feat: overwrite claims and jwt parser

Author: DMoscicki

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "casdoor-sdk-rust"
-version = "1.0.3"
+version = "1.1.0"
 edition = "2021"
 license = "Apache-2.0"
 description = "A Casdoor SDK (contain APIs) with more complete interfaces and better usability."
@@ -23,15 +23,15 @@ reqwest = { version = "0.12", features = ["json"] }
 jsonwebtoken = "9.3.0"
 oauth2 = "5.0.0-rc.1"
 toml = "0.8"
-openssl = "0.10.68"
+openssl = "0.10"
 anyhow = "1.0.95"
 rand = "0.8"
 chrono = "0.4.39"
 thiserror = "2.0.11"
 serde_with = { version = "3.12.0", features = ["chrono_0_4"] }
 
 [dependencies.uuid]
-version = "1.11.0"
+version = "1.12.1"
 features = [
     "v4",
     "fast-rng",

src/authn/mod.rs

@@ -1,21 +1,21 @@
 mod models;
 
-use crate::{Method, QueryArgs, QueryResult, Sdk, SdkError, SdkResult, NO_BODY};
-use anyhow::Result;
+use crate::{Method, QueryArgs, QueryResult, Sdk, SdkResult, NO_BODY};
+use anyhow::{format_err, Result};
 use jsonwebtoken::{
-    errors::{Error, ErrorKind},
-    Algorithm, DecodingKey, TokenData, Validation,
+    DecodingKey, TokenData, Validation,
 };
 pub use models::*;
-use oauth2::{AccessToken, url, AuthUrl, AuthorizationCode, ClientId, ClientSecret, IntrospectionUrl, RedirectUrl, RefreshToken, TokenUrl};
+pub use oauth2::{basic::{BasicTokenIntrospectionResponse, BasicTokenType}, TokenIntrospectionResponse, TokenResponse};
+use oauth2::{url, AccessToken, AuthUrl, AuthorizationCode, ClientId, ClientSecret, IntrospectionUrl, RedirectUrl, RefreshToken, TokenUrl};
+use openssl::pkey::Id;
 use openssl::{
     base64,
     pkey::{PKey, Public},
     sha::sha256,
 };
 use rand::Rng;
 use std::{fmt::Write, iter};
-pub use oauth2::{basic::{BasicTokenIntrospectionResponse, BasicTokenType}, TokenIntrospectionResponse, TokenResponse};
 use uuid::Uuid;
 
 impl Sdk {
@@ -132,30 +132,9 @@ impl AuthSdk {
 
         let pb_key = self.sdk.replace_cert_to_pub_key().unwrap();
 
-        // TODO: Add ES512 support after https://github.com/Keats/jsonwebtoken/issues/250#issuecomment-2488307814
-        match header.alg {
-            Algorithm::ES256 => {
-                let token_data: TokenData<ClaimsStandard> = get_tk_es(pb_key, validation, token);
-
-                Ok(token_data.claims)
-            }
-            Algorithm::ES384 => {
-                let token_data: TokenData<ClaimsStandard> = get_tk_es(pb_key, validation, token);
-
-                Ok(token_data.claims)
-            }
-            Algorithm::RS256 => {
-                let token_data: TokenData<ClaimsStandard> = get_tk_rsa(pb_key, validation, token);
-
-                Ok(token_data.claims)
-            }
-            Algorithm::RS512 => {
-                let token_data: TokenData<ClaimsStandard> = get_tk_rsa(pb_key, validation, token);
-
-                Ok(token_data.claims)
-            }
-            _ => Err(SdkError::from(Error::from(ErrorKind::InvalidAlgorithm))),
-        }
+        let td = get_tk(pb_key, validation, token).unwrap();
+
+        Ok(td.claims)
     }
 
     pub fn get_signing_url(&self, redirect_url: String) -> String {
@@ -264,27 +243,62 @@ fn generate_code_challange(verifier: String) -> String {
     base64::encode_block(&digest).replace("=", "-")
 }
 
