From 033f5e91c0ca254b88a7c1d0ec0ffb9e560891d2 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Mon, 2 Nov 2020 01:05:41 +0800 Subject: [PATCH 1/8] example for #2523 --- apisix/plugins/jwt-auth.lua | 10 +++- t/plugin/jwt-auth.t | 104 ++++++++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+), 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index a594e6f46575..86dac5361034 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -41,6 +41,8 @@ local consumer_schema = { properties = { key = {type = "string"}, secret = {type = "string"}, + public_key = {type = "string"}, + private_key= {type = "string"}, algorithm = { type = "string", enum = {"HS256", "HS512", "RS256"}, @@ -98,7 +100,7 @@ function _M.check_schema(conf, schema_type) end if schema_type == core.schema.TYPE_CONSUMER then - if not conf.secret then + if conf.algorithm ~= "RS256" and not conf.secret then conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end @@ -183,6 +185,9 @@ function _M.rewrite(conf, ctx) core.log.info("consumer: ", core.json.delay_encode(consumer)) local auth_secret = get_secret(consumer.auth_conf) + if consumer.auth_conf.algorithm and consumer.auth_conf.algorithm == "RS256" then + auth_secret = consumer.auth_conf.public_key + end jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) core.log.info("jwt object: ", core.json.delay_encode(jwt_obj)) if not jwt_obj.verified then @@ -222,6 +227,9 @@ local function gen_token() core.log.info("consumer: ", core.json.delay_encode(consumer)) local auth_secret = get_secret(consumer.auth_conf) + if consumer.auth_conf.algorithm and consumer.auth_conf.algorithm == "RS256" then + auth_secret = consumer.auth_conf.private_key + end local jwt_token = jwt:sign( auth_secret, { diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 0a041b04d334..d521823bc45b 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -519,3 +519,107 @@ GET /t \{"error_msg":"failed to check the configuration of plugin jwt-auth err: additional properties forbidden, found key"\} --- no_error_log [error] + + + +=== TEST 25: add consumer with username and plugins with public_key, private_key +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + }]], + [[{ + "node": { + "value": { + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + } + }, + "action": "set" + }]] + ) + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 26: JWT sign and verify RS256 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 27: sign +--- request +GET /apisix/plugin/jwt/sign?key=user-key-rs256 +--- response_body_like eval +qr/eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.\w+.\w+/ +--- no_error_log +[error] + + + +=== TEST 28: verify (in argument) +--- request +GET /hello?jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTYwNDMzNjQ4N30.U3TMjJjuHBH5mqOEyvh3WGy08DP0FHq_H62XprcOZfpywTByLCxK_bTKQf5jrXQlCudW_azIm4qV_TQJ2IFIag +--- response_body +hello world +--- no_error_log +[error] From e0acc051c60e39b6ac4a14c9bdd1953836609439 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Mon, 2 Nov 2020 02:19:23 +0800 Subject: [PATCH 2/8] fix CI errors --- t/plugin/jwt-auth.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 7d60155afd0a..f369b5b747c3 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -526,7 +526,7 @@ GET /t --- request GET /apisix/admin/schema/plugins/jwt-auth?schema_type=consumer --- response_body -{"required":["key"],"properties":{"exp":{"minimum":1,"type":"integer"},"algorithm":{"type":"string","default":"HS256","enum":["HS256","HS512","RS256"]},"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"key":{"type":"string"}},"additionalProperties":false,"type":"object"} +{"required":["key"],"properties":{"exp":{"minimum":1,"type":"integer"},"private_key":{"type":"string"},"public_key":{"type":"string"},"algorithm":{"type":"string","default":"HS256","enum":["HS256","HS512","RS256"]},"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"key":{"type":"string"}},"additionalProperties":false,"type":"object"} --- no_error_log [error] From 6630ae1452d37486404d00d3c5b15b133b37893d Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Wed, 4 Nov 2020 02:24:10 +0800 Subject: [PATCH 3/8] fix: jwt-auth plugin RS256 algorithm is not easy to use. (#2523) fix: add more test cases for jwt plugin. (#2355) fix #2523 fix #2355 --- apisix/plugins/jwt-auth.lua | 86 +++++-- doc/plugins/jwt-auth.md | 37 ++- doc/zh-cn/plugins/jwt-auth.md | 36 ++- t/plugin/jwt-auth.t | 472 +++++++++++++++++++++++++++++++++- 4 files changed, 589 insertions(+), 42 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index a539b38b2f5c..be9437f7bf93 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -27,6 +27,7 @@ local ngx = ngx local ngx_time = ngx.time local sub_str = string.sub local plugin_name = "jwt-auth" +local pcall = pcall local schema = { @@ -105,6 +106,12 @@ function _M.check_schema(conf, schema_type) conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end + if conf.algorithm == "RS256" then + if not conf.public_key or not conf.private_key then + return false, "when using RS256 algorithm, the parameter 'public_key' and 'private_key' is both required." + end + end + if not conf.exp then conf.exp = 60 * 60 * 24 end @@ -185,11 +192,14 @@ function _M.rewrite(conf, ctx) end core.log.info("consumer: ", core.json.delay_encode(consumer)) - local auth_secret = get_secret(consumer.auth_conf) + if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" + or consumer.auth_conf.algorithm == "HS512" then + local auth_secret = get_secret(consumer.auth_conf) + jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) + end if consumer.auth_conf.algorithm and consumer.auth_conf.algorithm == "RS256" then - auth_secret = consumer.auth_conf.public_key + jwt_obj = jwt:verify_jwt_obj(consumer.auth_conf.public_key, jwt_obj) end - jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) core.log.info("jwt object: ", core.json.delay_encode(jwt_obj)) if not jwt_obj.verified then return 401, {message = jwt_obj.reason} @@ -202,6 +212,48 @@ function _M.rewrite(conf, ctx) end +local function sign_jwt_with_HS(key, auth_conf) + local auth_secret = get_secret(auth_conf) + local jwt_token = jwt:sign( + auth_secret, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm + }, + payload = { + key = key, + exp = ngx_time() + auth_conf.exp + } + } + ) + return jwt_token +end + + +local function sign_jwt_with_RS256(key, auth_conf) + local ok, jwt_token = pcall(jwt.sign, self, auth_conf.private_key, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm, + x5c={ + auth_conf.public_key, + } + }, + payload = { + key = key, + exp = ngx_time() + auth_conf.exp + } + }) + if not ok then + core.log.warn("failed to sign jwt, check the private key and public key of the consumer to whom the key belongs.") + core.response.exit(500, "failed to sign jwt") + end + return jwt_token +end + + local function gen_token() local args = ngx.req.get_uri_args() if not args or not args.key then @@ -218,7 +270,6 @@ local function gen_token() local consumers = core.lrucache.plugin(plugin_name, "consumers_key", consumer_conf.conf_version, create_consume_cache, consumer_conf) - core.log.info("consumers: ", core.json.delay_encode(consumers)) local consumer = consumers[key] if not consumer then @@ -227,25 +278,18 @@ local function gen_token() core.log.info("consumer: ", core.json.delay_encode(consumer)) - local auth_secret = get_secret(consumer.auth_conf) - if consumer.auth_conf.algorithm and consumer.auth_conf.algorithm == "RS256" then - auth_secret = consumer.auth_conf.private_key + if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" + or consumer.auth_conf.algorithm == "HS512" then + local jwt_token = sign_jwt_with_HS(key,consumer.auth_conf) + core.response.exit(200, jwt_token) + end + + if consumer.auth_conf.algorithm == "RS256" then + local jwt_token = sign_jwt_with_RS256(key,consumer.auth_conf) + core.response.exit(200, jwt_token) end - local jwt_token = jwt:sign( - auth_secret, - { - header = { - typ = "JWT", - alg = consumer.auth_conf.algorithm - }, - payload = { - key = key, - exp = ngx_time() + consumer.auth_conf.exp - } - } - ) - core.response.exit(200, jwt_token) + return core.response.exit(404) end diff --git a/doc/plugins/jwt-auth.md b/doc/plugins/jwt-auth.md index 19cda31b98db..53f60e639078 100644 --- a/doc/plugins/jwt-auth.md +++ b/doc/plugins/jwt-auth.md @@ -20,6 +20,7 @@ - [中文](../zh-cn/plugins/jwt-auth.md) # Summary + - [**Name**](#name) - [**Attributes**](#attributes) - [**How To Enable**](#how-to-enable) @@ -37,13 +38,15 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio ## Attributes -| Name | Type | Requirement | Default | Valid | Description | -| ------------- | ------- | ----------- | ------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -| key | string | required | | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. | -| secret | string | optional | | | encryption key. if you do not specify, the value is auto-generated in the background. | +| Name | Type | Requirement | Default | Valid | Description | +|:--------------|:--------|:------------|:--------|:----------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------| +| key | string | required | | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. | +| secret | string | optional | | | encryption key. if you do not specify, the value is auto-generated in the background. | +| public_key | string | optional | | | RSA public key, required when `algorithm` attribute selects `RS256` algorithm. | +| private_key | string | optional | | | RSA private key, required when `algorithm` attribute selects `RS256` algorithm. | | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | -| exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | -| base64_secret | boolean | optional | false | | whether secret is base64 encoded | +| exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | +| base64_secret | boolean | optional | false | | whether secret is base64 encoded | ## API @@ -67,6 +70,23 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 }' ``` +`jwt-auth` uses the `HS256` algorithm by default, and if you use the `RS256` algorithm, you need to specify the algorithm and configure the public key and private key, as follows: + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key", + "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----", + "algorithm": "RS256" + } + } +}' +``` + you can visit Dashboard `http://127.0.0.1:9080/apisix/dashboard/` and add a Consumer through the web console: ![](../images/plugin/jwt-auth-1.png) @@ -168,8 +188,8 @@ Accept-Ranges: bytes ## Disable Plugin When you want to disable the `jwt-auth` plugin, it is very simple, - you can delete the corresponding json configuration in the plugin configuration, - no need to restart the service, it will take effect immediately: +you can delete the corresponding json configuration in the plugin configuration, +no need to restart the service, it will take effect immediately: ```shell $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' @@ -186,3 +206,4 @@ $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' } }' ``` + diff --git a/doc/zh-cn/plugins/jwt-auth.md b/doc/zh-cn/plugins/jwt-auth.md index 8047a700e17f..f3bae245b7f5 100644 --- a/doc/zh-cn/plugins/jwt-auth.md +++ b/doc/zh-cn/plugins/jwt-auth.md @@ -20,6 +20,7 @@ - [English](../../plugins/jwt-auth.md) # 目录 + - [**名字**](#名字) - [**属性**](#属性) - [**如何启用**](#如何启用) @@ -38,13 +39,15 @@ ## 属性 -| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | -| ------------- | ------- | ------ | ------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | -| key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 | -| secret | string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 | -| algorithm | string | 可选 | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法 | -| exp | integer | 可选 | 86400 | [1,...] | token 的超时时间 | -| base64_secret | boolean | 可选 | false | | 密钥是否为 base64 编码 | +| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | +|:--------------|:--------|:------|:--------|:----------------------------|:-----------------------------------------------------------------------------------------------| +| key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 | +| secret | string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 | +| public_key | string | 可选 | | | RSA公钥, `algorithm` 属性选择 `RS256` 算法时必填 | +| private_key | string | 可选 | | | RSA私钥, `algorithm` 属性选择 `RS256` 算法时必填 | +| algorithm | string | 可选 | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法 | +| exp | integer | 可选 | 86400 | [1,...] | token 的超时时间 | +| base64_secret | boolean | 可选 | false | | 密钥是否为 base64 编码 | ## 接口 @@ -67,6 +70,24 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1 } }' ``` + +`jwt-auth` 默认使用 `HS256` 算法,如果使用 `RS256` 算法,需要指定算法,并配置公钥与私钥,示例如下: + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key", + "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----", + "algorithm": "RS256" + } + } +}' +``` + 你可以使用浏览器打开 dashboard:`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer: ![](../../images/plugin/jwt-auth-1.png) @@ -183,3 +204,4 @@ $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' } }' ``` + diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index f369b5b747c3..600f80bd622d 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -552,7 +552,7 @@ GET /apisix/admin/schema/plugins/jwt-auth -=== TEST 28: add consumer with username and plugins with public_key, private_key +=== TEST 28: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -600,7 +600,7 @@ passed -=== TEST 29: JWT sign and verify RS256 +=== TEST 29: JWT sign and verify use RS256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -636,20 +636,480 @@ passed -=== TEST 30: sign +=== TEST 30: sign use RS256 algorithm(private_key numbits = 512) --- request GET /apisix/plugin/jwt/sign?key=user-key-rs256 --- response_body_like eval -qr/eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.\w+.\w+/ +qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.\w+.\w+/ --- no_error_log [error] -=== TEST 31: verify (in argument) +=== TEST 31: verify (in argument) use RS256 algorithm(private_key numbits = 512) --- request -GET /hello?jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTYwNDMzNjQ4N30.U3TMjJjuHBH5mqOEyvh3WGy08DP0FHq_H62XprcOZfpywTByLCxK_bTKQf5jrXQlCudW_azIm4qV_TQJ2IFIag +GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTY5Mjg3OX0.S7XMbZjl3HAm_r9xlXaKGnvQgMA6-G9RZ-3esJM3B3gDuTeyPr_JvWzou-9aDVCArr0ogcSa2dx7EwiwKaOwIA --- response_body hello world --- no_error_log [error] + + + +=== TEST 32: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + ]] .. [[ + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + } + } + } + ]], + [[{ + "node": { + "value": { + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + ]] .. [[ + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + } + } + } + }, + "action": "set" + }]] + ) + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 33: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 34: sign use RS256 algorithm(private_key numbits = 1024) +--- request +GET /apisix/plugin/jwt/sign?key=user-key-rs256 +--- response_body_like eval +qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZVwvc2VQNVRcL1Y4cGtTNVlOQVBSQ1xuM0ZmeHhlZGk3djBweVpoXC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.\w+.\w+/ +--- no_error_log +[error] + + + +=== TEST 35: verify (in argument) use RS256 algorithm(private_key numbits = 1024) +--- request +GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZVwvc2VQNVRcL1Y4cGtTNVlOQVBSQ1xuM0ZmeHhlZGk3djBweVpoXC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTc4MjQ0MH0.ExLbD7bMUw4117DTXwdxOJ2cfJajSX0VzINkKzjvr7-4sod9q2gpLbemoXH_IBIcdKF2raC8k6OVxRUAJa_Nlk4NIdbjEWk4Z9zfdjWK_t7QED-5nfoYflwGVOpNh-q8zdXsZRhPnBWuPB9yGJLpI_NfqdRdlRQrQ3JaCIgvYBg +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 36: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", + ]] .. [[ + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" + } + } + } + ]], + [[{ + "node": { + "value": { + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", + ]] .. [[ + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" + } + } + } + }, + "action": "set" + }]] + ) + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 37: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 38: sign use RS256 algorithm(private_key numbits = 2048) +--- request +GET /apisix/plugin/jwt/sign?key=user-key-rs256 +--- response_body_like eval +qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdjVMSGpaNEZ4UTlqazZlUUdEUnRcbm9Sd0ZWa0xxK2RVQmViczk3aHJ6aXJva1ZyMkIrUm94cWRMZktBTStBc04yRGFkYXdaMkdxbENWOURMMFwvZ3o2XG5uV1NxVFFwV2JROGM3Q3JGMzFFa0lIVVlSelp2V3kxN0szV0M5T2RrXC9nTTFGVmQwSGJaMlJqdXFqOUFEZWVxeFxubmo5bnBEcUtyTU9ET0VOeTMxU3FaTmVyV1pzZGdHa01MNUpZYlg1aGJJMkw5TFJFdlJVMjFmRGdTZkdMNk13NFxuTmF4bm56Y3ZsbDR5cXdyQkVMU2VEWkVBdDArZVwvcDFkTzdtb3hGK2IxcEZraDl2UWw2ekd2bnZmOGZPcW41RXhcbnRMSFhWemd4NzUyUEhNd211ajltTzFrbzZwOEZPTTBKSERub29JKzVyd0s0ajNJMjdIbzVubmF0VldVYXhLNFVcbjh3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.\w+.