From e18deccab2b891cf7de75690b1054360243b139d Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 19 Jul 2024 10:15:53 -0500
Subject: Remove the `CLIENTS_SSL_PUBLIC_KEYS_DIR` configuration

Moving forward, each client will advertise it's current JWKs at a known endpoint, and we'll use those, rather than having a configuration that requires manual update of the certificates. This will make it easier to implement key rotation on the clients too.
---
 gn_auth/__init__.py | 17 +----------------
 gn_auth/settings.py | 3 +--
 2 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/gn_auth/__init__.py b/gn_auth/__init__.py
index ee7ceb1..973110a 100644
--- a/gn_auth/__init__.py
+++ b/gn_auth/__init__.py
@@ -24,7 +24,7 @@ def check_mandatory_settings(app: Flask) -> None:
     undefined = tuple(
         setting for setting in (
             "SECRET_KEY", "SQL_URI", "AUTH_DB", "AUTH_MIGRATIONS",
-            "OAUTH2_SCOPE", "CLIENTS_SSL_PUBLIC_KEYS_DIR")
+            "OAUTH2_SCOPE")
         if not ((setting in app.config) and bool(app.config[setting])))
     if len(undefined) > 0:
         raise ConfigurationError(
@@ -51,20 +51,6 @@ def load_secrets_conf(app: Flask) -> None:
         app.config.from_pyfile(secretsfile)
 
 
-def parse_ssl_keys(app):
-    """Parse the SSL keys."""
-    def __parse_key__(keypath: Path) -> JsonWebKey:
-        with open(keypath) as _sslkey:# pylint: disable=[unspecified-encoding]
-            return JsonWebKey.import_key(_sslkey.read())
-
-    key_storage_dir = Path(app.config["CLIENTS_SSL_PUBLIC_KEYS_DIR"])
-    key_storage_dir.mkdir(exist_ok=True)
-    app.config["SSL_PUBLIC_KEYS"] = {
-        _key.as_dict()["kid"]: _key for _key in (
-            __parse_key__(Path(key_storage_dir).joinpath(key))
-            for key in os.listdir(key_storage_dir))}
-
-
 def create_app(
         config: Optional[dict] = None,
         setup_logging: Callable[[Flask], None] = lambda appl: None
@@ -83,7 +69,6 @@ def create_app(
 
     override_settings_with_envvars(app)
     load_secrets_conf(app)
-    parse_ssl_keys(app)
     # ====== END: Setup configuration ======
 
     setup_logging(app)
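Review bot: Dropping `CLIENTS_SSL_PUBLIC_KEYS_DIR` from the mandatory tuple in `check_mandatory_settings` leaves no start-up check for whatever replaces it; the commit message says client JWKs will now be fetched from a known endpoint, so if that endpoint URL (or the CA bundle used to verify it) is a configuration value, it belongs in this tuple so a misconfigured deployment fails here rather than at the first token verification. Note that the removed key directory was an operator-controlled trust anchor, whereas a fetched JWKS is only as trustworthy as the TLS verification and URL binding around the fetch, none of which is visible in this commit. Separately, with `parse_ssl_keys` gone nothing sets `app.config["SSL_PUBLIC_KEYS"]` any more, so any remaining reader of that key elsewhere in the package would now raise `KeyError`, and the `os` / `JsonWebKey` imports in this module may be dead — both are outside the hunk and worth a grep. The body of `check_mandatory_settings` continues past the end of the hunk.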
diff --git a/gn_auth/settings.py b/gn_auth/settings.py
index e9bfe23..6015560 100644
--- a/gn_auth/settings.py
+++ b/gn_auth/settings.py
@@ -32,8 +32,7 @@ CORS_HEADERS = [
     "Access-Control-Allow-Credentials"
 ]
 
-# OpenSSL keys
-CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # clients' public keys' directory
+# JSON Web Keys (JWKs)
 JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
 JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
 
-- 
cgit v1.2.3
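Review bot: The new `# JSON Web Keys (JWKs)` heading now sits directly above the two age constants but says nothing about how they must relate, and that relationship is the security-relevant part: `JWKS_DELETION_AGE_DAYS` has to exceed `JWKS_ROTATION_AGE_DAYS` by at least the longest lifetime of a token signed with the retiring key, otherwise such tokens become unverifiable before they expire (this assumes deletion removes the key from verification — confirm against the JWKS handling code). I would extend the comment to `# JSON Web Keys (JWKs): keep DELETION_AGE > ROTATION_AGE + longest token lifetime, so tokens signed with a retired key stay verifiable until they expire.` Because these values can be overridden after import (`override_settings_with_envvars` runs in `create_app`), an explicit validation of that inequality in `check_mandatory_settings`, rather than a bare `assert` here, would catch a bad override at start-up.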