feat(jwt-auth): support to use of the RS256 algorithm (#2594)

* example for #2523

* fix: jwt-auth plugin RS256 algorithm is not easy to use. (#2523)

fix: add more test cases for jwt plugin. (#2355)

fix #2523

fix #2355
This commit is contained in:
tzssangglass 2020-11-06 10:16:20 +08:00 committed by GitHub
parent 3c89a437a1
commit 27875e5790
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 702 additions and 33 deletions

View File

@ -27,6 +27,7 @@ local ngx = ngx
local ngx_time = ngx.time local ngx_time = ngx.time
local sub_str = string.sub local sub_str = string.sub
local plugin_name = "jwt-auth" local plugin_name = "jwt-auth"
local pcall = pcall
local lrucache = core.lrucache.new({ local lrucache = core.lrucache.new({
@ -45,6 +46,8 @@ local consumer_schema = {
properties = { properties = {
key = {type = "string"}, key = {type = "string"},
secret = {type = "string"}, secret = {type = "string"},
public_key = {type = "string"},
private_key= {type = "string"},
algorithm = { algorithm = {
type = "string", type = "string",
enum = {"HS256", "HS512", "RS256"}, enum = {"HS256", "HS512", "RS256"},
@ -103,10 +106,19 @@ function _M.check_schema(conf, schema_type)
end end
if schema_type == core.schema.TYPE_CONSUMER then if schema_type == core.schema.TYPE_CONSUMER then
if not conf.secret then if conf.algorithm ~= "RS256" and not conf.secret then
conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
end end
if conf.algorithm == "RS256" then
if not conf.public_key then
return false, "missing valid public key"
end
if not conf.private_key then
return false, "missing valid private key"
end
end
if not conf.exp then if not conf.exp then
conf.exp = 60 * 60 * 24 conf.exp = 60 * 60 * 24
end end
@ -151,6 +163,64 @@ local function get_secret(conf)
end end
local function sign_jwt_with_HS(key, auth_conf)
local auth_secret = get_secret(auth_conf)
local ok, jwt_token = pcall(jwt.sign, _M,
auth_secret,
{
header = {
typ = "JWT",
alg = auth_conf.algorithm
},
payload = {
key = key,
exp = ngx_time() + auth_conf.exp
}
}
)
if not ok then
core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
core.response.exit(500, "failed to sign jwt")
end
return jwt_token
end
local function sign_jwt_with_RS256(key, auth_conf)
local ok, jwt_token = pcall(jwt.sign, _M,
auth_conf.private_key,
{
header = {
typ = "JWT",
alg = auth_conf.algorithm,
x5c = {
auth_conf.public_key,
}
},
payload = {
key = key,
exp = ngx_time() + auth_conf.exp
}
}
)
if not ok then
core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
core.response.exit(500, "failed to sign jwt")
end
return jwt_token
end
local function algorithm_handler(consumer)
if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256"
or consumer.auth_conf.algorithm == "HS512" then
return sign_jwt_with_HS, get_secret(consumer.auth_conf)
elseif consumer.auth_conf.algorithm == "RS256" then
return sign_jwt_with_RS256, consumer.auth_conf.public_key
end
end
function _M.rewrite(conf, ctx) function _M.rewrite(conf, ctx)
local jwt_token, err = fetch_jwt_token(ctx) local jwt_token, err = fetch_jwt_token(ctx)
if not jwt_token then if not jwt_token then
@ -186,9 +256,10 @@ function _M.rewrite(conf, ctx)
end end
core.log.info("consumer: ", core.json.delay_encode(consumer)) core.log.info("consumer: ", core.json.delay_encode(consumer))
local auth_secret = get_secret(consumer.auth_conf) local _, auth_secret = algorithm_handler(consumer)
jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj)
core.log.info("jwt object: ", core.json.delay_encode(jwt_obj)) core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))
if not jwt_obj.verified then if not jwt_obj.verified then
return 401, {message = jwt_obj.reason} return 401, {message = jwt_obj.reason}
end end
@ -224,22 +295,13 @@ local function gen_token()
core.log.info("consumer: ", core.json.delay_encode(consumer)) core.log.info("consumer: ", core.json.delay_encode(consumer))
local auth_secret = get_secret(consumer.auth_conf) local sign_handler, _ = algorithm_handler(consumer)
local jwt_token = jwt:sign( local jwt_token = sign_handler(key, consumer.auth_conf)
auth_secret, if jwt_token then
{ return core.response.exit(200, jwt_token)
header = { end
typ = "JWT",
alg = consumer.auth_conf.algorithm
},
payload = {
key = key,
exp = ngx_time() + consumer.auth_conf.exp
}
}
)
core.response.exit(200, jwt_token) return core.response.exit(404)
end end

