2022-02-14 02:33:49 +03:00
-- |
-- Module : Hasura.Server.Auth.JWT
-- Description : Implements JWT Configuration and Validation Logic.
-- Copyright : Hasura
-- This module implements the bulk of Hasura's JWT capabilities and interactions.
-- Its main point of non-testing invocation is `Hasura.Server.Auth`.
-- It exports both `processJwt` and `processJwt_` with `processJwt_` being the
-- majority of the implementation with the JWT Token processing function
-- passed in as an argument in order to enable mocking in test-code.
-- In `processJwt_`, prior to validation of the token, first the token locations
-- and issuers are reconciled. Locations are either specified as auth or
-- cookie (with cookie name) or assumed to be auth. Issuers can be omitted or
-- specified, where an omitted configured issuer can match any issuer specified by
-- a request.
-- If none match, then this is considered an no-auth request, if one matches,
-- then normal token auth is performed, and if multiple match, then this is
-- considered an ambiguity error.
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
module Hasura.Server.Auth.JWT
2021-09-24 01:56:37 +03:00
( processJwt,
2022-02-14 02:33:49 +03:00
StringOrURI (..),
2021-09-24 01:56:37 +03:00
JWTConfig (..),
JWTCtx (..),
Jose.JWKSet (..),
JWTClaimsFormat (..),
JWTClaims (..),
JwkFetchError (..),
JWTHeader (..),
JWTNamespace (..),
-- * Exposed for testing
2022-02-14 02:33:49 +03:00
2021-09-24 01:56:37 +03:00
JWTCustomClaimsMapValueG (..),
JWTCustomClaimsMap (..),
2022-01-28 03:17:53 +03:00
2021-09-24 01:56:37 +03:00
import Control.Concurrent.Extended qualified as C
import Control.Exception.Lifted (try)
import Control.Lens
import Control.Monad.Trans.Control (MonadBaseControl)
import Crypto.JWT qualified as Jose
import Data.Aeson qualified as J
import Data.Aeson.Casing qualified as J
import Data.Aeson.Internal (JSONPath)
import Data.Aeson.TH qualified as J
2022-02-14 02:33:49 +03:00
import Data.ByteArray.Encoding qualified as BAE
import Data.ByteString.Char8 qualified as BC
import Data.ByteString.Internal qualified as B
2021-09-24 01:56:37 +03:00
import Data.ByteString.Lazy qualified as BL
import Data.ByteString.Lazy.Char8 qualified as BLC
import Data.CaseInsensitive qualified as CI
import Data.HashMap.Strict qualified as Map
2022-02-14 02:33:49 +03:00
import Data.Hashable
2021-09-24 01:56:37 +03:00
import Data.IORef (IORef, readIORef, writeIORef)
import Data.Parser.CacheControl
import Data.Parser.Expires
import Data.Parser.JSONPath (parseJSONPath)
import Data.Text qualified as T
import Data.Text.Encoding qualified as T
import Data.Time.Clock
( NominalDiffTime,
import GHC.AssertNF.CPP
import Hasura.Base.Error
import Hasura.HTTP
import Hasura.Logging (Hasura, LogLevel (..), Logger (..))
import Hasura.Prelude
import Hasura.Server.Auth.JWT.Internal (parseEdDSAKey, parseHmacKey, parseRsaKey)
import Hasura.Server.Auth.JWT.Logging
import Hasura.Server.Utils
( executeJSONPath,
import Hasura.Session
import Hasura.Tracing qualified as Tracing
import Network.HTTP.Client.Transformable qualified as HTTP
2021-11-09 15:00:21 +03:00
import Network.HTTP.Types as N
2021-09-24 01:56:37 +03:00
import Network.URI (URI)
import Network.Wreq qualified as Wreq
import Web.Spock.Internal.Cookies qualified as Spock
2018-09-27 14:22:49 +03:00
newtype RawJWT = RawJWT BL.ByteString
2019-02-05 15:04:16 +03:00
data JWTClaimsFormat
= JCFJson
| JCFStringifiedJson
deriving (Show, Eq)
2021-09-24 01:56:37 +03:00
$( J.deriveJSON
{ J.sumEncoding = J.ObjectWithSingleField,
J.constructorTagModifier = J.snakeCase . drop 3
2019-02-05 15:04:16 +03:00
2021-02-25 12:02:43 +03:00
data JWTHeader
= JHAuthorization
| JHCookie Text -- cookie name
2022-02-14 02:33:49 +03:00
deriving (Show, Eq, Generic)
instance Hashable JWTHeader
2021-02-25 12:02:43 +03:00
instance J.FromJSON JWTHeader where
parseJSON = J.withObject "JWTHeader" $ \o -> do
hdrType <- o J..: "type" <&> CI.mk @Text
2021-09-24 01:56:37 +03:00
| hdrType == "Authorization" -> pure JHAuthorization
| hdrType == "Cookie" -> JHCookie <$> o J..: "name"
| otherwise -> fail "expected 'type' is 'Authorization' or 'Cookie'"
2021-02-25 12:02:43 +03:00
instance J.ToJSON JWTHeader where
toJSON JHAuthorization = J.object ["type" J..= ("Authorization" :: String)]
2021-09-24 01:56:37 +03:00
toJSON (JHCookie name) =
[ "type" J..= ("Cookie" :: String),
"name" J..= name
2021-02-25 12:02:43 +03:00
2020-08-31 19:40:01 +03:00
defaultClaimsFormat :: JWTClaimsFormat
defaultClaimsFormat = JCFJson
allowedRolesClaim :: SessionVariable
allowedRolesClaim = mkSessionVariable "x-hasura-allowed-roles"
defaultRoleClaim :: SessionVariable
defaultRoleClaim = mkSessionVariable "x-hasura-default-role"
defaultClaimsNamespace :: Text
defaultClaimsNamespace = "https://hasura.io/jwt/claims"
-- | 'JWTCustomClaimsMapValueG' is used to represent a single value of
-- the 'JWTCustomClaimsMap'. A 'JWTCustomClaimsMapValueG' can either be
-- an JSON object or the literal value of the claim. If the value is an
-- JSON object, then it should contain a key `path`, which is the JSON path
-- to the claim value in the JWT token. There's also an option to specify a
-- default value in the map via the 'default' key, which will be used
-- when a peek at the JWT token using the JSON path fails (key does not exist).
