authorAnh Thi Lan Nguyen <lananhnt@outlook.com.vn>2021-12-10 17:17:58 +0700
committermergify-bot <noreply@mergify.com>2021-12-19 11:51:13 +0000
commit810fa4b160ae9f7e084b79a92df2bfe84392e93a (patch)
treeec6b62284d7e3de7430e21d8ab5dda36b362a879
parent228f949a0c0846097146a9ec0223335c18a6d6fe (diff)
downloadrabbitmq-server-git-810fa4b160ae9f7e084b79a92df2bfe84392e93a.tar.gz
Add wildcard configuration
A "wildcard" configuration is added to enable key server verification with a wildcard certificate (cherry picked from commit 118e44c10eacd64cec879b9d7d14881ce14de729)
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/README.md2
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema5
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl15
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets2
4 files changed, 19 insertions, 5 deletions
diff --git a/deps/rabbitmq_auth_backend_oauth2/README.md b/deps/rabbitmq_auth_backend_oauth2/README.md
index b29208996f..e11b2dd358 100644
--- a/deps/rabbitmq_auth_backend_oauth2/README.md
+++ b/deps/rabbitmq_auth_backend_oauth2/README.md
@@ -151,6 +151,7 @@ NOTE: `jwks_url` takes precedence over `signing_keys` if both are provided.
| `auth_oauth2.https.cacertfile` | Path to a file containing PEM-encoded CA certificates. The CA certificates are used during key server authentication
| `auth_oauth2.https.depth` | Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. Default is 10. Please see: https://www.erlang.org/doc/man/ssl.html#type-allowed_cert_chain_length for more details
| `auth_oauth2.https.peer_verification` | Identify if the verification should be performed towards key server. Available values: `verify_none`, `verify_peer`. Default is `verify_none`. It is recommended to configure `verify_peer`
+| `auth_oauth2.https.wildcard` | Enable wildcard-aware hostname verification for key server. Available values: `true`, `false`. Default is `false`.
| `auth_oauth2.algorithms` | Restrict the usable algorithms
For example:
@@ -172,6 +173,7 @@ auth_oauth2.jwks_url = https://my-jwt-issuer/jwks.json
auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
auth_oauth2.https.peer_verification = verify_peer
auth_oauth2.https.depth = 5
+auth_oauth2.https.wildcard = true
auth_oauth2.algorithms.1 = HS256
auth_oauth2.algorithms.2 = RS256
```
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
index 5748bf5642..420de4f232 100644
--- a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
+++ b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -98,6 +98,11 @@
"rabbitmq_auth_backend_oauth2.key_config.depth",
[{datatype, integer}]}.
+{mapping,
+ "auth_oauth2.https.wildcard",
+ "rabbitmq_auth_backend_oauth2.key_config.wildcard",
+ [{datatype, {enum, [true, false]}}]}.
+
{validator, "https_uri", "According to the JWT Specification, Key Server URL must be https.",
fun(Uri) -> string:nth_lexeme(Uri, 1, "://") == "https" end}.
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
index e9cc5541c5..e2cc7aee56 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
@@ -58,7 +58,7 @@ update_jwks_signing_keys() ->
undefined ->
{error, no_jwks_url};
JwksUrl ->
- case fetch_keys(JwksUrl) of
+ case httpc:request(get, {JwksUrl, []}, [{ssl, ssl_options()}], []) of
{ok, {_, _, JwksBody}} ->
KeyList = maps:get(<<"keys">>, jose:decode(erlang:iolist_to_binary(JwksBody)), []),
Keys = maps:from_list(lists:map(fun(Key) -> {maps:get(<<"kid">>, Key, undefined), {json, Key}} end, KeyList)),
@@ -68,14 +68,19 @@ update_jwks_signing_keys() ->
end
end.
--spec fetch_keys(binary() | list()) -> {ok, term()} | {error, term()}.
-fetch_keys(JwksUrl) ->
+-spec ssl_options() -> list().
+ssl_options() ->
UaaEnv = application:get_env(?APP, key_config, []),
PeerVerification = proplists:get_value(peer_verification, UaaEnv, verify_none),
CaCertFile = proplists:get_value(cacertfile, UaaEnv),
Depth = proplists:get_value(depth, UaaEnv, 10),
- SslOpts = [{verify, PeerVerification}, {cacertfile, CaCertFile}, {depth, Depth}],
- httpc:request(get, {JwksUrl, []}, [{ssl, SslOpts}], []).
+ SslOpts0 = [{verify, PeerVerification}, {cacertfile, CaCertFile}, {depth, Depth}],
+ case proplists:get_value(wildcard, UaaEnv, false) of
+ true ->
+ [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} | SslOpts0];
+ false ->
+ SslOpts0
+ end.
-spec decode_and_verify(binary()) -> {boolean(), map()} | {error, term()}.
decode_and_verify(Token) ->
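Review bot: The `customize_hostname_check` option prepended in the `true` branch of the new `ssl_options/0` only takes effect when `verify` is `verify_peer`, and `PeerVerification` defaults to `verify_none` a few lines above, so `auth_oauth2.https.wildcard = true` on its own silently changes nothing in the default configuration. A comment on the `case` would make that explicit: `%% Only meaningful together with {verify, verify_peer}; with verify_none no certificate or hostname check runs at all.` It may also be worth emitting a warning via the logger when `wildcard` is true but `PeerVerification` is `verify_none`, since an operator who sets the flag presumably believes hostname verification is active. Separately, `{cacertfile, CaCertFile}` is still passed through as `undefined` when the key is unset; that predates this commit but now lives in the new function and could be filtered out of `SslOpts0`.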
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
index 13969db284..0e47259b99 100644
--- a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
+++ b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
@@ -9,6 +9,7 @@
auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
auth_oauth2.https.peer_verification = verify_none
auth_oauth2.https.depth = 5
+ auth_oauth2.https.wildcard = true
auth_oauth2.algorithms.1 = HS256
auth_oauth2.algorithms.2 = RS256",
[
@@ -27,6 +28,7 @@
{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
{peer_verification, verify_none},
{depth, 5},
+ {wildcard, true},
{algorithms, [<<"HS256">>, <<"RS256">>]}
]
}