Skip to content

Commit

Permalink
Merge branch 'main' of github.com:G-Research/astral
Browse files Browse the repository at this point in the history
  • Loading branch information
suprjinx committed Nov 6, 2024
2 parents 0902c95 + 9342477 commit 01dc025
Show file tree
Hide file tree
Showing 15 changed files with 201 additions and 19 deletions.
3 changes: 3 additions & 0 deletions Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ gem "jbuilder"
gem "faraday"
gem "faraday-retry"

# Use with_advisory_lock for multiprocess mutex
gem "with_advisory_lock"

group :development, :test do
# See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
gem "debug", platforms: %i[ mri mswin ], require: "debug/prelude"
Expand Down
4 changes: 4 additions & 0 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -269,6 +269,9 @@ GEM
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
with_advisory_lock (5.1.0)
activerecord (>= 6.1)
zeitwerk (>= 2.6)
zeitwerk (2.7.1)

PLATFORMS
Expand Down Expand Up @@ -304,6 +307,7 @@ DEPENDENCIES
sqlite3 (>= 1.4)
tzinfo-data
vault
with_advisory_lock

BUNDLED WITH
2.5.11
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -201,4 +201,6 @@ the provider settings, so you will need to clear the browser's
* Vault login failed. Expired or missing OAuth state.
```


# Decoding JWKS based tokens
To decode JWKS based tokens, set the astral.yml "jwks_url" parameter to the
jwks endpoint of your auth provider.
3 changes: 2 additions & 1 deletion app/lib/clients/vault/key_value.rb
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ module KeyValue
extend Policy

def kv_read(identity, path)
verify_policy(identity, policy_path(path))
client.kv(kv_mount).read(path)
end

Expand All @@ -14,6 +15,7 @@ def kv_write(identity, path, data)
end

def kv_delete(identity, path)
verify_policy(identity, policy_path(path))
client.logical.delete("#{kv_mount}/data/#{path}")
end

Expand All @@ -33,7 +35,6 @@ def kv_engine_type
"kv-v2"
end


def create_kv_policy(path)
client.sys.put_policy(policy_path(path), kv_policy(path))
end
Expand Down
18 changes: 14 additions & 4 deletions app/lib/clients/vault/policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,20 @@ def rotate_token
def assign_policy(identity, policy_name)
sub = identity.sub
email = identity.email
policies, metadata = get_entity_data(sub)
policies.append(policy_name).uniq!
put_entity(sub, policies, metadata)
put_entity_alias(sub, email, "oidc")
Domain.with_advisory_lock(sub) do
policies, metadata = get_entity_data(sub)
policies.append(policy_name).uniq!
put_entity(sub, policies, metadata)
put_entity_alias(sub, email, "oidc")
end
end

def verify_policy(identity, policy_name)
sub = identity.sub
policies, _ = get_entity_data(sub)
unless policies.any? { |p| p == policy_name }
raise AuthError.new("Policy has not been granted to the identity")
end
end

private
Expand Down
40 changes: 40 additions & 0 deletions app/lib/jwt/jwks_decoder.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
require "open-uri"
module Jwt
class JwksDecoder
def initialize(url)
@url = url
end

def configured?(config)
!@url.nil?
end

# Decode a JWT token signed with JWKS
def decode(token)
jwks = get_jwks_keyset_from_configured_url
jwks = filter_out_non_signing_keys(jwks)
body = JWT.decode(token, nil, true,
algorithms: get_algorithms_from_keyset(jwks),
jwks: jwks)[0]
Identity.new(body)
rescue => e
Rails.logger.warn "Unable to decode token: #{e}"
nil
end

private

def get_jwks_keyset_from_configured_url
jwks_json = URI.open(@url) { |f| f.read }
JWT::JWK::Set.new(JSON.parse(jwks_json))
end

def filter_out_non_signing_keys(jwks)
jwks.filter { |k| k[:use] == "sig" }
end

def get_algorithms_from_keyset(jwks)
jwks.map { |k| k[:alg] }.compact.uniq
end
end
end
20 changes: 20 additions & 0 deletions app/lib/jwt/secret_decoder.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
module Jwt
class SecretDecoder
def initialize(secret)
@secret = secret
end

def configured?(config)
!@secret.nil?
end

def decode(token)
# Decode a JWT access token using the configured base.
body = JWT.decode(token, Config[:jwt_signing_key])[0]
Identity.new(body)
rescue => e
Rails.logger.warn "Unable to decode token: #{e}"
nil
end
end
end
13 changes: 1 addition & 12 deletions app/lib/services/auth.rb
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,11 @@ module Services
class Auth
class << self
def authenticate!(token)
identity = decode(token)
identity = Utils::DecoderFactory.get(Config).decode(token)
raise AuthError unless identity