data JWTCustomClaimsMapValueG v
2021-09-24 01:56:37 +03:00
= -- | JSONPath to the key in the claims map, in case
-- the key doesn't exist in the claims map then the default
-- value will be used (if provided)
JWTCustomClaimsMapJSONPath !J.JSONPath !(Maybe v)
2020-08-31 19:40:01 +03:00
| JWTCustomClaimsMapStatic !v
deriving (Show, Eq, Functor, Foldable, Traversable)
instance (J.FromJSON v) => J.FromJSON (JWTCustomClaimsMapValueG v) where
parseJSON (J.Object obj) = do
path <- obj J..: "path" >>= (either fail pure . parseJSONPath)
defaultVal <- obj J..:? "default" >>= traverse pure
pure $ JWTCustomClaimsMapJSONPath path defaultVal
parseJSON v = JWTCustomClaimsMapStatic <$> J.parseJSON v
instance (J.ToJSON v) => J.ToJSON (JWTCustomClaimsMapValueG v) where
toJSON (JWTCustomClaimsMapJSONPath jsonPath mDefVal) =
J.object $
2021-09-24 01:56:37 +03:00
["path" J..= encodeJSONPath jsonPath]
<> ["default" J..= defVal | Just defVal <- [mDefVal]]
toJSON (JWTCustomClaimsMapStatic v) = J.toJSON v
2020-08-31 19:40:01 +03:00
type JWTCustomClaimsMapDefaultRole = JWTCustomClaimsMapValueG RoleName
2021-09-24 01:56:37 +03:00
2020-08-31 19:40:01 +03:00
type JWTCustomClaimsMapAllowedRoles = JWTCustomClaimsMapValueG [RoleName]
-- Used to store other session variables like `x-hasura-user-id`
type JWTCustomClaimsMapValue = JWTCustomClaimsMapValueG SessionVariableValue
type CustomClaimsMap = Map.HashMap SessionVariable JWTCustomClaimsMapValue
-- | JWTClaimsMap is an option to provide a custom JWT claims map.
-- The JWTClaimsMap should be specified in the `HASURA_GRAPHQL_JWT_SECRET`
-- in the `claims_map`. The JWTClaimsMap, if specified, requires two
-- mandatory fields, namely, `x-hasura-allowed-roles` and the
-- `x-hasura-default-role`, other claims may also be provided in the claims map.
2021-09-24 01:56:37 +03:00
data JWTCustomClaimsMap = JWTCustomClaimsMap
{ jcmDefaultRole :: !JWTCustomClaimsMapDefaultRole,
jcmAllowedRoles :: !JWTCustomClaimsMapAllowedRoles,
jcmCustomClaims :: !CustomClaimsMap
deriving (Show, Eq)
2020-08-31 19:40:01 +03:00
instance J.ToJSON JWTCustomClaimsMap where
toJSON (JWTCustomClaimsMap defaultRole allowedRoles customClaims) =
J.Object $
2021-09-24 01:56:37 +03:00
Map.fromList $
[ (sessionVariableToText defaultRoleClaim, J.toJSON defaultRole),
(sessionVariableToText allowedRolesClaim, J.toJSON allowedRoles)
<> map (sessionVariableToText *** J.toJSON) (Map.toList customClaims)
2020-08-31 19:40:01 +03:00
instance J.FromJSON JWTCustomClaimsMap where
parseJSON = J.withObject "JWTClaimsMap" $ \obj -> do
let withNotFoundError sessionVariable =
2021-09-24 01:56:37 +03:00
let errorMsg =
T.unpack $
sessionVariableToText sessionVariable <> " is expected but not found"
in Map.lookup (sessionVariableToText sessionVariable) obj
`onNothing` fail errorMsg
allowedRoles <- withNotFoundError allowedRolesClaim >>= J.parseJSON
defaultRole <- withNotFoundError defaultRoleClaim >>= J.parseJSON
let filteredClaims =
Map.delete allowedRolesClaim $
Map.delete defaultRoleClaim $
mapKeys mkSessionVariable obj
2020-08-31 19:40:01 +03:00
customClaims <- flip Map.traverseWithKey filteredClaims $ const $ J.parseJSON
pure $ JWTCustomClaimsMap defaultRole allowedRoles customClaims
-- | JWTNamespace is used to locate the claims map within the JWT token.
-- The location can be either provided via a JSON path or the name of the
-- key in the JWT token.
data JWTNamespace
2020-04-16 09:45:21 +03:00
= ClaimNsPath JSONPath
2020-10-27 16:53:49 +03:00
| ClaimNs Text
2020-04-16 09:45:21 +03:00
deriving (Show, Eq)
2020-08-31 19:40:01 +03:00
instance J.ToJSON JWTNamespace where
2020-04-16 09:45:21 +03:00
toJSON (ClaimNsPath nsPath) = J.String . T.pack $ encodeJSONPath nsPath
2021-09-24 01:56:37 +03:00
toJSON (ClaimNs ns) = J.String ns
2020-04-16 09:45:21 +03:00
2020-08-31 19:40:01 +03:00
data JWTClaims
= JCNamespace !JWTNamespace !JWTClaimsFormat
| JCMap !JWTCustomClaimsMap
deriving (Show, Eq)
2022-02-14 02:33:49 +03:00
-- | Hashable Wrapper for constructing a HashMap of JWTConfigs
newtype StringOrURI = StringOrURI {unStringOrURI :: Jose.StringOrURI}
deriving newtype (Show, Eq, J.ToJSON, J.FromJSON)
instance J.ToJSONKey StringOrURI
instance J.FromJSONKey StringOrURI
instance J.ToJSONKey (Maybe StringOrURI)
instance J.FromJSONKey (Maybe StringOrURI)
instance Hashable StringOrURI where
hashWithSalt i = hashWithSalt i . J.encode
2020-05-19 17:48:49 +03:00
-- | The JWT configuration we got from the user.
