├── .dockerignore
├── .gitignore
├── CONTRIBUTING.md
├── DCO
├── Dockerfile
├── LICENSE
├── NOTICE
├── README.md
├── bill-of-materials.json
├── cmd
    └── jwtproxy
    │   └── main.go
├── code-of-conduct.md
├── config.example.yaml
├── config
    └── config.go
├── examples
    ├── httpserver
    │   ├── Procfile
    │   ├── README.md
    │   ├── mykey.crt
    │   ├── mykey.key
    │   ├── mykey.pub
    │   ├── reverseProxy.key
    │   ├── signer.yaml
    │   └── verifier.yaml
    └── kubernetes-httpserver
    │   ├── README.md
    │   ├── mykey.key
    │   ├── mykey.pub
    │   ├── nginx-app.yaml
    │   ├── nginx.conf
    │   ├── signer.yaml
    │   ├── tester-app.yaml
    │   └── verifier.yaml
├── glide.lock
├── glide.yaml
├── go.mod
├── go.sum
├── jwt
    ├── claims
    │   ├── static
    │   │   └── static.go
    │   └── verifier.go
    ├── jwt.go
    ├── jwt_test.go
    ├── keyserver
    │   ├── keyregistry
    │   │   ├── README.md
    │   │   ├── keycache
    │   │   │   ├── keycache.go
    │   │   │   └── memory
    │   │   │   │   └── memory.go
    │   │   └── keyregistry.go
    │   ├── keyserver.go
    │   ├── preshared
    │   │   └── preshared.go
    │   └── result.go
    ├── noncestorage
    │   ├── local
    │   │   └── local.go
    │   └── noncestorage.go
    ├── privatekey
    │   ├── autogenerated
    │   │   └── autogenerated.go
    │   ├── preshared
    │   │   └── preshared.go
    │   └── privatekey.go
    └── proxy_handlers.go
├── jwtproxy.go
├── proxy
    └── proxy.go
└── stop
    └── stopper.go


/.dockerignore:
--------------------------------------------------------------------------------
1 | .git
2 | .gitignore
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Compiled Object files, Static and Dynamic libs (Shared Objects)
 2 | *.o
 3 | *.a
 4 | *.so
 5 | 
 6 | # Folders
 7 | _obj
 8 | _test
 9 | 
10 | # Architecture specific extensions/prefixes
11 | *.[568vq]
12 | [568vq].out
13 | 
14 | *.cgo1.go
15 | *.cgo2.c
16 | _cgo_defun.c
17 | _cgo_gotypes.go
18 | _cgo_export.*
19 | 
20 | _testmain.go
21 | 
22 | *.exe
23 | *.test
24 | *.prof
25 | 
26 | cmd/jwtproxy/jwtproxy
27 | jwtproxy
28 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
 4 | GitHub pull requests. This document outlines some of the conventions on
 5 | development workflow, commit message formatting, contact points and other
 6 | resources to make it easier to get your contribution accepted.
 7 | 
 8 | # Certificate of Origin
 9 | 
10 | By contributing to this project you agree to the Developer Certificate of
11 | Origin (DCO). This document was created by the Linux Kernel community and is a
12 | simple statement that you, as a contributor, have the legal right to make the
13 | contribution. See the [DCO](DCO) file for details.
14 | 
15 | # Email and Chat
16 | 
17 | The project currently uses the general CoreOS email list and IRC channel:
18 | - Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
19 | - IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
20 | 
21 | Please avoid emailing maintainers found in the MAINTAINERS file directly. They
22 | are very busy and read the mailing lists.
23 | 
24 | ## Getting Started
25 | 
26 | - Fork the repository on GitHub
27 | - Read the [README](README.md) for build and test instructions
28 | - Play with the project, submit bugs, submit patches!
29 | 
30 | ## Contribution Flow
31 | 
32 | This is a rough outline of what a contributor's workflow looks like:
33 | 
34 | - Create a topic branch from where you want to base your work (usually master).
35 | - Make commits of logical units.
36 | - Make sure your commit messages are in the proper format (see below).
37 | - Push your changes to a topic branch in your fork of the repository.
38 | - Make sure the tests pass, and add any new tests as appropriate.
39 | - Submit a pull request to the original repository.
40 | 
41 | Thanks for your contributions!
42 | 
43 | ### Format of the Commit Message
44 | 
45 | We follow a rough convention for commit messages that is designed to answer two
46 | questions: what changed and why. The subject line should feature the what and
47 | the body of the commit should describe the why.
48 | 
49 | ```
50 | scripts: add the test-cluster command
51 | 
52 | this uses tmux to setup a test cluster that you can easily kill and
53 | start for debugging.
54 | 
55 | Fixes #38
56 | ```
57 | 
58 | The format can be described more formally as follows:
59 | 
60 | ```
61 | <subsystem>: <what changed>
62 | <BLANK LINE>
63 | <why this change was made>
64 | <BLANK LINE>
65 | <footer>
66 | ```
67 | 
68 | The first line is the subject and should be no longer than 70 characters, the
69 | second line is always blank, and other lines should be wrapped at 80 characters.
