-rw-r--r--gn_auth/__init__.py23
-rw-r--r--gn_auth/auth/authentication/oauth2/server.py4
-rw-r--r--gn_auth/settings.py6
3 files changed, 18 insertions, 15 deletions
diff --git a/gn_auth/__init__.py b/gn_auth/__init__.py
index 5218673..f7e2620 100644
--- a/gn_auth/__init__.py
+++ b/gn_auth/__init__.py
@@ -25,8 +25,7 @@ def check_mandatory_settings(app: Flask) -> None:
     undefined = tuple(
         setting for setting in (
             "SECRET_KEY", "SQL_URI", "AUTH_DB", "AUTH_MIGRATIONS",
-            "OAUTH2_SCOPE", "SSL_KEY_PAIR_PRIVATE_KEY",
-            "SSL_KEY_PAIR_PUBLIC_KEY")
+            "OAUTH2_SCOPE", "SSL_PRIVATE_KEY", "CLIENTS_SSL_PUBLIC_KEYS_DIR")
         if not ((setting in app.config) and bool(app.config[setting])))
     if len(undefined) > 0:
         raise ConfigurationError(
@@ -61,14 +60,18 @@ def load_secrets_conf(app: Flask) -> None:
         app.config.from_pyfile(secretsfile)
 
 
-def parse_ssl_key_pair(app):
-    def __parse_key__(keypathconfig: str, configkey: Optional[str]):
-        configkey = configkey or keypathconfig
-        with open(app.config[keypathconfig]) as _sslkey:
-            app.config[configkey] = JsonWebKey.import_key(_sslkey.read())
+def parse_ssl_public_keys(app):
+    def __parse_key__(keypath: Path) -> JsonWebKey:
+        with open(keypath) as _sslkey:
+            return JsonWebKey.import_key(_sslkey.read())
 
-    __parse_key__("SSL_KEY_PAIR_PUBLIC_KEY", "JWT_PUBLIC_KEY")
-    __parse_key__("SSL_KEY_PAIR_PRIVATE_KEY", "JWT_PRIVATE_KEY")
+    key_storage_dir = app.config["CLIENTS_SSL_PUBLIC_KEYS_DIR"]
+    app.config["SSL_PUBLIC_KEYS"] = {
+        _key.as_dict()["kid"]: _key for _key in (
+            __parse_key__(Path(key_storage_dir).joinpath(key))
+            for key in os.listdir(key_storage_dir))}
+
+    app.config["SSL_PRIVATE_KEY"] = __parse_key__(app.config["SSL_PRIVATE_KEY"])
 
 def create_app(config: Optional[dict] = None) -> Flask:
     """Create and return a new flask application."""
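Review bot: The dict comprehension that builds `SSL_PUBLIC_KEYS` keys on `_key.as_dict()["kid"]`, so a client key file without a `kid` aborts startup with a bare KeyError, and two client keys declaring the same `kid` silently collapse to whichever `os.listdir` happened to return last — since `kid` is whatever the uploaded key file says, that collision would let one client's key stand in for another's, and it should fail loudly instead. `os.listdir(key_storage_dir)` also hands every directory entry, including subdirectories and stray non-key files, to `JsonWebKey.import_key`, which will fail with an opaque error; filtering to regular files makes the directory contract explicit. The function is named `parse_ssl_public_keys` but also loads the private key at the end, and `__parse_key__` is annotated as taking a `Path` while that last call passes the raw config string; a docstring such as `"""Load the clients' public keys into SSL_PUBLIC_KEYS and replace SSL_PRIVATE_KEY with the parsed server key."""` would at least document the dual role. The rewrite below assumes `ConfigurationError` accepts a message string (its arguments are outside this hunk) and that `os`/`Path` are imported above the hunk.
```python
def parse_ssl_public_keys(app):
    """Load the clients' public keys into SSL_PUBLIC_KEYS and replace
    SSL_PRIVATE_KEY with the parsed server key."""
    def __parse_key__(keypath: Path) -> JsonWebKey:
        with open(keypath) as _sslkey:
            return JsonWebKey.import_key(_sslkey.read())

    key_storage_dir = Path(app.config["CLIENTS_SSL_PUBLIC_KEYS_DIR"])
    public_keys = {}
    # Regular files only; sorted so a duplicate 'kid' is reported deterministically.
    for keyfile in sorted(path for path in key_storage_dir.iterdir() if path.is_file()):
        key = __parse_key__(keyfile)
        kid = key.as_dict().get("kid")
        if kid is None:
            raise ConfigurationError(f"Client public key '{keyfile}' has no 'kid'.")
        if kid in public_keys:
            raise ConfigurationError(
                f"Duplicate 'kid' {kid!r} in client public key '{keyfile}'.")
        public_keys[kid] = key
    app.config["SSL_PUBLIC_KEYS"] = public_keys
    # … unchanged: SSL_PRIVATE_KEY loading …
```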
@@ -85,7 +88,7 @@ def create_app(config: Optional[dict] = None) -> Flask:
     override_settings_with_envvars(app)
 
     load_secrets_conf(app)
-    parse_ssl_key_pair(app)
+    parse_ssl_public_keys(app)
     # ====== END: Setup configuration ======
 
     check_mandatory_settings(app)
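Review bot: `parse_ssl_public_keys(app)` runs before `check_mandatory_settings(app)`, yet it indexes `app.config["CLIENTS_SSL_PUBLIC_KEYS_DIR"]` and `app.config["SSL_PRIVATE_KEY"]` directly, so a deployment that forgot either setting dies with a KeyError (or, with the empty-string defaults from settings.py, a FileNotFoundError) instead of the ConfigurationError the mandatory-settings check exists to raise. Moving `check_mandatory_settings(app)` above `parse_ssl_public_keys(app)` restores that, and also means the truthiness check sees the configured path string rather than the parsed key object the parse step stores back under `SSL_PRIVATE_KEY`. The body of create_app continues outside this hunk, so confirm nothing between the two calls depends on the current order.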
diff --git a/gn_auth/auth/authentication/oauth2/server.py b/gn_auth/auth/authentication/oauth2/server.py
index db2a0d5..0669139 100644
--- a/gn_auth/auth/authentication/oauth2/server.py
+++ b/gn_auth/auth/authentication/oauth2/server.py
@@ -66,7 +66,7 @@ def setup_oauth2_server(app: Flask) -> None:
     server.register_grant(JWTBearerGrant)
     server.register_token_generator(
         "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        JWTBearerTokenGenerator(app.config["JWT_PRIVATE_KEY"]))
+        JWTBearerTokenGenerator(app.config["SSL_PRIVATE_KEY"]))
 
     # register endpoints
     server.register_endpoint(RevocationEndpoint)
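Review bot: `app.config["SSL_PRIVATE_KEY"]` is passed straight to `JWTBearerTokenGenerator`, which only works because `parse_ssl_public_keys` in `gn_auth/__init__.py` has already replaced the path string from settings.py with the parsed `JsonWebKey` under the same config key; nothing in this file records that dependency. A short comment on the changed line, `# SSL_PRIVATE_KEY holds the parsed JsonWebKey here; create_app replaces the configured path before this runs`, would save the next reader from checking the settings file and concluding a path is being used as a key. setup_oauth2_server continues outside this hunk.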
@@ -82,4 +82,4 @@ def setup_oauth2_server(app: Flask) -> None:
     ## Set up the token validators
     require_oauth.register_token_validator(BearerTokenValidator())
     require_oauth.register_token_validator(
-        JWTBearerTokenValidator(app.config["JWT_PUBLIC_KEY"]))
+        JWTBearerTokenValidator(app.config["SSL_PRIVATE_KEY"].get_public_key()))
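Review bot: The validator is now built from `app.config["SSL_PRIVATE_KEY"].get_public_key()`, so bearer JWTs are accepted only if they verify under the server's own key; the per-client keys this commit loads into `SSL_PUBLIC_KEYS` are not consulted here. If the intent is that this validator covers only tokens the server itself issued via `JWTBearerTokenGenerator` in the hunk above, a comment saying so would make the trust boundary explicit, e.g. `# validates server-issued JWTs only; client assertions are verified elsewhere`; if client-signed assertions are meant to be accepted by this validator, that is a gap. It is also worth confirming that `get_public_key()` returns a type `JWTBearerTokenValidator` accepts for verification rather than a raw key object it cannot use, since the library's return type is not visible here.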
diff --git a/gn_auth/settings.py b/gn_auth/settings.py
index 59f3eec..489f72d 100644
--- a/gn_auth/settings.py
+++ b/gn_auth/settings.py
@@ -29,6 +29,6 @@ CORS_HEADERS = [
     "Access-Control-Allow-Credentials"
 ]
 
-# OpenSSL Key-Pair
-SSL_KEY_PAIR_PRIVATE_KEY = ""
-SSL_KEY_PAIR_PUBLIC_KEY = ""
+# OpenSSL keys
+CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # keys from registered clients
+SSL_PRIVATE_KEY = "" # authorisation server primary key
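Review bot: The comment on `SSL_PRIVATE_KEY` says "primary key" where the code in `gn_auth/__init__.py` opens this value as a file and imports it as the server's private key; "primary" reads like a database term and is almost certainly a typo. Both settings are file-system paths that are later replaced or supplemented by parsed key objects, so the comments should say so: `CLIENTS_SSL_PUBLIC_KEYS_DIR = ""  # directory of public-key files from registered clients` and `SSL_PRIVATE_KEY = ""  # path to the authorisation server's private key file`.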