Merge pull request #37 from agilezebra/36-add-root-cas

agilezebra · web-flow · commit cf0dac207927 · 2025-03-11T16:38:12.000Z
add rootCAs option
diff --git a/README.md b/README.md
@@ -19,15 +19,15 @@ experimental:
   plugins:
     jwt:
       moduleName: github.com/agilezebra/jwt-middleware
-      version: v1.2.7
+      version: v1.2.8
 ```
 1b. or with command-line options:
 
 ```yaml
 command:
   ...
   - "--experimental.plugins.jwt.modulename=github.com/agilezebra/jwt-middleware"
-  - "--experimental.plugins.jwt.version=v1.2.7"
+  - "--experimental.plugins.jwt.version=v1.2.8"
 ```
 
 2) Configure and activate the plugin as a middleware in your dynamic traefik config:
@@ -70,6 +70,7 @@ Name | Description
 `forwardToken` | Boolean indicating whether the token should be forwarded to the backend. Default true. If multiple tokens are present in different locations (e.g. cookie and header) and forwarding is false, only the token used will be removed. 
 `optional` | Validate tokens according to the normal rules but don't require that a token be present. If specific claim requirements are specified in `require` but with `optional` set to `true` and a token is not present, access will be permitted even though the requirements are obviously not met, which may not be what you want or expect. In this case, no headers will be set from claims (as there aren't any). This is quite a niche case but is intended for use on endpoints that support both authorized and anonymous access and you want JWTs verified if present.
 `insecureSkipVerify` | A list of issuers' domains for which TLS certificates should not be verified (i.e. use `InsecureSkipVerify: true`). Only the hostname/domain should be specified (i.e. no scheme or trailing slash). Applies to both the openid-configuration and jwks calls.
+`rootCAs` | One or more additional root certificate authorities, in PEM format, to be combined with the system cert pool when verifying server certificates.
 `infoToStdout` | traefik does not yet have support for plugins to use the logger so, by default, all messages are logged using `log.Printf`, which will send messages from the plugin out as if they were logged at `ERROR` level. This may be irritating for those that don't like to see non-error messages show up as if they are errors. There is a workaround available in that the plugin can send messages to STDOUT and traefik will log these as if they were logged at `DEBUG` level. Setting `infoToStdout` to `true` will send all non-error info messages to STDOUT and these will appear in logs at `DEBUG` level. These will obviously only appear if you set your traefik log level to `DEBUG` (which may actually be more irritating if you don't want the spew that this creates, so this option is not enabled by default). Note also that this workaround does not appear to be working correctly in traefik v2 and in this case you may not see info messages at all if you enable this.
 
 ### Template Interpolation
diff --git a/jwt.go b/jwt.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"html"
 	"html/template"
@@ -26,6 +27,7 @@ type Config struct {
 	Issuers              []string               `json:"issuers,omitempty"`
 	SkipPrefetch         bool                   `json:"skipPrefetch,omitempty"`
 	InsecureSkipVerify   []string               `json:"insecureSkipVerify,omitempty"`
+	RootCAs              []string               `json:"rootCAs,omitempty"`
 	Secret               string                 `json:"secret,omitempty"`
 	Secrets              map[string]string      `json:"secrets,omitempty"`
 	Require              map[string]interface{} `json:"require,omitempty"`
@@ -155,7 +157,7 @@ func New(_ context.Context, next http.Handler, config *Config, name string) (htt
 		secret:               secret,
 		issuers:              canonicalizeDomains(config.Issuers),
 		clients:              createClients(config.InsecureSkipVerify),
-		defaultClient:        &http.Client{},
+		defaultClient:        createDefaultClient(config.RootCAs, true),
 		require:              convertRequire(config.Require),
 		keys:                 make(map[string]interface{}),
 		issuerKeys:           make(map[string]map[string]interface{}),
@@ -569,6 +571,29 @@ func canonicalizeDomains(domains []string) []string {
 	return domains
 }
 
+// createDefaultClient returns an http.Client with the given root CAs, or a default client if no root CAs are provided.
