JWT: Enable reading a JSON Web Key Set from a file

pkg/global/apply_configuration.go

@@ -70,16 +70,10 @@ func (ls *LifecycleState) MarkReadyAndWait(group program.Group) {
 			router.Handle("/active_spans", httpHandler)
 		}
 
-		group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
-			if err := bb_http.NewServersFromConfigurationAndServe(
-				ls.config.HttpServers,
-				bb_http.NewMetricsHandler(router, "Diagnostics"),
-				group,
-			); err != nil {
-				return util.StatusWrap(err, "Failed to launch diagnostics HTTP server")
-			}
-			return nil
-		})
+		bb_http.NewServersFromConfigurationAndServe(
+			ls.config.HttpServers,
+			bb_http.NewMetricsHandler(router, "Diagnostics"),
+			group)
 	}
 }
 

pkg/grpc/authenticator.go

@@ -7,6 +7,7 @@ import (
 	"github.com/buildbarn/bb-storage/pkg/auth"
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/jwt"
+	"github.com/buildbarn/bb-storage/pkg/program"
 	configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/grpc"
 	"github.com/buildbarn/bb-storage/pkg/util"
 	"github.com/jmespath/go-jmespath"
@@ -24,7 +25,7 @@ type Authenticator interface {
 
 // NewAuthenticatorFromConfiguration creates a tree of Authenticator
 // objects based on a configuration file.
-func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy) (Authenticator, bool, error) {
+func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy, group program.Group) (Authenticator, bool, error) {
 	if policy == nil {
 		return nil, false, status.Error(codes.InvalidArgument, "Authentication policy not specified")
 	}
@@ -39,7 +40,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 		children := make([]Authenticator, 0, len(policyKind.Any.Policies))
 		needsPeerTransportCredentials := false
 		for _, childConfiguration := range policyKind.Any.Policies {
-			child, childNeedsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(childConfiguration)
+			child, childNeedsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(childConfiguration, group)
 			if err != nil {
 				return nil, false, err
 			}
@@ -51,7 +52,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 		children := make([]Authenticator, 0, len(policyKind.All.Policies))
 		needsPeerTransportCredentials := false
 		for _, childConfiguration := range policyKind.All.Policies {
-			child, childNeedsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(childConfiguration)
+			child, childNeedsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(childConfiguration, group)
 			if err != nil {
 				return nil, false, err
 			}
@@ -81,7 +82,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 			metadataExtractor,
 		), false, nil
 	case *configuration.AuthenticationPolicy_Jwt:
-		authorizationHeaderParser, err := jwt.NewAuthorizationHeaderParserFromConfiguration(policyKind.Jwt)
+		authorizationHeaderParser, err := jwt.NewAuthorizationHeaderParserFromConfiguration(policyKind.Jwt, group)
 		if err != nil {
 			return nil, false, util.StatusWrap(err, "Failed to create authorization header parser for JWT authentication policy")
 		}

pkg/grpc/server.go

@@ -36,7 +36,7 @@ func init() {
 func NewServersFromConfigurationAndServe(configurations []*configuration.ServerConfiguration, registrationFunc func(grpc.ServiceRegistrar), group program.Group) error {
 	for _, configuration := range configurations {
 		// Create an authenticator for requests.
-		authenticator, needsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(configuration.AuthenticationPolicy)
+		authenticator, needsPeerTransportCredentials, err := NewAuthenticatorFromConfiguration(configuration.AuthenticationPolicy, group)
 		if err != nil {
 			return err
 		}

pkg/http/authenticator.go

@@ -10,6 +10,7 @@ import (
 	"github.com/buildbarn/bb-storage/pkg/auth"
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/jwt"
+	"github.com/buildbarn/bb-storage/pkg/program"
 	configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/http"
 	"github.com/buildbarn/bb-storage/pkg/random"
 	"github.com/buildbarn/bb-storage/pkg/util"
@@ -30,7 +31,7 @@ type Authenticator interface {
 
