Remove obsoleted SSL_PRIVATE_KEY configuration

With the key rotation in place, eliminate the use of the
SSL_PRIVATE_KEY configuration which pointed to a specific non-changing
JWK.

4 files changed, 11 insertions, 9 deletions

diff --git a/gn_auth/__init__.py b/gn_auth/__init__.py
index b3df070..ee7ceb1 100644
--- a/gn_auth/__init__.py
+++ b/gn_auth/__init__.py
@@ -24,7 +24,7 @@ def check_mandatory_settings(app: Flask) -> None:
     undefined = tuple(
         setting for setting in (
             "SECRET_KEY", "SQL_URI", "AUTH_DB", "AUTH_MIGRATIONS",
-            "OAUTH2_SCOPE", "SSL_PRIVATE_KEY", "CLIENTS_SSL_PUBLIC_KEYS_DIR")
+            "OAUTH2_SCOPE", "CLIENTS_SSL_PUBLIC_KEYS_DIR")
         if not ((setting in app.config) and bool(app.config[setting])))
     if len(undefined) > 0:
         raise ConfigurationError(
@@ -64,8 +64,6 @@ def parse_ssl_keys(app):
             __parse_key__(Path(key_storage_dir).joinpath(key))
             for key in os.listdir(key_storage_dir))}
 
-    app.config["SSL_PRIVATE_KEY"] = __parse_key__(
-        Path(app.config["SSL_PRIVATE_KEY"]))
 
 def create_app(
         config: Optional[dict] = None,
diff --git a/gn_auth/auth/authentication/oauth2/server.py b/gn_auth/auth/authentication/oauth2/server.py
index 6ed3c86..5806da6 100644
--- a/gn_auth/auth/authentication/oauth2/server.py
+++ b/gn_auth/auth/authentication/oauth2/server.py
@@ -50,10 +50,14 @@ def create_query_client_func() -> Callable:
 
     return __query_client__
 
-def create_save_token_func(token_model: type, jwtkey: jwk) -> Callable:
+def create_save_token_func(token_model: type, app: Flask) -> Callable:
     """Create the function that saves the token."""
     def __save_token__(token, request):
-        _jwt = jwt.decode(token["access_token"], jwtkey)
+        _jwt = jwt.decode(
+            token["access_token"],
+            newest_jwk_with_rotation(
+                jwks_directory(app),
+                int(app.config["JWKS_ROTATION_AGE_DAYS"])))
         _token = token_model(
             token_id=uuid.UUID(_jwt["jti"]),
             client=request.client,
@@ -156,8 +160,7 @@ def setup_oauth2_server(app: Flask) -> None:
     server.init_app(
         app,
         query_client=create_query_client_func(),
-        save_token=create_save_token_func(
-            OAuth2Token, app.config["SSL_PRIVATE_KEY"]))
+        save_token=create_save_token_func(OAuth2Token, app))
     app.config["OAUTH2_SERVER"] = server
 
     ## Set up the token validators
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index 2eda72b..bccac08 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -18,6 +18,7 @@ from gn_auth.auth.requests import request_json
 
 from gn_auth.auth.db import sqlite3 as db
 from gn_auth.auth.db.sqlite3 import with_db_connection
+from gn_auth.auth.jwks import newest_jwk, jwks_directory
 
 from gn_auth.auth.authorisation.roles import Role
 from gn_auth.auth.authorisation.roles.models import (
@@ -491,7 +492,8 @@ def get_user_roles_on_resource(name) -> Response:
             "email": _token.user.email,
             "roles": roles,
         }
-        token = jwt.encode(jose_header, payload, app.config["SSL_PRIVATE_KEY"])
+        token = jwt.encode(
+            jose_header, payload, newest_jwk(jwks_directory(app)))
         response.headers["Authorization"] = f"Bearer {token.decode('utf-8')}"
         return response
 
diff --git a/gn_auth/settings.py b/gn_auth/settings.py
index ab6b079..2cac390 100644
--- a/gn_auth/settings.py
+++ b/gn_auth/settings.py
@@ -31,7 +31,6 @@ CORS_HEADERS = [
 
 # OpenSSL keys
 CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # clients' public keys' directory
-SSL_PRIVATE_KEY = "" # authorisation server primary key
 JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
 JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.