From dae5b20a7e9181a5cebe279b349eac823031bc2e Mon Sep 17 00:00:00 2001
From: Morten Mjelva
Date: Fri, 22 Sep 2023 18:59:14 +0000
Subject: [PATCH 1/9] Proto file definition for JWKS
---
 pkg/proto/configuration/jwt/jwt.proto | 83 ++++++++++++++++++++++-----
 1 file changed, 68 insertions(+), 15 deletions(-)
diff --git a/pkg/proto/configuration/jwt/jwt.proto b/pkg/proto/configuration/jwt/jwt.proto
index 5a76ac9f..a323fb64 100644
--- a/pkg/proto/configuration/jwt/jwt.proto
+++ b/pkg/proto/configuration/jwt/jwt.proto
@@ -6,22 +6,75 @@ import "pkg/proto/configuration/eviction/eviction.proto";
 option go_package = "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt";
+
+// (JSON Web Key) [https://tools.ietf.org/html/rfc7517]
+message JSONWebKey {
+ // "kty" (Key Type) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7517#section-4.1
+ string kty = 1;
+
+ // "use" (Public Key Use) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7517#section-4.2
+ string use = 2;
+
+ // "alg" (Algorithm) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
+ string alg = 3;
+
+ // "kid" (Key ID) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7517#section-4.5
+ string kid = 4;
+
+ // "crv" (Curve) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.1
+ string crv = 5;
+
+ // "x" (X Coordinate) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2
+ string x = 6;
+
+ // "y" (X Coordinate) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3
+ string y = 7;
+
+ // "n" (Modulus) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.1
+ string n = 8;
+
+ // "e" (Exponent) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.2
+ string e = 9;
+
+ // "k" (Key Value) Parameter
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1
+ string k = 10;
+}
+
+// (JWK Set) [https://tools.ietf.org/html/rfc7517]
+message JSONWebKeySet {
+ // The value of the "keys" parameter is an array of JWK values. By
+ // default, the order of the JWK values within the array does not imply
+ // an order of preference among them, although applications of JWK Sets
+ // can choose to assign a meaning to the order for their purposes, if
+ // desired.
+ repeated JSONWebKey keys = 1;
+}
+
 message AuthorizationHeaderParserConfiguration {
- oneof key {
- // Accept signatures using algorithms "HS256", "HS384" and "HS512".
- //
- // This field contains the shared key secret to validate the
- // signature.
- bytes hmac_key = 1;
-
- // Accept signatures using algorithms "ES256", "ES384", "ES512",
- // "EdDSA", "RS256", "RS384", or "RS512".
- //
- // This field contains the public key used to validate the
- // signature. It should start with "-----BEGIN PUBLIC KEY-----".
- // The public key type and curve size determine which exact
- // algorithm is used.
- string public_key = 2;
+ // Was 'hmac_key'. Replaced by 'jwks'.
+ reserved 1;
+
+ // Was 'public_key'. Replaced by 'jwks'.
+ reserved 2;
+
+ oneof jwks {
+ // JSON Web Key Set (JWKS) that contains the public keys that can sign
+ // accepted JWTs.
+ JSONWebKeySet jwks_inline = 7;
+
+ // Path to a file containing a JSON Web Key Set (JWKS) that contains the the
+ // public keys that can sign accepted JWTs.
+ string jwks_path = 8;
 }
 // Maximum number of validated tokens to cache in memory. This speeds
From 22bcb2d26520803f17d58f6859173388d824b1af Mon Sep 17 00:00:00 2001
From: Morten Mjelva
Date: Fri, 22 Sep 2023 12:48:07 +0000
Subject: [PATCH 2/9] Generate jwt.pb.go
---
 pkg/proto/configuration/jwt/jwt.pb.go | 360 ++++++++++++++++++++------
 1 file changed, 287 insertions(+), 73 deletions(-)
diff --git a/pkg/proto/configuration/jwt/jwt.pb.go b/pkg/proto/configuration/jwt/jwt.pb.go
index f671c239..53ffd1f0 100644
--- a/pkg/proto/configuration/jwt/jwt.pb.go
+++ b/pkg/proto/configuration/jwt/jwt.pb.go
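Review bot: The comment on field `y` is mislabelled as the X coordinate and the `jwks_path` comment doubles "the the"; the lines should read `// "y" (Y Coordinate) Parameter` and `// Path to a file containing a JSON Web Key Set (JWKS) that contains the`. Both oneof comments speak of "public keys", yet `JSONWebKey` also carries `k` (the RFC 7518 §6.4.1 symmetric key value), so an inline JWKS can hold the same shared HMAC secret that the removed `hmac_key` field held, now embedded in the configuration file; the `jwks_inline` comment should say so, e.g. `// Keys may be asymmetric (public part only) or symmetric ("k"); a symmetric key is a shared secret and is better placed in a file referenced by jwks_path.` The message models only the kty/use/alg/kid/crv/x/y/n/e/k members, so how a JWKS entry with other members (presumably including private-key parameters) is treated is decided by whatever parses this later in the series and is worth documenting on the message.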
@@ -21,26 +21,192 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +type JSONWebKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Kty string `protobuf:"bytes,1,opt,name=kty,proto3" json:"kty,omitempty"` + Use string `protobuf:"bytes,2,opt,name=use,proto3" json:"use,omitempty"` + Alg string `protobuf:"bytes,3,opt,name=alg,proto3" json:"alg,omitempty"` + Kid string `protobuf:"bytes,4,opt,name=kid,proto3" json:"kid,omitempty"` + Crv string `protobuf:"bytes,5,opt,name=crv,proto3" json:"crv,omitempty"` + X string `protobuf:"bytes,6,opt,name=x,proto3" json:"x,omitempty"` + Y string `protobuf:"bytes,7,opt,name=y,proto3" json:"y,omitempty"` + N string `protobuf:"bytes,8,opt,name=n,proto3" json:"n,omitempty"` + E string `protobuf:"bytes,9,opt,name=e,proto3" json:"e,omitempty"` + K string `protobuf:"bytes,10,opt,name=k,proto3" json:"k,omitempty"` +} + +func (x *JSONWebKey) Reset() { + *x = JSONWebKey{} + if protoimpl.UnsafeEnabled { + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *JSONWebKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JSONWebKey) ProtoMessage() {} + +func (x *JSONWebKey) ProtoReflect() protoreflect.Message { + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JSONWebKey.ProtoReflect.Descriptor instead. 
+func (*JSONWebKey) Descriptor() ([]byte, []int) { + return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{0} +} + +func (x *JSONWebKey) GetKty() string { + if x != nil { + return x.Kty + } + return "" +} + +func (x *JSONWebKey) GetUse() string { + if x != nil { + return x.Use + } + return "" +} + +func (x *JSONWebKey) GetAlg() string { + if x != nil { + return x.Alg + } + return "" +} + +func (x *JSONWebKey) GetKid() string { + if x != nil { + return x.Kid + } + return "" +} + +func (x *JSONWebKey) GetCrv() string { + if x != nil { + return x.Crv + } + return "" +} + +func (x *JSONWebKey) GetX() string { + if x != nil { + return x.X + } + return "" +} + +func (x *JSONWebKey) GetY() string { + if x != nil { + return x.Y + } + return "" +} + +func (x *JSONWebKey) GetN() string { + if x != nil { + return x.N + } + return "" +} + +func (x *JSONWebKey) GetE() string { + if x != nil { + return x.E + } + return "" +} + +func (x *JSONWebKey) GetK() string { + if x != nil { + return x.K + } + return "" +} + +type JSONWebKeySet struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Keys []*JSONWebKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"` +} + +func (x *JSONWebKeySet) Reset() { + *x = JSONWebKeySet{} + if protoimpl.UnsafeEnabled { + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *JSONWebKeySet) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JSONWebKeySet) ProtoMessage() {} + +func (x *JSONWebKeySet) ProtoReflect() protoreflect.Message { + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use 
JSONWebKeySet.ProtoReflect.Descriptor instead. +func (*JSONWebKeySet) Descriptor() ([]byte, []int) { + return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{1} +} + +func (x *JSONWebKeySet) GetKeys() []*JSONWebKey { + if x != nil { + return x.Keys + } + return nil +} + type AuthorizationHeaderParserConfiguration struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Types that are assignable to Key: + // Types that are assignable to Jwks: // - // *AuthorizationHeaderParserConfiguration_HmacKey - // *AuthorizationHeaderParserConfiguration_PublicKey - Key isAuthorizationHeaderParserConfiguration_Key `protobuf_oneof:"key"` - MaximumCacheSize int32 `protobuf:"varint,3,opt,name=maximum_cache_size,json=maximumCacheSize,proto3" json:"maximum_cache_size,omitempty"` - CacheReplacementPolicy eviction.CacheReplacementPolicy `protobuf:"varint,4,opt,name=cache_replacement_policy,json=cacheReplacementPolicy,proto3,enum=buildbarn.configuration.eviction.CacheReplacementPolicy" json:"cache_replacement_policy,omitempty"` - ClaimsValidationJmespathExpression string `protobuf:"bytes,5,opt,name=claims_validation_jmespath_expression,json=claimsValidationJmespathExpression,proto3" json:"claims_validation_jmespath_expression,omitempty"` - MetadataExtractionJmespathExpression string `protobuf:"bytes,6,opt,name=metadata_extraction_jmespath_expression,json=metadataExtractionJmespathExpression,proto3" json:"metadata_extraction_jmespath_expression,omitempty"` + // *AuthorizationHeaderParserConfiguration_JwksInline + // *AuthorizationHeaderParserConfiguration_JwksPath + Jwks isAuthorizationHeaderParserConfiguration_Jwks `protobuf_oneof:"jwks"` + MaximumCacheSize int32 `protobuf:"varint,3,opt,name=maximum_cache_size,json=maximumCacheSize,proto3" json:"maximum_cache_size,omitempty"` + CacheReplacementPolicy eviction.CacheReplacementPolicy 
`protobuf:"varint,4,opt,name=cache_replacement_policy,json=cacheReplacementPolicy,proto3,enum=buildbarn.configuration.eviction.CacheReplacementPolicy" json:"cache_replacement_policy,omitempty"` + ClaimsValidationJmespathExpression string `protobuf:"bytes,5,opt,name=claims_validation_jmespath_expression,json=claimsValidationJmespathExpression,proto3" json:"claims_validation_jmespath_expression,omitempty"` + MetadataExtractionJmespathExpression string `protobuf:"bytes,6,opt,name=metadata_extraction_jmespath_expression,json=metadataExtractionJmespathExpression,proto3" json:"metadata_extraction_jmespath_expression,omitempty"` } func (x *AuthorizationHeaderParserConfiguration) Reset() { *x = AuthorizationHeaderParserConfiguration{} if protoimpl.UnsafeEnabled { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -53,7 +219,7 @@ func (x *AuthorizationHeaderParserConfiguration) String() string { func (*AuthorizationHeaderParserConfiguration) ProtoMessage() {} func (x *AuthorizationHeaderParserConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -66,26 +232,26 @@ func (x *AuthorizationHeaderParserConfiguration) ProtoReflect() protoreflect.Mes // Deprecated: Use AuthorizationHeaderParserConfiguration.ProtoReflect.Descriptor instead. func (*AuthorizationHeaderParserConfiguration) Descriptor() ([]byte, []int) { - return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{0} + return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{2} } -func (m *AuthorizationHeaderParserConfiguration) GetKey() isAuthorizationHeaderParserConfiguration_Key { +func (m *AuthorizationHeaderParserConfiguration) GetJwks() isAuthorizationHeaderParserConfiguration_Jwks { if m != nil { - return m.Key + return m.Jwks } return nil } -func (x *AuthorizationHeaderParserConfiguration) GetHmacKey() []byte { - if x, ok := x.GetKey().(*AuthorizationHeaderParserConfiguration_HmacKey); ok { - return x.HmacKey +func (x *AuthorizationHeaderParserConfiguration) GetJwksInline() *JSONWebKeySet { + if x, ok := x.GetJwks().(*AuthorizationHeaderParserConfiguration_JwksInline); ok { + return x.JwksInline } return nil } -func (x *AuthorizationHeaderParserConfiguration) GetPublicKey() string { - if x, ok := x.GetKey().(*AuthorizationHeaderParserConfiguration_PublicKey); ok { - return x.PublicKey +func (x *AuthorizationHeaderParserConfiguration) GetJwksPath() string { + if x, ok := x.GetJwks().(*AuthorizationHeaderParserConfiguration_JwksPath); ok { + return x.JwksPath } return "" } 
@@ -118,22 +284,22 @@ func (x *AuthorizationHeaderParserConfiguration) GetMetadataExtractionJmespathEx return "" } -type isAuthorizationHeaderParserConfiguration_Key interface { - isAuthorizationHeaderParserConfiguration_Key() +type isAuthorizationHeaderParserConfiguration_Jwks interface { + isAuthorizationHeaderParserConfiguration_Jwks() } -type AuthorizationHeaderParserConfiguration_HmacKey struct { - HmacKey []byte `protobuf:"bytes,1,opt,name=hmac_key,json=hmacKey,proto3,oneof"` +type AuthorizationHeaderParserConfiguration_JwksInline struct { + JwksInline *JSONWebKeySet `protobuf:"bytes,7,opt,name=jwks_inline,json=jwksInline,proto3,oneof"` } -type AuthorizationHeaderParserConfiguration_PublicKey struct { - PublicKey string `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3,oneof"` +type AuthorizationHeaderParserConfiguration_JwksPath struct { + JwksPath string `protobuf:"bytes,8,opt,name=jwks_path,json=jwksPath,proto3,oneof"` } -func (*AuthorizationHeaderParserConfiguration_HmacKey) isAuthorizationHeaderParserConfiguration_Key() { +func (*AuthorizationHeaderParserConfiguration_JwksInline) isAuthorizationHeaderParserConfiguration_Jwks() { } -func (*AuthorizationHeaderParserConfiguration_PublicKey) isAuthorizationHeaderParserConfiguration_Key() { +func (*AuthorizationHeaderParserConfiguration_JwksPath) isAuthorizationHeaderParserConfiguration_Jwks() { } var File_pkg_proto_configuration_jwt_jwt_proto protoreflect.FileDescriptor 
@@ -146,39 +312,59 @@ var file_pkg_proto_configuration_jwt_jwt_proto_rawDesc = []byte{ 0x2e, 0x6a, 0x77, 0x74, 0x1a, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb9, 0x03, 0x0a, 0x26, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x50, 0x61, 0x72, - 0x73, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x1b, 0x0a, 0x08, 0x68, 0x6d, 0x61, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x48, 0x00, 0x52, 0x07, 0x68, 0x6d, 0x61, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1f, 0x0a, - 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x48, 0x00, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x2c, - 0x0a, 0x12, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, - 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x69, - 0x6d, 0x75, 0x6d, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x72, 0x0a, 0x18, - 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, - 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x2e, 0x43, 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x16, 0x63, 0x61, 0x63, 0x68, 0x65, 0x52, - 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 
0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x12, 0x51, 0x0a, 0x25, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x65, - 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x22, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x12, 0x55, 0x0a, 0x27, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, - 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, - 0x61, 0x74, 0x68, 0x5f, 0x65, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x24, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, - 0x74, 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, - 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x05, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2f, 0x62, 0x62, 0x2d, 0x73, 0x74, 0x6f, - 0x72, 0x61, 0x67, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x77, 0x74, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xac, 0x01, 0x0a, 0x0a, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, + 0x62, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x6b, 0x74, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x73, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 
0x61, 0x6c, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, + 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, + 0x63, 0x72, 0x76, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x63, 0x72, 0x76, 0x12, 0x0c, + 0x0a, 0x01, 0x78, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x78, 0x12, 0x0c, 0x0a, 0x01, + 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x79, 0x12, 0x0c, 0x0a, 0x01, 0x6e, 0x18, + 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x6e, 0x12, 0x0c, 0x0a, 0x01, 0x65, 0x18, 0x09, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x01, 0x65, 0x12, 0x0c, 0x0a, 0x01, 0x6b, 0x18, 0x0a, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x01, 0x6b, 0x22, 0x4c, 0x0a, 0x0d, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, + 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, 0x3b, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x6a, 0x77, + 0x74, 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, + 0x79, 0x73, 0x22, 0xf6, 0x03, 0x0a, 0x26, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x50, 0x61, 0x72, 0x73, 0x65, 0x72, + 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, + 0x0b, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x6a, 0x77, 0x74, + 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, + 0x52, 0x0a, 0x6a, 0x77, 0x6b, 0x73, 0x49, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x12, 0x1d, 0x0a, 0x09, + 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x08, 0x20, 0x01, 
0x28, 0x09, 0x48, + 0x00, 0x52, 0x08, 0x6a, 0x77, 0x6b, 0x73, 0x50, 0x61, 0x74, 0x68, 0x12, 0x2c, 0x0a, 0x12, 0x6d, + 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, + 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x72, 0x0a, 0x18, 0x63, 0x61, 0x63, + 0x68, 0x65, 0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x62, 0x75, + 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x43, + 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x16, 0x63, 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, + 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x51, 0x0a, + 0x25, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x65, 0x78, 0x70, 0x72, + 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x22, 0x63, 0x6c, + 0x61, 0x69, 0x6d, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x12, 0x55, 0x0a, 0x27, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x74, + 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, + 0x5f, 0x65, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x24, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, 0x74, 0x72, 0x61, + 0x63, 0x74, 0x69, 
0x6f, 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x45, 0x78, 0x70, + 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x06, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x4a, + 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x42, 0x3d, 0x5a, 0x3b, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, + 0x61, 0x72, 0x6e, 0x2f, 0x62, 0x62, 0x2d, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f, 0x70, + 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x77, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( 
@@ -193,18 +379,22 @@ func file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP() []byte { return file_pkg_proto_configuration_jwt_jwt_proto_rawDescData } -var file_pkg_proto_configuration_jwt_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_pkg_proto_configuration_jwt_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_pkg_proto_configuration_jwt_jwt_proto_goTypes = []interface{}{ - (*AuthorizationHeaderParserConfiguration)(nil), // 0: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration - (eviction.CacheReplacementPolicy)(0), // 1: buildbarn.configuration.eviction.CacheReplacementPolicy + (*JSONWebKey)(nil), // 0: buildbarn.configuration.jwt.JSONWebKey + (*JSONWebKeySet)(nil), // 1: buildbarn.configuration.jwt.JSONWebKeySet + (*AuthorizationHeaderParserConfiguration)(nil), // 2: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration + (eviction.CacheReplacementPolicy)(0), // 3: buildbarn.configuration.eviction.CacheReplacementPolicy } var file_pkg_proto_configuration_jwt_jwt_proto_depIdxs = []int32{ - 1, // 0: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.cache_replacement_policy:type_name -> buildbarn.configuration.eviction.CacheReplacementPolicy - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name + 0, // 0: buildbarn.configuration.jwt.JSONWebKeySet.keys:type_name -> buildbarn.configuration.jwt.JSONWebKey + 1, // 1: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.jwks_inline:type_name -> buildbarn.configuration.jwt.JSONWebKeySet + 3, // 2: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.cache_replacement_policy:type_name -> buildbarn.configuration.eviction.CacheReplacementPolicy + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] 
is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_pkg_proto_configuration_jwt_jwt_proto_init() } @@ -214,6 +404,30 @@ func file_pkg_proto_configuration_jwt_jwt_proto_init() { } if !protoimpl.UnsafeEnabled { file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*JSONWebKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*JSONWebKeySet); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AuthorizationHeaderParserConfiguration); i { case 0: return &v.state @@ -226,9 +440,9 @@ func file_pkg_proto_configuration_jwt_jwt_proto_init() { } } } - file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0].OneofWrappers = []interface{}{ - (*AuthorizationHeaderParserConfiguration_HmacKey)(nil), - (*AuthorizationHeaderParserConfiguration_PublicKey)(nil), + file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2].OneofWrappers = []interface{}{ + (*AuthorizationHeaderParserConfiguration_JwksInline)(nil), + (*AuthorizationHeaderParserConfiguration_JwksPath)(nil), } type x struct{} out := protoimpl.TypeBuilder{ @@ -236,7 +450,7 @@ func file_pkg_proto_configuration_jwt_jwt_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_pkg_proto_configuration_jwt_jwt_proto_rawDesc, NumEnums: 0, - NumMessages: 1, + NumMessages: 3, NumExtensions: 0, NumServices: 0, }, 
From be822802f513f2b4df1ec6d3374d96a336622ba6 Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Fri, 22 Sep 2023 19:12:43 +0000 Subject: [PATCH 3/9] Add github.com/go-jose/go-jose/v3 --- go.mod | 1 + go.sum | 3 +++ go_dependencies.bzl | 7 +++++++ 3 files changed, 11 insertions(+) diff --git a/go.mod b/go.mod index d7acb37f..b4048334 100644 --- a/go.mod +++ b/go.mod @@ -70,6 +70,7 @@ require ( github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect + github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-redis/redis/extra/rediscmd v0.2.0 // indirect diff --git a/go.sum b/go.sum index 1fe808f3..46ed02af 100644 --- a/go.sum +++ b/go.sum @@ -77,6 +77,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fxtlabs/primes v0.0.0-20150821004651-dad82d10a449 h1:HOYnhuVrhAVGKdg3rZapII640so7QfXQmkLkefUN/uM= github.com/fxtlabs/primes v0.0.0-20150821004651-dad82d10a449/go.mod h1:i+vbdOOivRRh2j+WwBkjZXloGN/+KAqfKDwNfUJeugc= +github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= +github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 
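Review bot: `github.com/go-jose/go-jose/v3` is added inside the `// indirect` block of go.mod even though the series title and later patches presumably import it directly; `go mod tidy` will move it to the direct require block, so the line should be `github.com/go-jose/go-jose/v3 v3.0.0` in the direct block from the start. Since this module now sits on the token-verification path, its version should stay pinned consistently across go.mod, go.sum and go_dependencies.bzl (as this commit does) and be tracked against upstream advisories like any other cryptographic dependency.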
@@ -237,6 +239,7 @@ go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= diff --git a/go_dependencies.bzl b/go_dependencies.bzl index 770456d7..1b9ac1eb 100644 --- a/go_dependencies.bzl +++ b/go_dependencies.bzl @@ -249,6 +249,13 @@ def go_dependencies(): sum = "h1:HOYnhuVrhAVGKdg3rZapII640so7QfXQmkLkefUN/uM=", version = "v0.0.0-20150821004651-dad82d10a449", ) + go_repository( + name = "com_github_go_jose_go_jose_v3", + importpath = "github.com/go-jose/go-jose/v3", + sum = "h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=", + version = "v3.0.0", + ) + go_repository( name = "com_github_go_kit_log", importpath = "github.com/go-kit/log", From e7af2988d82ddffe386198fb57797bf4f58b199e Mon Sep 17 00:00:00 2001 
From: Morten Mjelva Date: Fri, 22 Sep 2023 18:52:18 +0000 Subject: [PATCH 4/9] Add keyId to ValidateSignature --- pkg/jwt/authorization_header_parser.go | 3 ++- pkg/jwt/authorization_header_parser_test.go | 4 ++++ pkg/jwt/ecdsa_sha_signature_generator_test.go | 2 +- pkg/jwt/ecdsa_sha_signature_validator.go | 2 +- pkg/jwt/ecdsa_sha_signature_validator_test.go | 8 ++++++++ pkg/jwt/ed25519_signature_validator.go | 2 +- pkg/jwt/ed25519_signature_validator_test.go | 3 +++ pkg/jwt/hmac_sha_signature_validator.go | 2 +- pkg/jwt/hmac_sha_signature_validator_test.go | 7 +++++++ pkg/jwt/rsa_sha_signature_validator.go | 2 +- pkg/jwt/rsa_sha_signature_validator_test.go | 7 +++++++ pkg/jwt/signature_validator.go | 2 +- 12 files changed, 37 insertions(+), 7 deletions(-) diff --git a/pkg/jwt/authorization_header_parser.go b/pkg/jwt/authorization_header_parser.go index 2f961428..fba4f797 100644 --- a/pkg/jwt/authorization_header_parser.go +++ b/pkg/jwt/authorization_header_parser.go @@ -102,11 +102,12 @@ func (a *AuthorizationHeaderParser) parseSingleAuthorizationHeader(header string // Perform signature validation. headerMessage := struct { Alg string `json:"alg"` + Kid string `json:"kid"` }{} if json.Unmarshal(decodedFields[0], &headerMessage) != nil { return unauthenticated } - if !a.signatureValidator.ValidateSignature(headerMessage.Alg, match[1], decodedFields[2]) { + if !a.signatureValidator.ValidateSignature(headerMessage.Alg, headerMessage.Kid, match[1], decodedFields[2]) { return unauthenticated } diff --git a/pkg/jwt/authorization_header_parser_test.go b/pkg/jwt/authorization_header_parser_test.go index 44367c97..17e32076 100644 --- a/pkg/jwt/authorization_header_parser_test.go +++ b/pkg/jwt/authorization_header_parser_test.go 
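Review bot: The new `Kid` field is read from the token header before the signature has been checked, so the value handed to `ValidateSignature` is attacker-chosen; nothing in this hunk constrains it, which is acceptable for the parser, but the contract belongs on the struct, e.g. `// Kid comes from the unverified header: validators may use it only to select among configured keys, never to bypass the algorithm/key-type check.` A missing "kid" member decodes as "", which the updated tests rely on, so that default is worth stating in the same comment. parseSingleAuthorizationHeader begins and ends outside the hunk.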
@@ -36,6 +36,7 @@ func TestAuthorizationHeaderParser(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1635747849, 0)) signatureValidator.EXPECT().ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0x49, 0xf9, 0x4a, 0xc7, 0x04, 0x49, 0x48, 0xc7, @@ -59,6 +60,7 @@ func TestAuthorizationHeaderParser(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1635781700, 0)) signatureValidator.EXPECT().ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0x69, 0xf2, 0xcf, 0x62, 0xca, 0x9a, 0xa4, 0x3c, @@ -102,6 +104,7 @@ func TestAuthorizationHeaderParser(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1635781778, 0)) signatureValidator.EXPECT().ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwibmJmIjoxNjM1NzgxNzgwLCJleHAiOjE2MzU3ODE3OTJ9", []byte{ 0x9a, 0xf0, 0xa6, 0x11, 0xb2, 0x62, 0xcb, 0xec, @@ -199,6 +202,7 @@ func TestAuthorizationHeaderParser(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1636144433, 0)) signatureValidator.EXPECT().ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb3JiaWRkZW5GaWVsZCI6Im9vcHMifQ", []byte{ 0xf1, 0x5c, 0xbc, 0x0c, 0x47, 0x71, 0x2d, 0x88, diff --git a/pkg/jwt/ecdsa_sha_signature_generator_test.go b/pkg/jwt/ecdsa_sha_signature_generator_test.go index a24c8d87..17cdf7c9 100644 --- a/pkg/jwt/ecdsa_sha_signature_generator_test.go +++ b/pkg/jwt/ecdsa_sha_signature_generator_test.go 
@@ -33,6 +33,6 @@ f2EJfEoVNO/YidkVY+J35v8vQoAMS4rRGA== // Ensure that the generated signature is valid. signatureValidator, err := jwt.NewECDSASHASignatureValidator(&key.PublicKey) require.NoError(t, err) - require.True(t, signatureValidator.ValidateSignature("ES256", headerAndPayload, signature)) + require.True(t, signatureValidator.ValidateSignature("ES256", "", headerAndPayload, signature)) }) } diff --git a/pkg/jwt/ecdsa_sha_signature_validator.go b/pkg/jwt/ecdsa_sha_signature_validator.go index 8213e5c8..dfb8a07a 100644 --- a/pkg/jwt/ecdsa_sha_signature_validator.go +++ b/pkg/jwt/ecdsa_sha_signature_validator.go @@ -60,7 +60,7 @@ func NewECDSASHASignatureValidator(publicKey *ecdsa.PublicKey) (SignatureValidat }, nil } -func (sv *ecdsaSHASignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool { +func (sv *ecdsaSHASignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool { p := sv.parameters if algorithm != p.algorithm || len(signature) != 2*p.keySizeBytes { return false diff --git a/pkg/jwt/ecdsa_sha_signature_validator_test.go b/pkg/jwt/ecdsa_sha_signature_validator_test.go index be3e2035..443a5c0d 100644 --- a/pkg/jwt/ecdsa_sha_signature_validator_test.go +++ b/pkg/jwt/ecdsa_sha_signature_validator_test.go @@ -25,6 +25,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg== // Algorithm "HS256" uses HMAC; not ECDSA. Validation should fail. require.False(t, signatureValidator.ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba, 
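Review bot: The new parameter is named `keyId`, which breaks the initialism convention the package already follows (`KeyID`), and it is unused in this method, so the signature should read `ValidateSignature(algorithm, _, headerAndPayload string, signature []byte) bool` or at least use `keyID`. The same naming applies to the ed25519, HMAC and RSA validator hunks, the `SignatureValidator` interface and the new `jwksSignatureValidator`. A one-line comment `// keyID is ignored: this validator holds exactly one key.` would make the discarded argument read as deliberate rather than accidental. The method body continues past the hunk.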
@@ -36,6 +37,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg== // ECDSA with SHA-256, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "ES256", + "", "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -51,6 +53,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg== })) require.False(t, signatureValidator.ValidateSignature( "ES256", + "", "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -82,6 +85,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii // 256-bit signatures. require.False(t, signatureValidator.ValidateSignature( "ES256", + "", "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -99,6 +103,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii // ECDSA with SHA-384, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "ES384", + "", "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -118,6 +123,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii })) require.False(t, signatureValidator.ValidateSignature( "ES384", + "", "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -153,6 +159,7 @@ ihmzIyMgyPuqu8IuyzMNx4G2jpoCKhRu9qPCQUMGDeCG1x3/n/OgkWNQANsB82x7 // ECDSA with SHA-512, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "ES512", + "", "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJmb28iOiJiYXIifQ", []byte{ // R. 
@@ -178,6 +185,7 @@ ihmzIyMgyPuqu8IuyzMNx4G2jpoCKhRu9qPCQUMGDeCG1x3/n/OgkWNQANsB82x7 })) require.False(t, signatureValidator.ValidateSignature( "ES512", + "", "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJmb28iOiJiYXIifQ", []byte{ // R. diff --git a/pkg/jwt/ed25519_signature_validator.go b/pkg/jwt/ed25519_signature_validator.go index 662a4f37..776ce3e9 100644 --- a/pkg/jwt/ed25519_signature_validator.go +++ b/pkg/jwt/ed25519_signature_validator.go @@ -22,7 +22,7 @@ func NewEd25519SignatureValidator(publicKey ed25519.PublicKey) SignatureValidato } } -func (sv *ed25519SignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool { +func (sv *ed25519SignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool { if algorithm != "EdDSA" { return false } diff --git a/pkg/jwt/ed25519_signature_validator_test.go b/pkg/jwt/ed25519_signature_validator_test.go index ca269b05..f8f179a3 100644 --- a/pkg/jwt/ed25519_signature_validator_test.go +++ b/pkg/jwt/ed25519_signature_validator_test.go @@ -22,6 +22,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc= // Algorithm "HS256" uses HMAC; not Ed25519. Validation should fail. require.False(t, signatureValidator.ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba, @@ -33,6 +34,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc= // Ed25519, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "EdDSA", + "", "eyJhbGciOiJFZERTQSJ9.eyJpZCI6MX0", []byte{ 0x44, 0x0c, 0x41, 0x01, 0x03, 0xc5, 0x3b, 0x1a, @@ -46,6 +48,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc= })) require.False(t, signatureValidator.ValidateSignature( "EdDSA", + "", "eyJhbGciOiJFZERTQSJ9.eyJpZCI6MX0", []byte{ 0x04, 0x16, 0xeb, 0x4f, 0xfc, 0x5d, 0x6f, 0x39, 
diff --git a/pkg/jwt/hmac_sha_signature_validator.go b/pkg/jwt/hmac_sha_signature_validator.go index 2d648da8..98b6c7bf 100644 --- a/pkg/jwt/hmac_sha_signature_validator.go +++ b/pkg/jwt/hmac_sha_signature_validator.go @@ -26,7 +26,7 @@ func NewHMACSHASignatureValidator(key []byte) SignatureValidator { } } -func (sv *hmacSHASignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool { +func (sv *hmacSHASignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool { // Determine the hashing function that was used to create the // signature. var hashFunc func() hash.Hash diff --git a/pkg/jwt/hmac_sha_signature_validator_test.go b/pkg/jwt/hmac_sha_signature_validator_test.go index 30a2efa7..5d2b21eb 100644 --- a/pkg/jwt/hmac_sha_signature_validator_test.go +++ b/pkg/jwt/hmac_sha_signature_validator_test.go @@ -13,6 +13,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { // Algorithm "RS256" uses RSA; not HMAC. Validation should fail. require.False(t, signatureValidator.ValidateSignature( "RS256", + "", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x34, 0x75, 0x5a, 0x61, 0xed, 0xba, 0x31, 0xbb, 0x4e, @@ -49,6 +50,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { // HMAC with SHA-256, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba, @@ -58,6 +60,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { })) require.False(t, signatureValidator.ValidateSignature( "HS256", + "", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ", []byte{ 0x6d, 0x32, 0xc8, 0x2c, 0x25, 0xce, 0x4d, 0x54, 
@@ -69,6 +72,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { // HMAC with SHA-384, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "HS384", + "", "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x17, 0xf9, 0x9c, 0xc4, 0x9c, 0x91, 0xdf, 0x4e, @@ -80,6 +84,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { })) require.False(t, signatureValidator.ValidateSignature( "HS384", + "", "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0xd9, 0xa6, 0x0a, 0x8f, 0x74, 0xc6, 0xe9, 0x94, @@ -93,6 +98,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { // HMAC with SHA-512, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "HS512", + "", "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0xa7, 0xaa, 0x8f, 0x98, 0x7a, 0xed, 0xfa, 0x02, @@ -106,6 +112,7 @@ func TestHMACSHASignatureValidator(t *testing.T) { })) require.False(t, signatureValidator.ValidateSignature( "HS512", + "", "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x9b, 0x19, 0x35, 0xa6, 0xb3, 0xe0, 0x9c, 0x3a, diff --git a/pkg/jwt/rsa_sha_signature_validator.go b/pkg/jwt/rsa_sha_signature_validator.go index 2575e13b..6f5748c5 100644 --- a/pkg/jwt/rsa_sha_signature_validator.go +++ b/pkg/jwt/rsa_sha_signature_validator.go 
@@ -27,7 +27,7 @@ func NewRSASHASignatureValidator(key *rsa.PublicKey) SignatureValidator { } } -func (sv *rsaSHASignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool { +func (sv *rsaSHASignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool { var hashType crypto.Hash var hasher hash.Hash switch algorithm { diff --git a/pkg/jwt/rsa_sha_signature_validator_test.go b/pkg/jwt/rsa_sha_signature_validator_test.go index 6f11e8c3..5d0f972b 100644 --- a/pkg/jwt/rsa_sha_signature_validator_test.go +++ b/pkg/jwt/rsa_sha_signature_validator_test.go @@ -28,6 +28,7 @@ mwIDAQAB // Algorithm "ES256" uses ECDSA; not RSA. Validation should fail. require.False(t, signatureValidator.ValidateSignature( "ES256", + "", "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ // R. @@ -45,6 +46,7 @@ mwIDAQAB // RSA with SHA-256, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "RS256", + "", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x34, 0x75, 0x5a, 0x61, 0xed, 0xba, 0x31, 0xbb, @@ -82,6 +84,7 @@ mwIDAQAB })) require.False(t, signatureValidator.ValidateSignature( "RS256", + "", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x25, 0x7e, 0x03, 0x4d, 0x2a, 0x4d, 0x94, 0xfc, @@ -121,6 +124,7 @@ mwIDAQAB // RSA with SHA-384, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "RS384", + "", "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0xa3, 0x58, 0x42, 0xd7, 0x16, 0x1b, 0x26, 0x89, 
@@ -158,6 +162,7 @@ mwIDAQAB })) require.False(t, signatureValidator.ValidateSignature( "RS384", + "", "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x86, 0x0d, 0x70, 0xc5, 0x6d, 0x52, 0x1c, 0xa2, @@ -197,6 +202,7 @@ mwIDAQAB // RSA with SHA-512, both with a valid and invalid signature. require.True(t, signatureValidator.ValidateSignature( "RS512", + "", "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x8d, 0x85, 0xb4, 0xe3, 0x32, 0xc3, 0x1d, 0xf4, @@ -234,6 +240,7 @@ mwIDAQAB })) require.False(t, signatureValidator.ValidateSignature( "RS512", + "", "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0", []byte{ 0x18, 0x6a, 0x31, 0xc7, 0xab, 0xea, 0x89, 0x80, diff --git a/pkg/jwt/signature_validator.go b/pkg/jwt/signature_validator.go index 5f1aab4c..df0e0917 100644 --- a/pkg/jwt/signature_validator.go +++ b/pkg/jwt/signature_validator.go @@ -4,5 +4,5 @@ package jwt // of a JWT. Implementations of this interface may use HMAC, ECDSA or // other algorithms. type SignatureValidator interface { - ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool + ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool } From f8145ba80848a7304e2588d697b7dcf2e9646856 Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Fri, 22 Sep 2023 18:56:20 +0000 Subject: [PATCH 5/9] Add JWKSSignatureValidator --- pkg/jwt/BUILD.bazel | 4 ++ pkg/jwt/jwks_signature_validator.go | 68 ++++++++++++++++++++++++ pkg/jwt/jwks_signature_validator_test.go | 26 +++++++++ 3 files changed, 98 insertions(+) create mode 100644 pkg/jwt/jwks_signature_validator.go create mode 100644 pkg/jwt/jwks_signature_validator_test.go 
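Review bot: The interface comment above `ValidateSignature` is left unchanged and says nothing about what `keyId` is or what an implementation is expected to do with it, so the single-key validators silently ignoring it reads like a bug. Extend the comment with `// keyId is the token's "kid" header ("" when absent). It is untrusted input and may only be used to select a candidate key; implementations holding a single key ignore it.`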
diff --git a/pkg/jwt/BUILD.bazel b/pkg/jwt/BUILD.bazel index 05f22ba9..d70499ec 100644 --- a/pkg/jwt/BUILD.bazel +++ b/pkg/jwt/BUILD.bazel @@ -10,6 +10,7 @@ go_library( "ed25519_signature_validator.go", "generate_authorization_header.go", "hmac_sha_signature_validator.go", + "jwks_signature_validator.go", "rsa_sha_signature_validator.go", "signature_generator.go", "signature_validator.go", @@ -23,9 +24,11 @@ go_library( "//pkg/proto/configuration/jwt", "//pkg/random", "//pkg/util", + "@com_github_go_jose_go_jose_v3//:go-jose", "@com_github_jmespath_go_jmespath//:go-jmespath", "@org_golang_google_grpc//codes", "@org_golang_google_grpc//status", + "@org_golang_google_protobuf//encoding/protojson", ], ) @@ -38,6 +41,7 @@ go_test( "ed25519_signature_validator_test.go", "generate_authorization_header_test.go", "hmac_sha_signature_validator_test.go", + "jwks_signature_validator_test.go", "rsa_sha_signature_validator_test.go", ], deps = [ diff --git a/pkg/jwt/jwks_signature_validator.go b/pkg/jwt/jwks_signature_validator.go new file mode 100644 index 00000000..b3b3e2e2 --- /dev/null +++ b/pkg/jwt/jwks_signature_validator.go 
@@ -0,0 +1,68 @@
+package jwt
+
+import (
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/rsa"
+ "encoding/json"
+ "reflect"
+
+ jose "github.com/go-jose/go-jose/v3"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+type jwksSignatureValidator struct {
+ validators map[string]SignatureValidator
+}
+
+// FIXME
+// NewJWKSignatureValidator creates a SignatureValidator...
+func NewJWKSSignatureValidator(jwks []byte) (SignatureValidator, error) {
+ validators := make(map[string]SignatureValidator)
+
+ var keySet jose.JSONWebKeySet
+ err := json.Unmarshal(jwks, &keySet)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, k := range keySet.Keys {
+ if !k.Valid() {
+ // Should this be fatal?
+ continue
+ }
+
+ switch key := k.Key.(type) {
+ case *ecdsa.PublicKey:
+ val, err := NewECDSASHASignatureValidator(key)
+ if err != nil {
+ return nil, err
+ }
+ validators[k.KeyID] = val
+ case ed25519.PublicKey:
+ validators[k.KeyID] = NewEd25519SignatureValidator(key)
+ case *rsa.PublicKey:
+ validators[k.KeyID] = NewRSASHASignatureValidator(key)
+ case []byte:
+ validators[k.KeyID] = NewHMACSHASignatureValidator(key)
+ default:
+ keyType := reflect.TypeOf(k.Key)
+ return nil, status.Errorf(codes.InvalidArgument, "Unsupported public key type: %s/%s", keyType.PkgPath(), keyType.Name())
+ }
+ }
+
+ return &jwksSignatureValidator{
+ validators: validators,
+ }, nil
+}
+
+func (sv *jwksSignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool {
+ val, ok := sv.validators[keyId]
+ if !ok {
+ return false
+ }
+
+ return val.ValidateSignature(algorithm, keyId, headerAndPayload, signature)
+}
diff --git a/pkg/jwt/jwks_signature_validator_test.go b/pkg/jwt/jwks_signature_validator_test.go
new file mode 100644
index 00000000..5e32cdeb
--- /dev/null
+++ b/pkg/jwt/jwks_signature_validator_test.go
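Review bot: Keys that fail `k.Valid()` are silently skipped and two keys sharing a `kid` (including the empty string for keys that have none) overwrite each other in `validators`, so a misconfigured key set degrades into a validator that rejects every token with no diagnostic; both cases should return `codes.InvalidArgument`, e.g. `if _, dup := validators[k.KeyID]; dup { return nil, status.Errorf(codes.InvalidArgument, "Duplicate key ID %q", k.KeyID) }`. The JWK's `use` and `alg` members are never read, so a key published with `"use": "enc"` is accepted for signature verification and a key restricted to `"alg": "RS256"` verifies whatever algorithms its per-key validator supports; at least `use` should be checked against `"sig"`. The `json.Unmarshal` error is returned bare while the rest of the function uses gRPC status errors; `util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to parse JWKS")` keeps the package's error style. The doc comment still reads `// FIXME` and names the function `NewJWKSignatureValidator`; it should be `// NewJWKSSignatureValidator creates a SignatureValidator backed by a JSON Web Key Set, selecting the key to verify with by the token's "kid" header.`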
@@ -0,0 +1,26 @@ +package jwt_test + +import ( + "testing" + + "github.com/buildbarn/bb-storage/pkg/jwt" + "github.com/stretchr/testify/require" +) + +func TestJWKSSignatureValidatorCreation(t *testing.T) { + var key = []byte(`{ + "keys": [ + { + "kty": "RSA", + "n": "u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw", + "e": "AQAB", + "alg": "RS256", + "kid": "7c0b6913fe13820a333399ace426e70535a9a0bf", + "use": "sig" + } + ] + }`) + + _, err := jwt.NewJWKSSignatureValidator(key) + require.NoError(t, err) +} \ No newline at end of file From 7a89673c30b3afc5ad4fa9689fe52e7357bd80d8 Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Fri, 22 Sep 2023 18:59:20 +0000 Subject: [PATCH 6/9] Use JWKSSignatureValidator --- pkg/jwt/configuration.go | 50 ++++++++++++---------------------------- 1 file changed, 15 insertions(+), 35 deletions(-) diff --git a/pkg/jwt/configuration.go b/pkg/jwt/configuration.go index 0a896cda..06cabca9 100644 --- a/pkg/jwt/configuration.go +++ b/pkg/jwt/configuration.go @@ -1,13 +1,6 @@ package jwt import ( - "crypto/ecdsa" - "crypto/ed25519" - "crypto/rsa" - "crypto/x509" - "encoding/pem" - "reflect" - "github.com/buildbarn/bb-storage/pkg/clock" "github.com/buildbarn/bb-storage/pkg/eviction" configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt" 
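Review bot: `TestJWKSSignatureValidatorCreation` only asserts that construction succeeds; nothing exercises `ValidateSignature`, so the `kid` lookup and the delegation to the per-key validator are untested. Add a case calling `ValidateSignature("RS256", "unknown", ...)` that expects `false`, and one using the configured `kid` that expects the underlying RSA validator's verdict on a known-good signature. A further case with a malformed key set (for example a key with `"n"` left out) would pin down whether invalid keys are meant to be skipped or rejected, which the implementation currently leaves as an open question.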
@@ -16,44 +9,31 @@ import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" + "google.golang.org/protobuf/encoding/protojson" ) // NewAuthorizationHeaderParserFromConfiguration creates a new HTTP // "Authorization" header parser based on options stored in a // configuration file. func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration) (*AuthorizationHeaderParser, error) { - var signatureValidator SignatureValidator - switch key := config.Key.(type) { - case *configuration.AuthorizationHeaderParserConfiguration_HmacKey: - signatureValidator = NewHMACSHASignatureValidator(key.HmacKey) - case *configuration.AuthorizationHeaderParserConfiguration_PublicKey: - block, _ := pem.Decode([]byte(key.PublicKey)) - if block == nil { - return nil, status.Error(codes.InvalidArgument, "Public key does not use the PEM format") - } - parsedKey, err := x509.ParsePKIXPublicKey(block.Bytes) - if err != nil { - return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to parse public key") - } - switch convertedKey := parsedKey.(type) { - case *ecdsa.PublicKey: - var err error - signatureValidator, err = NewECDSASHASignatureValidator(convertedKey) - if err != nil { - return nil, err - } - case ed25519.PublicKey: - signatureValidator = NewEd25519SignatureValidator(convertedKey) - case *rsa.PublicKey: - signatureValidator = NewRSASHASignatureValidator(convertedKey) - default: - keyType := reflect.TypeOf(parsedKey) - return nil, status.Errorf(codes.InvalidArgument, "Unsupported public key type: %s/%s", keyType.PkgPath(), keyType.Name()) - } + var keySet *configuration.JSONWebKeySet + + switch key := config.Jwks.(type) { + case *configuration.AuthorizationHeaderParserConfiguration_JwksInline: + keySet = key.JwksInline + case *configuration.AuthorizationHeaderParserConfiguration_JwksPath: + // FIXME: Implement reading this from a file default: return nil, status.Error(codes.InvalidArgument, "No key type 
provided") } + messageJSON, err := protojson.Marshal(keySet) + if err != nil { + return nil, util.StatusWrap(err, "Failed to convert JWKS to JSON") + } + + signatureValidator, err := NewJWKSSignatureValidator(messageJSON) + evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy) if err != nil { return nil, util.StatusWrap(err, "Failed to create eviction set") From 439a809ccc7b5e7d154cd8fa6521937c00587b7c Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Fri, 22 Sep 2023 20:17:18 +0000 Subject: [PATCH 7/9] Read from file --- pkg/jwt/configuration.go | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/pkg/jwt/configuration.go b/pkg/jwt/configuration.go index 06cabca9..a3122a43 100644 --- a/pkg/jwt/configuration.go +++ b/pkg/jwt/configuration.go @@ -1,6 +1,8 @@ package jwt import ( + "os" + "github.com/buildbarn/bb-storage/pkg/clock" "github.com/buildbarn/bb-storage/pkg/eviction" configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt" 
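Review bot: The error returned by `NewJWKSSignatureValidator(messageJSON)` is never checked: the next statement `evictionSet, err := ...` reuses `err` and overwrites it, so a malformed key set yields a nil `signatureValidator` that is handed on to the parser. Insert `if err != nil { return nil, util.StatusWrap(err, "Failed to create signature validator") }` directly after the call. The same gap is present in the PATCH 7/9 hunk of this file and is only closed in PATCH 9/9 of this series. The `JwksPath` branch also leaves `keySet` nil and then marshals it, which should be an `InvalidArgument` error until file loading is implemented. `NewAuthorizationHeaderParserFromConfiguration` continues past the hunk.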
@@ -16,23 +18,25 @@ import ( // "Authorization" header parser based on options stored in a // configuration file. func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration) (*AuthorizationHeaderParser, error) { - var keySet *configuration.JSONWebKeySet + var err error + var jwksJson []byte switch key := config.Jwks.(type) { case *configuration.AuthorizationHeaderParserConfiguration_JwksInline: - keySet = key.JwksInline + jwksJson, err = protojson.Marshal(key.JwksInline) + if err != nil { + return nil, util.StatusWrap(err, "Failed to parse inline JWKS") + } case *configuration.AuthorizationHeaderParserConfiguration_JwksPath: - // FIXME: Implement reading this from a file + jwksJson, err = os.ReadFile(key.JwksPath) + if err != nil { + return nil, util.StatusWrap(err, "Failed to read JWKS file") + } default: return nil, status.Error(codes.InvalidArgument, "No key type provided") } - messageJSON, err := protojson.Marshal(keySet) - if err != nil { - return nil, util.StatusWrap(err, "Failed to convert JWKS to JSON") - } - - signatureValidator, err := NewJWKSSignatureValidator(messageJSON) + signatureValidator, err := NewJWKSSignatureValidator(jwksJson) evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy) if err != nil { From 6c74f20b6a2f9b1d30685f6b8b978e2799726f86 Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Thu, 5 Oct 2023 12:56:41 +0200 Subject: [PATCH 8/9] Lint --- go_dependencies.bzl | 1 - pkg/jwt/jwks_signature_validator_test.go | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/go_dependencies.bzl b/go_dependencies.bzl index 1b9ac1eb..4b66537c 100644 --- a/go_dependencies.bzl +++ b/go_dependencies.bzl @@ -255,7 +255,6 @@ def go_dependencies(): sum = "h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=", version = "v3.0.0", ) - go_repository( name = "com_github_go_kit_log", importpath = "github.com/go-kit/log", 
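Review bot: `jwksJson` should be `jwksJSON` per the Go initialism convention, and the message `"Failed to parse inline JWKS"` is attached to a `protojson.Marshal` call that serializes rather than parses, so `"Failed to serialize inline JWKS"` describes the failure correctly. The `key.JwksPath` branch is a plain `os.ReadFile` in the constructor, so a comment saying that the file is trusted configuration and appears to be read once at construction (no reload on key rotation) would set operator expectations. The function continues past the hunk.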
diff --git a/pkg/jwt/jwks_signature_validator_test.go b/pkg/jwt/jwks_signature_validator_test.go index 5e32cdeb..0541d4df 100644 --- a/pkg/jwt/jwks_signature_validator_test.go +++ b/pkg/jwt/jwks_signature_validator_test.go @@ -8,7 +8,7 @@ import ( ) func TestJWKSSignatureValidatorCreation(t *testing.T) { - var key = []byte(`{ + key := []byte(`{ "keys": [ { "kty": "RSA", @@ -23,4 +23,4 @@ func TestJWKSSignatureValidatorCreation(t *testing.T) { _, err := jwt.NewJWKSSignatureValidator(key) require.NoError(t, err) -} \ No newline at end of file +} From 1827c5bb5348250f5513fb4e28dc55c8d86c6f54 Mon Sep 17 00:00:00 2001 From: Morten Mjelva Date: Thu, 5 Oct 2023 13:29:57 +0200 Subject: [PATCH 9/9] Remove JWKS file option --- pkg/jwt/configuration.go | 23 +- pkg/proto/configuration/jwt/BUILD.bazel | 5 +- pkg/proto/configuration/jwt/jwt.pb.go | 377 ++++-------------------- pkg/proto/configuration/jwt/jwt.proto | 72 +---- 4 files changed, 81 insertions(+), 396 deletions(-) diff --git a/pkg/jwt/configuration.go b/pkg/jwt/configuration.go index a3122a43..ffb6bde1 100644 --- a/pkg/jwt/configuration.go +++ b/pkg/jwt/configuration.go @@ -1,16 +1,12 @@ package jwt import ( - "os" - "github.com/buildbarn/bb-storage/pkg/clock" "github.com/buildbarn/bb-storage/pkg/eviction" configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt" "github.com/buildbarn/bb-storage/pkg/util" "github.com/jmespath/go-jmespath" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" "google.golang.org/protobuf/encoding/protojson" ) 
@@ -21,22 +17,15 @@ func NewAuthorizationHeaderParserFromConfiguration(config *configuration.Authori var err error var jwksJson []byte - switch key := config.Jwks.(type) { - case *configuration.AuthorizationHeaderParserConfiguration_JwksInline: - jwksJson, err = protojson.Marshal(key.JwksInline) - if err != nil { - return nil, util.StatusWrap(err, "Failed to parse inline JWKS") - } - case *configuration.AuthorizationHeaderParserConfiguration_JwksPath: - jwksJson, err = os.ReadFile(key.JwksPath) - if err != nil { - return nil, util.StatusWrap(err, "Failed to read JWKS file") - } - default: - return nil, status.Error(codes.InvalidArgument, "No key type provided") + jwksJson, err = protojson.Marshal(config.JwksInline) + if err != nil { + return nil, util.StatusWrap(err, "Failed to parse inline JWKS") } signatureValidator, err := NewJWKSSignatureValidator(jwksJson) + if err != nil { + return nil, util.StatusWrap(err, "Failed to create signature validator") + } evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy) if err != nil { diff --git a/pkg/proto/configuration/jwt/BUILD.bazel b/pkg/proto/configuration/jwt/BUILD.bazel index 72329987..08c0a5a8 100644 --- a/pkg/proto/configuration/jwt/BUILD.bazel +++ b/pkg/proto/configuration/jwt/BUILD.bazel @@ -6,7 +6,10 @@ proto_library( name = "jwt_proto", srcs = ["jwt.proto"], visibility = ["//visibility:public"], - deps = ["//pkg/proto/configuration/eviction:eviction_proto"], + deps = [ + "//pkg/proto/configuration/eviction:eviction_proto", + "@com_google_protobuf//:struct_proto", + ], ) go_proto_library( diff --git a/pkg/proto/configuration/jwt/jwt.pb.go b/pkg/proto/configuration/jwt/jwt.pb.go index 53ffd1f0..b530d92f 100644 --- a/pkg/proto/configuration/jwt/jwt.pb.go +++ b/pkg/proto/configuration/jwt/jwt.pb.go 
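Review bot: `config.JwksInline` is now a plain message field with no presence check, so a configuration that omits it reaches `protojson.Marshal` with a nil `*structpb.Struct`; as far as I can tell that marshals to an empty object and yields a validator with no keys, which rejects every token without any hint at the cause. Guard it first, e.g. `if config.JwksInline == nil { return nil, status.Error(codes.InvalidArgument, "No JWKS provided") }` (the preceding hunk of this commit drops the `codes`/`status` imports, so they would need to come back). With the switch gone, the `var err error` / `var jwksJson []byte` predeclarations are dead weight and the two statements collapse to `jwksJSON, err := protojson.Marshal(config.JwksInline)`, which also fixes the initialism. The function continues past the hunk.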
@@ -10,6 +10,7 @@ import ( eviction "github.com/buildbarn/bb-storage/pkg/proto/configuration/eviction" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + structpb "google.golang.org/protobuf/types/known/structpb" reflect "reflect" sync "sync" ) 
@@ -21,192 +22,22 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -type JSONWebKey struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Kty string `protobuf:"bytes,1,opt,name=kty,proto3" json:"kty,omitempty"` - Use string `protobuf:"bytes,2,opt,name=use,proto3" json:"use,omitempty"` - Alg string `protobuf:"bytes,3,opt,name=alg,proto3" json:"alg,omitempty"` - Kid string `protobuf:"bytes,4,opt,name=kid,proto3" json:"kid,omitempty"` - Crv string `protobuf:"bytes,5,opt,name=crv,proto3" json:"crv,omitempty"` - X string `protobuf:"bytes,6,opt,name=x,proto3" json:"x,omitempty"` - Y string `protobuf:"bytes,7,opt,name=y,proto3" json:"y,omitempty"` - N string `protobuf:"bytes,8,opt,name=n,proto3" json:"n,omitempty"` - E string `protobuf:"bytes,9,opt,name=e,proto3" json:"e,omitempty"` - K string `protobuf:"bytes,10,opt,name=k,proto3" json:"k,omitempty"` -} - -func (x *JSONWebKey) Reset() { - *x = JSONWebKey{} - if protoimpl.UnsafeEnabled { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *JSONWebKey) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*JSONWebKey) ProtoMessage() {} - -func (x *JSONWebKey) ProtoReflect() protoreflect.Message { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use JSONWebKey.ProtoReflect.Descriptor instead. 
-func (*JSONWebKey) Descriptor() ([]byte, []int) { - return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{0} -} - -func (x *JSONWebKey) GetKty() string { - if x != nil { - return x.Kty - } - return "" -} - -func (x *JSONWebKey) GetUse() string { - if x != nil { - return x.Use - } - return "" -} - -func (x *JSONWebKey) GetAlg() string { - if x != nil { - return x.Alg - } - return "" -} - -func (x *JSONWebKey) GetKid() string { - if x != nil { - return x.Kid - } - return "" -} - -func (x *JSONWebKey) GetCrv() string { - if x != nil { - return x.Crv - } - return "" -} - -func (x *JSONWebKey) GetX() string { - if x != nil { - return x.X - } - return "" -} - -func (x *JSONWebKey) GetY() string { - if x != nil { - return x.Y - } - return "" -} - -func (x *JSONWebKey) GetN() string { - if x != nil { - return x.N - } - return "" -} - -func (x *JSONWebKey) GetE() string { - if x != nil { - return x.E - } - return "" -} - -func (x *JSONWebKey) GetK() string { - if x != nil { - return x.K - } - return "" -} - -type JSONWebKeySet struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Keys []*JSONWebKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"` -} - -func (x *JSONWebKeySet) Reset() { - *x = JSONWebKeySet{} - if protoimpl.UnsafeEnabled { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *JSONWebKeySet) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*JSONWebKeySet) ProtoMessage() {} - -func (x *JSONWebKeySet) ProtoReflect() protoreflect.Message { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use 
JSONWebKeySet.ProtoReflect.Descriptor instead. -func (*JSONWebKeySet) Descriptor() ([]byte, []int) { - return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{1} -} - -func (x *JSONWebKeySet) GetKeys() []*JSONWebKey { - if x != nil { - return x.Keys - } - return nil -} - type AuthorizationHeaderParserConfiguration struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Types that are assignable to Jwks: - // - // *AuthorizationHeaderParserConfiguration_JwksInline - // *AuthorizationHeaderParserConfiguration_JwksPath - Jwks isAuthorizationHeaderParserConfiguration_Jwks `protobuf_oneof:"jwks"` - MaximumCacheSize int32 `protobuf:"varint,3,opt,name=maximum_cache_size,json=maximumCacheSize,proto3" json:"maximum_cache_size,omitempty"` - CacheReplacementPolicy eviction.CacheReplacementPolicy `protobuf:"varint,4,opt,name=cache_replacement_policy,json=cacheReplacementPolicy,proto3,enum=buildbarn.configuration.eviction.CacheReplacementPolicy" json:"cache_replacement_policy,omitempty"` - ClaimsValidationJmespathExpression string `protobuf:"bytes,5,opt,name=claims_validation_jmespath_expression,json=claimsValidationJmespathExpression,proto3" json:"claims_validation_jmespath_expression,omitempty"` - MetadataExtractionJmespathExpression string `protobuf:"bytes,6,opt,name=metadata_extraction_jmespath_expression,json=metadataExtractionJmespathExpression,proto3" json:"metadata_extraction_jmespath_expression,omitempty"` + MaximumCacheSize int32 `protobuf:"varint,3,opt,name=maximum_cache_size,json=maximumCacheSize,proto3" json:"maximum_cache_size,omitempty"` + CacheReplacementPolicy eviction.CacheReplacementPolicy `protobuf:"varint,4,opt,name=cache_replacement_policy,json=cacheReplacementPolicy,proto3,enum=buildbarn.configuration.eviction.CacheReplacementPolicy" json:"cache_replacement_policy,omitempty"` + ClaimsValidationJmespathExpression string 
`protobuf:"bytes,5,opt,name=claims_validation_jmespath_expression,json=claimsValidationJmespathExpression,proto3" json:"claims_validation_jmespath_expression,omitempty"` + MetadataExtractionJmespathExpression string `protobuf:"bytes,6,opt,name=metadata_extraction_jmespath_expression,json=metadataExtractionJmespathExpression,proto3" json:"metadata_extraction_jmespath_expression,omitempty"` + JwksInline *structpb.Struct `protobuf:"bytes,7,opt,name=jwks_inline,json=jwksInline,proto3" json:"jwks_inline,omitempty"` } func (x *AuthorizationHeaderParserConfiguration) Reset() { *x = AuthorizationHeaderParserConfiguration{} if protoimpl.UnsafeEnabled { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2] + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -219,7 +50,7 @@ func (x *AuthorizationHeaderParserConfiguration) String() string { func (*AuthorizationHeaderParserConfiguration) ProtoMessage() {} func (x *AuthorizationHeaderParserConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2] + mi := &file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -232,28 +63,7 @@ func (x *AuthorizationHeaderParserConfiguration) ProtoReflect() protoreflect.Mes // Deprecated: Use AuthorizationHeaderParserConfiguration.ProtoReflect.Descriptor instead. func (*AuthorizationHeaderParserConfiguration) Descriptor() ([]byte, []int) { - return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{2} -} - -func (m *AuthorizationHeaderParserConfiguration) GetJwks() isAuthorizationHeaderParserConfiguration_Jwks { - if m != nil { - return m.Jwks - } - return nil -} - -func (x *AuthorizationHeaderParserConfiguration) GetJwksInline() *JSONWebKeySet { - if x, ok := x.GetJwks().(*AuthorizationHeaderParserConfiguration_JwksInline); ok { - return x.JwksInline - } - return nil -} - -func (x *AuthorizationHeaderParserConfiguration) GetJwksPath() string { - if x, ok := x.GetJwks().(*AuthorizationHeaderParserConfiguration_JwksPath); ok { - return x.JwksPath - } - return "" + return file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP(), []int{0} } func (x *AuthorizationHeaderParserConfiguration) GetMaximumCacheSize() int32 { 
@@ -284,22 +94,11 @@ func (x *AuthorizationHeaderParserConfiguration) GetMetadataExtractionJmespathEx return "" } -type isAuthorizationHeaderParserConfiguration_Jwks interface { - isAuthorizationHeaderParserConfiguration_Jwks() -} - -type AuthorizationHeaderParserConfiguration_JwksInline struct { - JwksInline *JSONWebKeySet `protobuf:"bytes,7,opt,name=jwks_inline,json=jwksInline,proto3,oneof"` -} - -type AuthorizationHeaderParserConfiguration_JwksPath struct { - JwksPath string `protobuf:"bytes,8,opt,name=jwks_path,json=jwksPath,proto3,oneof"` -} - -func (*AuthorizationHeaderParserConfiguration_JwksInline) isAuthorizationHeaderParserConfiguration_Jwks() { -} - -func (*AuthorizationHeaderParserConfiguration_JwksPath) isAuthorizationHeaderParserConfiguration_Jwks() { +func (x *AuthorizationHeaderParserConfiguration) GetJwksInline() *structpb.Struct { + if x != nil { + return x.JwksInline + } + return nil } var File_pkg_proto_configuration_jwt_jwt_proto protoreflect.FileDescriptor 
@@ -309,62 +108,44 @@ var file_pkg_proto_configuration_jwt_jwt_proto_rawDesc = []byte{ 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x77, 0x74, 0x2f, 0x6a, 0x77, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x2e, 0x6a, 0x77, 0x74, 0x1a, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, - 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, - 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xac, 0x01, 0x0a, 0x0a, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, - 0x62, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x03, 0x6b, 0x74, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x73, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, - 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, - 0x63, 0x72, 0x76, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x63, 0x72, 0x76, 0x12, 0x0c, - 0x0a, 0x01, 0x78, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x78, 0x12, 0x0c, 0x0a, 0x01, - 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x79, 0x12, 0x0c, 0x0a, 0x01, 0x6e, 0x18, - 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x01, 0x6e, 0x12, 0x0c, 0x0a, 0x01, 0x65, 0x18, 0x09, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x01, 0x65, 0x12, 0x0c, 0x0a, 0x01, 0x6b, 0x18, 0x0a, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x01, 0x6b, 0x22, 0x4c, 0x0a, 0x0d, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, - 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, 0x3b, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x62, 0x75, 0x69, 
0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, - 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x6a, 0x77, - 0x74, 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, - 0x79, 0x73, 0x22, 0xf6, 0x03, 0x0a, 0x26, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x50, 0x61, 0x72, 0x73, 0x65, 0x72, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, - 0x0b, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x07, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x6a, 0x77, 0x74, - 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, - 0x52, 0x0a, 0x6a, 0x77, 0x6b, 0x73, 0x49, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x12, 0x1d, 0x0a, 0x09, - 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x08, 0x6a, 0x77, 0x6b, 0x73, 0x50, 0x61, 0x74, 0x68, 0x12, 0x2c, 0x0a, 0x12, 0x6d, - 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, - 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, - 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x72, 0x0a, 0x18, 0x63, 0x61, 0x63, - 0x68, 0x65, 0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x62, 0x75, - 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x43, - 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 
0x50, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x16, 0x63, 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, - 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x51, 0x0a, - 0x25, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x65, 0x78, 0x70, 0x72, - 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x22, 0x63, 0x6c, - 0x61, 0x69, 0x6d, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x12, 0x55, 0x0a, 0x27, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x74, - 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, - 0x5f, 0x65, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x24, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, 0x74, 0x72, 0x61, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x45, 0x78, 0x70, - 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x06, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x4a, - 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x42, 0x3d, 0x5a, 0x3b, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, - 0x61, 0x72, 0x6e, 0x2f, 0x62, 0x62, 0x2d, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f, 0x70, - 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x77, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x2e, 0x6a, 0x77, 0x74, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x1a, 
0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, 0x69, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x22, 0xba, 0x03, 0x0a, 0x26, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x50, 0x61, 0x72, 0x73, 0x65, + 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2c, + 0x0a, 0x12, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, + 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x69, + 0x6d, 0x75, 0x6d, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x72, 0x0a, 0x18, + 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, + 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x65, 0x76, 0x69, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x2e, 0x43, 0x61, 0x63, 0x68, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x16, 0x63, 0x61, 0x63, 0x68, 0x65, 0x52, + 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x12, 0x51, 0x0a, 0x25, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x65, + 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x22, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, 
0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, + 0x69, 0x6f, 0x6e, 0x12, 0x55, 0x0a, 0x27, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, + 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6a, 0x6d, 0x65, 0x73, 0x70, + 0x61, 0x74, 0x68, 0x5f, 0x65, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x24, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, + 0x74, 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x74, 0x68, + 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x0b, 0x6a, 0x77, + 0x6b, 0x73, 0x5f, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x0a, 0x6a, 0x77, 0x6b, 0x73, 0x49, 0x6e, + 0x6c, 0x69, 0x6e, 0x65, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, + 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, + 0x75, 0x69, 0x6c, 0x64, 0x62, 0x61, 0x72, 0x6e, 0x2f, 0x62, 0x62, 0x2d, 0x73, 0x74, 0x6f, 0x72, + 0x61, 0x67, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x77, 0x74, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -379,22 +160,20 @@ func file_pkg_proto_configuration_jwt_jwt_proto_rawDescGZIP() []byte { return file_pkg_proto_configuration_jwt_jwt_proto_rawDescData } -var file_pkg_proto_configuration_jwt_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_pkg_proto_configuration_jwt_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 1) var file_pkg_proto_configuration_jwt_jwt_proto_goTypes = []interface{}{ - (*JSONWebKey)(nil), // 0: buildbarn.configuration.jwt.JSONWebKey - (*JSONWebKeySet)(nil), // 1: buildbarn.configuration.jwt.JSONWebKeySet - (*AuthorizationHeaderParserConfiguration)(nil), // 2: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration - (eviction.CacheReplacementPolicy)(0), // 3: buildbarn.configuration.eviction.CacheReplacementPolicy + (*AuthorizationHeaderParserConfiguration)(nil), // 0: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration + (eviction.CacheReplacementPolicy)(0), // 1: buildbarn.configuration.eviction.CacheReplacementPolicy + (*structpb.Struct)(nil), // 2: google.protobuf.Struct } var file_pkg_proto_configuration_jwt_jwt_proto_depIdxs = []int32{ - 0, // 0: buildbarn.configuration.jwt.JSONWebKeySet.keys:type_name -> buildbarn.configuration.jwt.JSONWebKey - 1, // 1: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.jwks_inline:type_name -> buildbarn.configuration.jwt.JSONWebKeySet - 3, // 2: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.cache_replacement_policy:type_name -> buildbarn.configuration.eviction.CacheReplacementPolicy - 3, // [3:3] is the sub-list for method output_type - 3, // [3:3] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 1, // 0: buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.cache_replacement_policy:type_name -> buildbarn.configuration.eviction.CacheReplacementPolicy + 2, // 1: 
buildbarn.configuration.jwt.AuthorizationHeaderParserConfiguration.jwks_inline:type_name -> google.protobuf.Struct + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name } func init() { file_pkg_proto_configuration_jwt_jwt_proto_init() } @@ -404,30 +183,6 @@ func file_pkg_proto_configuration_jwt_jwt_proto_init() { } if !protoimpl.UnsafeEnabled { file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JSONWebKey); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JSONWebKeySet); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AuthorizationHeaderParserConfiguration); i { case 0: return &v.state @@ -440,17 +195,13 @@ func file_pkg_proto_configuration_jwt_jwt_proto_init() { } } } - file_pkg_proto_configuration_jwt_jwt_proto_msgTypes[2].OneofWrappers = []interface{}{ - (*AuthorizationHeaderParserConfiguration_JwksInline)(nil), - (*AuthorizationHeaderParserConfiguration_JwksPath)(nil), - } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_pkg_proto_configuration_jwt_jwt_proto_rawDesc, NumEnums: 0, - NumMessages: 3, + NumMessages: 1, NumExtensions: 0, NumServices: 0, }, diff --git a/pkg/proto/configuration/jwt/jwt.proto b/pkg/proto/configuration/jwt/jwt.proto index a323fb64..ec341d19 100644 
--- a/pkg/proto/configuration/jwt/jwt.proto
+++ b/pkg/proto/configuration/jwt/jwt.proto
@@ -2,81 +2,19 @@ syntax = "proto3"; package buildbarn.configuration.jwt; +import "google/protobuf/struct.proto"; import "pkg/proto/configuration/eviction/eviction.proto"; option go_package = "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt"; -// (JSON Web Key) [https://tools.ietf.org/html/rfc7517] -message JSONWebKey { - // "kty" (Key Type) Parameter - // https://datatracker.ietf.org/doc/html/rfc7517#section-4.1 - string kty = 1; - - // "use" (Public Key Use) Parameter - // https://datatracker.ietf.org/doc/html/rfc7517#section-4.2 - string use = 2; - - // "alg" (Algorithm) Parameter - // https://datatracker.ietf.org/doc/html/rfc7517#section-4.4 - string alg = 3; - - // "kid" (Key ID) Parameter - // https://datatracker.ietf.org/doc/html/rfc7517#section-4.5 - string kid = 4; - - // "crv" (Curve) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.1 - string crv = 5; - - // "x" (X Coordinate) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2 - string x = 6; - - // "y" (X Coordinate) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3 - string y = 7; - - // "n" (Modulus) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.1 - string n = 8; - - // "e" (Exponent) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.2 - string e = 9; - - // "k" (Key Value) Parameter - // https://datatracker.ietf.org/doc/html/rfc7518#section-6.4.1 - string k = 10; -} - -// (JWK Set) [https://tools.ietf.org/html/rfc7517] -message JSONWebKeySet { - // The value of the "keys" parameter is an array of JWK values. By - // default, the order of the JWK values within the array does not imply - // an order of preference among them, although applications of JWK Sets - // can choose to assign a meaning to the order for their purposes, if - // desired. - repeated JSONWebKey keys = 1; -} - message AuthorizationHeaderParserConfiguration { - // Was 'hmac_key'. 
Replaced by 'jwks'. + // Was `hmac_key`, instead use `jwks_inline`. reserved 1; - // Was 'public_key'. Replaced by 'jwks'. + // Was `public_key`, instead use `jwks_inline`. reserved 2; - oneof jwks { - // JSON Web Key Set (JWKS) that contains the public keys that can sign - // accepted JWTs. - JSONWebKeySet jwks_inline = 7; - - // Path to a file containing a JSON Web Key Set (JWKS) that contains the the - // public keys that can sign accepted JWTs. - string jwks_path = 8; - } - // Maximum number of validated tokens to cache in memory. This speeds // up successive requests made with the same token. int32 maximum_cache_size = 3; @@ -132,4 +70,8 @@ message AuthorizationHeaderParserConfiguration { // // `{}` string metadata_extraction_jmespath_expression = 6; + + // JSON Web Key Set (JWKS) that contains the public keys that can sign + // accepted JWTs. + google.protobuf.Struct jwks_inline = 7; }
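Review bot: Dropping the typed `JSONWebKey`/`JSONWebKeySet` messages and the `jwks` oneof in favour of a free-form `google.protobuf.Struct` removes the only schema-level check on the key set, so the `reserved 1;`/`reserved 2;` block in this hunk should also retire the removed `jwks_path` number rather than leave it free for reuse with a different type: `// Was \`jwks_path\`; the key set is now given inline via \`jwks_inline\`.` followed by `reserved 8;`, at least if any build was deployed with the interim field. The removed `jwks_path` was also the only way to keep a symmetric key (the dropped `k` parameter of an `oct` JWK) out of the main configuration file; with this change such material, if used, necessarily lives in the same file as everything else, which is worth stating in the updated `reserved` comments so operators treat the file accordingly. The closing of `message AuthorizationHeaderParserConfiguration` lies outside this hunk.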
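Review bot: The comment on the new `jwks_inline` field says the set holds "public keys that can sign accepted JWTs", but public keys verify signatures rather than produce them, and as the field is now an unvalidated `google.protobuf.Struct` the comment should say what the configuration schema does and does not check. I would replace the two comment lines with `// JSON Web Key Set (JWKS, RFC 7517) holding the keys used to verify the` / `// signatures of accepted JWTs. Being a free-form Struct, its contents are` / `// not validated by the configuration schema.`, and add a further line noting that if a symmetric ("oct") key is included its "k" value is a secret, so the configuration file then needs secret-level protection. Which key types and algorithms the loader actually accepts is not visible here, so the comment should only make claims the loader backs. The enclosing `message AuthorizationHeaderParserConfiguration` starts outside this hunk.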