Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JWT: Enable reading a JSON Web Key Set from a file #180

Merged
merged 25 commits into from
Oct 30, 2023
Merged

JWT: Enable reading a JSON Web Key Set from a file #180

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
19b23a9
Add ForwardingSignatureValidator
mortenmj Oct 6, 2023
6c61cd4
Make JWKS a oneoff with either inline or file content
mortenmj Oct 6, 2023
67b1d0f
First pass at loading JWKS file
mortenmj Oct 6, 2023
b35cd96
Remove RefreshInterval from JWKS config
mortenmj Oct 8, 2023
a4436e4
Make ForwardingSignatureValidator a public type, and have NewForwardi…
mortenmj Oct 8, 2023
0de767a
Init the ForwardingSignatureValidator with a SignatureValidator on in…
mortenmj Oct 8, 2023
76aa95b
Run JWKS refresh as part of the program group
mortenmj Oct 8, 2023
516fb4e
Lint
mortenmj Oct 8, 2023
50d1710
Defer t.Stop()
mortenmj Oct 13, 2023
b519c31
Log errors from getJwksFromFile and continue
mortenmj Oct 13, 2023
c36da1c
Simplify return in getJwksFromFile
mortenmj Oct 13, 2023
ba426d0
Use json.NewDecoder
mortenmj Oct 13, 2023
7af2741
Reorder proto comments
mortenmj Oct 13, 2023
82ecff8
Use dependenciesGroup in http/server.go
mortenmj Oct 13, 2023
14c2f8f
Close file
mortenmj Oct 17, 2023
dbf7241
Casing
mortenmj Oct 17, 2023
727655a
Use %#v to quote paths
mortenmj Oct 17, 2023
23879f2
Use util.StatusWrapf
mortenmj Oct 17, 2023
74cf1f7
Document ForwardingSignatureValidator
mortenmj Oct 17, 2023
9c0ff72
Revert "Use json.NewDecoder"
mortenmj Oct 27, 2023
ecbb54b
Use io.ReadAll()
mortenmj Oct 27, 2023
3f1266f
Document methods
mortenmj Oct 27, 2023
2d62169
Fix docstrings
mortenmj Oct 27, 2023
b5faaeb
Use os.ReadFile
mortenmj Oct 28, 2023
c42e95f
Remove unused import
mortenmj Oct 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pkg/jwt/BUILD.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ go_library(
"ecdsa_sha_signature_generator.go",
"ecdsa_sha_signature_validator.go",
"ed25519_signature_validator.go",
"forwarding_signature_validator.go",
"generate_authorization_header.go",
"hmac_sha_signature_validator.go",
"rsa_sha_signature_validator.go",
Expand Down
70 changes: 59 additions & 11 deletions pkg/jwt/configuration.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,10 @@ import (
"crypto/ed25519"
"crypto/rsa"
"encoding/json"
"log"
"os"
"reflect"
"time"

"github.com/buildbarn/bb-storage/pkg/clock"
"github.com/buildbarn/bb-storage/pkg/eviction"
Expand All @@ -23,19 +26,29 @@ import (
// "Authorization" header parser based on options stored in a
// configuration file.
func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration) (*AuthorizationHeaderParser, error) {
jwksJSON, err := protojson.Marshal(config.JwksInline)
if err != nil {
return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to marshal JSON Web Key Set")
}
var jwks jose.JSONWebKeySet
if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to unmarshal JSON Web Key Set")
}
signatureValidator, err := NewSignatureValidatorFromJSONWebKeySet(&jwks)
if err != nil {
return nil, err
var signatureValidator SignatureValidator

switch key := config.Jwks.(type) {
case *configuration.AuthorizationHeaderParserConfiguration_JwksInline:
jwksJSON, err := protojson.Marshal(key.JwksInline)
if err != nil {
return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to marshal JSON Web Key Set")
}
var jwks jose.JSONWebKeySet
if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to unmarshal JSON Web Key Set")
}
signatureValidator, err = NewSignatureValidatorFromJSONWebKeySet(&jwks)
if err != nil {
return nil, err
}
case *configuration.AuthorizationHeaderParserConfiguration_JwksFile_:
signatureValidator = NewSignatureValidatorFromJSONWebKeySetFile(key.JwksFile.FilePath, key.JwksFile.RefreshInterval.AsDuration())
default:
return nil, status.Error(codes.InvalidArgument, "No key type provided")
}


evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy)
if err != nil {
return nil, util.StatusWrap(err, "Failed to create eviction set")
Expand Down Expand Up @@ -102,3 +115,38 @@ func NewSignatureValidatorFromJSONWebKeySet(jwks *jose.JSONWebKeySet) (Signature

return NewDemultiplexingSignatureValidator(namedSignatureValidators, allSignatureValidators), nil
}

func NewSignatureValidatorFromJSONWebKeySetFile(path string, refreshInterval time.Duration) SignatureValidator {
// Hmm. I don't want us to first read the file once, to initialize this, and then read the file periodically to update it.
mortenmj marked this conversation as resolved.
Show resolved Hide resolved
// However, I also don't want us to initialize this in a state that isn't ready for use.
validator := NewForwardingSignatureValidator(nil)

// TODO: Run this as part of the program.Group, so that it gets
mortenmj marked this conversation as resolved.
Show resolved Hide resolved
// cleaned up upon shutdown.
go func() {
t := time.NewTicker(refreshInterval)
for range t.C {
jwksJSON, err := os.ReadFile(path)
if err != nil {
log.Printf("Failed to reload JWKS file: %v", err)
continue
}

var jwks jose.JSONWebKeySet
if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
log.Printf("Failed to reload JWKS file: %v", err)
continue
}

signatureValidator, err := NewSignatureValidatorFromJSONWebKeySet(&jwks)
if err != nil {
log.Printf("Failed to create SignatureValidator for JWKS file: %v", err)
continue
}

(validator.(*forwardingSignatureValidator)).Replace(signatureValidator)
}
}()

return validator
}
26 changes: 26 additions & 0 deletions pkg/jwt/forwarding_signature_validator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package jwt

import (
"sync/atomic"
)

type forwardingSignatureValidator struct {
mortenmj marked this conversation as resolved.
Show resolved Hide resolved
validator atomic.Pointer[SignatureValidator]
}

// NewForwardingSignatureValidator creates a SignatureValidator that simply forwards
// requests to another SignatureValidator.
func NewForwardingSignatureValidator(validator SignatureValidator) SignatureValidator {
sv := &forwardingSignatureValidator{}
sv.validator.Store(&validator)

return sv
}

func (sv *forwardingSignatureValidator) Replace(validator SignatureValidator) {
sv.validator.Store(&validator)
}

func (sv *forwardingSignatureValidator) ValidateSignature(algorithm string, keyID *string, headerAndPayload string, signature []byte) bool {
return (*sv.validator.Load()).ValidateSignature(algorithm, keyID, headerAndPayload, signature)
}
1 change: 1 addition & 0 deletions pkg/proto/configuration/jwt/BUILD.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ proto_library(
visibility = ["//visibility:public"],
deps = [
"//pkg/proto/configuration/eviction:eviction_proto",
"@com_google_protobuf//:duration_proto",
"@com_google_protobuf//:struct_proto",
],
)
Expand Down
Loading