Posted to commits@trafficserver.apache.org by ez...@apache.org on 2022/06/14 21:47:55 UTC

[trafficserver] branch 8.1.x updated: uri_signing plugin: Fix missing payload validation for the iss field. (#8901) (#8912)

This is an automated email from the ASF dual-hosted git repository.

eze pushed a commit to branch 8.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.1.x by this push:
     new bcb4c5625 uri_signing plugin: Fix missing payload validation for the iss field. (#8901) (#8912)
bcb4c5625 is described below

commit bcb4c5625620408a763046cd57a83b9d01be9808
Author: Dylan Souza <dy...@gmail.com>
AuthorDate: Tue Jun 14 14:47:49 2022 -0700

    uri_signing plugin: Fix missing payload validation for the iss field. (#8901) (#8912)
    
    Co-authored-by: Damian Meden <da...@gmail.com>
---
 plugins/experimental/uri_signing/jwt.c                      |  5 +++++
 plugins/experimental/uri_signing/parse.c                    | 12 +++++++++---
 tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py | 13 ++++++++++++-
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
index f14ecb6e2..173f3cea0 100644
--- a/plugins/experimental/uri_signing/jwt.c
+++ b/plugins/experimental/uri_signing/jwt.c
@@ -106,6 +106,11 @@ jwt_validate(struct jwt *jwt)
     return false;
   }
 
+  if (!jwt->iss) {
+    PluginDebug("Initial JWT Failure: iss is missing, must be present");
+    return false;
+  }
+
   if (jwt->cdniv != 1) { /* Only support the very first version! */
     PluginDebug("Initial JWT Failure: wrong version");
     return false;
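Review bot: The new guard at the top of the hunk rejects only a NULL iss; if the parser can leave jwt->iss as an empty string, that value still passes here and later reaches `find_keys(cfg, jwt->iss)` and the `%s` debug formats in parse.c, which is probably not what an issuer-keyed lookup wants — consider `if (!jwt->iss || !*jwt->iss) {` if an empty issuer is never meaningful (confirm against the parser). The check also deserves a why-comment, since its purpose is to keep a NULL pointer away from the key lookup and the `%s` formats in validate_jws(): `/* iss selects the key set in validate_jws(); reject early so find_keys() and the %s debug formats never see NULL */`. jwt_validate's signature and earlier checks lie outside this hunk.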
diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
index f577e740a..6f52a6d80 100644
--- a/plugins/experimental/uri_signing/parse.c
+++ b/plugins/experimental/uri_signing/parse.c
@@ -204,8 +204,10 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
       PluginDebug("Cannot find key %s for issuer %s for %16p", kid, jwt->iss, jws);
       goto jwt_fail;
     }
-    if (!cjose_jws_verify(jws, jwk, NULL)) {
-      PluginDebug("Key %s for issuer %s for %16p does not validate.", kid, jwt->iss, jws);
+    cjose_err err;
+    memset(&err, 0, sizeof(cjose_err));
+    if (!cjose_jws_verify(jws, jwk, &err)) {
+      PluginDebug("Key %s for issuer %s for %16p does not validate: '%s'", kid, jwt->iss, jws, (err.message ? err.message : ""));
       goto jwt_fail;
     }
     TimerDebug("checking crypto signature for jwt");
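Review bot: The `cjose_err err; memset(&err, 0, sizeof(cjose_err));` pair introduced here, and again in the loop of the next hunk, is the C89 shape of zero-initialization; `cjose_err err = {0};` does the same in one line and, unlike `sizeof(cjose_err)`, stays correct if the variable's type ever changes. The `err.message ? err.message : ""` guard is right, since a verify failure without a populated message would otherwise pass NULL to `%s`. validate_jws begins and continues outside this hunk.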
@@ -213,8 +215,12 @@ validate_jws(cjose_jws_t *jws, struct config *cfg, const char *uri, size_t uri_c
     PluginDebug("Searching all keys for issuer %s for %16p", jwt->iss, jws);
     cjose_jwk_t **jwks;
     for (jwks = find_keys(cfg, jwt->iss); jwks && *jwks; ++jwks) {
-      if (cjose_jws_verify(jws, *jwks, NULL)) {
+      cjose_err err;
+      memset(&err, 0, sizeof(cjose_err));
+      if (cjose_jws_verify(jws, *jwks, &err)) {
         break;
+      } else {
+        PluginDebug("Key validation failed: '%s'", (err.message ? err.message : ""));
       }
     }
     TimerDebug("checking the crypto signature of all possible keys for jwt");
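Review bot: The `else` added after `break;` is redundant: once the if-branch breaks out of the loop, the failure log can follow the if unconditionally, `if (cjose_jws_verify(jws, *jwks, &err)) { break; } PluginDebug("Key validation failed: '%s'", (err.message ? err.message : ""));`, which also keeps the loop body one level flatter. Note that this message, unlike the one in the kid branch above, does not say which key failed, so a reader of the debug log sees only a count of failures; if cjose exposes the key id cheaply it may be worth including. The loop's follow-up (what happens when jwks ends up NULL) is outside this hunk.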
diff --git a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
index 0fb29e2d2..14f8bc440 100644
--- a/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
+++ b/tests/gold_tests/pluginTest/uri_signing/uri_signing.test.py
@@ -202,7 +202,7 @@ ps.Streams.stderr = "gold/403.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
-# 9 - multiple cookies
+# 11 - multiple cookies
 tr = Test.AddTestRun("multiple cookies, expired then good")
 ps = tr.Processes.Default
 ps.Command = curl_and_args + '"http://somehost/someasset.ts" -H "Cookie: URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjF9.GkdlOPHQc6BqS4Q6x79GeYuVFO2zuGbaPZZsJfD6ir8;URISigningPackage=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJleHAiOjE5MjMwNTYwODR9.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
@@ -210,3 +210,14 @@ ps.ReturnCode = 0
 ps.Streams.stderr = "gold/200.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
+
+
+# 12 - Check missing iss from the payload
+tr = Test.AddTestRun("Missing iss field in the payload")
+ps = tr.Processes.Default
+ps.Command = curl_and_args + '"http://somehost/someasset.ts?URISigningPackage=ewogICJ0eXAiOiAiSldUIiwKICAiYWxnIjogIkhTMjU2Igp9.ewogICJleHAiOiAxOTIzMDU2MDg0Cn0.zw_wFQ-wvrWmfPLGj3hAUWn-GOHkiJZi2but4KV0paY"'
+ps.ReturnCode = 0
+ps.Streams.stderr = "gold/403.gold"
+ts.Streams.stderr = Testers.ContainsExpression("Initial JWT Failure: iss is missing, must be present", "should fail the validation")
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
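Review bot: The token in test 12 reuses the signature from test 11's second cookie over a different payload, so it would be rejected with a 403 even without the new iss check; the `Testers.ContainsExpression("Initial JWT Failure: iss is missing, must be present", ...)` line is therefore the assertion that actually pins the fix, and the comment above the run should say so, e.g. `# 12 - Check missing iss from the payload (signature is not valid either; the stderr check below proves the iss path is hit first)`. That stderr check presumably also depends on the plugin's debug tag being enabled for `ts` earlier in the file — worth confirming, since otherwise the expression can never match.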