feat(plugin): implement golang version of plugin jwt-auth (#743)

Signed-off-by: Ink33 <Ink33@smlk.org>
2026-04-21 20:17:29 +08:00 · 2024-06-06 10:22:51 +08:00
parent 6a40d83ec0
commit ed976c6d06
24 changed files with 2713 additions and 1 deletions
--- a/plugins/wasm-go/extensions/jwt-auth/test/jwt_test.go
+++ b/plugins/wasm-go/extensions/jwt-auth/test/jwt_test.go
@@ -0,0 +1,144 @@
+package test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/json"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
+)
+
+type keySet struct {
+	Name       string
+	PrivateKey any
+	PublicKey  any
+}
+
+type jwts struct {
+	JWTs []struct {
+		Algorithm string `json:"alg"`
+		Token     string `json:"token"`
+		Type      string `json:"type"`
+	} `json:"jwts"`
+}
+
+func genPrivateKey() (keySets map[string]keySet) {
+	keySets = map[string]keySet{}
+	rsaPri, _ := rsa.GenerateKey(rand.Reader, 2048)
+	keySets["rsa"] = keySet{Name: "rsa", PrivateKey: rsaPri, PublicKey: &rsaPri.PublicKey}
+
+	// ed25519pri, ed25519pub, _ := ed25519.GenerateKey(rand.Reader)
+	// keySets["ed25519"] = keySet{Name: "ed25519", PrivateKey: ed25519pri, PublicKey: ed25519pub}
+
+	p256Pri, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	keySets["p256"] = keySet{Name: "p256", PrivateKey: p256Pri, PublicKey: &p256Pri.PublicKey}
+
+	// p384Pri, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	// keySets = append(keySets, keySet{Name: "p384", PrivateKey: p384Pri, PublicKey: &p384Pri.PublicKey})
+
+	// p521Pri, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	// keySets = append(keySets, keySet{Name: "p521", PrivateKey: p521Pri, PublicKey: &p521Pri.PublicKey})
+	return
+}
+
+func genJWKs(keySets map[string]keySet) (keys jose.JSONWebKeySet) {
+	for k := range keySets {
+		k := jose.JSONWebKey{
+			Key:   keySets[k].PublicKey,
+			KeyID: keySets[k].Name,
+		}
+		keys.Keys = append(keys.Keys, k)
+	}
+	return
+}
+
+func genJWTs(keySets map[string]keySet) (jwts jwts) {
+	claims := map[string]jwt.Claims{
+		"normal": {
+			Issuer:    "higress-test",
+			Subject:   "higress-test",
+			Audience:  []string{"foo", "bar"},
+			Expiry:    jwt.NewNumericDate(time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC)),
+			NotBefore: jwt.NewNumericDate(time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)),
+		},
+		"expried": {
+			Issuer:    "higress-test",
+			Subject:   "higress-test",
+			Audience:  []string{"foo", "bar"},
+			Expiry:    jwt.NewNumericDate(time.Date(2024, 1, 1, 0, 0, 0, 1, time.UTC)),
+			NotBefore: jwt.NewNumericDate(time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)),
+		},
+	}
+
+	sigrsa, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.RS256,
+		Key:       keySets["rsa"].PrivateKey,
+	}, (&jose.SignerOptions{}).WithType("JWT").WithHeader(jose.HeaderKey("kid"), "rsa"))
+	if err != nil {
+		panic(err)
+	}
+
+	sigp256, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.ES256,
+		Key:       keySets["p256"].PrivateKey,
+	}, (&jose.SignerOptions{}).WithType("JWT").WithHeader(jose.HeaderKey("kid"), "p256"))
+	if err != nil {
+		panic(err)
+	}
+
+	sigs := map[string]jose.Signer{
+		"RS256": sigrsa,
+		"ES256": sigp256,
+	}
+
+	for k1, v1 := range sigs {
+		for k2, v2 := range claims {
+			raw, _ := jwt.Signed(v1).Claims(v2).CompactSerialize()
+			jwts.JWTs = append(jwts.JWTs, struct {
+				Algorithm string "json:\"alg\""
+				Token     string "json:\"token\""
+				Type      string "json:\"type\""
+			}{
+				Algorithm: k1,
+				Token:     raw,
+				Type:      k2,
+			})
+		}
+	}
+	return
+}
+
+func TestMain(m *testing.M) {
+	keySets := genPrivateKey()
