commit 1bf861a9f3162f01c3ac477836499151fd46f5f5 · nekomimi.pet/microcosm-rs

+29 -10

who-am-i/src/jwt.rs

···

       1
       1
       +
       use elliptic_curve::SecretKey;

     

       2
       2
       +
       use jose_jwk::{Class, Jwk, Key, Parameters};

     

       1
       3
        
       use jsonwebtoken::{Algorithm, EncodingKey, Header, encode, errors::Error as JWTError};

     

       4
       4
       +
       use pkcs8::DecodePrivateKey;

     

       2
       5
        
       use serde::Serialize;

     

       3
       6
        
       use std::fs;

     

       4
       7
        
       use std::io::Error as IOError;

     
···

       27
       30
        
       

     

       28
       31
        
       pub struct Tokens {

     

       29
       32
        
           encoding_key: EncodingKey,

     

       30
       30
       -
           jwks: String,

     

       33
       33
       +
           jwk: Jwk,

     

       31
       34
        
       }

     

       32
       35
        
       

     

       33
       36
        
       impl Tokens {

     

       34
       34
       -
           pub fn from_files(

     

       35
       35
       -
               priv_f: impl AsRef<Path>,

     

       36
       36
       -
               jwks_f: impl AsRef<Path>,

     

       37
       37
       -
           ) -> Result<Self, TokensSetupError> {

     

       37
       37
       +
           pub fn from_files(priv_f: impl AsRef<Path>) -> Result<Self, TokensSetupError> {

     

       38
       38
        
               let private_key_data: Vec<u8> =

     

       39
       39
        
                   fs::read(priv_f).map_err(TokensSetupError::ReadPrivateKey)?;

     

       40
       40
        
               let encoding_key =

     

       41
       41
        
                   EncodingKey::from_ec_pem(&private_key_data).map_err(TokensSetupError::PrivateKey)?;

     

       42
       42
        
       

     

       43
       43
       -
               let jwks_data: Vec<u8> = fs::read(jwks_f).map_err(TokensSetupError::ReadJwks)?;

     

       44
       44
       -
               let jwks = String::from_utf8(jwks_data).map_err(TokensSetupError::DecodeJwks)?;

     

       43
       43
       +
               let jwk_key_string = String::from_utf8(private_key_data).unwrap();

     

       44
       44
       +
               let mut jwk = SecretKey::<p256::NistP256>::from_pkcs8_pem(&jwk_key_string)

     

       45
       45
       +
                   .map(|secret_key| Jwk {

     

       46
       46
       +
                       key: Key::from(&secret_key.into()),

     

       47
       47
       +
                       prm: Parameters {

     

       48
       48
       +
                           kid: Some("who-am-i-00".to_string()),

     

       49
       49
       +
                           cls: Some(Class::Signing),

     

       50
       50
       +
                           ..Default::default()

     

       51
       51
       +
                       },

     

       52
       52
       +
                   })

     

       53
       53
       +
                   .expect("to get private key");

     

       54
       54
       +
       

     

       55
       55
       +
               // CRITICAL: this is what turns the private jwk into a public one: the

     

       56
       56
       +
               // `d` parameter is the secret for an EC key; a pubkey just has no `d`.

     

       57
       57
       +
               //

     

       58
       58
       +
               // this feels baaaadd but hey we're just copying atrium

     

       59
       59
       +
               // https://github.com/atrium-rs/atrium/blob/b48810f84d83d037ee89b79b8566df9e0f2a6dae/atrium-oauth/src/keyset.rs#L41

     

       60
       60
       +
               let Key::Ec(ref mut ec) = jwk.key else {

     

       61
       61
       +
                   unimplemented!()

     

       62
       62
       +
               };

     

       63
       63
       +
               ec.d = None; // CRITICAL

     

       45
       64
        
       

     

       46
       46
       -
               Ok(Self { encoding_key, jwks })

     

       65
       65
       +
               Ok(Self { encoding_key, jwk })

     

       47
       66
        
           }

     

       48
       67
        
       

     

       49
       68
        
           pub fn mint(&self, t: impl ToString) -> Result<String, TokenMintingError> {

     
···

       62
       81
        
               )?)

