authorRobert Newson <rnewson@apache.org>2020-03-30 11:07:24 +0100
committerRobert Newson <rnewson@apache.org>2020-03-30 21:04:07 +0100
commitd291847c97576c28ed4996ad06e09bb0c905d036 (patch)
tree8b20dd48c79cdfa7471207d5f5e66e169c22f83c
parent2212c31468b5e55180ab5dfd251bc6b265335b69 (diff)
Remove enhanced alg check
This mechanism is replaced by the much stronger tying of verification algorithm to the key directly in the server config.
-rw-r--r--rel/overlay/etc/default.ini2
-rw-r--r--src/couch/src/couch_httpd_auth.erl6
-rw-r--r--src/jwtf/src/jwtf.erl7
-rw-r--r--src/jwtf/test/jwtf_tests.erl12
4 files changed, 5 insertions, 22 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 25f1027d2..24f504726 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -143,8 +143,6 @@ max_db_number_for_dbs_info_req = 100
;[jwt_auth]
; List of claims to validate
; required_claims = exp
-; List of algorithms to accept during checks
-; allowed_algorithms = HS256
;
; [jwt_keys]
; Configure at least one key here if using the JWT auth handler.
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 43fb4161c..4f19728e9 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -192,8 +192,7 @@ jwt_authentication_handler(Req) ->
case header_value(Req, "Authorization") of
"Bearer " ++ Jwt ->
RequiredClaims = get_configured_claims(),
- AllowedAlgorithms = get_configured_algorithms(),
- case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwtf_keystore:get/2) of
+ case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
{ok, {Claims}} ->
case lists:keyfind(<<"sub">>, 1, Claims) of
false -> throw({unauthorized, <<"Token missing sub claim.">>});
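Review bot: The new decode call drops the `allowed_algorithms` setting silently — an operator who still has `[jwt_auth] allowed_algorithms = HS256` in a local ini (the old default, per the removed get_configured_algorithms/0) gets no signal that the restriction is no longer applied and that acceptance now depends only on valid_algorithms() plus what the keystore returns for each alg/kid. A one-time warning when the stale key is present would make the migration visible: `case config:get("jwt_auth", "allowed_algorithms") of undefined -> ok; _ -> couch_log:warning("jwt_auth.allowed_algorithms is no longer honoured; bind algorithms to keys under [jwt_keys]", []) end`. jwt_authentication_handler/1 starts before this hunk and continues past it.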
@@ -208,9 +207,6 @@ jwt_authentication_handler(Req) ->
_ -> Req
end.
-get_configured_algorithms() ->
- re:split(config:get("jwt_auth", "allowed_algorithms", "HS256"), "\s*,\s*", [{return, binary}]).
-
get_configured_claims() ->
re:split(config:get("jwt_auth", "required_claims", ""), "\s*,\s*", [{return, binary}]).
diff --git a/src/jwtf/src/jwtf.erl b/src/jwtf/src/jwtf.erl
index b558bdc63..098a41d24 100644
--- a/src/jwtf/src/jwtf.erl
+++ b/src/jwtf/src/jwtf.erl
@@ -158,11 +158,10 @@ validate_alg(Props, Checks) ->
case {Required, Alg} of
{undefined, _} ->
ok;
- {Required, undefined} when Required /= undefined ->
+ {true, undefined} ->
throw({bad_request, <<"Missing alg header parameter">>});
- {Required, Alg} when Required == true; is_list(Required) ->
- AllowedAlg = if Required == true -> true; true -> lists:member(Alg, Required) end,
- case AllowedAlg andalso lists:member(Alg, valid_algorithms()) of
+ {true, Alg} ->
+ case lists:member(Alg, valid_algorithms()) of
true ->
ok;
false ->
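Review bot: With the list-valued clauses gone, a Checks entry of the old shape `{alg, [...]}` matches none of the remaining case clauses, so a caller still passing it would fail with `case_clause` rather than the `bad_request` the other paths throw — assuming `Required` is still looked up proplists-style from Checks, which is outside the hunk. If that form is intentionally unsupported now, a comment at the `{true, Alg}` clause would save the next reader from re-adding it: `%% 'alg' is a presence-and-known-algorithm check only; which algorithm a key may be used with is enforced by the keystore callback`. validate_alg/2's head and the tail of this case lie outside the hunk.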
diff --git a/src/jwtf/test/jwtf_tests.erl b/src/jwtf/test/jwtf_tests.erl
index e445e5fc9..df3866f23 100644
--- a/src/jwtf/test/jwtf_tests.erl
+++ b/src/jwtf/test/jwtf_tests.erl
@@ -82,16 +82,6 @@ invalid_alg_test() ->
?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
jwtf:decode(Encoded, [alg], nil)).
-not_allowed_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"HS256">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"RS256">>]}], nil)).
-
-reject_unknown_alg_test() ->
- Encoded = encode({[{<<"alg">>, <<"NOPE">>}]}, []),
- ?assertEqual({error, {bad_request,<<"Invalid alg header parameter">>}},
- jwtf:decode(Encoded, [{alg, [<<"NOPE">>]}], nil)).
-
missing_iss_test() ->
Encoded = encode(valid_header(), {[]}),
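Review bot: Removing not_allowed_alg_test/0 leaves the "token alg does not match what the key is bound to" path without any test in this module; reject_unknown_alg_test/0 was largely redundant with invalid_alg_test/0 above, but the HS256-vs-RS256 case was the only coverage of the restriction that the commit message says now lives in the key configuration. A replacement belongs wherever the alg-to-key binding is enforced (the keystore, per the commit description), asserting that decode returns an error when the header alg differs from the configured alg for that kid, rather than relying on a `function_clause` from a keystore fun with a single clause as in hs256_test/0.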
@@ -190,7 +180,7 @@ hs256_test() ->
"6MTAwMDAwMDAwMDAwMDAsImtpZCI6ImJhciJ9.iS8AH11QHHlczkBn"
"Hl9X119BYLOZyZPllOVhSBZ4RZs">>,
KS = fun(<<"HS256">>, <<"123456">>) -> <<"secret">> end,
- Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, {alg, [<<"HS256">>]}, kid],
+ Checks = [{iss, <<"https://foo.com">>}, iat, exp, typ, alg, kid],
?assertMatch({ok, _}, catch jwtf:decode(EncodedToken, Checks, KS)).