progress on extension

Author: michelp

Makefile

@@ -0,0 +1,8 @@
+EXTENSION = pgjwt
+DATA = pgjwt--0.0.1.sql
+REGRESS = jwt_test     # our test script file (without extension)
+
+# postgres build stuff
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)

README.md

@@ -1,35 +1,35 @@
 # pgjwt
 PostgreSQL implementation of [JSON Web Tokens](https://jwt.io/)
 
-Dependencies
-------------
+## Dependencies
 
 This code requires the pgcrypto extension, included in most
 distribution's "postgresql-contrib" package.  The tests require the
 pgtap extension to run.
 
-Install
--------
+## Install
 
-    'psql -f jwt.sql'
+Clone the repository and then run:
 
-Note that this file will DROP and CREATE a new schema called 'jwt'.
-To run the tests install pgtap and run 'pg_prove test.sql'.
+    'make install'
 
+You will require sudo privledges in most cases.  This creates a new
+extension that can be installed with 'CREATE EXTENSION pgjwt;' To run
+the tests install pgtap and run 'pg_prove test.sql'.
 
-Usage
------
+
+## Usage
 
 Create a token.  The first argument must be valid json, the second argument any text:
 
-    => select jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret');
+    => select sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret');
                                                                             sign
     -------------------------------------------------------------------------------------------------------------------------------------------------------
      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
 
 Verify a token:
 
-    => select * from jwt.verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ', 'secret');
+    => select * from verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ', 'secret');
                header            |                       payload                       | valid
     -----------------------------+-----------------------------------------------------+-------
      {"alg":"HS256","typ":"JWT"} | {"sub":"1234567890","name":"John Doe","admin":true} | t
@@ -40,6 +40,12 @@ Algorithm
 sign() and verify() take an optional algorithm argument that can be
 'HS256', 'HS384' or 'HS512'.  The default is 'HS256':
 
-    => select jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'HS384'),
+    => select sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'HS384'),
+
+
+
+## TODO
 
+* public/private keys
 
+* SET ROLE and key lookup helper functions

jwt.sql

@@ -0,0 +1,61 @@
+\echo Use "CREATE EXTENSION base36" to load this file. \quit
+
+
+CREATE OR REPLACE FUNCTION url_encode(data bytea) RETURNS text LANGUAGE sql AS $$
+    SELECT translate(encode(data, 'base64'), E'+/=\n', '-_');
+$$;
+
+
+CREATE OR REPLACE FUNCTION url_decode(data text) RETURNS bytea LANGUAGE sql AS $$
+WITH t AS (SELECT translate(data, '-_', '+/')),
+     rem AS (SELECT length((SELECT * FROM t)) % 4) -- compute padding size
+    SELECT decode(
+        (SELECT * FROM t) ||
+        CASE WHEN (SELECT * FROM rem) > 0
+           THEN repeat('=', (4 - (SELECT * FROM rem)))
+           ELSE '' END,
+    'base64');
+$$;
+
+
+CREATE OR REPLACE FUNCTION algorithm_sign(signables text, secret text, algorithm text)
+RETURNS text LANGUAGE sql AS $$
+WITH
+  alg AS (
+    SELECT CASE
+      WHEN algorithm = 'HS256' THEN 'sha256'
+      WHEN algorithm = 'HS384' THEN 'sha384'
+      WHEN algorithm = 'HS512' THEN 'sha512'
+      ELSE '' END)  -- hmac throws error
+SELECT url_encode(hmac(signables, secret, (select * FROM alg)));
+$$;
+
+
+CREATE OR REPLACE FUNCTION sign(payload json, secret text, algorithm text DEFAULT 'HS256')
+RETURNS text LANGUAGE sql AS $$
+WITH
+  header AS (
+    SELECT url_encode(convert_to('{"alg":"' || algorithm || '","typ":"JWT"}', 'utf8'))
+    ),
+  payload AS (
+    SELECT url_encode(convert_to(payload::text, 'utf8'))
+    ),
+  signables AS (
+    SELECT (SELECT * FROM header) || '.' || (SELECT * FROM payload)
+    )
+SELECT
+    (SELECT * FROM signables)
+    || '.' ||
+    algorithm_sign((SELECT * FROM signables), secret, algorithm);
+$$;
+
+
+CREATE OR REPLACE FUNCTION verify(token text, secret text, algorithm text DEFAULT 'HS256')
+RETURNS table(header json, payload json, valid boolean) LANGUAGE sql AS $$
+  SELECT
+    convert_from(url_decode(r[1]), 'utf8')::json AS header,
+    convert_from(url_decode(r[2]), 'utf8')::json AS payload,
+    r[3] = algorithm_sign(r[1] || '.' || r[2], secret, algorithm) AS valid
+  FROM regexp_split_to_array(token, '\.') r;
+$$;
+COMMIT;