2021-09-24 01:56:37 +03:00
data JWTConfig = JWTConfig
{ jcKeyOrUrl :: !(Either Jose.JWK URI),
jcAudience :: !(Maybe Jose.Audience),
jcIssuer :: !(Maybe Jose.StringOrURI),
jcClaims :: !JWTClaims,
jcAllowedSkew :: !(Maybe NominalDiffTime),
jcHeader :: !(Maybe JWTHeader)
deriving (Show, Eq)
2020-05-19 17:48:49 +03:00
-- | The validated runtime JWT configuration returned by 'mkJwtCtx' in 'setupAuthMode'.
-- This is also evidence that the 'jwkRefreshCtrl' thread is running, if an
-- expiration schedule could be determined.
2021-09-24 01:56:37 +03:00
data JWTCtx = JWTCtx
{ -- | This needs to be a mutable variable for 'updateJwkRef'.
jcxKey :: !(IORef Jose.JWKSet),
jcxAudience :: !(Maybe Jose.Audience),
jcxIssuer :: !(Maybe Jose.StringOrURI),
jcxClaims :: !JWTClaims,
jcxAllowedSkew :: !(Maybe NominalDiffTime),
jcxHeader :: !JWTHeader
deriving (Eq)
2018-11-16 15:40:23 +03:00
instance Show JWTCtx where
2021-02-25 12:02:43 +03:00
show (JWTCtx _ audM iss claims allowedSkew headers) =
show ["<IORef JWKSet>", show audM, show iss, show claims, show allowedSkew, show headers]
add support for jwt authorization (close #186) (#255)
2021-09-24 01:56:37 +03:00
data HasuraClaims = HasuraClaims
{ _cmAllowedRoles :: ![RoleName],
_cmDefaultRole :: !RoleName
deriving (Show, Eq)
2021-01-19 22:14:42 +03:00
$(J.deriveJSON hasuraJSON ''HasuraClaims)
2020-03-05 20:59:26 +03:00
-- | An action that refreshes the JWK at intervals in an infinite loop.
2021-09-24 01:56:37 +03:00
jwkRefreshCtrl ::
2021-10-13 19:38:56 +03:00
(MonadIO m, MonadBaseControl IO m, Tracing.HasReporter m) =>
2021-09-24 01:56:37 +03:00
Logger Hasura ->
HTTP.Manager ->
URI ->
IORef Jose.JWKSet ->
DiffTime ->
m void
2020-07-14 22:00:58 +03:00
jwkRefreshCtrl logger manager url ref time = do
2021-09-24 01:56:37 +03:00
liftIO $ C.sleep time
forever $ Tracing.runTraceT "jwk refresh" do
res <- runExceptT $ updateJwkRef logger manager url ref
mTime <- onLeft res (const $ logNotice >> return Nothing)
-- if can't parse time from header, defaults to 1 min
2022-01-28 03:17:53 +03:00
-- and never use a smaller delay than one second to avoid a tight loop
let delay = max (seconds 1) $ maybe (minutes 1) convertDuration mTime
2021-09-24 01:56:37 +03:00
liftIO $ C.sleep delay
2018-09-27 14:22:49 +03:00
2019-12-03 23:56:59 +03:00
logNotice = do
2020-02-05 10:07:31 +03:00
let err = JwkRefreshLog LevelInfo (Just "retrying again in 60 secs") Nothing
2019-12-03 23:56:59 +03:00
liftIO $ unLogger logger err
2018-09-27 14:22:49 +03:00
-- | Given a JWK url, fetch JWK from it and update the IORef
2021-09-24 01:56:37 +03:00
updateJwkRef ::
2021-10-13 19:38:56 +03:00
( MonadIO m,
2021-09-24 01:56:37 +03:00
MonadBaseControl IO m,
MonadError JwkFetchError m,
Tracing.MonadTrace m
) =>
Logger Hasura ->
HTTP.Manager ->
URI ->
IORef Jose.JWKSet ->
m (Maybe NominalDiffTime)
2018-09-27 14:22:49 +03:00
updateJwkRef (Logger logger) manager url jwkRef = do
2021-09-24 01:56:37 +03:00
let urlT = tshow url
2020-02-05 10:07:31 +03:00
infoMsg = "refreshing JWK from endpoint: " <> urlT
liftIO $ logger $ JwkRefreshLog LevelInfo (Just infoMsg) Nothing
2020-07-28 21:51:56 +03:00
res <- try $ do
2021-09-16 14:03:01 +03:00
req <- liftIO $ HTTP.mkRequestThrow $ tshow url
let req' = req & over HTTP.headers addDefaultHeaders
Tracing.tracedHttpRequest req' \req'' -> do
liftIO $ HTTP.performRequest req'' manager
2020-10-28 19:40:33 +03:00
resp <- onLeft res logAndThrowHttp
2018-09-27 14:22:49 +03:00
let status = resp ^. Wreq.responseStatus
respBody = resp ^. Wreq.responseBody
2020-02-05 10:07:31 +03:00
statusCode = status ^. Wreq.statusCode
2018-09-27 14:22:49 +03:00
2020-02-05 10:07:31 +03:00
unless (statusCode >= 200 && statusCode < 300) $ do
let errMsg = "Non-2xx response on fetching JWK from: " <> urlT
err = JFEHttpError url status respBody errMsg
logAndThrow err
2018-09-27 14:22:49 +03:00
2020-02-05 10:07:31 +03:00
let parseErr e = JFEJwkParseError (T.pack e) $ "Error parsing JWK from url: " <> urlT
2020-10-28 19:40:33 +03:00
!jwkset <- onLeft (J.eitherDecode' respBody) (logAndThrow . parseErr)
