Merge pull request #230 from ray66rus/ray66rus/issue-229-pass-decrypt…

…ed-token-to-jwt-javascript-backend

Add option for sending decrypted claims to JWT Javascript backend

README.md

@@ -880,22 +880,27 @@ The `jwt` backend is for auth with a JWT remote API, a local DB, a JavaScript VM
 
 The following `auth_opt_` options are supported by the `jwt` backend when remote is set to true:
 
-| Option | default | Mandatory | Meaning |
-| ----------------- | --------- | :-------: | ---------------------------------- |
-| jwt_host | | Y | API server host name or ip |
-| jwt_port | | Y | TCP port number |
-| jwt_getuser_uri | | Y | URI for check username/password |
-| jwt_superuser_uri | | N | URI for check superuser |
-| jwt_aclcheck_uri | | Y | URI for check acl |
-| jwt_with_tls | false | N | Use TLS on connect |
-| jwt_verify_peer | false | N | Whether to verify peer for tls |
-| jwt_response_mode | status | N | Response type (status, json, text) |
-| jwt_params_mode | json | N | Data type (json, form) |
-| jwt_user_agent | mosquitto | N | User agent for requests |
-| jwt_http_method | POST | N | Http method used (POST, GET, PUT) |
+| Option | default | Mandatory | Meaning |
+| ------------------ | --------- | :-------: | ------------------------------------------------------------- |
+| jwt_host | | Y/N | API server host name or ip |
+| jwt_port | | Y | TCP port number |
+| jwt_getuser_uri | | Y | URI for check username/password |
+| jwt_superuser_uri | | N | URI for check superuser |
+| jwt_aclcheck_uri | | Y | URI for check acl |
+| jwt_with_tls | false | N | Use TLS on connect |
+| jwt_verify_peer | false | N | Whether to verify peer for tls |
+| jwt_response_mode | status | N | Response type (status, json, text) |
+| jwt_params_mode | json | N | Data type (json, form) |
+| jwt_user_agent | mosquitto | N | User agent for requests |
+| jwt_http_method | POST | N | Http method used (POST, GET, PUT) |
+| jwt_host_whitelist | | Y/N | List of hosts that are eligible to be an authoritative server |
 
 URIs (like jwt_getuser_uri) are expected to be in the form `/path`. For example, if jwt_with_tls is `false`, jwt_host is `localhost`, jwt_port `3000` and jwt_getuser_uri is `/user`, mosquitto will send a http request to `http:https://localhost:3000/user` to get a response to check against. How data is sent (either json encoded or as form values) and received (as a simple http status code, a json encoded response or plain text), is given by options jwt_response_mode and jwt_params_mode.
 
+if the option `jwt_parse_token` is set to `true`, `jwt_host` can be omitted and the host will be taken from the `Issuer` (`iss` field) claim of the JWT token. In this case the option `jwt_host_whitelist` is mandatory and must contain
+either a comma-separated list of the valid hostnames/ip addresses (with or without `:<port>` part) or the `*` (asterisk) symbol. If the `Issuer` claim is not contained in this list of valid hosts, the authorization will fail. Special
+value `*` means "any host" and is intended for testing/development purposes only - NEVER use this in production!
+
 If the option `jwt_superuser_uri` is not set then `superuser` checks are disabled for this mode.
 
 For all URIs, the backend will send a request with the `Authorization` header set to `Bearer token`, where token should be a correct JWT token and corresponds to the `username` received from Mosquitto.
@@ -1488,13 +1493,16 @@ The `javascript` backend allows to run a JavaScript interpreter VM to conduct ch
 | js_user_script_path | | Y | Relative or absolute path to user check script |
 | js_superuser_script_path | | Y | Relative or absolute path to superuser check script |
 | js_acl_script_path | | Y | Relative or absolute path to ACL check script |
+| js_pass_claims | false | N | Pass all claims extracted from the token to check scripts |
 
 This backend expects the user to define JS scripts that return a boolean result to the check in question.
 
