membphis commented on code in PR #12944: URL: https://github.com/apache/apisix/pull/12944#discussion_r2760189566
########## apisix/plugins/jwt-auth/parser.lua: ########## @@ -0,0 +1,293 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local buffer = require "string.buffer" +local openssl_digest = require "resty.openssl.digest" +local openssl_mac = require "resty.openssl.mac" +local openssl_pkey = require "resty.openssl.pkey" +local base64 = require "ngx.base64" +local core = require "apisix.core" +local jwt = require("resty.jwt") + +local ngx_time = ngx.time +local http_time = ngx.http_time +local string_fmt = string.format +local assert = assert +local setmetatable = setmetatable +local ipairs = ipairs +local type = type +local error = error +local pcall = pcall + +local alg_sign = { + HS256 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha256"):final(data) + end, + HS384 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha384"):final(data) + end, + HS512 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha512"):final(data) + end, + RS256 = function(data, key) + local digest = openssl_digest.new("sha256") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS384 = function(data, key) + local digest = openssl_digest.new("sha384") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS512 = function(data, key) + local digest = openssl_digest.new("sha512") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + ES256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + PS256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + EdDSA = function(data, key) + local pkey = assert(openssl_pkey.new(key)) + return assert(pkey:sign(data)) + end +} + +local alg_verify = { + HS256 = function(data, signature, key) + return signature == alg_sign.HS256(data, key) + end, + HS384 = function(data, signature, key) + return signature == alg_sign.HS384(data, key) + end, + HS512 = function(data, signature, key) + return signature == alg_sign.HS512(data, key) + end, + RS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha256") + end, + RS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha384") + end, + RS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha512") + end, + ES256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 64, "Signature must be 64 bytes.") + return pkey:verify(signature, data, "sha256", nil, {ecdsa_use_raw = true}) + end, + ES384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 96, "Signature must be 96 bytes.") + return pkey:verify(signature, data, "sha384", nil, {ecdsa_use_raw = true}) + end, + ES512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 132, "Signature must be 132 bytes.") + return pkey:verify(signature, data, "sha512", nil, {ecdsa_use_raw = true}) + end, + PS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + EdDSA = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data) + end +} + +local claims_checker = { + nbf = { + type = "number", + check = function(nbf, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if nbf < ngx_time() + clock_leeway then + return true + end + return false, string_fmt("'nbf' claim not valid until %s", http_time(nbf)) + end + }, + exp = { + type = "number", + check = function(exp, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if exp > ngx_time() - clock_leeway then + return true + end + return false, string_fmt("'exp' claim expired at %s", http_time(exp)) + end + } +} + +local base64_encode = base64.encode_base64url +local base64_decode = base64.decode_base64url + +local _M = {} + +function _M.new(token) + local jwt_obj = jwt:load_jwt(token) + if not jwt_obj.valid then + return nil, jwt_obj.reason + end + return setmetatable(jwt_obj, {__index = _M}) +end + + +function _M.verify_signature(self, key) + return alg_verify[self.header.alg](self.raw_header .. "." .. + self.raw_payload, base64_decode(self.signature), key) +end + + +function _M.get_default_claims(self) + return { Review Comment: use a global lua variable, then we can reuse this table ########## apisix/plugins/jwt-auth/parser.lua: ########## @@ -0,0 +1,293 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local buffer = require "string.buffer" +local openssl_digest = require "resty.openssl.digest" +local openssl_mac = require "resty.openssl.mac" +local openssl_pkey = require "resty.openssl.pkey" +local base64 = require "ngx.base64" +local core = require "apisix.core" +local jwt = require("resty.jwt") + +local ngx_time = ngx.time +local http_time = ngx.http_time +local string_fmt = string.format +local assert = assert +local setmetatable = setmetatable +local ipairs = ipairs +local type = type +local error = error +local pcall = pcall + +local alg_sign = { + HS256 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha256"):final(data) + end, + HS384 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha384"):final(data) + end, + HS512 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha512"):final(data) + end, + RS256 = function(data, key) + local digest = openssl_digest.new("sha256") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS384 = function(data, key) + local digest = openssl_digest.new("sha384") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS512 = function(data, key) + local digest = openssl_digest.new("sha512") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + ES256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + PS256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + EdDSA = function(data, key) + local pkey = assert(openssl_pkey.new(key)) + return assert(pkey:sign(data)) + end +} + +local alg_verify = { + HS256 = function(data, signature, key) + return signature == alg_sign.HS256(data, key) + end, + HS384 = function(data, signature, key) + return signature == alg_sign.HS384(data, key) + end, + HS512 = function(data, signature, key) + return