2020-03-18 04:31:22 +03:00
liftIO $ do
2021-09-24 01:56:37 +03:00
$assertNFHere jwkset -- so we don't write thunks to mutable vars
2020-03-18 04:31:22 +03:00
writeIORef jwkRef jwkset
2018-09-27 14:22:49 +03:00
2022-01-28 03:17:53 +03:00
determineJwkExpiryLifetime (liftIO getCurrentTime) (Logger logger) (resp ^. Wreq.responseHeaders)
2018-09-27 14:22:49 +03:00
2020-02-05 10:07:31 +03:00
logAndThrow :: (MonadIO m, MonadError JwkFetchError m) => JwkFetchError -> m a
logAndThrow err = do
liftIO $ logger $ JwkRefreshLog (LevelOther "critical") Nothing (Just err)
throwError err
logAndThrowHttp :: (MonadIO m, MonadError JwkFetchError m) => HTTP.HttpException -> m a
logAndThrowHttp httpEx = do
let errMsg = "Error fetching JWK: " <> T.pack (getHttpExceptionMsg httpEx)
err = JFEHttpException (HttpException httpEx) errMsg
logAndThrow err
2018-09-27 14:22:49 +03:00
2019-08-01 13:51:59 +03:00
getHttpExceptionMsg = \case
HTTP.HttpExceptionRequest _ reason -> show reason
2021-09-24 01:56:37 +03:00
HTTP.InvalidUrlException _ reason -> show reason
2019-08-01 13:51:59 +03:00
2022-01-28 03:17:53 +03:00
-- | First check for Cache-Control header, if not found, look for Expires header
determineJwkExpiryLifetime ::
forall m.
(MonadIO m, MonadError JwkFetchError m) =>
m UTCTime ->
Logger Hasura ->
ResponseHeaders ->
m (Maybe NominalDiffTime)
determineJwkExpiryLifetime getCurrentTime' (Logger logger) responseHeaders =
runMaybeT $ timeFromCacheControl <|> timeFromExpires
parseCacheControlErr :: Text -> JwkFetchError
parseCacheControlErr e =
(Just e)
"Failed parsing Cache-Control header from JWK response"
parseTimeErr :: JwkFetchError
parseTimeErr =
"Failed parsing Expires header from JWK response. Value of header is not a valid timestamp"
timeFromCacheControl :: MaybeT m NominalDiffTime
timeFromCacheControl = do
header <- afold $ bsToTxt <$> lookup "Cache-Control" responseHeaders
cacheControl <- parseCacheControl header `onLeft` \err -> logAndThrowInfo $ parseCacheControlErr $ T.pack err
if noCacheExists cacheControl || noStoreExists cacheControl || mustRevalidateExists cacheControl
then pure 0 -- In these cases we want don't want to cache the JWK, so we use an immediate expiry time
else fromInteger <$> MaybeT (findMaxAge cacheControl `onLeft` \err -> logAndThrowInfo $ parseCacheControlErr $ T.pack err)
timeFromExpires :: MaybeT m NominalDiffTime
timeFromExpires = do
header <- afold $ bsToTxt <$> lookup "Expires" responseHeaders
expiry <- parseExpirationTime header `onLeft` const (logAndThrowInfo parseTimeErr)
diffUTCTime expiry <$> lift getCurrentTime'
logAndThrowInfo :: (MonadIO m1, MonadError JwkFetchError m1) => JwkFetchError -> m1 a
logAndThrowInfo err = do
liftIO $ logger $ JwkRefreshLog LevelInfo Nothing (Just err)
throwError err
2020-08-31 19:40:01 +03:00
type ClaimsMap = Map.HashMap SessionVariable J.Value
2018-09-27 14:22:49 +03:00
2022-02-14 02:33:49 +03:00
-- | Decode a Jose ClaimsSet without verifying the signature
decodeClaimsSet :: RawJWT -> Maybe Jose.ClaimsSet
decodeClaimsSet (RawJWT jwt) = do
(_, c, _) <- extractElems $ BL.splitWith (== B.c2w '.') jwt
case BAE.convertFromBase BAE.Base64URLUnpadded $ BL.toStrict c of
Left _ -> Nothing
Right s -> J.decode $ BL.fromStrict s
extractElems (h : c : s : _) = Just (h, c, s)
extractElems _ = Nothing
-- | Extract the issuer from a bearer tokena _without_ verifying it.
tokenIssuer :: RawJWT -> Maybe StringOrURI
tokenIssuer = coerce <$> (decodeClaimsSet >=> view Jose.claimIss)
-- | Process the request headers to verify the JWT and extract UserInfo from it
2021-02-25 12:02:43 +03:00
-- From the JWT config, we check which header to expect, it can be the "Authorization"
-- or "Cookie" header
2020-05-28 19:18:26 +03:00
2021-02-25 12:02:43 +03:00
-- Iff no "Authorization"/"Cookie" header was passed, we will fall back to the
2020-05-28 19:18:26 +03:00
-- unauthenticated user role [1], if one was configured at server start.
-- When no 'x-hasura-user-role' is specified in the request, the mandatory
-- 'x-hasura-default-role' [2] from the JWT claims will be used.
