Merge pull request #96 from Cafeine42/main

Support for Placeholder Integration on JWKURL

Author: ggicci

jwt.go

@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/caddyserver/caddy/v2"
@@ -30,6 +31,23 @@ func init() {
 type User = caddyauth.User
 type Token = jwt.Token
 
+// jwkCacheEntry stores the JWK cache information for a specific URL
+type jwkCacheEntry struct {
+	URL       string
+	Cache     *jwk.Cache
+	CachedSet jwk.Set
+}
+
+// refresh refreshes the JWK cache for this entry
+func (entry *jwkCacheEntry) refresh(ctx context.Context, logger *zap.Logger) error {
+	_, err := entry.Cache.Refresh(ctx, entry.URL)
+	if err != nil {
+		logger.Warn("failed to refresh JWK cache", zap.Error(err), zap.String("url", entry.URL))
+		return err
+	}
+	return nil
+}
+
 // JWTAuth facilitates JWT (JSON Web Token) authentication.
 type JWTAuth struct {
 	// SignKey is the key used by the signing algorithm to verify the signature.
@@ -150,8 +168,10 @@ type JWTAuth struct {
 	logger        *zap.Logger
 	parsedSignKey interface{} // can be []byte, *rsa.PublicKey, *ecdsa.PublicKey, etc.
 
-	jwkCache     *jwk.Cache
-	jwkCachedSet jwk.Set
+	// JWK cache by resolved URL to support placeholders in JWKURL
+	jwkCaches map[string]*jwkCacheEntry
+
+	mutex sync.RWMutex
 }
 
 // CaddyModule implements caddy.Module interface.
@@ -179,18 +199,64 @@ func (ja *JWTAuth) usingJWK() bool {
 }
 
 func (ja *JWTAuth) setupJWKLoader() {
-	cache := jwk.NewCache(context.Background(), jwk.WithErrSink(ja))
-	cache.Register(ja.JWKURL)
-	ja.jwkCache = cache
-	ja.refreshJWKCache()
-	ja.jwkCachedSet = jwk.NewCachedSet(cache, ja.JWKURL)
-	ja.logger.Info("using JWKs from URL", zap.String("url", ja.JWKURL), zap.Int("loaded_keys", ja.jwkCachedSet.Len()))
+	// Initialize cache for all possible URLs
+	ja.mutex.Lock()
+	ja.jwkCaches = make(map[string]*jwkCacheEntry)
+	ja.mutex.Unlock()
+	ja.logger.Info("JWK cache initialized for JWK URL", zap.String("jwk_url", ja.JWKURL))
 }
 
-// refreshJWKCache refreshes the JWK cache. It validates the JWKs from the given URL.
-func (ja *JWTAuth) refreshJWKCache() {
-	_, err := ja.jwkCache.Refresh(context.Background(), ja.JWKURL)
-	ja.logger.Warn("failed to refresh JWK cache", zap.Error(err))
+// getOrCreateJWKCache retrieves or creates a cache for a specific JWK URL
+func (ja *JWTAuth) getOrCreateJWKCache(resolvedURL string) (*jwkCacheEntry, error) {
+	// If the URL is empty, return an error
+	if resolvedURL == "" {
+		return nil, fmt.Errorf("resolved JWK URL is empty")
+	}
+
+	// First, check if cache already exists for this URL using a read lock
+	ja.mutex.RLock()
+	entry, ok := ja.jwkCaches[resolvedURL]
+	ja.mutex.RUnlock()
+
+	if ok {
+		return entry, nil
+	}
+
+	// If not found, acquire a write lock to create a new entry
+	ja.mutex.Lock()
+	defer ja.mutex.Unlock()
+
+	// Double-check if another goroutine created the cache while we were waiting for the lock
+	if entry, ok := ja.jwkCaches[resolvedURL]; ok {
+		return entry, nil
+	}
+
+	// Create a new cache for this URL
+	cache := jwk.NewCache(context.Background(), jwk.WithErrSink(ja))
+	err := cache.Register(resolvedURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to register JWK URL: %w", err)
+	}
+
+	// Create cache entry before attempting refresh
+	entry = &jwkCacheEntry{
+		URL:       resolvedURL,
+		Cache:     cache,
+		CachedSet: jwk.NewCachedSet(cache, resolvedURL),
+	}
+
+	// Try to refresh the cache immediately
+	err = entry.refresh(context.Background(), ja.logger)
+	if err != nil {
+		ja.logger.Warn("failed to refresh JWK cache during initialization", zap.Error(err), zap.String("url", resolvedURL))
+		// Continue even in case of error, the important thing is that the URL is registered
+	}
+
+	// Register the entry in the cache
+	ja.jwkCaches[resolvedURL] = entry
+	ja.logger.Info("new JWK cache created", zap.String("url", resolvedURL), zap.Int("loaded_keys", entry.CachedSet.Len()))
+
+	return entry, nil
 }
 
