feat: support multiple jwt public keys

Support two JWT keys. One used for signing (the primary private key), and an extra one for verification, so that we can rotate keys without downtime, and then remove the "secondary" if desired. It also now possible to specify the key algorithm. ES256 and RS256 are supported but RS256 will be removed. Adds a new crate, `si-jwt-public-key` (since this logic needs to be shared between sdf and the module-index).
systeminit · Dec 9, 2024 · 8e99bac · 8e99bac
1 parent 84dd6d3
commit 8e99bac
Show file tree

Hide file tree

Showing 34 changed files with 731 additions and 398 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -56,6 +56,7 @@ members = [
     "lib/si-firecracker",
     "lib/si-frontend-types-rs",
     "lib/si-hash",
+    "lib/si-jwt-public-key",
     "lib/si-layer-cache",
     "lib/si-pkg",
     "lib/si-pool-noodle",

diff --git a/bin/auth-api/README.md b/bin/auth-api/README.md
@@ -10,6 +10,13 @@ Use `pnpx prisma` to run prisma commands locally. For example
 
 ### JWT Signing Key
 
+### ES256 
+
+- `ssh-keygen -t ecdsa -b 256 -m PEM -f jwtES256.key`
+- `openssl ec -in jwtES256.key -pubout -outform PEM -out jwtES256.key.pub`
+
+### RS256 (deprecated)
+
 - `ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key`
 - `openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub`
 

diff --git a/bin/auth-api/src/lib/jwt.ts b/bin/auth-api/src/lib/jwt.ts
@@ -1,5 +1,11 @@
 /*
 instructions to generate JWT signing key
+ run `ssh-keygen -t ecdsa -b 256 -m PEM -f jwtES256.key`
+- run `openssl ec -in jwtES256.key -pubout -outform PEM -out jwtES256.key.pub`
+- `cat jwtES256.key`
+- `cat jwtES256.key.pub`
+
+For RS256: (deprecated)
 - run `ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key` # Don't add passphrase
 - run `openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub`
 - `cat jwtRS256.key`
@@ -9,34 +15,92 @@ instructions to generate JWT signing key
 import fs from "fs";
 import JWT from "jsonwebtoken";
 
-// load private and public key from either env var or paths set in config
-// keys in the repo are also used by SDF to verify jwt is signed correctly and in tests to create/sign jwts
-let _JWT_PRIVATE_KEY = process.env.JWT_PRIVATE_KEY;
-if (!_JWT_PRIVATE_KEY && process.env.JWT_PRIVATE_KEY_PATH) {
-  // path is relative to .env file
-  _JWT_PRIVATE_KEY = fs.readFileSync(`${process.env.JWT_PRIVATE_KEY_PATH}`, 'utf-8');
-}
-let _JWT_PUBLIC_KEY = process.env.JWT_PUBLIC_KEY;
-if (!_JWT_PUBLIC_KEY && process.env.JWT_PUBLIC_KEY_PATH) {
-  // path is relative to .env file
-  _JWT_PUBLIC_KEY = fs.readFileSync(`${process.env.JWT_PUBLIC_KEY_PATH}`, 'utf-8');
-}
-if (!_JWT_PRIVATE_KEY) throw new Error('Missing JWT signing private key');
-if (!_JWT_PUBLIC_KEY) throw new Error('Missing JWT signing public key');
+const DEFAULT_ALGO = "RS256";
+
+type Algo = "RS256" | "ES256";
+
+const jwtAlgo = (algo?: string): Algo => {
+  switch (algo) {
+    case "RS256":
+    case "ES256":
+      return algo;
+    default:
+      return DEFAULT_ALGO;
+  }
+};
+
+const keyEnvPaths = {
+  primary: {
+    private: "JWT_PRIVATE_KEY",
+    privatePath: "JWT_PRIVATE_KEY_PATH",
+    public: "JWT_PUBLIC_KEY",
+    publicPath: "JWT_PUBLIC_KEY_PATH",
+    algo: "JWT_ALGO",
+  },
+  secondary: {
+    private: "JWT_2ND_PRIVATE_KEY",
+    privatePath: "JWT_2ND_PRIVATE_KEY_PATH",
+    public: "JWT_2ND_PUBLIC_KEY",
+    publicPath: "JWT_2ND_PUBLIC_KEY_PATH",
+    algo: "JWT_2ND_ALGO",
+  },
+};
+
+// load private and public keys from either env var or paths set in config keys
+// in the repo are also used by SDF to verify jwt is signed correctly and in
+// tests to create/sign jwts
+
+const prepareKeys = (which: "primary" | "secondary"): { privKey?: string, pubKey?: string, algo: Algo } => {
+  const privateLiteral = process.env[keyEnvPaths[which].private];
+  const privatePath = process.env[keyEnvPaths[which].privatePath];
+
+  let privKey = privateLiteral ?? (privatePath ? fs.readFileSync(privatePath, 'utf-8') : undefined);
+  if (privKey) {
+    privKey = privKey.replace(/\\n/g, '\n');
+  }
+
+  const publicLiteral = process.env[keyEnvPaths[which].public];
+  const publicPath = process.env[keyEnvPaths[which].publicPath];
+
+  let pubKey = publicLiteral ?? (publicPath ? fs.readFileSync(publicPath, 'utf-8') : undefined);
+  if (pubKey) {
+    pubKey = pubKey.replace(/\\n/g, '\n');
+  }
+
+  const algo = jwtAlgo(process.env[keyEnvPaths[which].algo]);
+
+  return {
+    privKey,
+    pubKey,
+    algo,
+  };
+};
+
+const { privKey: primaryPrivKey, pubKey: primaryPubKey, algo } = prepareKeys("primary");
+const { pubKey: secondaryPubKey } = prepareKeys("secondary");
 