+func createDefaultClient(pems []string, useSystemCertPool bool) *http.Client {
+	if pems == nil {
+		return &http.Client{}
+	}
+	certs, _ := x509.SystemCertPool()
+	if certs == nil || !useSystemCertPool {
+		// We don't plan an option to set useSystemCertPool=false but it helps with test coverage
+		certs = x509.NewCertPool()
+	}
+	for _, pem := range pems {
+		if !certs.AppendCertsFromPEM([]byte(pem)) {
+			log.Printf("failed to add root CA:\n%s", pem)
+		}
+	}
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: certs,
+		},
+	}
+	return &http.Client{Transport: transport}
+}
+
 // createClients reads a list of domains in the InsecureSkipVerify configuration and creates a map of domains to http.Client with InsecureSkipVerify set.
 func createClients(insecureSkipVerify []string) map[string]*http.Client {
 	// Create a single client with InsecureSkipVerify set
diff --git a/jwt_test.go b/jwt_test.go
@@ -1015,6 +1015,54 @@ func TestServeHTTP(tester *testing.T) {
 			Method:     jwt.SigningMethodES256,
 			HeaderName: "Authorization",
 		},
+		{
+			Name:   "RootCAs",
+			Expect: http.StatusOK,
+			Config: `
+				issuers:
+					- "https://127.0.0.1/"
+				rootCAs: |
+                    -----BEGIN CERTIFICATE-----
+                    MIIDJzCCAg+gAwIBAgIUDDYN8pGCpUC6tsqDW4meIXsmN04wDQYJKoZIhvcNAQEL
+                    BQAwIzELMAkGA1UEBhMCVUsxFDASBgNVBAoMC0FnaWxlIFplYnJhMB4XDTI1MDMx
+                    MTE0MTU1MloXDTM1MDMwOTE0MTU1MlowIzELMAkGA1UEBhMCVUsxFDASBgNVBAoM
+                    C0FnaWxlIFplYnJhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA70Gs
+                    A3QEKB94Eqyt+V07qDNtykhlyOLSiGIRk1/Slr5B1mTY8Mt88gg8MFldyVukjze+
+                    /5GT/lZ3plMMiA7wnpJ683iWqMVOzQTtYlgcMknnrRJhHuDIGmcdakudXl484emE
+                    9iz+cWgl2cw1rb0rtNC1koQ90MohcTqW+5By0TUaulf80ZcJbGFG8LTqVKVJatET
+                    QedgrYR3tIR6VRtj7pnFZ1w9gZhpPL26mrMg3Wk3GHf/j48jebHVYbeuuSoBXJX8
+                    rGmfCtwzMWqyZvMU9MRP6KpPu20UIOuzau6JyD22RhlLSrX/1eI9Et0IMqEF/iM/
+                    EGpTGDJTeX3bJavzAQIDAQABo1MwUTAdBgNVHQ4EFgQUwR3igK8QvKXQ3JuGlYUc
+                    1jHwBqUwHwYDVR0jBBgwFoAUwR3igK8QvKXQ3JuGlYUc1jHwBqUwDwYDVR0TAQH/
+                    BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoEgu6gQTf8Br0Id7Jp6Oht6XSG0o
+                    RtYJ4SwWD0U1acJpWKgtTkBA9cfGMYngFzUe9Xmxt1iBSCJtbQ/SQj5x0vcXsoR0
+                    zWBnihf3XERnJOyLWR7cUCfVYEu0xFCNrc1m5Wzj4IG2NJBTtiIiAdnTbEcBd7hk
+                    f7Vy+al187qn3HQcwdRfMatjFrrM92tHvd79VJsZcgj8Yl3QcgZFIQ2O+PtrXxLR
+                    2auMwVTxdRe0QUT6zvtZGf1niNH5s8DBVeDWqBArlC7M/HuLj6QOIMDEI2aC3yS1
