From 45b3195cb51d492a397a65b9c52ff2c7df19d374 Mon Sep 17 00:00:00 2001
From: Geoff Wilson <geoff@gr-oss.io>
Date: Thu, 22 Aug 2024 11:54:13 -0400
Subject: [PATCH] Little refactor to separate app_registry from auth
---
app/lib/services/app_registry_service.rb | 32 ++++++++++++++++++++++++
app/lib/services/auth_service.rb | 30 ++++++++--------------
app/lib/services/vault_service.rb | 2 +-
config/astral.yml | 1 +
4 files changed, 44 insertions(+), 21 deletions(-)
create mode 100644 app/lib/services/app_registry_service.rb
diff --git a/app/lib/services/app_registry_service.rb b/app/lib/services/app_registry_service.rb
new file mode 100644
index 0000000..557523c
--- /dev/null
+++ b/app/lib/services/app_registry_service.rb
@@ -0,0 +1,32 @@
+module Services
+ class AppRegistryService
+ def authenticate!(token)
+ identity = decode(token)
+ raise AuthError unless identity
+ # TODO verify identity with authority?
+ identity
+ end
+
+ def authorize!(identity, cert_req)
+ cert_req.fqdns.each do |fqdn|
+ domain = get_domain_name(fqdn)
+ raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
+ end
+ end
+
+ private
+
+ def decode(token)
+ # Decode a JWT access token using the configured base.
+ body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
+ HashWithIndifferentAccess.new body
+ rescue => e
+ Rails.logger.warn "Unable to decode token: #{e}"
+ nil
+ end
+
+ def get_domain_name(fqdn)
+ # TODO implement
+ end
+ end
+end
diff --git a/app/lib/services/auth_service.rb b/app/lib/services/auth_service.rb
index 2873285..a1e1764 100644
--- a/app/lib/services/auth_service.rb
+++ b/app/lib/services/auth_service.rb
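Review bot: `decode` calls `JWT.decode(token, key)` without an `algorithm:` option; a verifying decode in ruby-jwt needs the allowed algorithm, so on current gem versions this rejects every token with `JWT::IncorrectAlgorithm` (logged and turned into `AuthError` by the rescue), while on old versions it would let the token's own `alg` header pick the verification scheme. Pin it to the key type actually configured, e.g. `body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key], true, algorithm: 'HS256')[0]` if `jwt_signing_key` is a shared secret. In `authorize!`, `get_domain_name` is still a stub returning nil, so `domain[:auto_approved_groups]` raises `NoMethodError` rather than `AuthError`, and a token without a `groups` claim makes `Array#&` raise `TypeError`; `Array(identity[:groups])` covers the latter. A request whose `fqdns` is empty passes the loop with no check at all, which is worth confirming against how `cert_req` is built.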
@@ -1,26 +1,16 @@
 module Services
 class AuthService
- def decode(token)
- # Decode a JWT access token using the configured base.
- body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
- HashWithIndifferentAccess.new body
- rescue => e
- Rails.logger.warn "Unable to decode token: #{e}"
- nil
- end
+ def initialize
+ # TODO make this selectable
+ @impl = AppRegistryService.new
+ end
- def authenticate!(token)
- identity = decode(token)
- raise AuthError unless identity
- # TODO verify identity with authority?
- identity
- end
+ def authenticate!(token)
+ @impl.authenticate!(token)
+ end
- def authorize!(identity, cert_req)
- cert_req.fqdns.each do |fqdn|
- domain = AppRegistryService.get_domain_name(fqdn)
- raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
- end
- end
+ def authorize!(token, cert_issue_req)
+ @impl.authorize!(token, cert_issue_req)
+ end
 end
 end
diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
index 8396333..5b032d3 100644
--- a/app/lib/services/vault_service.rb
+++ b/app/lib/services/vault_service.rb
@@ -9,7 +9,7 @@ def initialize
 def get_cert_for(identity, cert_issue_request)
 # Generate the TLS certificate using the intermediate CA
- tls_cert = @client.logical.write("pki_int/issue/learn",
+ tls_cert = @client.logical.write(Rails.application.config.astral[:vault_cert_path],
 common_name: cert_issue_request.common_name,
 ttl: cert_issue_request.ttl,
 ip_sans: cert_issue_request.ip_sans,
diff --git a/config/astral.yml b/config/astral.yml
index bee2f97..2872e54 100644
--- a/config/astral.yml
+++ b/config/astral.yml
@@ -1,6 +1,7 @@
 shared:
 vault_addr: <%= ENV["VAULT_ADDR"] %>
 vault_token: <%= ENV["VAULT_TOKEN"] %>
+ vault_cert_path: "pki_int/issue/learn"
 jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
 cert_ttl: <%= 24.hours.in_seconds %>
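Review bot: The delegating `authorize!(token, cert_issue_req)` renames its first parameter to `token`, but `AppRegistryService#authorize!` reads `identity[:groups]` from that argument, so it expects the decoded identity hash returned by `authenticate!`, not the raw JWT string; a caller following the new name would pass a String and get a `TypeError` from `identity[:groups]` instead of an auth decision. Keep the name matching the contract: `def authorize!(identity, cert_issue_req)` / `@impl.authorize!(identity, cert_issue_req)`. A one-line class comment such as `# Facade over the auth backend; authorize! takes the identity returned by authenticate!` would pin this down while the "make this selectable" TODO is open.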
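Review bot: `Rails.application.config.astral[:vault_cert_path]` is read with `[]` at the call site, so a missing or misspelled config key silently becomes `nil` and only surfaces as a confusing failure inside the Vault client. If `config.astral` is the Hash-like object `config_for` returns, `Rails.application.config.astral.fetch(:vault_cert_path)` fails fast with a clear `KeyError`; reading it once in `initialize` next to the client setup would also avoid the per-call lookup. `get_cert_for` continues past the end of the hunk.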