Added jwt http timeout (#285)

* Added jwt http timeout Co-authored-by: Alessandro Peretti <alessandro.peretti@spindox.it>
2023-06-09 14:29:01 +02:00 · 2023-06-09 14:29:01 +02:00 · 807e8f25e3
parent a271ad1e70
commit 807e8f25e3
3 changed files with 100 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -864,6 +864,7 @@ The following options are supported by the `jwt` backend when remote is set to t
 | --------------------------- | --------- | :-------: | ------------------------------------------------------------- |
 | auth_opt_jwt_host           |           |    Y/N    | API server host name or ip                                    |
 | auth_opt_jwt_port           |           |     Y     | TCP port number                                               |
+| auth_opt_jwt_http_timeout   |     5     |     N     | Timeout in seconds for http client                            |
 | auth_opt_jwt_getuser_uri    |           |     Y     | URI for check username/password                               |
 | auth_opt_jwt_superuser_uri  |           |     N     | URI for check superuser                                       |
 | auth_opt_jwt_aclcheck_uri   |           |     Y     | URI for check acl                                             |
--- a/backends/jwt_remote.go
+++ b/backends/jwt_remote.go
@ -27,10 +27,10 @@ type remoteJWTChecker struct {
 	hostWhitelist []string
 	withTLS       bool
 	verifyPeer    bool
-
-	paramsMode   string
-	httpMethod   string
-	responseMode string
+	paramsMode    string
+	httpMethod    string
+	responseMode  string
+	timeout       int

 	options tokenOptions

@ -152,7 +152,16 @@ func NewRemoteJWTChecker(authOpts map[string]string, options tokenOptions, versi
 		return nil, errors.Errorf("JWT backend error: missing remote options: %s", missingOpts)
 	}

-	checker.client = &h.Client{Timeout: 5 * time.Second}
+	checker.timeout = 5
+	if timeoutString, ok := authOpts["jwt_http_timeout"]; ok {
+		if timeout, err := strconv.Atoi(timeoutString); err == nil {
+			checker.timeout = timeout
+		} else {
+			log.Errorf("unable to parse timeout: %s", err)
+		}
+	}
+
+	checker.client = &h.Client{Timeout: time.Duration(checker.timeout) * time.Second}

 	if !checker.verifyPeer {
 		tr := &h.Transport{
--- a/backends/jwt_test.go
+++ b/backends/jwt_test.go
@ -1654,3 +1654,88 @@ func TestJWTFormTextResponseServer(t *testing.T) {
 	})

 }
+
+func TestJWTHttpTimeout(t *testing.T) {
+
+	topic := "test/topic"
+	var acc = int64(1)
+	clientID := "test_client"
+	token, _ := jwtToken.SignedString([]byte(jwtSecret))
+
+	version := "2.0.0"
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+
+		err := r.ParseForm()
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
+		var params = r.Form
+
+		gToken := r.Header.Get("Authorization")
+		gToken = strings.TrimPrefix(gToken, "Bearer ")
+
+		if token != gToken {
+			w.Write([]byte("Wrong credentials."))
+			return
+		}
+
+		switch r.URL.Path {
+		case "/user", "/superuser":
+			w.Write([]byte("ok"))
+		case "/acl":
+			time.Sleep(time.Duration(1200) * time.Millisecond)
+			paramsAcc, _ := strconv.ParseInt(params["acc"][0], 10, 64)
+			if params["topic"][0] == topic && params["clientid"][0] == clientID && paramsAcc <= acc {
+				w.Write([]byte("ok"))
+				break
+			}
+			w.Write([]byte("Acl check failed."))
+		}
+
+	}))
+
+	defer mockServer.Close()
+
+	authOpts := make(map[string]string)
+	authOpts["jwt_mode"] = "remote"
+	authOpts["jwt_params_mode"] = "form"
+	authOpts["jwt_response_mode"] = "text"
+	authOpts["jwt_host"] = strings.Replace(mockServer.URL, "http://", "", -1)
+	authOpts["jwt_port"] = ""
+	authOpts["jwt_getuser_uri"] = "/user"
+	authOpts["jwt_superuser_uri"] = "/superuser"
+	authOpts["jwt_aclcheck_uri"] = "/acl"
+	authOpts["jwt_http_timeout"] = "1"
+
+	Convey("Given correct options an http backend instance should be returned", t, func() {
+		hb, err := NewJWT(authOpts, log.DebugLevel, hashing.NewHasher(authOpts, ""), version)
+		So(err, ShouldBeNil)
+
+		Convey("JWT remote test timeout parameter: YES TIMEOUT", func() {
+			_, err := hb.CheckAcl(token, topic, clientID, MOSQ_ACL_READ)
+			So(err, ShouldBeError)
+			So(err.Error(), ShouldContainSubstring, "acl")
+		})
+
+		hb.Halt()
+	})
+
+	authOpts["jwt_http_timeout"] = "2"
+
+	Convey("Given correct options an http backend instance should be returned", t, func() {
+		hb, err := NewJWT(authOpts, log.DebugLevel, hashing.NewHasher(authOpts, ""), version)
+		So(err, ShouldBeNil)
+
+		Convey("JWT remote test timeout parameter: NO TIMEOUT", func() {
+			_, err := hb.CheckAcl(token, topic, clientID, MOSQ_ACL_READ)
+			So(err, ShouldBeNil)
+		})
+
+		hb.Halt()
+	})
+
+}