Fetch and validate based on well known URI

2023-12-30 17:22:22 +01:00 · 2023-12-30 17:22:22 +01:00 · 08de228a3e
commit 08de228a3e
parent 08d7983f5b
4 changed files with 1048 additions and 28 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -0,0 +1,45 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug executable 'jwt-decode-test'",
+            "cargo": {
+                "args": [
+                    "build",
+                    "--bin=jwt-decode-test",
+                    "--package=jwt-decode-test"
+                ],
+                "filter": {
+                    "name": "jwt-decode-test",
+                    "kind": "bin"
+                }
+            },
+            "args": [],
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug unit tests in executable 'jwt-decode-test'",
+            "cargo": {
+                "args": [
+                    "test",
+                    "--no-run",
+                    "--bin=jwt-decode-test",
+                    "--package=jwt-decode-test"
+                ],
+                "filter": {
+                    "name": "jwt-decode-test",
+                    "kind": "bin"
+                }
+            },
+            "args": [],
+            "cwd": "${workspaceFolder}"
+        }
+    ]
+}
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -8,5 +8,6 @@ edition = "2021"
 [dependencies]
 jsonwebtoken = "9.2.0"
 pem = "3.0.3"
+reqwest = {version="0.11.23", features = ["blocking"]}
 serde = {version = "1.0", features = ["derive"] }
 serde_json = "1.0.108"
--- a/src/main.rs
+++ b/src/main.rs
@ -1,5 +1,7 @@
-use jsonwebtoken::{decode, DecodingKey, Validation, Algorithm, errors::Result};
-use serde::{Deserialize};
+use jsonwebtoken::{decode, decode_header, errors::Result, Algorithm, DecodingKey, Validation, TokenData};
+use reqwest;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;

 // Define a struct for the claims you expect in your token
 #[derive(Debug, Deserialize)]
@ -8,37 +10,164 @@ struct MyClaims {
    exp: usize,
    aud: String,
    iss: String,
-    preferred_username: Option<String>
+    preferred_username: Option<String>,
 }

+#[derive(Deserialize)]
+struct AuthorizationWellKnown {
+    issuer: String,
+    jwks_uri: String,
+    authorization_endpoint: String,
+    token_endpoint: String,
+    userinfo_endpoint: String,
+    end_session_endpoint: String,
+    introspection_endpoint: String,
+    revocation_endpoint: String,
+    device_authorization_endpoint: String,
+}

+#[derive(Deserialize)]
+struct JwksContent {
+    kid: String,
+    x5c: Vec<String>,
+}

-fn validate_jwt(token: &str, public_key_pem: String) -> Result<MyClaims> {
-    let mut validation = Validation::new(Algorithm::RS256);
-    validation.set_audience(&["CLaLr8sikEiN7NCrPMhjhbtLZgnZJ6JZVzPdVN5P"]);
-    validation.set_issuer(&["https://sso.gitgals.com/application/o/sebtest/"]);
+#[derive(Deserialize)]
+struct Jwks {
+    keys: Vec<JwksContent>,
+}

-    let token_data = decode::<MyClaims>(
+struct JwtInfo {
+    jwks_uri: String,
+    audience: Vec<String>,
+    issuer: Vec<String>,
+    public_keys: HashMap<String, String>,
+}
+
+fn validate_jwt(token: &str, jwt_info: &JwtInfo) -> Result<MyClaims> {
+    // Decode the header to give info about the crypto
+    let jwt_header = decode_header(token)?;
+
+    // Create a new validation
+    let mut validation = Validation::new(jwt_header.alg);
+    // Set the expected audience and issuer
+    validation.set_audience(&jwt_info.audience);
+    validation.set_issuer(&jwt_info.issuer);
+
+    // Fetch the JWT kid
+    let kid = jwt_header.kid.unwrap();
+    // Fetch the corresponding public key
+    let public_key_pem = jwt_info.public_keys.get(&kid).unwrap();
+
+    // Decode the JWT token
+    let token_data: TokenData<MyClaims>;
+    match jwt_header.alg {
+        Algorithm::RS256 => {
+            token_data = decode::<MyClaims>(
                token,
                &DecodingKey::from_rsa_pem(public_key_pem.as_bytes()).unwrap(),
                &validation,
                )?;
+        },
+        Algorithm::ES256 => {
+            token_data = decode::<MyClaims>(
+                token,
+                &DecodingKey::from_ec_pem(public_key_pem.as_bytes()).unwrap(),
+                &validation,
+                )?;
+        },
+        _ => {
+            eprintln!("JWT Public key algoritm not handled");
+            return Err(jsonwebtoken::errors::ErrorKind::InvalidAlgorithm.into());
+        }
+    }

