diff --git a/apps/emqx_auth/test/data/bad_public_key_file.pem b/apps/emqx_auth/test/data/bad_public_key_file.pem
new file mode 100644
index 000000000..526dbf577
--- /dev/null
+++ b/apps/emqx_auth/test/data/bad_public_key_file.pem
@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+-----END PUBLIC KEY-----
diff --git a/apps/emqx_auth_jwt/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_authn_jwt_SUITE.erl
index 8bf0cc68a..48b6d3887 100644
--- a/apps/emqx_auth_jwt/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_authn_jwt_SUITE.erl
@@ -178,6 +178,7 @@ t_public_key(_) ->
 from => password,
 acl_claim_name => <<"acl">>,
 use_jwks => false,
+ enable => true,
 algorithm => 'public-key',
 public_key => PublicKey,
 verify_claims => [],
@@ -199,6 +200,51 @@ t_public_key(_) ->
 ?assertEqual(ok, emqx_authn_jwt:destroy(State)),
 ok.
 
+t_bad_public_keys(_) ->
+ BaseConfig = #{
+ mechanism => jwt,
+ from => password,
+ acl_claim_name => <<"acl">>,
+ use_jwks => false,
+ algorithm => 'public-key',
+ verify_claims => [],
+ disconnect_after_expire => false
+ },
+
+ %% try create with invalid public key
+ ?assertMatch(
+ {error, invalid_public_key},
+ emqx_authn_jwt:create(?AUTHN_ID, BaseConfig#{
+ enable => true,
+ public_key => <<"bad_public_key">>
+ })
+ ),
+
+ %% no such file
+ ?assertMatch(
+ {error, invalid_public_key},
+ emqx_authn_jwt:create(?AUTHN_ID, BaseConfig#{
+ enable => true,
+ public_key => data_file("bad_flie_path.pem")
+ })
+ ),
+
+ %% bad public key file content
+ ?assertMatch(
+ {error, invalid_public_key},
+ emqx_authn_jwt:create(?AUTHN_ID, BaseConfig#{
+ enable => true,
+ public_key => data_file("bad_public_key_file.pem")
+ })
+ ),
+
+ %% assume jwk authenticator is disabled
+ {ok, State} =
+ emqx_authn_jwt:create(?AUTHN_ID, BaseConfig#{public_key => <<"bad_public_key">>}),
+
+ ?assertEqual(ok, emqx_authn_jwt:destroy(State)),
+ ok.
+
 t_jwt_in_username(_) ->
 Secret = <<"abcdef">>,
 Config = #{
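Review bot: In `t_bad_public_keys`, the "no such file" and "bad public key file content" cases both expect `{error, invalid_public_key}`, so the third case still passes if `data_file("bad_public_key_file.pem")` does not resolve to the new fixture. That fixture is added under `apps/emqx_auth/test/data/` while this suite lives in `apps/emqx_auth_jwt/test/`, and `data_file/1` is defined outside the hunk, so the resolution cannot be confirmed from here. I would add `?assert(filelib:is_regular(data_file("bad_public_key_file.pem"))),` before that case so it demonstrably exercises PEM parsing rather than the missing-file path. The final case omits `enable` and appears to rely on that being treated as disabled; writing `enable => false` explicitly and changing the comment to `%% a disabled JWT authenticator is created without validating the key` would state the intent. Since an invalid key is accepted while disabled, a follow-up case checking that the authenticator cannot later be enabled with that key still in place would close the gap.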