matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Add equality claim validator

Browse Source
This commit is contained in:
Kévin Commaille
2022-11-28 11:39:38 +01:00
committed by Quentin Gliech
parent db25574a96
commit a2a3b3954e
7 changed files with 82 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
crates/jose/src/claims.rs
View File

@ -293,6 +293,38 @@ impl<'a> Validator<String> for TokenHash<'a> {
}
}
#[derive(Debug, Clone)]
pub struct Equality<'a, T: ?Sized> {
value: &'a T,
}
impl<'a, T: ?Sized> Equality<'a, T> {
/// Creates a new `Equality` validator for the given value.
#[must_use]
pub fn new(value: &'a T) -> Self {
Self { value }
}
}
impl<'a, T1, T2: ?Sized> Validator<T1> for Equality<'a, T2>
where
T2: PartialEq<T1>,
{
fn validate(&self, value: &T1) -> Result<(), anyhow::Error> {
if *self.value == *value {
Ok(())
} else {
Err(anyhow::anyhow!("values don't match"))
}
}
}
impl<'a, T: ?Sized> From<&'a T> for Equality<'a, T> {
fn from(value: &'a T) -> Self {
Self::new(value)
}
}
#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq)]
#[serde(transparent)]
pub struct Timestamp(#[serde(with = "chrono::serde::ts_seconds")] chrono::DateTime<chrono::Utc>);
@ -349,9 +381,9 @@ impl<T> From<T> for OneOrMany<T> {
/// Claims defined in RFC7519 sec. 4.1
/// <https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1>
mod rfc7519 {
use super::{Claim, OneOrMany, TimeNotAfter, TimeNotBefore, Timestamp};
use super::{Claim, Equality, OneOrMany, TimeNotAfter, TimeNotBefore, Timestamp};
pub const ISS: Claim<String> = Claim::new("iss");
pub const ISS: Claim<String, Equality<str>> = Claim::new("iss");
pub const SUB: Claim<String> = Claim::new("sub");
pub const AUD: Claim<OneOrMany<String>> = Claim::new("aud");
pub const NBF: Claim<Timestamp, TimeNotBefore> = Claim::new("nbf");
@ -366,10 +398,10 @@ mod rfc7519 {
mod oidc_core {
use url::Url;
use super::{Claim, Timestamp, TokenHash};
use super::{Claim, Equality, Timestamp, TokenHash};
pub const AUTH_TIME: Claim<Timestamp> = Claim::new("auth_time");
pub const NONCE: Claim<String> = Claim::new("nonce");
pub const NONCE: Claim<String, Equality<str>> = Claim::new("nonce");
pub const AT_HASH: Claim<String, TokenHash> = Claim::new("at_hash");
pub const C_HASH: Claim<String, TokenHash> = Claim::new("c_hash");
@ -466,7 +498,9 @@ mod tests {
});
let mut claims = serde_json::from_value(claims).unwrap();
let iss = ISS.extract_required(&mut claims).unwrap();
let iss = ISS
.extract_required_with_options(&mut claims, "https://foo.com")
.unwrap();
let sub = SUB.extract_optional(&mut claims).unwrap();
let aud = AUD.extract_optional(&mut claims).unwrap();
let nbf = NBF
@ -617,7 +651,7 @@ mod tests {
let mut claims = serde_json::from_value(claims).unwrap();
assert!(matches!(
ISS.extract_required(&mut claims),
ISS.extract_required_with_options(&mut claims, "https://foo.com"),
Err(ClaimError::InvalidClaim("iss"))
));
assert!(matches!(
@ -652,7 +686,7 @@ mod tests {
let mut claims = HashMap::new();
assert!(matches!(
ISS.extract_required(&mut claims),
ISS.extract_required_with_options(&mut claims, "https://foo.com"),
Err(ClaimError::MissingClaim("iss"))
));
assert!(matches!(
@ -664,8 +698,28 @@ mod tests {
Err(ClaimError::MissingClaim("aud"))
));
assert!(matches!(ISS.extract_optional(&mut claims), Ok(None)));
assert!(matches!(
ISS.extract_optional_with_options(&mut claims, "https://foo.com"),
Ok(None)
));
assert!(matches!(SUB.extract_optional(&mut claims), Ok(None)));
assert!(matches!(AUD.extract_optional(&mut claims), Ok(None)));
}
#[test]
fn string_eq_validation() {
let claims = serde_json::json!({
"iss": "https://foo.com",
});
let mut claims: HashMap<String, serde_json::Value> =
serde_json::from_value(claims).unwrap();
ISS.extract_required_with_options(&mut claims.clone(), "https://foo.com")
.unwrap();
assert!(matches!(
ISS.extract_required_with_options(&mut claims, "https://bar.com"),
Err(ClaimError::ValidationError { claim: "iss", .. }),
));
}
}