View File

@ -20,6 +20,7 @@
- [中文](../zh-cn/plugins/jwt-auth.md) - [中文](../zh-cn/plugins/jwt-auth.md)
# Summary # Summary
- [**Name**](#name) - [**Name**](#name)
- [**Attributes**](#attributes) - [**Attributes**](#attributes)
- [**How To Enable**](#how-to-enable) - [**How To Enable**](#how-to-enable)
@ -37,13 +38,15 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio
## Attributes ## Attributes
| Name | Type | Requirement | Default | Valid | Description | | Name | Type | Requirement | Default | Valid | Description |
| ------------- | ------- | ----------- | ------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | |:--------------|:--------|:------------|:--------|:----------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------|
| key | string | required | | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. | | key | string | required | | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. |
| secret | string | optional | | | encryption key. if you do not specify, the value is auto-generated in the background. | | secret | string | optional | | | encryption key. if you do not specify, the value is auto-generated in the background. |
| public_key | string | optional | | | RSA public key, required when `algorithm` attribute selects `RS256` algorithm. |
| private_key | string | optional | | | RSA private key, required when `algorithm` attribute selects `RS256` algorithm. |
| algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. |
| exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | | exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds |
| base64_secret | boolean | optional | false | | whether secret is base64 encoded | | base64_secret | boolean | optional | false | | whether secret is base64 encoded |
## API ## API
@ -67,6 +70,23 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}' }'
``` ```
`jwt-auth` uses the `HS256` algorithm by default, and if you use the `RS256` algorithm, you need to specify the algorithm and configure the public key and private key, as follows:
```shell
curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key",
"public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
"algorithm": "RS256"
}
}
}'
```
you can visit Dashboard `http://127.0.0.1:9080/apisix/dashboard/` and add a Consumer through the web console: you can visit Dashboard `http://127.0.0.1:9080/apisix/dashboard/` and add a Consumer through the web console:
![](../images/plugin/jwt-auth-1.png) ![](../images/plugin/jwt-auth-1.png)
@ -168,8 +188,8 @@ Accept-Ranges: bytes
## Disable Plugin ## Disable Plugin
When you want to disable the `jwt-auth` plugin, it is very simple, When you want to disable the `jwt-auth` plugin, it is very simple,
you can delete the corresponding json configuration in the plugin configuration, you can delete the corresponding json configuration in the plugin configuration,
no need to restart the service, it will take effect immediately: no need to restart the service, it will take effect immediately:
```shell ```shell
$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value=' $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value='
@ -186,3 +206,4 @@ $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value='
} }
}' }'
``` ```

View File

@ -20,6 +20,7 @@
- [English](../../plugins/jwt-auth.md) - [English](../../plugins/jwt-auth.md)
# 目录 # 目录
- [**名字**](#名字) - [**名字**](#名字)
- [**属性**](#属性) - [**属性**](#属性)
- [**如何启用**](#如何启用) - [**如何启用**](#如何启用)
@ -38,13 +39,15 @@