2021-03-01 21:50:24 +03:00
-- [1]: https://hasura.io/docs/latest/graphql/core/auth/authentication/unauthenticated-access.html
-- [2]: https://hasura.io/docs/latest/graphql/core/auth/authentication/jwt.html#the-spec
2021-09-24 01:56:37 +03:00
processJwt ::
( MonadIO m,
MonadError QErr m
) =>
2022-02-14 02:33:49 +03:00
[JWTCtx] ->
2021-09-24 01:56:37 +03:00
HTTP.RequestHeaders ->
Maybe RoleName ->
2021-11-09 15:00:21 +03:00
m (UserInfo, Maybe UTCTime, [N.Header])
2022-02-14 02:33:49 +03:00
processJwt = processJwt_ processHeaderSimple tokenIssuer jcxHeader
type AuthTokenLocation = JWTHeader
2020-05-28 19:18:26 +03:00
-- Broken out for testing with mocks:
2021-09-24 01:56:37 +03:00
processJwt_ ::
(MonadError QErr m) =>
-- | mock 'processAuthZOrCookieHeader'
2022-02-14 02:33:49 +03:00
(JWTCtx -> BLC.ByteString -> m (ClaimsMap, Maybe UTCTime)) ->
(RawJWT -> Maybe StringOrURI) ->
(JWTCtx -> JWTHeader) ->
[JWTCtx] ->
2021-09-24 01:56:37 +03:00
HTTP.RequestHeaders ->
Maybe RoleName ->
2021-11-09 15:00:21 +03:00
m (UserInfo, Maybe UTCTime, [N.Header])
2022-02-14 02:33:49 +03:00
processJwt_ processJwtBytes decodeIssuer fGetHeaderType jwtCtxs headers mUnAuthRole = do
-- Here we use `intersectKeys` to match up the correct locations of JWTs to those specified in JWTCtxs
-- Then we match up issuers, where no-issuer specified in a JWTCtx can match any issuer in a JWT
-- Then there should either be zero matches - Perform no auth
-- Or one match - Perform normal auth
-- Otherwise there is an ambiguous situation which we currently treat as an error.
issuerMatches <- traverse issuerMatch $ intersectKeys (keyCtxOnAuthTypes jwtCtxs) (keyTokensOnAuthTypes headers)
-- ltraceM "issuerMatches" issuerMatches
case (lefts issuerMatches, rights issuerMatches) of
([], []) -> withoutAuthZ
(_ : _, []) -> jwtNotIssuerError
(_, [(ctx, val)]) -> withAuthZ val ctx
_ -> throw400 InvalidHeaders "Could not verify JWT: Multiple JWTs found"
2018-10-25 21:16:25 +03:00
2022-02-14 02:33:49 +03:00
intersectKeys :: (Hashable a, Eq a) => Map.HashMap a [b] -> Map.HashMap a [c] -> [(b, c)]
intersectKeys m n = concatMap (uncurry cartesianProduct) $ Map.elems $ Map.intersectionWith (,) m n
issuerMatch (j, b) = do
b'' <- case b of
(JHCookie _, b') -> pure b'
(JHAuthorization, b') ->
case BC.words b' of
["Bearer", jwt] -> pure jwt
_ -> throw400 InvalidHeaders "Malformed Authorization header"
case (StringOrURI <$> jcxIssuer j, decodeIssuer $ RawJWT $ BLC.fromStrict b'') of
(Nothing, _) -> pure $ Right (j, b'')
(_, Nothing) -> pure $ Right (j, b'')
(ci, ji)
| ci == ji -> pure $ Right (j, b'')
| otherwise -> pure $ Left (ci, ji, j, b'')
cartesianProduct :: [a] -> [b] -> [(a, b)]
cartesianProduct as bs = [(a, b) | a <- as, b <- bs]
keyCtxOnAuthTypes :: [JWTCtx] -> Map.HashMap AuthTokenLocation [JWTCtx]
keyCtxOnAuthTypes = Map.fromListWith (++) . fmap (expectedHeader &&& pure)
keyTokensOnAuthTypes :: [HTTP.Header] -> Map.HashMap AuthTokenLocation [(AuthTokenLocation, B.ByteString)]
keyTokensOnAuthTypes = Map.fromListWith (++) . map (fst &&& pure) . concatMap findTokensInHeader
findTokensInHeader :: Header -> [(AuthTokenLocation, B.ByteString)]
findTokensInHeader (key, val)
| key == CI.mk "Authorization" = [(JHAuthorization, val)]
| key == CI.mk "Cookie" = bimap JHCookie T.encodeUtf8 <$> Spock.parseCookies val
| otherwise = []
expectedHeader :: JWTCtx -> AuthTokenLocation
expectedHeader jwtCtx =
2021-02-25 12:02:43 +03:00
case fGetHeaderType jwtCtx of
2022-02-14 02:33:49 +03:00
JHAuthorization -> JHAuthorization
JHCookie name -> JHCookie name
withAuthZ authzHeader jwtCtx = do
authMode <- processJwtBytes jwtCtx $ BL.fromStrict authzHeader
let (claimsMap, expTimeM) = authMode
in do
HasuraClaims allowedRoles defaultRole <- parseHasuraClaims claimsMap
-- see if there is a x-hasura-role header, or else pick the default role.
