diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index f6f9878ea20c7..00f1caec24cf7 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -946,9 +946,11 @@ - - - + + + + +
@@ -961,6 +963,11 @@ + + + + +
@@ -1739,6 +1746,11 @@ + + + + +
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
index 07308d5d29a9a..d3697eade8b24 100644
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
@@ -79,12 +79,19 @@ dependencies {
 runtimeOnly "joda-time:joda-time:2.10.10"
 // Dependencies for oidc
- api "com.nimbusds:oauth2-oidc-sdk:9.37"
- api "com.nimbusds:nimbus-jose-jwt:9.23"
+ api "com.nimbusds:oauth2-oidc-sdk:11.10.1"
+ api project(path: xpackModule('security:lib:nimbus-jose-jwt-modified'), configuration: 'shadow')
+ if (isEclipse) {
+ /*
+ * Eclipse can't pick up the shadow dependency so we point it at the unmodified version of the library
+ * so it can compile things.
+ */
+ api "com.nimbusds:nimbus-jose-jwt:9.37.3"
+ }
 api "com.nimbusds:lang-tag:1.4.4"
 api "com.sun.mail:jakarta.mail:1.6.3"
 api "net.jcip:jcip-annotations:1.0"
- api "net.minidev:json-smart:2.4.10"
+ api "net.minidev:json-smart:2.5.1"
 api "net.minidev:accessors-smart:2.4.2"
 api "org.ow2.asm:asm:8.0.1"
@@ -103,7 +110,6 @@ dependencies {
 testImplementation('org.apache.kerby:kerb-crypto:1.1.1')
 testImplementation('org.apache.kerby:kerb-util:1.1.1')
 testImplementation('org.apache.kerby:token-provider:1.1.1')
- testImplementation('com.nimbusds:nimbus-jose-jwt:9.23')
 testImplementation('net.jcip:jcip-annotations:1.0')
 testImplementation('org.apache.kerby:kerb-admin:1.1.1')
 testImplementation('org.apache.kerby:kerb-server:1.1.1')
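Review bot: `json-smart` is bumped to 2.5.1 while the `accessors-smart:2.4.2` context line directly below it stays on 2.4.x; as far as I recall json-smart 2.5.x declares accessors-smart 2.5.x as its companion, and since this build pins every dependency explicitly (so transitive resolution presumably does not paper over the gap) the pair should move together, `api "net.minidev:accessors-smart:2.5.1"`, with the `asm` pin re-checked against what that release needs. Separately, `nimbus-jose-jwt:9.37.3` is now pinned here in the `isEclipse` branch and again in the `lib` subprojects; a single shared version property would stop the next security bump from updating the wrapper but not the library it wraps (or vice versa). The `isEclipse` branch also puts the unmodified library on the `api` classpath next to the modified shadow jar, which is presumably IDE-only; the comment should say so explicitly, e.g. `* IDE-only: never a distribution classpath, since the unmodified classes bypass the security-manager wrappers.` The `dependencies` block starts and ends outside the hunk.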
@@ -225,6 +231,9 @@ tasks.named("thirdPartyAudit").configure {
 'javax.servlet.http.HttpSession',
 'javax.servlet.http.HttpUpgradeHandler',
 'javax.servlet.http.Part',
+ 'jakarta.servlet.ServletRequest',
+ 'jakarta.servlet.http.HttpServletRequest',
+ 'jakarta.servlet.http.HttpServletResponse',
 // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
 'org.apache.velocity.VelocityContext',
 'org.apache.velocity.app.VelocityEngine',
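Review bot: The three new `jakarta.servlet.*` acknowledgements carry no comment saying why they are safe to ignore, unlike the velocity block right below them; presumably oauth2-oidc-sdk 11.x now references the jakarta namespace alongside javax for its optional servlet integration, which this plugin never exercises. Add that reason above the first new line so the next audit change does not have to rediscover it: `// [missing classes] oauth2-oidc-sdk has optional servlet integration (javax and, since 11.x, jakarta) that we don't use`. The enclosing `ignoreMissingClasses(` call starts and ends outside the hunk.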
@@ -274,112 +283,103 @@ tasks.named("thirdPartyAudit").configure { // [missing classes] Http Client cache has optional ehcache support 'net.sf.ehcache.Ehcache', 'net.sf.ehcache.Element', - // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We - // acknowledge them here instead of adding bouncy castle as a compileOnly dependency - 'org.bouncycastle.asn1.ASN1Encodable', - 'org.bouncycastle.asn1.ASN1InputStream', - 'org.bouncycastle.asn1.ASN1Integer', - 'org.bouncycastle.asn1.ASN1ObjectIdentifier', - 'org.bouncycastle.asn1.ASN1OctetString', - 'org.bouncycastle.asn1.ASN1Primitive', - 'org.bouncycastle.asn1.ASN1Sequence', - 'org.bouncycastle.asn1.ASN1TaggedObject', - // 'org.bouncycastle.asn1.DEROctetString', - 'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo', - 'org.bouncycastle.asn1.pkcs.EncryptionScheme', - 'org.bouncycastle.asn1.pkcs.KeyDerivationFunc', - 'org.bouncycastle.asn1.pkcs.PBEParameter', - 'org.bouncycastle.asn1.pkcs.PBES2Parameters', - 'org.bouncycastle.asn1.pkcs.PBKDF2Params', - 'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers', - 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', - 'org.bouncycastle.asn1.x500.AttributeTypeAndValue', - 'org.bouncycastle.asn1.x500.RDN', - 'org.bouncycastle.asn1.x500.X500Name', - 'org.bouncycastle.asn1.x509.AccessDescription', - 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', - 'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier', - 'org.bouncycastle.asn1.x509.BasicConstraints', - 'org.bouncycastle.asn1.x509.DistributionPoint', - 'org.bouncycastle.asn1.x509.Extension', - 'org.bouncycastle.asn1.x509.GeneralName', - 'org.bouncycastle.asn1.x509.GeneralNames', - 'org.bouncycastle.asn1.x509.GeneralNamesBuilder', - 'org.bouncycastle.asn1.x509.KeyPurposeId', - 'org.bouncycastle.asn1.x509.KeyUsage', - 'org.bouncycastle.asn1.x509.PolicyInformation', - 'org.bouncycastle.asn1.x509.SubjectKeyIdentifier', - 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', - // 
'org.bouncycastle.asn1.x9.DomainParameters', - // 'org.bouncycastle.asn1.x9.ECNamedCurveTable', - 'org.bouncycastle.asn1.x9.X9ECParameters', - 'org.bouncycastle.cert.X509v3CertificateBuilder', - 'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', - 'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils', - 'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', - 'org.bouncycastle.crypto.BlockCipher', - 'org.bouncycastle.crypto.BufferedBlockCipher', - 'org.bouncycastle.crypto.CipherParameters', - 'org.bouncycastle.crypto.Digest', - 'org.bouncycastle.crypto.PBEParametersGenerator', - 'org.bouncycastle.crypto.StreamCipher', - 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', - // 'org.bouncycastle.crypto.ec.CustomNamedCurves', - 'org.bouncycastle.crypto.engines.AESEngine', - 'org.bouncycastle.crypto.generators.BCrypt', - 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', - 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', - 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', - 'org.bouncycastle.crypto.macs.HMac', - 'org.bouncycastle.crypto.modes.AEADBlockCipher', - 'org.bouncycastle.crypto.modes.GCMBlockCipher', - 'org.bouncycastle.crypto.paddings.BlockCipherPadding', - 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', - 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', - 'org.bouncycastle.crypto.params.DSAKeyParameters', - 'org.bouncycastle.crypto.params.DSAParameters', - 'org.bouncycastle.crypto.params.DSAPrivateKeyParameters', - 'org.bouncycastle.crypto.params.DSAPublicKeyParameters', - 'org.bouncycastle.crypto.params.ECDomainParameters', - 'org.bouncycastle.crypto.params.ECKeyParameters', - 'org.bouncycastle.crypto.params.ECPrivateKeyParameters', - 'org.bouncycastle.crypto.params.ECPublicKeyParameters', - // 'org.bouncycastle.crypto.params.KDFParameters', - 'org.bouncycastle.crypto.params.KeyParameter', - 'org.bouncycastle.crypto.params.RSAKeyParameters', - 
'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters', - 'org.bouncycastle.crypto.prng.EntropySource', - 'org.bouncycastle.crypto.prng.SP800SecureRandom', - 'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder', - 'org.bouncycastle.crypto.prng.drbg.SP80090DRBG', - 'org.bouncycastle.crypto.signers.DSASigner', - 'org.bouncycastle.crypto.signers.ECDSASigner', - 'org.bouncycastle.crypto.signers.RSADigestSigner', - 'org.bouncycastle.crypto.util.PrivateKeyFactory', - 'org.bouncycastle.crypto.util.PrivateKeyInfoFactory', - 'org.bouncycastle.crypto.util.PublicKeyFactory', - 'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory', - 'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi', - 'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC', - 'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi', - 'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util', - 'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil', - // 'org.bouncycastle.jce.ECNamedCurveTable', - // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec', - 'org.bouncycastle.math.ec.ECFieldElement', - 'org.bouncycastle.math.ec.ECPoint', - 'org.bouncycastle.openssl.jcajce.JcaPEMWriter', - 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', - 'org.bouncycastle.util.Arrays', - 'org.bouncycastle.util.io.Streams', - 'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder', - 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider', - 'org.bouncycastle.cert.X509CertificateHolder', - 'org.bouncycastle.openssl.PEMKeyPair', - 'org.bouncycastle.openssl.PEMParser', - 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter', - 'org.bouncycastle.crypto.InvalidCipherTextException', - 'org.bouncycastle.jce.provider.BouncyCastleProvider', + // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. 
We + // acknowledge them here instead of adding bouncy castle as a compileOnly dependency + 'org.bouncycastle.asn1.ASN1Encodable', + 'org.bouncycastle.asn1.ASN1InputStream', + 'org.bouncycastle.asn1.ASN1Integer', + 'org.bouncycastle.asn1.ASN1ObjectIdentifier', + 'org.bouncycastle.asn1.ASN1OctetString', + 'org.bouncycastle.asn1.ASN1Primitive', + 'org.bouncycastle.asn1.ASN1Sequence', + 'org.bouncycastle.asn1.ASN1TaggedObject', + // 'org.bouncycastle.asn1.DEROctetString', + 'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo', + 'org.bouncycastle.asn1.pkcs.EncryptionScheme', + 'org.bouncycastle.asn1.pkcs.KeyDerivationFunc', + 'org.bouncycastle.asn1.pkcs.PBEParameter', + 'org.bouncycastle.asn1.pkcs.PBES2Parameters', + 'org.bouncycastle.asn1.pkcs.PBKDF2Params', + 'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers', + 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo', + 'org.bouncycastle.asn1.x500.AttributeTypeAndValue', + 'org.bouncycastle.asn1.x500.RDN', + 'org.bouncycastle.asn1.x500.X500Name', + 'org.bouncycastle.asn1.x509.AccessDescription', + 'org.bouncycastle.asn1.x509.AlgorithmIdentifier', + 'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier', + 'org.bouncycastle.asn1.x509.BasicConstraints', + 'org.bouncycastle.asn1.x509.DistributionPoint', + 'org.bouncycastle.asn1.x509.Extension', + 'org.bouncycastle.asn1.x509.GeneralName', + 'org.bouncycastle.asn1.x509.GeneralNames', + 'org.bouncycastle.asn1.x509.GeneralNamesBuilder', + 'org.bouncycastle.asn1.x509.KeyPurposeId', + 'org.bouncycastle.asn1.x509.KeyUsage', + 'org.bouncycastle.asn1.x509.PolicyInformation', + 'org.bouncycastle.asn1.x509.SubjectKeyIdentifier', + 'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo', + // 'org.bouncycastle.asn1.x9.DomainParameters', + // 'org.bouncycastle.asn1.x9.ECNamedCurveTable', + 'org.bouncycastle.asn1.x9.X9ECParameters', + 'org.bouncycastle.cert.X509v3CertificateBuilder', + 'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', + 'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils', + 
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', + 'org.bouncycastle.crypto.BlockCipher', + 'org.bouncycastle.crypto.BufferedBlockCipher', + 'org.bouncycastle.crypto.CipherParameters', + 'org.bouncycastle.crypto.Digest', + 'org.bouncycastle.crypto.PBEParametersGenerator', + 'org.bouncycastle.crypto.StreamCipher', + 'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator', + // 'org.bouncycastle.crypto.ec.CustomNamedCurves', + 'org.bouncycastle.crypto.generators.BCrypt', + 'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator', + 'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator', + 'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator', + 'org.bouncycastle.crypto.macs.HMac', + 'org.bouncycastle.crypto.modes.AEADBlockCipher', + 'org.bouncycastle.crypto.paddings.BlockCipherPadding', + 'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher', + 'org.bouncycastle.crypto.params.AsymmetricKeyParameter', + 'org.bouncycastle.crypto.params.DSAKeyParameters', + 'org.bouncycastle.crypto.params.DSAParameters', + 'org.bouncycastle.crypto.params.DSAPrivateKeyParameters', + 'org.bouncycastle.crypto.params.DSAPublicKeyParameters', + 'org.bouncycastle.crypto.params.ECDomainParameters', + 'org.bouncycastle.crypto.params.ECKeyParameters', + 'org.bouncycastle.crypto.params.ECPrivateKeyParameters', + 'org.bouncycastle.crypto.params.ECPublicKeyParameters', + // 'org.bouncycastle.crypto.params.KDFParameters', + 'org.bouncycastle.crypto.params.KeyParameter', + 'org.bouncycastle.crypto.params.RSAKeyParameters', + 'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters', + 'org.bouncycastle.crypto.prng.EntropySource', + 'org.bouncycastle.crypto.prng.SP800SecureRandom', + 'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder', + 'org.bouncycastle.crypto.prng.drbg.SP80090DRBG', + 'org.bouncycastle.crypto.signers.DSASigner', + 'org.bouncycastle.crypto.signers.ECDSASigner', + 'org.bouncycastle.crypto.signers.RSADigestSigner', + 
'org.bouncycastle.crypto.util.PrivateKeyFactory', + 'org.bouncycastle.crypto.util.PrivateKeyInfoFactory', + 'org.bouncycastle.crypto.util.PublicKeyFactory', + 'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory', + 'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi', + 'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC', + 'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi', + 'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util', + 'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil', + // 'org.bouncycastle.jce.ECNamedCurveTable', + // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec', + 'org.bouncycastle.math.ec.ECFieldElement', + 'org.bouncycastle.math.ec.ECPoint', + 'org.bouncycastle.openssl.jcajce.JcaPEMWriter', + 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', + 'org.bouncycastle.util.Arrays', + 'org.bouncycastle.util.io.Streams', + 'org.bouncycastle.cert.X509CertificateHolder', ) ignoreViolations( 
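Review bot: Nearly all of this 112/103-line hunk is a whitespace re-indent of the BouncyCastle acknowledgement list, which buries the substantive change: nine entries are dropped (`org.bouncycastle.crypto.engines.AESEngine`, `org.bouncycastle.crypto.modes.GCMBlockCipher`, `org.bouncycastle.cert.jcajce.JcaX509CertificateHolder`, `org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider`, `org.bouncycastle.openssl.PEMKeyPair`, `org.bouncycastle.openssl.PEMParser`, `org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter`, `org.bouncycastle.crypto.InvalidCipherTextException`, `org.bouncycastle.jce.provider.BouncyCastleProvider`). Presumably those were only referenced by the old nimbus-jose-jwt and the audit now passes without them, but that is a statement about which optional crypto paths the new library no longer links against, and a reviewer should be able to see it. Either keep the original indentation so the diff shows only the removals, or split the reindent into its own commit, and extend the comment on the first added line with the reason, e.g. `// (nimbus-jose-jwt 9.37.3 no longer references the BC provider/PEM/AES-GCM classes the 9.23 audit had to acknowledge)` — if that is indeed the cause. The `ignoreMissingClasses(` call this list belongs to starts outside the hunk.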
@@ -402,26 +402,21 @@ tasks.named("thirdPartyAudit").configure {
 tasks.named("thirdPartyAudit").configure {
 ignoreMissingClasses(
- 'javax.xml.bind.JAXBContext',
- 'javax.xml.bind.JAXBElement',
- 'javax.xml.bind.JAXBException',
- 'javax.xml.bind.Unmarshaller',
- 'javax.xml.bind.UnmarshallerHandler',
- // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
- 'org.cryptomator.siv.SivMode',
- // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
- 'com.google.crypto.tink.subtle.Ed25519Sign',
- 'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
- 'com.google.crypto.tink.subtle.Ed25519Verify',
- 'com.google.crypto.tink.subtle.X25519',
- 'com.google.crypto.tink.subtle.XChaCha20Poly1305',
- 'com.nimbusds.common.contenttype.ContentType',
- 'javax.activation.ActivationDataFlavor',
- 'javax.activation.DataContentHandler',
- 'javax.activation.DataHandler',
- 'javax.activation.DataSource',
- 'javax.activation.FileDataSource',
- 'javax.activation.FileTypeMap'
+ 'javax.xml.bind.JAXBContext',
+ 'javax.xml.bind.JAXBElement',
+ 'javax.xml.bind.JAXBException',
+ 'javax.xml.bind.Unmarshaller',
+ 'javax.xml.bind.UnmarshallerHandler',
+ // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
+ 'org.cryptomator.siv.SivMode',
+ 'com.nimbusds.common.contenttype.ContentType',
+ 'com.nimbusds.common.contenttype.ContentType$Parameter',
+ 'javax.activation.ActivationDataFlavor',
+ 'javax.activation.DataContentHandler',
+ 'javax.activation.DataHandler',
+ 'javax.activation.DataSource',
+ 'javax.activation.FileDataSource',
+ 'javax.activation.FileTypeMap'
 )
 }
diff --git a/x-pack/plugin/security/lib/build.gradle b/x-pack/plugin/security/lib/build.gradle
new file mode 100644
index 0000000000000..7bc94f348e781
--- /dev/null
+++ b/x-pack/plugin/security/lib/build.gradle
@@ -0,0 +1,13 @@
+// This build deserves an explanation. Nimbus-jose-jwt uses gson internally, which is unfriendly
+// to our usage of the security manager, to a degree that it makes the library extremely difficult
+// to work with safely. The purpose of this build is to create a version of nimbus-jose-jwt with
+// a couple classes replaced with wrappers which work with the security manager, the source files
+// in this directory.
+
+// Because we want to include the original class files so that we can reference them without
+// modification, there are a couple intermediate steps:
+ // nimbus-jose-jwt-modified-part1: Create a version of the JAR in which the relevant class files are moved to a different package.
+ // This is not immediately usable as this process rewrites the rest of the JAR to "correctly" reference the new classes. So, we need to...
+ // nimbus-jose-jwt-modified-part2: Create a JAR from the result of part 1 which contains *only* the relevant class files by removing everything else.
+ // nimbus-jose-jwt-modified: Use the result of part 2 here, combined with the original library, so that we can use our
+ // replacement classes which wrap the original class files.
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle
new file mode 100644
index 0000000000000..f751fcd0a655d
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle
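Review bot: The explanation never names the "couple classes" that get replaced, so a reader has to reverse-engineer part1's `relocate` lines to learn it is `JSONObjectUtils` and `JSONStringUtils`; say so on the fourth line, e.g. `// a couple classes (com.nimbusds.jose.util.JSONObjectUtils and JSONStringUtils) replaced with wrappers which work with the security manager, ...`. It is also worth stating here that the pinned nimbus-jose-jwt version appears in part1, in nimbus-jose-jwt-modified and in the `isEclipse` branch of the security plugin's build.gradle, and that all of them must be bumped together, since a mismatch means wrapping a different release than the one actually shipped.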
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+// See the build.gradle file in the parent directory for an explanation of this unusual build
+
+dependencies {
+ implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+}
+
+tasks.named('shadowJar').configure {
+ // Attempting to exclude all of the classes we *don't* move here ought to be possible per the
+ // shadowJar docs, but actually attempting to do so results in an empty JAR. May be a bug in the shadowJar plugin.
+ relocate 'com.nimbusds.jose.util.JSONObjectUtils', 'org.elasticsearch.nimbus.jose.util.JSONObjectUtils'
+ relocate 'com.nimbusds.jose.util.JSONStringUtils', 'org.elasticsearch.nimbus.jose.util.JSONStringUtils'
+}
+
+['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each {
+ tasks.named(it).configure {
+ enabled = false
+ }
+}
+
diff --git a/x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-LICENSE.txt
similarity index 100%
rename from x-pack/plugin/security/licenses/nimbus-jose-jwt-LICENSE.txt
rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-LICENSE.txt
diff --git a/x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-NOTICE.txt
similarity index 100%
rename from x-pack/plugin/security/licenses/nimbus-jose-jwt-NOTICE.txt
rename to x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/licenses/nimbus-jose-jwt-NOTICE.txt
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle
new file mode 100644
index 0000000000000..c4c0f2ebd2fe1
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part2/build.gradle
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+// See the build.gradle file in the parent directory for an explanation of this unusual build
+
+dependencies {
+ implementation project(path: xpackModule('security:lib:nimbus-jose-jwt-modified-part1'), configuration: 'shadow')
+}
+
+tasks.named('shadowJar').configure {
+ // Drop everything in the original namespace, as the classes we want to modify have already been moved to another package by part 1
+ exclude 'com/nimbusds/'
+}
+
+['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each {
+ tasks.named(it).configure {
+ enabled = false
+ }
+}
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle
new file mode 100644
index 0000000000000..3438c067d8ab5
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle
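Review bot: `exclude 'com/nimbusds/'` is a deny-list, so anything the part1 shadow output holds outside that directory — `META-INF/` resources and whatever else the shadow plugin does not strip by default — still flows through part2 and, via the final module, would sit in the shipped jar next to the same entries coming from the unmodified `nimbus-jose-jwt:9.37.3`. The comment says the goal is a jar containing *only* the relocated classes; an allow-list states that directly and cannot drift when upstream adds new packages: `include 'org/elasticsearch/nimbus/**'`. If the plugin turns that into an empty jar, as the part1 comment reports for its exclude attempt, record that here so the next person does not retry it blindly.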
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+// See the build.gradle file in the parent directory for an explanation of this unusual build
+
+dependencies {
+ implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+ implementation project(path: xpackModule('security:lib:nimbus-jose-jwt-modified-part2'), configuration: 'shadow')
+}
+
+tasks.named('shadowJar').configure {
+ manifest {
+ // The original library uses this and it gets stripped by shadowJar
+ attributes 'Automatic-Module-Name': 'com.nimbusds.jose.jwt'
+ }
+}
+
+['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each {
+ tasks.named(it).configure {
+ enabled = false
+ }
+}
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-LICENSE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-LICENSE.txt
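Review bot: This shadow jar receives `com/nimbusds/jose/util/JSONObjectUtils.class` twice — once from the unmodified `nimbus-jose-jwt:9.37.3` dependency and once compiled from this module's own `src/main/java` wrapper (and presumably the same for `JSONStringUtils`) — yet the `shadowJar` block only sets the manifest, so which copy lands in the archive, and therefore whether the `doPrivileged` wrappers are in effect at all, rests on the plugin's duplicate handling (first-visited entry wins, as far as I can tell) rather than on anything stated here. With `jarHell` disabled for this module nothing downstream would notice the wrong copy winning. At minimum document the dependency on that ordering next to the manifest, e.g. `// our src/main/java wrappers must shadow the upstream JSONObjectUtils/JSONStringUtils; shadow keeps the first entry it sees, which is the project's own output`, and add a build-time or unit check that the `JSONObjectUtils` actually loaded references `org.elasticsearch.nimbus.jose.util`, since `duplicatesStrategy` alone will not fire if the plugin de-duplicates internally.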
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-NOTICE.txt b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-NOTICE.txt new file mode 100644 index 0000000000000..cb9ad94f662a6 --- /dev/null +++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/licenses/nimbus-jose-jwt-NOTICE.txt 
@@ -0,0 +1,14 @@
+Nimbus JOSE + JWT
+
+Copyright 2012 - 2018, Connect2id Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
new file mode 100644
index 0000000000000..1ea11f5c280ef
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
@@ -0,0 +1,208 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package com.nimbusds.jose.util;
+
+import java.net.URI;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.text.ParseException;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * This class wraps {@link org.elasticsearch.nimbus.jose.util.JSONObjectUtils}, which is copied directly from the source
+ * library, and delegates to that class as quickly as possible. This layer is only here to provide a point at which we
+ * can insert {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do
+ * anything here other than ensure gson has the proper security manager permissions.
+ */
+public class JSONObjectUtils {
+
+ public static Map parse(final String s) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse(s)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static Map parse(final String s, final int sizeLimit) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parse(
+ s,
+ sizeLimit
+ )
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ @Deprecated
+ public static Map parseJSONObject(final String s) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.parseJSONObject(s)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static boolean getBoolean(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBoolean(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static int getInt(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getInt(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static long getLong(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getLong(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static float getFloat(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getFloat(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static double getDouble(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getDouble(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static String getString(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getString(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static URI getURI(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getURI(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static List getJSONArray(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONArray(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static String[] getStringArray(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringArray(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static Map[] getJSONObjectArray(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction[]>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils
+ .getJSONObjectArray(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static List getStringList(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getStringList(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static Map getJSONObject(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getJSONObject(
+ o,
+ key
+ )
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static Base64URL getBase64URL(final Map o, final String key) throws ParseException {
+ try {
+ return AccessController.doPrivileged(
+ (PrivilegedExceptionAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getBase64URL(o, key)
+ );
+ } catch (PrivilegedActionException e) {
+ throw (ParseException) e.getException();
+ }
+ }
+
+ public static String toJSONString(final Map o) {
+ return AccessController.doPrivileged(
+ (PrivilegedAction) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.toJSONString(o)
+ );
+ }
+
+ public static Map newJSONObject() {
+ return AccessController.doPrivileged(
+ (PrivilegedAction>) org.elasticsearch.nimbus.jose.util.JSONObjectUtils::newJSONObject
+ );
+ }
+
+ private JSONObjectUtils() {}
+}
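Review bot: Every method in this new class runs a `doPrivileged` action around JSON parsing whose input, judging from the JWT and JWK callers elsewhere in this change, is attacker-supplied (token headers and claims, JWK sets), and the class Javadoc at the top of the hunk should say so, because that is the reason each privileged action must remain a single delegating call with no logic of its own. Suggested sentence for the Javadoc: `Input to these methods is typically untrusted (JWT headers/claims, JWK sets); keep each privileged action limited to the one delegating call so that no additional code runs with the elevated permissions granted to this jar.` The repeated `throw (ParseException) e.getException();` also deserves a one-line comment that it relies on the copied delegates declaring only `ParseException`; if a future copy of the library declares any other checked exception, the cast turns it into a `ClassCastException` that hides the real cause, so a defensive `if (e.getException() instanceof ParseException pe) throw pe; throw new IllegalStateException(e.getException());` would be safer. I cannot see the copied `org.elasticsearch.nimbus.jose.util.JSONObjectUtils` from this hunk, so the declared exceptions are an assumption to confirm.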
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java
new file mode 100644
index 0000000000000..e9e34d21ce7d6
--- /dev/null
+++ b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONStringUtils.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package com.nimbusds.jose.util;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * This class wraps {@link JSONStringUtils}, which is copied directly from the source library, and delegates to
+ * that class as quickly as possible. This layer is only here to provide a point at which we can insert
+ * {@link java.security.AccessController#doPrivileged(PrivilegedAction)} calls as necessary. We don't do anything here
+ * other than ensure gson has the proper security manager permissions.
+ */
+public class JSONStringUtils {
+
+ public static String toJSONString(final String string) {
+ return AccessController.doPrivileged((PrivilegedAction) () -> JSONStringUtils.toJSONString(string));
+ }
+
+ private JSONStringUtils() {}
+}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java
index 928ecd7fa265d..b345178e205c3 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java
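Review bot: `toJSONString` calls `JSONStringUtils.toJSONString(string)` from inside the class `com.nimbusds.jose.util.JSONStringUtils` itself, so the unqualified name resolves to this very method and the privileged action recurses until a `StackOverflowError` on the first call; the sibling `JSONObjectUtils` wrapper in this change delegates to the copied class under `org.elasticsearch.nimbus.jose.util`, and this one should do the same: `return AccessController.doPrivileged((PrivilegedAction<String>) () -> org.elasticsearch.nimbus.jose.util.JSONStringUtils.toJSONString(string));`. The exact package of the copied class is not visible from this hunk and should be confirmed against the shadow jar. The Javadoc `{@link JSONStringUtils}` carries the same self-reference and should point at the copied class as the `JSONObjectUtils` Javadoc does. A unit test that calls the wrapper once with a plain string would have caught this.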
@@ -11,7 +11,6 @@ import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.util.Base64URL; -import com.nimbusds.jose.util.JSONObjectUtils; import com.nimbusds.jwt.JWT; import com.nimbusds.jwt.SignedJWT; @@ -33,6 +32,7 @@ import org.apache.http.nio.reactor.ConnectingIOReactor; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.SpecialPermission; import org.elasticsearch.action.ActionListener; @@ -45,11 +45,14 @@ import org.elasticsearch.common.ssl.SslConfiguration; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; +import org.elasticsearch.xcontent.XContentBuilder; +import org.elasticsearch.xcontent.XContentFactory; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings; import org.elasticsearch.xpack.core.ssl.SSLService; +import java.io.IOException; import java.io.InputStream; import java.net.URI; import java.nio.charset.StandardCharsets; @@ -64,6 +67,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import java.util.Map; import java.util.Objects; import java.util.function.Supplier; @@ -237,7 +241,13 @@ public static String serializeJwkSet(final JWKSet jwkSet, final boolean publicKe if (jwkSet == null) { return null; } - return JSONObjectUtils.toJSONString(jwkSet.toJSONObject(publicKeysOnly)); + Map jwkJson = jwkSet.toJSONObject(publicKeysOnly); + try (XContentBuilder builder = XContentFactory.jsonBuilder()) { + builder.map(jwkJson); + return Strings.toString(builder); + } catch (IOException e) { + throw new ElasticsearchException(e); + } } public static String serializeJwkHmacOidc(final JWK key) { 
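Review bot: The replacement in `serializeJwkSet` changes the JSON text itself, not only the library producing it: `XContentBuilder.map(jwkJson)` applies its own escaping and key ordering, whereas the removed `JSONObjectUtils.toJSONString` used the nimbus encoder. If any caller compares, hashes or persists this string (for example to detect a changed JWK set between reloads), the two outputs need to be confirmed equivalent or the comparison moved to the parsed `JWKSet`; the callers are outside this hunk, so treat that as something to verify. A short why-comment on the `try` line would also help the next reader, since the new code is otherwise an unexplained detour through XContent: `// Serialize via XContent rather than the nimbus JSON encoder, which now runs behind doPrivileged in the modified library`. The bare `new ElasticsearchException(e)` loses context too; `new ElasticsearchException("failed to serialize JWK set", e)` is cheaper to debug.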
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
index 2c9d38e5ae55e..b3d5e80e09dcd 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
@@ -51,3 +51,9 @@ grant codeBase "${codebase.netty-transport}" {
 // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
 permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
 };
+
+grant codeBase "${codebase.nimbus-jose-jwt-modified}" {
+ // for JSON serialization based on a shaded GSON dependency
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
index 3732573b2f03d..f1927876eba5f 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidatorTests.java
@@ -266,7 +266,7 @@ public void testJwtSignVerifyPassedForAllSupportedAlgorithms() {
 try {
 helpTestSignatureAlgorithm(signatureAlgorithm, false);
 } catch (Exception e) {
- fail("signature validation with algorithm [" + signatureAlgorithm + "] should have succeeded");
+ throw new RuntimeException("signature validation with algorithm [" + signatureAlgorithm + "] should have succeeded", e);
 }
 }
 // Fail: "ES256K"
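Review bot: `suppressAccessChecks` is the broadest reflection permission the JDK has (it allows `setAccessible(true)` on any member), and the new grant applies to the whole `nimbus-jose-jwt-modified` codebase, i.e. the shadow jar containing the copied nimbus library as well as the shaded GSON, not only the GSON classes the comment names. The comment should record that scope and the intended containment so the grant is not widened or copied casually: `// The shadow jar bundles nimbus-jose-jwt plus a shaded GSON; GSON needs reflection (accessDeclaredMembers + setAccessible) to serialize JSON. The only privileged entry points are the doPrivileged wrappers in com.nimbusds.jose.util.JSONObjectUtils/JSONStringUtils; do not add other privileged code paths to this jar.` Keeping the grant in its own `codeBase` block rather than the plugin-wide grant is the right shape and worth preserving.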
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java
index be45394b01ec6..a95ecd88f6a8e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java
@@ -6,12 +6,13 @@
 */
 package org.elasticsearch.xpack.security.authc.oidc;
+import net.minidev.json.JSONStyle;
+import net.minidev.json.JSONValue;
+import net.minidev.json.reader.JsonWriterI;
+
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSASigner;
-import com.nimbusds.jose.shaded.json.JSONStyle;
-import com.nimbusds.jose.shaded.json.JSONValue;
-import com.nimbusds.jose.shaded.json.reader.JsonWriterI;
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;