feat(jwt): support based encoded secret

zhouzb 2021-06-08 15:56:13 +08:00
parent f297c36929
commit 0c237bf797
1 changed files with 27 additions and 8 deletions


@ -46,28 +46,32 @@
order => 4, order => 4,
type => string type => string
}, },
jwt_certfile => #{ secret_base64_encoded => #{
order => 5, order => 5,
type => file type => boolean
}, },
cacertfile => #{ jwt_certfile => #{
order => 6, order => 6,
type => file type => file
}, },
keyfile => #{ cacertfile => #{
order => 7, order => 7,
type => file type => file
}, },
certfile => #{ keyfile => #{
order => 8, order => 8,
type => file type => file
}, },
verify => #{ certfile => #{
order => 9, order => 9,
type => file
},
verify => #{
order => 10,
type => boolean type => boolean
}, },
server_name_indication => #{ server_name_indication => #{
order => 10, order => 11,
type => string type => string
} }
} }
@ -80,6 +84,7 @@
refresh_interval => [use_jwks], refresh_interval => [use_jwks],
algorithm => [use_jwks], algorithm => [use_jwks],
secret => [algorithm], secret => [algorithm],
secret_base64_encoded => [algorithm],
jwt_certfile => [algorithm], jwt_certfile => [algorithm],
cacertfile => [jwks_endpoint], cacertfile => [jwks_endpoint],
keyfile => [jwks_endpoint], keyfile => [jwks_endpoint],
@ -132,8 +137,15 @@ destroy(#{jwks_connector := Connector}) ->
do_create(#{use_jwks := false, do_create(#{use_jwks := false,
algorithm := 'hmac-based', algorithm := 'hmac-based',
secret := Secret, secret := Secret0,
secret_base64_encoded := Base64Encoded,
verify_claims := VerifyClaims}) -> verify_claims := VerifyClaims}) ->
Secret = case Base64Encoded of
true ->
base64:decode(Secret0);
false ->
Secret0
end,
JWK = jose_jwk:from_oct(Secret), JWK = jose_jwk:from_oct(Secret),
{ok, #{jwk => JWK, {ok, #{jwk => JWK,
jwks_connector => undefined, jwks_connector => undefined,
@ -295,6 +307,9 @@ handle_option(secret = Opt, unbound, #{algorithm := 'hmac-based'}) ->
throw({error, {options, {Opt, unbound}}}); throw({error, {options, {Opt, unbound}}});
handle_option(secret = Opt, Value, #{algorithm := 'hmac-based'} = OptsMap) -> handle_option(secret = Opt, Value, #{algorithm := 'hmac-based'} = OptsMap) ->
OptsMap#{Opt => Value}; OptsMap#{Opt => Value};
handle_option(secret_base64_encoded = Opt, Value0, #{algorithm := 'hmac-based'} = OptsMap) ->
Value = validate_option(Opt, Value0),
OptsMap#{Opt => Value};
handle_option(jwt_certfile = Opt, unbound, #{algorithm := 'public-key'}) -> handle_option(jwt_certfile = Opt, unbound, #{algorithm := 'public-key'}) ->
throw({error, {options, {Opt, unbound}}}); throw({error, {options, {Opt, unbound}}});
handle_option(jwt_certfile = Opt, Value, #{algorithm := 'public-key'} = OptsMap) -> handle_option(jwt_certfile = Opt, Value, #{algorithm := 'public-key'} = OptsMap) ->
@ -330,6 +345,10 @@ validate_option(algorithm, <<"hmac-based">>) ->
'hmac-based'; 'hmac-based';
validate_option(algorithm, <<"public-key">>) -> validate_option(algorithm, <<"public-key">>) ->
'public-key'; 'public-key';
validate_option(secret_base64_encoded, unbound) ->
false;
validate_option(secret_base64_encoded, Value) when is_boolean(Value) ->
Value;
validate_option(verify, unbound) -> validate_option(verify, unbound) ->
verify_none; verify_none;
validate_option(verify, true) -> validate_option(verify, true) ->
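Review bot: `base64:decode(Secret0)` in the `'hmac-based'` clause of `do_create` is unguarded, so a secret flagged as encoded that is not valid standard Base64 raises inside `do_create` instead of producing an option error like the `throw({error, {options, {Opt, unbound}}})` used for `secret` in `handle_option`. Depending on how the caller reports the crash, the exception and stack trace may carry parts of the secret into logs, so the failure is better converted explicitly, e.g. `try base64:decode(Secret0) catch error:_ -> throw({error, {options, {secret, invalid_base64}}}) end`; whether a throw from `do_create` is caught is not visible, since the calling code is outside the hunks. Secrets issued in the URL-safe alphabet (`-`/`_`, no padding) would presumably be rejected by `base64:decode/1` as well, which deserves a sentence in the option's documentation. A check that the decoded key is non-empty and at least as long as the HMAC output (RFC 7518 section 3.2) would also fit at this point. The `do_create` clause continues past the end of its hunk.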