 // Validate implements caddy.Validator interface.
@@ -216,6 +282,8 @@ func (ja *JWTAuth) Validate() error {
 
 func (ja *JWTAuth) validateSignatureKeys() error {
 	if ja.usingJWK() {
+		// Initialize the cache structure without attempting to resolve placeholders
+		// URLs will be resolved during usage
 		ja.setupJWKLoader()
 	} else {
 		if keyBytes, asymmetric, err := parseSignKey(ja.SignKey); err != nil {
@@ -241,19 +309,36 @@ func (ja *JWTAuth) validateSignatureKeys() error {
 	return nil
 }
 
-func (ja *JWTAuth) keyProvider() jws.KeyProviderFunc {
-	return func(_ context.Context, sink jws.KeySink, sig *jws.Signature, _ *jws.Message) error {
+// resolveJWKURL prend une requête HTTP et résout l'URL JWK avec des espaces réservés
+func (ja *JWTAuth) resolveJWKURL(request *http.Request) string {
+	replacer := request.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+	return replacer.ReplaceAll(ja.JWKURL, "")
+}
+
+func (ja *JWTAuth) keyProvider(request *http.Request) jws.KeyProviderFunc {
+	return func(curContext context.Context, sink jws.KeySink, sig *jws.Signature, _ *jws.Message) error {
 		if ja.usingJWK() {
+			resolvedURL := ja.resolveJWKURL(request)
+
+			ja.logger.Info("JWK URL", zap.String("unresolved", ja.JWKURL), zap.String("resolved", resolvedURL))
+
+			// Get or create the cache for this URL
+			cacheEntry, err := ja.getOrCreateJWKCache(resolvedURL)
+			if err != nil {
+				return fmt.Errorf("failed to get JWK cache: %w", err)
+			}
+
+			// Use the key set associated with this URL
 			kid := sig.ProtectedHeaders().KeyID()
-			key, found := ja.jwkCachedSet.LookupKeyID(kid)
+			key, found := cacheEntry.CachedSet.LookupKeyID(kid)
 			if !found {
-				// trigger a refresh if the key is not found
-				go ja.refreshJWKCache()
+				// Trigger an asynchronous refresh if the key is not found
+				go cacheEntry.refresh(context.Background(), ja.logger)
 
 				if kid == "" {
 					return fmt.Errorf("missing kid in JWT header")
 				}
-				return fmt.Errorf("key specified by kid %q not found in JWKs", kid)
+				return fmt.Errorf("key specified by kid %q not found in JWKs from %s", kid, resolvedURL)
 			}
 			sink.Key(ja.determineSigningAlgorithm(key.Algorithm(), sig.ProtectedHeaders().Algorithm()), key)
 		} else if ja.SignAlgorithm == string(jwa.EdDSA) {
@@ -304,7 +389,7 @@ func (ja *JWTAuth) Authenticate(rw http.ResponseWriter, r *http.Request) (User,
 			jwt.WithVerify(!ja.SkipVerification),
 		}
 		if !ja.SkipVerification {
-			jwtOptions = append(jwtOptions, jwt.WithKeyProvider(ja.keyProvider()))
+			jwtOptions = append(jwtOptions, jwt.WithKeyProvider(ja.keyProvider(r)))
 		}
 		gotToken, err = jwt.ParseString(tokenString, jwtOptions...)
 
@@ -515,15 +600,15 @@ func desensitizedTokenString(token string) string {
 func parseSignKey(signKey string) (keyBytes []byte, asymmetric bool, err error) {
 	repl := caddy.NewReplacer()
 	// Replace placeholders in the signKey such as {file./path/to/sign_key.txt}
-	signKey = repl.ReplaceAll(signKey, "")
-	if len(signKey) == 0 {
+	resolvedSignKey := repl.ReplaceAll(signKey, "")
+	if len(resolvedSignKey) == 0 {
 		return nil, false, ErrMissingKeys
 	}
-	if strings.Contains(signKey, "-----BEGIN PUBLIC KEY-----") {
-		keyBytes, err = parsePEMFormattedPublicKey(signKey)
+	if strings.Contains(resolvedSignKey, "-----BEGIN PUBLIC KEY-----") {
+		keyBytes, err = parsePEMFormattedPublicKey(resolvedSignKey)
 		return keyBytes, true, err
 	}
-	keyBytes, err = base64.StdEncoding.DecodeString(signKey)
+	keyBytes, err = base64.StdEncoding.DecodeString(resolvedSignKey)
 	return keyBytes, false, err
 }
 

jwt_test.go

@@ -1,11 +1,13 @@
 package caddyjwt
 
 import (
+	"context"
 	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"encoding/json"
+	"github.com/caddyserver/caddy/v2"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -153,9 +155,20 @@ func issueTokenStringEdDSA(claims MapClaims) string {
 	return string(tokenBytes)
 }
 
