forked from TrueCloudLab/certificates
Use JWKSet to get the GCP keys.
This commit is contained in:
parent
f794dbeb93
commit
b4729cd670
2 changed files with 19 additions and 112 deletions
|
@ -47,7 +47,7 @@ type GCP struct {
|
|||
ServiceAccounts []string `json:"serviceAccounts"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
claimer *Claimer
|
||||
certStore *keyStore
|
||||
keyStore *keyStore
|
||||
}
|
||||
|
||||
// GetID returns the provisioner unique identifier. The name should uniquely
|
||||
|
@ -103,8 +103,8 @@ func (p *GCP) Init(config Config) error {
|
|||
if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
|
||||
return err
|
||||
}
|
||||
// Initialize certificate store
|
||||
p.certStore, err = newCertificateStore("https://www.googleapis.com/oauth2/v1/certs")
|
||||
// Initialize key store
|
||||
p.keyStore, err = newKeyStore("https://www.googleapis.com/oauth2/v3/certs")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -185,15 +185,19 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
|
|||
if len(jwt.Headers) == 0 {
|
||||
return nil, errors.New("error parsing token: header is missing")
|
||||
}
|
||||
kid := jwt.Headers[0].KeyID
|
||||
cert := p.certStore.GetCertificate(kid)
|
||||
if cert == nil {
|
||||
return nil, errors.Errorf("failed to validate payload: cannot find certificate for kid %s", kid)
|
||||
}
|
||||
|
||||
var found bool
|
||||
var claims gcpPayload
|
||||
if err = jwt.Claims(cert.PublicKey, &claims); err != nil {
|
||||
return nil, errors.Wrap(err, "error parsing claims")
|
||||
kid := jwt.Headers[0].KeyID
|
||||
keys := p.keyStore.Get(kid)
|
||||
for _, key := range keys {
|
||||
if err := jwt.Claims(key, &claims); err == nil {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
return nil, errors.Errorf("failed to validate payload: cannot find certificate for kid %s", kid)
|
||||
}
|
||||
|
||||
// According to "rfc7519 JSON Web Token" acceptable skew should be no
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
package provisioner
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"regexp"
|
||||
|
@ -22,29 +20,10 @@ const (
|
|||
|
||||
var maxAgeRegex = regexp.MustCompile("max-age=([0-9]*)")
|
||||
|
||||
type oauth2Certificate struct {
|
||||
ID string
|
||||
Certificate *x509.Certificate
|
||||
}
|
||||
|
||||
type oauth2CertificateSet struct {
|
||||
Certificates []oauth2Certificate
|
||||
}
|
||||
|
||||
func (s oauth2CertificateSet) Get(id string) *x509.Certificate {
|
||||
for _, c := range s.Certificates {
|
||||
if c.ID == id {
|
||||
return c.Certificate
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type keyStore struct {
|
||||
sync.RWMutex
|
||||
uri string
|
||||
keySet jose.JSONWebKeySet
|
||||
certSet oauth2CertificateSet
|
||||
timer *time.Timer
|
||||
expiry time.Time
|
||||
jitter time.Duration
|
||||
|
@ -66,22 +45,6 @@ func newKeyStore(uri string) (*keyStore, error) {
|
|||
return ks, nil
|
||||
}
|
||||
|
||||
func newCertificateStore(uri string) (*keyStore, error) {
|
||||
certs, age, err := getOauth2Certificates(uri)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ks := &keyStore{
|
||||
uri: uri,
|
||||
certSet: certs,
|
||||
expiry: getExpirationTime(age),
|
||||
jitter: getCacheJitter(age),
|
||||
}
|
||||
next := ks.nextReloadDuration(age)
|
||||
ks.timer = time.AfterFunc(next, ks.reloadCertificates)
|
||||
return ks, nil
|
||||
}
|
||||
|
||||
func (ks *keyStore) Close() {
|
||||
ks.timer.Stop()
|
||||
}
|
||||
|
@ -99,19 +62,6 @@ func (ks *keyStore) Get(kid string) (keys []jose.JSONWebKey) {
|
|||
return
|
||||
}
|
||||
|
||||
func (ks *keyStore) GetCertificate(kid string) (cert *x509.Certificate) {
|
||||
ks.RLock()
|
||||
// Force reload if expiration has passed
|
||||
if time.Now().After(ks.expiry) {
|
||||
ks.RUnlock()
|
||||
ks.reloadCertificates()
|
||||
ks.RLock()
|
||||
}
|
||||
cert = ks.certSet.Get(kid)
|
||||
ks.RUnlock()
|
||||
return
|
||||
}
|
||||
|
||||
func (ks *keyStore) reload() {
|
||||
var next time.Duration
|
||||
keys, age, err := getKeysFromJWKsURI(ks.uri)
|
||||
|
@ -131,25 +81,6 @@ func (ks *keyStore) reload() {
|
|||
ks.Unlock()
|
||||
}
|
||||
|
||||
func (ks *keyStore) reloadCertificates() {
|
||||
var next time.Duration
|
||||
certs, age, err := getOauth2Certificates(ks.uri)
|
||||
if err != nil {
|
||||
next = ks.nextReloadDuration(ks.jitter / 2)
|
||||
} else {
|
||||
ks.Lock()
|
||||
ks.certSet = certs
|
||||
ks.expiry = getExpirationTime(age)
|
||||
ks.jitter = getCacheJitter(age)
|
||||
next = ks.nextReloadDuration(age)
|
||||
ks.Unlock()
|
||||
}
|
||||
|
||||
ks.Lock()
|
||||
ks.timer.Reset(next)
|
||||
ks.Unlock()
|
||||
}
|
||||
|
||||
func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
|
||||
n := rand.Int63n(int64(ks.jitter))
|
||||
age -= time.Duration(n)
|
||||
|
@ -172,34 +103,6 @@ func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
|
|||
return keys, getCacheAge(resp.Header.Get("cache-control")), nil
|
||||
}
|
||||
|
||||
func getOauth2Certificates(uri string) (oauth2CertificateSet, time.Duration, error) {
|
||||
var certs oauth2CertificateSet
|
||||
resp, err := http.Get(uri)
|
||||
if err != nil {
|
||||
return certs, 0, errors.Wrapf(err, "failed to connect to %s", uri)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
m := make(map[string]string)
|
||||
if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
|
||||
return certs, 0, errors.Wrapf(err, "error reading %s", uri)
|
||||
}
|
||||
for k, v := range m {
|
||||
block, _ := pem.Decode([]byte(v))
|
||||
if block == nil || block.Type != "CERTIFICATE" {
|
||||
return certs, 0, errors.Wrapf(err, "error parsing certificate %s from %s", k, uri)
|
||||
}
|
||||
cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return certs, 0, errors.Wrapf(err, "error parsing certificate %s from %s", k, uri)
|
||||
}
|
||||
certs.Certificates = append(certs.Certificates, oauth2Certificate{
|
||||
ID: k,
|
||||
Certificate: cert,
|
||||
})
|
||||
}
|
||||
return certs, getCacheAge(resp.Header.Get("cache-control")), nil
|
||||
}
|
||||
|
||||
func getCacheAge(cacheControl string) time.Duration {
|
||||
age := defaultCacheAge
|
||||
if len(cacheControl) > 0 {
|
||||
|
|
Loading…
Reference in a new issue