refactoring, make more JWT parameters configurable

src/main/java/io/cryostat/discovery/Discovery.java

@@ -434,22 +434,12 @@ static String requireNonBlank(String in, String name) {
     private InetAddress getRemoteAddress(RoutingContext ctx) {
         InetAddress addr = null;
         if (ctx.request() != null && ctx.request().remoteAddress() != null) {
-            addr = tryResolveAddress(addr, ctx.request().remoteAddress().host());
+            addr = jwtValidator.tryResolveAddress(addr, ctx.request().remoteAddress().host());
         }
         if (ctx.request() != null && ctx.request().headers() != null) {
-            addr = tryResolveAddress(addr, ctx.request().headers().get(X_FORWARDED_FOR));
-        }
-        return addr;
-    }
-
-    static InetAddress tryResolveAddress(InetAddress addr, String host) {
-        if (StringUtils.isBlank(host)) {
-            return addr;
-        }
-        try {
-            return InetAddress.getByName(host);
-        } catch (UnknownHostException e) {
-            Logger.getLogger(Discovery.class).error("Address resolution exception", e);
+            addr =
+                    jwtValidator.tryResolveAddress(
+                            addr, ctx.request().headers().get(X_FORWARDED_FOR));
         }
         return addr;
     }

src/main/java/io/cryostat/discovery/DiscoveryJwtFactory.java

@@ -65,6 +65,15 @@ public class DiscoveryJwtFactory {
     @ConfigProperty(name = "cryostat.discovery.plugins.ping-period")
     Duration discoveryPingPeriod;
 
+    @ConfigProperty(name = "cryostat.discovery.plugins.jwt.signature.algorithm")
+    String signatureAlgorithm;
+
+    @ConfigProperty(name = "cryostat.discovery.plugins.jwt.encryption.algorithm")
+    String encryptionAlgorithm;
+
+    @ConfigProperty(name = "cryostat.discovery.plugins.jwt.encryption.method")
+    String encryptionMethod;
+
     @ConfigProperty(name = "cryostat.http.proxy.tls-enabled")
     boolean tlsEnabled;
 
@@ -100,11 +109,16 @@ public String createDiscoveryPluginJwt(
                         .claim(REALM_CLAIM, plugin.realm.name)
                         .build();
 
-        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).build(), claims);
+        SignedJWT jwt =
+                new SignedJWT(
+                        new JWSHeader.Builder(JWSAlgorithm.parse(signatureAlgorithm)).build(),
+                        claims);
         jwt.sign(signer);
 
         JWEHeader header =
-                new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
+                new JWEHeader.Builder(
+                                JWEAlgorithm.parse(encryptionAlgorithm),
+                                EncryptionMethod.parse(encryptionMethod))
                         .contentType("JWT")
                         .build();
         JWEObject jwe = new JWEObject(header, new Payload(jwt));
@@ -176,7 +190,6 @@ public JWT parseDiscoveryPluginJwt(
         return jwt;
     }
 
-    // TODO refactor this
     public URI getPluginLocation(DiscoveryPlugin plugin) throws URISyntaxException {
         URI hostUri =
                 new URI(

src/main/java/io/cryostat/discovery/DiscoveryJwtValidator.java

@@ -69,10 +69,10 @@ public JWT validateJwt(
         InetAddress addr = null;
         HttpServerRequest req = ctx.request();
         if (req.remoteAddress() != null) {
-            addr = Discovery.tryResolveAddress(addr, req.remoteAddress().host());
+            addr = tryResolveAddress(addr, req.remoteAddress().host());
         }
         MultiMap headers = req.headers();
-        addr = Discovery.tryResolveAddress(addr, headers.get(Discovery.X_FORWARDED_FOR));
+        addr = tryResolveAddress(addr, headers.get(Discovery.X_FORWARDED_FOR));
 
         URI hostUri =
                 new URI(
@@ -127,4 +127,16 @@ public JWT validateJwt(
 
         return parsed;
     }
+
+    public InetAddress tryResolveAddress(InetAddress addr, String host) {
+        if (StringUtils.isBlank(host)) {
+            return addr;
+        }
+        try {
+            return InetAddress.getByName(host);
+        } catch (UnknownHostException e) {
+            logger.error("Address resolution exception", e);
+        }
+        return addr;
+    }
 }

src/main/java/io/cryostat/discovery/DiscoveryProducers.java

@@ -39,8 +39,8 @@ public class DiscoveryProducers {
     @Produces
     @ApplicationScoped
     static SecretKey provideSecretKey(
-            @ConfigProperty(name = "cryostat.discovery.plugins.jwt.algorithm") String alg,
-            @ConfigProperty(name = "cryostat.discovery.plugins.jwt.keysize") int keysize)
+            @ConfigProperty(name = "cryostat.discovery.plugins.jwt.secret.algorithm") String alg,
+            @ConfigProperty(name = "cryostat.discovery.plugins.jwt.secret.keysize") int keysize)
             throws NoSuchAlgorithmException {
         KeyGenerator generator = KeyGenerator.getInstance(alg);
         generator.init(keysize);

src/main/resources/application.properties

@@ -5,8 +5,11 @@ cryostat.discovery.containers.request-timeout=2s
 cryostat.discovery.podman.enabled=false
 cryostat.discovery.docker.enabled=false
 cryostat.discovery.plugins.ping-period=5m
-cryostat.discovery.plugins.jwt.algorithm=AES
-cryostat.discovery.plugins.jwt.keysize=256
+cryostat.discovery.plugins.jwt.secret.algorithm=AES
+cryostat.discovery.plugins.jwt.secret.keysize=256
+cryostat.discovery.plugins.jwt.signature.algorithm=HS256
+cryostat.discovery.plugins.jwt.encryption.algorithm=dir
+cryostat.discovery.plugins.jwt.encryption.method=A256GCM
 quarkus.test.integration-test-profile=test
 
 cryostat.connections.max-open=0