Improve robustness of reading jwt_key option
authorEvgeny Khramtsov <ekhramtsov@process-one.net>
Thu, 18 Jul 2019 19:31:08 +0000 (22:31 +0300)
committerEvgeny Khramtsov <ekhramtsov@process-one.net>
Thu, 18 Jul 2019 19:31:08 +0000 (22:31 +0300)
src/econf.erl
src/ejabberd_auth_jwt.erl
src/ejabberd_option.erl
src/ejabberd_options.erl

index b150056ca767a4a6f51de0aaaf177ad247f247ea..ec127c4e18f7210202ae45aa1456f5249b9f5d2a 100644 (file)
@@ -159,6 +159,8 @@ format_error({bad_pem, Why, Path}) ->
           [Path, pkix:format_error(Why)]);
 format_error({bad_cert, Why, Path}) ->
     format_error({bad_pem, Why, Path});
+format_error({bad_jwt_key, Path}) ->
+    format("No valid JWT key found in file: ~s", [Path]);
 format_error({bad_jid, Bad}) ->
     format("Invalid XMPP address: ~s", [Bad]);
 format_error({bad_user, Bad}) ->
index 7b14835d2906c106209d46ca28566af721372dfa..4d52b11d05557e3e728273f6b8cd2f245521f8ea 100644 (file)
@@ -64,7 +64,7 @@ check_password(User, AuthzId, Server, Token) ->
 %%% Internal functions
 %%%----------------------------------------------------------------------
 check_jwt_token(User, Server, Token) ->
-    JWK = get_jwk(Server),
+    JWK = ejabberd_option:jwt_key(Server),
     try jose_jwt:verify(JWK, Token) of
         {true, {jose_jwt, Fields}, Signature} ->
             ?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
@@ -100,9 +100,6 @@ check_jwt_token(User, Server, Token) ->
             false
     end.
 
-get_jwk(Host) ->
-    jose_jwk:from_binary(ejabberd_option:jwt_key(Host)).
-
 %% TODO: auth0 username is defined in 'jid' field, but we should
 %% allow customizing the name of the field containing the username
 %% to adapt to custom claims.
index 7ba1db170cf41728f43db3ae9d171d7faf48df52..82a03491c1b432c7a501bd020dd04d1e1393a1c7 100644 (file)
@@ -424,10 +424,10 @@ include_config_file() ->
 include_config_file(Host) ->
     ejabberd_config:get_option({include_config_file, Host}).
 
--spec jwt_key() -> binary().
+-spec jwt_key() -> jose_jwk:key().
 jwt_key() ->
     jwt_key(global).
--spec jwt_key(global | binary()) -> binary().
+-spec jwt_key(global | binary()) -> jose_jwk:key().
 jwt_key(Host) ->
     ejabberd_config:get_option({jwt_key, Host}).
 
index cbd36cca666ffeba64a2add42c7a61e821350376..a9b435dfbcb4d806e7256afd9e6090f9bcacfb81 100644 (file)
@@ -399,7 +399,13 @@ opt_type(jwt_key) ->
       econf:file(),
       fun(Path) ->
               case file:read_file(Path) of
-                  {ok, Binary} -> Binary;
+                  {ok, Data} ->
+                     try jose_jwk:from_binary(Data) of
+                         {error, _} -> econf:fail({bad_jwt_key, Path});
+                         Ret -> Ret
+                     catch _:_ ->
+                             econf:fail({bad_jwt_key, Path})
+                     end;
                   {error, Reason} ->
                       econf:fail({read_file, Reason, Path})
               end
@@ -422,7 +428,7 @@ opt_type(jwt_key) ->
                    {shaper, #{atom() => ejabberd_shaper:shaper_rate()}} |
                    {shaper_rules, [{atom(), [ejabberd_shaper:shaper_rule()]}]} |
                    {api_permissions, [ejabberd_access_permissions:permission()]} |
-                   {jwt_key, binary()} |
+                   {jwt_key, jose_jwk:key()} |
                    {append_host_config, [{binary(), any()}]} |
                    {host_config, [{binary(), any()}]} |
                    {define_macro, any()} |
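Review bot: The `catch _:_` clause added to the `opt_type(jwt_key)` validator drops both the exception class and the reason, so a key file that fails to parse only yields "No valid JWT key found in file" with no hint whether the PEM was malformed, the algorithm unsupported or the file empty. Keeping the reason costs one binding, `catch _:Reason -> econf:fail({bad_jwt_key, Reason, Path})`, with the `format_error({bad_jwt_key, Path})` clause added in src/econf.erl widened to the three-tuple so it prints the reason next to the path, matching the existing `{read_file, Reason, Path}` and `{bad_pem, Why, Path}` shapes. The `{error, _} -> econf:fail(...)` branch sits in the `of` section, which the `catch` does not protect, so the failure presumably raised by `econf:fail/1` escapes as intended; a comment such as `%% 'of' clauses are unprotected: econf:fail/1 must escape this try` would keep a later edit from moving it into the try body. The enclosing `opt_type(jwt_key)` clause starts before this hunk.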