diff options
Diffstat (limited to 'net/alcoholic_jwt/src')
| -rw-r--r-- | net/alcoholic_jwt/src/lib.rs | 74 | ||||
| -rw-r--r-- | net/alcoholic_jwt/src/tests.rs | 22 |
2 files changed, 57 insertions, 39 deletions
diff --git a/net/alcoholic_jwt/src/lib.rs b/net/alcoholic_jwt/src/lib.rs index 4acd8d1e90db..297bf2a99085 100644 --- a/net/alcoholic_jwt/src/lib.rs +++ b/net/alcoholic_jwt/src/lib.rs @@ -67,23 +67,24 @@ //! //! [JWKS]: https://tools.ietf.org/html/rfc7517 -#[macro_use] extern crate serde_derive; +#[macro_use] +extern crate serde_derive; extern crate base64; extern crate openssl; extern crate serde; extern crate serde_json; -use base64::{URL_SAFE_NO_PAD, Config, DecodeError}; +use base64::{Config, DecodeError, URL_SAFE_NO_PAD}; use openssl::bn::BigNum; use openssl::error::ErrorStack; use openssl::hash::MessageDigest; -use openssl::pkey::{Public, PKey}; +use openssl::pkey::{PKey, Public}; use openssl::rsa::Rsa; use openssl::sign::Verifier; use serde::de::DeserializeOwned; use serde_json::Value; -use std::time::{UNIX_EPOCH, Duration, SystemTime}; +use std::time::{Duration, SystemTime, UNIX_EPOCH}; #[cfg(test)] mod tests; @@ -101,12 +102,16 @@ fn jwt_forgiving() -> Config { /// JWT algorithm used. The only supported algorithm is currently /// RS256. #[derive(Clone, Deserialize, Debug)] -enum KeyAlgorithm { RS256 } +enum KeyAlgorithm { + RS256, +} /// Type of key contained in a JWT. The only supported key type is /// currently RSA. #[derive(Clone, Deserialize, Debug)] -enum KeyType { RSA } +enum KeyType { + RSA, +} /// Representation of a single JSON Web Key. See [RFC /// 7517](https://tools.ietf.org/html/rfc7517#section-4). @@ -146,7 +151,7 @@ impl JWKS { /// Representation of an undecoded JSON Web Token. See [RFC /// 7519](https://tools.ietf.org/html/rfc7519). -struct JWT<'a> (&'a str); +struct JWT<'a>(&'a str); /// Representation of a decoded and validated JSON Web Token. /// @@ -217,15 +222,21 @@ pub enum ValidationError { type JWTResult<T> = Result<T, ValidationError>; impl From<ErrorStack> for ValidationError { - fn from(err: ErrorStack) -> Self { ValidationError::OpenSSL(err) } + fn from(err: ErrorStack) -> Self { + ValidationError::OpenSSL(err) + } } impl From<serde_json::Error> for ValidationError { - fn from(err: serde_json::Error) -> Self { ValidationError::JSON(err) } + fn from(err: serde_json::Error) -> Self { + ValidationError::JSON(err) + } } impl From<DecodeError> for ValidationError { - fn from(err: DecodeError) -> Self { ValidationError::InvalidBase64(err) } + fn from(err: DecodeError) -> Self { + ValidationError::InvalidBase64(err) + } } /// Attempt to extract the `kid`-claim out of a JWT's header claims. @@ -266,9 +277,7 @@ pub fn token_kid(token: &str) -> JWTResult<Option<String>> { /// /// It is the user's task to ensure that the correct JWK is passed in /// for validation. -pub fn validate(token: &str, - jwk: &JWK, - validations: Vec<Validation>) -> JWTResult<ValidJWT> { +pub fn validate(token: &str, jwk: &JWK, validations: Vec<Validation>) -> JWTResult<ValidJWT> { let jwt = JWT(token); let public_key = public_key_from_jwk(&jwk)?; validate_jwt_signature(&jwt, public_key)?; @@ -279,7 +288,7 @@ pub fn validate(token: &str, if parts.len() != 3 { // This is unlikely considering that validation has already // been performed at this point, but better safe than sorry. - return Err(ValidationError::InvalidComponents) + return Err(ValidationError::InvalidComponents); } // Perform claim validations before constructing the valid token: @@ -351,7 +360,7 