mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 05:41:26 +02:00
Code Issues Projects Releases Wiki Activity

REGTESTS: jwt: Add test with actual certificate passed to jwt_verify

Browse Source 
The jwt_verify can now take public certificates as second parameter,
either with actual certificate path (no previously mentioned) or from a
predefined crt-store or from a variable.
This commit is contained in:
Remi Tricot-Le Breton 2025-06-30 16:56:29 +02:00 committed by William Lallemand
parent 093a3ad7f2
commit 663ba093aa
3 changed files with 73 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
reg-tests/jwt/cert.ecdsa.pem Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBfzCCASWgAwIBAgIUZ7eU/AOyw6luqrY4aHAErK8bI3AwCgYIKoZIzj0EAwIw
FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI1MDYyMzE0MDIxMVoYDzIxNjIwNTE2
MTQwMjExWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAASOru+/8VRGvKqvu6S+SufV6TmuMIyE6eCMPXu5BNk3t+jVBEhXXyU/
Hk7YR3miT+PyP+FloU4HpM2yE2a2GTd0o1MwUTAdBgNVHQ4EFgQUsI/5IENagw4r
QX/1qvtiiDZ5OlEwHwYDVR0jBBgwFoAUsI/5IENagw4rQX/1qvtiiDZ5OlEwDwYD
VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAMdpsHRDNcXYU1mTSha30P
bRP+Coj5y/vIshqU8UjjRAIhAK/8VegDDHU1b2rww2FaFCbyoiWYoJ3e/W3HJmvk
nECr
-----END CERTIFICATE-----

29
reg-tests/jwt/cert.rsa.pem Normal file
View File

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFCTCCAvGgAwIBAgIUAj45QKeD6LQ3Dby5l8pRJHxhC0cwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDYwNTE1MzI0OFoXDTM1MDYw
MzE1MzI0OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAxCPdKRUDpwNqrka4OYaI9bweoN/YoMYR8sddqK39S0pm
zVIWZpZ51wXJU7oT4umSGAP0VpexxKNZdKnq6b9ScaIfLCazl8EaU3Wg16l5ZD/O
mHggaD5iHtI3lV2JhxTFlIdLI6sGoJxaDne0oelvtsE2dbBZBPT0OPKWyXgL2qQH
CtYnqZI7d9czA61rg1PfiUqV6zh9MC7NW5mKPVS95/MCIILyP4smljh5cUGkzhZa
By/mfKobTRe5xTP+DJ78wZhTAapOY/GmyQ4rFWZFISH2tVQ7Ic32lbxeYXycTcPx
EUcijNklnFHfpZ3Hhbz9hBuCWTaujcdYVxkRfMocnz9InY8FCic3vgcOPrpqhZMx
jeuVwUV9cjJhsWTjZeIne5P4l6DHmDIdoVJVatKR+O4AL2q+VZ+d5euSmUe6bwrz
1ufczIcRYAo1mnYD+USwjT5rGWSjG8brtfxtrzJzQP4oqMgLH2QBEgVDKlvsHiEC
2K16tTf1pSEAh9Lyo2t8Tbc1BbuuJPafixNGFEQIJ7sAwYoWNkncGOfwrPUpU13K
tAGoW8hMBlLSuGb70FLbei/Qiz/YsWi86ybetN4WMpF096lcgqa/JH8IeYvGa/MQ
YoavloGv05OhaGrvGRy0GV6I9elnLEaSdBROnA4kyPaHW8jKmj04T8EBFmx5Lu0C
AwEAAaNTMFEwHQYDVR0OBBYEFPj8dhAwfL7lF345ufvnc+esKy2vMB8GA1UdIwQY
MBaAFPj8dhAwfL7lF345ufvnc+esKy2vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggIBAH2o5hZ5Mqq/JLVfsmJE3UrBq7Ky5PYBR1vis+EQwWdlQDcK
LC1MACkQeWhtPEBg//il9NQjQZG4iE3qbEEOKDjaKGuJTQ3+FhuCYg1t81chqiRW
PPLkAwN0QPZjTfCcIl4QYEeO9iEoxhLPB2QyqHj3ppFh+uPlz2ShdDclHlXcojod
AmVxjiIjEGbDKn/pBDJ0Ul/kfjdYKWvdwJg+CYLqntCxL0kbiApb1r4MvgqbH3FM
sPo7ro1gfTmL7YIkXZMnYJeRSUF1ZHMty+1tvibRwDf7nCsXvDIhxbTdXP9XcpfT
C4YZ0APQrEO6/Q682X0DwzXE55Fk8iD12VOEQZKRipsqL74HNKQ6JVcBhpqw40qv
sUSixzqic3DeEnT6Om3OMdafQVpRSynzpLAc1wcxMfrkNDkSQ4mXMgdD07w9h1tQ
uIflGtj1szg+mjHxFVV/nRWtJOqA0FJt+gZGy8V3NZ+zEBR2Nqe8AOoIkIBKVbK2
6UlHrMisuat3LlZjvwrHJtzU6fGemy1BFWAHjvQe3eilQfrDp6boueqWr9m9RjVK
UZ/2S//AnX+GGUVm6xjkVHcv8cJL//aOUV7tEUCuGjFTuKgNT5Mn9VttvePbgd9F
uaixpqrs0tuKFWRSLbWUaQE50oC4aJ9LWfzG5gAJJkeXeORYaisqfLCNmO6u
-----END CERTIFICATE-----