+	keys := genJWKs(keySets)
+	jwts := genJWTs(keySets)
+
+	jwks, err := json.Marshal(keys)
+	if err != nil {
+		panic(err)
+	}
+	f, _ := os.Create("keys.json")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	f.WriteString(string(jwks))
+
+	jwtsm, err := json.Marshal(&jwts)
+	if err != nil {
+		panic(err)
+	}
+	f, _ = os.Create("jwts.json")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	f.WriteString(string(jwtsm))
+	m.Run()
+}
--- a/plugins/wasm-go/extensions/jwt-auth/test/jwts.json
+++ b/plugins/wasm-go/extensions/jwt-auth/test/jwts.json
@@ -0,0 +1,24 @@
+{
+    "jwts": [
+        {
+            "alg": "RS256",
+            "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InJzYSIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiZm9vIiwiYmFyIl0sImV4cCI6MjAxOTY4NjQwMCwiaXNzIjoiaGlncmVzcy10ZXN0IiwibmJmIjoxNzA0MDY3MjAwLCJzdWIiOiJoaWdyZXNzLXRlc3QifQ.iO0wPY91b_VNGUMZ1n-Ub-SRmEkDQMFLSi77z49tEzll3UZXwmBraP5udM_OPUAdk9ZO3dbb_fOgdcN9V1H9p5kiTr-l-pZTFTJHrPJj8wC519sYRcCk3wrZ9aXR5tNMwOsMdQb7waTBatDQLmHPWzAoTNBc8mwXkRcv1dmJLvsJgxyCl1I9CMOMPq0fYj1NBvaUDIdVSL1o7GGiriD8-0UIOmS72-I3mbaoCIyVb0h3wx7gnIW3zr0yYWaYoiIgmHLag-eEGxHp4-BjtCqcokU4QVMS91qpH7Mkl1iv2WHEkuDQRJ-nLzYGwXb7Dncx9K5tNWHJuZ-DihIU2oT0aA",
+            "type": "normal"
+        },
+        {
+            "alg": "RS256",
+            "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InJzYSIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiZm9vIiwiYmFyIl0sImV4cCI6MTcwNDA2NzIwMCwiaXNzIjoiaGlncmVzcy10ZXN0IiwibmJmIjoxNzA0MDY3MjAwLCJzdWIiOiJoaWdyZXNzLXRlc3QifQ.jqzlhBPk9mmvtTT5aCYf-_5uXXSEU5bQ32fx78XeboCnjR9K1CsI4KYUIkXEX3bk66XJQUeSes7lz3gA4Yzkd-v9oADHTgpKnIxzv_5mD0_afIwEFjcalqVbSvCmro4PessQZDnmU7AIzoo3RPSqbmq8xbPVYUH9I-OO8aUu2ATd1HozgxJH1XnRU8k9KMkVW8XhvJXLKZJmnqe3Tu6pCU_tawFlBfBC4fAhMf0yX2CGE0ABAHubcdiI6JXObQmQQ9Or2a-g2a8g_Bw697PoPOsAn0YpTrHst9GcyTpkbNTAq9X8fc5EM7hiDM1FGeMYcaQTdMnOh4HBhP0p4YEhvA",
+            "type": "expried"
+        },
+        {
+            "alg": "ES256",
+            "token": "eyJhbGciOiJFUzI1NiIsImtpZCI6InAyNTYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiZm9vIiwiYmFyIl0sImV4cCI6MTcwNDA2NzIwMCwiaXNzIjoiaGlncmVzcy10ZXN0IiwibmJmIjoxNzA0MDY3MjAwLCJzdWIiOiJoaWdyZXNzLXRlc3QifQ.9AnXd2rZ6FirHZQAoabyL4xZNz0jr-3LmcV4-pFV3JrdtUT4386Mw5Qan125fUB-rZf_ZBlv0Bft2tWY149fyg",
+            "type": "expried"
+        },
+        {
+            "alg": "ES256",
+            "token": "eyJhbGciOiJFUzI1NiIsImtpZCI6InAyNTYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiZm9vIiwiYmFyIl0sImV4cCI6MjAxOTY4NjQwMCwiaXNzIjoiaGlncmVzcy10ZXN0IiwibmJmIjoxNzA0MDY3MjAwLCJzdWIiOiJoaWdyZXNzLXRlc3QifQ.hm71YWfjALshUAgyOu-r9W2WBG_zfqIZZacAbc7oIH1r7dbB0sGQn3wKMWMmOzmxX0UyaVZ0KMk-HFTA1hDnBQ",
+            "type": "normal"
+        }
+    ]
+}
--- a/plugins/wasm-go/extensions/jwt-auth/test/keys.json
+++ b/plugins/wasm-go/extensions/jwt-auth/test/keys.json
@@ -0,0 +1,17 @@
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "kid": "rsa",
+            "n": "pFKAKJ0V3vFwGTvBSHbPwrNdvPyr-zMTh7Y9IELFIMNUQfG9_d2D1wZcrX5CPvtEISHin3GdPyfqEX6NjPyqvCLFTuNh80-r5Mvld-A5CHwITZXz5krBdqY5Z0wu64smMbzst3HNxHbzLQvHUY-KS6hceOB84d9B4rhkIJEEAWxxIA7yPJYjYyIC_STpPddtJkkweVvoa0m0-_FQkDFsbRS0yGgMNG4-uc7qLIU4kSwMQWcw1Rwy39LUDP4zNzuZABbWsDDBsMlVUaszRdKIlk5AQ-Fkah3E247dYGUQjSQ0N3dFLlMDv_e62BT3IBXGLg7wvGosWFNT_LpIenIW6Q",
+            "e": "AQAB"
+        },
+        {
+            "kty": "EC",
+            "kid": "p256",
+            "crv": "P-256",
+            "x": "GWym652nfByDbs4EzNpGXCkdjG03qFZHulNDHTo3YJU",
+            "y": "5uVg_n-flqRJ5Zhf_aEKS0ow9SddTDgxGduSCgpoAZQ"
+        }
+    ]
+}