diff options
| author | Frederick Muriuki Muriithi | 2024-07-19 10:15:53 -0500 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2024-07-31 09:30:23 -0500 |
| commit | e18deccab2b891cf7de75690b1054360243b139d (patch) | |
| tree | 0fb816f171d4e5a5f04e8f1e18d09dcace6190d9 | |
| parent | 6510dd5175b84c9780dda2fe0d8869efaeb2404b (diff) | |
| download | gn-auth-e18deccab2b891cf7de75690b1054360243b139d.tar.gz | |
Remove the `CLIENTS_SSL_PUBLIC_KEYS_DIR` configuration
Moving forward, each client will advertise it's current JWKs at a
known endpoint, and we'll use those, rather than having a
configuration that requires manual update of the certificates.
This will make it easier to implement key rotation on the clients too.
| -rw-r--r-- | gn_auth/__init__.py | 17 | ||||
| -rw-r--r-- | gn_auth/settings.py | 3 |
2 files changed, 2 insertions, 18 deletions
diff --git a/gn_auth/__init__.py b/gn_auth/__init__.py index ee7ceb1..973110a 100644 --- a/gn_auth/__init__.py +++ b/gn_auth/__init__.py @@ -24,7 +24,7 @@ def check_mandatory_settings(app: Flask) -> None: undefined = tuple( setting for setting in ( "SECRET_KEY", "SQL_URI", "AUTH_DB", "AUTH_MIGRATIONS", - "OAUTH2_SCOPE", "CLIENTS_SSL_PUBLIC_KEYS_DIR") + "OAUTH2_SCOPE") if not ((setting in app.config) and bool(app.config[setting]))) if len(undefined) > 0: raise ConfigurationError( @@ -51,20 +51,6 @@ def load_secrets_conf(app: Flask) -> None: app.config.from_pyfile(secretsfile) -def parse_ssl_keys(app): - """Parse the SSL keys.""" - def __parse_key__(keypath: Path) -> JsonWebKey: - with open(keypath) as _sslkey:# pylint: disable=[unspecified-encoding] - return JsonWebKey.import_key(_sslkey.read()) - - key_storage_dir = Path(app.config["CLIENTS_SSL_PUBLIC_KEYS_DIR"]) - key_storage_dir.mkdir(exist_ok=True) - app.config["SSL_PUBLIC_KEYS"] = { - _key.as_dict()["kid"]: _key for _key in ( - __parse_key__(Path(key_storage_dir).joinpath(key)) - for key in os.listdir(key_storage_dir))} - - def create_app( config: Optional[dict] = None, setup_logging: Callable[[Flask], None] = lambda appl: None @@ -83,7 +69,6 @@ def create_app( override_settings_with_envvars(app) load_secrets_conf(app) - parse_ssl_keys(app) # ====== END: Setup configuration ====== setup_logging(app) diff --git a/gn_auth/settings.py b/gn_auth/settings.py index e9bfe23..6015560 100644 --- a/gn_auth/settings.py +++ b/gn_auth/settings.py @@ -32,8 +32,7 @@ CORS_HEADERS = [ "Access-Control-Allow-Credentials" ] -# OpenSSL keys -CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # clients' public keys' directory +# JSON Web Keys (JWKs) JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use. JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it. |