make ALB base URL configurable; add unit test

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>

Author: zandbelt

AUTHORS

@@ -15,3 +15,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
     Pavel Anpin <https://github.com/anpin>
 	smanolache <https://github.com/smanolache>
     pladen <https://github.com/pladen>
+    Drew <https://github.com/drwxmrrs>

src/jose.c

@@ -742,6 +742,7 @@ _oauth2_jose_jwks_provider_init(oauth2_log_t *log,
 	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
 		provider->resolve = oauth2_jose_jwks_aws_alb_resolve;
 		provider->alb_arn = NULL;
+		provider->alb_base_url = NULL;
 		break;
 	}
 
@@ -773,6 +774,7 @@ _oauth2_jose_jwks_provider_clone(oauth2_log_t *log,
 		break;
 	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
 		dst->alb_arn = oauth2_strdup(src->alb_arn);
+		dst->alb_base_url = oauth2_strdup(src->alb_base_url);
 		break;
 	}
 
@@ -802,6 +804,8 @@ _oauth2_jose_jwks_provider_free(oauth2_log_t *log,
 	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
 		if (provider->alb_arn)
 			oauth2_mem_free(provider->alb_arn);
+		if (provider->alb_base_url)
+			oauth2_mem_free(provider->alb_base_url);
 		break;
 	}
 
@@ -1864,6 +1868,7 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb)
 	oauth2_cfg_token_verify_t *verify = (oauth2_cfg_token_verify_t *)ctx;
 	char *rv = NULL;
 	oauth2_jose_jwt_verify_ctx_t *ptr = NULL;
+	const char *alb_base_url = NULL;
 
 	oauth2_debug(log, "enter");
 
@@ -1880,6 +1885,11 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb)
 
 	ptr->jwks_provider->alb_arn = oauth2_strdup(value);
 
+	alb_base_url = oauth2_nv_list_get(log, params, "alb_base_url");
+	if (alb_base_url) {
+		ptr->jwks_provider->alb_base_url = oauth2_strdup(alb_base_url);
+	}
+
 end:
 
 	oauth2_debug(log, "leave: %s", rv);
@@ -2266,6 +2276,8 @@ oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
 				 bool *refresh, cjose_header_t *hdr)
 {
 	cjose_err err;
+	char *url = NULL;
+	const char *region = NULL;
 
 	const char *signer = cjose_header_get(hdr, "signer", &err);
 	const char *kid = cjose_header_get(hdr, "kid", &err);
@@ -2278,7 +2290,6 @@ oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
 		return NULL;
 	}
 
-	// TODO - maybe needed? timing safe compare?
 	if (strcmp(signer, provider->alb_arn) != 0) {
 		oauth2_error(
 		    log,
@@ -2287,17 +2298,19 @@ oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
 		return NULL;
 	}
 
-	const char *region =
-	    _oauth2_jose_jwks_aws_alb_region(provider->alb_arn);
-	if (!region) {
-		oauth2_error(log, "failed to extract region from ARN: arn=%s",
-			     provider->alb_arn);
-		return NULL;
+	if (provider->alb_base_url == NULL) {
+		region = _oauth2_jose_jwks_aws_alb_region(provider->alb_arn);
+		if (!region) {
+			oauth2_error(
+			    log, "failed to extract region from ARN: arn=%s",
+			    provider->alb_arn);
+			return NULL;
+		}
+		url = _oauth2_stradd4(NULL, "https://public-keys.auth.elb.",
+				      region, ".amazonaws.com/", kid);
+	} else {
+		url = oauth2_stradd(NULL, provider->alb_base_url, kid, NULL);
 	}
-
-	// TODO: make the base URL configurable
-	char *url = _oauth2_stradd4(NULL, "https://public-keys.auth.elb.",
-				    region, ".amazonaws.com/", kid);
 	oauth2_debug(log, "constructed ALB JWKs URL: %s", url);
 
 	provider->jwks_uri = oauth2_uri_ctx_init(log);

src/jose_int.h

@@ -63,7 +63,10 @@ typedef struct oauth2_jose_jwks_provider_t {
 	union {
 		oauth2_uri_ctx_t *jwks_uri;
 		oauth2_jose_jwk_list_t *jwks;
-		char *alb_arn;
+		struct {
+			char *alb_arn;
+			char *alb_base_url;
+		};
 	};
 	// struct oauth2_jose_jwks_provider_t *next;
 } oauth2_jose_jwks_provider_t;

