modelix · slisson · Feb 28, 2025 · Feb 5, 2025 · Feb 18, 2025 · Feb 19, 2025
@@ -15,6 +15,7 @@ jobs:
     timeout-minutes: 60
 
     strategy:
+      fail-fast: false
       matrix:
         version:
           - "2020.3"
@@ -47,4 +48,13 @@ jobs:
           :metamodel-export:build
           :mps-model-adapters:build
           :mps-model-adapters-plugin:build
+          :mps-sync-plugin3:build
           -Pmps.version.major=${{ matrix.version }}
+      - name: Archive test report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-report-${{ matrix.version }}
+          path: |
+            */build/test-results
+            */build/reports
@@ -10,6 +10,7 @@ java {
 }
 
 dependencies {
+    implementation(project(":kotlin-utils"))
     implementation(libs.kotlin.serialization.json)
     implementation(libs.kotlin.serialization.yaml)
     implementation(libs.guava)

@@ -1,17 +1,16 @@
 package org.modelix.authorization
 
-import com.auth0.jwt.interfaces.DecodedJWT
-import io.ktor.server.auth.Principal
+import com.auth0.jwt.interfaces.Payload
 
-class AccessTokenPrincipal(val jwt: DecodedJWT) : Principal {
+class AccessTokenPrincipal(val jwt: Payload) {
     fun getUserName(): String? = ModelixJWTUtil.extractUserId(jwt)
 
     override fun equals(other: Any?): Boolean {
         if (other !is AccessTokenPrincipal) return false
-        return other.jwt.token.equals(jwt.token)
+        return other.jwt.claims == jwt.claims
     }
 
     override fun hashCode(): Int {
-        return jwt.token.hashCode()
+        return jwt.claims.hashCode()
     }
 }
@@ -188,7 +188,7 @@ class ModelixAuthorizationConfig : IModelixAuthorizationConfig {
      *
      * The fake token is generated so that we always have a username that can be used in the server logic.
      */
-    fun shouldGenerateFakeTokens() = generateFakeTokens ?: !jwtUtil.canVerifyTokens()
+    fun shouldGenerateFakeTokens() = generateFakeTokens ?: !permissionCheckingEnabled()
 
     /**
      * Whether permission checking should be enabled based on the configuration values provided.

@@ -7,20 +7,23 @@
 import com.auth0.jwt.interfaces.JWTVerifier
 import com.google.common.cache.CacheBuilder
 import com.nimbusds.jose.jwk.JWKSet
+import com.nimbusds.jwt.proc.BadJWTException
 import io.ktor.http.ContentType
 import io.ktor.http.HttpStatusCode
+import io.ktor.http.auth.HttpAuthHeader
 import io.ktor.server.application.Application
 import io.ktor.server.application.ApplicationCall
 import io.ktor.server.application.ApplicationCallPipeline
 import io.ktor.server.application.BaseRouteScopedPlugin
-import io.ktor.server.application.call
 import io.ktor.server.application.install
 import io.ktor.server.application.plugin
 import io.ktor.server.auth.Authentication
 import io.ktor.server.auth.AuthenticationContext
 import io.ktor.server.auth.AuthenticationProvider
+import io.ktor.server.auth.UnauthorizedResponse
 import io.ktor.server.auth.authenticate
 import io.ktor.server.auth.jwt.jwt
+import io.ktor.server.auth.parseAuthorizationHeader
 import io.ktor.server.auth.principal
 import io.ktor.server.plugins.forwardedheaders.XForwardedHeaders
 import io.ktor.server.plugins.statuspages.StatusPages
@@ -40,6 +43,7 @@
 import org.modelix.authorization.permissions.SchemaInstance
 import org.modelix.authorization.permissions.recordKnownRoles
 import org.modelix.authorization.permissions.recordKnownUser
+import org.modelix.kotlin.utils.filterNotNullValues
 import java.util.concurrent.TimeUnit
 
