From 78fb200845b28993077d3ddb091409caf112f9c3 Mon Sep 17 00:00:00 2001
From: Rory Shanks
Date: Sat, 30 Mar 2024 15:41:11 +0100
Subject: [PATCH] Fixed JWKS endpoint issue due to recent security fix

---
 example-config.yaml | 2 +-
 lib/http.js | 4 +++-
 test/e2e/configs/veriflow.yaml | 1 -
 test/e2e/tests/jwks_test.js | 6 ++++++
 util/caddyModels.js | 3 ++-
 5 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 test/e2e/tests/jwks_test.js

diff --git a/example-config.yaml b/example-config.yaml
index e2fe48a..ae130ec 100644
--- a/example-config.yaml
+++ b/example-config.yaml
@@ -31,7 +31,7 @@ idp_refresh_directory_interval: 10m
 idp_refresh_directory_timeout: 5m
 signing_key: "BASE64_ENCODED_RSA_PRIVATE_KEY"
 redirect_base_path: /.veriflow
-jwks_path: /.well-known/veriflow/jwks.json
+jwks_path: /.veriflow/jwks.json
 trusted_ranges:
   - 192.168.60.0/24
   - 192.168.61.0/24
diff --git a/lib/http.js b/lib/http.js
index 587e7bb..3c5729b 100644
--- a/lib/http.js
+++ b/lib/http.js
@@ -101,7 +101,9 @@ app.get(redirectBasePath + '/logout', async (req, res) => {
 app.get(redirectBasePath + '/auth', ssoController.redirectToSsoProvider)
 app.get(redirectBasePath + '/callback', ssoController.verifySsoCallback)
-app.get(config.jwks_path, (req, res) => {
+var jwksPath = config.jwks_path || getRedirectBasepath() + "/jwks.json"
+
+app.get(jwksPath, (req, res) => {
     res.json({
         keys: [jwks],
     });
diff --git a/test/e2e/configs/veriflow.yaml b/test/e2e/configs/veriflow.yaml
index 060fb52..b96a5b3 100644
--- a/test/e2e/configs/veriflow.yaml
+++ b/test/e2e/configs/veriflow.yaml
@@ -21,7 +21,6 @@ refresh_idp_at_start: true
 # BELOW KEY IS ONLY FOR TESTING AND NOT A REAL KEY
 signing_key: "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" # ONLY FOR TESTING
 redirect_base_path: /.veriflow
-jwks_path: /.well-known/pomerium/jwks.json
 kid_override: "0"
 policy:
   - from: http://test-basic-login.localtest.me
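Review bot: The new `jwksPath` line recomputes the default with the same `config.jwks_path || getRedirectBasepath() + "/jwks.json"` expression that util/caddyModels.js uses to build its path list, so the route Express serves and the path Caddy is told about can silently drift if either copy is edited alone; a single helper next to `getRedirectBasepath()`, e.g. `function getJwksPath() { return config.jwks_path || getRedirectBasepath() + "/jwks.json" }`, called from both files would keep them in lock-step. The surrounding routes build on the `redirectBasePath` variable while this line calls `getRedirectBasepath()`; if those hold the same value, use one form consistently, and `const` rather than `var` since nothing reassigns `jwksPath`. Note also that a configured `jwks_path` is passed verbatim as an Express route string, so a value containing `:` or `*` would be treated as a pattern rather than a literal path; rejecting such values at config load (absolute path, no pattern characters) would be cheap. With `||`, an explicitly empty `jwks_path` silently falls back to the default, which is probably intended but worth a one-line comment.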
diff --git a/test/e2e/tests/jwks_test.js b/test/e2e/tests/jwks_test.js
new file mode 100644
index 0000000..685e73e
--- /dev/null
+++ b/test/e2e/tests/jwks_test.js
@@ -0,0 +1,6 @@
+Feature('JWKS').retry(3);
+
+Scenario('I can see JWKS from configuration', async ({ I }) => {
+    I.amOnPage('http://veriflow.localtest.me/.veriflow/jwks.json');
+    I.see("kid")
+})
\ No newline at end of file
diff --git a/util/caddyModels.js b/util/caddyModels.js
index 9e14d21..40c7056 100644
--- a/util/caddyModels.js
+++ b/util/caddyModels.js
@@ -394,7 +394,8 @@ async function generateCaddyConfig() {
             getRedirectBasepath() + "/set",
             getRedirectBasepath() + "/logout",
             getRedirectBasepath() + "/auth",
-            getRedirectBasepath() + "/callback"
+            getRedirectBasepath() + "/callback",
+            config.jwks_path || getRedirectBasepath() + "/jwks.json"
           ]
         }
       ],
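Review bot: `I.see("kid")` in the new scenario only checks that the substring `kid` appears somewhere in the page, so a JSON error body or an HTML page that happens to contain the word would pass; the accompanying test config sets `kid_override: "0"`, so if that is the `kid` the endpoint serves, asserting on the full member, `I.see('"kid":"0"')`, pins the actual key document. The scenario title says "from configuration", but the same commit removes `jwks_path` from the test config, so this exercises only the built-in default path — a second scenario with an explicit `jwks_path` would cover the configured case the commit is about. `.retry(3)` on the feature masks intermittent failures of what should be a deterministic GET; either drop it or add a comment saying why it is needed.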
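Review bot: The added entry appends whatever `config.jwks_path` holds to this path list without any validation; if the list is the set of paths Caddy lets through without requiring authentication (the neighbouring `/auth`, `/callback` and `/logout` entries suggest so, but the list's consumer is outside the hunk), a misconfigured `jwks_path` such as `/` or a value containing a Caddy wildcard would exempt far more than the key document. Rejecting at config load anything that is not an absolute path free of `*`, or requiring it to sit under `getRedirectBasepath()`, would close that. The `config.jwks_path || getRedirectBasepath() + "/jwks.json"` expression is duplicated verbatim in lib/http.js; hoisting it into one helper, e.g. `getJwksPath()`, keeps the served route and the allow-listed path identical by construction. `generateCaddyConfig` starts and ends outside the hunk.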