# TODO verify identity with authority?
identity
end

private

def decode(token)
# Decode a JWT access token using the configured base.
body = JWT.decode(token, Config[:jwt_signing_key])[0]
Identity.new(body)
rescue => e
Rails.logger.warn "Unable to decode token: #{e}"
nil
end
end
end
end
23 changes: 23 additions & 0 deletions app/lib/utils/decoder_factory.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
module Utils
class DecoderFactory
cattr_reader :decoders
class << self
# Any new decoders should be added here:
@@decoders = [ Jwt::JwksDecoder.new(Config[:jwks_url]),
Jwt::SecretDecoder.new(Config[:jwt_signing_key]) ]

def get(config)
configured_decoders = getConfiguredDecoders(config)
if configured_decoders.length != 1
raise "Exactly one decoder must be configured"
end
configured_decoders.first
end

private
def getConfiguredDecoders(config)
decoders.filter { |c| c.configured?(config) }
end
end
end
end
3 changes: 3 additions & 0 deletions config/astral.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ shared:

jwt_signing_key:

# define this to allow jwks decoding of JWT's
jwks_url:

# When using AppRegistry for Domain Ownership information
app_registry_addr:
app_registry_token:
Expand Down
11 changes: 10 additions & 1 deletion test/lib/clients/vault_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -98,14 +98,23 @@ class VaultTest < ActiveSupport::TestCase
entity = @client.read_entity(@identity.sub)
assert_equal "kv_policy/#{path}", entity.data[:policies][0]

# check kv_read denied to other identity
alt_identity = Identity.new
alt_identity.sub = SecureRandom.hex(4)
err = assert_raises { @client.kv_read(alt_identity, path) }
assert_kind_of AuthError, err

# check kv_delete denied to other identity
err = assert_raises { @client.kv_delete(alt_identity, path) }
assert_kind_of AuthError, err

# check kv_delete
del_secret = @client.kv_delete(@identity, path)
assert del_secret
read_secret = @client.kv_read(@identity, path)
assert_nil read_secret
end


test "entity_alias methods" do
# confirm no entity yet
err = assert_raises RuntimeError do
Expand Down
39 changes: 39 additions & 0 deletions test/lib/jwt/jwks_decoder_test.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
require "test_helper"
require "jwt"
require "openssl"
require "json"
require "tempfile"

class JwksDecoderTest < ActiveSupport::TestCase
test ".decode returns correct identity" do
jwk = generate_jwks_signing_key
token = generate_jwks_token(jwk)
keyset_path = generate_jwks_keyset(jwk)

identity = Jwt::JwksDecoder.new(keyset_path).decode(token)
assert_equal "[email protected]", identity.sub
assert_equal "astral", identity.aud
end

private

def generate_jwks_signing_key
optional_parameters = { kid: "1", use: "sig", alg: "RS256" }
jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
end

def generate_jwks_token(jwk)
payload = { "sub"=>"[email protected]", "name"=>"John Doe", "iat"=>1516239022,
"groups"=>[ "group1", "group2" ], "aud"=>"astral" }

JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid])
end

def generate_jwks_keyset(jwk)
jwks_hash = JWT::JWK::Set.new(jwk).export
f = Tempfile.new
f.write(JSON.pretty_generate(jwks_hash))
f.close
f.path
end
end
10 changes: 10 additions & 0 deletions test/lib/jwt/secret_decoder_test.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
require "test_helper"

class SecretDecoderTest < ActiveSupport::TestCase
test ".decode returns correct identity" do
identity = Jwt::SecretDecoder.new(Config[:jwt_signing_key]).
decode(jwt_authorized)
assert_equal "[email protected]", identity.sub
assert_equal "astral", identity.aud
end
end
29 changes: 29 additions & 0 deletions test/lib/utils/decoder_factory_test.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
require "test_helper"

class DecoderFactoryTest < ActiveSupport::TestCase
test ".get returns configured decoder" do
decoders = [ UnconfiguredDecoder.new, ConfiguredDecoder.new ]
Utils::DecoderFactory.stub :decoders, decoders do
decoder = Utils::DecoderFactory.get({})
assert decoder.instance_of?(ConfiguredDecoder)
end
end

test ".get recognizes invalid config" do
decoders = [ ConfiguredDecoder.new, ConfiguredDecoder.new ]
Utils::DecoderFactory.stub :decoders, decoders do
assert_raises(
RuntimeError, "Exactly one decoder must be configured") do
decoder = Utils::DecoderFactory.get({})
end
end
end

class ConfiguredDecoder
def configured?(c) = true
end

class UnconfiguredDecoder
def configured?(c) = false
end
end
File renamed without changes.

0 comments on commit 01dc025

Please sign in to comment.