Added support for JWT generated by IDPs like Keycloak #871
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,21 @@ | ||
| package config | ||
|
|
||
| import ( | ||
| "context" | ||
| "encoding/json" | ||
| "fmt" | ||
| "net/url" | ||
| "os" | ||
| "path/filepath" | ||
| "strconv" | ||
| "strings" | ||
|
|
||
| "github.com/lestrrat-go/jwx/v2/jwk" | ||
| "github.com/prest/prest/adapters" | ||
| "github.com/prest/prest/cache" | ||
|
|
||
| "net/http" | ||
|
|
||
| homedir "github.com/mitchellh/go-homedir" | ||
| "github.com/spf13/viper" | ||
| "github.com/structy/log" | ||
|
|
@@ -82,6 +88,8 @@ type Prest struct { | |
| PGCache bool | ||
| JWTKey string | ||
| JWTAlgo string | ||
| JWTWellKnown string | ||
| JWTJWKS string | ||
| JWTWhiteList []string | ||
| JSONAggType string | ||
| MigrationsPath string | ||
|
|
@@ -171,6 +179,8 @@ func viperCfg() { | |
|
|
||
| viper.SetDefault("jwt.default", true) | ||
| viper.SetDefault("jwt.algo", "HS256") | ||
| viper.SetDefault("jwt.wellknown", "") | ||
| viper.SetDefault("jwt.jwks", "") | ||
| viper.SetDefault("jwt.whitelist", []string{"/auth"}) | ||
|
|
||
| viper.SetDefault("json.agg.type", "jsonb_agg") | ||
|
|
@@ -271,7 +281,10 @@ func Parse(cfg *Prest) { | |
| cfg.SingleDB = viper.GetBool("pg.single") | ||
| cfg.JWTKey = viper.GetString("jwt.key") | ||
| cfg.JWTAlgo = viper.GetString("jwt.algo") | ||
| cfg.JWTWellKnown = viper.GetString("jwt.wellknown") | ||
| cfg.JWTJWKS = viper.GetString("jwt.jwks") | ||
| cfg.JWTWhiteList = viper.GetStringSlice("jwt.whitelist") | ||
| fetchJWKS(cfg) | ||
|
|
||
| cfg.JSONAggType = getJSONAgg() | ||
|
|
||
|
|
@@ -358,6 +371,50 @@ func parseDatabaseURL(cfg *Prest) { | |
| } | ||
| } | ||
|
|
||
| // fetchJWKS tries to get the JWKS from the URL in the config | ||
| func fetchJWKS(cfg *Prest) { | ||
| if cfg.JWTWellKnown == "" { | ||
| log.Debugln("no JWT WellKnown url found, skipping") | ||
| return | ||
| } | ||
| if cfg.JWTJWKS != "" { | ||
| log.Debugln("JWKS already set, skipping") | ||
| return | ||
| } | ||
|
|
||
| // Call provider to obtain .well-known config | ||
| r, err := http.Get(cfg.JWTWellKnown) | ||
|
There was a problem hiding this comment. please add context to this call with a 5s timeout There was a problem hiding this comment. Done in latest commit. |
||
| if err != nil { | ||
| log.Errorf("Cannot get .well-known configuration from '%s'. err: %v\n", cfg.JWTWellKnown, err) | ||
| return | ||
| } | ||
| defer r.Body.Close() | ||
|
|
||
| var wellKnown map[string]interface{} | ||
| err = json.NewDecoder(r.Body).Decode(&wellKnown) | ||
| if err != nil { | ||
| log.Errorf("Failed to decode JSON: %v\n", err) | ||
| return | ||
| } | ||
|
|
||
| //Retrieve the JWKS from the endpoint | ||
| JWKSet, err := jwk.Fetch(context.Background(), wellKnown["jwks_uri"].(string)) | ||
|
There was a problem hiding this comment. can you split this conversion into a variable? just to make sure that it never panics: uri, ok := wellKnown["jwks_uri"].(string)
...