 // NewAuthenticatorFromConfiguration creates a tree of Authenticator
 // objects based on a configuration file.
-func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy) (Authenticator, error) {
+func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy, group program.Group) (Authenticator, error) {
 	if policy == nil {
 		return nil, status.Error(codes.InvalidArgument, "Authentication policy not specified")
 	}
@@ -44,7 +45,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 	case *configuration.AuthenticationPolicy_Any:
 		children := make([]Authenticator, 0, len(policyKind.Any.Policies))
 		for _, childConfiguration := range policyKind.Any.Policies {
-			child, err := NewAuthenticatorFromConfiguration(childConfiguration)
+			child, err := NewAuthenticatorFromConfiguration(childConfiguration, group)
 			if err != nil {
 				return nil, err
 			}
@@ -54,7 +55,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 	case *configuration.AuthenticationPolicy_Deny:
 		return NewDenyAuthenticator(policyKind.Deny), nil
 	case *configuration.AuthenticationPolicy_Jwt:
-		authorizationHeaderParser, err := jwt.NewAuthorizationHeaderParserFromConfiguration(policyKind.Jwt)
+		authorizationHeaderParser, err := jwt.NewAuthorizationHeaderParserFromConfiguration(policyKind.Jwt, group)
 		if err != nil {
 			return nil, util.StatusWrap(err, "Failed to create authorization header parser for JWT authentication policy")
 		}
@@ -118,7 +119,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 			cookieAEAD,
 			clock.SystemClock)
 	case *configuration.AuthenticationPolicy_AcceptHeader:
-		base, err := NewAuthenticatorFromConfiguration(policyKind.AcceptHeader.Policy)
+		base, err := NewAuthenticatorFromConfiguration(policyKind.AcceptHeader.Policy, group)
 		if err != nil {
 			return nil, err
 		}

pkg/http/server.go

@@ -13,29 +13,31 @@ import (
 // program.Group, based on a configuration message. The web servers are
 // automatically terminated if the context associated with the group is
 // canceled.
-func NewServersFromConfigurationAndServe(configurations []*configuration.ServerConfiguration, handler http.Handler, group program.Group) error {
-	for _, configuration := range configurations {
-		authenticator, err := NewAuthenticatorFromConfiguration(configuration.AuthenticationPolicy)
-		if err != nil {
-			return err
-		}
-		authenticatedHandler := NewAuthenticatingHandler(handler, authenticator)
-		for _, listenAddress := range configuration.ListenAddresses {
-			server := http.Server{
-				Addr:    listenAddress,
-				Handler: authenticatedHandler,
+func NewServersFromConfigurationAndServe(configurations []*configuration.ServerConfiguration, handler http.Handler, group program.Group) {
+	group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
+		for _, configuration := range configurations {
+			authenticator, err := NewAuthenticatorFromConfiguration(configuration.AuthenticationPolicy, dependenciesGroup)
+			if err != nil {
+				return err
 			}
-			group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
-				<-ctx.Done()
-				return server.Close()
-			})
-			group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
-				if err := server.ListenAndServe(); err != http.ErrServerClosed {
-					return util.StatusWrapf(err, "Failed to launch HTTP server %#v", server.Addr)
+			authenticatedHandler := NewAuthenticatingHandler(handler, authenticator)
+			for _, listenAddress := range configuration.ListenAddresses {
+				server := http.Server{
+					Addr:    listenAddress,
+					Handler: authenticatedHandler,
 				}
-				return nil
-			})
+				group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
+					<-ctx.Done()
+					return server.Close()
+				})
+				group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
+					if err := server.ListenAndServe(); err != http.ErrServerClosed {
+						return util.StatusWrapf(err, "Failed to launch HTTP server %#v", server.Addr)
+					}
+					return nil
+				})
+			}
 		}
-	}
-	return nil
+		return nil
+	})
 }

pkg/jwt/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
         "ecdsa_sha_signature_generator.go",
         "ecdsa_sha_signature_validator.go",
         "ed25519_signature_validator.go",
+        "forwarding_signature_validator.go",
         "generate_authorization_header.go",
         "hmac_sha_signature_validator.go",
         "rsa_sha_signature_validator.go",
@@ -21,6 +22,7 @@ go_library(
         "//pkg/auth",
         "//pkg/clock",
         "//pkg/eviction",
+        "//pkg/program",
         "//pkg/proto/configuration/jwt",
         "//pkg/random",
         "//pkg/util",

pkg/jwt/configuration.go

@@ -1,14 +1,19 @@
 package jwt
 
 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rsa"
 	"encoding/json"
+	"log"
+	"os"
 	"reflect"
+	"time"
 
