Integrate signing key settings and settings fetcher to main flow
sashaCher committed Jan 12, 2022
1 parent da5a348 commit 6075461
Showing 7 changed files with 165 additions and 279 deletions.
Expand Up @@ -14,73 +14,60 @@ module SigningKey
max_concurrent_requests: CACHE_MAX_CONCURRENT_REQUESTS,
logger: Rails.logger
),
fetch_signing_key_settings: Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new,
fetch_provider_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchProviderUriSigningKey,
fetch_jwks_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey,
check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new,
logger: Rails.logger
},
inputs: %i[authenticator_input]
) do
def call
@logger.debug(LogMessages::Authentication::AuthnJwt::SelectingSigningKeyInterface.new)
fetch_signing_key_settings
create_signing_key_provider
end

private

def fetch_signing_key_settings
@signing_key_settings ||= @fetch_signing_key_settings.call(
authenticator_input: @authenticator_input
)
end

def signing_key_settings
fetch_signing_key_settings
end

def create_signing_key_provider
if provider_uri_resource_exists? and !jwks_uri_has_resource_exists?
fetch_provider_uri_signing_key
elsif jwks_uri_has_resource_exists? and !provider_uri_resource_exists?
case signing_key_settings.type
when JWKS_URI_INTERFACE_NAME
fetch_jwks_uri_signing_key
when PROVIDER_URI_INTERFACE_NAME
fetch_provider_uri_signing_key
else
raise Errors::Authentication::AuthnJwt::InvalidUriConfiguration.new(
PROVIDER_URI_RESOURCE_NAME,
JWKS_URI_RESOURCE_NAME
raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType.new(
signing_key_settings.type
)
end
end

def provider_uri_resource_exists?
# defined? is needed for memoization of boolean value
return @provider_uri_resource_exists if defined?(@provider_uri_resource_exists)

@provider_uri_resource_exists = @check_authenticator_secret_exists.call(
conjur_account: @authenticator_input.account,
authenticator_name: @authenticator_input.authenticator_name,
service_id: @authenticator_input.service_id,
var_name: PROVIDER_URI_RESOURCE_NAME
)
end

def fetch_provider_uri_signing_key
@logger.info(
LogMessages::Authentication::AuthnJwt::SelectedSigningKeyInterface.new(PROVIDER_URI_INTERFACE_NAME)
)
@fetch_provider_uri_signing_key ||= @fetch_provider_uri_signing_key_class.new(
authenticator_input: @authenticator_input,
provider_uri: signing_key_settings.uri,
fetch_signing_key: @fetch_signing_key
)
end

def jwks_uri_has_resource_exists?
# defined? is needed for memoization of boolean value
return @jwks_uri_has_resource_exists if defined?(@jwks_uri_has_resource_exists)

@jwks_uri_has_resource_exists = @check_authenticator_secret_exists.call(
conjur_account: @authenticator_input.account,
authenticator_name: @authenticator_input.authenticator_name,
service_id: @authenticator_input.service_id,
var_name: JWKS_URI_RESOURCE_NAME
)
end

def fetch_jwks_uri_signing_key
@logger.info(
LogMessages::Authentication::AuthnJwt::SelectedSigningKeyInterface.new(JWKS_URI_INTERFACE_NAME)
)
@fetch_jwks_uri_signing_key ||= @fetch_jwks_uri_signing_key_class.new(
authenticator_input: @authenticator_input,
jwks_uri: signing_key_settings.uri,
fetch_signing_key: @fetch_signing_key
)
end
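Review bot: `create_signing_key_provider` now trusts `signing_key_settings.type` and `.uri` as returned, and the mutual-exclusion check between the provider-uri and jwks-uri variables (the `InvalidUriConfiguration` branch, which appears to be on the removed side) has no counterpart left in this class. `FetchSigningKeySettingsFromVariables` is not visible on this page, so confirm it rejects an authenticator with both variables set, with neither, or with an empty URI; otherwise an ambiguous configuration would silently select one key source for token verification. A comment above the `case` would record the assumption, e.g. `# settings fetcher guarantees exactly one key source and a non-empty uri`. Separately, `signing_key_settings` only forwards to `fetch_signing_key_settings`, so the bare call in `call` and the alias could be folded into one memoized reader.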
Expand Up @@ -9,66 +9,46 @@ module SigningKey
class FetchJwksUriSigningKey

def initialize(
authenticator_input:,
jwks_uri:,
fetch_signing_key:,
ca_cert: nil,
fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
http_lib: Net::HTTP,
create_jwks_from_http_response: CreateJwksFromHttpResponse.new,
logger: Rails.logger
)
@logger = logger
@http_lib = http_lib
@create_jwks_from_http_response = create_jwks_from_http_response
@fetch_authenticator_secrets = fetch_authenticator_secrets

@authenticator_input = authenticator_input
@jwks_uri = jwks_uri
@fetch_signing_key = fetch_signing_key
@ca_cert = ca_cert
end

def call(force_fetch:)
@fetch_signing_key.call(
refresh: force_fetch,
cache_key: jwks_uri,
cache_key: @jwks_uri,
signing_key_provider: self
)
end

def fetch_signing_key
fetch_jwks_uri
fetch_jwks_keys
create_jwks_from_http_response
end

private

def fetch_jwks_uri
jwks_uri
end

def jwks_uri
@jwks_uri ||= jwks_uri_secret
end

def jwks_uri_secret
@jwks_uri_secret ||= @fetch_authenticator_secrets.call(
conjur_account: @authenticator_input.account,
authenticator_name: @authenticator_input.authenticator_name,
service_id: @authenticator_input.service_id,
required_variable_names: [JWKS_URI_RESOURCE_NAME]
)[JWKS_URI_RESOURCE_NAME]
end

def fetch_jwks_keys
jwks_keys
end

def jwks_keys
return @jwks_keys if defined?(@jwks_keys)

uri = URI(jwks_uri)
@logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(jwks_uri))
uri = URI(@jwks_uri)
@logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(@jwks_uri))
@jwks_keys = net_http_start(
uri.host,
uri.port,
Expand All @@ -77,15 +57,15 @@ def jwks_keys
@logger.debug(LogMessages::Authentication::AuthnJwt::FetchJwtUriKeysSuccess.new)
rescue => e
raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(
jwks_uri,
@jwks_uri,
e.inspect
)
end

def net_http_start(host, port, use_ssl, &block)
if @ca_cert && !use_ssl
raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(
jwks_uri,
@jwks_uri,
"TLS misconfiguration - ca-cert is provided but jwks-uri URI scheme is http"
)
end
Expand Down Expand Up @@ -117,7 +97,7 @@ def net_http_start_without_ca_cert(host, port, use_ssl, &block)
end

def create_jwks_from_http_response
@create_jwks_from_http_response.call(http_response: jwks_keys)
@create_jwks_from_http_response.call(http_response: @jwks_keys)
end
end
end
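Review bot: `create_jwks_from_http_response` appears to read `@jwks_keys` directly now instead of going through the memoized `jwks_keys` reader, so it would pass `nil` if it ever ran before `fetch_jwks_keys` has populated the variable. The visible `fetch_signing_key` calls the two in the right order, but the dependency is implicit; keeping `http_response: jwks_keys` preserves the lazy fetch at no cost. A comment on `jwks_keys` would also help: the `defined?(@jwks_keys)` guard means one instance performs the HTTP fetch once, so whether `force_fetch: true` actually picks up rotated keys depends on the caller building a new provider, which cannot be determined from this page.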
Expand Up @@ -5,24 +5,22 @@ module SigningKey
class FetchProviderUriSigningKey

def initialize(
authenticator_input:,
provider_uri:,
fetch_signing_key:,
fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
logger: Rails.logger
)
@logger = logger
@fetch_authenticator_secrets = fetch_authenticator_secrets
@discover_identity_provider = discover_identity_provider

@authenticator_input = authenticator_input
@provider_uri = provider_uri
@fetch_signing_key = fetch_signing_key
end

def call(force_fetch:)
@fetch_signing_key.call(
refresh: force_fetch,
cache_key: provider_uri,
cache_key: @provider_uri,
signing_key_provider: self
)
end
Expand All @@ -35,36 +33,23 @@ def fetch_signing_key
private

def discover_provider
@logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(provider_uri))
@logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(@provider_uri))
discovered_provider
end

def discovered_provider
@discovered_provider ||= @discover_identity_provider.call(
provider_uri: provider_uri
provider_uri: @provider_uri
)
end

def provider_uri
@provider_uri ||= provider_uri_secret
end

def provider_uri_secret
@provider_uri_secret ||= @fetch_authenticator_secrets.call(
conjur_account: @authenticator_input.account,
authenticator_name: @authenticator_input.authenticator_name,
service_id: @authenticator_input.service_id,
required_variable_names: [PROVIDER_URI_RESOURCE_NAME]
)[PROVIDER_URI_RESOURCE_NAME]
end

def fetch_provider_keys
keys = { keys: discovered_provider.jwks }
@logger.debug(LogMessages::Authentication::OAuth::FetchProviderKeysSuccess.new)
keys
rescue => e
raise Errors::Authentication::OAuth::FetchProviderKeysFailed.new(
provider_uri,
@provider_uri,
e.inspect
)
end
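Review bot: The constructor of `FetchProviderUriSigningKey` has no comment stating what `provider_uri:` must be, now that the class no longer resolves it from the authenticator's variables itself. The value is used both as `cache_key:` in `call` and as the discovery endpoint in `discovered_provider`, so a nil or blank value would be handed to the cache layer as a key rather than rejected up front. Suggested comment above `initialize`: `# provider_uri: resolved, non-empty value of the provider-uri variable; doubles as the signing-key cache key`. The same applies to `jwks_uri:` in `FetchJwksUriSigningKey`.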
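--- a/app/domain/errors.rb
+++ b/app/domain/errors.rb
@@ -583,6 +583,11 @@ module AuthnJwt
 msg: "Failed to parse 'public-keys': {0-parse-error}",
 code: "CONJ00120E"
 )
+
+InvalidSigningKeyType = ::Util::TrackableErrorClass.new(
+msg: "Signing key type '{0-type}' is invalid",
+code: "CONJ00121E"
+)
 end
 
 module ResourceRestrictions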