rmanach/simple-auth
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases 5 Wiki Activity

feat: #13 impl the JWT validation + some fixes

Browse Source
This commit is contained in:
landrigun 2022-10-14 14:45:03 +00:00
parent 6c79c3d708
commit b73add00c5
11 changed files with 214 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -48,6 +48,10 @@ expiration_time = 2 # in hours
curl http://<ip>:<port>/get/ -d '{"username":"<user>", "password":"<password>"}'
# should returned
{"token":"<header>.<payload>.<signature>"}
curl http://<ip>:<port>/validate/ -d '{"token":"<header>.<payload>.<signature>"}'
# should returned (if valid)
{"valid":"true"}
```
## Test
@ -58,7 +62,13 @@ cargo test
```
### integration tests
* run the server locally or remotly (the URL must be changed if needed in `curling.bash` and `test_requests.py`)
* do the **configuration** step for your env tests
* set the following env variables:
```bash
export SIMPLE_AUTH_URL="http://<url>:<port>"
export SIMPLE_AUTH_PUB_KEY="<path_to_pem_pub_key>" # DO NOT USE THE ONE IN PRODUCTION !
```
* run the server (if no one is running remotly)
* run curl tests
```bash
cd tests/bash/
@ -75,7 +85,7 @@ source venv/bin/activate
pip install -r requirements
# launch the tests
python -m unitest
python -m unittest
```
## Documentation

42
src/http/request.rs
View File

@ -8,6 +8,8 @@ use lazy_static::lazy_static;
use regex::Regex;
use std::collections::VecDeque;
use crate::utils::extract_json_value;
type RequestParts = (String, VecDeque<String>, String);
const HTTP_REQUEST_SEPARATOR: &'static str = "\r\n";
@ -205,6 +207,17 @@ impl HTTPRequest {
}
}
/// retrieve value in `HTTPBody` (returns None if empty or does not exist)
pub fn get_body_value(&self, key: &str) -> Option<String> {
match self.body {
Some(ref b) => match &b.data {
json::JsonValue::Object(d) => extract_json_value(&d, key),
_ => None,
},
None => None,
}
}
#[allow(dead_code)]
pub fn is_valid(&self) -> bool {
return self.start_line.is_valid();
@ -238,15 +251,17 @@ fn test_request() {
start_line: String,
body: Option<String>,
is_valid: bool,
has_token: bool,
}
let test_cases: [(String, Expect); 11] = [
let test_cases: [(String, Expect); 12] = [
(
"POST /get/ HTTP/1.1\r\n\r\n".to_string(),
Expect {
start_line: "POST /get/ HTTP/1.1".to_string(),
body: None,
is_valid: true,
has_token: false,
},
),
(
@ -255,6 +270,7 @@ fn test_request() {
start_line: "POST /refresh/ HTTP/2".to_string(),
body: None,
is_valid: true,
has_token: false,
},
),
(
@ -263,6 +279,7 @@ fn test_request() {
start_line: "POST /validate/ HTTP/1.0".to_string(),
body: None,
is_valid: true,
has_token: false,
},
),
(
@ -271,6 +288,7 @@ fn test_request() {
start_line: "GET / HTTP/1.1".to_string(),
body: None,
is_valid: true,
has_token: false,
},
),
// intentionally add HTTP with no version number
@ -280,6 +298,7 @@ fn test_request() {
start_line: " UNKNOWN".to_string(),
body: None,
is_valid: false,
has_token: false,
},
),
(
@ -288,6 +307,7 @@ fn test_request() {
start_line: " UNKNOWN".to_string(),
body: None,
is_valid: false,
has_token: false
}
),
(
@ -296,6 +316,7 @@ fn test_request() {
start_line: " UNKNOWN".to_string(),
body: None,
is_valid: false,
has_token: false
}
),
(
@ -304,6 +325,7 @@ fn test_request() {
start_line: "fjlqskjd /oks?id=65 HTTP/2".to_string(),
body: None,
is_valid: true,
has_token: false
}
),
(
@ -312,6 +334,7 @@ fn test_request() {
start_line: " UNKNOWN".to_string(),
body: None,
is_valid: false,
has_token: false,
}
),
(
@ -320,6 +343,7 @@ fn test_request() {
start_line: " UNKNOWN".to_string(),
body: Some(r#"{"access_token":"AAAAAAAAAAAA.BBBBBBBBBB.CCCCCCCCCC","refresh_token": "DDDDDDDDDDD.EEEEEEEEEEE.FFFFF"}"#.to_string()),
is_valid: false,
has_token: false
}
),
(
@ -328,6 +352,16 @@ fn test_request() {
start_line: "POST /refresh/ HTTP/1.1".to_string(),
body: Some(r#"{"access_token":"toto","refresh_token":"tutu"}"#.to_string()),
is_valid: true,
has_token: false
}
),
(
format!("{}\r\nuselessheaders\r\n{}", "POST /get/ HTTP/1.1", r#"{"token": "toto", "refresh_token": "tutu"}"#),
Expect {
start_line: "POST /get/ HTTP/1.1".to_string(),
body: Some(r#"{"token":"toto","refresh_token":"tutu"}"#.to_string()),
is_valid: true,
has_token: true
}
),
];
@ -336,6 +370,7 @@ fn test_request() {
let http_request = HTTPRequest::from(request.as_str());
assert_eq!(expect.is_valid, http_request.is_valid());
let token = http_request.get_body_value("token");
let start_line: String = http_request.start_line.into();
assert_eq!(expect.start_line, start_line);
@ -345,6 +380,11 @@ fn test_request() {
}
None => continue,
}
match expect.has_token {
true => assert!(token.is_some()),
false => assert!(token.is_none()),
}
}
}

