feat: switch JTI validation to black-listing (#4851)

paullatzelsperger · web-flow · commit 98cbed830192 · 2025-03-10T12:17:13.000+01:00
diff --git a/extensions/common/crypto/jwt-verifiable-credentials/src/main/java/org/eclipse/edc/verifiablecredentials/jwt/rules/JtiValidationRule.java b/extensions/common/crypto/jwt-verifiable-credentials/src/main/java/org/eclipse/edc/verifiablecredentials/jwt/rules/JtiValidationRule.java
@@ -15,6 +15,7 @@
 package org.eclipse.edc.verifiablecredentials.jwt.rules;
 
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.jwt.validation.jti.JtiValidationEntry;
 import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.monitor.Monitor;
@@ -43,13 +44,20 @@ public JtiValidationRule(JtiValidationStore jtiValidationStore, Monitor monitor)
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
         var jti = toVerify.getStringClaim(JwtRegisteredClaimNames.JWT_ID);
         if (jti != null) {
-            var entry = jtiValidationStore.findById(jti);
+            var entry = jtiValidationStore.findById(jti); // check if existed before
+            var res = jtiValidationStore.storeEntry(new JtiValidationEntry(jti));
+            if (res.failed()) {
+                return Result.failure(res.getFailureDetail());
+            }
+
             if (entry == null) {
-                return Result.failure("The JWT id '%s' was not found".formatted(jti));
+                return Result.success();
             }
             if (entry.isExpired()) {
-                monitor.warning("JTI Validation entry with id " + jti + " is expired");
+                monitor.warning("JTI Validation entry with id '%s' is expired".formatted(jti));
+                return Result.success();
             }
+            return Result.failure("The JWT id '%s' was already used.".formatted(jti));
         }
         return Result.success();
     }
diff --git a/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/rules/JtiValidationRuleTest.java b/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/rules/JtiValidationRuleTest.java
@@ -17,43 +17,72 @@
 import org.eclipse.edc.jwt.validation.jti.JtiValidationEntry;
 import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
 import org.eclipse.edc.spi.iam.ClaimToken;
+import org.eclipse.edc.spi.result.StoreResult;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.time.Instant;
 import java.util.Map;
 
 import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 class JtiValidationRuleTest {
 
     private final JtiValidationStore store = mock();
     private final JtiValidationRule rule = new JtiValidationRule(store, mock());
 
+    @BeforeEach
+    void setUp() {
+        when(store.storeEntry(any())).thenReturn(StoreResult.success());
+    }
+
     @Test
     void checkRule_noExpiration_success() {
         when(store.findById(eq("test-id"))).thenReturn(new JtiValidationEntry("test-id"));
-        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isSucceeded();
+        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isFailed()
+                .detail().isEqualTo("The JWT id 'test-id' was already used.");
+        verify(store).storeEntry(any());
     }
 
     @Test
     void checkRule_withExpiration_success() {
         when(store.findById(eq("test-id"))).thenReturn(new JtiValidationEntry("test-id", Instant.now().plusSeconds(3600).toEpochMilli()));
-        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isSucceeded();
+        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isFailed()
+                .detail().isEqualTo("The JWT id 'test-id' was already used.");
+        verify(store).storeEntry(any());
     }
 
     @Test
     void checkRule_withExpiration_alreadyExpired() {
         when(store.findById(eq("test-id"))).thenReturn(new JtiValidationEntry("test-id", Instant.now().minusSeconds(3600).toEpochMilli()));
         assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isSucceeded();
+        verify(store).storeEntry(any());
     }
 
     @Test
     void checkRule_entryNotFound_success() {
         when(store.findById(eq("test-id"))).thenReturn(null);
+        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isSucceeded();
+        verify(store).storeEntry(any());
+    }
+
+    @Test
+    void checkRule_entryNotFound_storeFails_failure() {
+        when(store.findById(eq("test-id"))).thenReturn(null);
+        when(store.storeEntry(any())).thenReturn(StoreResult.duplicateKeys("foobar"));
         assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("jti", "test-id").build(), Map.of())).isFailed()
-                .detail().isEqualTo("The JWT id 'test-id' was not found");
+                .detail().isEqualTo("foobar");
+    }
+
+    @Test
+    void checkRule_whenClaimTokenNoKid() {
+        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().build(), Map.of())).isSucceeded();
+        verify(store, never()).storeEntry(any());
     }
 }
