Little refactor to separate app_registry from auth

G-Research · Aug 22, 2024 · 45b3195 · 45b3195
1 parent 74687b4
commit 45b3195
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 21 deletions.
diff --git a/app/lib/services/app_registry_service.rb b/app/lib/services/app_registry_service.rb
@@ -0,0 +1,32 @@
+module Services
+  class AppRegistryService
+    def authenticate!(token)
+      identity = decode(token)
+      raise AuthError unless identity
+      # TODO verify identity with authority?
+      identity
+    end
+
+    def authorize!(identity, cert_req)
+      cert_req.fqdns.each do |fqdn|
+        domain = get_domain_name(fqdn)
+        raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
+      end
+    end
+
+    private
+
+    def decode(token)
+      # Decode a JWT access token using the configured base.
+      body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
+      HashWithIndifferentAccess.new body
+    rescue => e
+      Rails.logger.warn "Unable to decode token: #{e}"
+      nil
+    end
+
+    def get_domain_name(fqdn)
+      # TODO implement
+    end
+  end
+end
diff --git a/app/lib/services/auth_service.rb b/app/lib/services/auth_service.rb
@@ -1,26 +1,16 @@
 module Services
   class AuthService
-   def decode(token)
-     # Decode a JWT access token using the configured base.
-     body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
-     HashWithIndifferentAccess.new body
-   rescue => e
-     Rails.logger.warn "Unable to decode token: #{e}"
-     nil
-   end
+    def initialize
+      # TODO make this selectable
+      @impl = AppRegistryService.new
+    end
 
-   def authenticate!(token)
-     identity = decode(token)
-     raise AuthError unless identity
-     # TODO verify identity with authority?
-     identity
-   end
+    def authenticate!(token)
+      @impl.authenticate!(token)
+    end
 
-   def authorize!(identity, cert_req)
-     cert_req.fqdns.each do |fqdn|
-       domain = AppRegistryService.get_domain_name(fqdn)
-       raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
-     end
-   end
+    def authorize!(token, cert_issue_req)
+      @impl.authorize!(token, cert_issue_req)
+    end
   end
 end
diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
@@ -9,7 +9,7 @@ def initialize
 
     def get_cert_for(identity, cert_issue_request)
       # Generate the TLS certificate using the intermediate CA
-      tls_cert = @client.logical.write("pki_int/issue/learn",
+      tls_cert = @client.logical.write(Rails.application.config.astral[:vault_cert_path],
           common_name: cert_issue_request.common_name,
           ttl: cert_issue_request.ttl,
           ip_sans: cert_issue_request.ip_sans,

diff --git a/config/astral.yml b/config/astral.yml
@@ -1,6 +1,7 @@
 shared:
   vault_addr: <%= ENV["VAULT_ADDR"] %>
   vault_token: <%= ENV["VAULT_TOKEN"] %>
+  vault_cert_path: "pki_int/issue/learn"
   jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
   cert_ttl: <%= 24.hours.in_seconds %>