JWKSet, err := jwk.Fetch(context.Background(),uri)There was a problem hiding this comment. Done in latest commit. |
||
| if err != nil { | ||
| err := fmt.Errorf("failed to parse JWK: %s", err) | ||
| log.Errorf("Failed to fetch JWK: %v\n", err) | ||
| return | ||
| } | ||
|
|
||
| //Convert set to json string | ||
| jwkSetJSON, err := json.Marshal(JWKSet) | ||
| if err != nil { | ||
| log.Errorf("Failed to marshal JWKSet to JSON: %v\n", err) | ||
| return | ||
| } | ||
|
|
||
| cfg.JWTJWKS = string(jwkSetJSON) | ||
| } | ||
|
There was a problem hiding this comment. The
Refactor the |
||
|
|
||
| func portFromEnv(cfg *Prest) { | ||
| if os.Getenv("PORT") == "" { | ||
| log.Debugln("could not find PORT in env") | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -94,6 +94,23 @@ func TestParse(t *testing.T) { | |
| require.Equal(t, "HS512", cfg.JWTAlgo) | ||
| }) | ||
|
|
||
| t.Run("PREST_JWT_WELLKNOWN", func(t *testing.T) { | ||
| //todo: Mock well-known config response | ||
| t.Setenv("PREST_JWT_WELLKNOWN", "https://accounts.google.com/.well-known/openid-configuration") | ||
| viperCfg() | ||
| cfg := &Prest{} | ||
| Parse(cfg) | ||
| require.Equal(t, "https://accounts.google.com/.well-known/openid-configuration", cfg.JWTWellKnown) | ||
| }) | ||
|
There was a problem hiding this comment. The test case for Consider adding an assertion to verify that the JWKS is fetched and correctly parsed into the configuration. There was a problem hiding this comment. I would have to mock a well-known URL response. Which I might need help with. There was a problem hiding this comment. @mcharest-mcn: To mock a well-known URL response in your tests, you can use the package config_test
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/require"
)
func TestParseWithMockWellKnown(t *testing.T) {
// Start a mock HTTP server
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Respond with a mock JWKS JSON when the well-known URL is called
w.WriteHeader(http.StatusOK)
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"keys": [{"kty": "RSA", ...}]}`)) // Simplified JWKS response
}))
defer server.Close()
// Use the mock server's URL as the well-known URL
t.Setenv("PREST_JWT_WELLKNOWN", server.URL)
// Continue with your test setup and assertions...
}This example demonstrates how to start a mock HTTP server that listens for requests and responds with a predefined JWKS JSON. You replace the This approach allows you to test the functionality that fetches and parses the JWKS without making actual HTTP requests to external services, ensuring your tests are fast and reliable. |