    Ok(token_data.claims)
 }

+fn fetch_jwt_certificates(jwt_info: &JwtInfo) -> Option<HashMap<String, String>> {
+    // Fetch the JWKS endpoint
+    let jwks_body = reqwest::blocking::get(&jwt_info.jwks_uri)
+        .unwrap()
+        .text()
+        .unwrap();
+    // Parse the data into the struct
+    let jwks_data: Jwks = serde_json::from_str(&jwks_body).unwrap();
+
+    // Create the output hashmap
+    let mut output_map: HashMap<String, String> = HashMap::new();
+
+    // Go through each pair of keys and add them to the output jwt info
+    for key in jwks_data.keys {
+        // Extract the x5c key data
+        let x5c = key.x5c.get(0).unwrap();
+
+        // Append the PEM info in to the x5c
+        let pem_data = format!(
+            "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----",
+            x5c
+        );
+
+        // Add the resulting key to the hashmap
+        output_map.insert(key.kid, pem_data);
+    }
+
+    // Check that we got any keys
+    if output_map.is_empty() {
+        eprintln!("Failed to fetch any public keys");
+        return None;
+    }
+
+    Some(output_map)
+}
+
+fn fetch_jwt_info(well_known_uri: &str, expected_issuer: Vec<String>) -> Result<JwtInfo> {
+    // Fetch the info from the well known endpoint
+    let well_known_body = reqwest::blocking::get(well_known_uri)
+        .unwrap()
+        .text()
+        .unwrap();
+    // Parse the data into the well known struct
+    let well_known_data: AuthorizationWellKnown = serde_json::from_str(&well_known_body).unwrap();
+
+    // Validate the issuer
+    if !expected_issuer.contains(&well_known_data.issuer) {
+        eprintln!(
+            "Expected issuer does not contain fetched issuer.\n{} ∉ {:?}",
+            well_known_data.issuer, expected_issuer
+        );
+        // TODO: Return Err properly
+        //Err("Invalid issuer");
+    }
+
+    // Create a JwtInfo variable
+    let mut jwt_info: JwtInfo = JwtInfo {
+        jwks_uri: well_known_data.jwks_uri,
+        audience: Vec::new(),
+        issuer: expected_issuer,
+        public_keys: HashMap::new(),
+    };
+
+    // Fetch the valid public keys
+    match fetch_jwt_certificates(&jwt_info) {
+        Some(map) => jwt_info.public_keys = map,
+        None => {
+            // TODO: Return err properly
+        }
+    }
+
+    Ok(jwt_info)
+}
+
 fn main() {
