From 45b3195cb51d492a397a65b9c52ff2c7df19d374 Mon Sep 17 00:00:00 2001
From: Geoff Wilson <geoff@gr-oss.io>
Date: Thu, 22 Aug 2024 11:54:13 -0400
Subject: [PATCH] Little refactor to separate app_registry from auth

---
 app/lib/services/app_registry_service.rb | 32 ++++++++++++++++++++++++
 app/lib/services/auth_service.rb         | 30 ++++++++--------------
 app/lib/services/vault_service.rb        |  2 +-
 config/astral.yml                        |  1 +
 4 files changed, 44 insertions(+), 21 deletions(-)
 create mode 100644 app/lib/services/app_registry_service.rb

diff --git a/app/lib/services/app_registry_service.rb b/app/lib/services/app_registry_service.rb
new file mode 100644
index 0000000..557523c
--- /dev/null
+++ b/app/lib/services/app_registry_service.rb
@@ -0,0 +1,32 @@
+module Services
+  class AppRegistryService
+    def authenticate!(token)
+      identity = decode(token)
+      raise AuthError unless identity
+      # TODO verify identity with authority?
+      identity
+    end
+
+    def authorize!(identity, cert_req)
+      cert_req.fqdns.each do |fqdn|
+        domain = get_domain_name(fqdn)
+        raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
+      end
+    end
+
+    private
+    
+    def decode(token)
+      # Decode a JWT access token using the configured base.
+      body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
+      HashWithIndifferentAccess.new body
+    rescue => e
+      Rails.logger.warn "Unable to decode token: #{e}"
+      nil
+    end
+    
+    def get_domain_name(fqdn)
+      # TODO implement
+    end
+  end
+end
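Review bot: `authorize!` can neither approve nor deny cleanly yet: `get_domain_name` is a stub that returns nil, so `domain[:auto_approved_groups]` raises NoMethodError rather than AuthError, and a verified token that simply lacks a `groups` claim makes `Array#&` raise TypeError the same way. Turn both into an explicit deny so malformed input fails closed as AuthError instead of as a 500: `raise AuthError unless domain` before the intersection, and `Array(identity[:groups])` inside it. A request whose `fqdns` is empty also passes `authorize!` without any check being made, so add `raise AuthError if cert_req.fqdns.empty?` unless the caller guarantees a non-empty list. Separately, `JWT.decode(token, key)` does not pin the algorithm; depending on the jwt gem version the default is HS256-only or must be supplied, so pass it explicitly (`JWT.decode(token, key, true, algorithm: "HS256")`, or whatever the issuer actually signs with) so the token header can never choose how it is verified.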
diff --git a/app/lib/services/auth_service.rb b/app/lib/services/auth_service.rb
index 2873285..a1e1764 100644
--- a/app/lib/services/auth_service.rb
+++ b/app/lib/services/auth_service.rb
@@ -1,26 +1,16 @@
 module Services
   class AuthService
-   def decode(token)
-     # Decode a JWT access token using the configured base.
-     body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
-     HashWithIndifferentAccess.new body
-   rescue => e
-     Rails.logger.warn "Unable to decode token: #{e}"
-     nil
-   end
+    def initialize
+      # TODO make this selectable
+      @impl = AppRegistryService.new
+    end
 
-   def authenticate!(token)
-     identity = decode(token)
-     raise AuthError unless identity
-     # TODO verify identity with authority?
-     identity
-   end
+    def authenticate!(token)
+      @impl.authenticate!(token)
+    end
 
-   def authorize!(identity, cert_req)
-     cert_req.fqdns.each do |fqdn|
-       domain = AppRegistryService.get_domain_name(fqdn)
-       raise AuthError unless (domain[:auto_approved_groups] & identity[:groups]).any?
-     end
-   end
+    def authorize!(token, cert_issue_req)
+      @impl.authorize!(token, cert_issue_req)
+    end
   end
 end
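Review bot: The new `authorize!(token, cert_issue_req)` names its first parameter `token` but forwards it unchanged to `AppRegistryService#authorize!(identity, cert_req)`, which treats it as the decoded identity hash (`identity[:groups]`); a raw JWT string passed here would fail with a TypeError rather than an AuthError. Rename it to match the contract, `def authorize!(identity, cert_issue_req)`, or decode inside the wrapper if callers really hold a token at that point. Since `initialize` is meant to become selectable, a short comment there stating that `@impl` must expose `authenticate!(token)` returning an identity and `authorize!(identity, cert_req)` raising AuthError would document the interface any alternative implementation has to satisfy.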
diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
index 8396333..5b032d3 100644
--- a/app/lib/services/vault_service.rb
+++ b/app/lib/services/vault_service.rb
@@ -9,7 +9,7 @@ def initialize
 
     def get_cert_for(identity, cert_issue_request)
       # Generate the TLS certificate using the intermediate CA
-      tls_cert = @client.logical.write("pki_int/issue/learn",
+      tls_cert = @client.logical.write(Rails.application.config.astral[:vault_cert_path],
           common_name: cert_issue_request.common_name,
           ttl: cert_issue_request.ttl,
           ip_sans: cert_issue_request.ip_sans,
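Review bot: `Rails.application.config.astral[:vault_cert_path]` returns nil when the key is missing from the loaded config, and the Vault client would then attempt a write against a nil path with an error that does not name the missing setting; `Rails.application.config.astral.fetch(:vault_cert_path)` makes that misconfiguration fail at the point of cause. Moving the role name out of source is the right direction, but the PKI role named here is presumably what Vault uses to enforce allowed domains and SAN rules, so the per-environment value should be reviewed together with the group-based `authorize!` check that runs before this call. `get_cert_for` continues past the end of the hunk.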
diff --git a/config/astral.yml b/config/astral.yml
index bee2f97..2872e54 100644
--- a/config/astral.yml
+++ b/config/astral.yml
@@ -1,6 +1,7 @@
 shared:
   vault_addr: <%= ENV["VAULT_ADDR"] %>
   vault_token: <%= ENV["VAULT_TOKEN"] %>
+  vault_cert_path: "pki_int/issue/learn"
   jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
   cert_ttl: <%= 24.hours.in_seconds %>