 The backend will pass `mosquitto` provided arguments along, that is:
 - `username`, `password` and `clientid` for `user` checks.
 - `username` for `superuser` checks.
 - `username`, `topic`, `clientid` and `acc` for `ACL` checks.
+If `js_pass_claims` option is set, an additional argument `claims` containing the claims data extracted
+from the JWT token is passed to all checks.
 
 
 This is a valid, albeit pretty useless, example script for ACL checks (see `test-files/jwt` dir for test scripts):

backends/jwt.go

@@ -17,7 +17,7 @@ type tokenOptions struct {
  skipUserExpiration bool
  skipACLExpiration bool
  secret string
- userField  string
+ userFieldKey string
 }
 
 type jwtChecker interface {
@@ -27,19 +27,14 @@ type jwtChecker interface {
  Halt()
 }
 
-// Claims defines the struct containing the token claims.
-// StandardClaim's Subject field should contain the username, unless an opt is set to support Username field.
-type Claims struct {
- jwtGo.StandardClaims
- // If set, Username defines the identity of the user.
- Username string `json:"username"`
-}
-
 const (
- remoteMode = "remote"
- localMode = "local"
- jsMode = "js"
- filesMode = "files"
+ remoteMode = "remote"
+ localMode = "local"
+ jsMode = "js"
+ filesMode = "files"
+ claimsSubjectKey = "sub"
+ claimsUsernameKey = "username"
+ claimsIssKey = "iss"
 )
 
 func NewJWT(authOpts map[string]string, logLevel log.Level, hasher hashing.HashComparer, version string) (*JWT, error) {
@@ -69,9 +64,9 @@ func NewJWT(authOpts map[string]string, logLevel log.Level, hasher hashing.HashC
  }
 
  if userField, ok := authOpts["jwt_userfield"]; ok && userField == "Username" {
- options.userField = userField
+ options.userFieldKey = claimsUsernameKey
  } else {
- options.userField = "Subject"
+ options.userFieldKey = claimsSubjectKey
  }
 
  switch authOpts["jwt_mode"] {
@@ -125,9 +120,9 @@ func (o *JWT) Halt() {
  o.checker.Halt()
 }
 
-func getJWTClaims(secret string, tokenStr string, skipExpiration bool) (*Claims, error) {
+func getJWTClaims(secret string, tokenStr string, skipExpiration bool) (*jwtGo.MapClaims, error) {
 
- jwtToken, err := jwtGo.ParseWithClaims(tokenStr, &Claims{}, func(token *jwtGo.Token) (interface{}, error) {
+ jwtToken, err := jwtGo.ParseWithClaims(tokenStr, &jwtGo.MapClaims{}, func(token *jwtGo.Token) (interface{}, error) {
  return []byte(secret), nil
  })
 
@@ -147,29 +142,62 @@ func getJWTClaims(secret string, tokenStr string, skipExpiration bool) (*Claims,
  return nil, errors.New("jwt invalid token")
  }
 
- claims, ok := jwtToken.Claims.(*Claims)
+ claims, ok := jwtToken.Claims.(*jwtGo.MapClaims)
  if !ok {
- log.Debugf("jwt error: expected *Claims, got %T", jwtToken.Claims)
+ log.Debugf("jwt error: expected *MapClaims, got %T", jwtToken.Claims)
  return nil, errors.New("got strange claims")
  }
 
  return claims, nil
 }
 
-func getUsernameFromClaims(options tokenOptions, claims *Claims) string {
- if options.userField == "Username" {
- return claims.Username
+func getUsernameForToken(options tokenOptions, tokenStr string, skipExpiration bool) (string, error) {
+ claims, err := getJWTClaims(options.secret, tokenStr, skipExpiration)
+
+ if err != nil {
+ return "", err
+ }
+
+ username, found := (*claims)[options.userFieldKey]
+ if !found {
+ return "", nil
+ }
+
+ usernameString, ok := username.(string)
+ if !ok {
+ log.Debugf("jwt error: username expected to be string, got %T", username)
+ return "", errors.New("got strange username")
+ }
+
+ return usernameString, nil
+}
+
+func getClaimsForToken(options tokenOptions, tokenStr string, skipExpiration bool) (map[string]interface{}, error) {
+ claims, err := getJWTClaims(options.secret, tokenStr, skipExpiration)
+ if err != nil {
+ return make(map[string]interface{}), err
  }
 
