abcxyz · sethvargo · May 26, 2022 · Apr 19, 2022 · Apr 20, 2022 · Apr 20, 2022
@@ -21,5 +21,6 @@ import (
 // JVSClaims are the claims that will be held within a JWT minted by the JVS server.
 type JVSClaims struct {
 	*jwt.StandardClaims
-	Justifications []*Justification
+	Justifications []*Justification `json:"justs,omitempty"`
+	KeyID          string           `json:"kid,omitempty"`
 }
@@ -0,0 +1,65 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package client provides a client library for JVS
+package client
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+)
+
+// JVSClient allows for getting JWK keys from the JVS and validating JWTs with those keys
+type JVSClient struct {
+	config *JVSConfig
+	keys   jwk.Set
+	mu     sync.RWMutex
+}
+
+// NewJVSClient returns a JVSClient with the cache initialized
+func NewJVSClient(ctx context.Context, config *JVSConfig) (*JVSClient, error) {
+	c := jwk.NewCache(ctx)
+	c.Register(config.JVSEndpoint, jwk.WithMinRefreshInterval(config.CacheTimeout))
+
+	// check that cache is correctly set up and certs are available
+	if _, err := c.Refresh(ctx, config.JVSEndpoint); err != nil {
+		return nil, fmt.Errorf("failed to retrieve JVS public keys: %w", err)
+	}
+
+	cached := jwk.NewCachedSet(c, config.JVSEndpoint)
+
+	if err := config.Validate(); err != nil {
+		return nil, fmt.Errorf("failed to validate configuration: %w", err)
+	}
+
+	return &JVSClient{
+		config: config,
+		keys:   cached,
+	}, nil
+}
+
+// ValidateJWT takes a jwt string, converts it to a JWT, and validates the signature.
+func (j *JVSClient) ValidateJWT(ctx context.Context, jwtStr string) (*jwt.Token, error) {
+	verifiedToken, err := jwt.Parse([]byte(jwtStr), jwt.WithKeySet(j.keys, jws.WithInferAlgorithmFromKey(true)))
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify jwt %s: %w", jwtStr, err)
+	}
+
+	return &verifiedToken, nil
+}
@@ -0,0 +1,191 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	v0 "github.com/abcxyz/jvs/apis/v0"
+	"github.com/abcxyz/jvs/pkg/testutil"
+	"github.com/google/go-cmp/cmp"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+)
+
+func TestValidateJWT(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// create another key, to show the correct key is retrieved from cache and used for validation.
+	privateKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key := "projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[CRYPTO_KEY]"
+	keyID := key + "/cryptoKeyVersions/[VERSION]-0"
+	keyID2 := key + "/cryptoKeyVersions/[VERSION]-1"
+
+	ecdsaKey, err := jwk.FromRaw(privateKey.PublicKey)
+	ecdsaKey.Set(jwk.KeyIDKey, keyID)
+	ecdsaKey2, err := jwk.FromRaw(privateKey2.PublicKey)
+	ecdsaKey2.Set(jwk.KeyIDKey, keyID2)
+	jwks := make(map[string][]jwk.Key)
+	jwks["keys"] = []jwk.Key{ecdsaKey, ecdsaKey2}
+
+	j, err := json.MarshalIndent(jwks, "", " ")
+	if err != nil {
+		t.Fatal("couldn't create jwks json")
+	}
+
+	path := "/.well-known/jwks"
+	mux := http.NewServeMux()
+	mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, string(j))
+	})
+
+	svr := httptest.NewServer(mux)
+
+	t.Cleanup(func() {
+		svr.Close()
+	})
+
+	client, err := NewJVSClient(ctx, &JVSConfig{
+		Version:      1,
+		JVSEndpoint:  svr.URL + path,
+		CacheTimeout: 5 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("failed to create JVS client: %v", err)
+	}
+
+	tok := createToken(t, "test_id")
+	validJWT := signToken(t, tok, privateKey, keyID)
+
+	tok2 := createToken(t, "test_id_2")
+	validJWT2 := signToken(t, tok2, privateKey2, keyID2)
+
+	unsig, err := jwt.NewSerializer().Serialize(tok)
+	if err != nil {
+		t.Fatal("Couldn't get signing string.")
+	}
+	unsignedJWT := string(unsig)
+
+	split := strings.Split(validJWT2, ".")