-    let token = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjExOTMxYjliMjVhZjJmNjYyZjQ4NjNkYjAwZTJhMjg5IiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby5naXRnYWxzLmNvbS9hcHBsaWNhdGlvbi9vL3NlYnRlc3QvIiwic3ViIjoiZjJiNzIwOGY2MTcwYWI0NWNlZGM1OGUzMTM0NGNjNGY3MGQzZWRjMjhkYWZkMmJlNDZkNzIxMzM1ZDQxZDk2NCIsImF1ZCI6IkNMYUxyOHNpa0VpTjdOQ3JQTWhqaGJ0TFpnblpKNkpaVnpQZFZONVAiLCJleHAiOjE3MDM5NTgxMTgsImlhdCI6MTcwMzk0MDExOCwiYXV0aF90aW1lIjoxNzAzODU3NzMwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJlbWFpbCI6IiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiSW5zb21uaWEiLCJnaXZlbl9uYW1lIjoiSW5zb21uaWEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbnNvbW5pYS10ZXN0Iiwibmlja25hbWUiOiJpbnNvbW5pYS10ZXN0IiwiZ3JvdXBzIjpbXSwiYXpwIjoiQ0xhTHI4c2lrRWlON05DclBNaGpoYnRMWmduWko2SlpWelBkVk41UCIsInVpZCI6IjFpRnoySmVvV0IyMFlBOWpzcEZSdDJLTUVsQXJhZ0NtRnJwVUJhVE0ifQ.QWW2A4NGE3SGVLZsAYW0mVpopud3Pd-fua2F__0g7BHO7B6IDCSQGM786cOgk4E07Eq2dP8m2xM4O2Ok18ayyek2gYbg4uCHzZv3F1097njPspRfrJZH-MpExobV_6oBtAeAuQKopaSfGIPQE4cWJh32TKZFGHRPEMBz8W7GTPqDZcnzbu8zGHzb7tXhEUybjQFRKWU8jRIu8AiVDC8jyyqzTGJClVVd_gNUHY1vDB86lcJQHhJw2sEY9LjMv3O_ok9nJ-abzb2bJK133C1zWw9whrYOKeYCBNDC37I03m9eMnTi1YPPzi1woak_qC2JFcmCrcCbalrrruHdDwyWtyabH9s_YueZAEGyKZvLSLadx05xEAQ-aUHkKqr6hIYzPBw9vCmfhJ-UouRjFFP9FCxkNKTZ00_QUY-LQoYizTd0jENmjLZCRf8xo4iVmL5RtVwtJNoL8g_Mdpyn9JfKnPrhRQE3SqMVYQbF43XNInmVCP-acrezvOG5nwHZ4lWNgsjhYguhRM4eTx-B7IYx6x2Kqpbnj6Qte19FHfTS7cClGZ0eRpV55mUohSxdvEYGWsB-F_rprV4vxdcmw7kEpk8wtt6Nb4xX-NmTHiFUkKw2sio3wg-u5EziHhTqHZaldSTefnweoBJ1PB439Xww5a-x6xN6mE8DkEcc3xfAuXM";
+    let token = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjVkM2JkMDcxOGQ4ZWM3NWQ3ZDg1MjlmNDQwMzRiYTc1IiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby5naXRnYWxzLmNvbS9hcHBsaWNhdGlvbi9vL3NlYnRlc3QvIiwic3ViIjoiZjJiNzIwOGY2MTcwYWI0NWNlZGM1OGUzMTM0NGNjNGY3MGQzZWRjMjhkYWZkMmJlNDZkNzIxMzM1ZDQxZDk2NCIsImF1ZCI6IkNMYUxyOHNpa0VpTjdOQ3JQTWhqaGJ0TFpnblpKNkpaVnpQZFZONVAiLCJleHAiOjE3MDM5NjUxNjIsImlhdCI6MTcwMzk0NzE2MiwiYXV0aF90aW1lIjoxNzAzODU3NzMwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJlbWFpbCI6IiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiSW5zb21uaWEiLCJnaXZlbl9uYW1lIjoiSW5zb21uaWEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbnNvbW5pYS10ZXN0Iiwibmlja25hbWUiOiJpbnNvbW5pYS10ZXN0IiwiZ3JvdXBzIjpbXSwiYXpwIjoiQ0xhTHI4c2lrRWlON05DclBNaGpoYnRMWmduWko2SlpWelBkVk41UCIsInVpZCI6IkdPQTNRdTBIOW5TUUx4WHJZVXJ4RHUzTTVkVDhmNTZIQ0l5QlhZdnYifQ.AuVjuJXApMq1vPS48gK5htGSv8KzcCQZlerc82adiCNVb789w2lBoiLjbKotHvAPQOLTQ3qWv2yHNPgBE3dhVA";
    let well_known_uri = "https://sso.gitgals.com/application/o/sebtest/.well-known/openid-configuration";