 private val LOG = mu.KotlinLogging.logger { }
@@ -79,29 +83,41 @@
             } else {
                 // "Authorization: Bearer ..." header is provided in the header by OAuth proxy
                 jwt(MODELIX_JWT_AUTH) {
+                    realm = "modelix"
+                    authHeader { call ->
+                        call.request.parseAuthorizationHeader()
+                            ?: call.request.headers["X-Forwarded-Access-Token"]
+                                ?.let { HttpAuthHeader.Single("Bearer", it) }
+                    }
+
                     verifier(config.getVerifier())
-                    challenge { _, _ ->
-                        call.respond(status = HttpStatusCode.Unauthorized, "No or invalid JWT token provided")
+                    challenge { scheme, realm ->
+                        call.respond(
+                            UnauthorizedResponse(
+                                HttpAuthHeader.Parameterized(
+                                    scheme,
+                                    mapOf(
+                                        HttpAuthHeader.Parameters.Realm to realm,
+                                        "error" to "invalid_token",
+                                        "authorization_uri" to System.getenv("MODELIX_AUTHORIZATION_URI")?.takeIf { it.isNotBlank() },
+                                        "token_uri" to System.getenv("MODELIX_TOKEN_URI")?.takeIf { it.isNotBlank() },
+                                    ).filterNotNullValues(),
+                                ),
+                            ),
+                        )
+
                         // login and token generation is done by OAuth proxy. Only validation is required here.
                     }
-                    validate {
-                        try {
+                    validate { credential ->
+                        val jwt = credential.payload
+                        application.launch(Dispatchers.IO) {
                             val authPlugin = application.plugin(ModelixAuthorization)
                             val authConfig = authPlugin.config
-                            jwtFromHeaders()
-                                ?.let { authConfig.nullIfInvalid(it) }
-                                ?.also { jwt ->
-                                    application.launch(Dispatchers.IO) {
-                                        val accessControlPersistence = authConfig.accessControlPersistence
-                                        accessControlPersistence.recordKnownUser(authConfig.jwtUtil.extractUserId(jwt))
-                                        accessControlPersistence.recordKnownRoles(authConfig.jwtUtil.extractUserRoles(jwt))
-                                    }
-                                }
-                                ?.let(::AccessTokenPrincipal)
-                        } catch (e: Exception) {
-                            LOG.warn(e) { "Failed to read JWT token" }
-                            null
+                            val accessControlPersistence = authConfig.accessControlPersistence
+                            accessControlPersistence.recordKnownUser(authConfig.jwtUtil.extractUserId(jwt))
+                            accessControlPersistence.recordKnownRoles(authConfig.jwtUtil.extractUserRoles(jwt))
                         }
+                        AccessTokenPrincipal(jwt)
                     }
                 }
             }
@@ -135,7 +151,7 @@
                 (installedIntoRoute ?: this).apply {
                     if (config.debugEndpointsEnabled) {
                         get("/user") {
-                            val jwt = call.principal<AccessTokenPrincipal>()?.jwt ?: call.jwtFromHeaders()
+                            val jwt = call.jwtFromHeaders()
                             if (jwt == null) {
                                 call.respondText("No JWT token available")
                             } else {
@@ -226,9 +242,13 @@
     }
 
     override fun verify(jwt: DecodedJWT?): DecodedJWT {
-        if (jwt == null) {
-            throw JWTVerificationException("No JWT provided.")
+        try {
+            if (jwt == null) {
+                throw JWTVerificationException("No JWT provided.")
+            }
+            return [email protected](jwt)?.also { println("Valid token: ${jwt.token}") } ?: throw JWTVerificationException("JWT invalid.")
+        } catch (ex: BadJWTException) {
+            throw JWTVerificationException("Invalid token: ${jwt?.token}", ex)
         }
-        return [email protected](jwt) ?: throw JWTVerificationException("JWT invalid.")
     }
 }
@@ -1,6 +1,7 @@
 package org.modelix.authorization
 
 import com.auth0.jwt.interfaces.DecodedJWT
+import com.auth0.jwt.interfaces.Payload
 import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.JWSHeader
 import com.nimbusds.jose.JWSObject
@@ -244,12 +245,12 @@
         return PermissionEvaluator(schema).also { loadGrantedPermissions(token, it) }
     }
 
-    fun extractPermissions(token: DecodedJWT): List<String>? {
+    fun extractPermissions(token: Payload): List<String>? {
         return token.claims[ModelixTokenConstants.PERMISSIONS]?.asList(String::class.java)
     }
 
     @Synchronized
-    fun loadGrantedPermissions(token: DecodedJWT, evaluator: PermissionEvaluator) {
+    fun loadGrantedPermissions(token: Payload, evaluator: PermissionEvaluator) {
         val permissions = extractPermissions(token)
 
         // There is a difference between access tokens and identity tokens.
@@ -271,11 +272,11 @@
         }
     }
 
-    fun extractUserId(jwt: DecodedJWT): String? {
+    fun extractUserId(jwt: Payload): String? {
         return Companion.extractUserId(jwt)
     }
 
-    fun extractUserRoles(jwt: DecodedJWT): List<String> {
+    fun extractUserRoles(jwt: Payload): List<String> {
         val keycloakRoles = jwt
             .getClaim(KeycloakTokenConstants.REALM_ACCESS)?.asMap()
             ?.get(KeycloakTokenConstants.REALM_ACCESS_ROLES)
@@ -372,7 +373,7 @@
     }
 
     companion object {
-        fun extractUserId(jwt: DecodedJWT): String? {
+        fun extractUserId(jwt: Payload): String? {
             return jwt.getClaim(KeycloakTokenConstants.EMAIL)?.asString()
                 ?: jwt.getClaim(KeycloakTokenConstants.PREFERRED_USERNAME)?.asString()
         }

@@ -287,7 +287,7 @@ class RSATest {
         privateKeyFile.writeText(privateKeyPem1)
 
         val verifyingUtil = ModelixJWTUtil()
-        verifyingUtil.fileRefreshTime = 50.milliseconds
+        verifyingUtil.fileRefreshTime = 500.milliseconds
         verifyingUtil.loadKeysFromFiles(publicKeyFile)
         run {
             val signingUtil = ModelixJWTUtil()
@@ -314,7 +314,7 @@ class RSATest {
             assertFailsWith<BadJOSEException> {
                 verifyingUtil.verifyToken(tokenString)
             }
-            Thread.sleep(50)
+            Thread.sleep(500)
             verifyingUtil.verifyToken(tokenString)
         }
     }