-- The role returned is unauthenticated at this point:
let requestedRole =
fromMaybe defaultRole $
getRequestHeader userRoleHeader headers >>= mkRoleName . bsToTxt
when (requestedRole `notElem` allowedRoles) $
throw400 AccessDenied "Your requested role is not in allowed roles"
let finalClaims =
Map.delete defaultRoleClaim . Map.delete allowedRolesClaim $ claimsMap
let finalClaimsObject = mapKeys sessionVariableToText finalClaims
metadata <- parseJwtClaim (J.Object finalClaimsObject) "x-hasura-* claims"
userInfo <-
mkUserInfo (URBPreDetermined requestedRole) UAdminSecretNotSent $
mkSessionVariablesText metadata
pure (userInfo, expTimeM, [])
withoutAuthZ = do
unAuthRole <- onNothing mUnAuthRole (throw400 InvalidHeaders "Missing 'Authorization' or 'Cookie' header in JWT authentication mode")
2021-09-24 01:56:37 +03:00
userInfo <-
mkUserInfo (URBPreDetermined unAuthRole) UAdminSecretNotSent $
mkSessionVariablesHeaders headers
2021-11-09 15:00:21 +03:00
pure (userInfo, Nothing, [])
2022-02-14 02:33:49 +03:00
jwtNotIssuerError = throw400 JWTInvalid "Could not verify JWT: JWTNotInIssuer"
-- | Processes a token payload (excluding the `Bearer ` prefix in the context of a JWTCtx)
processHeaderSimple ::
2021-09-24 01:56:37 +03:00
( MonadIO m,
MonadError QErr m
) =>
JWTCtx ->
BLC.ByteString ->
2021-12-08 21:28:36 +03:00
-- The "Maybe" in "m (Maybe (...))" covers the case where the
-- requested Cookie name is not present (returns "m Nothing")
2022-02-14 02:33:49 +03:00
m (ClaimsMap, Maybe UTCTime)
processHeaderSimple jwtCtx jwt = do
--iss <- _ <$> Jose.decodeCompact (BL.fromStrict token)
--let ctx = M.lookup iss jwtCtx
2022-02-14 02:33:49 +03:00
-- try to parse JWT token from Authorization or Cookie header
add support for jwt authorization (close #186) (#255)
-- verify the JWT
2022-02-14 02:33:49 +03:00
claims <- liftJWTError invalidJWTError $ verifyJwt jwtCtx $ RawJWT jwt
add support for jwt authorization (close #186) (#255)
2022-02-14 02:33:49 +03:00
let expTimeM = fmap (\(Jose.NumericDate t) -> t) $ claims ^. Jose.claimExp
2018-09-07 09:00:50 +03:00
2022-02-14 02:33:49 +03:00
claimsObject <- parseClaimsMap claims claimsConfig
2020-04-16 09:45:21 +03:00
2022-02-14 02:33:49 +03:00
pure (claimsObject, expTimeM)
add support for jwt authorization (close #186) (#255)
2020-08-31 19:40:01 +03:00
claimsConfig = jcxClaims jwtCtx
2021-02-25 12:02:43 +03:00
add support for jwt authorization (close #186) (#255)
liftJWTError :: (MonadError e' m) => (e -> e') -> ExceptT e m a -> m a
liftJWTError ef action = do
res <- runExceptT action
2020-10-28 19:40:33 +03:00
onLeft res (throwError . ef)
add support for jwt authorization (close #186) (#255)
2022-02-14 02:33:49 +03:00
invalidJWTError e = err400 JWTInvalid $ "Could not verify JWT: " <> tshow e
add support for jwt authorization (close #186) (#255)
2020-08-31 19:40:01 +03:00
-- | parse the claims map from the JWT token or custom claims from the JWT config
2021-09-24 01:56:37 +03:00
parseClaimsMap ::
MonadError QErr m =>
-- | Unregistered JWT claims
Jose.ClaimsSet ->
-- | Claims config
JWTClaims ->
-- | Hasura claims and other claims
m ClaimsMap
2021-01-21 19:49:46 +03:00
parseClaimsMap claimsSet jcxClaims = do
let claimsJSON = J.toJSON claimsSet
unregisteredClaims = claimsSet ^. Jose.unregisteredClaims
2020-08-31 19:40:01 +03:00
case jcxClaims of
2021-01-21 19:49:46 +03:00
-- when the user specifies the namespace of the hasura claims map,
-- the hasura claims map *must* be specified in the unregistered claims
2020-08-31 19:40:01 +03:00
JCNamespace namespace claimsFormat -> do
2021-01-19 22:14:42 +03:00
claimsV <- flip onNothing (claimsNotFound namespace) $ case namespace of
2021-09-24 01:56:37 +03:00
ClaimNs k -> Map.lookup k unregisteredClaims
2021-01-19 22:14:42 +03:00
ClaimNsPath path -> iResultToMaybe $ executeJSONPath path (J.toJSON unregisteredClaims)
2020-08-31 19:40:01 +03:00
-- get hasura claims value as an object. parse from string possibly
claimsObject <- parseObjectFromString namespace claimsFormat claimsV
-- filter only x-hasura claims
2021-09-24 01:56:37 +03:00
let claimsMap =
mapKeys mkSessionVariable $
Map.filterWithKey (const . isSessionVariable) claimsObject
2020-08-31 19:40:01 +03:00
pure claimsMap
JCMap claimsConfig -> do
let JWTCustomClaimsMap defaultRoleClaimsMap allowedRolesClaimsMap otherClaimsMap = claimsConfig
allowedRoles <- case allowedRolesClaimsMap of
JWTCustomClaimsMapJSONPath allowedRolesJsonPath defaultVal ->
2021-01-21 19:49:46 +03:00
parseAllowedRolesClaim defaultVal $ iResultToMaybe $ executeJSONPath allowedRolesJsonPath claimsJSON
2020-08-31 19:40:01 +03:00
JWTCustomClaimsMapStatic staticAllowedRoles -> pure staticAllowedRoles
defaultRole <- case defaultRoleClaimsMap of