49
src/http/router.rs
View File

@ -1,11 +1,12 @@
//! router aims to handle correctly the request corresponding to the target
//! it implements all the logic to build an `HTTPResponse`
use json;
use super::{HTTPMessage, HTTPRequest, HTTPResponse};
use crate::config::Config;
use crate::jwt::JWTSigner;
use crate::stores::FileStore;
use crate::stores::Store;
use crate::stores::{FileStore, Store};
// TODO: must be mapped with corresponding handler
const GET_ROUTE: &'static str = "/get/";
@ -44,14 +45,46 @@ async fn handle_get(request: HTTPRequest, config: Config) -> HTTPResponse {
/// validates the token by checking:
/// * expiration time
async fn handle_validate(request: HTTPRequest, _config: Config) -> HTTPResponse {
match &request.body {
Some(ref _b) => {
// TODO: impl the JWT validation
HTTPResponse::send_token("header.payload.signature")
/// * signature
async fn handle_validate(request: HTTPRequest, config: Config) -> HTTPResponse {
let token = {
match request.get_body_value("token") {
Some(t) => t,
None => {
let mut message = HTTPMessage::default();
message.put("valid", "false");
message.put("reason", "no token provided in the request body");
let json = message.try_into().unwrap();
return HTTPResponse::as_200(Some(json));
}
}
};
let jwt_signer = {
match JWTSigner::new(config).await {
Ok(s) => s,
Err(e) => {
let message = HTTPMessage::error(&e);
let json = message.try_into().unwrap();
return HTTPResponse::as_500(Some(json));
}
}
};
let mut message = HTTPMessage::default();
match jwt_signer.validate(&token) {
Ok(()) => {
message.put("valid", "true");
}
Err(e) => {
message.put("valid", "false");
message.put("reason", &e);
}
None => HTTPResponse::as_400(),
}
let json: json::JsonValue = message.try_into().unwrap();
HTTPResponse::as_200(Some(json))
}
pub struct Router;

