Google Git
Sign in
apache/apisix/refs/heads/master/./t/plugin/jwt-auth4.t
blob: c2a4822dbe5a18d2d56f90348239e1bbf718184f [file]
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
repeat_each(1);
no_long_string();
no_root_location();
no_shuffle();
add_block_preprocessor(sub {
my ($block) = @_;
if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
$block->set_value("no_error_log", "[error]");
}
if (!defined $block->request) {
$block->set_value("request", "GET /t");
if (!$block->response_body) {
$block->set_value("response_body", "passed\n");
}
}
});
run_tests;
__DATA__
=== TEST 1: add consumer with username and plugins
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"jwt-auth": {
"key": "user-key",
"secret": "my-secret-key"
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 2: enable jwt auth plugin using admin api
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {
"key": "user-key",
"secret": "my-secret-key",
"key_claim_name": "iss"
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 3: verify (in header)
--- config
location /t {
content_by_lua_block {
local function gen_token(payload)
local buffer = require "string.buffer"
local openssl_mac = require "resty.openssl.mac"
local base64 = require "ngx.base64"
local base64_encode = base64.encode_base64url
local json = require("cjson")
local function sign(data, key)
return openssl_mac.new(key, "HMAC", nil, "sha256"):final(data)
end
local header = { typ = "JWT", alg = "HS256" }
local buf = buffer.new()
buf:put(base64_encode(json.encode(header))):put("."):put(base64_encode(json.encode(payload)))
local ok, signature = pcall(sign, buf:tostring(), "my-secret-key")
if not ok then
return nil, signature
end
buf:put("."):put(base64_encode(signature))
return buf:get()
end
local payload = {
sub = "1234567890",
iss = "user-key",
exp = 9916239022
}
local token = gen_token(payload)
local http = require("resty.http")
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
local opt = {method = "POST", headers = {["Authorization"] = "Bearer " .. token}}
local httpc = http.new()
local res = httpc:request_uri(uri, opt)
assert(res.status == 200)
ngx.print(res.body)
}
}
--- request
GET /t
--- more_headers
--- response_body
hello world
=== TEST 4: ensure secret is non empty
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local t = require("lib.test_admin").test
-- prepare consumer with a custom key claim name
local csm_code, csm_body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "mike",
"plugins": {
"jwt-auth": {
"key": "custom-user-key",
"secret": ""
}
}
}]]
)
if csm_code == 200 then
ngx.status = 500
ngx.say("error")
return
end
ngx.status = csm_code
ngx.say(csm_body)
}
}
--- error_code: 400
--- response_body eval
qr/\\"secret\\" validation failed: string too short, expected at least 1, got 0/
=== TEST 5: ensure key is non empty
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local t = require("lib.test_admin").test
-- prepare consumer with a custom key claim name
local csm_code, csm_body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "mike",
"plugins": {
"jwt-auth": {
"key": "",
"algorithm": "RS256",
"public_key": "somekey",
"private_key": "someprivkey"
}
}
}]]
)
if csm_code == 200 then
ngx.status = 500
ngx.say("error")
return
end
ngx.status = csm_code
ngx.say(csm_body)
}
}
--- error_code: 400
--- response_body eval
qr/\\"key\\" validation failed: string too short, expected at least 1, got 0/
=== TEST 6: store_in_ctx disabled
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {},
"serverless-post-function": {
"phase": "rewrite",
"functions": [
"return function(conf, ctx)
if ctx.jwt_auth_payload then
ngx.status = 200
ngx.say(\"JWT found in ctx. Payload key: \" .. ctx.jwt_auth_payload.key)
return ngx.exit(200)
else
ngx.status = 401
ngx.say(\"JWT not found in ctx.\")
return ngx.exit(401)
end
end"
]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/jwt-auth-no-ctx"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 7: verify store_in_ctx disabled (header with bearer)
--- request
GET /jwt-auth-no-ctx
--- more_headers
Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsIm5iZiI6MTcyNzI3NDk4M30.N6ebc4U5ms976pwKZ_iQ88w_uJKqUVNtTYZ_nXhRpWo
--- error_code: 401
--- response_body
JWT not found in ctx.
