diff --git a/README.md b/README.md index 41acde1f..860eae2f 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,9 @@ note on [Docs and Samples Migration](https://blog.jetbrains.com/ktor/2020/09/16/ * [maven-google-appengine-standard](maven-google-appengine-standard/README.md) - A sample showing how to deploy Ktor application to Google App Engine using [Maven](https://maven.apache.org/) and [Google App Engine](https://cloud.google.com/appengine/). +## Testing + +* [jwt-auth-tests](jwt-auth-tests/README.md) - Shows how to write tests for RSA-signed JWT secured endpoints. ## License diff --git a/jwt-auth-tests/README.md b/jwt-auth-tests/README.md new file mode 100644 index 00000000..e8d9a3ab --- /dev/null +++ b/jwt-auth-tests/README.md @@ -0,0 +1,15 @@ +# Tests for API secured with RSA-signed JWT + +A sample project is to show how to write tests for an API secured with RSA-signed [JWT](https://auth0.com/docs/secure/tokens/json-web-tokens). + +## Running + +To run the tests execute: +```shell +./gradlew test +``` + +To run the application execute: +```shell +./gradlew run +``` diff --git a/jwt-auth-tests/build.gradle.kts b/jwt-auth-tests/build.gradle.kts new file mode 100644 index 00000000..92eecea7 --- /dev/null +++ b/jwt-auth-tests/build.gradle.kts @@ -0,0 +1,29 @@ +plugins { + kotlin("jvm") version "1.8.10" + kotlin("plugin.serialization") version "1.8.10" + id("io.ktor.plugin") version "2.2.4" +} + +application { + mainClass.set("io.ktor.samples.jwtauth.MainKt") +} + +repositories { + mavenCentral() +} + +dependencies { + implementation("io.ktor:ktor-server-core") + implementation("io.ktor:ktor-server-netty") + implementation("io.ktor:ktor-server-auth") + implementation("io.ktor:ktor-server-auth-jwt") + implementation("io.ktor:ktor-server-content-negotiation") + implementation("io.ktor:ktor-serialization-kotlinx-json") + implementation("ch.qos.logback:logback-classic:1.4.6") + testImplementation("io.ktor:ktor-server-test-host") + testImplementation(kotlin("test")) +} + +tasks.withType { + useJUnitPlatform() +} diff --git a/jwt-auth-tests/gradle/wrapper/gradle-wrapper.jar b/jwt-auth-tests/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 00000000..249e5832 Binary files /dev/null and b/jwt-auth-tests/gradle/wrapper/gradle-wrapper.jar differ diff --git a/jwt-auth-tests/gradle/wrapper/gradle-wrapper.properties b/jwt-auth-tests/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 00000000..8049c684 --- /dev/null +++ b/jwt-auth-tests/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/jwt-auth-tests/gradlew b/jwt-auth-tests/gradlew new file mode 100755 index 00000000..a69d9cb6 --- /dev/null +++ b/jwt-auth-tests/gradlew @@ -0,0 +1,240 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/jwt-auth-tests/gradlew.bat b/jwt-auth-tests/gradlew.bat new file mode 100644 index 00000000..f127cfd4 --- /dev/null +++ b/jwt-auth-tests/gradlew.bat @@ -0,0 +1,91 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/jwt-auth-tests/settings.gradle.kts b/jwt-auth-tests/settings.gradle.kts new file mode 100644 index 00000000..98d0f89c --- /dev/null +++ b/jwt-auth-tests/settings.gradle.kts @@ -0,0 +1 @@ +rootProject.name = "jwt-auth-tests" diff --git a/jwt-auth-tests/src/main/kotlin/io/ktor/samples/jwtauth/Main.kt b/jwt-auth-tests/src/main/kotlin/io/ktor/samples/jwtauth/Main.kt new file mode 100644 index 00000000..08e343dd --- /dev/null +++ b/jwt-auth-tests/src/main/kotlin/io/ktor/samples/jwtauth/Main.kt @@ -0,0 +1,101 @@ +package io.ktor.samples.jwtauth + +import com.auth0.jwk.JwkProvider +import com.auth0.jwk.JwkProviderBuilder +import com.auth0.jwt.JWT +import com.auth0.jwt.algorithms.Algorithm +import io.ktor.http.