Skip to content

Commit

Permalink
ginjwt/Validate config (#206)
Browse files Browse the repository at this point in the history
* jwt/NewAuthMiddleware: verify Audience and Issuer is defined in config

When auth is enabled, we'd like to make sure this returns an error if
its a misconfiguration

* ginjwt/multitoken: return error if configuration is not defined

* make lint
  • Loading branch information
joelrebel authored Mar 27, 2024
1 parent 6d1c821 commit ca363be
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 3 deletions.
2 changes: 2 additions & 0 deletions events/nats_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ func TestNatsOptions_ValidatePrereqs(t *testing.T) {
CredsFile: tt.fields.CredsFile,
ConnectTimeout: tt.fields.ConnectTimeout,
}

err := o.validatePrereqs()
if tt.errorContains != "" {
assert.True(t, errors.Is(err, ErrNatsConfig))
Expand Down Expand Up @@ -180,6 +181,7 @@ func TestNatsConsumerOptions_Validate(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &NatsConsumerOptions{Name: tt.fields.Name}

err := c.validate()
if tt.errorContains != "" {
assert.True(t, errors.Is(err, ErrNatsConfig))
Expand Down
9 changes: 9 additions & 0 deletions ginjwt/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"time"

"github.com/gin-gonic/gin"
"github.com/pkg/errors"
"golang.org/x/net/context"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
Expand Down Expand Up @@ -73,6 +74,14 @@ func NewAuthMiddleware(cfg AuthConfig) (*Middleware, error) {
return mw, nil
}

if cfg.Audience == "" {
return nil, errors.Wrap(ErrInvalidAudience, "empty value")
}

if cfg.Issuer == "" {
return nil, errors.Wrap(ErrInvalidIssuer, "empty value")
}

uriProvided := (cfg.JWKSURI != "")
jwksProvided := len(cfg.JWKS.Keys) > 0

Expand Down
30 changes: 28 additions & 2 deletions ginjwt/jwt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,9 @@ func TestMiddlewareValidatesTokensWithScopes(t *testing.T) {
for _, tt := range testCases {
t.Run(tt.testName, func(t *testing.T) {
var jwksURI string

var jwks jose.JSONWebKeySet

if tt.jwksFromURI {
jwksURI = ginjwt.TestHelperJWKSProvider(ginjwt.TestPrivRSAKey1ID, ginjwt.TestPrivRSAKey2ID)
} else {
Expand Down Expand Up @@ -719,7 +721,7 @@ func TestAuthMiddlewareConfig(t *testing.T) {
JWKS: jwks,
RoleValidationStrategy: "all",
},
checkFn: func(t *testing.T, mw ginauth.GenericAuthMiddleware, err error) {
checkFn: func(t *testing.T, _ ginauth.GenericAuthMiddleware, err error) {
assert.ErrorIs(t, err, ginjwt.ErrInvalidAuthConfig)
},
},
Expand All @@ -731,10 +733,34 @@ func TestAuthMiddlewareConfig(t *testing.T) {
Issuer: "example-iss",
RoleValidationStrategy: "all",
},
checkFn: func(t *testing.T, mw ginauth.GenericAuthMiddleware, err error) {
checkFn: func(t *testing.T, _ ginauth.GenericAuthMiddleware, err error) {
assert.ErrorIs(t, err, ginjwt.ErrInvalidAuthConfig)
},
},
{
name: "MissingAudience",
input: ginjwt.AuthConfig{
Enabled: true,
Audience: "",
Issuer: "example-iss",
RoleValidationStrategy: "all",
},
checkFn: func(t *testing.T, _ ginauth.GenericAuthMiddleware, err error) {
assert.ErrorIs(t, err, ginjwt.ErrInvalidAudience)
},
},
{
name: "MissingIssuer",
input: ginjwt.AuthConfig{
Enabled: true,
Audience: "example-aud",
Issuer: "",
RoleValidationStrategy: "all",
},
checkFn: func(t *testing.T, _ ginauth.GenericAuthMiddleware, err error) {
assert.ErrorIs(t, err, ginjwt.ErrInvalidIssuer)
},
},
}

for _, tc := range testCases {
Expand Down
10 changes: 9 additions & 1 deletion ginjwt/multitokenmiddleware.go
Original file line number Diff line number Diff line change
@@ -1,9 +1,17 @@
package ginjwt

import "go.hollow.sh/toolbox/ginauth"
import (
"github.com/pkg/errors"

"go.hollow.sh/toolbox/ginauth"
)

// NewMultiTokenMiddlewareFromConfigs builds a MultiTokenMiddleware object from multiple AuthConfigs.
func NewMultiTokenMiddlewareFromConfigs(cfgs ...AuthConfig) (*ginauth.MultiTokenMiddleware, error) {
if len(cfgs) == 0 {
return nil, errors.Wrap(ErrInvalidAuthConfig, "configuration empty")
}

mtm := &ginauth.MultiTokenMiddleware{}

for _, cfg := range cfgs {
Expand Down

0 comments on commit ca363be

Please sign in to comment.