
mendersoftware / deviceauth / 1029905495

09 Oct 2023 04:24AM UTC coverage: 83.929% (-3.9%) from 87.856%
1029905495

Pull #674

gitlab-ci

tranchitella
feat: support for ED25519 server keys for signing the JWT tokens

Ticket: MEN-6775
Changelog: Title

Signed-off-by: Fabio Tranchitella <fabio.tranchitella@northern.tech>
Pull Request #674: feat: support for ED25519 server keys for signing the JWT tokens

139 of 148 new or added lines in 4 files covered. (93.92%)

88 existing lines in 3 files now uncovered.

4721 of 5625 relevant lines covered (83.93%)

46.83 hits per line

Source File

94.0
/jwt/jwt_rsa.go
1
// Copyright 2023 Northern.tech AS
2
//
3
//        Licensed under the Apache License, Version 2.0 (the "License");
4
//        you may not use this file except in compliance with the License.
5
//        You may obtain a copy of the License at
6
//
7
//            http://www.apache.org/licenses/LICENSE-2.0
8
//
9
//        Unless required by applicable law or agreed to in writing, software
10
//        distributed under the License is distributed on an "AS IS" BASIS,
11
//        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
//        See the License for the specific language governing permissions and
13
//        limitations under the License.
14
package jwt
15

16
import (
17
        "crypto/rsa"
18

19
        "github.com/golang-jwt/jwt/v4"
20
        "github.com/pkg/errors"
21
)
22

23
// JWTHandlerRS256 is the JWTHandler implementation backed by RSA keys.
//
// NOTE(review): both fields are full private keys, although Validate only
// reads their public halves; the fallback key in particular could be held as
// a public key if nothing else needs to sign with it - confirm with callers.
type JWTHandlerRS256 struct {
	// privKey signs new tokens in ToJWT and is the first key tried by
	// Validate.
	privKey *rsa.PrivateKey

	// fallbackPrivKey is never used for signing; Validate tries it after
	// privKey. Validate skips it when it is nil.
	fallbackPrivKey *rsa.PrivateKey
}
28

29
// NewJWTHandlerRS256 returns a handler that signs with privKey and verifies
// with privKey first, then fallbackPrivKey. Neither argument is checked here;
// Validate skips whichever of the two is nil.
func NewJWTHandlerRS256(privKey *rsa.PrivateKey, fallbackPrivKey *rsa.PrivateKey) *JWTHandlerRS256 {
	h := new(JWTHandlerRS256)
	h.privKey = privKey
	h.fallbackPrivKey = fallbackPrivKey
	return h
}
35

36
// ToJWT serializes token's claims into a JWT signed with RS256 using the
// handler's primary private key; the fallback key is never used for signing.
// It returns the signed string together with whatever error the signing call
// reports.
//
// NOTE(review): token is dereferenced without a nil check, and j.privKey is
// passed to the signer as-is - callers are presumably expected to supply both.
func (j *JWTHandlerRS256) ToJWT(token *Token) (string, error) {
	unsigned := jwt.NewWithClaims(jwt.SigningMethodRS256, &token.Claims)
	return unsigned.SignedString(j.privKey)
}
44

45
// FromJWT decodes tokstr into a Token without checking its signature.
//
// SECURITY: the string is parsed with ParseUnverified, so the returned claims
// are whatever the token's sender wrote. Nothing here proves the token was
// issued by this service; run Validate on the same string before acting on
// any claim.
//
// It returns ErrTokenInvalid when the string cannot be parsed or when the
// decoded claims are not of type *Claims.
func (j *JWTHandlerRS256) FromJWT(tokstr string) (*Token, error) {
	parsed, _, err := jwt.NewParser(jwt.WithoutClaimsValidation()).
		ParseUnverified(tokstr, &Claims{})
	if err != nil {
		return nil, ErrTokenInvalid
	}

	claims, ok := parsed.Claims.(*Claims)
	if !ok {
		return nil, ErrTokenInvalid
	}

	return &Token{Claims: *claims}, nil
}
58

59
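// Validate checks the signature and claims of tokstr against the configured
// keys: privKey first, then fallbackPrivKey. Nil keys are skipped and the
// loop stops at the first key that yields a token without an error.
//
// It returns nil only when a key verified the token. ErrTokenInvalid is
// returned when the parsed token is not valid, and also when no key is
// configured at all. Any other parser error is returned as-is, or as its
// Inner error when it is a *jwt.ValidationError that carries one.
func (j *JWTHandlerRS256) Validate(tokstr string) error {
	var (
		err      error
		jwttoken *jwt.Token
	)
	for _, privKey := range []*rsa.PrivateKey{j.privKey, j.fallbackPrivKey} {
		if privKey == nil {
			continue
		}
		jwttoken, err = jwt.ParseWithClaims(tokstr, &Claims{},
			func(token *jwt.Token) (interface{}, error) {
				// Reject tokens whose header names a non-RSA method
				// before handing out the RSA public key.
				// NOTE(review): this accepts every *jwt.SigningMethodRSA
				// (RS256, RS384, RS512) while ToJWT only issues RS256;
				// consider comparing token.Method.Alg() against
				// jwt.SigningMethodRS256.Alg() to pin the algorithm.
				if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
					return nil, errors.New("unexpected signing method: " + token.Method.Alg())
				}
				return &privKey.PublicKey, nil
			},
		)
		if jwttoken != nil && err == nil {
			break
		}
	}

	// Fail closed: if both keys are nil the loop never parsed anything, so
	// jwttoken and err are both nil. Without this guard the function would
	// fall through to "return nil" and accept any string as a valid token.
	if jwttoken == nil && err == nil {
		return ErrTokenInvalid
	}

	// The validity check comes first, so the error unwrapping below only
	// runs when the parser returned no token object (or a token marked
	// valid together with an error).
	if jwttoken != nil && !jwttoken.Valid {
		return ErrTokenInvalid
	}

	if err != nil {
		// our Claims return Mender-specific validation errors
		// go-jwt will wrap them in a generic ValidationError - unwrap and
		// return directly.
		// A separate variable is used for the assertion result: shadowing
		// err here would turn a failed assertion into a typed-nil
		// *jwt.ValidationError and discard the original error.
		if vErr, ok := err.(*jwt.ValidationError); ok && vErr.Inner != nil {
			return vErr.Inner
		}
		return err
	}

	return nil
}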