phil/ezidam
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ezidam: added jwks route in well-known

Browse source
This commit is contained in:
Philippe Loctaux 2023-03-12 18:46:58 +01:00
parent 8c37fc1181
commit d62cfcd1d9
6 changed files with 94 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
crates/ezidam/Cargo.toml
View file

@ -11,6 +11,7 @@ infer = { version = "0.12.0", default-features = false }
erased-serde = "0.3"
url = { workspace = true }
identicon-rs = "4.0.1"
futures = "0.3.26"
# local crates
database_pool = { path = "../database_pool" }

6
crates/ezidam/src/error/conversion.rs
View file

@ -35,3 +35,9 @@ impl From<openid::Error> for Error {
Error::internal_server_error(e)
}
}
impl From<jwt::Error> for Error {
fn from(e: jwt::Error) -> Self {
Error::internal_server_error(e)
}
}

47
crates/ezidam/src/routes/well_known.rs
View file

@ -1,10 +1,13 @@
use super::prelude::*;
use futures::future::join_all;
use jwt::database::Key;
use jwt::PublicKey;
use rocket::get;
use rocket::serde::json::{Json, Value};
use settings::Settings;
pub fn routes() -> Vec<Route> {
routes![openid_configuration]
routes![openid_configuration, json_web_keys]
}
#[get("/openid-configuration")]
@ -24,6 +27,35 @@ async fn openid_configuration(mut db: Connection<Database>) -> Result<Json<Value
Ok(Json(openid_configuration))
}
#[get("/jwks.json")]
async fn json_web_keys(mut db: Connection<Database>) -> Result<Json<Vec<Value>>> {
// Get keys
let keys = Key::get_all(&mut *db, Some(false)).await?;
// For each key, import as public key and extract the jwk
let json_web_keys = join_all(keys.into_iter().map(|key| {
task::spawn_blocking(move || {
// Import public key
PublicKey::try_from(key)
})
}))
.await
// Handle JoinError if one is found
.into_iter()
.collect::<std::result::Result<Vec<_>, _>>()?
// Collect all values, return error immediately if one is found
.into_iter()
.collect::<std::result::Result<Vec<_>, _>>()?
// Extract jwk
.into_iter()
.map(|key| key.jwk())
// Collect all values, return error immediately if one is found
.collect::<std::result::Result<Vec<_>, _>>()?;
// HTTP response
Ok(Json(json_web_keys))
}
#[cfg(test)]
mod test {
use crate::tests::*;
@ -58,4 +90,17 @@ mod test {
.dispatch();
assert_ne!(response.status(), Status::Ok);
}
#[test]
fn jwks() {
// Setup http server
let client = setup_rocket_testing();
// Make request
let response = client.get(uri!("/.well-known/jwks.json")).dispatch();
assert_eq!(response.status(), Status::Ok);
// Make sure it is valid json
assert!(response.into_json::<Value>().is_some());
}
}

3
crates/jwt/src/error.rs
View file

@ -17,4 +17,7 @@ pub enum Error {
#[error("Failed to parse JWT: `{0}`")]
JwtParsing(#[from] jwt_compact::ParseError),
#[error("Failed to serialize JWK: `{0}`")]
JwkSerialization(#[from] serde_json::Error),
}

