id: token-app-property
 
@@ -37,7 +34,11 @@ Feature: JWT Authenticator - Validate And Decode
     And I initialize JWKS endpoint with file "myJWKs.json"
 
   Scenario: ONYX-8732: Signature error, kid not found
-    Given I issue unknown kid JWT token:
+    Given I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/jwks-uri
+    """
+    And I issue unknown kid JWT token:
     """
     {
       "host":"myapp",
@@ -56,7 +57,11 @@ Feature: JWT Authenticator - Validate And Decode
 
   @sanity
   Scenario: ONYX-8733: Signature error ,sign on a valid token header and content with your own key
-    Given I issue another key JWT token:
+    Given I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/jwks-uri
+    """
+    And I issue another key JWT token:
     """
     {
       "host":"myapp",
@@ -72,3 +77,27 @@ Feature: JWT Authenticator - Validate And Decode
     CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')>
     """
 
+  @skip
+  Scenario: ONYX-15324: public-keys with valid issuer, token is signed by other key
+    Given I extend the policy with:
+    """
+    - !variable conjur/authn-jwt/raw/public-keys
+    - !variable conjur/authn-jwt/raw/issuer
+    """
+    And I successfully set authn-jwt public-keys variable with value from "myJWKs.json" endpoint
+    And I successfully set authn-jwt "issuer" variable to value "valid-issuer"
+    And I issue another key JWT token:
+    """
+    {
+      "host":"myapp",
+      "project_id": "myproject",
+      "iss": "valid-issuer"
+    }
+    """
+    And I save my place in the audit log file
+    When I authenticate via authn-jwt with raw service ID
+    Then the HTTP response status code is 401
+    And The following appears in the log after my savepoint:
+    """
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')>
+    """

cucumber/authenticators_jwt/features/step_definitions/authn_jwt_steps.rb

@@ -22,6 +22,16 @@
   create_jwt_secret_with_oidc_as_provider_uri(variable_name: variable, value: value)
 end
 
+Given(/I successfully set authn-jwt public-keys variable with value from "([^"]*)" endpoint/) do |filename|
+  get("#{JwtJwksHelper::JWKS_BASE_URI}/#{filename}")
+  create_public_keys_from_response_body
+end
+
+Given(/^I successfully set authn-jwt public-keys variable to value from remote JWKS endpoint "([^"]*)" and alg "([^"]*)"$/) do |file_name, alg|
+  init_jwks_remote_file(file_name, alg)
+  create_public_keys_from_response_body
+end
+
 When(/I authenticate via authn-jwt using given ([^"]*) service ID and without account in url/) do |service_id|
   authenticate_jwt_token(jwt_token, service_id)
 end

cucumber/authenticators_jwt/features/support/authn_jwt_helper.rb

@@ -43,6 +43,17 @@ def create_jwt_secret(variable_name:, value:, service_id: DEFAULT_SERVICE_ID)
     Secret.create(resource_id: "#{path}/#{variable_name}", value: value)
   end
 
+  def create_public_keys_from_response_body(type: "jwks")
+    public_keys = {
+      "type" => type,
+      "value" => JSON.parse(@response_body)
+    }
+    create_jwt_secret(
+      variable_name: "public-keys",
+      value: JSON.dump(public_keys)
+    )
+  end
+
 end
 
 World(AuthnJwtHelper)