-_JWT_PRIVATE_KEY = _JWT_PRIVATE_KEY.replace(/\\n/g, '\n');
-_JWT_PUBLIC_KEY = _JWT_PUBLIC_KEY.replace(/\\n/g, '\n');
+if (!primaryPrivKey) throw new Error('Missing JWT signing private key');
+if (!primaryPubKey) throw new Error('Missing JWT signing public key');
 
-export const JWT_PUBLIC_KEY = _JWT_PUBLIC_KEY;
+export const JWT_PUBLIC_KEY = primaryPubKey;
+export const JWT_2ND_PUBLIC_KEY = secondaryPubKey;
 
 export function createJWT(
   payload: Record<string, any>,
   options?: Omit<JWT.SignOptions, 'algorithm'>,
 ) {
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-  return JWT.sign(payload, _JWT_PRIVATE_KEY!, { algorithm: "RS256", ...options });
+  return JWT.sign(payload, primaryPrivKey!, { algorithm: algo, ...options });
 }
 export function verifyJWT(token: string) {
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-  return JWT.verify(token, _JWT_PUBLIC_KEY!);
+  try {
+    return JWT.verify(token, primaryPubKey!);
+  } catch (err) {
+    if (secondaryPubKey) {
+      return JWT.verify(token, secondaryPubKey);
+    } else {
+      throw err;
+    }
+  }
 }
diff --git a/bin/module-index/BUCK b/bin/module-index/BUCK
@@ -10,6 +10,7 @@ rust_binary(
     deps = [
         "//lib/module-index-server:module-index-server",
         "//lib/si-std:si-std",
+        "//lib/si-jwt-public-key:si-jwt-public-key",
         "//lib/telemetry-application-rs:telemetry-application",
         "//third-party/rust:clap",
         "//third-party/rust:color-eyre",

diff --git a/bin/module-index/src/args.rs b/bin/module-index/src/args.rs
@@ -118,6 +118,15 @@ pub(crate) struct Args {
     /// The path to the JWT public signing key
     #[arg(long, env)]
     pub(crate) jwt_public_key: Option<String>,
+
+    #[arg(long, env)]
+    pub(crate) jwt_public_key_algo: Option<String>,
+
+    #[arg(long, env)]
+    pub(crate) jwt_secondary_public_key: Option<String>,
+
+    #[arg(long, env)]
+    pub(crate) jwt_secondary_public_key_algo: Option<String>,
     // /// Database migration mode on startup
     // #[arg(long, value_parser = PossibleValuesParser::new(MigrationMode::variants()))]
 }

diff --git a/bin/module-index/src/main.rs b/bin/module-index/src/main.rs
@@ -54,8 +54,7 @@ async fn async_main() -> Result<()> {
 
     let config = Config::try_from(args)?;
 