* +import io.ktor.serialization.kotlinx.json.* +import io.ktor.server.application.* +import io.ktor.server.auth.* +import io.ktor.server.auth.jwt.* +import io.ktor.server.http.content.* +import io.ktor.server.netty.* +import io.ktor.server.plugins.contentnegotiation.* +import io.ktor.server.request.* +import io.ktor.server.response.* +import io.ktor.server.routing.* +import kotlinx.serialization.Serializable +import java.security.KeyFactory +import java.security.interfaces.RSAPrivateKey +import java.security.interfaces.RSAPublicKey +import java.security.spec.PKCS8EncodedKeySpec +import java.util.* +import java.util.concurrent.TimeUnit + +fun main(args: Array) { + EngineMain.main(args) +} + +@Serializable +data class User(val username: String, val password: String) + +// This method is called via reflection by the fully qualified name of the module in the application.conf file +@Suppress("UNUSED") +fun Application.main() { + val issuer = environment.config.property("jwt.issuer").getString() + val jwkProvider = JwkProviderBuilder(issuer) + .cached(10, 24, TimeUnit.HOURS) + .rateLimited(10, 1, TimeUnit.MINUTES) + .build() + + main(jwkProvider) +} + +fun Application.main(jwkProvider: JwkProvider) { + install(ContentNegotiation) { + json() + } + val privateKeyString = environment.config.property("jwt.privateKey").getString() + val issuer = environment.config.property("jwt.issuer").getString() + val audience = environment.config.property("jwt.audience").getString() + val myRealm = environment.config.property("jwt.realm").getString() + + install(Authentication) { + jwt("auth-jwt") { + realm = myRealm + verifier(jwkProvider, issuer) { + acceptLeeway(3) + } + validate { credential -> + if (credential.payload.getClaim("username").asString() != "") { + JWTPrincipal(credential.payload) + } else { + null + } + } + challenge { _, _ -> + call.respond(HttpStatusCode.Unauthorized, "Token is not valid or has expired") + } + } + } + routing { + post("/login") { + val user = call.receive() + // Check username and password + // ... + + val publicKey = jwkProvider.get("6f8856ed-9189-488f-9011-0ff4b6c08edc").publicKey + val keySpecPKCS8 = PKCS8EncodedKeySpec(Base64.getDecoder().decode(privateKeyString)) + val privateKey = KeyFactory.getInstance("RSA").generatePrivate(keySpecPKCS8) + val token = JWT.create() + .withAudience(audience) + .withIssuer(issuer) + .withClaim("username", user.username) + .withExpiresAt(Date(System.currentTimeMillis() + 60000)) + .sign(Algorithm.RSA256(publicKey as RSAPublicKey, privateKey as RSAPrivateKey)) + call.respondText { token } + } + + authenticate("auth-jwt") { + get("/hello") { + val principal = call.principal() + val username = principal!!.payload.getClaim("username").asString() + call.respondText("Hello, $username!") + } + } + route(".well-known") { + resource("jwks.json") + } + } +} diff --git a/jwt-auth-tests/src/main/resources/application.conf b/jwt-auth-tests/src/main/resources/application.conf new file mode 100644 index 00000000..9f93b6d5 --- /dev/null +++ b/jwt-auth-tests/src/main/resources/application.conf @@ -0,0 +1,16 @@ +ktor { + deployment { + port = 8080 + } + + application { + modules = [ io.ktor.samples.jwtauth.MainKt.main ] + } +} + +jwt { + privateKey = "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAtfJaLrzXILUg1U3N1KV8yJr92GHn5OtYZR7qWk1Mc4cy4JGjklYup7weMjBD9f3bBVoIsiUVX6xNcYIr0Ie0AQIDAQABAkEAg+FBquToDeYcAWBe1EaLVyC45HG60zwfG1S4S3IB+y4INz1FHuZppDjBh09jptQNd+kSMlG1LkAc/3znKTPJ7QIhANpyB0OfTK44lpH4ScJmCxjZV52mIrQcmnS3QzkxWQCDAiEA1Tn7qyoh+0rOO/9vJHP8U/beo51SiQMw0880a1UaiisCIQDNwY46EbhGeiLJR1cidr+JHl86rRwPDsolmeEF5AdzRQIgK3KXL3d0WSoS//K6iOkBX3KMRzaFXNnDl0U/XyeGMuUCIHaXv+n+Brz5BDnRbWS+2vkgIe9bUNlkiArpjWvX+2we" + issuer = "http://0.0.0.0:8080/" + audience = "http://0.0.0.0:8080/hello" + realm = "Access to 'hello'" +} \ No newline at end of file diff --git a/jwt-auth-tests/src/main/resources/jwks.json b/jwt-auth-tests/src/main/resources/jwks.json new file mode 100644 index 00000000..73838d5d --- /dev/null +++ b/jwt-auth-tests/src/main/resources/jwks.json @@ -0,0 +1,10 @@ +{ + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "kid": "6f8856ed-9189-488f-9011-0ff4b6c08edc", + "n":"tfJaLrzXILUg1U3N1KV8yJr92GHn5OtYZR7qWk1Mc4cy4JGjklYup7weMjBD9f3bBVoIsiUVX6xNcYIr0Ie0AQ" + } + ] +} \ No newline at end of file diff --git a/jwt-auth-tests/src/test/kotlin/io/ktor/samples/jwtauth/ApplicationTest.kt b/jwt-auth-tests/src/test/kotlin/io/ktor/samples/jwtauth/ApplicationTest.kt new file mode 100644 index 00000000..4a05e4e3 --- /dev/null +++ b/jwt-auth-tests/src/test/kotlin/io/ktor/samples/jwtauth/ApplicationTest.kt @@ -0,0 +1,76 @@ +package io.ktor.samples.jwtauth + +import com.auth0.jwk.Jwk +import com.auth0.jwk.JwkProvider +import io.ktor.client.request.* +import io.ktor.client.statement.* +import io.ktor.http.* +import io.ktor.server.config.* +import io.ktor.server.testing.* +import java.security.KeyPairGenerator +import java.security.interfaces.RSAPublicKey +import java.util.* +import kotlin.test.Test +import kotlin.test.assertEquals + +class ApplicationTest { + @Test + fun userIsGreetedProperly() = testApplication { + val generator = KeyPairGenerator.getInstance("RSA") + generator.initialize(2048) + val keyPair = generator.genKeyPair() + + environment { + config = MapApplicationConfig( + "jwt.privateKey" to Base64.getEncoder().encodeToString(keyPair.private.encoded), + "jwt.issuer" to "issuer.test", + "jwt.audience" to "audience", + "jwt.realm" to "realm", + ) + } + + application { + main(fakeJwkProvider("6f8856ed-9189-488f-9011-0ff4b6c08edc", keyPair.public as RSAPublicKey)) + } + + val response = client.post("/login") { + contentType(ContentType.Application.Json) + setBody( + """ + { + "username": "jetbrains", + "password": "foobar" + } + """.trimIndent() + ) + } + + val token = response.bodyAsText() + + val greetings = client.get("/hello") { + header(HttpHeaders.Authorization, "Bearer $token") + }.bodyAsText() + + assertEquals("Hello, jetbrains!", greetings) + } + + @Suppress("SameParameterValue") + private fun fakeJwkProvider(id: String, publicKey: RSAPublicKey): JwkProvider { + return JwkProvider { + Jwk( + id, + "RSA", + "RS256", + "", + listOf(), + "", + listOf(), + "", + mapOf( + "n" to Base64.getUrlEncoder().encodeToString(publicKey.modulus.toByteArray()), + "e" to Base64.getUrlEncoder().encodeToString(publicKey.publicExponent.toByteArray()) + ) + ) + } + } +}