test/check_oauth2.c

@@ -789,6 +789,49 @@ START_TEST(test_oauth2_verify_eckey_uri)
 }
 END_TEST
 
+START_TEST(test_oauth2_verify_aws_alb)
+{
+	bool rc = false;
+	oauth2_cfg_token_verify_t *verify = NULL;
+	char *jwt =
+	    "eyJ0eXAiOiJKV1QiLCJraWQiOiIwOWQ0ZmExNy0yMjNlLTQwZmEtYjI4MC04OTRlOD"
+	    "QzZDcwMWYiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29v"
+	    "Z2xlLmNvbSIsImNsaWVudCI6IjY4NjMwMzIzMzEzMS1wZjA4b3J2YzVyY3BmaXQwdm"
+	    "xxNW82dWg0N3UyZW5mZy5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsInNpZ25l"
+	    "ciI6ImFybjphd3M6ZWxhc3RpY2xvYWRiYWxhbmNpbmc6ZXUtY2VudHJhbC0xOjAwNj"
+	    "E3NTk0MDQ5NDpsb2FkYmFsYW5jZXIvYXBwL2JhbGFuY2VyMS8xODE3NThhZTJiMGMz"
+	    "ZWRlIiwiZXhwIjoxNTQyMDQ1Mzk5fQ==."
+	    "ewogICJzdWIiOiAiMTA5NzE2NDkyNjgxNjg2MTcyOTY5IiwKICAibmFtZSI6ICJIYW"
+	    "5zIFphbmRiZWx0IiwKICAiZ2l2ZW5fbmFtZSI6ICJIYW5zIiwKICAiZmFtaWx5X25h"
+	    "bWUiOiAiWmFuZGJlbHQiLAogICJwcm9maWxlIjogImh0dHBzOi8vcGx1cy5nb29nbG"
+	    "UuY29tLzEwOTcxNjQ5MjY4MTY4NjE3Mjk2OSIsCiAgInBpY3R1cmUiOiAiaHR0cHM6"
+	    "Ly9saDMuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1pOUc3U1V2S1FETS9BQUFBQUFBQU"
+	    "FBSS9BQUFBQUFBQUFBQS9zeEFzTk5FVlJWZy9waG90by5qcGciCn0=."
+	    "AlH8PGya9avWoGVkWOFWbMNiLdpSDQZqP-"
+	    "OuGfIXHw1CZWjxfJInXYiRsKRZlvlXJA5fguaeNKZ1Q_RyDjNqRg==";
+	json_t *json_payload = NULL;
+	const char *rv = NULL;
+	char *url = NULL, *options = NULL;
+
+	url = oauth2_stradd(NULL, oauth2_check_http_base_url(),
+			    get_eckey_url_path, NULL);
+	options = oauth2_stradd(NULL, "alb_base_url", "=", url);
+	rv = oauth2_cfg_token_verify_add_options(
+	    _log, &verify, "aws_alb",
+	    "arn:aws:elasticloadbalancing:eu-central-1:006175940494:"
+	    "loadbalancer/app/balancer1/181758ae2b0c3ede",
+	    options);
+	ck_assert_ptr_eq(rv, NULL);
+
+	rc = oauth2_token_verify(_log, NULL, verify, jwt, &json_payload);
+	ck_assert_int_eq(rc, true);
+
+	oauth2_cfg_token_verify_free(_log, verify);
+	oauth2_mem_free(url);
+	json_decref(json_payload);
+}
+END_TEST
+
 START_TEST(test_oauth2_verify_token_introspection)
 {
 	bool rc = false;
@@ -1166,6 +1209,7 @@ Suite *oauth2_check_oauth2_suite()
 	tcase_add_test(c, test_oauth2_verify_jwk);
 	tcase_add_test(c, test_oauth2_verify_jwk_dpop);
 	tcase_add_test(c, test_oauth2_verify_eckey_uri);
+	tcase_add_test(c, test_oauth2_verify_aws_alb);
 	tcase_add_test(c, test_oauth2_verify_token_introspection);
 	tcase_add_test(c, test_oauth2_verify_token_plain);
 	tcase_add_test(c, test_oauth2_verify_token_base64);