JWTCustomClaimsMapJSONPath defaultRoleJsonPath defaultVal ->
2021-09-24 01:56:37 +03:00
parseDefaultRoleClaim defaultVal $
iResultToMaybe $
executeJSONPath defaultRoleJsonPath claimsJSON
2020-08-31 19:40:01 +03:00
JWTCustomClaimsMapStatic staticDefaultRole -> pure staticDefaultRole
otherClaims <- flip Map.traverseWithKey otherClaimsMap $ \k claimObj -> do
2021-09-24 01:56:37 +03:00
let throwClaimErr =
throw400 JWTInvalidClaims $
"JWT claim from claims_map, "
<> sessionVariableToText k
<> " not found"
2020-08-31 19:40:01 +03:00
case claimObj of
JWTCustomClaimsMapJSONPath path defaultVal ->
2021-01-21 19:49:46 +03:00
iResultToMaybe (executeJSONPath path claimsJSON)
2021-09-24 01:56:37 +03:00
`onNothing` (J.String <$> defaultVal)
`onNothing` throwClaimErr
2020-08-31 19:40:01 +03:00
JWTCustomClaimsMapStatic claimStaticValue -> pure $ J.String claimStaticValue
2021-09-24 01:56:37 +03:00
pure $
[ (allowedRolesClaim, J.toJSON allowedRoles),
2020-08-31 19:40:01 +03:00
(defaultRoleClaim, J.toJSON defaultRole)
2021-09-24 01:56:37 +03:00
<> otherClaims
add support for jwt authorization (close #186) (#255)
2020-08-31 19:40:01 +03:00
parseAllowedRolesClaim defaultVal = \case
Nothing ->
onNothing defaultVal $
2021-09-24 01:56:37 +03:00
throw400 JWTRoleClaimMissing $ "JWT claim does not contain " <> sessionVariableToText allowedRolesClaim
Just v ->
parseJwtClaim v $
"invalid " <> sessionVariableToText allowedRolesClaim
<> "; should be a list of roles"
2020-08-31 19:40:01 +03:00
parseDefaultRoleClaim defaultVal = \case
Nothing ->
onNothing defaultVal $
2021-09-24 01:56:37 +03:00
throw400 JWTRoleClaimMissing $ "JWT claim does not contain " <> sessionVariableToText defaultRoleClaim
Just v ->
parseJwtClaim v $
"invalid " <> sessionVariableToText defaultRoleClaim
<> "; should be a role"
2020-08-31 19:40:01 +03:00
claimsNotFound namespace =
throw400 JWTInvalidClaims $ case namespace of
2021-09-24 01:56:37 +03:00
ClaimNsPath path ->
T.pack $
"claims not found at claims_namespace_path: '"
<> encodeJSONPath path
<> "'"
ClaimNs ns -> "claims key: '" <> ns <> "' not found"
2020-08-31 19:40:01 +03:00
parseObjectFromString namespace claimsFmt jVal =
case (claimsFmt, jVal) of
(JCFStringifiedJson, J.String v) ->
2020-10-28 19:40:33 +03:00
onLeft (J.eitherDecodeStrict $ T.encodeUtf8 v) (const $ claimsErr $ strngfyErr v)
2020-08-31 19:40:01 +03:00
(JCFStringifiedJson, _) ->
claimsErr "expecting a string when claims_format is stringified_json"
(JCFJson, J.Object o) -> return o
(JCFJson, _) ->
claimsErr "expecting a json object when claims_format is json"
2020-05-28 19:18:26 +03:00
2020-08-31 19:40:01 +03:00
strngfyErr v =
let claimsLocation = case namespace of
ClaimNsPath path -> T.pack $ "claims_namespace_path " <> encodeJSONPath path
2021-09-24 01:56:37 +03:00
ClaimNs ns -> "claims_namespace " <> ns
in "expecting stringified json at: '"
<> claimsLocation
<> "', but found: "
<> v
2020-08-31 19:40:01 +03:00
claimsErr = throw400 JWTInvalidClaims
add support for jwt authorization (close #186) (#255)
-- | Verify the JWT against given JWK
2021-09-24 01:56:37 +03:00
verifyJwt ::
( MonadError Jose.JWTError m,
MonadIO m
) =>
JWTCtx ->
RawJWT ->
m Jose.ClaimsSet
2018-09-27 14:22:49 +03:00
verifyJwt ctx (RawJWT rawJWT) = do
key <- liftIO $ readIORef $ jcxKey ctx
2019-07-11 12:58:39 +03:00
jwt <- Jose.decodeCompact rawJWT
2021-09-24 01:56:37 +03:00
t <- liftIO getCurrentTime
2019-07-11 12:58:39 +03:00
Jose.verifyClaimsAt config key t jwt
add support for jwt authorization (close #186) (#255)
2021-01-13 11:38:13 +03:00
validationSettingsWithSkew =
case jcxAllowedSkew ctx of
Just allowedSkew -> Jose.defaultJWTValidationSettings audCheck & set Jose.allowedSkew allowedSkew
-- In `Jose.defaultJWTValidationSettings`, the `allowedSkew` is 0
2021-09-24 01:56:37 +03:00
Nothing -> Jose.defaultJWTValidationSettings audCheck
2021-01-13 11:38:13 +03:00
2019-07-11 12:58:39 +03:00
config = case jcxIssuer ctx of
2021-09-24 01:56:37 +03:00
Nothing -> validationSettingsWithSkew
2021-01-13 11:38:13 +03:00
Just iss -> validationSettingsWithSkew & set Jose.issuerPredicate (== iss)
2019-07-11 12:58:39 +03:00
audCheck audience =
-- dont perform the check if there are no audiences in the conf
case jcxAudience ctx of
2021-09-24 01:56:37 +03:00
Nothing -> True
2019-07-11 12:58:39 +03:00
Just (Jose.Audience audiences) -> audience `elem` audiences
add support for jwt authorization (close #186) (#255)
2020-02-05 10:07:31 +03:00
instance J.ToJSON JWTConfig where
2021-02-25 12:02:43 +03:00
toJSON (JWTConfig keyOrUrl aud iss claims allowedSkew jwtHeader) =
2020-08-31 19:40:01 +03:00
let keyOrUrlPairs = case keyOrUrl of
2021-09-24 01:56:37 +03:00
Left _ ->
[ "type" J..= J.String "<TYPE REDACTED>",
