jwks works, but null pointer access possible

2024-09-19 16:20:50 +00:00 · 2024-08-26 00:58:29 +00:00 · 2024-08-26 00:58:29 +00:00 · bfb0b32de8
commit bfb0b32de8
parent 45ad6ba2fd
3 changed files with 32 additions and 31 deletions
--- a/src/Access/JWTVerifier.cpp
+++ b/src/Access/JWTVerifier.cpp
@ -235,8 +235,8 @@ void IJWTVerifier::init(const JWTVerifierParams &_params)

 bool IJWTVerifier::verify(const String &claims, const String &token, SettingsChanges & settings) const
 {
-    try
-    {
+//    try
+//    {
        auto decoded_jwt = jwt::decode(token);
        if (!verify_impl(decoded_jwt))
            return false;
@ -250,11 +250,11 @@ bool IJWTVerifier::verify(const String &claims, const String &token, SettingsCha
        for (const auto &it : string_settings)
            settings.insertSetting(it.first, it.second);
        return true;
-    }
-    catch (const std::exception &ex)
-    {
-        throw Exception(ErrorCodes::JWT_ERROR, "{}: Failed to validate JWT with exception {}", name, ex.what());
-    }
+//    }
+//    catch (const std::exception &ex)
+//    {
+//        throw Exception(ErrorCodes::JWT_ERROR, "{}: Failed to validate JWT with exception {}", name, ex.what());
+//    }
 }

 void SimpleJWTVerifierParams::validate() const
@ -374,13 +374,6 @@ bool JWKSVerifier::verify_impl(const jwt::decoded_jwt<jwt::traits::kazuho_picojs
            LOG_TRACE(getLogger("JWTAuthentication"), "{}: Verifying {} with 'x5c' key", name, subject);
            public_key = jwt::helper::convert_base64_der_to_pem(x5c);
        }
-        else
-        {
-            LOG_TRACE(getLogger("JWTAuthentication"), "{}: `issuer` or `x5c` not present, verifying {} with RSA components", name, subject);
-            const auto modulus = jwk.get_jwk_claim("n").as_string();
-            const auto exponent = jwk.get_jwk_claim("e").as_string();
-            public_key = jwt::helper::create_public_key_from_rsa_components(modulus, exponent);
-        }
    }
    catch (const jwt::error::claim_not_present_exception &)
    {
@ -391,6 +384,14 @@ bool JWKSVerifier::verify_impl(const jwt::decoded_jwt<jwt::traits::kazuho_picojs
        throw Exception(ErrorCodes::JWT_ERROR, "Invalid claim value type: must be string");
    }

+    if (public_key.empty())
+    {
+        LOG_TRACE(getLogger("JWTAuthentication"), "{}: `issuer` or `x5c` not present, verifying {} with RSA components", name, subject);
+        const auto modulus = jwk.get_jwk_claim("n").as_string();
+        const auto exponent = jwk.get_jwk_claim("e").as_string();
+        public_key = jwt::helper::create_public_key_from_rsa_components(modulus, exponent);
+    }
+
    if (algo == "rs256")
        verifier = verifier.allow_algorithm(jwt::algorithm::rs256(public_key, "", "", ""));
    else if (algo == "rs384")
--- a/tests/integration/test_jwt_auth/configs/verify_static_key.xml
+++ b/tests/integration/test_jwt_auth/configs/verify_static_key.xml
@ -1,12 +1,12 @@
 <clickhouse>
    <jwt_verifiers>
-<!--        <single_key_validator>-->
-<!--            <algo>hs256</algo>-->
-<!--            <single_key>my_secret</single_key>-->
-<!--            <single_key_in_base64>false</single_key_in_base64>-->
-<!--        </single_key_validator>-->
-        <static_jwks_validator>
-            <static_jwks>{"keys": [{"kty": "RSA", "alg": "RS256", "kid": "mykid", "n": "lICGC8S5pObyASih5qfmwuclG0oKsbzY2z9vgwqyhTYQOWcqYcTjVV4aQ30qb6E0-5W6rJ-jx9zx6GuAEGMiG_aWJEdbUAMGp-L1kz4lrw5U6GlwoZIvk4wqoRwsiyc-mnDMQAmiZLBNyt3wU6YnKgYmb4O1cSzcZ5HMbImJpj4tpYjqnIazvYMn_9Pxjkl0ezLCr52av0UkWHro1H4QMVfuEoNmHuWPww9jgHn-I-La0xdOhRpAa0XnJi65dXZd4330uWjeJwt413yz881uS4n1OLOGKG8ImDcNlwU_guyvk0n0aqT0zkOAPp9_yYo13MPWmiRCfOX8ozdN7VDIJw", "e": "AQAB"}]}</static_jwks>
-        </static_jwks_validator>
+        <single_key_validator>
+            <algo>hs256</algo>
+            <single_key>my_secret</single_key>
+            <single_key_in_base64>false</single_key_in_base64>
+        </single_key_validator>
+<!--        <static_jwks_validator>-->
+<!--            <static_jwks>{"keys": [{"kty": "RSA", "alg": "RS256", "kid": "mykid", "n": "lICGC8S5pObyASih5qfmwuclG0oKsbzY2z9vgwqyhTYQOWcqYcTjVV4aQ30qb6E0-5W6rJ-jx9zx6GuAEGMiG_aWJEdbUAMGp-L1kz4lrw5U6GlwoZIvk4wqoRwsiyc-mnDMQAmiZLBNyt3wU6YnKgYmb4O1cSzcZ5HMbImJpj4tpYjqnIazvYMn_9Pxjkl0ezLCr52av0UkWHro1H4QMVfuEoNmHuWPww9jgHn-I-La0xdOhRpAa0XnJi65dXZd4330uWjeJwt413yz881uS4n1OLOGKG8ImDcNlwU_guyvk0n0aqT0zkOAPp9_yYo13MPWmiRCfOX8ozdN7VDIJw", "e": "AQAB"}]}</static_jwks>-->
+<!--        </static_jwks_validator>-->
    </jwt_verifiers>
 </clickhouse>
--- a/tests/integration/test_jwt_auth/test.py
+++ b/tests/integration/test_jwt_auth/test.py
@ -26,15 +26,15 @@ def started_cluster():
        cluster.shutdown()


-# def test_static_key(started_cluster):
-#     res = client.exec_in_container(
-#         [
-#             "bash",
-#             "-c",
-#             f'curl -H "X-ClickHouse-JWT-Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqd3RfdXNlciIsInJlc291cmNlX2FjY2VzcyI6InZpZXctcHJvZmlsZSJ9.TVnAmEMZeUqG-BD2K4f3Hk6LRvCiTr28W9dbjSGzi0Q" "http://{cluster.get_instance_ip(instance.name)}:8123/?query=SELECT%20currentUser()"',
-#         ]
-#     )
-#     assert res == "jwt_user\n"
+def test_static_key(started_cluster):
+    res = client.exec_in_container(
+        [
+            "bash",
+            "-c",
+            f'curl -H "X-ClickHouse-JWT-Token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqd3RfdXNlciIsInJlc291cmNlX2FjY2VzcyI6InZpZXctcHJvZmlsZSJ9.TVnAmEMZeUqG-BD2K4f3Hk6LRvCiTr28W9dbjSGzi0Q" "http://{cluster.get_instance_ip(instance.name)}:8123/?query=SELECT%20currentUser()"',
+        ]
+    )
+    assert res == "jwt_user\n"


 def test_static_jwks(started_cluster):