require override for insecure JWT key verification

I've done a few things with this commit. 1. Added more documentation to the pod. 2. made a new flag OAUTH_JWT_INSECURE which is required if the client doesn't want to verify JWT tokens 3. Added a sample config I wanted to add the INSECURE flag so that we would no longer fall through to ignoring the signature. It should be someones decision to do this only when needed.
rfdrake · Jan 9, 2020 · e9b06b5 · e9b06b5
1 parent 90f4000
commit e9b06b5
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 5 deletions.
diff --git a/MANIFEST b/MANIFEST
@@ -10,4 +10,5 @@ bin/mavis_tacplus_aad.pl
 dist.ini
 t/Mavis.pm
 t/everything.t
+tac_plus.cfg.sample
 xt/author/pod-syntax.t
diff --git a/Makefile.PL b/Makefile.PL
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 
-use 5.010000;
+use 5.016000;
 
 use ExtUtils::MakeMaker;
 
@@ -17,7 +17,7 @@ my %WriteMakefileArgs = (
     "bin/mavis_tacplus_aad.pl"
   ],
   "LICENSE" => "perl",
-  "MIN_PERL_VERSION" => "5.010000",
+  "MIN_PERL_VERSION" => "5.016000",
   "NAME" => "App::mavis::tacplus::aad",
   "PREREQ_PM" => {
     "Crypt::JWT" => 0,

diff --git a/bin/mavis_tacplus_aad.pl b/bin/mavis_tacplus_aad.pl
@@ -65,10 +65,27 @@
         Default: unset
 
 OAUTH_OPENID_CONFIG_URL
+        This is the openid configuration URI which gives you information about the OAuth/openID provider.  This is one of the ways we can fetch the JWT signing key for verification.
+        Example: https://login.microsoftonline.com/common/.well-known/openid-configuration
+        Default: unset
+
 OAUTH_KEYSERVER
+        This is the server that provides keys for JWT signature verification.  It can be read from the OPENID_CONFIG_URL if one is provided.  You can choose between providing an OPENID_CONFIG_URL or a KEYSERVER URL, or specify the key.
+        Example: https://login.windows.net/common/discovery/keys
+        Default: unset
+
 OAUTH_KEY
-OAUTH_GROUP_ID
+        If you have the exact key used to encode the JWT token, you can specify it here for verification.  I do not recommend this option unless you know what you're doing because of the possibility of the key changing later.
+        Default: unset
 
+OAUTH_JWT_INSECURE
+        This flag allows you to bypass the 3 configuration variables above and specify no signature verification for JWT.  This might be safe for some people since the transport is usually HTTPS.  This is to be considered a last resort if you can't get the other methods working.
+        Default: unset
+
+OAUTH_GROUP_ID
+        If you elect to not use the extended API permissions to load group names, you can hard code a group ID.  If the ID specified here matches one of the groups in the token from the OAuth server then the user is allowed to connect.
+        Example: a2810867-f89c-4fcc-b20d-eb3f3f22c651
+        Default: unset
 
 ########
 
@@ -168,6 +185,7 @@ sub setup_env {
                 'OAUTH_CLIENT_ID'             => $env->{'OAUTH_CLIENT_ID'},
                 'OAUTH_SECRET'                => $env->{'OAUTH_SECRET'},
                 'OAUTH_DOMAIN'                => $env->{'OAUTH_DOMAIN'},
+                'OAUTH_JWT_INSECURE'          => $env->{'OAUTH_JWT_INSECURE'},
                 'OAUTH_OPENID_CONFIG_URL'     => $env->{'OAUTH_OPENID_CONFIG_URL'},
                 'OAUTH_KEYSERVER'             => $env->{'OAUTH_KEYSERVER'},
                 'OAUTH_KEY'                   => $env->{'OAUTH_KEY'},
@@ -225,6 +243,10 @@ sub parse_jwt {
                     return decode_jwt(token => $token, kid_keys => $keys);
             }
 
+            if ( $opts->{OAUTH_JWT_INSECURE} ) {
+                return decode_jwt(token => $token, ignore_signature => 1);
+            }
+
             # if OAUTH_KEYSERVER or OAUTH_OPENID_CONFIG_URL or OAUTH_KEY is defined then perform a lookup of these values, then cache them?
             # if none of these are defined then we will set ignore_signature and read the JWT response without validating it.  This may be enough for some people since the session is validated over HTTPS
             if ($opts->{OAUTH_KEY}) {
@@ -242,8 +264,7 @@ sub parse_jwt {
                     return decode_jwt(token => $token, kid_keys => $keys);
             }
 
-            # if we get here then decode_jwt with no validation
-            return decode_jwt(token => $token, ignore_signature => 1);
+            die "No JWT signature verification method defined.";
         } catch {
             $keys = undef;
             return { exception_error => $@ };

diff --git a/tac_plus.cfg.sample b/tac_plus.cfg.sample
@@ -0,0 +1,70 @@
+id = spawnd {
+        listen = {
+                port = 49
+        }
+        spawn = {
+                instances min = 1
+                instances max = 10
+        }
+        background = no
+}
+
+id = tac_plus {
+        access log = /var/log/tacacs/%Y/%m/%d/access.log
+        accounting log = /var/log/tacacs/%Y/%m/%d/acct.log
+
+        mavis module = external {
+                setenv OAUTH_ENDPOINT = "https://login.microsoftonline.com/06ab1719-d1f8-4cae-87fa-824768230090/oauth2/v2.0/token"
+                setenv OAUTH_CLIENT_ID = "c45aecee-71fa-4c6e-96c5-7397df677112"
+                setenv OAUTH_CLIENT_SECRET = "secretkey"
+                setenv OAUTH_DOMAIN = "example.com"
+                setenv FLAG_USE_MEMBEROF = 1
+                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
+                setenv AD_GROUP_PREFIX = "tacacs"
+                setenv OAUTH_OPENID_CONFIG_URL = https://login.microsoftonline.com/common/.well-known/openid-configuration
+                exec = /usr/local/lib/mavis/mavis_tacplus_aad.pl
+        }
+
+        user backend = mavis    # query backend for users
+        login backend = mavis   # authenticate login via backend
+        pap backend = mavis             # authenticate PAP via backend
+
+        host = world {
+                address = ::/0
+                prompt = "Welcome\n"
+                key = cisco
+        }
+
+        host = helpdesklab {
+                        address = 192.168.34.16/28
+        }
+
+# A user will be in the "admin" group if he's member of the
+# corresponding "tacacsadmin" AD group. See $tacacsGroupPrefix
+# and $require_tacacsGroupPrefix in the code.
+
+        group = admin {
+                default service = permit
+                service = shell {
+                        default command = permit
+                        default attribute = permit
+                        set priv-lvl = 15
+                }
+        }
+
+# A user will be in the "helpdesk" group if he's member of the
+# corresponding "tacacshelpdesk" AD group:
+
+        group = helpdesk {
+                default service = permit
+                service = shell {
+                        default command = permit
+                        default attribute = permit
+                        set priv-lvl = 1
+                }
+                enable = deny
+                member = admin@helpdesklab
+        }
+}
+
+