Performs a signature verification for the JSON Web Token (JWT) given in input
by using the <alg> algorithm and the <key> parameter, which should either
hold a secret or a path to a public certificate. Returns 1 in case of
- verification success. See below for a full list of the possible return
- values.
+ verification success, 0 in case of verification error and a strictly negative
+ value for any other error. Because of all those non-null error return values,
+ the result of this converter should never be converted to a boolean. See
+ below for a full list of the possible return values.
For now, only JWS tokens using the Compact Serialization format can be
processed (three dot-separated base64-url encoded strings). Among the
+----+----------------------------------------------------------------------+
| ID | message |
+----+----------------------------------------------------------------------+
- | 0 | "Verification failure" |
- | 1 | "Verification sucess" |
- | 2 | "Unknown algorithm (not mentioned in RFC7518)" |
- | 3 | "Unmanaged algorithm (PSXXX algorithm family)" |
- | 4 | "Invalid token" |
- | 5 | "Out of memory" |
- | 6 | "Unknown certificate" |
+ | 0 | "Verification failure" |
+ | 1 | "Verification sucess" |
+ | -1 | "Unknown algorithm (not mentioned in RFC7518)" |
+ | -2 | "Unmanaged algorithm (PSXXX algorithm family)" |
+ | -3 | "Invalid token" |
+ | -4 | "Out of memory" |
+ | -5 | "Unknown certificate" |
+----+----------------------------------------------------------------------+
Please note that this converter is only available when HAProxy has been
enum jwt_vrfy_status {
JWT_VRFY_KO = 0,
JWT_VRFY_OK = 1,
- JWT_VRFY_UNKNOWN_ALG,
- JWT_VRFY_UNMANAGED_ALG,
- JWT_VRFY_INVALID_TOKEN,
- JWT_VRFY_OUT_OF_MEMORY,
- JWT_VRFY_UNKNOWN_CERT
+
+ JWT_VRFY_UNKNOWN_ALG = -1,
+ JWT_VRFY_UNMANAGED_ALG = -2,
+ JWT_VRFY_INVALID_TOKEN = -3,
+ JWT_VRFY_OUT_OF_MEMORY = -4,
+ JWT_VRFY_UNKNOWN_CERT = -5
};
#endif /* USE_OPENSSL */
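Review bot: The enum now encodes a three-way contract (0 = verification failure, 1 = success, strictly negative = processing error) that the documentation hunk spells out in prose, but nothing in jwt-t.h tells the next person adding a status that it must stay negative and must never be treated as a boolean. A comment above `JWT_VRFY_UNKNOWN_ALG = -1` would pin it: `/* Everything below is a processing error, not a verification result. Keep these strictly negative so callers can test status < 0; the value must never be collapsed to a boolean. */`. If any code maps this status to a message string through an array indexed by the enum value (the documentation table pairs each ID with a message, which suggests one may exist), that lookup would now read out of bounds for the negative entries and needs a switch or an offset; I cannot see such a table from this hunk, so please confirm.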
rxresp
expect resp.status == 200
expect resp.http.x-jwt-alg == "HS512"
- expect resp.http.x-jwt-verify-HS512 == "4"
+ expect resp.http.x-jwt-verify-HS512 == "-3"
} -run
expect resp.status == 200
expect resp.http.x-jwt-alg == "PS512"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "3"
+ expect resp.http.x-jwt-verify == "-2"
} -run
# Unknown algorithm
expect resp.status == 200
expect resp.http.x-jwt-alg == "UNKNOWN_ALG"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "2"
+ expect resp.http.x-jwt-verify == "-1"
} -run
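Review bot: The comment directly above the changed expectation still reads `# Unmanaged algorithm`, while this client exercises the unknown-algorithm case (`x-jwt-alg == "UNKNOWN_ALG"`, expected `-1`), so the test now documents itself wrongly; since the line is being touched anyway, `# Unknown algorithm` would match the case. The same stale comment precedes the changed lines in the three "Invalid token" hunks (expected `-3`) and the "Unknown certificate" hunk (expected `-5`), where `# Invalid token` and `# Unknown certificate` respectively would be accurate. This keeps each expected status next to the failure it is meant to catch, which matters now that distinct negative codes separate "could not verify" from "signature did not match".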
# Invalid token (not enough fields)
expect resp.status == 200
expect resp.http.x-jwt-alg == "ES512"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
} -run
# Invalid token (too many fields)
expect resp.status == 200
expect resp.http.x-jwt-alg == "ES512"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
} -run
# Invalid token (empty signature)
expect resp.status == 200
expect resp.http.x-jwt-alg == "ES512"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
} -run
# Unknown certificate
expect resp.status == 200
expect resp.http.x-jwt-alg == "ES512"
# Unmanaged algorithm
- expect resp.http.x-jwt-verify == "6"
+ expect resp.http.x-jwt-verify == "-5"
} -run