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa<Public>) -> JWTResult<()> { verifier.update(data.as_bytes())?; match verifier.verify(&sig)? { - true => Ok(()), + true => Ok(()), false => Err(ValidationError::InvalidSignature), } } @@ -362,7 +371,7 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa<Public>) -> JWTResult<()> { #[serde(untagged)] enum Audience { Single(String), - Multi(Vec<String>) + Multi(Vec<String>), } /// Internal helper struct for claims that are relevant for claim @@ -376,15 +385,14 @@ struct PartialClaims { } /// Apply a single validation to the claim set of a token. -fn apply_validation(claims: &PartialClaims, - validation: Validation) -> Result<(), &'static str> { +fn apply_validation(claims: &PartialClaims, validation: Validation) -> Result<(), &'static str> { match validation { // Validate that an 'iss' claim is present and matches the // supplied value. - Validation::Issuer(iss) => { - match claims.iss { - None => Err("'iss' claim is missing"), - Some(ref claim) => if *claim == iss { + Validation::Issuer(iss) => match claims.iss { + None => Err("'iss' claim is missing"), + Some(ref claim) => { + if *claim == iss { Ok(()) } else { Err("'iss' claim does not match") @@ -394,15 +402,17 @@ fn apply_validation(claims: &PartialClaims, // Validate that an 'aud' claim is present and matches the // supplied value. - Validation::Audience(aud) => { - match claims.aud { - None => Err("'aud' claim is missing"), - Some(Audience::Single(ref claim)) => if *claim == aud { + Validation::Audience(aud) => match claims.aud { + None => Err("'aud' claim is missing"), + Some(Audience::Single(ref claim)) => { + if *claim == aud { Ok(()) } else { Err("'aud' claim does not match") - }, - Some(Audience::Multi(ref claims)) => if claims.contains(&aud) { + } + } + Some(Audience::Multi(ref claims)) => { + if claims.contains(&aud) { Ok(()) } else { Err("'aud' claim does not match") @@ -447,12 +457,12 @@ fn apply_validation(claims: &PartialClaims, } /// Apply all requested validations to a partial claim set. -fn validate_claims(claims: PartialClaims, - validations: Vec<Validation>) -> JWTResult<()> { - let validation_errors: Vec<_> = validations.into_iter() +fn validate_claims(claims: PartialClaims, validations: Vec<Validation>) -> JWTResult<()> { + let validation_errors: Vec<_> = validations + .into_iter() .map(|v| apply_validation(&claims, v)) .filter_map(|result| match result { - Ok(_) => None, + Ok(_) => None, Err(err) => Some(err), }) .collect(); diff --git a/net/alcoholic_jwt/src/tests.rs b/net/alcoholic_jwt/src/tests.rs index 81890986f8a2..295d304ac98d 100644 --- a/net/alcoholic_jwt/src/tests.rs +++ b/net/alcoholic_jwt/src/tests.rs @@ -21,14 +21,19 @@ fn test_fragment_decoding() { let bignum = decode_fragment(fragment).expect("Failed to decode fragment"); let expected = "19947781743618558124649689124245117083485690334420160711273532766920651190711502679542723943527557680293732686428091794139998732541701457212387600480039297092835433997837314251024513773285252960725418984381935183495143908023024822433135775773958512751261112853383693442999603704969543668619221464654540065497665889289271044207667765128672709218996183649696030570183970367596949687544839066873508106034650634722970893169823917299050098551447676778961773465887890052852528696684907153295689693676910831376066659456592813140662563597179711588277621736656871685099184755908108451080261403193680966083938080206832839445289"; - assert_eq!(expected, format!("{}", bignum), "Decoded fragment should match "); + assert_eq!( + expected, + format!