-    let jwt_public_signing_key =
-        Server::load_jwt_public_signing_key(config.jwt_signing_public_key_path()).await?;
+    let jwt_public_signing_key = Server::load_jwt_public_signing_key(&config).await?;
 
     // our pg pool works for migrations (refinery) but doesnt work for SeaORM :(
     // so we set up both connections for now... Would like to clean this up

diff --git a/bin/sdf/src/args.rs b/bin/sdf/src/args.rs
@@ -125,7 +125,19 @@ pub(crate) struct Args {
 
     /// jwt public signing key as a base64 string
     #[arg(long)]
-    pub(crate) jwt_public_signing_key_base64: Option<SensitiveString>,
+    pub(crate) jwt_public_signing_key_base64: Option<String>,
+
+    /// jwt public signing key algorithm (ES256 or RS256)
+    #[arg(long)]
+    pub(crate) jwt_public_signing_key_algo: Option<String>,
+
+    /// jwt secondary public signing key as a base64 string
+    #[arg(long)]
+    pub(crate) jwt_secondary_public_signing_key_base64: Option<String>,
+
+    /// jwt secondary public signing key algorithm (ES256 or RS256)
+    #[arg(long)]
+    pub(crate) jwt_secondary_public_signing_key_algo: Option<String>,
 
     /// The path at which the layer db cache is created/used on disk [e.g. /banana/]
     #[arg(long)]
@@ -338,9 +350,21 @@ impl TryFrom<Args> for Config {
                     base64.to_string(),
                 );
             }
+
             if let Some(jwt) = args.jwt_public_signing_key_base64 {
-                config_map.set("jwt_signing_public_key.key_base64", jwt.to_string());
+                config_map.set("jwt_signing_public_key.key_base64", jwt);
+            }
+            if let Some(algo) = args.jwt_public_signing_key_algo {
+                config_map.set("jwt_signing_public_key.algo", algo);
+            }
+
+            if let Some(jwt) = args.jwt_secondary_public_signing_key_base64 {
+                config_map.set("jwt_secondary_signing_public_key.key_base64", jwt);
+            }
+            if let Some(algo) = args.jwt_secondary_public_signing_key_algo {
+                config_map.set("jwt_secondary_signing_public_key.algo", algo);
             }
+
             if let Some(layer_cache_disk_path) = args.layer_db_disk_path {
                 config_map.set("layer_db_config.disk_path", layer_cache_disk_path);
             }

diff --git a/component/init/configs/service.toml b/component/init/configs/service.toml
@@ -18,6 +18,7 @@ runtime_strategy = "LocalFirecracker"
 
 [jwt_signing_public_key]
 key_base64 = "$SI_JWT_KEY_BASE64"
+algo = "RS256"
 
 [nats]
 creds = """

diff --git a/lib/dal-test/Cargo.toml b/lib/dal-test/Cargo.toml
@@ -20,6 +20,7 @@ si-crypto = { path = "../../lib/si-crypto" }
 si-data-nats = { path = "../../lib/si-data-nats" }
 si-data-pg = { path = "../../lib/si-data-pg" }
 si-events = { path = "../../lib/si-events-rs" }
+si-jwt-public-key = { path = "../../lib/si-jwt-public-key" }
 si-layer-cache = { path = "../../lib/si-layer-cache" }
 si-pkg = { path = "../../lib/si-pkg" }
 si-runtime = { path = "../../lib/si-runtime-rs" }
@@ -50,5 +51,5 @@ tokio = { workspace = true }
 tokio-util = { workspace = true }
 tracing-opentelemetry = { workspace = true }
 tracing-subscriber = { workspace = true }
-ulid =  { workspace = true }
+ulid = { workspace = true }
 uuid = { workspace = true }
diff --git a/lib/dal-test/src/lib.rs b/lib/dal-test/src/lib.rs
@@ -30,6 +30,7 @@ use std::{
     env, fmt,
     future::IntoFuture,
     path::{Path, PathBuf},
+    str::FromStr,
     sync::{Arc, Once},
 };
 
