diff options
author | Frederick Muriuki Muriithi | 2024-07-18 16:54:07 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-07-31 09:30:21 -0500 |
commit | 8a3a16f25f6d87b6cf679c888eacba816415baa9 (patch) | |
tree | 7331f7c89ada5074a798c7fed923b9c8ab052498 | |
parent | ddb2b6804672c982568be891b35a5352cc6263b0 (diff) | |
download | gn-auth-8a3a16f25f6d87b6cf679c888eacba816415baa9.tar.gz |
Remove obsoleted SSL_PRIVATE_KEY configuration
With the key rotation in place, eliminate the use of the
SSL_PRIVATE_KEY configuration which pointed to a specific non-changing
JWK.
-rw-r--r-- | gn_auth/__init__.py | 4 | ||||
-rw-r--r-- | gn_auth/auth/authentication/oauth2/server.py | 11 | ||||
-rw-r--r-- | gn_auth/auth/authorisation/resources/views.py | 4 | ||||
-rw-r--r-- | gn_auth/settings.py | 1 |
4 files changed, 11 insertions, 9 deletions
diff --git a/gn_auth/__init__.py b/gn_auth/__init__.py index b3df070..ee7ceb1 100644 --- a/gn_auth/__init__.py +++ b/gn_auth/__init__.py @@ -24,7 +24,7 @@ def check_mandatory_settings(app: Flask) -> None: undefined = tuple( setting for setting in ( "SECRET_KEY", "SQL_URI", "AUTH_DB", "AUTH_MIGRATIONS", - "OAUTH2_SCOPE", "SSL_PRIVATE_KEY", "CLIENTS_SSL_PUBLIC_KEYS_DIR") + "OAUTH2_SCOPE", "CLIENTS_SSL_PUBLIC_KEYS_DIR") if not ((setting in app.config) and bool(app.config[setting]))) if len(undefined) > 0: raise ConfigurationError( @@ -64,8 +64,6 @@ def parse_ssl_keys(app): __parse_key__(Path(key_storage_dir).joinpath(key)) for key in os.listdir(key_storage_dir))} - app.config["SSL_PRIVATE_KEY"] = __parse_key__( - Path(app.config["SSL_PRIVATE_KEY"])) def create_app( config: Optional[dict] = None, diff --git a/gn_auth/auth/authentication/oauth2/server.py b/gn_auth/auth/authentication/oauth2/server.py index 6ed3c86..5806da6 100644 --- a/gn_auth/auth/authentication/oauth2/server.py +++ b/gn_auth/auth/authentication/oauth2/server.py @@ -50,10 +50,14 @@ def create_query_client_func() -> Callable: return __query_client__ -def create_save_token_func(token_model: type, jwtkey: jwk) -> Callable: +def create_save_token_func(token_model: type, app: Flask) -> Callable: """Create the function that saves the token.""" def __save_token__(token, request): - _jwt = jwt.decode(token["access_token"], jwtkey) + _jwt = jwt.decode( + token["access_token"], + newest_jwk_with_rotation( + jwks_directory(app), + int(app.config["JWKS_ROTATION_AGE_DAYS"]))) _token = token_model( token_id=uuid.UUID(_jwt["jti"]), client=request.client, @@ -156,8 +160,7 @@ def setup_oauth2_server(app: Flask) -> None: server.init_app( app, query_client=create_query_client_func(), - save_token=create_save_token_func( - OAuth2Token, app.config["SSL_PRIVATE_KEY"])) + save_token=create_save_token_func(OAuth2Token, app)) app.config["OAUTH2_SERVER"] = server ## Set up the token validators diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py index 2eda72b..bccac08 100644 --- a/gn_auth/auth/authorisation/resources/views.py +++ b/gn_auth/auth/authorisation/resources/views.py @@ -18,6 +18,7 @@ from gn_auth.auth.requests import request_json from gn_auth.auth.db import sqlite3 as db from gn_auth.auth.db.sqlite3 import with_db_connection +from gn_auth.auth.jwks import newest_jwk, jwks_directory from gn_auth.auth.authorisation.roles import Role from gn_auth.auth.authorisation.roles.models import ( @@ -491,7 +492,8 @@ def get_user_roles_on_resource(name) -> Response: "email": _token.user.email, "roles": roles, } - token = jwt.encode(jose_header, payload, app.config["SSL_PRIVATE_KEY"]) + token = jwt.encode( + jose_header, payload, newest_jwk(jwks_directory(app))) response.headers["Authorization"] = f"Bearer {token.decode('utf-8')}" return response diff --git a/gn_auth/settings.py b/gn_auth/settings.py index ab6b079..2cac390 100644 --- a/gn_auth/settings.py +++ b/gn_auth/settings.py @@ -31,7 +31,6 @@ CORS_HEADERS = [ # OpenSSL keys CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # clients' public keys' directory -SSL_PRIVATE_KEY = "" # authorisation server primary key JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use. JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it. |