38
src/jwt/jwt.rs
View File

@ -1,7 +1,9 @@
//! simple module to read `.pem` files and sign the token
use crate::config::Config;
use jwt_simple::common::VerificationOptions;
use jwt_simple::prelude::*;
use std::collections::HashSet;
use tokio::fs;
pub struct JWTSigner {
@ -26,7 +28,7 @@ impl JWTSigner {
jwt_signer.private_key = c;
}
Err(e) => {
return Err(format!("unable to read the private key, err={}", e));
return Err(format!("unable to read the private key err={}", e));
}
}
@ -35,20 +37,30 @@ impl JWTSigner {
jwt_signer.public_key = c;
}
Err(e) => {
return Err(format!("unable to read the public key, err={}", e));
return Err(format!("unable to read the public key err={}", e));
}
}
Ok(jwt_signer)
}
fn get_verification_options(&self) -> VerificationOptions {
let mut verification_options = VerificationOptions::default();
let mut issuers: HashSet<String> = HashSet::new();
issuers.insert(self.issuer.clone());
verification_options.allowed_issuers = Some(issuers);
verification_options
}
/// builds and signs the token
pub fn sign(&self) -> Result<String, String> {
let jwt_key = {
match RS384KeyPair::from_pem(&self.private_key) {
Ok(k) => k,
Err(e) => {
return Err(format!("unable to load the private key, err={}", e));
return Err(format!("unable to load the private key err={}", e));
}
}
};
@ -58,10 +70,28 @@ impl JWTSigner {
match jwt_key.sign(claims) {
Ok(token) => Ok(token),
Err(e) => {
return Err(format!("unable to sign the token, err={}", e));
return Err(format!("unable to sign the token err={}", e));
}
}
}
pub fn validate(&self, token: &str) -> Result<(), String> {
let verification_options = self.get_verification_options();
match RS384PublicKey::from_pem(&self.public_key) {
Ok(key) => {
if let Err(e) =
key.verify_token::<NoCustomClaims>(token, Some(verification_options))
{
return Err(format!("token validation failed err={}", e));
}
Ok(())
}
Err(e) => Err(format!(
"token validation failed can't read the public key err={}",
e
)),
}
}
}
#[tokio::test]

1
src/main.rs
View File

@ -2,6 +2,7 @@ mod config;
mod http;
mod jwt;
mod stores;
mod utils;
use clap::Parser;
use configparser::ini::Ini;

18
src/stores/store.rs
View File

@ -1,23 +1,13 @@
use async_trait::async_trait;
use json;
use json::object::Object;
use crate::utils::extract_json_value;
#[async_trait]
pub trait Store {
async fn is_auth(&mut self, data: &json::JsonValue) -> bool;
}
/// extracts `String` json value from a key
fn extract_json_value(data: &Object, key: &str) -> String {
if let Some(u) = data.get(key) {
match u.as_str() {
Some(s) => return s.to_string(),
None => return "".to_string(),
}
};
"".to_string()
}
#[derive(Default, Debug)]
pub struct Credentials {
pub username: String,
@ -39,8 +29,8 @@ impl From<&json::JsonValue> for Credentials {
let mut credentials = Credentials::default();
match data {
json::JsonValue::Object(ref d) => {
credentials.username = extract_json_value(&d, "username");
credentials.password = extract_json_value(&d, "password");
credentials.username = extract_json_value(&d, "username").unwrap_or("".to_string());
credentials.password = extract_json_value(&d, "password").unwrap_or("".to_string());
}
_ => return credentials,
}

3
src/utils/mod.rs Normal file
View File

@ -0,0 +1,3 @@
mod utils;
pub use utils::extract_json_value;

30
src/utils/utils.rs Normal file
View File

@ -0,0 +1,30 @@
use json::object::Object;
/// extracts JSON value from a key
pub fn extract_json_value(data: &Object, key: &str) -> Option<String> {
match data.get(key) {
Some(u) => match u.as_str() {
Some(s) => return Some(s.to_string()),
None => None,
},
None => None,
}
}
#[test]
fn test_extract_json_value() {
let test_cases: [(json::JsonValue, bool, bool); 3] = [
(json::parse(r#"{"test": ""}"#).unwrap(), true, true),
(json::parse(r#"{}"#).unwrap(), true, false),
(json::parse(r#"[]"#).unwrap(), false, false),
];
for (value, is_valid, has_key) in test_cases {
match value {
json::JsonValue::Object(d) => {
assert_eq!(has_key, extract_json_value(&d, "test").is_some());
}
_ => assert!(!is_valid),
}
}
}

