-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add jwks endpoint key support to auth (#511)
Co-authored-by: Matt Johnson-Pint <mjp@hypermode.com>
- Loading branch information
1 parent
bcbc85c
commit 5f7a1a9
Showing
7 changed files
with
246 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
/* | ||
* Copyright 2024 Hypermode Inc. | ||
* Licensed under the terms of the Apache License, Version 2.0 | ||
* See the LICENSE file that accompanied this code for further details. | ||
* | ||
* SPDX-FileCopyrightText: 2024 Hypermode Inc. <hello@hypermode.com> | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package middleware | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"strconv" | ||
"sync" | ||
"time" | ||
|
||
"github.com/hypermodeinc/modus/runtime/logger" | ||
) | ||
|
||
var ( | ||
globalAuthKeys *AuthKeys | ||
) | ||
|
||
type AuthKeys struct { | ||
pemPublicKeys map[string]any | ||
jwksPublicKeys map[string]any | ||
mu sync.RWMutex | ||
quit chan struct{} | ||
done chan struct{} | ||
} | ||
|
||
func newAuthKeys() *AuthKeys { | ||
return &AuthKeys{ | ||
pemPublicKeys: make(map[string]any), | ||
jwksPublicKeys: make(map[string]any), | ||
quit: make(chan struct{}), | ||
done: make(chan struct{}), | ||
} | ||
} | ||
|
||
func (ak *AuthKeys) setPemPublicKeys(keys map[string]any) { | ||
ak.mu.Lock() | ||
defer ak.mu.Unlock() | ||
ak.pemPublicKeys = keys | ||
} | ||
|
||
func (ak *AuthKeys) setJwksPublicKeys(keys map[string]any) { | ||
ak.mu.Lock() | ||
defer ak.mu.Unlock() | ||
ak.jwksPublicKeys = keys | ||
} | ||
|
||
func (ak *AuthKeys) getPemPublicKeys() map[string]any { | ||
ak.mu.RLock() | ||
defer ak.mu.RUnlock() | ||
return ak.pemPublicKeys | ||
} | ||
|
||
func (ak *AuthKeys) getJwksPublicKeys() map[string]any { | ||
ak.mu.RLock() | ||
defer ak.mu.RUnlock() | ||
return ak.jwksPublicKeys | ||
} | ||
|
||
func getJwksRefreshMinutes(ctx context.Context) int { | ||
refreshTimeStr := os.Getenv("MODUS_JWKS_REFRESH_MINUTES") | ||
if refreshTimeStr == "" { | ||
return 1440 | ||
} | ||
refreshTime, err := strconv.Atoi(refreshTimeStr) | ||
if err != nil { | ||
logger.Warn(ctx).Err(err).Msg("Invalid MODUS_JWKS_REFRESH_MINUTES value. Using default value of 1440 minutes.") | ||
return 1440 | ||
} | ||
return refreshTime | ||
} | ||
|
||
func (ak *AuthKeys) worker(ctx context.Context) { | ||
defer close(ak.done) | ||
timer := time.NewTimer(time.Duration(getJwksRefreshMinutes(ctx)) * time.Minute) | ||
|
||
defer timer.Stop() | ||
for { | ||
select { | ||
case <-timer.C: | ||
// refresh JWKS keys | ||
keysStr := os.Getenv("MODUS_JWKS_ENDPOINTS") | ||
if keysStr != "" { | ||
timer.Reset(time.Duration(getJwksRefreshMinutes(ctx)) * time.Minute) | ||
} else { | ||
keys, err := jwksEndpointsJsonToKeys(ctx, keysStr) | ||
if err != nil { | ||
logger.Error(ctx).Err(err).Msg("Auth JWKS public keys deserializing error") | ||
} else { | ||
ak.setJwksPublicKeys(keys) | ||
} | ||
} | ||
case <-ak.quit: | ||
return | ||
} | ||
} | ||
|
||
} |
Oops, something went wrong.