fix: check for nullpointer exception when jwk key can't be retrieved (#…

…3503) * check for nullpointer ex when jwk key can't be retrieved Signed-off-by: at670475 <[email protected]> * add test Signed-off-by: at670475 <[email protected]> * address comment Signed-off-by: at670475 <[email protected]> --------- Signed-off-by: at670475 <[email protected]>
zowe · Apr 11, 2024 · 7c00dba · 7c00dba
1 parent 2228d5b
commit 7c00dba
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 19 deletions.
diff --git a/...ervice/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProvider.java b/...ervice/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProvider.java
@@ -14,6 +14,8 @@
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.KeyType;
+import com.nimbusds.jose.jwk.KeyUse;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Clock;
 import io.jsonwebtoken.JwtException;
@@ -105,7 +107,11 @@ void fetchJWKSet() {
 
     private Map<String, Key> processKeys(JWKSet jwkKeys) {
         return jwkKeys.getKeys().stream()
-            .filter(jwkKey -> "sig".equals(jwkKey.getKeyUse().getValue()) && "RSA".equals(jwkKey.getKeyType().getValue()))
+            .filter(jwkKey -> {
+                KeyUse keyUse = jwkKey.getKeyUse();
+                KeyType keyType = jwkKey.getKeyType();
+                return keyUse != null && keyType != null && "sig".equals(keyUse.getValue()) && "RSA".equals(keyType.getValue());
+            })
             .collect(Collectors.toMap(JWK::getKeyID, jwkKey -> {
                 try {
                     return jwkKey.toRSAKey().toRSAPublicKey();

diff --git a/...ce/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProviderTest.java b/...ce/src/test/java/org/zowe/apiml/gateway/security/service/token/OIDCTokenProviderTest.java
@@ -12,11 +12,7 @@
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.Requirement;
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.KeyType;
-import com.nimbusds.jose.jwk.KeyUse;
-import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.*;
 import io.jsonwebtoken.impl.DefaultClock;
 import io.jsonwebtoken.impl.FixedClock;
 import org.junit.jupiter.api.BeforeEach;
@@ -37,21 +33,12 @@
 import java.security.Key;
 import java.text.ParseException;
 import java.time.Instant;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertInstanceOf;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import java.util.*;
+
+import static org.junit.jupiter.api.Assertions.*;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
 
 @ExtendWith(MockitoExtension.class)
 class OIDCTokenProviderTest {
@@ -217,6 +204,50 @@ void shouldNotModifyJwksUri() {
             }
         }
 
+        @Test
+        void shouldHandleNullPointer_whenJWKKeyNull() {
+
+            JWKSet mockedJwtSet = mock(JWKSet.class);
+            List<JWK> mockedKeys = new ArrayList<>();
+            JWK mockedJwk = mock(JWK.class);
+            when(mockedJwk.getKeyUse()).thenReturn(null);
+            RSAKey rsaKey = mock(RSAKey.class);
+            mockedKeys.add(mockedJwk);
+            when(mockedJwtSet.getKeys()).thenReturn(mockedKeys);
+
+            try (MockedStatic<JWKSet> mockedStatic = Mockito.mockStatic(JWKSet.class)) {
+                mockedStatic.when(() -> JWKSet.load(any(URL.class))).thenReturn(mockedJwtSet);
+
+                oidcTokenProvider.fetchJWKSet();
+
+                verify(rsaKey, never()).toRSAPublicKey();
+            } catch (JOSEException e) {
+                fail("Exception thrown: " + e.getMessage());
+            }
+        }
+
+        @Test
+        void shouldHandleNullPointer_whenJWKTypeNull() {
+
+            JWKSet mockedJwtSet = mock(JWKSet.class);
+            List<JWK> mockedKeys = new ArrayList<>();
+            JWK mockedJwk = mock(JWK.class);
+            when(mockedJwk.getKeyType()).thenReturn(null);
+            RSAKey rsaKey = mock(RSAKey.class);
+            mockedKeys.add(mockedJwk);
+            when(mockedJwtSet.getKeys()).thenReturn(mockedKeys);
+
+            try (MockedStatic<JWKSet> mockedStatic = Mockito.mockStatic(JWKSet.class)) {
+                mockedStatic.when(() -> JWKSet.load(any(URL.class))).thenReturn(mockedJwtSet);
+
+                oidcTokenProvider.fetchJWKSet();
+
+                verify(rsaKey, never()).toRSAPublicKey();
+            } catch (JOSEException e) {
+                fail("Exception thrown: " + e.getMessage());
+            }
+        }
+
         @Test
         void throwsCorrectException() throws JOSEException {