=== TEST 8: store_in_ctx enabled
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/2',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {
"store_in_ctx": true
},
"serverless-post-function": {
"phase": "rewrite",
"functions": [
"return function(conf, ctx)
if ctx.jwt_auth_payload then
ngx.status = 200
ngx.say(\"JWT found in ctx. Payload key: \" .. ctx.jwt_auth_payload.key)
return ngx.exit(200)
else
ngx.status = 401
ngx.say(\"JWT not found in ctx.\")
return ngx.exit(401)
end
end"
]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/jwt-auth-ctx"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 9: verify store_in_ctx enabled (header with bearer)
--- request
GET /jwt-auth-ctx
--- more_headers
Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsIm5iZiI6MTcyNzI3NDk4M30.N6ebc4U5ms976pwKZ_iQ88w_uJKqUVNtTYZ_nXhRpWo
--- error_code: 200
--- response_body
JWT found in ctx. Payload key: user-key
=== TEST 10: Test Ed448 signature verification with lua-resty-openssl
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local core = require("apisix.core")
local pkey = require("resty.openssl.pkey")
local base64 = require("ngx.base64")
-- Test data for Ed448 verification
local header = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6InNjTy16dnUwWWRxOEVJSmxIb25CdWNYVmN2VjVnUm1oZ1BnZXFWSzZFdVkiLCJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjkwNDIvb2lkYy9qd2tzIn0"
local payload = "eyJjbGllbnRfaWQiOiJhcHAtMDEifQ"
local signature = "kOC0UuRy3-eOSZiYWdH1izidwg1cWHsVAgvWgonOw7q1fEOXxD-AG3R1aj-heq-ENZn4hHWv3j8AabiBm6psCwrtf9C7ygDJmFT38Q2-EB3aVlbXSujXjwvWrw0o4yCZciHRVB2pNVkw36pjbQm2Lh8A"
local jwk = '{"alg": "EdDSA", "crv": "Ed448", "kty": "OKP", "use": "sig", "x": "XtrFWAUpoSzZd8OXZAP8LAUyfcGKVnAH7MNJZmqlmz-vz05pwP2q-8cOb14UmkY9nvbL1iBl1tUA"}'
local raw_signature = base64.decode_base64url(signature)
-- Test JWK import
local ed448, err = pkey.new(jwk, { format = "JWK" })
if not ed448 then
ngx.say("FAIL: Failed to create pkey from JWK: ", err)
return
end
-- Test JWK export to verify consistency
local exported_jwk, export_err = ed448:tostring("public", "JWK")
if not exported_jwk then
ngx.say("FAIL: Failed to export JWK: ", export_err)
return
end
-- Parse JWKs to compare
local original_parsed = core.json.decode(jwk)
local exported_parsed = core.json.decode(exported_jwk)
if not original_parsed or not exported_parsed then
ngx.say("FAIL: Failed to parse JWKs")
return
end
-- Verify key parameters are consistent
local jwk_consistent = (original_parsed.crv == exported_parsed.crv) and
(original_parsed.kty == exported_parsed.kty)
if not jwk_consistent then
ngx.say("FAIL: JWK parameters inconsistent - Original crv: ", original_parsed.crv,
", Exported crv: ", exported_parsed.crv)
return
end
-- Test signature verification
local data_to_verify = header .. "." .. payload
local verify, verify_err = ed448:verify(raw_signature, data_to_verify)
if verify then
ngx.say("PASS: Ed448 signature verification successful")
ngx.say("PASS: JWK import/export consistent")
else
ngx.say("FAIL: Ed448 signature verification failed - Error: ", verify_err)
ngx.say("INFO: This may be expected with older lua-resty-openssl versions")
ngx.say("INFO: Original JWK x: ", original_parsed.x)
ngx.say("INFO: Exported JWK x: ", exported_parsed.x)
end
}
}
--- request
GET /t
--- response_body_like
(PASS: Ed448 signature verification successful|FAIL: Ed448 signature verification failed)
--- no_error_log
[error]
=== TEST 11: secret is required for HS algorithms
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"jwt-auth": {
"key": "user-key",
"algorithm": "HS384"
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.log(ngx.ERR, body)
ngx.say("failed")
}
}
--- error_code: 400
--- response_body
failed
--- error_log
property \"secret\" is required when using HS based algorithms