28
crates/jwt/src/key/public.rs
View file

@ -1,3 +1,4 @@
use crate::database::Key;
use crate::jwk::JsonWebKey;
use crate::Error;
use id::KeyID;
@ -5,12 +6,21 @@ use jwt_compact::alg::{Rsa, RsaPublicKey, StrongKey};
use jwt_compact::jwk::JsonWebKey as JsonWebKeyBase;
use jwt_compact::Algorithm;
use rsa::pkcs1::{DecodeRsaPublicKey, EncodeRsaPublicKey};
use serde_json::Value;
pub struct PublicKey {
id: KeyID,
key: RsaPublicKey,
}
impl TryFrom<Key> for PublicKey {
type Error = Error;
fn try_from(key: Key) -> Result<Self, Self::Error> {
PublicKey::from_der(key.public_der(), key.key_id())
}
}
impl PublicKey {
pub fn new(id: &KeyID, key: StrongKey<RsaPublicKey>) -> Self {
Self {
@ -30,12 +40,16 @@ impl PublicKey {
})
}
pub fn jwk(&self) -> JsonWebKey {
JsonWebKey {
pub fn jwk(&self) -> Result<Value, Error> {
Ok(serde_json::to_value(JsonWebKey {
base: JsonWebKeyBase::from(&self.key),
key_id: self.id.as_ref(),
algorithm: Rsa::ps256().name(),
}
})?)
}
pub fn key_id(&self) -> &KeyID {
&self.id
}
}
@ -82,11 +96,13 @@ mod tests {
let premade_der = include_bytes!("../../tests/public_key.der");
let public_key = PublicKey::from_der(premade_der, &key_id).unwrap();
let generated_jwk = serde_json::to_string(&public_key.jwk());
// Generate jwk
let generated_jwk = public_key.jwk();
assert!(generated_jwk.is_ok());
let jwk = r#"{"kty":"RSA","n":"3os0j_kNfdTHJVQ-eMYXyRBWIqsrJDdELxLAh3_WlOZtsBwiGVNnpHQm9cRB63Un9UJpYGbWz38emglXc8bHPrUArDl-K_5ioDlbh7hAaz3rZ6b8LDIPUO-jYICdxBdv1THXSWbTEistZF1TYsXg7G4xrxiFKnZLBNaSgJrKOAY8AUNWuby-vZKr5X9e3SG7kvPsUITyqSmDz4ZTCj4QScx4O9gyqz1_UEBxTRSKcpS82YzAo2Byo5avRWesiGoaxs8lNv0QJ22IY1KVoROv3hHFeFEcg3D4NTfFG2Cd8d1OMXfILhtFnQZbt5ZxIG9SCOfirn32-9OtoLemKlgSq0gbLf6t1OK12LK6mIJ78pphlnhHdvHeJ75PV6c2lS2Wwd75NYBJzhIojG4U4Lbpe7T_NDFaxExry_7V5oxX8tbb-OzJnuPOQRR0H5uOBjdVo7i5vjnDKOTDpro3XPQjBbIBkABhDdU2FcXkEbl8_ByyYZZni7ekzGrVSJB_vxvv","e":"AQAB","kid":"SgTG8ulMHAp5UsGWuCclw36zWsdEo5","alg":"PS256"}"#;
let generated_jwk = generated_jwk.unwrap();
// Convert to string to verify easily
let generated_jwk = serde_json::to_string(&generated_jwk.unwrap()).unwrap();
let jwk = r#"{"alg":"PS256","e":"AQAB","kid":"SgTG8ulMHAp5UsGWuCclw36zWsdEo5","kty":"RSA","n":"3os0j_kNfdTHJVQ-eMYXyRBWIqsrJDdELxLAh3_WlOZtsBwiGVNnpHQm9cRB63Un9UJpYGbWz38emglXc8bHPrUArDl-K_5ioDlbh7hAaz3rZ6b8LDIPUO-jYICdxBdv1THXSWbTEistZF1TYsXg7G4xrxiFKnZLBNaSgJrKOAY8AUNWuby-vZKr5X9e3SG7kvPsUITyqSmDz4ZTCj4QScx4O9gyqz1_UEBxTRSKcpS82YzAo2Byo5avRWesiGoaxs8lNv0QJ22IY1KVoROv3hHFeFEcg3D4NTfFG2Cd8d1OMXfILhtFnQZbt5ZxIG9SCOfirn32-9OtoLemKlgSq0gbLf6t1OK12LK6mIJ78pphlnhHdvHeJ75PV6c2lS2Wwd75NYBJzhIojG4U4Lbpe7T_NDFaxExry_7V5oxX8tbb-OzJnuPOQRR0H5uOBjdVo7i5vjnDKOTDpro3XPQjBbIBkABhDdU2FcXkEbl8_ByyYZZni7ekzGrVSJB_vxvv"}"#;
assert_eq!(jwk, generated_jwk);
}
}