keys ui WIP
This commit is contained in:
parent
dc593c0197
commit
11ff3e9b59
25 changed files with 1154 additions and 74 deletions
@ -12,6 +12,7 @@ from jwkest.jwk import keyrep, RSAKey, ECKey
|
|||
|
||||
import data.model
|
||||
import data.model.service_keys
|
||||
from data.model.log import log_action
|
||||
|
||||
from app import app
|
||||
from auth.registry_jwt_auth import TOKEN_REGEX
|
||||
|
@ -59,13 +60,14 @@ def _validate_jwt(encoded_jwt, jwk, service):
|
|||
strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],
|
||||
audience=JWT_AUDIENCE, issuer=service)
|
||||
except strictjwt.InvalidTokenError:
|
||||
logger.exception('JWT validation failure')
|
||||
abort(400)
|
||||
|
||||
|
||||
def _signer_kid(encoded_jwt):
|
||||
decoded_jwt = jwt.decode(encoded_jwt, verify=False)
|
||||
logger.debug(decoded_jwt)
|
||||
return decoded_jwt.get('signer_kid', None)
|
||||
return decoded_jwt.get('kid', None)
|
||||
|
||||
|
||||
def _signer_key(service, signer_kid):
|
||||
|
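Review bot: `_signer_kid` reads the key id from the payload of a token it decodes with `verify=False`, so the returned `kid` is attacker-controlled until `_validate_jwt` succeeds with the key it selects; that is acceptable for a lookup hint, but the function should say so and the unverified claims should not be logged wholesale. I would replace `logger.debug(decoded_jwt)` with `logger.debug('Looking up signer kid %s', decoded_jwt.get('kid'))` so untrusted claim contents do not land in the log, and add the docstring `"""Return the unverified 'kid' claim used to locate the signing key; callers must still verify the JWT with that key."""`. Note also that the JWT spec carries `kid` in the header rather than the claims, so if clients send it there this lookup will always return None — worth confirming against the client code. `_validate_jwt` starts outside this hunk and `_signer_key`'s body continues past it.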
@ -104,6 +106,7 @@ def put_service_key(service, kid):
|
|||
try:
|
||||
expiration_date = datetime.utcfromtimestamp(float(expiration_date))
|
||||
except ValueError:
|
||||
logger.exception('Error parsing expiration date on key')
|
||||
abort(400)
|
||||
|
||||
rotation_ttl = request.args.get('rotation', None)
|
||||
|
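Review bot: The `except ValueError` around `datetime.utcfromtimestamp(float(expiration_date))` does not cover every failure `float()` lets through: values such as `'inf'` or very large numbers make `utcfromtimestamp` raise `OverflowError` (or `OSError` on some platforms), which would surface as an unhandled 500 rather than the intended 400 for a bad client value. I would widen it to `except (ValueError, OverflowError, OSError):`. Where `expiration_date` is read from is outside this hunk, so whether a missing value (None, which `float()` rejects with TypeError) can reach this line needs checking there; `put_service_key` continues on both sides of the hunk.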
@ -113,6 +116,7 @@ def put_service_key(service, kid):
|
|||
try:
|
||||
jwk = request.get_json()
|
||||
except ValueError:
|
||||
logger.exception('Error parsing JWK')
|
||||
abort(400)
|
||||
|
||||
logger.debug(jwk)
|
||||
|
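Review bot: `request.get_json()` returns None when the request does not carry a JSON content type, and on malformed JSON Flask's default `on_json_loading_failed` raises a werkzeug `BadRequest` rather than `ValueError` (depending on the Flask version in use), so the `except ValueError` here may never fire and a None `jwk` would continue on to `_validate_jwk(jwk, kid)` in the following hunk. I would make the failure explicit: `jwk = request.get_json(force=True, silent=True)` followed by `if jwk is None: abort(400)`, which also removes the dependency on which exception the framework chooses. `put_service_key` continues outside this hunk.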
@ -120,7 +124,9 @@ def put_service_key(service, kid):
|
|||
jwt_header = request.headers.get(JWT_HEADER_NAME, '')
|
||||
match = TOKEN_REGEX.match(jwt_header)
|
||||
if match is None:
|
||||
logger.error('Could not find matching bearer token')
|
||||
abort(400)
|
||||
|
||||
encoded_jwt = match.group(1)
|
||||
|
||||
_validate_jwk(jwk, kid)
|
||||
|
@ -131,6 +137,18 @@ def put_service_key(service, kid):
|
|||
# The key is self-signed. Create a new instance and await approval.
|
||||
_validate_jwt(encoded_jwt, jwk, service)
|
||||
data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)
|
||||
|
||||
key_log_metadata = {
|
||||
'kid': kid,
|
||||
'preshared': False,
|
||||
'service': service,
|
||||
'name': '',
|
||||
'expiration_date': expiration_date,
|
||||
'user_agent': request.headers.get('User-Agent'),
|
||||
'ip': request.remote_addr,
|
||||
}
|
||||
|
||||
log_action('service_key_create', None, metadata=key_log_metadata, ip=request.remote_addr)
|
||||
return make_response('', 202)
|
||||
|
||||
metadata.update({'created_by': 'Key Rotation'})
|
||||
|
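Review bot: The audit metadata passed to `log_action` stores `expiration_date` as a `datetime` object; if `log_action` serializes `metadata` to JSON (I cannot see its implementation here) that will fail with TypeError or silently stringify, so consider `'expiration_date': expiration_date.isoformat() if expiration_date else None`. The same dictionary shape is repeated in the rotation hunk (`service_key_rotate`), so a small `_key_log_metadata(kid, service, name, expiration_date, **extra)` helper would keep the two in sync. Two further points on the audit fields: `request.remote_addr` is the immediate peer and will be the proxy's address unless the app is configured with a proxy fix, and `User-Agent` is client-supplied and unbounded, so truncating it before it is stored would be prudent. `put_service_key` starts and ends outside this hunk.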
@ -146,6 +164,17 @@ def put_service_key(service, kid):
|
|||
except data.model.ServiceKeyDoesNotExist:
|
||||
abort(404)
|
||||
|
||||
key_log_metadata = {
|
||||
'kid': kid,
|
||||
'signer_kid': signer_key.kid,
|
||||
'service': service,
|
||||
'name': signer_key.name,
|
||||
'expiration_date': expiration_date,
|
||||
'user_agent': request.headers.get('User-Agent'),
|
||||
'ip': request.remote_addr,
|
||||
}
|
||||
|
||||
log_action('service_key_rotate', None, metadata=key_log_metadata, ip=request.remote_addr)
|
||||
return make_response('', 200)
|
||||
|
||||
|
||||
|