33
reg-tests/jwt/jws_verify.vtc
View File

@ -45,6 +45,12 @@ haproxy h1 -conf {
use_backend auth_bearer_be if { path /auth_bearer } use_backend auth_bearer_be if { path /auth_bearer }
default_backend dflt_be default_backend dflt_be
# Unnamed crt-store
crt-store
load crt "${testdir}/cert.ecdsa.pem"
crt-store named_store
load crt "${testdir}/cert.rsa.pem"
backend hsXXX_be backend hsXXX_be
http-request set-var(txn.bearer) http_auth_bearer http-request set-var(txn.bearer) http_auth_bearer
@ -72,6 +78,20 @@ haproxy h1 -conf {
http-response set-header x-jwt-verify-RS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS256" } http-response set-header x-jwt-verify-RS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS256" }
http-response set-header x-jwt-verify-RS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS384" } http-response set-header x-jwt-verify-RS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS384" }
http-response set-header x-jwt-verify-RS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS512" } http-response set-header x-jwt-verify-RS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS512" }
# Pure certificate (not predefined in crt-store)
http-response set-header x-jwt-verify-RS256-cert %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
# Named crt-store
http-response set-header x-jwt-verify-RS256-cert-named %[var(txn.bearer),jwt_verify(txn.jwt_alg,"@named_store${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
# Variables
# This first case only works because the certificate
# is already explicitely used in a previous jwt_verify call.
http-response set-var(txn.cert) str("${testdir}/cert.rsa.pem")
http-response set-header x-jwt-verify-RS256-var1 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
http-response set-var(txn.cert) str("@named_store${testdir}/cert.rsa.pem")
http-response set-header x-jwt-verify-RS256-var2 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
server s1 ${s1_addr}:${s1_port} server s1 ${s1_addr}:${s1_port}
backend esXXX_be backend esXXX_be
@ -86,6 +106,11 @@ haproxy h1 -conf {
http-response set-header x-jwt-verify-ES256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es256-public.pem")] if { var(txn.jwt_alg) -m str "ES256" } http-response set-header x-jwt-verify-ES256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es256-public.pem")] if { var(txn.jwt_alg) -m str "ES256" }
http-response set-header x-jwt-verify-ES384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es384-public.pem")] if { var(txn.jwt_alg) -m str "ES384" } http-response set-header x-jwt-verify-ES384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es384-public.pem")] if { var(txn.jwt_alg) -m str "ES384" }
http-response set-header x-jwt-verify-ES512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es512-public.pem")] if { var(txn.jwt_alg) -m str "ES512" } http-response set-header x-jwt-verify-ES512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es512-public.pem")] if { var(txn.jwt_alg) -m str "ES512" }
# Variables and real certificate
http-response set-var(txn.cert) str("${testdir}/cert.ecdsa.pem")
http-response set-header x-jwt-verify-ES256-var %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "ES256" }
server s1 ${s1_addr}:${s1_port} server s1 ${s1_addr}:${s1_port}
backend psXXX_be backend psXXX_be
@ -192,6 +217,13 @@ client c5 -connect ${h1_mainfe_sock} {
expect resp.status == 200 expect resp.status == 200
expect resp.http.x-jwt-alg == "RS256" expect resp.http.x-jwt-alg == "RS256"
expect resp.http.x-jwt-verify-RS256 == "1" expect resp.http.x-jwt-verify-RS256 == "1"
expect resp.http.x-jwt-verify-RS256-cert == "1"
expect resp.http.x-jwt-verify-RS256-cert-named == "1"
expect resp.http.x-jwt-verify-RS256-var1 == "1"
expect resp.http.x-jwt-verify-RS256-var2 == "1"
} -run } -run
client c6 -connect ${h1_mainfe_sock} { client c6 -connect ${h1_mainfe_sock} {
@ -244,6 +276,7 @@ client c9 -connect ${h1_mainfe_sock} {
expect resp.status == 200 expect resp.status == 200
expect resp.http.x-jwt-alg == "ES256" expect resp.http.x-jwt-alg == "ES256"
expect resp.http.x-jwt-verify-ES256 == "1" expect resp.http.x-jwt-verify-ES256 == "1"
expect resp.http.x-jwt-verify-ES256-var == "1"
} -run } -run
client c10 -connect ${h1_mainfe_sock} { client c10 -connect ${h1_mainfe_sock} {