||
|
|
||
| t.Run("PREST_JWT_JWKS", func(t *testing.T) { | ||
| t.Setenv("PREST_JWT_JWKS", `{"keys":[{"kid":"lmjNOucrGdRiN7XlpWJbQRIzSeKBS7OD-92xrhch6kw","kty":"RSA","alg":"RS256","use":"sig","n":"9GPbUNJ_7dgq8k0eTbcCZtFMn-oTVpFHjzIi7nuyMm9TvIZNyu0q0O3buSIVTUWWhlakSgTp7hrRbldvxLmA4RSSs8oUw2Pm64q9oCdr0eXcnhL6mnfHASwpVed-aKMbM1Zlh1buDjPU0Ah_6D8sZaxqfOtMfrhT9LySbi91k2Hu16YJ6QK_RTj5BNjLZZSs2ns8-JdZKA-oL0RQwkEqO_QJrRvTWUhwguzpx4zACWc5zAQSWvDImbynH3N9L-rt2KoK3p2Zd0YZlCnZzK0iyYUHkVtTVixTFkYc-itceyZD64Z49q8vu478gIvu4dI8m3GIYeisZkKWBE5sjczvvw","e":"AQAB","x5c":["MIICmzCCAYMCBgGOLghSADANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwMzExMTQ1OTQxWhcNMzQwMzExMTUwMTIxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0Y9tQ0n/t2CryTR5NtwJm0Uyf6hNWkUePMiLue7Iyb1O8hk3K7SrQ7du5IhVNRZaGVqRKBOnuGtFuV2/EuYDhFJKzyhTDY+brir2gJ2vR5dyeEvqad8cBLClV535ooxszVmWHVu4OM9TQCH/oPyxlrGp860x+uFP0vJJuL3WTYe7XpgnpAr9FOPkE2MtllKzaezz4l1koD6gvRFDCQSo79AmtG9NZSHCC7OnHjMAJZznMBBJa8MiZvKcfc30v6u3YqgrenZl3RhmUKdnMrSLJhQeRW1NWLFMWRhz6K1x7JkPrhnj2ry+7jvyAi+7h0jybcYhh6KxmQpYETmyNzO+/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAIDB54QwrWSQPou8UlGkpA8D3/Ws0ZGNiFutyIAQU0bzhzSB99AMsPl/4OJm5CGqpZMVyuLFgQHlMaArzeQJK7/8qN6piDZPP6A2lSRYuMJ/a8ciIVvjnepSUF+xx7PqeAnoarH8lxbdwhloBswnxn4iNcWTTMnxo73Ak9jpabj1m1a4e9+li6S8xCyA1AHxFXbjjAp5GxRvcUV2o3rMsDqdjM0IoU/+NNuCGtKApdTZNpFuk71AoKpM2/oxjuexEpOggyF30Pk5IdAgNtFMfD+pwcqzvSACbtKvk6VnSx4UtsFPWuizhWefWIkuV+7ml60NFMyD3eo28U9BQs2veU="],"x5t":"tUcTw0bM8ciXw9zIMlalEfyxdd8","x5t#S256":"eF-XsrHWa6gw8qC4W8RXJgA49xvac_7V-Tz7fdpS7ZM"},{"kid":"V3rRzf_j1beZjEmQnDeT8r8ZVnXpjW1Gk3635CTCEGk","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"1q1Iz-eyhnCWCBRKgq0xKm6cF2zHAi_a-L99OdwgnUgoGfut5bBTU2hGx9R1IGKn0loDjICtU64DVFpOaT7jY7oIG4BsQN3Et5H6O3XlVim5NQgMYVC6hKAreqnnVylUk-XfVvrQOotVkGfMFdARuBaLx1ubFxIHUONi2Mjgl2nZ8mmKg_GCsd5uKfJJ965zqSQu1CFn26YccTPp2doih4rykTGPVJdL5PVp3z4t9rTlahHbgCvv3E50yVK7LCNgtS9nmcZbD0meLqIZi3MoV0dBB_9C-qrEsevAIlPuXUmwtcbyDXOb1m7Xq_MPV_EASzoPYYjmk3k09zJ_p1EUTQ","e":"AQAB","x5c":["MIICmzCCAYMCBgGOLghSlzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwMzExMTQ1OTQxWhcNMzQwMzExMTUwMTIxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWrUjP57KGcJYIFEqCrTEqbpwXbMcCL9r4v3053CCdSCgZ+63lsFNTaEbH1HUgYqfSWgOMgK1TrgNUWk5pPuNjuggbgGxA3cS3kfo7deVWKbk1CAxhULqEoCt6qedXKVST5d9W+tA6i1WQZ8wV0BG4FovHW5sXEgdQ42LYyOCXadnyaYqD8YKx3m4p8kn3rnOpJC7UIWfbphxxM+nZ2iKHivKRMY9Ul0vk9WnfPi32tOVqEduAK+/cTnTJUrssI2C1L2eZxlsPSZ4uohmLcyhXR0EH/0L6qsSx68AiU+5dSbC1xvINc5vWbter8w9X8QBLOg9hiOaTeTT3Mn+nURRNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIKBZNe4GmyfqRW6Ee8ai1umbstAmyK3W1kP2i0xxINTlvY2rwblV8UCrdyi3laD7zvZy1midZmpKqtZqWpiNigeZ5aUt76paYvdSl5TAuvZGDGoEAhmmECbnDSQKLp36rCn7NlrgiTDfZZ2PvIKZ3cXClzqXLF/iC6uGiKOgY5yOFOa5QgsfItpJmmxHtTzrRF70RVsbZCexB1Lt4bcId6Y3x2w7JNUjKIhf1RZ3QZx8+3xBM4cJ83h2J4nE0+IlFeAJL3VLGdeOk+z+FGMu2mYkxJwkxd9Wl2ubqrRcNy0t61Bgp3s40BgD10pzvawTXl7lEgabc/jzN2R0lcXmLo="],"x5t":"n5Y_Obidr330txi13j50zHzVbfg","x5t#S256":"f-Hrw_t_qUq86Ux0J2EckWVycuM3L_IjdOK6DW0DFoc"}]}`) | ||
| viperCfg() | ||
| cfg := &Prest{} | ||
| Parse(cfg) | ||
| require.Equal(t, `{"keys":[{"kid":"lmjNOucrGdRiN7XlpWJbQRIzSeKBS7OD-92xrhch6kw","kty":"RSA","alg":"RS256","use":"sig","n":"9GPbUNJ_7dgq8k0eTbcCZtFMn-oTVpFHjzIi7nuyMm9TvIZNyu0q0O3buSIVTUWWhlakSgTp7hrRbldvxLmA4RSSs8oUw2Pm64q9oCdr0eXcnhL6mnfHASwpVed-aKMbM1Zlh1buDjPU0Ah_6D8sZaxqfOtMfrhT9LySbi91k2Hu16YJ6QK_RTj5BNjLZZSs2ns8-JdZKA-oL0RQwkEqO_QJrRvTWUhwguzpx4zACWc5zAQSWvDImbynH3N9L-rt2KoK3p2Zd0YZlCnZzK0iyYUHkVtTVixTFkYc-itceyZD64Z49q8vu478gIvu4dI8m3GIYeisZkKWBE5sjczvvw","e":"AQAB","x5c":["MIICmzCCAYMCBgGOLghSADANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwMzExMTQ1OTQxWhcNMzQwMzExMTUwMTIxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0Y9tQ0n/t2CryTR5NtwJm0Uyf6hNWkUePMiLue7Iyb1O8hk3K7SrQ7du5IhVNRZaGVqRKBOnuGtFuV2/EuYDhFJKzyhTDY+brir2gJ2vR5dyeEvqad8cBLClV535ooxszVmWHVu4OM9TQCH/oPyxlrGp860x+uFP0vJJuL3WTYe7XpgnpAr9FOPkE2MtllKzaezz4l1koD6gvRFDCQSo79AmtG9NZSHCC7OnHjMAJZznMBBJa8MiZvKcfc30v6u3YqgrenZl3RhmUKdnMrSLJhQeRW1NWLFMWRhz6K1x7JkPrhnj2ry+7jvyAi+7h0jybcYhh6KxmQpYETmyNzO+/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAIDB54QwrWSQPou8UlGkpA8D3/Ws0ZGNiFutyIAQU0bzhzSB99AMsPl/4OJm5CGqpZMVyuLFgQHlMaArzeQJK7/8qN6piDZPP6A2lSRYuMJ/a8ciIVvjnepSUF+xx7PqeAnoarH8lxbdwhloBswnxn4iNcWTTMnxo73Ak9jpabj1m1a4e9+li6S8xCyA1AHxFXbjjAp5GxRvcUV2o3rMsDqdjM0IoU/+NNuCGtKApdTZNpFuk71AoKpM2/oxjuexEpOggyF30Pk5IdAgNtFMfD+pwcqzvSACbtKvk6VnSx4UtsFPWuizhWefWIkuV+7ml60NFMyD3eo28U9BQs2veU="],"x5t":"tUcTw0bM8ciXw9zIMlalEfyxdd8","x5t#S256":"eF-XsrHWa6gw8qC4W8RXJgA49xvac_7V-Tz7fdpS7ZM"},{"kid":"V3rRzf_j1beZjEmQnDeT8r8ZVnXpjW1Gk3635CTCEGk","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"1q1Iz-eyhnCWCBRKgq0xKm6cF2zHAi_a-L99OdwgnUgoGfut5bBTU2hGx9R1IGKn0loDjICtU64DVFpOaT7jY7oIG4BsQN3Et5H6O3XlVim5NQgMYVC6hKAreqnnVylUk-XfVvrQOotVkGfMFdARuBaLx1ubFxIHUONi2Mjgl2nZ8mmKg_GCsd5uKfJJ965zqSQu1CFn26YccTPp2doih4rykTGPVJdL5PVp3z4t9rTlahHbgCvv3E50yVK7LCNgtS9nmcZbD0meLqIZi3MoV0dBB_