-    // Extract the x5c field from the JWKS
-    let x5c = "MIIFVDCCAzygAwIBAgIRAN2g0n7Cqki0kP4aDM1ON50wDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjMuMTAuNDAeFw0yMzEyMjcxNDEwNDlaFw0yNDEyMjcxNDEwNDlaMFYxKjAoBgNVBAMMIWF1dGhlbnRpayBTZWxmLXNpZ25lZCBDZXJ0aWZpY2F0ZTESMBAGA1UECgwJYXV0aGVudGlrMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM2BP7UtRaTlM/KvE7E2S5GPdV88f/IUqxANoWS+JnWFSpRUXkkCorEUWo7LTrhNaaQni3FIdo2m2ouF9/+NlHj2038l1pNj/FPiZe8EyRbriQe/maKejq02CNW2rmD4cjWMK4h228o8QqeNSFxG11DEku4mN6Kz6X8Mi9iQWwTx0h8cl1Rxo/S6iBK9DZA1005DSkMskXGsN172O1cHZaG55WhmL6lKOcvvKyGwbccrrl9AufBz1SCoFZ/ERN/D5yRwehwjChP1mm3G4jzhiK/8LkmmnnfzNB01WoxZFzL9a+BXjEWWFyfRm+1rwEhrZ9DFqmPKA43XuPeRVijr3pZGUxH45WqSoXDv0luLLi0dTOUvgDETtj5ugVd+0Qi2cZX0W5Sh8ecEK6FwICRVYoRcd5fv4MfUwMlqT9S4+16B0TrEWkc6brfg9V3xGgNFRG3axCd68LAzP7ezPVGheubdNNnA/4HplxsFH8pjoyRiORSiK77IlLQ/MhngpJ9ExW/8xRkbl9o5bSAYTqtPPIOsSciMAlsipSLx+eUE4/VDcfhuaGf7Z2FSHfHvETwFhr+CDfaDHdgNbk2+ZXWWIqFbLxevrbHwj9YMtIuxagGrNTaAx1ZEizf9tZco5JDDsywFGvcL7oaHo4zx579gGGPgoWvHvzLejjg4hJL74vIzAgMBAAGjVTBTMFEGA1UdEQEB/wRHMEWCQ1JNa3diMFFMeDI5eXlManRvT0Zod1NPU1dEQVJhR3NjWmNvMk96NnMuc2VsZi1zaWduZWQuZ29hdXRoZW50aWsuaW8wDQYJKoZIhvcNAQELBQADggIBAKKSS0rA4gjn/g+LvSSoSr8H8PErLYQyHHTP4VfRXvk/o0drM2YJTrH53biHxXL92Ej9SRXKrrGcQlkVrucB79w6WHQUUmIVmm/CvYFbEKk7j2IbfR9CzKMMGzY7jrtf9YFyPPVQK5tIwA8uCaqXBu0zz5KSHTrXZLXXVV/xoikBTf1s5GN9MrnDK442xzf5cRBzQjpsa750MM2o5vEfRf2n9+HOuesAC56EaMiVQFGKELsx9Gmrjgley1X72H/5qgkLZb1o5+m4+9BAM8xSaowxC/DmH5ROryB8ctx7BGVZX4IEwHE9Q1G/6bfIeLr6bU/P+AgSzJv5Qan3e1jzmqB/2rmVxECfLEy5Pxmsa1FZNjleFK+8jj4qSKF+jiEMnmtv6V18EvIj5m4YcOjJpPjfq2saw0u9mP45wFERuEGpb7tWBEVLj+HirrmounCvaMr+m++oxaWaT3ECCwN8Sw5EtfXRZovzbW52Qj3HK0f8ip+EzurnWO+EJt6xBXgR0eRzNKSxPpGpZLuF8KUGLwOubMsDIO/+jRy3se/9jG9b9dz2rjgIxSYgnvSl55vqw0WMp6qoCqnXBB8+50Sn4Znc+/nApExFAgY7T5cE/q17CaryfmF2nkqANkYeCcduZ1qtSPnEsyxTaL9aerxyi9GMpfvriPdhNlwc1cos9CV3";
-
-    // Convert to PEM format
-    let public_key_pem = format!("-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----", x5c);
+    let mut jwt_info = fetch_jwt_info(well_known_uri, vec!("https://sso.gitgals.com/application/o/sebtest/".into())).unwrap();
+    jwt_info.audience = vec!("CLaLr8sikEiN7NCrPMhjhbtLZgnZJ6JZVzPdVN5P".to_string());

    let result: MyClaims;
-    match validate_jwt(token, public_key_pem) {
+    match validate_jwt(token, &jwt_info) {
        Ok(claims) => result = claims,
        Err(err) => panic!("Error validating token: {:?}", err),
    }