"key" J..= J.String "<JWK REDACTED>"
2020-08-31 19:40:01 +03:00
Right url -> ["jwk_url" J..= url]
claimsPairs = case claims of
JCNamespace namespace claimsFormat ->
let namespacePairs = case namespace of
ClaimNsPath nsPath ->
["claims_namespace_path" J..= encodeJSONPath nsPath]
ClaimNs ns -> ["claims_namespace" J..= J.String ns]
2021-09-24 01:56:37 +03:00
in namespacePairs <> ["claims_format" J..= claimsFormat]
2020-08-31 19:40:01 +03:00
JCMap claimsMap -> ["claims_map" J..= claimsMap]
2021-09-24 01:56:37 +03:00
in J.object $
<> [ "audience" J..= aud,
"issuer" J..= iss,
"header" J..= jwtHeader
<> claimsPairs
<> (maybe [] (\skew -> ["allowed_skew" J..= skew]) allowedSkew)
2019-07-11 08:37:06 +03:00
add support for jwt authorization (close #186) (#255)
-- | Parse from a json string like:
-- | `{"type": "RS256", "key": "<PEM-encoded-public-key-or-X509-cert>"}`
-- | to JWTConfig
2020-02-05 10:07:31 +03:00
instance J.FromJSON JWTConfig where
parseJSON = J.withObject "JWTConfig" $ \o -> do
mRawKey <- o J..:? "key"
2020-04-16 09:45:21 +03:00
claimsNs <- o J..:? "claims_namespace"
claimsNsPath <- o J..:? "claims_namespace_path"
2021-09-24 01:56:37 +03:00
aud <- o J..:? "audience"
iss <- o J..:? "issuer"
jwkUrl <- o J..:? "jwk_url"
2020-08-31 19:40:01 +03:00
claimsFormat <- o J..:? "claims_format" J..!= defaultClaimsFormat
claimsMap <- o J..:? "claims_map"
2021-01-13 11:38:13 +03:00
allowedSkew <- o J..:? "allowed_skew"
2021-02-25 12:02:43 +03:00
jwtHeader <- o J..:? "header"
2020-04-16 09:45:21 +03:00
hasuraClaimsNs <-
2021-09-24 01:56:37 +03:00
case (claimsNsPath, claimsNs) of
2020-08-31 19:40:01 +03:00
(Nothing, Nothing) -> pure $ ClaimNs defaultClaimsNamespace
(Just nsPath, Nothing) -> either failJSONPathParsing (return . ClaimNsPath) . parseJSONPath $ nsPath
2020-04-16 09:45:21 +03:00
(Nothing, Just ns) -> return $ ClaimNs ns
(Just _, Just _) -> fail "claims_namespace and claims_namespace_path both cannot be set"
2020-08-31 19:40:01 +03:00
keyOrUrl <- case (mRawKey, jwkUrl) of
2018-09-27 14:22:49 +03:00
(Nothing, Nothing) -> fail "key and jwk_url both cannot be empty"
2021-09-24 01:56:37 +03:00
(Just _, Just _) -> fail "key, jwk_url both cannot be present"
2018-09-27 14:22:49 +03:00
(Just rawKey, Nothing) -> do
2020-04-10 16:55:59 +03:00
keyType <- o J..: "type"
2020-04-16 09:45:21 +03:00
key <- parseKey keyType rawKey
2020-08-31 19:40:01 +03:00
pure $ Left key
(Nothing, Just url) -> pure $ Right url
2021-01-13 11:38:13 +03:00
let jwtClaims = maybe (JCNamespace hasuraClaimsNs claimsFormat) JCMap claimsMap
2021-02-25 12:02:43 +03:00
pure $ JWTConfig keyOrUrl aud iss jwtClaims allowedSkew jwtHeader
2018-09-27 14:22:49 +03:00
2020-04-16 09:45:21 +03:00
parseKey keyType rawKey =
2021-09-24 01:56:37 +03:00
case keyType of
"HS256" -> runEither $ parseHmacKey rawKey 256
"HS384" -> runEither $ parseHmacKey rawKey 384
"HS512" -> runEither $ parseHmacKey rawKey 512
"RS256" -> runEither $ parseRsaKey rawKey
"RS384" -> runEither $ parseRsaKey rawKey
"RS512" -> runEither $ parseRsaKey rawKey
2021-08-12 04:53:13 +03:00
"Ed25519" -> runEither $ parseEdDSAKey rawKey
-- TODO(from master): support ES256, ES384, ES512, PS256, PS384, Ed448 (JOSE doesn't support it as of now)
2021-09-24 01:56:37 +03:00
_ -> invalidJwk ("Key type: " <> T.unpack keyType <> " is not supported")
2018-09-27 14:22:49 +03:00
runEither = either (invalidJwk . T.unpack) return
2020-04-16 09:45:21 +03:00
add support for jwt authorization (close #186) (#255)
invalidJwk msg = fail ("Invalid JWK: " <> msg)
2020-04-16 09:45:21 +03:00
failJSONPathParsing err = fail $ "invalid JSON path claims_namespace_path error: " ++ err
2020-05-28 19:18:26 +03:00
2020-08-31 19:40:01 +03:00
-- parse x-hasura-allowed-roles, x-hasura-default-role from JWT claims
parseHasuraClaims :: forall m. (MonadError QErr m) => ClaimsMap -> m HasuraClaims
parseHasuraClaims claimsMap = do
2021-09-24 01:56:37 +03:00
<$> parseClaim allowedRolesClaim "should be a list of roles"
<*> parseClaim defaultRoleClaim "should be a single role name"
2020-08-31 19:40:01 +03:00
parseClaim :: J.FromJSON a => SessionVariable -> Text -> m a
parseClaim claim hint = do
2020-10-28 19:40:33 +03:00
claimV <- onNothing (Map.lookup claim claimsMap) missingClaim
2020-08-31 19:40:01 +03:00
parseJwtClaim claimV $ "invalid " <> claimText <> "; " <> hint
missingClaim = throw400 JWTRoleClaimMissing $ "JWT claim does not contain " <> claimText
claimText = sessionVariableToText claim
2020-05-28 19:18:26 +03:00
-- Utility:
parseJwtClaim :: (J.FromJSON a, MonadError QErr m) => J.Value -> Text -> m a
parseJwtClaim v errMsg =
case J.fromJSON v of
J.Success val -> return val
2021-09-24 01:56:37 +03:00
J.Error e -> throw400 JWTInvalidClaims $ errMsg <> ": " <> T.pack e