From 062c78f4358deecdf80403baffbc76ab8b6185fb Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 22 Apr 2024 12:25:32 +0300
Subject: Separate the auth server's public key from app's private key

* Use the app's private key to sign the initial assertions used for
  retrieving an authorisation token from the auth server.
* Use auth server's public key to validate the authorisation tokens
  got from the auth server.
---
 gn2/wqflask/__init__.py        | 26 +++++++++++++++++---------
 gn2/wqflask/oauth2/toplevel.py |  7 +++++--
 2 files changed, 22 insertions(+), 11 deletions(-)

(limited to 'gn2')

diff --git a/gn2/wqflask/__init__.py b/gn2/wqflask/__init__.py
index 6b6c48ac..f6e9ef53 100644
--- a/gn2/wqflask/__init__.py
+++ b/gn2/wqflask/__init__.py
@@ -45,13 +45,6 @@ from gn2.wqflask.startup import (
     startup_errors,
     check_mandatory_configs)
 
-app = Flask(__name__)
-
-
-# See http://flask.pocoo.org/docs/config/#configuring-from-files
-# Note no longer use the badly named WQFLASK_OVERRIDES (nyi)
-app.config.from_object('gn2.default_settings')
-app.config.from_envvar('GN2_SETTINGS')
 
 def numcoll():
     """Handle possible errors."""
@@ -60,6 +53,21 @@ def numcoll():
     except Exception as _exc:
         return "ERROR"
 
+
+def parse_ssl_key(app: Flask, keyconfig: str):
+    """Parse key file paths into objects"""
+    with open(app.config[keyconfig]) as _sslkey:
+        app.config[keyconfig] = JsonWebKey.import_key(_sslkey.read())
+
+
+
+app = Flask(__name__)
+
+# See http://flask.pocoo.org/docs/config/#configuring-from-files
+# Note no longer use the badly named WQFLASK_OVERRIDES (nyi)
+app.config.from_object('gn2.default_settings')
+app.config.from_envvar('GN2_SETTINGS')
+
 app.jinja_env.globals.update(
     undefined=jinja2.StrictUndefined,
     numify=formatting.numify,
@@ -108,8 +116,8 @@ except StartupError as serr:
 
 server_session = Session(app)
 
-with open(app.config["SSL_KEY_PAIR_PRIVATE_KEY"]) as _sslkey:
-    app.config["JWT_PRIVATE_KEY"] = JsonWebKey.import_key(_sslkey.read())
+parse_ssl_key(app, "SSL_PRIVATE_KEY")
+parse_ssl_key(app, "AUTH_SERVER_SSL_PUBLIC_KEY")
 
 @app.before_request
 def before_request():
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index bc32e80e..a1e9196d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -46,7 +46,7 @@ def authorisation_code():
     code = request.args.get("code", "")
     if bool(code):
         base_url = urlparse(request.base_url, scheme=request.scheme)
-        jwtkey = app.config["JWT_PRIVATE_KEY"]
+        jwtkey = app.config["SSL_PRIVATE_KEY"]
         issued = datetime.datetime.now()
         request_data = {
             "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
@@ -56,7 +56,10 @@ def authorisation_code():
                 urlunparse(base_url),
                 url_for("oauth2.toplevel.authorisation_code")),
             "assertion": jwt.encode(
-                header={"alg": "RS256", "typ": "jwt", "kid": jwtkey.kid},
+                header={
+                    "alg": "RS256",
+                    "typ": "jwt",
+                    "kid": jwtkey.as_dict()["kid"]},
                 payload={
                     "iss": str(oauth2_clientid()),
                     "sub": request.args["user_id"],
-- 
cgit v1.2.3