author | Robert Newson <rnewson@apache.org> | 2020-03-30 11:07:24 +0100 |
---|---|---|
committer | Robert Newson <rnewson@apache.org> | 2020-03-30 21:04:07 +0100 |
commit | d291847c97576c28ed4996ad06e09bb0c905d036 (patch) | |
tree | 8b20dd48c79cdfa7471207d5f5e66e169c22f83c | |
parent | 2212c31468b5e55180ab5dfd251bc6b265335b69 (diff) | |
Remove enhanced alg check
This mechanism is replaced by the much stronger tying of verification
algorithm to the key directly in the server config.
-rw-r--r-- | rel/overlay/etc/default.ini | 2 | ||||
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 6 | ||||
-rw-r--r-- | src/jwtf/src/jwtf.erl | 7 | ||||
-rw-r--r-- | src/jwtf/test/jwtf_tests.erl | 12 |
4 files changed, 5 insertions, 22 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 25f1027d2..24f504726 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -143,8 +143,6 @@ max_db_number_for_dbs_info_req = 100
 ;[jwt_auth]
 ; List of claims to validate
 ; required_claims = exp
-; List of algorithms to accept during checks
-; allowed_algorithms = HS256
 ;
 ; [jwt_keys]
 ; Configure at least one key here if using the JWT auth handler.
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 43fb4161c..4f19728e9 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -192,8 +192,7 @@ jwt_authentication_handler(Req) ->
 case header_value(Req, "Authorization") of
 "Bearer " ++ Jwt ->
 RequiredClaims = get_configured_claims(),
- AllowedAlgorithms = get_configured_algorithms(),
- case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwtf_keystore:get/2) of
+ case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
 {ok, {Claims}} ->
 case lists:keyfind(<<"sub">>, 1, Claims) of
 false -> throw({unauthorized, <<"Token missing sub claim.">>});
@@ -208,9 +207,6 @@ jwt_authentication_handler(Req) ->
 _ -> Req
 end.
 
-get_configured_algorithms() ->
- re:split(config:get("jwt_auth", "allowed_algorithms", "HS256"), "\s*,\s*", [{return, binary}]).
-
 get_configured_claims() ->
 re:split(config:get("jwt_auth", "required_claims", ""), "\s*,\s*", [{return, binary}]).
 
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index b558bdc63..098a41d24 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
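Review bot: The new `[alg | RequiredClaims]` still inherits an empty-config quirk from `get_configured_claims/0` (visible as context in the next hunk): `re:split/3` applied to the default `""` yields `[<<>>]`, so with no `required_claims` configured the checks handed to `jwtf:decode/3` are `[alg, <<>>]` rather than `[alg]`. How the decoder treats a `<<>>` claim name is outside this diff, but dropping it here is a one-liner: `RequiredClaims = [C || C <- get_configured_claims(), C =/= <<>>],`. Separately, `"\s*,\s*"` is an Erlang string in which `\s` is the space escape, so the compiled pattern is ` *, *` and a tab around the comma survives into the claim name; `"\\s*,\\s*"` is presumably what was intended. It is also worth confirming that `jwtf` accepts binary check names, since the tests touched by this commit pass atoms (`iat, exp, typ, alg, kid`) while this caller passes binaries. `jwt_authentication_handler/1` continues outside the hunk on both sides.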
@@ -158,11 +158,10 @@ validate_alg(Props, Checks) ->
 case {Required, Alg} of
 {undefined, _} ->
 ok;
- {Required, undefined} when Required /= undefined ->
+ {true, undefined} ->
 throw({bad_request, <<"Missing alg header parameter">>});
- {Required, Alg} when Required == true; is_list(Required) ->
- AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
- case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
+ {true, Alg} ->
+ case lists:member(Alg, valid_algorithms()) of
 true ->
 ok;
 false ->
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index e445e5fc9..df3866f23 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,16 +82,6 @@ invalid_alg_test() ->
 ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
 jwtf:decode(Encoded, [alg], nil)).
 
-not_allowed_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
-
-reject_unknown_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
-
 missing_iss_test() ->
 Encoded = encode(valid_header(), {[]}),
 
@@ -190,7 +180,7 @@ hs256_test() ->
 "6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
 "Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
 KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
- Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
+ Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
 ?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)). |
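Review bot: With the list form removed, `validate_alg/2` now matches `Required` only as `undefined` or `true`; if `Required` (bound above the hunk) can still come back as a list from a legacy `{alg, [...]}` check term, the new clause set fails with `case_clause` instead of a descriptive error, whereas the old guard `when Required == true; is_list(Required)` accepted that shape. Either document the accepted check shape where `decode/3` is specified, or reject it explicitly with `{_, _} -> error({badarg, {alg, Required}})` so the misuse is reported as a caller bug rather than an opaque crash. Since `lists:member(Alg, valid_algorithms())` is now the only screen on the header's `alg` value, the key-to-algorithm binding the commit message relies on lives entirely in the key-store callback; a comment on the new clause would make that dependency visible, e.g. `%% Alg is only checked against known names; the key store must bind each key to a single alg.`. `validate_alg/2` continues outside the hunk on both sides.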