70 | This allows the message to be easier to read on GitHub as well as in various
71 | git tools.
72 | 


--------------------------------------------------------------------------------
/DCO:
--------------------------------------------------------------------------------
 1 | Developer Certificate of Origin
 2 | Version 1.1
 3 | 
 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 5 | 660 York Street, Suite 102,
 6 | San Francisco, CA 94110 USA
 7 | 
 8 | Everyone is permitted to copy and distribute verbatim copies of this
 9 | license document, but changing it is not allowed.
10 | 
11 | 
12 | Developer's Certificate of Origin 1.1
13 | 
14 | By making a contribution to this project, I certify that:
15 | 
16 | (a) The contribution was created in whole or in part by me and I
17 |     have the right to submit it under the open source license
18 |     indicated in the file; or
19 | 
20 | (b) The contribution is based upon previous work that, to the best
21 |     of my knowledge, is covered under an appropriate open source
22 |     license and I have the right under that license to submit that
23 |     work with modifications, whether created in whole or in part
24 |     by me, under the same open source license (unless I am
25 |     permitted to submit under a different license), as indicated
26 |     in the file; or
27 | 
28 | (c) The contribution was provided directly to me by some other
29 |     person who certified (a), (b) or (c) and I have not modified
30 |     it.
31 | 
32 | (d) I understand and agree that this project and the contribution
33 |     are public and that a record of the contribution (including all
34 |     personal information I submit with it, including my sign-off) is
35 |     maintained indefinitely and may be redistributed consistent with
36 |     this project or the open source license(s) involved.
37 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | # Copyright 2015 CoreOS, Inc
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http:#www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | FROM golang:1.12-alpine
16 | 
17 | MAINTAINER Quentin Machu <quentin.machu@coreos.com>
18 | 
19 | ENV XDG_CONFIG_HOME=/config/
20 | VOLUME /config
21 | 
22 | ENTRYPOINT ["jwtproxy"]
23 | CMD ["-config", "/config/config.yaml"]
24 | 
25 | ADD .   /go/src/github.com/quay/jwtproxy/
26 | WORKDIR /go/src/github.com/quay/jwtproxy/
27 | 
28 | RUN go install -v github.com/quay/jwtproxy/cmd/jwtproxy
29 | RUN rm -r /usr/local/go
30 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | CoreOS Project
2 | Copyright 2016 CoreOS, Inc
3 | 
4 | This product includes software developed at CoreOS, Inc.
5 | (http://www.coreos.com/).
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # JWT Proxy
  2 | 
  3 | [![Docker Repository on Quay](https://quay.io/repository/quay/jwtproxy/status "Docker Repository on Quay")](https://quay.io/repository/quay/jwtproxy)
  4 | 
  5 | The JWT proxy is intended to be used as a complementary service for authenticating, and possibly authorizing requests made between services.
  6 | There is a forward proxy component, which can be configured to sign outgoing requests to another service, and a reverse proxy component, which can be used to authenticate incoming requests from another service.
  7 | 
  8 | ## JWT Forward Proxy
  9 | 
 10 | The JWT forward proxy is used to sign outgoing requests with a JWT using a private key.
 11 | 
 12 | ### Features
 13 | 
 14 | - Append a JWT `Authorization` header containing claims about which service the request originated from, and who is the intended recipient
 15 | - Autogenerate private signing keys, and publish the public portion to a server following the [key server specification](https://github.com/coreos-inc/jwtproxy/blob/master/jwt/keyserver/keyregistry/README.md)
 16 | - Ability to use a preshared private key if we don't want to use autogenerated keys (useful when originating service is HA)
 17 | - Ability to sign SSL requests using MITM SSL with configurable certificate authority
 18 | 
 19 | ### Potential Features
 20 | 
 21 | - Ability to append static claims via config
 22 | - Ability to read dynamic claims out of a request header and turn them into JWT claims
 23 | 
 24 | ### Limitations
 25 | 
 26 | - When the proxy is configured to use MITM SSL, the `CONNECT` tunneling mechanism is only available to forward HTTPS requests. By default, most clients exclusively use `CONNECT` for HTTPS requests, which is 100% supported.
 27 | 
 28 | ## JWT Reverse Proxy
 29 | 
 30 | The JWT reverse proxy is used to verify incoming requests that were signed by the forward proxy.