-fn get_tk_es(pb_key: PKey<Public>, validation: Validation, token: &str) -> TokenData<ClaimsStandard> {
-    let public_key = pb_key.ec_key().unwrap().public_key_to_pem().unwrap();
-    let decode_key = &DecodingKey::from_ec_pem(&public_key).unwrap();
-    let token_data: TokenData<ClaimsStandard> = jsonwebtoken::decode(token, decode_key, &validation).unwrap();
-
-    token_data
+fn get_tk(pb_key: PKey<Public>, validation: Validation, token: &str) -> Result<TokenData<ClaimsStandard>> {
+    match pb_key.id() {
+        Id::RSA => {
+            let rsa_pb_key = pb_key.rsa()?.public_key_to_pem()?;
+            let decode_key = &DecodingKey::from_rsa_pem(&rsa_pb_key)?;
+            let token_data: TokenData<ClaimsStandard> = jsonwebtoken::decode(token, decode_key, &validation)?;
+
+            Ok(token_data)
+        },
+        Id::EC => {
+            let ec_pb_key = pb_key.ec_key()?.public_key_to_pem()?;
+            let decode_key = &DecodingKey::from_ec_pem(&ec_pb_key)?;
+            let token_data: TokenData<ClaimsStandard> = jsonwebtoken::decode(token, decode_key, &validation)?;
+
+            Ok(token_data)
+        },
+        Id::RSA_PSS => {
+            println!("{}", "RSA_PSS");
+            let ec_pb_key = pb_key.rsa()?.public_key_to_pem()?;
+            let decode_key = &DecodingKey::from_rsa_pem(&ec_pb_key)?;
+            let token_data: TokenData<ClaimsStandard> = jsonwebtoken::decode(token, decode_key, &validation)?;
+
+            Ok(token_data)
+        },
+        _ => {
+            Err(format_err!("not supported"))
+        },
+    }
 }
 
-fn get_tk_rsa(pb_key: PKey<Public>, validation: Validation, token: &str) -> TokenData<ClaimsStandard> {
-    let public_key = pb_key.rsa().unwrap().public_key_to_pem().unwrap();
-    let decode_key = &DecodingKey::from_rsa_pem(&public_key).unwrap();
-    let td: TokenData<ClaimsStandard> = jsonwebtoken::decode(token, decode_key, &validation).unwrap();
-
-    td
-}
 #[cfg(test)]
 mod tests {
     use std::fs;
 
     use crate::Config;
 
+    #[test]
+    fn successfully_rs256_cert_ps256() {
+        let token = fs::read_to_string("./src/authn/testdata/tok_rs256_ps.txt").unwrap();
+        let cert = fs::read_to_string("./src/authn/testdata/cert_ps256.txt").unwrap();
+        let cfg = Config::new(
+            "http://localhost:8000".to_string(),
+            "2707072ef8e8048ce2df".to_string(),
+            "7d315de093a1b8268d0c7eb192bbe02f35a8877d".to_string(),
+            cert,
+            "built-in".to_string(),
+            Some("app-built-in".to_owned())
+        )
+            .into_sdk();
+
+        let authnx = cfg.authn();
+
+        let tk = authnx.parse_jwt_token(&token).unwrap();
+        assert_eq!(true, tk.reg_claims.audience.contains(&cfg.client_id));
+    }
+
     #[test]
     fn successfully_es256_jwt_custom() {
         let token = fs::read_to_string("./src/authn/testdata/tok_rs256_custom.txt").unwrap();
@@ -303,7 +317,6 @@ mod tests {
 
         let tk = authnx.parse_jwt_token(&token).unwrap();
         assert_eq!(true, tk.reg_claims.audience.contains(&cfg.client_id));
-        println!("{:#?}", tk);
     }
     #[test]
     fn successfully_es256_jwt_standart() {
@@ -324,7 +337,6 @@ mod tests {
         let tk = authnx.parse_jwt_token(&token).unwrap();
         assert_eq!("user", tk.user.display_name);
         assert_eq!(true, tk.reg_claims.audience.contains(&cfg.client_id));
-        println!("{:#?}", tk);
     }
 
