feat: v1.8.5, claims support jti, validity

2024-04-14 09:43:11 +08:00
parent 44a0e3512e
commit e13503116a
3 changed files with 620 additions and 424 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.8.4"
+version = "1.8.5"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"

--- a/src/cmd_signjwt.rs
+++ b/src/cmd_signjwt.rs
@@ -4,8 +4,9 @@ use std::collections::BTreeMap;
 use clap::{App, Arg, ArgMatches, SubCommand};
 use jwt::{AlgorithmType, Header, ToBase64};
 use jwt::header::HeaderType;
-use rust_util::{util_msg, XResult};
+use rust_util::{util_msg, util_time, XResult};
 use rust_util::util_clap::{Command, CommandError};
+use serde_json::{Map, Number, Value};
 use yubikey::{Certificate, YubiKey};
 use yubikey::piv::{AlgorithmId, sign_data};

@@ -25,6 +26,8 @@ impl Command for CommandImpl {
            .arg(Arg::with_name("key-id").short("K").long("key-id").takes_value(true).help("Header key ID"))
            .arg(Arg::with_name("claims").short("C").long("claims").takes_value(true).multiple(true).help("Claims, key:value"))
            .arg(Arg::with_name("payload").short("P").long("payload").takes_value(true).help("Claims in JSON"))
+            .arg(Arg::with_name("jti").long("jti").help("Claims jti"))
+            .arg(Arg::with_name("validity").long("validity").takes_value(true).help("Claims validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)"))
            .arg(Arg::with_name("json").long("json").help("JSON output"))
    }

@@ -41,20 +44,23 @@ impl Command for CommandImpl {
        let key_id = sub_arg_matches.value_of("key-id");
        let claims = sub_arg_matches.values_of("claims");
        let payload = sub_arg_matches.value_of("payload");
+        let validity = sub_arg_matches.value_of("validity");
+        let jti = sub_arg_matches.is_present("jti");

        let header = Header {
            key_id: key_id.map(ToString::to_string),
            type_: Some(HeaderType::JsonWebToken),
            ..Default::default()
        };
-        let mut jwt_claims = BTreeMap::new();
+        let mut jwt_claims = Map::new();
        match (payload, claims) {
            (Some(_), _) => {}
            (_, Some(claims)) => {
                for claim in claims {
+                    // TODO support multiple claim types
                    match split_claim(claim) {
                        None => { warning!("Claim '{}' do not contains ':'", claim); }
-                        Some((k, v)) => { jwt_claims.insert(k, v); }
+                        Some((k, v)) => { jwt_claims.insert(k, Value::String(v)); }
                    }
                }
                if !jwt_claims.contains_key("sub") {
@@ -64,6 +70,21 @@ impl Command for CommandImpl {
            _ => return simple_error!("Payload or Claims is required."),
        }

+        // set jti, iat and sub
+        if jti && !jwt_claims.contains_key("jti") {
+            jwt_claims.insert("jti".to_string(), Value::String(format!("jti-{}", util_time::get_current_millis())));
+        }
+        if let Some(validity) = validity {
+            match util_time::parse_duration(validity) {
+                None => { warning!("Bad validity: {}", validity) }
+                Some(validity) => {
+                    let current_secs = (util_time::get_current_millis() / 1000) as u64;
+                    jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs)));
+                    jwt_claims.insert("exp".to_string(), Value::Number(Number::from(current_secs + validity.as_secs())));
+                }
+            }
+        }
+
        let token_string = sign_jwt(slot, &pin_opt, header, &payload, &jwt_claims)?;
        success!("Singed JWT: {}", token_string);
        if json_output { json.insert("token", token_string.clone()); }
@@ -76,7 +97,7 @@ impl Command for CommandImpl {
 }


-fn sign_jwt(slot: &str, pin_opt: &Option<&str>, mut header: Header, payload: &Option<&str>, claims: &BTreeMap<String, String>) -> XResult<String> {
+fn sign_jwt(slot: &str, pin_opt: &Option<&str>, mut header: Header, payload: &Option<&str>, claims: &Map<String, Value>) -> XResult<String> {
    let mut yk = opt_result!(YubiKey::open(), "Find YubiKey failed: {}");
    let slot_id = opt_result!(pivutil::get_slot_id(slot), "Get slot id failed: {}");