+                    LT12fZ0MWBjfGc90EEJ9z4/CRUWMdtlOaLnXinyrvOH+SSTJD8xfwKqH6g==
+                    -----END CERTIFICATE-----
+				require:
+					aud: test`,
+			Claims:     `{"aud": "test"}`,
+			Method:     jwt.SigningMethodES256,
+			HeaderName: "Authorization",
+		},
+		{
+			Name:   "Bad RootCAs",
+			Expect: http.StatusOK,
+			Config: `
+				issuers:
+					- "https://127.0.0.1/"
+				rootCAs: |
+                    -----BEGIN CERTIFICATE-----
+                    bad
+                    -----END CERTIFICATE-----
+				require:
+					aud: test`,
+			Claims:     `{"aud": "test"}`,
+			Method:     jwt.SigningMethodES256,
+			HeaderName: "Authorization",
+		},
 		{
 			Name:   "infoToStdout",
 			Expect: http.StatusOK,
@@ -1517,6 +1565,45 @@ func TestHostname(tester *testing.T) {
 	}
 }
 
+func TestCreateDefaultClient(tester *testing.T) {
+	pems := []string{
+		`\
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUDDYN8pGCpUC6tsqDW4meIXsmN04wDQYJKoZIhvcNAQEL
+BQAwIzELMAkGA1UEBhMCVUsxFDASBgNVBAoMC0FnaWxlIFplYnJhMB4XDTI1MDMx
+MTE0MTU1MloXDTM1MDMwOTE0MTU1MlowIzELMAkGA1UEBhMCVUsxFDASBgNVBAoM
+C0FnaWxlIFplYnJhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA70Gs
+A3QEKB94Eqyt+V07qDNtykhlyOLSiGIRk1/Slr5B1mTY8Mt88gg8MFldyVukjze+
+/5GT/lZ3plMMiA7wnpJ683iWqMVOzQTtYlgcMknnrRJhHuDIGmcdakudXl484emE
+9iz+cWgl2cw1rb0rtNC1koQ90MohcTqW+5By0TUaulf80ZcJbGFG8LTqVKVJatET
+QedgrYR3tIR6VRtj7pnFZ1w9gZhpPL26mrMg3Wk3GHf/j48jebHVYbeuuSoBXJX8
+rGmfCtwzMWqyZvMU9MRP6KpPu20UIOuzau6JyD22RhlLSrX/1eI9Et0IMqEF/iM/
+EGpTGDJTeX3bJavzAQIDAQABo1MwUTAdBgNVHQ4EFgQUwR3igK8QvKXQ3JuGlYUc
+1jHwBqUwHwYDVR0jBBgwFoAUwR3igK8QvKXQ3JuGlYUc1jHwBqUwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoEgu6gQTf8Br0Id7Jp6Oht6XSG0o
+RtYJ4SwWD0U1acJpWKgtTkBA9cfGMYngFzUe9Xmxt1iBSCJtbQ/SQj5x0vcXsoR0
+zWBnihf3XERnJOyLWR7cUCfVYEu0xFCNrc1m5Wzj4IG2NJBTtiIiAdnTbEcBd7hk
+f7Vy+al187qn3HQcwdRfMatjFrrM92tHvd79VJsZcgj8Yl3QcgZFIQ2O+PtrXxLR
+2auMwVTxdRe0QUT6zvtZGf1niNH5s8DBVeDWqBArlC7M/HuLj6QOIMDEI2aC3yS1
+LT12fZ0MWBjfGc90EEJ9z4/CRUWMdtlOaLnXinyrvOH+SSTJD8xfwKqH6g==
+-----END CERTIFICATE-----`,
+	}
+	tester.Run("Default", func(tester *testing.T) {
+		client := createDefaultClient(nil, true)
+		if client == nil {
+			tester.Error("client is nil")
+		}
+		client = createDefaultClient(pems, true)
+		if client == nil {
+			tester.Error("client is nil")
+		}
+		client = createDefaultClient(pems, false)
+		if client == nil {
+			tester.Error("client is nil")
+		}
+	})
+}
+
 func BenchmarkServeHTTP(benchmark *testing.B) {
 	test := Test{
 		Name:   "SigningMethodRS256 passes",