pgjwt--0.0.1.sql

@@ -0,0 +1,4 @@
+# pgjwt extension
+comment = 'JSON Web Token API for Postgresql'
+default_version = '0.0.1'
+relocatable = true

pgjwt.control

@@ -0,0 +1,79 @@
+
+SELECT jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret');
+
+    --  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ');
+
+SELECT jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'HS256');
+--  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ');
+
+SELECT jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'bogus');
+    -- $$,
+    -- '22023',
+    -- 'Cannot use "": No such hash algorithm',
+    -- 'sign() should raise on bogus algorithm'
+    -- );
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    'secret', 'bogus');
+    -- '22023',
+    -- 'Cannot use "": No such hash algorithm',
+    -- 'verify() should raise on bogus algorithm'
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    'eyJhbGciOiJIUzI1NiIBOGUScCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    'secret', 'HS256');
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaBOGUS9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    'secret', 'HS256');
+
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    'secret');
+    -- $$VALUES ('{"alg":"HS256","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', true)$$,
+    -- 'verify() should return return data marked valid'
+
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    'badsecret');
+
+    -- $$VALUES ('{"alg":"HS256","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', false)$$,
+    -- 'verify() should return return data marked invalid'
+
+
+SELECT jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'HS384');
+--  E'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.DtVnCyiYCsCbg8gUP-579IC2GJ7P3CtFw6nfTTPw-0lZUzqgWAo9QIQElyxOpoRm');
+
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    E'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.DtVnCyiYCsCbg8gUP-579IC2GJ7P3CtFw6nfTTPw-0lZUzqgWAo9QIQElyxOpoRm',
+    'secret', 'HS384');
+    -- $$VALUES ('{"alg":"HS384","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', true)$$,
+    -- 'verify() should return return data marked valid'
+
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    E'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.DtVnCyiYCsCbg8gUP-579IC2GJ7P3CtFw6nfTTPw-0lZUzqgWAo9QIQElyxOpoRm',
+    'badsecret', 'HS384');
+    -- $$VALUES ('{"alg":"HS384","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', false)$$,
+    -- 'verify() should return return data marked invalid'
+
+
+SELECT jwt.sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret', 'HS512');
+--  E'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.YI0rUGDq5XdRw8vW2sDLRNFMN8Waol03iSFH8I4iLzuYK7FKHaQYWzPt0BJFGrAmKJ6SjY0mJIMZqNQJFVpkuw');
+
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    E'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.YI0rUGDq5XdRw8vW2sDLRNFMN8Waol03iSFH8I4iLzuYK7FKHaQYWzPt0BJFGrAmKJ6SjY0mJIMZqNQJFVpkuw',
+    'secret', 'HS512');
+    -- $$VALUES ('{"alg":"HS512","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', true)$$,
+    -- 'verify() should return return data marked valid'
+
+SELECT header::text, payload::text, valid FROM jwt.verify(
+    E'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.YI0rUGDq5XdRw8vW2sDLRNFMN8Waol03iSFH8I4iLzuYK7FKHaQYWzPt0BJFGrAmKJ6SjY0mJIMZqNQJFVpkuw',
+    'badsecret', 'HS512');
+    -- $$VALUES ('{"alg":"HS512","typ":"JWT"}', '{"sub":"1234567890","name":"John Doe","admin":true}', false)$$,
+    -- 'verify() should return return data marked invalid'