9C-qrEsevAIlPuXUmwtcbyDXOb1m7Xq_MPV_EASzoPYYjmk3k09zJ_p1EUTQ","e":"AQAB","x5c":["MIICmzCCAYMCBgGOLghSlzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwMzExMTQ1OTQxWhcNMzQwMzExMTUwMTIxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWrUjP57KGcJYIFEqCrTEqbpwXbMcCL9r4v3053CCdSCgZ+63lsFNTaEbH1HUgYqfSWgOMgK1TrgNUWk5pPuNjuggbgGxA3cS3kfo7deVWKbk1CAxhULqEoCt6qedXKVST5d9W+tA6i1WQZ8wV0BG4FovHW5sXEgdQ42LYyOCXadnyaYqD8YKx3m4p8kn3rnOpJC7UIWfbphxxM+nZ2iKHivKRMY9Ul0vk9WnfPi32tOVqEduAK+/cTnTJUrssI2C1L2eZxlsPSZ4uohmLcyhXR0EH/0L6qsSx68AiU+5dSbC1xvINc5vWbter8w9X8QBLOg9hiOaTeTT3Mn+nURRNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIKBZNe4GmyfqRW6Ee8ai1umbstAmyK3W1kP2i0xxINTlvY2rwblV8UCrdyi3laD7zvZy1midZmpKqtZqWpiNigeZ5aUt76paYvdSl5TAuvZGDGoEAhmmECbnDSQKLp36rCn7NlrgiTDfZZ2PvIKZ3cXClzqXLF/iC6uGiKOgY5yOFOa5QgsfItpJmmxHtTzrRF70RVsbZCexB1Lt4bcId6Y3x2w7JNUjKIhf1RZ3QZx8+3xBM4cJ83h2J4nE0+IlFeAJL3VLGdeOk+z+FGMu2mYkxJwkxd9Wl2ubqrRcNy0t61Bgp3s40BgD10pzvawTXl7lEgabc/jzN2R0lcXmLo="],"x5t":"n5Y_Obidr330txi13j50zHzVbfg","x5t#S256":"f-Hrw_t_qUq86Ux0J2EckWVycuM3L_IjdOK6DW0DFoc"}]}`, cfg.JWTJWKS) | ||
|
Comment on lines
+124
to
+129
There was a problem hiding this comment. This test case for To improve test coverage, consider adding a test case that validates a JWT using the JWKS set through this configuration. There was a problem hiding this comment. This test is done in the middleware tests. There was a problem hiding this comment. @mcharest-mcn: Thank you for the clarification. I found the relevant middleware test files ( Analysis chainScripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Search for test files related to JWT middleware that might include JWT validation using JWKS.
rg --files-with-matches 'JWT' | grep 'middleware.*_test.go'
Length of output: 144 |
||
| }) | ||
|
|
||
| t.Run("PREST_JSON_AGG_TYPE", func(t *testing.T) { | ||
| t.Setenv("PREST_JSON_AGG_TYPE", "invalid") | ||
| viperCfg() | ||
|
|
@@ -212,6 +229,11 @@ func Test_parseDatabaseURL(t *testing.T) { | |
| require.Equal(t, "", c.PGUser) | ||
| } | ||
|
|
||
| func Test_fetchJWKS(t *testing.T) { | ||
| //todo: mock call to provider to get .well-known config | ||
| //todo: mock call to jwks endpoint to get JWKS | ||
| } | ||
mcharest-mcn marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| func Test_portFromEnv_Error(t *testing.T) { | ||
| c := &Prest{} | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you rename this to
JWTWellKnownURL?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in latest commit.
fee30e7