Posted to commits@trafficserver.apache.org by bc...@apache.org on 2022/06/15 13:27:27 UTC

[trafficserver] 02/04: uri_signing plugin: Fix missing payload validation for the iss field. (#8901)

This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 9.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit ab8f2f26877321f61da067328d25e1ec20a411f9
Author: Damian Meden <da...@gmail.com>
AuthorDate: Tue Jun 14 13:25:21 2022 +0100

    uri_signing plugin: Fix missing payload validation for the iss field. (#8901)
    
    (cherry picked from commit 095ae4ab9f9e18ed1c26d803a0bcdbdecf0b8cf8)
---
 plugins/experimental/uri_signing/jwt.c                      |  5 +++++
 plugins/experimental/uri_signing/parse.c                    | 12 +++++++++---
 tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py | 13 ++++++++++++-
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
index b3b1032ef..ed5da8d67 100644
--- a/plugins/experimental/uri_signing/jwt.c
+++ b/plugins/experimental/uri_signing/jwt.c
@@ -106,6 +106,11 @@ jwt_validate(struct jwt *jwt)
     return false;
   }
 
+  if (!jwt->iss) {
+    PluginDebug("Initial JWT Failure: iss is missing, must be present");
+    return false;
+  }
+
   if (jwt->cdniv != 1) { /* Only support the very first version! */
     PluginDebug("Initial JWT Failure: wrong version");
     return false;
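Review bot: The new `if (!jwt->iss)` guard has no comment saying why a missing issuer is fatal, while the version check right below it documents itself. In parse.c `jwt->iss` goes straight into `find_keys(cfg, jwt->iss)` and into `%s` log arguments, so a token without the claim would presumably hand a NULL pointer to those call sites. I would add `/* iss selects the issuer's key set in validate_jws(); reject before any lookup or %s logging sees NULL */` above the `if`. The guard rejects only NULL, so an empty-string issuer still passes here and relies on the key lookup to fail, which is worth confirming as intended. jwt_validate's body starts and ends outside this hunk.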
diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
index 5636c2755..72d79377a 100644
--- a/plugins/experimental/uri_signing/parse.c
+++ b/plugins/experimental/uri_signing/parse.c
@@ -208,8 +208,10 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
       PluginDebug("Cannot find key %s for issuer %s for %16p", kid, jwt->iss, jws);
       goto jwt_fail;
     }
-    if (!cjose_jws_verify(jws, jwk, NULL)) {
-      PluginDebug("Key %s for issuer %s for %16p does not validate.", kid, jwt->iss, jws);
+    cjose_err err;
+    memset(&err, 0, sizeof(cjose_err));
+    if (!cjose_jws_verify(jws, jwk, &err)) {
+      PluginDebug("Key %s for issuer %s for %16p does not validate: '%s'", kid, jwt->iss, jws, (err.message ? err.message : ""));
       goto jwt_fail;
     }
     TimerDebug("checking crypto signature for jwt");
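Review bot: The two-line `cjose_err err; memset(&err, 0, sizeof(cjose_err));` setup is repeated here and again inside the all-keys loop of the next hunk. `cjose_err err = {0};` gives the same zeroed struct in one line and needs no `memset`, whose header is not visible in this hunk. The `err.message ? err.message : ""` guard before `%s` is good and should stay. validate_jws's body extends outside the hunk.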
@@ -217,8 +219,12 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
     PluginDebug("Searching all keys for issuer %s for %16p", jwt->iss, jws);
     cjose_jwk_t **jwks;
     for (jwks = find_keys(cfg, jwt->iss); jwks && *jwks; ++jwks) {
-      if (cjose_jws_verify(jws, *jwks, NULL)) {
+      cjose_err err;
+      memset(&err, 0, sizeof(cjose_err));
+      if (cjose_jws_verify(jws, *jwks, &err)) {
         break;
+      } else {
+        PluginDebug("Key validation failed: '%s'", (err.message ? err.message : ""));
       }
     }
     TimerDebug("checking the crypto signature of all possible keys for jwt");
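Review bot: The per-key failure line `Key validation failed: '%s'` names neither the issuer nor the JWS pointer, unlike the `Searching all keys for issuer %s for %16p` message just above it. With several requests in flight, these lines cannot be tied back to a token when reading the debug log. I would write `PluginDebug("Key validation failed for issuer %s for %16p: '%s'", jwt->iss, jws, (err.message ? err.message : ""));`. The `else` after `break` is also unnecessary; the log call can follow the `if` directly.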
diff --git a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
index b77a7eae6..b85f98725 100644
--- a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
+++ b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
@@ -195,7 +195,7 @@ ps.Streams.stderr = "gold/403.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
-# 9 - multiple cookies
+# 11 - multiple cookies
 tr = Test.AddTestRun("multiple cookies, expired then good")
 ps = tr.Processes.Default
 ps.Command = curl_and_args + '"http://somehost/someasset.ts" -H "Cookie: URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjF9.GkdlOPHQc6BqS4Q6x79GeYuVFO2zuGbaPZZsJfD6ir8;URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjE5MjMwNTYwODR9.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
@@ -203,3 +203,14 @@ ps.ReturnCode = 0
 ps.Streams.stderr = "gold/200.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
+
+
+# 12 - Check missing iss from the payload
+tr = Test.AddTestRun("Missing iss field in the payload")
+ps = tr.Processes.Default
+ps.Command = curl_and_args + '"http://somehost/someasset.ts?URISigningPackage=ewogICJ0eXAiOiAiSldUIiwKICAiYWxnIjogIkhTMjU2Igp9.ewogICJleHAiOiAxOTIzMDU2MDg0Cn0.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
+ps.ReturnCode = 0
+ps.Streams.stderr = "gold/403.gold"
+ts.Streams.stderr = Testers.ContainsExpression("Initial JWT Failure: iss is missing, must be present", "should fail the validation")
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
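Review bot: Test 12's token is opaque to a reader, and its signature segment is the same one carried by the valid token in the multiple-cookies run, so it cannot match this payload. The 403 alone therefore does not prove the new check fired; the `ts.Streams.stderr` expression is the assertion that pins the fix, and it presumably depends on plugin debug output being enabled in the setup outside this hunk. I would add a comment above `ps.Command` such as `# payload decodes to {"exp": 1923056084} (no iss); signature is not valid for it, so the ts debug line below is what proves the iss check rejected the token`. Only the query-string form is covered; a cookie-borne token without `iss` would take the same path and is cheap to add.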