@@ -39,8 +40,7 @@ use dal::{
     builtins::func,
     feature_flags::FeatureFlagService,
     job::processor::{JobQueueProcessor, NatsProcessor},
-    DalContext, DalLayerDb, JetstreamStreams, JwtPublicSigningKey, ModelResult, ServicesContext,
-    Workspace,
+    DalContext, DalLayerDb, JetstreamStreams, ModelResult, ServicesContext, Workspace,
 };
 use derive_builder::Builder;
 use jwt_simple::prelude::RS256KeyPair;
@@ -51,9 +51,10 @@ use si_crypto::{
 };
 use si_data_nats::{jetstream, NatsClient, NatsConfig};
 use si_data_pg::{PgPool, PgPoolConfig};
+use si_jwt_public_key::{JwtAlgo, JwtConfig, JwtPublicSigningKeyChain};
 use si_layer_cache::hybrid_cache::CacheConfig;
 use si_runtime::DedicatedExecutor;
-use si_std::ResultExt;
+use si_std::{CanonicalFile, ResultExt};
 use telemetry::prelude::*;
 use tokio::{fs::File, io::AsyncReadExt, sync::Mutex};
 use tokio_util::{sync::CancellationToken, task::TaskTracker};
@@ -170,6 +171,7 @@ pub struct Config {
     module_index_url: String,
     veritech_encryption_key_path: String,
     jwt_signing_public_key_path: String,
+    jwt_signing_public_key_algo: JwtAlgo,
     jwt_signing_private_key_path: String,
     postgres_key_path: String,
     #[builder(default)]
@@ -619,13 +621,22 @@ pub fn random_identifier_string() -> String {
 }
 
 /// Returns a JWT public signing key, which is used to verify claims.
-pub async fn jwt_public_signing_key() -> Result<JwtPublicSigningKey> {
-    let jwt_signing_public_key_path = {
+pub async fn jwt_public_signing_key() -> Result<JwtPublicSigningKeyChain> {
+    let jwt_config = {
         let context_builder = TEST_CONTEXT_BUILDER.lock().await;
         let config = context_builder.config()?;
-        config.jwt_signing_public_key_path.clone()
+        let key_file = Some(CanonicalFile::from_str(
+            &config.jwt_signing_public_key_path,
+        )?);
+
+        JwtConfig {
+            key_file,
+            key_base64: None,
+            algo: config.jwt_signing_public_key_algo,
+        }
     };
-    let key = JwtPublicSigningKey::load(&jwt_signing_public_key_path).await?;
+
+    let key = JwtPublicSigningKeyChain::from_config(jwt_config, None).await?;
 
     Ok(key)
 }

diff --git a/lib/dal/BUCK b/lib/dal/BUCK
@@ -23,6 +23,7 @@ rust_library(
         "//lib/si-events-rs:si-events",
         "//lib/si-frontend-types-rs:si-frontend-types",
         "//lib/si-hash:si-hash",
+        "//lib/si-jwt-public-key:si-jwt-public-key",
         "//lib/si-layer-cache:si-layer-cache",
         "//lib/si-pkg:si-pkg",
         "//lib/si-runtime-rs:si-runtime",
@@ -121,7 +122,7 @@ rust_test(
     ],
     crate_root = "tests/integration.rs",
     srcs = glob([
-       "tests/**/*.rs",
+        "tests/**/*.rs",
         "tests/integration_test/external/ignition/*.ign",
     ]),
     env = {

diff --git a/lib/dal/Cargo.toml b/lib/dal/Cargo.toml
@@ -25,6 +25,7 @@ si-data-pg = { path = "../../lib/si-data-pg" }
 si-events = { path = "../../lib/si-events-rs" }
 si-frontend-types = { path = "../../lib/si-frontend-types-rs" }
 si-hash = { path = "../../lib/si-hash" }
+si-jwt-public-key = { path = "../../lib/si-jwt-public-key" }
 si-layer-cache = { path = "../../lib/si-layer-cache" }
 si-pkg = { path = "../../lib/si-pkg" }
 si-runtime = { path = "../../lib/si-runtime-rs" }