     #[test]

src/authn/testdata/cert_ps256.txt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFQTCCAvWgAwIBAgIDAeJAMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIDAmMQ4wDAYDVQQK
+EwVhZG1pbjEUMBIGA1UEAwwLY2VydF9mOTA3djkwHhcNMjUwMTEyMjAzMDEwWhcN
+NDUwMTEyMjAzMDEwWjAmMQ4wDAYDVQQKEwVhZG1pbjEUMBIGA1UEAwwLY2VydF9m
+OTA3djkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCW0T7GiA/8DoGd
+DFrcDAFwXtZIGA5oA7w13OP/7OYU1B3+AULUHjtKB3t5kiOL6AgFNvEliY9t4Kyi
+8mV1XZWP2qv1wiDVQSJmMbzqrkkbHi+4rI7FDz7DhEXaFoARmcxRq6xa46I750c3
+UU6JV+BWHssrBIhr1hTGPfzrMR4aMIfYlBr3Q1pl8ZztVU72Fvk5T/7g77EIBRZ6
+RPHjcYnSyxv56kF9W13ukO4BbTn1/a0U0dz3nh1kTsmmH4Rk21Yk+FbdhIsI5BtP
+enaz9+Zu+Aq28AiyMjP9BFZrfHR6YHVEKs9M4zsTn9YFQAXNX67zAlKvcCXCCFbD
+E8YrGoa5B5fIkMZbMkIN+5iGRLaGkZaVQY2y/eYX/lQ+23KwdOrblHl5rZbHa4TK
++QZcjdlYArIybzjR36ZCH/5AqT6O7pjVHflIfz0gMUMWrqkimV6AXuTxQf3lOyDZ
+i3ZS0c+bWpLZDKyao5vRIn1kYl0DyCQmIZ3jtxxg9vmOYarS25MFUe1xsY2CuIwV
+d2IR0IgFzqGkga73N+k8nHX79qI/sKP0wpSvE7OH61ZsarkliL8KDr4OYCRZe5Df
+NudtiyoaT8nC8C5kPRtwvVg7uWoeXGIrOrUJT2xvUuuU0rkIAOGYey8LA9xCSwPz
+EoBOgiY1y/MWSEXV371q6fijH+OT/wIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIBBQCiAwIBIAOCAgEAAYzn7qqWn9pEWA9iG5FWSnJV66jcJ44dxUJB
+4WJlEQiSBh1BJx2Y/B/CFfES2OlfxxWsTKMc2jdEg7ebHLxHvfLfL54lxxTsKvE7
+EvKzgVwxelwSq5qyfKBCyhCEJ336zqu9EtdlzgEir/gQF9+mAOlz/K3wXzytJ2UL
+nHbJWz8wueAMjvO2hlIoeDZHjgg4DZL/z3TOKXEvXg4u6h7DsvUiI736klIeDt+i
+XWqokT6o/cEF4btgO+b7Fc6hs3Q30PNrqkmeK+UdrnXap0b4kAf7bsLwFpNjnkk8
+WRkVOg0j3XFcOnblZOzUh6WatZWgsXjJm2wqmYKS9BuOGvEmhL7484fcBZHKPT/b
+nmFICFrNPB9L1ORpaEh0B4g28JsW7PdVjstlIhqTyUgTFvpmY0MlnW0JtGy87iol
+P4l431G1hzkZRUaxLwKvGT2+rkJYCfjjJ3fdnKFIGnNYknGYMVYcRUFmkTQ0xUQa
+9xHYjjXc7K+eLeJF3tPbnZ5/mIpSrRVAYPauP8hJZjgHrDyxAIPPSsLj89SpFrSp
+kTyBYwUT/8feb7AUGRlLk2uxMngxx1CE2+sX/rkVXhO17B4ZFY4IuiPsGdIUSxNP
+4eqQpTOsxgCNqCktFijOa1fI4bX8KUz6s2Of8wNGR59iUwOBRsHWYLYQkdTiKH1P
+I/GMs+M=
+-----END CERTIFICATE-----

