do not accept PKCS#8, certificates.

accept jwk

Author: felixheck

src/utils.js

@@ -1,5 +1,6 @@
 const boom = require('boom')
 const joi = require('joi')
+const jwkToPem = require('jwk-to-pem')
 
 /**
  * @type Object
@@ -18,7 +19,7 @@ const scheme = joi.object({
     .description('The related secret of the Keycloak client/application')
     .example('1234-bar-4321-foo'),
   publicKey: joi.alternatives().try(
-    joi.string().regex(/^-----BEGIN((( RSA)? PUBLIC KEY)| CERTIFICATE)-----[\s\S]*-----END((( RSA)? PUBLIC KEY)| CERTIFICATE)-----\s?$/ig, 'PEM'),
+    joi.string().regex(/^-----BEGIN RSA PUBLIC KEY-----[\s\S]*-----END RSA PUBLIC KEY-----\s?$/ig, 'PEM'),
     joi.object().type(Buffer),
     joi.object({
       kty: joi.string().required()
@@ -45,18 +46,37 @@ const scheme = joi.object({
 .unknown(false)
 .required()
 
+/**
+ * @function
+ * @private
+ *
+ * Check whether the passed in value is a JSON Web Key.
+ *
+ * @param {*} key The value to be tested
+ * @returns {boolean} Whether the value is a JWK
+ */
+function isJwk (key) {
+  return !!(key && key.kty)
+}
+
 /**
  * @function
  * @public
  *
  * Validate the plugin related options.
+ * If `publicKey` is JWK transform to PEM.
  *
  * @param {Object} opts The plugin related options
  * @returns {Object} The validated options
  *
- * @throws {Error} Options are invalid
+ * @throws {TypeError} If JWK is malformed or invalid
+ * @throws {Error} If options are invalid
  */
 function verify (opts) {
+  if (isJwk(opts.publicKey)) {
+    opts.publicKey = jwkToPem(opts.publicKey)
+  }
+
   return joi.attempt(opts, scheme)
 }
 
@@ -109,6 +129,7 @@ function fakeToolkit (h) {
 }
 
 module.exports = {
+  isJwk,
   raiseUnauthorized,
   errorMessages,
   fakeToolkit,

test/fixtures/index.js

@@ -48,8 +48,8 @@ const entitlementPath = `/authz/entitlement/${clientId}`
 const realmUrl = `${baseUrl}${realmPath}`
 const publicKeyBuffer = fs.readFileSync('./test/fixtures/public-rsa.pem')
 const publicKeyRsa = publicKeyBuffer.toString()
-const publicKey = fs.readFileSync('./test/fixtures/public.pem')
-const publicKeyCert = fs.readFileSync('./test/fixtures/public.cert')
+const publicKey = fs.readFileSync('./test/fixtures/public.pem').toString()
+const publicKeyCert = fs.readFileSync('./test/fixtures/public.cert').toString()
 const publicKeyJwk = {
   kty: 'RSA',
   n: 'ALq_ejKEGv25YOXiRapjf_1eKEIymgSZeihL1khgFYEZtj7JxSswiSvWia1IxE0uO9_8enwB18heUCrp-mrzcaVrNlc8JTuLfAYthKUltsNJXndjs0fzBQmFF9QYNNDly5nYdJL3pgAR10ji-GbOJzfea6--ybHRup7cpVprZ2ZaH8ksC4xa1wdiRabp5eJ-3he8vLw-GcsnL4vsZfjrjAOqqJi0JnyAxdKiYdEDLf8YeggeKKCuWhculRzkVOYEujKEoCe_GT4apimskXelNK4Qzqu21olcpJLUz3QdV_2JTG0B6J8qmdM9rIe3u6Ja6FHRNRbA4tEncVdmc733_CCD0hk--IELmlOG7qFVKTI0nVw3ycPZuIv5obGcF9fzFFPDqtQLAR3YE5DVWlcBXOmewKiUhlv5sTCkKrKTq_vwQDPKZ8OQQkf0Z2QSXzIwGIkoeq1WLhFlAQS4GViETQDMkcEvDrVsQA3zgbVcJ_H5sPLHIa6PVw9e1XKk3Y5UtTJK-92aA9RmoFmb7kjms9j9D4Z32qUVBdSpG44528sy6X0_DIKL78QUCQyHEWC-aHrV7v_1eazQK9J2uMzAZDzotwK6RafmeGCrpWJkhBv_9teqy5s45VihJB9Tit_Y3XQ6zE4nZcQymPkx4XskAT2eqRX2yhDOdvNYJWI5HkKR',

test/index.verify.spec.js

@@ -104,7 +104,9 @@ test('throw error if options are invalid – publicKey', (t) => {
     {},
     {
       foobar: 42
-    }
+    },
+    fixtures.common.publicKey,
+    fixtures.common.publicKeyCert
   ]
 
   t.plan(invalids.length)
@@ -258,18 +260,6 @@ test('throw no error if options are valid – offline', (t) => {
   })
 })
 
-test('throw no error if options are valid – publicKey', (t) => {
-  t.plan(valids.length)
-
-  valids.forEach((valid) => {
-    t.notThrows(
-      () => utils.verify(helpers.getOptions(Object.assign({
-        publicKey: fixtures.common.publicKey
-      }, valid))),
-      Error, helpers.log('valid.publicKey', valid))
-  })
-})
-
 test('throw no error if options are valid – publicKey/Rsa', (t) => {
   t.plan(valids.length)
 
@@ -282,18 +272,6 @@ test('throw no error if options are valid – publicKey/Rsa', (t) => {
   })
 })
 
-test('throw no error if options are valid – publicKey/Cert', (t) => {
-  t.plan(valids.length)
-
-  valids.forEach((valid) => {
-    t.notThrows(
-      () => utils.verify(helpers.getOptions(Object.assign({
-        publicKey: fixtures.common.publicKeyCert
-      }, valid))),
-      Error, helpers.log('valid.publicKey/Cert', valid))
-  })
-})
-
 test('throw no error if options are valid – publicKey/Buffer', (t) => {
   t.plan(valids.length)