8
crates/oidc-client/src/error.rs
View File

@ -335,10 +335,6 @@ where
/// All possible errors when exchanging a code for an access token.
#[derive(Debug, Error)]
pub enum TokenAuthorizationCodeError {
/// The nonce doesn't match the one that was sent.
#[error("wrong nonce")]
WrongNonce,
/// An error occurred requesting the access token.
#[error(transparent)]
Token(#[from] TokenRequestError),
@ -606,10 +602,6 @@ pub enum JwtVerificationError {
#[error(transparent)]
Claim(#[from] ClaimError),
/// The issuer is not the one that sent the JWT.
#[error("wrong issuer claim")]
WrongIssuer,
/// The audience of the JWT is not this client.
#[error("wrong aud claim")]
WrongAudience,

7
crates/oidc-client/src/requests/authorization_code.rs
View File

@ -444,12 +444,9 @@ pub async fn access_token_with_authorization_code(
.map_err(IdTokenError::from)?;
// Nonce must match.
let token_nonce = claims::NONCE
.extract_required(&mut claims)
claims::NONCE
.extract_required_with_options(&mut claims, validation_data.nonce.as_str())
.map_err(IdTokenError::from)?;
if token_nonce != validation_data.nonce {
return Err(TokenAuthorizationCodeError::WrongNonce);
}
Some(id_token.into_owned())
} else {

5
crates/oidc-client/src/requests/jose.rs
View File

@ -127,10 +127,7 @@ pub fn verify_signed_jwt<'a>(
let (header, mut claims) = jwt.clone().into_parts();
// Must have the proper issuer.
let iss = claims::ISS.extract_required(&mut claims)?;
if iss != issuer.as_str() {
return Err(JwtVerificationError::WrongIssuer);
}
claims::ISS.extract_required_with_options(&mut claims, issuer.as_str())?;
// Must have the proper audience.
let aud = claims::AUD.extract_required(&mut claims)?;

10
crates/oidc-client/tests/it/requests/authorization_code.rs
View File

@ -22,7 +22,7 @@ use chrono::Duration;
use mas_iana::oauth::{
OAuthAccessTokenType, OAuthClientAuthenticationMethod, PkceCodeChallengeMethod,
};
use mas_jose::jwk::PublicJsonWebKeySet;
use mas_jose::{claims::ClaimError, jwk::PublicJsonWebKeySet};
use mas_oidc_client::{
error::{
AuthorizationError, IdTokenError, PushedAuthorizationError, TokenAuthorizationCodeError,
@ -358,7 +358,13 @@ async fn fail_access_token_with_authorization_code_wrong_nonce() {
.await
.unwrap_err();
assert_matches!(error, TokenAuthorizationCodeError::WrongNonce);
assert_matches!(
error,
TokenAuthorizationCodeError::IdToken(IdTokenError::Claim(ClaimError::ValidationError {
claim: "nonce",
..
}))
);
}
#[tokio::test]

10
crates/oidc-client/tests/it/requests/jose.rs
View File

@ -18,7 +18,7 @@ use assert_matches::assert_matches;
use chrono::{DateTime, Duration, Utc};
use mas_iana::jose::JsonWebSignatureAlg;
use mas_jose::{
claims,
claims::{self, ClaimError},
constraints::Constrainable,
jwk::PublicJsonWebKeySet,
jwt::{JsonWebSignatureHeader, Jwt},
@ -128,7 +128,13 @@ async fn fail_verify_id_token_wrong_issuer() {
let error = verify_id_token(id_token.as_str(), verification_data, None, now).unwrap_err();
assert_matches!(error, IdTokenError::Jwt(JwtVerificationError::WrongIssuer));
assert_matches!(
error,
IdTokenError::Jwt(JwtVerificationError::Claim(ClaimError::ValidationError {
claim: "iss",
..
}))
);
}
#[tokio::test]

5
crates/oidc-client/tests/it/types/client_credentials.rs
View File

@ -467,10 +467,7 @@ fn verify_client_jwt(
claims: &mut HashMap<String, Value>,
token_endpoint: &String,
) -> Result<(), BoxError> {
let iss = claims::ISS.extract_required(claims)?;
if iss != CLIENT_ID {
return Err("Wrong iss".into());
}
claims::ISS.extract_required_with_options(claims, CLIENT_ID)?;
let sub = claims::SUB.extract_required(claims)?;
if sub != CLIENT_ID {