## 属性 ## 属性
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | | 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| ------------- | ------- | ------ | ------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | |:--------------|:--------|:------|:--------|:----------------------------|:-----------------------------------------------------------------------------------------------|
| key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 | | key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 |
| secret | string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 | | secret | string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 |
| algorithm | string | 可选 | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法 | | public_key | string | 可选 | | | RSA公钥 `algorithm` 属性选择 `RS256` 算法时必填 |
| exp | integer | 可选 | 86400 | [1,...] | token 的超时时间 | | private_key | string | 可选 | | | RSA私钥 `algorithm` 属性选择 `RS256` 算法时必填 |
| base64_secret | boolean | 可选 | false | | 密钥是否为 base64 编码 | | algorithm | string | 可选 | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法 |
| exp | integer | 可选 | 86400 | [1,...] | token 的超时时间 |
| base64_secret | boolean | 可选 | false | | 密钥是否为 base64 编码 |
## 接口 ## 接口
@ -67,6 +70,24 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
} }
}' }'
``` ```
`jwt-auth` 默认使用 `HS256` 算法,如果使用 `RS256` 算法,需要指定算法,并配置公钥与私钥,示例如下:
```shell
curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key",
"public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
"algorithm": "RS256"
}
}
}'
```
你可以使用浏览器打开 dashboard`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer 你可以使用浏览器打开 dashboard`http://127.0.0.1:9080/apisix/dashboard/`,通过 web 界面来完成上面的操作,先增加一个 consumer
![](../../images/plugin/jwt-auth-1.png) ![](../../images/plugin/jwt-auth-1.png)
@ -183,3 +204,4 @@ $ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value='
} }
}' }'
``` ```

View File

@ -526,7 +526,7 @@ GET /t
--- request --- request
GET /apisix/admin/schema/plugins/jwt-auth?schema_type=consumer GET /apisix/admin/schema/plugins/jwt-auth?schema_type=consumer
--- response_body --- response_body
{"required":["key"],"properties":{"exp":{"minimum":1,"type":"integer"},"algorithm":{"type":"string","default":"HS256","enum":["HS256","HS512","RS256"]},"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"key":{"type":"string"}},"additionalProperties":false,"type":"object"} {"required":["key"],"properties":{"exp":{"minimum":1,"type":"integer"},"private_key":{"type":"string"},"public_key":{"type":"string"},"algorithm":{"type":"string","default":"HS256","enum":["HS256","HS512","RS256"]},"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"key":{"type":"string"}},"additionalProperties":false,"type":"object"}
--- no_error_log --- no_error_log
[error] [error]
@ -549,3 +549,567 @@ GET /apisix/admin/schema/plugins/jwt-auth
{"properties":{"disable":{"type":"boolean"}},"additionalProperties":false,"type":"object"} {"properties":{"disable":{"type":"boolean"}},"additionalProperties":false,"type":"object"}
--- no_error_log --- no_error_log
[error] [error]
=== TEST 28: add consumer with username and plugins with public_key, private_key(private_key numbits = 512)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----"
}
}
}]],
[[{
"node": {
"value": {
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----"
}
}
}
},
"action": "set"
}]]
)
ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 29: JWT sign and verify use RS256 algorithm(private_key numbits = 512)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 30: sign use RS256 algorithm(private_key numbits = 512)