signature == alg_sign.HS512(data, key) + end, + RS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha256") + end, + RS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha384") + end, + RS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha512") + end, + ES256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 64, "Signature must be 64 bytes.") + return pkey:verify(signature, data, "sha256", nil, {ecdsa_use_raw = true}) + end, + ES384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 96, "Signature must be 96 bytes.") + return pkey:verify(signature, data, "sha384", nil, {ecdsa_use_raw = true}) + end, + ES512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 132, "Signature must be 132 bytes.") + return pkey:verify(signature, data, "sha512", nil, {ecdsa_use_raw = true}) + end, + PS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + EdDSA = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data) + end +} + +local claims_checker = { + nbf = { + type = "number", + check = function(nbf, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if nbf < ngx_time() + clock_leeway then + return true + end + return false, string_fmt("'nbf' claim not valid until %s", http_time(nbf)) + end + }, + exp = { + type = "number", + check = function(exp, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if exp > ngx_time() - clock_leeway then + return true + end + return false, string_fmt("'exp' claim expired at %s", http_time(exp)) + end + } +} + +local base64_encode = base64.encode_base64url +local base64_decode = base64.decode_base64url + +local _M = {} + +function _M.new(token) + local jwt_obj = jwt:load_jwt(token) + if not jwt_obj.valid then Review Comment: pls confirm the `jwt_obj` is a table always ########## apisix/plugins/jwt-auth/parser.lua: ########## @@ -0,0 +1,293 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local buffer = require "string.buffer" +local openssl_digest = require "resty.openssl.digest" +local openssl_mac = require "resty.openssl.mac" +local openssl_pkey = require "resty.openssl.pkey" +local base64 = require "ngx.base64" +local core = require "apisix.core" +local jwt = require("resty.jwt") + +local ngx_time = ngx.time +local http_time = ngx.http_time +local string_fmt = string.format +local assert = assert +local setmetatable = setmetatable +local ipairs = ipairs +local type = type +local error = error +local pcall = pcall + +local alg_sign = { + HS256 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha256"):final(data) + end, + HS384 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha384"):final(data) + end, + HS512 = function(data, key) + return openssl_mac.new(key, "HMAC", nil, "sha512"):final(data) + end, + RS256 = function(data, key) + local digest = openssl_digest.new("sha256") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS384 = function(data, key) + local digest = openssl_digest.new("sha384") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + RS512 = function(data, key) + local digest = openssl_digest.new("sha512") + assert(digest:update(data)) + return assert(openssl_pkey.new(key):sign(digest)) + end, + ES256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + ES512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", nil, {ecdsa_use_raw = true})) + if not sig then + return nil + end + return sig + end, + PS256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + EdDSA = function(data, key) + local pkey = assert(openssl_pkey.new(key)) + return assert(pkey:sign(data)) + end +} + +local alg_verify = { + HS256 = function(data, signature, key) + return signature == alg_sign.HS256(data, key) + end, + HS384 = function(data, signature, key) + return signature == alg_sign.HS384(data, key) + end, + HS512 = function(data, signature, key) + return signature == alg_sign.HS512(data, key) + end, + RS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha256") + end, + RS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha384") + end, + RS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data, "sha512") + end, + ES256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 64, "Signature must be 64 bytes.") + return pkey:verify(signature, data, "sha256", nil, {ecdsa_use_raw = true}) + end, + ES384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 96, "Signature must be 96 bytes.") + return pkey:verify(signature, data, "sha384", nil, {ecdsa_use_raw = true}) + end, + ES512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 132, "Signature must be 132 bytes.") + return pkey:verify(signature, data, "sha512", nil, {ecdsa_use_raw = true}) + end, + PS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + EdDSA = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data) + end +} + +local claims_checker = { + nbf = { + type = "number", + check = function(nbf, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if nbf < ngx_time() + clock_leeway then + return true + end + return false, string_fmt("'nbf' claim not valid until %s", http_time(nbf)) + end + }, + exp = { + type = "number", + check = function(exp, conf) + local clock_leeway = conf and conf.lifetime_grace_period or 0 + if exp > ngx_time() - clock_leeway then + return true + end + return false, string_fmt("'exp' claim expired at %s", http_time(exp)) + end + } +} + +local base64_encode = base64.encode_base64url +local base64_decode = base64.decode_base64url + +local _M = {} + +function _M.new(token) + local jwt_obj = jwt:load_jwt(token) + if not jwt_obj.valid then + return nil, jwt_obj.reason + end + return setmetatable(jwt_obj, {__index = _M}) +end + + +function _M.verify_signature(self, key) + return alg_verify[self.header.alg](self.raw_header .. "." .. + self.raw_payload, base64_decode(self.signature), key) Review Comment: pls add 4 spaces -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