+	sig := split[len(split)-1]
+
+	invalidSignatureJWT := unsignedJWT + sig // signature from a different JWT
+
+	tests := []struct {
+		name      string
+		jwt       string
+		wantErr   string
+		wantToken jwt.Token
+	}{
+		{
+			name:      "happy-path",
+			jwt:       validJWT,
+			wantToken: tok,
+		}, {
+			name:      "other-key",
+			jwt:       validJWT2,
+			wantToken: tok2,
+		}, {
+			name:    "unsigned",
+			jwt:     unsignedJWT,
+			wantErr: "required field \"signatures\" not present",
+		}, {
+			name:    "invalid",
+			jwt:     invalidSignatureJWT,
+			wantErr: "failed to verify jwt",
+		},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			res, err := client.ValidateJWT(ctx, tc.jwt)
+			testutil.ErrCmp(t, tc.wantErr, err)
+			if err != nil {
+				return
+			}
+			got, err := json.MarshalIndent(res, "", " ")
+			if err != nil {
+				t.Errorf("couldn't marshal returned token %v", err)
+			}
+			want, err := json.MarshalIndent(tc.wantToken, "", " ")
+			if err != nil {
+				t.Errorf("couldn't marshal expected token %v", err)
+			}
+			if diff := cmp.Diff(want, got); diff != "" {
+				t.Errorf("Token diff (-want, +got): %v", diff)
+			}
+		})
+	}
+}
+
+func createToken(tb testing.TB, id string) jwt.Token {
+	tb.Helper()
+
+	tok, err := jwt.NewBuilder().
+		Audience([]string{"test_aud"}).
+		Expiration(time.Now().Add(5 * time.Minute)).
+		JwtID(id).
+		IssuedAt(time.Now()).
+		Issuer(`test_iss`).
+		NotBefore(time.Now()).
+		Subject("test_sub").
+		Build()
+	if err != nil {
+		tb.Fatalf("failed to build token: %s\n", err)
+	}
+	tok.Set("justs", []*v0.Justification{
+		{
+			Category: "explanation",
+			Value:    "this is a test explanation",
+		},
+	})
+	return tok
+}
+
+func signToken(tb testing.TB, tok jwt.Token, privateKey *ecdsa.PrivateKey, keyID string) string {
+	tb.Helper()
+	hdrs := jws.NewHeaders()
+	hdrs.Set(jws.KeyIDKey, keyID)
+
+	valid, err := jwt.Sign(tok, jwt.WithKey(jwa.ES256, privateKey, jws.WithProtectedHeaders(hdrs)))
+	if err != nil {
+		tb.Fatalf("failed to sign token: %s\n", err)
+	}
+	return string(valid)
+}
@@ -0,0 +1,94 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/sethvargo/go-envconfig"
+	"gopkg.in/yaml.v2"
+)
+
+const (
+	// Version default for config.
+	Version             = 1
+	CacheTimeoutDefault = 5 * time.Minute
+)
+
+// JVSConfig is the jvs client configuration.
+type JVSConfig struct {
+	// Version is the version of the config.
+	Version uint8 `yaml:"version,omitempty" env:"VERSION,overwrite"`
+
+	// JVS Endpoint. Expected to be fully qualified, including port. ex. http://127.0.0.1:8080
+	JVSEndpoint string `yaml:"endpoint,omitempty" env:"ENDPOINT,overwrite"`
+
+	// CacheTimeout is the duration that keys stay in cache before being revoked.
+	CacheTimeout time.Duration `yaml:"cache_timeout" env:"CACHE_TIMEOUT,overwrite"`
+}
+
+// Validate checks if the config is valid.
+func (cfg *JVSConfig) Validate() error {
+	cfg.SetDefault()
+	var err *multierror.Error
+	if cfg.Version != Version {
+		err = multierror.Append(err, fmt.Errorf("unexpected Version %d want %d", cfg.Version, Version))
+	}
+	if cfg.JVSEndpoint == "" {
+		err = multierror.Append(err, fmt.Errorf("endpoint must be set"))
+	}
+	if cfg.CacheTimeout <= 0 {
+		err = multierror.Append(err, fmt.Errorf("cache timeout invalid: %d", cfg.CacheTimeout))
+	}
+	return err.ErrorOrNil()
+}
+
+// SetDefault sets defaults for the config.
+func (cfg *JVSConfig) SetDefault() {
+	if cfg.Version == 0 {
+		cfg.Version = Version
+	}
+	if cfg.CacheTimeout == 0 {
+		// env config lib doesn't gracefully handle env overrides with defaults, have to set manually.
+		cfg.CacheTimeout = CacheTimeoutDefault
+	}
+}
+
+// LoadJVSConfig calls the necessary methods to load in config using the OsLookuper which finds env variables specified on the host.
+func LoadJVSConfig(ctx context.Context, b []byte) (*JVSConfig, error) {
+	return loadJVSConfigFromLookuper(ctx, b, envconfig.OsLookuper())
+}
+
+// loadConfigFromLooker reads in a yaml file, applies ENV config overrides from the lookuper, and finally validates the config.
+func loadJVSConfigFromLookuper(ctx context.Context, b []byte, lookuper envconfig.Lookuper) (*JVSConfig, error) {
+	cfg := &JVSConfig{}
+	if err := yaml.Unmarshal(b, cfg); err != nil {
+		return nil, err
+	}
+
+	// Process overrides from env vars.
+	l := envconfig.PrefixLookuper("JVS_", lookuper)
+	if err := envconfig.ProcessWith(ctx, cfg, l); err != nil {
+		return nil, err
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("failed validating config: %w", err)
+	}
+	return cfg, nil
+}