--- request
GET /apisix/plugin/jwt/sign?key=user-key-rs256
--- response_body_like eval
qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.\w+.\w+/
--- no_error_log
[error]
=== TEST 31: verify (in argument) use RS256 algorithm(private_key numbits = 512)
--- request
GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTY5Mjg3OX0.S7XMbZjl3HAm_r9xlXaKGnvQgMA6-G9RZ-3esJM3B3gDuTeyPr_JvWzou-9aDVCArr0ogcSa2dx7EwiwKaOwIA
--- response_body
hello world
--- no_error_log
[error]
=== TEST 32: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----",
]] .. [[
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----"
}
}
}
]],
[[{
"node": {
"value": {
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----",
]] .. [[
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----"
}
}
}
},
"action": "set"
}]]
)
ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 33: JWT sign and verify use RS256 algorithm(private_key numbits = 1024)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 34: sign use RS256 algorithm(private_key numbits = 1024)
--- request
GET /apisix/plugin/jwt/sign?key=user-key-rs256
--- response_body_like eval
qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZVwvc2VQNVRcL1Y4cGtTNVlOQVBSQ1xuM0ZmeHhlZGk3djBweVpoXC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.\w+.\w+/
--- no_error_log
[error]
=== TEST 35: verify (in argument) use RS256 algorithm(private_key numbits = 1024)
--- request
GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZVwvc2VQNVRcL1Y4cGtTNVlOQVBSQ1xuM0ZmeHhlZGk3djBweVpoXC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTc4MjQ0MH0.ExLbD7bMUw4117DTXwdxOJ2cfJajSX0VzINkKzjvr7-4sod9q2gpLbemoXH_IBIcdKF2raC8k6OVxRUAJa_Nlk4NIdbjEWk4Z9zfdjWK_t7QED-5nfoYflwGVOpNh-q8zdXsZRhPnBWuPB9yGJLpI_NfqdRdlRQrQ3JaCIgvYBg
--- response_body
hello world
--- no_error_log
[error]
=== TEST 36: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----",
]] .. [[
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----"
}
}
}
]],
[[{
"node": {
"value": {
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----",
]] .. [[
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----"
}
}
}
},
"action": "set"
}]]
)
ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 37: JWT sign and verify use RS256 algorithm(private_key numbits = 2048)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 38: sign use RS256 algorithm(private_key numbits = 2048)
--- request
GET /apisix/plugin/jwt/sign?key=user-key-rs256
--- response_body_like eval
qr/eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdjVMSGpaNEZ4UTlqazZlUUdEUnRcbm9Sd0ZWa0xxK2RVQmViczk3aHJ6aXJva1ZyMkIrUm94cWRMZktBTStBc04yRGFkYXdaMkdxbENWOURMMFwvZ3o2XG5uV1NxVFFwV2JROGM3Q3JGMzFFa0lIVVlSelp2V3kxN0szV0M5T2RrXC9nTTFGVmQwSGJaMlJqdXFqOUFEZWVxeFxubmo5bnBEcUtyTU9ET0VOeTMxU3FaTmVyV1pzZGdHa01MNUpZYlg1aGJJMkw5TFJFdlJVMjFmRGdTZkdMNk13NFxuTmF4bm56Y3ZsbDR5cXdyQkVMU2VEWkVBdDArZVwvcDFkTzdtb3hGK2IxcEZraDl2UWw2ekd2bnZmOGZPcW41RXhcbnRMSFhWemd4NzUyUEhNd211ajltTzFrbzZwOEZPTTBKSERub29JKzVyd0s0ajNJMjdIbzVubmF0VldVYXhLNFVcbjh3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.\w+.\w+/
--- no_error_log
[error]
=== TEST 39: verify (in argument) use RS256 algorithm(private_key numbits = 2048)
--- request