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
+	"github.com/buildbarn/bb-storage/pkg/program"
 	configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt"
 	"github.com/buildbarn/bb-storage/pkg/util"
 	jose "github.com/go-jose/go-jose/v3"
@@ -22,18 +27,31 @@ import (
 // NewAuthorizationHeaderParserFromConfiguration creates a new HTTP
 // "Authorization" header parser based on options stored in a
 // configuration file.
-func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration) (*AuthorizationHeaderParser, error) {
-	jwksJSON, err := protojson.Marshal(config.JwksInline)
-	if err != nil {
-		return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to marshal JSON Web Key Set")
-	}
-	var jwks jose.JSONWebKeySet
-	if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
-		return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to unmarshal JSON Web Key Set")
-	}
-	signatureValidator, err := NewSignatureValidatorFromJSONWebKeySet(&jwks)
-	if err != nil {
-		return nil, err
+func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration, group program.Group) (*AuthorizationHeaderParser, error) {
+	var signatureValidator SignatureValidator
+
+	switch key := config.Jwks.(type) {
+	case *configuration.AuthorizationHeaderParserConfiguration_JwksInline:
+		jwksJSON, err := protojson.Marshal(key.JwksInline)
+		if err != nil {
+			return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to marshal JSON Web Key Set")
+		}
+		var jwks jose.JSONWebKeySet
+		if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
+			return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to unmarshal JSON Web Key Set")
+		}
+		signatureValidator, err = NewSignatureValidatorFromJSONWebKeySet(&jwks)
+		if err != nil {
+			return nil, err
+		}
+	case *configuration.AuthorizationHeaderParserConfiguration_JwksFile:
+		var err error
+		signatureValidator, err = NewSignatureValidatorFromJSONWebKeySetFile(key.JwksFile, group)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, status.Error(codes.InvalidArgument, "No key type provided")
 	}
 
 	evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy)
@@ -102,3 +120,51 @@ func NewSignatureValidatorFromJSONWebKeySet(jwks *jose.JSONWebKeySet) (Signature
 
 	return NewDemultiplexingSignatureValidator(namedSignatureValidators, allSignatureValidators), nil
 }
+
+// NewSignatureValidatorFromJSONWebKeySetFile creates a new
+// SignatureValidator capable of validating JWTs matching keys contained
+// in a JSON Web Key Set read from a file. The content of the file is
+// periodically refreshed.
+func NewSignatureValidatorFromJSONWebKeySetFile(path string, group program.Group) (SignatureValidator, error) {
+	internalValidator, err := getJWKSFromFile(path)
+	if err != nil {
+		return nil, util.StatusWrapf(err, "Unable to read JWKS content from file at %#v", path)
+	}
+	forwardingValidator := NewForwardingSignatureValidator(internalValidator)
+
+	group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
+		t := time.NewTicker(300 * time.Second)
+		defer t.Stop()
+
+		for {
+			select {
+			case <-t.C:
+				internalValidator, err := getJWKSFromFile(path)
+				if err != nil {
+					log.Printf("Failed to read JWKS content from file at %#v: %s", path, err)
+					continue
+				}
+				forwardingValidator.Replace(internalValidator)
+
+			case <-ctx.Done():
+				return util.StatusFromContext(ctx)
+			}
+		}
+	})
+
+	return forwardingValidator, nil
+}
+
+func getJWKSFromFile(path string) (SignatureValidator, error) {
+	jwksJSON, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var jwks jose.JSONWebKeySet
+	if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
+		return nil, err
+	}
+
+	return NewSignatureValidatorFromJSONWebKeySet(&jwks)
+}

pkg/jwt/forwarding_signature_validator.go

@@ -0,0 +1,33 @@
+package jwt
+
+import (
+	"sync/atomic"
+)
+
+// ForwardingSignatureValidator wraps another SignatureValidator. It is
+// used when the underlying SignatureValidator needs to be replaced at
+// runtime.
+type ForwardingSignatureValidator struct {
+	validator atomic.Pointer[SignatureValidator]
+}
+
+// NewForwardingSignatureValidator creates a SignatureValidator that simply forwards
+// requests to another SignatureValidator.
+// This returns a pointer to the new ForwardingSignatureValidator, so as not to
+// copy the atomic.Pointer.
+func NewForwardingSignatureValidator(validator SignatureValidator) *ForwardingSignatureValidator {
+	sv := ForwardingSignatureValidator{}
+	sv.validator.Store(&validator)
+
+	return &sv
+}
+
+// Replace replaces the registered SignatureValidator
+func (sv *ForwardingSignatureValidator) Replace(validator SignatureValidator) {
+	sv.validator.Store(&validator)
+}
+
+// ValidateSignature validates a signature using the registered SignatureValidator
+func (sv *ForwardingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool {
+	return (*sv.validator.Load()).ValidateSignature(algorithm, keyID, headerAndPayload, signature)
+}

pkg/proto/configuration/jwt/BUILD.bazel

@@ -8,6 +8,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/proto/configuration/eviction:eviction_proto",
+        "@com_google_protobuf//:duration_proto",
         "@com_google_protobuf//:struct_proto",
     ],
 )