("{}", bignum), + "Decoded fragment should match " + ); } #[test] fn test_decode_find_jwks() { let json = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"kid\":\"mUjI\\/rIMLLtung35BKZfdbrqtlEAAYJ4JX\\/SKvnLxJc=\",\"n\":\"ngRRjNbXgPW29oNtF0JgsyyfTwPyEL0u_X16s453X2AOc33XGFxVKLEQ7R_TiMenaKcr-tPifYqgps_deyi0XOr4I3SOdOMtAVKDZJCANe--CANOHZb-meIfjKhCHisvT90fm5Apd6qPRVsXsZ7A8pmClZHKM5fwZUkBv8NsPLm2Xy2sGOZIiwP_7z8m3j0abUzniPQsx2b3xcWimB9vRtshFHN1KgPUf1ALQ5xzLfJnlFkCxC7kmOxKC7_NpQ4kJR_DKzKFV_r3HxTqf-jddHcXIrrMcLQXCSyeLQtLaz7whQ4F-EfL42z4XgwPr4ji3sct2gWL13EqlbE5DDxLKQ\",\"e\":\"GK7oLCDbNPAF59LhvyseqcG04hDnPs58qGYolr_HHmaR4lulWJ90ozx6e4Ut363yKG2p9vwvivR5UIC-aLPtqT2qr-OtjhBFzUFVaMGZ6mPCvMKk0AgMYdOHvWTgBSqQtNJTvl1yYLnhcWyoE2fLQhoEbY9qUyCBCEOScXOZRDpnmBtz5I8q5yYMV6a920J24T_IYbxHgkGcEU2SGg-b1cOMD7Rja7vCfV---CQ2pR4leQ0jufzudDoe7z3mziJm-Ihcdrz2Ujy5kPEMdz6R55prJ-ENKrkD_X4u5aSlSRaetwmHS3oAVkjr1JwUNbqnpM-kOqieqHEp8LUmez-Znw\"}]}"; let jwks: JWKS = serde_json::from_str(json).expect("Failed to decode JWKS"); - let jwk = jwks.find("mUjI/rIMLLtung35BKZfdbrqtlEAAYJ4JX/SKvnLxJc=") + let jwk = jwks + .find("mUjI/rIMLLtung35BKZfdbrqtlEAAYJ4JX/SKvnLxJc=") .expect("Failed to find required JWK"); public_key_from_jwk(&jwk).expect("Failed to construct public key from JWK"); @@ -39,18 +44,21 @@ fn test_token_kid() { let jwt = "eyJraWQiOiI4ckRxOFB3MEZaY2FvWFdURVZRbzcrVGYyWXpTTDFmQnhOS1BDZWJhYWk0PSIsImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.eyJpc3MiOiJhdXRoLnRlc3QuYXByaWxhLm5vIiwiaWF0IjoxNTM2MDUwNjkzLCJleHAiOjE1MzYwNTQyOTMsInN1YiI6IjQyIiwiZXh0Ijoic21va2V0ZXN0IiwicHJ2IjoiYXJpc3RpIiwic2NwIjoicHJvY2VzcyJ9.gOLsv98109qLkmRK6Dn7WWRHLW7o8W78WZcWvFZoxPLzVO0qvRXXRLYc9h5chpfvcWreLZ4f1cOdvxv31_qnCRSQQPOeQ7r7hj_sPEDzhKjk-q2aoNHaGGJg1vabI--9EFkFsGQfoS7UbMMssS44dgR68XEnKtjn0Vys-Vzbvz_CBSCH6yQhRLik2SU2jR2L7BoFvh4LGZ6EKoQWzm8Z-CHXLGLUs4Hp5aPhF46dGzgAzwlPFW4t9G4DciX1uB4vv1XnfTc5wqJch6ltjKMde1GZwLR757a8dJSBcmGWze3UNE2YH_VLD7NCwH2kkqr3gh8rn7lWKG4AUIYPxsw9CB"; let kid = token_kid(&jwt).expect("Failed to extract token KID"); - assert_eq!(Some("8rDq8Pw0FZcaoXWTEVQo7+Tf2YzSL1fBxNKPCebaai4=".into()), - kid, "Extracted KID did not match expected KID"); + assert_eq!( + Some("8rDq8Pw0FZcaoXWTEVQo7+Tf2YzSL1fBxNKPCebaai4=".into()), + kid, + "Extracted KID did not match expected KID" + ); } #[test] fn test_validate_jwt() { let jwks_json = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"kid\":\"8rDq8Pw0FZcaoXWTEVQo7+Tf2YzSL1fBxNKPCebaai4=\",\"n\":\"l4UTgk1zr-8C8utt0E57DtBV6qqAPWzVRrIuQS2j0_hp2CviaNl5XzGRDnB8gwk0Hx95YOhJupAe6RNq5ok3fDdxL7DLvppJNRLz3Ag9CsmDLcbXgNEQys33fBJaPw1v3GcaFC4tisU5p-o1f5RfWwvwdBtdBfGiwT1GRvbc5sFx6M4iYjg9uv1lNKW60PqSJW4iDYrfqzZmB0zF1SJ0BL_rnQZ1Wi_UkFmNe9arM8W9tI9T3Ie59HITFuyVSTCt6qQEtSfa1e5PiBaVuV3qoFI2jPBiVZQ6LPGBWEDyz4QtrHLdECPPoTF30NN6TSVwwlRbCuUUrdNdXdjYe2dMFQ\",\"e\":\"DhaD5zC7mzaDvHO192wKT_9sfsVmdy8w8T8C9VG17_b1jG2srd3cmc6Ycw-0blDf53Wrpi9-KGZXKHX6_uIuJK249WhkP7N1SHrTJxO0sUJ8AhK482PLF09Qtu6cUfJqY1X1y1S2vACJZItU4Vjr3YAfiVGQXeA8frAf7Sm4O1CBStCyg6yCcIbGojII0jfh2vSB-GD9ok1F69Nmk-R-bClyqMCV_Oq-5a0gqClVS8pDyGYMgKTww2RHgZaFSUcG13KeLMQsG2UOB2OjSC8FkOXK00NBlAjU3d0Vv-IamaLIszO7FQBY3Oh0uxNOvIE9ofQyCOpB-xIK6V9CTTphxw\"}]}"; - let jwks: JWKS = serde_json::from_str(jwks_json) - .expect("Failed to decode JWKS"); + let jwks: JWKS = serde_json::from_str(jwks_json).expect("Failed to decode JWKS"); - let jwk = jwks.find("8rDq8Pw0FZcaoXWTEVQo7+Tf2YzSL1fBxNKPCebaai4=") + let jwk = jwks + .find("8rDq8Pw0FZcaoXWTEVQo7+Tf2YzSL1fBxNKPCebaai4=") .expect("Failed to find required JWK"); let pkey = public_key_from_jwk(&jwk).expect("Failed to construct public key"); |