-func issueTokenStringJWK(claims MapClaims) string {
+func issueTokenStringJWK(claims MapClaims, options ...func(*jwt.SignOption)) string {
 	token := buildToken(claims)
-	tokenBytes, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, jwkKey))
+
+	// Options par défaut
+	signOptions := []jwt.SignOption{jwt.WithKey(jwa.RS256, jwkKey)}
+
+	// Appliquer les options supplémentaires
+	for _, opt := range options {
+		var option jwt.SignOption
+		opt(&option)
+		signOptions = append(signOptions, option)
+	}
+
+	tokenBytes, err := jwt.Sign(token, signOptions...)
 	panicOnError(err)
 
 	return string(tokenBytes)
@@ -772,45 +785,83 @@ func TestJWK(t *testing.T) {
 	time.Sleep(3 * time.Second)
 	ja := &JWTAuth{JWKURL: TestJWKURL, logger: testLogger}
 	assert.Nil(t, ja.Validate())
-	assert.Equal(t, 1, ja.jwkCachedSet.Len())
 
+	// Le cache sera créé lors de la première authentification
 	token := issueTokenStringJWK(MapClaims{"sub": "ggicci"})
 	rw := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "/", nil)
+
+	repl := caddy.NewReplacer()
+	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
+	r = r.WithContext(ctx)
+
 	r.Header.Add("Authorization", "Bearer "+token)
 	gotUser, authenticated, err := ja.Authenticate(rw, r)
 	assert.Nil(t, err)
 	assert.True(t, authenticated)
 	assert.Equal(t, User{ID: "ggicci"}, gotUser)
+
+	// Vérifier que le cache a bien été créé pour l'URL
+	assert.NotNil(t, ja.jwkCaches)
+	cachedEntry, exists := ja.jwkCaches[TestJWKURL]
+	assert.True(t, exists, "Le cache devrait exister pour l'URL de test")
+	assert.NotNil(t, cachedEntry)
+	assert.Equal(t, 1, cachedEntry.CachedSet.Len())
 }
 
 func TestJWKSet(t *testing.T) {
 	time.Sleep(3 * time.Second)
 	ja := &JWTAuth{JWKURL: TestJWKSetURL, logger: testLogger}
 	assert.Nil(t, ja.Validate())
-	assert.Equal(t, 2, ja.jwkCachedSet.Len())
 
+	// Authentifier pour créer le cache
 	token := issueTokenStringJWK(MapClaims{"sub": "ggicci"})
 	rw := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "/", nil)
+
+	repl := caddy.NewReplacer()
+	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
+	r = r.WithContext(ctx)
+
 	r.Header.Add("Authorization", "Bearer "+token)
 	gotUser, authenticated, err := ja.Authenticate(rw, r)
 	assert.Nil(t, err)
 	assert.True(t, authenticated)
 	assert.Equal(t, User{ID: "ggicci"}, gotUser)
+
+	// Vérifier que le cache a été créé correctement
+	assert.NotNil(t, ja.jwkCaches)
+	cachedEntry, exists := ja.jwkCaches[TestJWKSetURL]
+	assert.True(t, exists, "Le cache devrait exister pour l'URL du set JWK")
+	assert.NotNil(t, cachedEntry)
+	assert.Equal(t, 2, cachedEntry.CachedSet.Len())
 }
 
 func TestJWKSet_KeyNotFound(t *testing.T) {
 	time.Sleep(3 * time.Second)
 	ja := &JWTAuth{JWKURL: TestJWKSetURLInapplicable, logger: testLogger}
 	assert.Nil(t, ja.Validate())
-	assert.Equal(t, 2, ja.jwkCachedSet.Len())
 
+	// Première requête pour créer le cache
 	token := issueTokenStringJWK(MapClaims{"sub": "ggicci"})
 	rw := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "/", nil)
+
+	repl := caddy.NewReplacer()
+	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
+	r = r.WithContext(ctx)
+
 	r.Header.Add("Authorization", "Bearer "+token)
 	gotUser, authenticated, err := ja.Authenticate(rw, r)
+
+	// Vérifier que le cache a été créé correctement
+	assert.NotNil(t, ja.jwkCaches)
+	cachedEntry, exists := ja.jwkCaches[TestJWKSetURLInapplicable]
+	assert.True(t, exists, "Le cache devrait exister pour l'URL inapplicable")
+	assert.NotNil(t, cachedEntry)
+	assert.Equal(t, 2, cachedEntry.CachedSet.Len())
+
+	// Vérifier que l'authentification a échoué car la clé n'est pas trouvée
 	assert.Error(t, err)
 	assert.False(t, authenticated)
 	assert.Empty(t, gotUser.ID)