- return claims.Subject
+ return map[string]interface{}(*claims), nil
 }
 
-func getUsernameForToken(options tokenOptions, tokenStr string, skipExpiration bool) (string, error) {
+func getIssForToken(options tokenOptions, tokenStr string, skipExpiration bool) (string, error) {
  claims, err := getJWTClaims(options.secret, tokenStr, skipExpiration)
 
  if err != nil {
  return "", err
  }
 
- return getUsernameFromClaims(options, claims), nil
+ iss, found := (*claims)[claimsIssKey]
+ if !found {
+ return "", nil
+ }
+
+ issString, ok := iss.(string)
+ if !ok {
+ log.Debugf("jwt error: iss expected to be string, got %T", iss)
+ return "", errors.New("got strange iss")
+ }
+
+ return issString, nil
 }

backends/jwt_javascript.go

@@ -16,6 +16,8 @@ type jsJWTChecker struct {
  superuserScript string
  aclScript string
 
+ passClaims bool
+
  options tokenOptions
 
  runner *js.Runner
@@ -79,6 +81,10 @@ func NewJsJWTChecker(authOpts map[string]string, options tokenOptions) (jwtCheck
  return nil, errors.New("missing jwt_js_acl_script_path")
  }
 
+ if passClaims, ok := authOpts["jwt_js_pass_claims"]; ok && passClaims == "true" {
+ checker.passClaims = true
+ }
+
  checker.runner = js.NewRunner(checker.stackDepthLimit, checker.msMaxDuration)
 
  return checker, nil
@@ -90,14 +96,10 @@ func (o *jsJWTChecker) GetUser(token string) (bool, error) {
  }
 
  if o.options.parseToken {
- username, err := getUsernameForToken(o.options, token, o.options.skipUserExpiration)
-
- if err != nil {
- log.Printf("jwt get user error: %s", err)
+ var err error
+ if params, err = o.addDataFromJWT(params, token, o.options.skipUserExpiration); err != nil {
  return false, err
  }
-
- params["username"] = username
  }
 
  granted, err := o.runner.RunScript(o.userScript, params)
@@ -108,20 +110,37 @@ func (o *jsJWTChecker) GetUser(token string) (bool, error) {
  return granted, err
 }
 
+func (o *jsJWTChecker) addDataFromJWT(params map[string]interface{}, token string, skipExpiration bool) (map[string]interface{}, error) {
+ claims, err := getClaimsForToken(o.options, token, skipExpiration)
+
+ if err != nil {
+ log.Printf("jwt get claims error: %s", err)
+ return nil, err
+ }
+
+ if o.passClaims {
+ params["claims"] = claims
+ }
+
+ if username, found := claims[o.options.userFieldKey]; found {
+ params["username"] = username.(string)
+ } else {
+ params["username"] = ""
+ }
+
+ return params, nil
+}
+
 func (o *jsJWTChecker) GetSuperuser(token string) (bool, error) {
  params := map[string]interface{}{
  "token": token,
  }
 
  if o.options.parseToken {
- username, err := getUsernameForToken(o.options, token, o.options.skipUserExpiration)
-
- if err != nil {
- log.Printf("jwt get user error: %s", err)
+ var err error
+ if params, err = o.addDataFromJWT(params, token, o.options.skipUserExpiration); err != nil {
  return false, err
  }
-
- params["username"] = username
  }
 
  granted, err := o.runner.RunScript(o.superuserScript, params)
@@ -141,14 +160,10 @@ func (o *jsJWTChecker) CheckAcl(token, topic, clientid string, acc int32) (bool,
  }
 
  if o.options.parseToken {
- username, err := getUsernameForToken(o.options, token, o.options.skipACLExpiration)
-
- if err != nil {
- log.Printf("jwt get user error: %s", err)
+ var err error
+ if params, err = o.addDataFromJWT(params, token, o.options.skipACLExpiration); err != nil {
  return false, err
  }
-
- params["username"] = username
  }
 
  granted, err := o.runner.RunScript(o.aclScript, params)