     

       63
       82
        
           }

     

       64
       83
        
       

     

       65
       65
       -
           pub fn jwks(&self) -> String {

     

       66
       66
       -
               self.jwks.clone()

     

       84
       84
       +
           pub fn jwk(&self) -> Jwk {

     

       85
       85
       +
               self.jwk.clone()

     

       67
       86
        
           }

     

       68
       87
        
       }

     

       69
       88

+1 -16

who-am-i/src/main.rs

···

       31
       31
        
           ///         | openssl pkcs8 -topk8 -nocrypt -out <PATH-TO-PRIV-KEY>.pem

     

       32
       32
        
           #[arg(long)]

     

       33
       33
        
           jwt_private_key: PathBuf,

     

       34
       34
       -
           /// path to pubkeys file (jwks format)

     

       35
       35
       -
           ///

     

       36
       36
       -
           /// get pem of pubkey from private key with:

     

       37
       37
       -
           ///

     

       38
       38
       -
           ///     openssl ec -in <PATH-TO-PRIV-KEY>.pem -pubout

     

       39
       39
       -
           ///

     

       40
       40
       -
           /// then convert to a jwk, probably with something less sketchy than an [online tool](https://jwkset.com/generate)

     

       41
       41
       -
           ///

     

       42
       42
       -
           /// wrap the jwk in an array, then in an object under "keys":

     

       43
       43
       -
           ///

     

       44
       44
       -
           ///     { "keys": [<JWK obj>] }

     

       45
       45
       -
           ///

     

       46
       46
       -
           /// TODO: remove this, serve automatically

     

       47
       47
       -
           #[arg(long)]

     

       48
       48
       -
           jwks: PathBuf,

     

       49
       34
        
           /// this server's client-reachable base url, for oauth redirect + jwt check

     

       50
       35
        
           ///

     

       51
       36
        
           /// required unless running in localhost mode with --dev

     
···

       100
       85
        
               println!(" - {host}");

     

       101
       86
        
           }

     

       102
       87
        
       

     

       103
       103
       -
           let tokens = Tokens::from_files(args.jwt_private_key, args.jwks).unwrap();

     

       88
       88
       +
           let tokens = Tokens::from_files(args.jwt_private_key).unwrap();

     

       104
       89
        
       

     

       105
       90
        
           if let Err(e) = install_metrics_server() {

     

       106
       91
        
               eprintln!("failed to install metrics server: {e:?}");

+4 -11

who-am-i/src/server.rs

···

       99
       99
        
               .route("/auth", get(start_oauth))

     

       100
       100
        
               .route("/authorized", get(complete_oauth))

     

       101
       101
        
               .route("/disconnect", post(disconnect))

     

       102
       102
       -
               .route("/.well-known/at-jwks.json", get(at_jwks)) // todo combine jwks eps (key id is enough?)

     

       103
       102
        
               .route("/.well-known/jwks.json", get(jwks))

     

       104
       103
        
               .with_state(state);

     

       105
       104
        
       

     
···

       315
       314
        
           Json(oauth.client_metadata())

     

       316
       315
        
       }

     

       317
       316
        
       

     

       318
       318
       -
       async fn at_jwks(State(AppState { oauth, .. }): State<AppState>) -> Json<JwkSet> {

     

       319
       319
       -
           Json(oauth.jwks())

     

       320
       320
       -
       }

     

       321
       321
       -
       

     

       322
       317
        
       #[derive(Debug, Deserialize)]

     

       323
       318
        
       struct BeginOauthParams {

     

       324
       319
        
           handle: String,

     
···

       450
       445
        
           (jar, Json(json!({ "ok": true })))

     

       451
       446
        
       }

     

       452
       447
        
       

     

       453
       453
       -
       async fn jwks(State(AppState { tokens, .. }): State<AppState>) -> impl IntoResponse {

     

       454
       454
       -
           let headers = [

     

       455
       455
       -
               (CONTENT_TYPE, "application/json"),

     

       456
       456
       -
               // (CACHE_CONTROL, "") // TODO

     

       457
       457
       -
           ];

     

       458
       458
       -
           (headers, tokens.jwks())

     

       448
       448
       +
       async fn jwks(State(AppState { oauth, tokens, .. }): State<AppState>) -> Json<JwkSet> {

     

       449
       449
       +
           let mut jwks = oauth.jwks();

     

       450
       450
       +
           jwks.keys.push(tokens.jwk());

     

       451
       451
       +
           Json(jwks)

     

       459
       452
        
       }