\w+/ +--- no_error_log +[error] + + + +=== TEST 39: verify (in argument) use RS256 algorithm(private_key numbits = 2048) +--- request +GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdjVMSGpaNEZ4UTlqazZlUUdEUnRcbm9Sd0ZWa0xxK2RVQmViczk3aHJ6aXJva1ZyMkIrUm94cWRMZktBTStBc04yRGFkYXdaMkdxbENWOURMMFwvZ3o2XG5uV1NxVFFwV2JROGM3Q3JGMzFFa0lIVVlSelp2V3kxN0szV0M5T2RrXC9nTTFGVmQwSGJaMlJqdXFqOUFEZWVxeFxubmo5bnBEcUtyTU9ET0VOeTMxU3FaTmVyV1pzZGdHa01MNUpZYlg1aGJJMkw5TFJFdlJVMjFmRGdTZkdMNk13NFxuTmF4bm56Y3ZsbDR5cXdyQkVMU2VEWkVBdDArZVwvcDFkTzdtb3hGK2IxcEZraDl2UWw2ekd2bnZmOGZPcW41RXhcbnRMSFhWemd4NzUyUEhNd211ajltTzFrbzZwOEZPTTBKSERub29JKzVyd0s0ajNJMjdIbzVubmF0VldVYXhLNFVcbjh3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTc3MTQ3Mn0.m8n0iq0FthBGuCP4IOzIi9J0aHJeBKGhV0A7_DI0QqdXDxFjImGZSsDrNa77_3_gQonLY9xwWO0eobBzcpXuBQKVjl7fEn1brY4m1SKMB0xxWn525khzWe4aN3Yf101fCXd-8rKfZoCOMs_KS9YLTpEGbHJJ3nPiJdN9Btlt-jqCfbQvTT_zogITxJBcUiwz_ikttDTCLVrAvE5M7Xmck245MayOhSvu0f1df1XcmdrnKV4fHypl3UPhQNdb0Up4IBao0lJsKF2QCrvn_rP_oXrViurnpJDv6nP_46woWvnS74_WWGmVg2BptlQ7p8IYF4yAoXW8gsjcgoixbYTOGg +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 40: JWT sign with the public key when using the RS256 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + "public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + }]], + [[{ + "node": { + "value": { + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + "public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + } + }, + "action": "set" + }]] + ) + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 41: JWT sign and verify RS256 +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 42: sign +--- request +GET /apisix/plugin/jwt/sign?key=user-key-rs256 +--- error_code: 500 +--- response_body eval +qr/failed to sign jwt/ + + + +=== TEST 43: sanity(algorithm = HS512) +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.jwt-auth") + local core = require("apisix.core") + local conf = {key = "123", algorithm = "HS512"} + + local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER) + if not ok then + ngx.say(err) + end + + ngx.say(require("cjson").encode(conf)) + } + } +--- request +GET /t +--- response_body_like eval +qr/{"algorithm":"HS512","secret":"[a-zA-Z0-9+\\\/]+={0,2}","key":"123","exp":86400}/ +--- no_error_log +[error] + + + +=== TEST 44: add consumer with username and plugins use HS256 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-HS512", + "algorithm": "HS512", + "secret": "my-secret-key" + } + } + }]], + [[{ + "node": { + "value": { + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-HS512", + "algorithm": "HS512", + "secret": "my-secret-key" + } + } + } + }, + "action": "set" + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 45: JWT sign and verify use HS256 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 46: sign(algorithm = HS512) +--- request +GET /apisix/plugin/jwt/sign?key=user-key-HS512 +--- response_body_like eval +qr/eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.\w+.\w+/ +--- no_error_log +[error] + + + +=== TEST 47: verify (in argument) use HS512 algorithm +--- request +GET /hello?jwt=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1IUzUxMiIsImV4cCI6MTkxOTc4NzU5OH0.zJAE-BDs6QtMvGbBmQL6hNbZ9seYSfZ9SDH3R3VSiOhY3UAjdrl3SUStTeCirlVzIV1eoEiW2jd_xHpKNw7nWA +--- response_body +hello world +--- no_error_log +[error] + + + +=== TEST 48: test for unsupported algorithm +--- request +PATCH /apisix/plugin/jwt/sign?key=user-key +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.jwt-auth") + local core = require("apisix.core") + local conf = {key = "123", algorithm = "ES256"} + + local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER) + if not ok then + ngx.say(err) + end + + ngx.say(require("cjson").encode(conf)) + } + } +--- request +GET /t +--- response_body_like eval +qr/property "algorithm" validation failed/ From 008fe7b3f37f4eedd8f5190a8b706daa1d37b285 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Wed, 4 Nov 2020 02:45:11 +0800 Subject: [PATCH 4/8] fix CI error --- apisix/plugins/jwt-auth.lua | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 22b03db80056..647d1f9cf988 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -112,7 +112,8 @@ function _M.check_schema(conf, schema_type) if conf.algorithm == "RS256" then if not conf.public_key or not conf.private_key then - return false, "when using RS256 algorithm, the parameter 'public_key' and 'private_key' is both required." + return false, "when using RS256 algorithm, " + .."the parameter 'public_key' and 'private_key' is both required." end end @@ -235,7 +236,7 @@ end local function sign_jwt_with_RS256(key, auth_conf) - local ok, jwt_token = pcall(jwt.sign, self, auth_conf.private_key, + local ok, jwt_token = pcall(jwt.sign, _M, auth_conf.private_key, { header = { typ = "JWT", @@ -250,7 +251,8 @@ local function sign_jwt_with_RS256(key, auth_conf) } }) if not ok then - core.log.warn("failed to sign jwt, check the private key and public key of the consumer to whom the key belongs.") + core.log.warn("failed to sign jwt, " .. + "check the private key and public key of the consumer to whom the key belongs.") core.response.exit(500, "failed to sign jwt") end return jwt_token From f8d76e25923f24638b9eea2774d082cbf2ad34d5 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Wed, 4 Nov 2020 10:04:13 +0800 Subject: [PATCH 5/8] resolve conversation --- apisix/plugins/jwt-auth.lua | 7 ------- t/plugin/jwt-auth.t | 6 +++--- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 647d1f9cf988..62d49f0ee8a2 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -110,13 +110,6 @@ function _M.check_schema(conf, schema_type) conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end - if conf.algorithm == "RS256" then - if not conf.public_key or not conf.private_key then - return false, "when using RS256 algorithm, " - .."the parameter 'public_key' and 'private_key' is both required." - end - end - if not conf.exp then conf.exp = 60 * 60 * 24 end diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 600f80bd622d..af051e18eb87 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -954,7 +954,7 @@ passed -=== TEST 42: sign +=== TEST 42: sign failed --- request GET /apisix/plugin/jwt/sign?key=user-key-rs256 --- error_code: 500 @@ -988,7 +988,7 @@ qr/{"algorithm":"HS512","secret":"[a-zA-Z0-9+\\\/]+={0,2}","key":"123","exp":864 -=== TEST 44: add consumer with username and plugins use HS256 algorithm +=== TEST 44: add consumer with username and plugins use HS512 algorithm --- config location /t { content_by_lua_block { @@ -1035,7 +1035,7 @@ passed -=== TEST 45: JWT sign and verify use HS256 algorithm +=== TEST 45: JWT sign and verify use HS512 algorithm --- config location /t { content_by_lua_block { From 8cd9c1bfc19c0dd08a633f2f7be28c3e919326f4 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Thu, 5 Nov 2020 12:46:24 +0800 Subject: [PATCH 6/8] resolve conversation --- apisix/plugins/jwt-auth.lua | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 62d49f0ee8a2..0e9154745c70 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -194,10 +194,12 @@ function _M.rewrite(conf, ctx) local auth_secret = get_secret(consumer.auth_conf) jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) end - if consumer.auth_conf.algorithm and consumer.auth_conf.algorithm == "RS256" then + + if consumer.auth_conf.algorithm == "RS256" then jwt_obj = jwt:verify_jwt_obj(consumer.auth_conf.public_key, jwt_obj) end core.log.info("jwt object: ", core.json.delay_encode(jwt_obj)) + if not jwt_obj.verified then return 401, {message = jwt_obj.reason} end @@ -229,20 +231,22 @@ end local function sign_jwt_with_RS256(key, auth_conf) - local ok, jwt_token = pcall(jwt.sign, _M, auth_conf.private_key, + local ok, jwt_token = pcall(jwt.sign, _M, + auth_conf.private_key, { - header = { - typ = "JWT", - alg = auth_conf.algorithm, - x5c={ - auth_conf.public_key, + header = { + typ = "JWT", + alg = auth_conf.algorithm, + x5c={ + auth_conf.public_key, + } + }, + payload = { + key = key, + exp = ngx_time() + auth_conf.exp + } } - }, - payload = { - key = key, - exp = ngx_time() + auth_conf.exp - } - }) + ) if not ok then core.log.warn("failed to sign jwt, " .. "check the private key and public key of the consumer to whom the key belongs.") From d7c49943b803e5e21e2f6bfa9e7b443b29c5365f Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Thu, 5 Nov 2020 22:47:03 +0800 Subject: [PATCH 7/8] resolve conversation --- apisix/plugins/jwt-auth.lua | 134 +++++++++++++++++++----------------- 1 file changed, 72 insertions(+), 62 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0e9154745c70..8c189897e6d5 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -110,6 +110,15 @@ function _M.check_schema(conf, schema_type) conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end + if conf.algorithm == "RS256" then + if not conf.public_key then + return false, "missing valid public key" + end + if not conf.private_key then + return false, "missing valid private key" + end + end + if not conf.exp then conf.exp = 60 * 60 * 24 end @@ -154,6 +163,64 @@ local function get_secret(conf) end +local function sign_jwt_with_HS(key, auth_conf) + local auth_secret = get_secret(auth_conf) + local ok, jwt_token = pcall(jwt.sign, _M, + auth_secret, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm + }, + payload = { + key = key, + exp = ngx_time() + auth_conf.exp + } + } + ) + if not ok then + core.log.warn("failed to sign jwt, err: ", jwt_token.reason) + core.response.exit(500, "failed to sign jwt") + end + return jwt_token +end + + +local function sign_jwt_with_RS256(key, auth_conf) + local ok, jwt_token = pcall(jwt.sign, _M, + auth_conf.private_key, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm, + x5c = { + auth_conf.public_key, + } + }, + payload = { + key = key, + exp = ngx_time() + auth_conf.exp + } + } + ) + if not ok then + core.log.warn("failed to sign jwt, err: ", jwt_token.reason) + core.response.exit(500, "failed to sign jwt") + end + return jwt_token +end + + +local function algorithm_handler(consumer) + if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" + or consumer.auth_conf.algorithm == "HS512" then + return sign_jwt_with_HS, get_secret(consumer.auth_conf) + elseif consumer.auth_conf.algorithm == "RS256" then + return sign_jwt_with_RS256, consumer.auth_conf.public_key + end +end + + function _M.rewrite(conf, ctx) local jwt_token, err = fetch_jwt_token(ctx) if not jwt_token then @@ -189,15 +256,8 @@ function _M.rewrite(conf, ctx) end core.log.info("consumer: ", core.json.delay_encode(consumer)) - if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" - or consumer.auth_conf.algorithm == "HS512" then - local auth_secret = get_secret(consumer.auth_conf) - jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) - end - - if consumer.auth_conf.algorithm == "RS256" then - jwt_obj = jwt:verify_jwt_obj(consumer.auth_conf.public_key, jwt_obj) - end + local _, auth_secret = algorithm_handler(consumer) + jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) core.log.info("jwt object: ", core.json.delay_encode(jwt_obj)) if not jwt_obj.verified then @@ -211,51 +271,6 @@ function _M.rewrite(conf, ctx) end -local function sign_jwt_with_HS(key, auth_conf) - local auth_secret = get_secret(auth_conf) - local jwt_token = jwt:sign( - auth_secret, - { - header = { - typ = "JWT", - alg = auth_conf.algorithm - }, - payload = { - key = key, - exp = ngx_time() + auth_conf.exp - } - } - ) - return jwt_token -end - - -local function sign_jwt_with_RS256(key, auth_conf) - local ok, jwt_token = pcall(jwt.sign, _M, - auth_conf.private_key, - { - header = { - typ = "JWT", - alg = auth_conf.algorithm, - x5c={ - auth_conf.public_key, - } - }, - payload = { - key = key, - exp = ngx_time() + auth_conf.exp - } - } - ) - if not ok then - core.log.warn("failed to sign jwt, " .. - "check the private key and public key of the consumer to whom the key belongs.") - core.response.exit(500, "failed to sign jwt") - end - return jwt_token -end - - local function gen_token() local args = ngx.req.get_uri_args() if not args or not args.key then @@ -280,14 +295,9 @@ local function gen_token() core.log.info("consumer: ", core.json.delay_encode(consumer)) - if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" - or consumer.auth_conf.algorithm == "HS512" then - local jwt_token = sign_jwt_with_HS(key,consumer.auth_conf) - core.response.exit(200, jwt_token) - end - - if consumer.auth_conf.algorithm == "RS256" then - local jwt_token = sign_jwt_with_RS256(key,consumer.auth_conf) + local sign_handler, _ = algorithm_handler(consumer) + local jwt_token = sign_handler(key, consumer.auth_conf) + if jwt_token then core.response.exit(200, jwt_token) end From 4b775c07e97e5ddc0e1c53c6ab6f14664cb63f91 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Fri, 6 Nov 2020 09:12:39 +0800 Subject: [PATCH 8/8] resolve conversation --- apisix/plugins/jwt-auth.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 8c189897e6d5..720462dbdcfa 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -298,7 +298,7 @@ local function gen_token() local sign_handler, _ = algorithm_handler(consumer) local jwt_token = sign_handler(key, consumer.auth_conf) if jwt_token then - core.response.exit(200, jwt_token) + return core.response.exit(200, jwt_token) end return core.response.exit(404)