jwt: Additional test

* Added JWT scenarios to the negiotiation test
* Updated the security-itest with JWT expiration scenario
* Updated MiniOidc to set expires_at and not_before properties of the
generated JWTs
* Added methods to be able to manually create JWT and JWKS files

Change-Id: I1977c80b70fd9628ac800671f6cf16e9fa96c0f0
Reviewed-on: http://gerrit.cloudera.org:8080/19156
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>

src/kudu/integration-tests/security-itest.cc

@@ -513,28 +513,34 @@ void GetFullBinaryPath(string* binary) {
 }
 
 TEST_F(SecurityITest, TestJwtMiniCluster) {
+  SKIP_IF_SLOW_NOT_ALLOWED();
+
   cluster_opts_.enable_kerberos = false;
   cluster_opts_.num_tablet_servers = 0;
   cluster_opts_.enable_client_jwt = true;
   MiniOidcOptions oidc_opts;
   const auto* const kValidAccount = "valid";
   const auto* const kInvalidAccount = "invalid";
+  const uint64_t kLifetimeMs = 1000;
   oidc_opts.account_ids = {
     { kValidAccount, true },
     { kInvalidAccount, false },
   };
-
+  oidc_opts.lifetime_ms = kLifetimeMs;
   cluster_opts_.mini_oidc_options = std::move(oidc_opts);
   ASSERT_OK(StartCluster());
   const auto* const kSubject = "kudu-user";
-  const auto configure_builder_for = [&] (const string& account_id, KuduClientBuilder* b) {
+  const auto configure_builder_for =
+      [&] (const string& account_id, KuduClientBuilder* b, const uint64_t delay_ms) {
     client::AuthenticationCredentialsPB pb;
     security::JwtRawPB jwt = security::JwtRawPB();
-    *jwt.mutable_jwt_data() = MiniOidc::CreateJwt(account_id, kSubject, true);
+    *jwt.mutable_jwt_data() = cluster_->oidc()->CreateJwt(account_id, kSubject, true);
     *pb.mutable_jwt() = std::move(jwt);
     string creds;
     CHECK(pb.SerializeToString(&creds));
 
+    SleepFor(MonoDelta::FromMilliseconds(delay_ms));
+
     for (auto i = 0; i < cluster_->num_masters(); ++i) {
       b->add_master_server_addr(cluster_->master(i)->bound_rpc_addr().ToString());
     }
@@ -545,19 +551,27 @@ TEST_F(SecurityITest, TestJwtMiniCluster) {
   {
     KuduClientBuilder valid_builder;
     shared_ptr<KuduClient> client;
-    configure_builder_for(kValidAccount, &valid_builder);
+    configure_builder_for(kValidAccount, &valid_builder, 0);
     ASSERT_OK(valid_builder.Build(&client));
     vector<string> tables;
     ASSERT_OK(client->ListTables(&tables));
   }
   {
     KuduClientBuilder invalid_builder;
     shared_ptr<KuduClient> client;
-    configure_builder_for(kInvalidAccount, &invalid_builder);
+    configure_builder_for(kInvalidAccount, &invalid_builder, 0);
     Status s = invalid_builder.Build(&client);
-    ASSERT_FALSE(s.ok()) << s.ToString();
+    ASSERT_TRUE(s.IsRuntimeError());
     ASSERT_STR_CONTAINS(s.ToString(), "FATAL_INVALID_JWT");
   }
+  {
+    KuduClientBuilder timeout_builder;
+    shared_ptr<KuduClient> client;
+    configure_builder_for(kValidAccount, &timeout_builder, 3 * kLifetimeMs);
+    Status s = timeout_builder.Build(&client);
+    ASSERT_TRUE(s.IsRuntimeError());
+    ASSERT_STR_CONTAINS(s.ToString(), "token expired");
+  }
   {
     KuduClientBuilder no_jwt_builder;
     shared_ptr<KuduClient> client;
@@ -566,7 +580,7 @@ TEST_F(SecurityITest, TestJwtMiniCluster) {
     }
     no_jwt_builder.require_authentication(true);
     Status s = no_jwt_builder.Build(&client);
-    ASSERT_FALSE(s.ok()) << s.ToString();
+    ASSERT_TRUE(s. IsNotAuthorized());
     ASSERT_STR_CONTAINS(s.ToString(), "Not authorized");
   }
 }

src/kudu/mini-cluster/external_mini_cluster.cc

@@ -84,6 +84,10 @@
 #include "kudu/util/subprocess.h"
 #include "kudu/util/test_util.h"
 
+namespace kudu {
+class JwtVerifier;
+}  // namespace kudu
+
 using kudu::client::internal::ConnectToClusterRpc;
 #if !defined(NO_CHRONY)
 using kudu::clock::MiniChronyd;
@@ -269,7 +273,7 @@ Status ExternalMiniCluster::Start() {
   gflags::FlagSaver saver;
   FLAGS_dns_addr_resolution_override = dns_overrides_;
 
-  std::shared_ptr<PerAccountKeyBasedJwtVerifier> jwt_verifier = nullptr;
+  std::shared_ptr<JwtVerifier> jwt_verifier = nullptr;
   if (opts_.enable_client_jwt) {
     oidc_.reset(new MiniOidc(opts_.mini_oidc_options));
     RETURN_NOT_OK_PREPEND(oidc_->Start(), "Failed to start OIDC endpoints");

src/kudu/rpc/CMakeLists.txt

@@ -124,7 +124,9 @@ SET_KUDU_TEST_LINK_LIBS(
   mini_kdc
   rpc_header_proto
   rtest_krpc
-  security_test_util)
+  security_test_util
+  kudu_jwt_util
+  jwt_test_certs)
 ADD_KUDU_TEST(exactly_once_rpc-test PROCESSORS 10)
 ADD_KUDU_TEST(mt-rpc-test RUN_SERIAL true)
 ADD_KUDU_TEST(negotiation-test)