6
tests/bash/curling.bash
View File

@ -6,7 +6,11 @@
#
#######################################
URL="http://localhost:9001"
if [ -z ${SIMPLE_AUTH_URL} ]
then
echo "[WARN]: SIMPLE_AUTH_URL is empty, set to http://localhost:9001"
URL="http://localhost:9001"
fi
for i in {0..10}
do

5
tests/python/requirements.txt
View File

@ -1,8 +1,10 @@
attrs==22.1.0
black==22.8.0
certifi==2022.9.14
cffi==1.15.1
charset-normalizer==2.1.1
click==8.1.3
cryptography==38.0.1
idna==3.4
iniconfig==1.1.1
mypy-extensions==0.4.3
@ -11,7 +13,10 @@ pathspec==0.10.1
platformdirs==2.5.2
pluggy==1.0.0
py==1.11.0
pycparser==2.21
PyJWT==2.5.0
pyparsing==3.0.9
requests==2.28.1
tomli==2.0.1
types-cryptography==3.3.23
urllib3==1.26.12

44
tests/python/test_requests.py
View File

@ -1,14 +1,19 @@
import jwt
import os
import requests
from datetime import datetime
from unittest import TestCase
URL = "http://127.0.0.1:9001"
URL = os.getenv("SIMPLE_AUTH_URL", "http://127.0.0.1:9001")
PUB_KEY_PATH = os.getenv("SIMPLE_AUTH_PUB_KEY", "")
class TestResponse(TestCase):
def setUp(self):
with open(PUB_KEY_PATH, "r") as f:
self.pub_key = f.read()
def test_get_target(self):
resp = requests.post(
URL + "/get/", json={"username": "toto", "password": "tata"}
@ -17,25 +22,52 @@ class TestResponse(TestCase):
self.assertIsNotNone(resp.json(), "response data can't be empty")
token = resp.json()["token"]
jwt_decoded = jwt.decode(token, options={"verify_signature": False})
jwt_decoded = jwt.decode(
token,
self.pub_key,
algorithms=["RS384"],
options={
"verify_signature": True,
"verify_claims": True,
"verify_iss": True,
},
)
self.assertEqual("thegux.fr", jwt_decoded["iss"])
jwt_exp = datetime.fromtimestamp(jwt_decoded["exp"])
jwt_iat = datetime.fromtimestamp(jwt_decoded["iat"])
date_exp = datetime.strptime(str(jwt_exp - jwt_iat), "%H:%M:%S")
self.assertEqual(2, date_exp.hour)
return token
def test_validate_target(self):
def test_validate_target_no_token(self):
resp = requests.post(
URL + "/validate/", json={"username": "toto", "password": "tata"}
)
self.assertEqual(resp.status_code, 200, "bad status code returned")
self.assertIsNotNone(resp.json(), "response data can't be empty")
self.assertEqual(resp.json()["valid"], "false", "bad status returned")
self.assertEqual(resp.json()["reason"], "no token provided in the request body")
def test_validate_target_empty_token(self):
resp = requests.post(URL + "/validate/", json={"tutu": "tutu", "token": ""})
self.assertEqual(resp.status_code, 200, "bad status code returned")
self.assertIsNotNone(resp.json(), "response data can't be empty")
self.assertEqual(resp.json()["valid"], "false", "bad status returned")
self.assertEqual(
resp.json()["token"], "header.payload.signature", "bad status returned"
resp.json()["reason"],
"token validation failed err=JWT compact encoding error",
)
# TODO: must be updated after implmenting `/refresh/` url handler
def test_validate_target(self):
token = self.test_get_target()
resp = requests.post(URL + "/validate/", json={"token": token})
self.assertEqual(resp.status_code, 200, "bad status code returned")
self.assertIsNotNone(resp.json(), "response data can't be empty")
self.assertEqual(resp.json()["valid"], "true", "bad status returned")
# TODO: must be updated after implementing `/refresh/` url handler
def test_refresh_target(self):
resp = requests.post(
URL + "/refresh/", json={"username": "toto", "password": "tata"}