From: Remi Tricot-Le Breton Date: Mon, 18 Oct 2021 13:14:49 +0000 (+0200) Subject: MINOR: jwt: jwt_verify returns negative values in case of error X-Git-Tag: v2.5-dev11~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c891bcc90346aa84f8b16bc6fe00fa6c104a4cb;p=thirdparty%2Fhaproxy.git MINOR: jwt: jwt_verify returns negative values in case of error In order for all the error return values to be distributed on the same side (instead of surrounding the success error code), the return values for errors other than a simple verification failure are switched to negative values. This way the result of the jwt_verify converter can be compared strictly to 1 as well relative to 0 (any <= 0 return value is an error). The documentation was also modified to discourage conversion of the return value into a boolean (which would definitely not work). --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 5811dc5c5d..f2612012ac 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16576,8 +16576,10 @@ jwt_verify(,) Performs a signature verification for the JSON Web Token (JWT) given in input by using the algorithm and the parameter, which should either hold a secret or a path to a public certificate. Returns 1 in case of - verification success. See below for a full list of the possible return - values. + verification success, 0 in case of verification error and a strictly negative + value for any other error. Because of all those non-null error return values, + the result of this converter should never be converted to a boolean. See + below for a full list of the possible return values. For now, only JWS tokens using the Compact Serialization format can be processed (three dot-separated base64-url encoded strings). Among the 
@@ -16604,13 +16606,13 @@ jwt_verify(,)
 +----+----------------------------------------------------------------------+
 | ID | message |
 +----+----------------------------------------------------------------------+
- | 0 | "Verification failure" |
- | 1 | "Verification sucess" |
- | 2 | "Unknown algorithm (not mentioned in RFC7518)" |
- | 3 | "Unmanaged algorithm (PSXXX algorithm family)" |
- | 4 | "Invalid token" |
- | 5 | "Out of memory" |
- | 6 | "Unknown certificate" |
+ | 0 | "Verification failure" |
+ | 1 | "Verification sucess" |
+ | -1 | "Unknown algorithm (not mentioned in RFC7518)" |
+ | -2 | "Unmanaged algorithm (PSXXX algorithm family)" |
+ | -3 | "Invalid token" |
+ | -4 | "Out of memory" |
+ | -5 | "Unknown certificate" |
 +----+----------------------------------------------------------------------+
 
 Please note that this converter is only available when HAProxy has been
diff --git a/include/haproxy/jwt-t.h b/include/haproxy/jwt-t.h
index a781b0af0e..e94607eea5 100644
--- a/include/haproxy/jwt-t.h
+++ b/include/haproxy/jwt-t.h
@@ -72,11 +72,12 @@ struct jwt_cert_tree_entry {
 enum jwt_vrfy_status {
 JWT_VRFY_KO = 0,
 JWT_VRFY_OK = 1,
- JWT_VRFY_UNKNOWN_ALG,
- JWT_VRFY_UNMANAGED_ALG,
- JWT_VRFY_INVALID_TOKEN,
- JWT_VRFY_OUT_OF_MEMORY,
- JWT_VRFY_UNKNOWN_CERT
+
+ JWT_VRFY_UNKNOWN_ALG = -1,
+ JWT_VRFY_UNMANAGED_ALG = -2,
+ JWT_VRFY_INVALID_TOKEN = -3,
+ JWT_VRFY_OUT_OF_MEMORY = -4,
+ JWT_VRFY_UNKNOWN_CERT = -5
 };
 
 #endif /* USE_OPENSSL */
diff --git a/reg-tests/jwt/jws_verify.vtc b/reg-tests/jwt/jws_verify.vtc
index 47d5303a4c..129e1b38f1 100644
--- a/reg-tests/jwt/jws_verify.vtc
+++ b/reg-tests/jwt/jws_verify.vtc
@@ -152,7 +152,7 @@ client c4 -connect ${h1_mainfe_sock} {
 rxresp
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "HS512"
- expect resp.http.x-jwt-verify-HS512 == "4"
+ expect resp.http.x-jwt-verify-HS512 == "-3"
 } -run
 
 
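Review bot: The renumbered `enum jwt_vrfy_status` in include/haproxy/jwt-t.h carries a contract that the header itself does not state: these numbers are what the jwt_verify converter hands to configurations (the documentation table and the reg-test expectations in this commit use the same values), and only `JWT_VRFY_OK` means the signature was accepted. A comment above the enum would make that explicit, for example `/* Values are visible through the jwt_verify converter: keep in sync with doc/configuration.txt. Only JWT_VRFY_OK (1) is a success; 0 and every negative value is a failure, so compare with == JWT_VRFY_OK and never test the status as a boolean. */`. The code that returns these statuses is outside this diff, so any caller that tests the result for truthiness cannot be checked from here and is worth confirming. Deployed rules that match the former codes 2 to 6 would presumably stop matching after this change without any warning, which may deserve a line in the release notes.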
@@ -269,7 +269,7 @@ client c13 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "PS512"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "3"
+ expect resp.http.x-jwt-verify == "-2"
 } -run
 
 # Unknown algorithm
@@ -281,7 +281,7 @@ client c14 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "UNKNOWN_ALG"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "2"
+ expect resp.http.x-jwt-verify == "-1"
 } -run
 
 # Invalid token (not enough fields)
@@ -293,7 +293,7 @@ client c15 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "ES512"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Invalid token (too many fields)
@@ -305,7 +305,7 @@ client c16 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "ES512"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Invalid token (empty signature)
@@ -317,7 +317,7 @@ client c17 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "ES512"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "4"
+ expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Unknown certificate
@@ -332,5 +332,5 @@ client c18 -connect ${h1_mainfe_sock} {
 expect resp.status == 200
 expect resp.http.x-jwt-alg == "ES512"
 # Unmanaged algorithm
- expect resp.http.x-jwt-verify == "6"
+ expect resp.http.x-jwt-verify == "-5"
 } -run
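Review bot: The `# Unmanaged algorithm` comment directly above the changed expectation is accurate only in the c13 hunk; the c14, c15, c16, c17 and c18 hunks carry the same comment above checks for "-1", "-3" and "-5", which the documentation table in this commit lists as unknown algorithm, invalid token and unknown certificate. With the codes now negative and easy to misread, each comment should name the status actually asserted, for example `# Unknown algorithm (-1)`, `# Invalid token (-3)` and `# Unknown certificate (-5)`. Each client block begins above its hunk, so the request that produces the status is not visible here.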