aboutsummaryrefslogtreecommitdiff
path: root/gn2
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-04-22 12:25:32 +0300
committerFrederick Muriuki Muriithi2024-04-23 11:49:09 +0300
commit062c78f4358deecdf80403baffbc76ab8b6185fb (patch)
tree95ba61f8db64241240abfe0c3048ad87043a190f /gn2
parent70880f8ab3418a147d0577b2af1f813492a0c68b (diff)
downloadgenenetwork2-062c78f4358deecdf80403baffbc76ab8b6185fb.tar.gz
Separate the auth server's public key from app's private key
* Use the app's private key to sign the initial assertions used for retrieving an authorisation token from the auth server. * Use auth server's public key to validate the authorisation tokens got from the auth server.
Diffstat (limited to 'gn2')
-rw-r--r--gn2/wqflask/__init__.py26
-rw-r--r--gn2/wqflask/oauth2/toplevel.py7
2 files changed, 22 insertions, 11 deletions
diff --git a/gn2/wqflask/__init__.py b/gn2/wqflask/__init__.py
index 6b6c48ac..f6e9ef53 100644
--- a/gn2/wqflask/__init__.py
+++ b/gn2/wqflask/__init__.py
@@ -45,13 +45,6 @@ from gn2.wqflask.startup import (
startup_errors,
check_mandatory_configs)
-app = Flask(__name__)
-
-
-# See http://flask.pocoo.org/docs/config/#configuring-from-files
-# Note no longer use the badly named WQFLASK_OVERRIDES (nyi)
-app.config.from_object('gn2.default_settings')
-app.config.from_envvar('GN2_SETTINGS')
def numcoll():
"""Handle possible errors."""
@@ -60,6 +53,21 @@ def numcoll():
except Exception as _exc:
return "ERROR"
+
+def parse_ssl_key(app: Flask, keyconfig: str):
+ """Parse key file paths into objects"""
+ with open(app.config[keyconfig]) as _sslkey:
+ app.config[keyconfig] = JsonWebKey.import_key(_sslkey.read())
+
+
+
+app = Flask(__name__)
+
+# See http://flask.pocoo.org/docs/config/#configuring-from-files
+# Note no longer use the badly named WQFLASK_OVERRIDES (nyi)
+app.config.from_object('gn2.default_settings')
+app.config.from_envvar('GN2_SETTINGS')
+
app.jinja_env.globals.update(
undefined=jinja2.StrictUndefined,
numify=formatting.numify,
@@ -108,8 +116,8 @@ except StartupError as serr:
server_session = Session(app)
-with open(app.config["SSL_KEY_PAIR_PRIVATE_KEY"]) as _sslkey:
- app.config["JWT_PRIVATE_KEY"] = JsonWebKey.import_key(_sslkey.read())
+parse_ssl_key(app, "SSL_PRIVATE_KEY")
+parse_ssl_key(app, "AUTH_SERVER_SSL_PUBLIC_KEY")
@app.before_request
def before_request():
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index bc32e80e..a1e9196d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -46,7 +46,7 @@ def authorisation_code():
code = request.args.get("code", "")
if bool(code):
base_url = urlparse(request.base_url, scheme=request.scheme)
- jwtkey = app.config["JWT_PRIVATE_KEY"]
+ jwtkey = app.config["SSL_PRIVATE_KEY"]
issued = datetime.datetime.now()
request_data = {
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
@@ -56,7 +56,10 @@ def authorisation_code():
urlunparse(base_url),
url_for("oauth2.toplevel.authorisation_code")),
"assertion": jwt.encode(
- header={"alg": "RS256", "typ": "jwt", "kid": jwtkey.kid},
+ header={
+ "alg": "RS256",
+ "typ": "jwt",
+ "kid": jwtkey.as_dict()["kid"]},
payload={
"iss": str(oauth2_clientid()),
"sub": request.args["user_id"],