GET /hello?jwt=eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdjVMSGpaNEZ4UTlqazZlUUdEUnRcbm9Sd0ZWa0xxK2RVQmViczk3aHJ6aXJva1ZyMkIrUm94cWRMZktBTStBc04yRGFkYXdaMkdxbENWOURMMFwvZ3o2XG5uV1NxVFFwV2JROGM3Q3JGMzFFa0lIVVlSelp2V3kxN0szV0M5T2RrXC9nTTFGVmQwSGJaMlJqdXFqOUFEZWVxeFxubmo5bnBEcUtyTU9ET0VOeTMxU3FaTmVyV1pzZGdHa01MNUpZYlg1aGJJMkw5TFJFdlJVMjFmRGdTZkdMNk13NFxuTmF4bm56Y3ZsbDR5cXdyQkVMU2VEWkVBdDArZVwvcDFkTzdtb3hGK2IxcEZraDl2UWw2ekd2bnZmOGZPcW41RXhcbnRMSFhWemd4NzUyUEhNd211ajltTzFrbzZwOEZPTTBKSERub29JKzVyd0s0ajNJMjdIbzVubmF0VldVYXhLNFVcbjh3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsImV4cCI6MTkxOTc3MTQ3Mn0.m8n0iq0FthBGuCP4IOzIi9J0aHJeBKGhV0A7_DI0QqdXDxFjImGZSsDrNa77_3_gQonLY9xwWO0eobBzcpXuBQKVjl7fEn1brY4m1SKMB0xxWn525khzWe4aN3Yf101fCXd-8rKfZoCOMs_KS9YLTpEGbHJJ3nPiJdN9Btlt-jqCfbQvTT_zogITxJBcUiwz_ikttDTCLVrAvE5M7Xmck245MayOhSvu0f1df1XcmdrnKV4fHypl3UPhQNdb0Up4IBao0lJsKF2QCrvn_rP_oXrViurnpJDv6nP_46woWvnS74_WWGmVg2BptlQ7p8IYF4yAoXW8gsjcgoixbYTOGg
--- response_body
hello world
--- no_error_log
[error]
=== TEST 40: JWT sign with the public key when using the RS256 algorithm
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
"public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----"
}
}
}]],
[[{
"node": {
"value": {
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-rs256",
"algorithm": "RS256",
"private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
"public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----"
}
}
}
},
"action": "set"
}]]
)
ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 41: JWT sign and verify RS256
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 42: sign failed
--- request
GET /apisix/plugin/jwt/sign?key=user-key-rs256
--- error_code: 500
--- response_body eval
qr/failed to sign jwt/
=== TEST 43: sanity(algorithm = HS512)
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.jwt-auth")
local core = require("apisix.core")
local conf = {key = "123", algorithm = "HS512"}
local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
end
ngx.say(require("cjson").encode(conf))
}
}
--- request
GET /t
--- response_body_like eval
qr/{"algorithm":"HS512","secret":"[a-zA-Z0-9+\\\/]+={0,2}","key":"123","exp":86400}/
--- no_error_log
[error]
=== TEST 44: add consumer with username and plugins use HS512 algorithm
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-HS512",
"algorithm": "HS512",
"secret": "my-secret-key"
}
}
}]],
[[{
"node": {
"value": {
"username": "kerouac",
"plugins": {
"jwt-auth": {
"key": "user-key-HS512",
"algorithm": "HS512",
"secret": "my-secret-key"
}
}
}
},
"action": "set"
}]]
)
ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 45: JWT sign and verify use HS512 algorithm
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 46: sign(algorithm = HS512)
--- request
GET /apisix/plugin/jwt/sign?key=user-key-HS512
--- response_body_like eval
qr/eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.\w+.\w+/
--- no_error_log
[error]
=== TEST 47: verify (in argument) use HS512 algorithm
--- request
GET /hello?jwt=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1IUzUxMiIsImV4cCI6MTkxOTc4NzU5OH0.zJAE-BDs6QtMvGbBmQL6hNbZ9seYSfZ9SDH3R3VSiOhY3UAjdrl3SUStTeCirlVzIV1eoEiW2jd_xHpKNw7nWA
--- response_body
hello world
--- no_error_log
[error]
=== TEST 48: test for unsupported algorithm
--- request
PATCH /apisix/plugin/jwt/sign?key=user-key
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.jwt-auth")
local core = require("apisix.core")
local conf = {key = "123", algorithm = "ES256"}
local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
end
ngx.say(require("cjson").encode(conf))
}
}
--- request
GET /t
--- response_body_like eval
qr/property "algorithm" validation failed/