src/authn/testdata/tok_rs256_ps.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImNlcnRfZjkwN3Y5IiwidHlwIjoiSldUIn0.eyJvd25lciI6ImJ1aWx0LWluIiwibmFtZSI6ImFkbWluIiwiaWQiOiI1NjVjMWRiMi0zYTczLTRhM2YtYTYwMy0yMDc5NjFkNTUxN2IiLCJkaXNwbGF5TmFtZSI6IkFkbWluIiwiYXZhdGFyIjoiaHR0cHM6Ly9jZG4uY2FzYmluLm9yZy9pbWcvY2FzYmluLnN2ZyIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20iLCJwaG9uZSI6IiIsInRva2VuVHlwZSI6ImFjY2Vzcy10b2tlbiIsInNjb3BlIjoicHJvZmlsZSIsImFkZHJlc3MiOnsiZm9ybWF0dGVkIjoiIiwic3RyZWV0X2FkZHJlc3MiOiIiLCJsb2NhbGl0eSI6IiIsInJlZ2lvbiI6IiIsInBvc3RhbF9jb2RlIjoiIiwiY291bnRyeSI6IiJ9LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJzdWIiOiI1NjVjMWRiMi0zYTczLTRhM2YtYTYwMy0yMDc5NjFkNTUxN2IiLCJhdWQiOlsiMjcwNzA3MmVmOGU4MDQ4Y2UyZGYiXSwiZXhwIjoyMDk3NjQ3MDUzLCJuYmYiOjE3Mzc2NTA2NTMsImlhdCI6MTczNzY1MDY1MywianRpIjoiYWRtaW4vM2NjYmE4MWUtMzM4Ni00MDRkLTg4ZDEtNDA3Zjk0YTc2ODkzIn0.iqMxd-8IT8cgKTFYAw0TKGDVIlYrK5x5zI2u4W2HN3bQAUFsF11qFUXaWHk1WczALSkQjJTLr2xl_Drd1VKuJQlun8PoKitxEmcd2fylRF2mJq5-BgKkxEQT_lTV5ATGOkOHZpS2aVlgw8fi0ECPn4Qj9aSzqHPxiRbEDu7R8cXfZMQp3nMdGwm_Y0w-vfR72UaapAqvL_OpWKNB7YD8nwDd43FXuYmv4eO-H1tMtBoDwovNWuw2o_cqN3dGeLygELd-HVDcHhoGTGkJlM1mvY2iDsXDi_MeiYCKlZ3qa28QVonH5eSajk6V0gQa7ILr94l8hGw6AMBPHZpVZVPRz2DnZm79EPNBwNTzM-oeOEFF57Ga-xRX6xdfbvpb7qQSEUMs-e_IibQaB7UPqGKn4cS4trpwPh-_4Zjmos_LitbNohdIk2tgvpUrqSgYjo_1ewcDouDVMqlymSCabRLlipW_GoxOBT-462_YMAWXC_96X_wTZRiy4Sb7T5ZPva30L2jRVmrqacBpMXeZ4Nq2Dgnqv5JA8rElqJ0uLPYycvYbTiPnpdtnpztF0WEOMzTD_-uCX1XEQ0WQ3dPP3AyR3Y6K_Q2Qip5vwRU8ukrfPPqOqmBzCWFQ5SM4pXCyJirVr5pj9D0V9M06SXgmePmS59zAXbm6NohiHr_A_IJZlBA

src/config.rs

@@ -53,7 +53,7 @@ impl Config {
     }
 
     pub fn replace_cert_to_pub_key(&self) -> Result<PKey<Public>, ErrorStack> {
-        let cert_x509 = &X509::from_pem(self.certificate.as_bytes())?;
+        let cert_x509 = X509::from_pem(self.certificate.as_bytes())?;
         cert_x509.public_key()
     }
 }