Add wildcard configuration

A "wildcard" configuration is added to enable key server verification with wildcard certificate
2021-12-10 17:17:58 +07:00 · 2021-12-10 17:17:58 +07:00 · 118e44c10e
parent a9bc1c0ce9
commit 118e44c10e
4 changed files with 19 additions and 5 deletions
--- a/deps/rabbitmq_auth_backend_oauth2/README.md
+++ b/deps/rabbitmq_auth_backend_oauth2/README.md
@ -151,6 +151,7 @@ NOTE: `jwks_url` takes precedence over `signing_keys` if both are provided.
 | `auth_oauth2.https.cacertfile`           | Path to a file containing PEM-encoded CA certificates. The CA certificates are used during key server authentication
 | `auth_oauth2.https.depth`                | Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. Default is 10. Please see: https://www.erlang.org/doc/man/ssl.html#type-allowed_cert_chain_length for more details
 | `auth_oauth2.https.peer_verification`    | Identify if the verification should be performed towards key server. Available values: `verify_none`, `verify_peer`. Default is `verify_none`. It is recommended to configure `verify_peer`
+| `auth_oauth2.https.wildcard`             | Enable wildcard-aware hostname verification for key server. Available values: `true`, `false`. Default is `false`.
 | `auth_oauth2.algorithms`                 | Restrict the usable algorithms

 For example:
@ -172,6 +173,7 @@ auth_oauth2.jwks_url = https://my-jwt-issuer/jwks.json
 auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
 auth_oauth2.https.peer_verification = verify_peer
 auth_oauth2.https.depth = 5
+auth_oauth2.https.wildcard = true
 auth_oauth2.algorithms.1 = HS256
 auth_oauth2.algorithms.2 = RS256
 ```
--- a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
+++ b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@ -98,6 +98,11 @@
 "rabbitmq_auth_backend_oauth2.key_config.depth",
 [{datatype, integer}]}.

+{mapping,
+ "auth_oauth2.https.wildcard",
+ "rabbitmq_auth_backend_oauth2.key_config.wildcard",
+ [{datatype, {enum, [true, false]}}]}.
+
 {validator, "https_uri", "According to the JWT Specification, Key Server URL must be https.",
 fun(Uri) -> string:nth_lexeme(Uri, 1, "://") == "https" end}.

--- a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
@ -58,7 +58,7 @@ update_jwks_signing_keys() ->
        undefined ->
            {error, no_jwks_url};
        JwksUrl ->
-            case fetch_keys(JwksUrl) of
+            case httpc:request(get, {JwksUrl, []}, [{ssl, ssl_options()}], []) of
                {ok, {_, _, JwksBody}} ->
                    KeyList = maps:get(<<"keys">>, jose:decode(erlang:iolist_to_binary(JwksBody)), []),
                    Keys = maps:from_list(lists:map(fun(Key) -> {maps:get(<<"kid">>, Key, undefined), {json, Key}} end, KeyList)),
@ -68,14 +68,19 @@ update_jwks_signing_keys() ->
            end
    end.

-spec fetch_keys(binary() | list()) -> {ok, term()} | {error, term()}.
-fetch_keys(JwksUrl) ->
+-spec ssl_options() -> list().
+ssl_options() ->
    UaaEnv = application:get_env(?APP, key_config, []),
    PeerVerification = proplists:get_value(peer_verification, UaaEnv, verify_none),
    CaCertFile = proplists:get_value(cacertfile, UaaEnv),
    Depth = proplists:get_value(depth, UaaEnv, 10),
-    SslOpts = [{verify, PeerVerification}, {cacertfile, CaCertFile}, {depth, Depth}],
-    httpc:request(get, {JwksUrl, []}, [{ssl, SslOpts}], []).
+    SslOpts0 = [{verify, PeerVerification}, {cacertfile, CaCertFile}, {depth, Depth}],
+    case proplists:get_value(wildcard, UaaEnv, false) of
+        true ->
+            [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} | SslOpts0];
+        false ->
+            SslOpts0
+    end.

 -spec decode_and_verify(binary()) -> {boolean(), map()} | {error, term()}.
 decode_and_verify(Token) ->
--- a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
+++ b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
@ -9,6 +9,7 @@
        auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
        auth_oauth2.https.peer_verification = verify_none
        auth_oauth2.https.depth = 5
+        auth_oauth2.https.wildcard = true
        auth_oauth2.algorithms.1 = HS256
        auth_oauth2.algorithms.2 = RS256",
        [
@ -27,6 +28,7 @@
            {cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
            {peer_verification, verify_none},
            {depth, 5},
+            {wildcard, true},
            {algorithms, [<<"HS256">>, <<"RS256">>]}
            ]
            }