126 lines
3.3 KiB
Python
126 lines
3.3 KiB
Python
from datetime import datetime
|
|
|
|
import jwt
|
|
|
|
from flask import Blueprint, jsonify, abort, request, make_response
|
|
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
import data.model
|
|
import data.model.service_keys
|
|
|
|
from util.security import strictjwt
|
|
|
|
|
|
key_server = Blueprint('key_server', __name__)
|
|
|
|
JWT_HEADER_NAME = 'Authorization'
|
|
JWT_AUDIENCE = 'quay'
|
|
|
|
|
|
def _validate_jwk(jwk, kid):
|
|
if 'kty' not in jwk:
|
|
abort(400)
|
|
|
|
if 'kid' not in jwk or jwk['kid'] != kid:
|
|
abort(400)
|
|
|
|
if jwk['kty'] == 'EC':
|
|
if 'x' not in jwk or 'y' not in jwk:
|
|
abort(400)
|
|
elif jwk['kty'] == 'RSA':
|
|
if 'e' not in jwk or 'n' not in jwk:
|
|
abort(400)
|
|
else:
|
|
abort(400)
|
|
|
|
|
|
def _validate_jwt(encoded_jwt, jwk, service):
|
|
public_key = RSAPublicNumbers(e=jwk.e,
|
|
n=jwk.n).public_key(default_backend())
|
|
|
|
try:
|
|
strictjwt.decode(encoded_jwt, public_key, algorithms=['RS256'],
|
|
audience=JWT_AUDIENCE, issuer=service)
|
|
except strictjwt.InvalidTokenError:
|
|
abort(400)
|
|
|
|
|
|
def _signer_jwk(encoded_jwt, jwk, kid):
|
|
decoded_jwt = jwt.decode(encoded_jwt, verify=False)
|
|
|
|
signer_kid = decoded_jwt.get('signer_kid', '')
|
|
# If we already have our own JWK and it's the signer, short-circuit.
|
|
if (signer_kid == kid or signer_kid == '') and jwk is not None:
|
|
return jwk
|
|
else:
|
|
try:
|
|
service_key = data.model.service_keys.get_service_key(signer_kid)
|
|
except data.model.ServiceKeyDoesNotExist:
|
|
abort(404)
|
|
|
|
return service_key.jwk
|
|
|
|
|
|
@key_server.route('/services/<service>/keys', methods=['GET'])
|
|
def get_service_keys(service):
|
|
keys = data.model.service_keys.get_service_keys(service)
|
|
return jsonify({'keys': [key.jwk for key in keys]})
|
|
|
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
|
|
def get_service_key(kid):
|
|
key = data.model.service_keys.get_service_key(kid)
|
|
return jsonify(key.jwk)
|
|
|
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
|
|
def put_service_keys(service, kid):
|
|
expiration_date = request.args.get('expiration', None)
|
|
if expiration_date:
|
|
try:
|
|
expiration_date = datetime.utcfromtimestamp(float(expiration_date))
|
|
except ValueError:
|
|
abort(400)
|
|
|
|
try:
|
|
jwk = request.json()
|
|
except ValueError:
|
|
abort(400)
|
|
|
|
_validate_jwk(jwk, kid)
|
|
|
|
encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
|
|
if not encoded_jwt:
|
|
abort(400)
|
|
|
|
signer_jwk = _signer_jwk(encoded_jwt, jwk, kid)
|
|
_validate_jwt(encoded_jwt, signer_jwk, service)
|
|
|
|
metadata = {
|
|
'ip': request.remote_addr,
|
|
'signer_jwk': signer_jwk,
|
|
}
|
|
|
|
|
|
try:
|
|
data.model.service_keys.update_service_key('', kid, metadata, expiration_date)
|
|
except data.model.ServiceKeyDoesNotExist:
|
|
data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)
|
|
|
|
|
|
@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
|
|
def delete_service_key(service, kid):
|
|
encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
|
|
if not encoded_jwt:
|
|
abort(400)
|
|
|
|
signer_jwk = _signer_jwk(encoded_jwt, None, kid)
|
|
_validate_jwt(encoded_jwt, signer_jwk, service)
|
|
|
|
try:
|
|
data.model.service_keys.delete_service_key(service, kid)
|
|
except data.model.ServiceKeyDoesNotExist:
|
|
abort(404)
|
|
|
|
return make_response('', 200)
|