 31 | 
 32 | ### Features
 33 | 
 34 | - Ability to decode and verify JWT `Authorization` headers on incoming requests
 35 | - Ability to verify the signature based on the specified signing key against a public key fetched from a [key server](https://github.com/coreos-inc/jwtproxy/blob/master/jwt/keyserver/keyregistry/README.md)
 36 | - Ability to verify from a single issuer using a pre-shared public key (likely only useful for testing)
 37 | - Ability to verify SSL requests by doing SSL termination on behalf of the upstream
 38 | - Pluggable claims verifier interface, with bundled static claims verifier implementation
 39 | 
 40 | ### Potential Features
 41 | 
 42 | - Ability to parse and write claims as an unforgeable header sent to the upstream
 43 | - Load balancing among multiple upstreams
 44 | - Ability to dial a unix socket for communication with upstream server
 45 | - Ability to bind a unix socket for use behind another proxy/load balancer/server
 46 | - Implementation of the claims verifier interface which loads a lua file
 47 | 
 48 | ## Usage
 49 | 
 50 | Run with:
 51 | 
 52 | ```bash
 53 | jwtproxy -config config.yaml
 54 | ```
 55 | 
 56 | The configuration yaml file contains a `jwtproxy` top level config flag, which allows a single yaml file to be used to configure multiple services. The presence or absence of a signer config or verifier config block will enable the forward and reverse proxy respectively.
 57 | 
 58 | ```yaml
 59 | jwtproxy:
 60 |   <Signer Config>
 61 | 
 62 |   verifier_proxies:
 63 |   - <Verifier Config>
 64 |   - <Verifier Config>
 65 | ```
 66 | 
 67 | ### Examples
 68 | 
 69 | Usage examples are provided in the [examples](examples/) folder.
 70 | 
 71 | ### Signer Config
 72 | 
 73 | Configures and enables the JWT forward signing proxy.
 74 | 
 75 | ```yaml
 76 | jwtproxy:
 77 |   signer_proxy:
 78 |     enabled: <bool|true>
 79 | 
 80 |     # Addr at which to bind proxy server
 81 |     listen_addr: <string|:8080>
 82 |     shutdown_timeout: <time.Duration|1m>
 83 | 
 84 |     # Optional key and CA certificate to forge MITM SSL certificates
 85 |     ca_key_file: <path|nil>
 86 |     ca_crt_file: <path|nil>
 87 | 
 88 |     # Certificates to be trusted by the proxy when its MITM mechanism communicates with remotes.
 89 |     # This is optional. Specifying it currently replaces system root certificates entirely.
 90 |     trusted_certificates: <[]string|system root certificates>
 91 | 
 92 |     # Whether the remotes' certificate chain and host name should be verified.
 93 |     insecure_skip_verify: <bool|false>
 94 | 
 95 |     signer:
 96 |       # Signing service name
 97 |       issuer: <string|nil>
 98 | 
 99 |       # Validity duration
100 |       expiration_time: <time.Duration|5m>
101 | 
102 |       # How much time skew we allow between signer and verifier
103 |       max_skew: <time.Duration|1m>
104 | 
105 |       # Length of random nonce values
106 |       nonce_length: <int|32>
107 | 
108 |       # Registerable private key source type
109 |       private_key:
110 |         type: <string|nil>
111 |         options: <map[string]interface{}>
112 | ```
113 | 
114 | #### Autogenerated Private Key
115 | 
116 | Configures a private key source which generates key pairs automatically and publishes them to a key server.
117 | 
118 | ```yaml
119 | private_key:
120 |   type: autogenerated
121 |   options:
122 |     # How often we publish a new key
123 |     rotate_every: <time.Duration|12h>
124 | 
125 |     # Folder in which to store autogenerated keys on disk
126 |     key_folder: <string|~/.config/jwtproxy/>
127 | 
128 |     # Registerable key server and config at which to publish public keys
129 |     key_server:
130 |       type: <string|nil>
131 |       options: <map[string]interface{}>
132 | ```
133 | 
134 | #### Key Registry Key Server
135 | 
136 | Configures a key server which talks to a server which implements the key registry protocol.
137 | 
138 | ```yaml
139 | key_server:
140 |   type: keyregistry
141 |   options:
142 |     # Base URL from which to access key registry endpoints.
143 |     registry: <string|nil>
144 | ```
145 | 
146 | #### Preshared Private Key
147 | 
148 | Configures a private key source which simply uses the key files specified.
149 | 
150 | ```yaml
151 | private_key:
152 |   type: preshared
153 |   options:
154 |     # Unique identifier for the private key
155 |     key_id: <string|nil>
156 | 
157 |     # Location of PEM encoded private key file
158 |     private_key_path: <path|nil>
159 | ```
160 | 
161 | ### Verifier Config
162 | 
163 | Configures and enables one or more JWT verifying reverse proxyies.
164 | 
165 | ```yaml
166 | jwtproxy:
167 |   verifier_proxies:
168 |   - enabled: <bool|true>
169 | 
170 |     # Addr at which to listen for requests
171 |     # It can either be an HTTP(s) URL or an UNIX socket path prefixed by 'unix:'
172 |     listen_addr: <string|:8081>
173 |     shutdown_timeout: <time.Duration|1m>
174 | 
175 |     # Optional PEM private key and certificate files for SSL termination
176 |     key_file: <path|nil>
177 |     crt_file: <path|nil>
178 | 
179 |     verifier:
180 |       # Upstream server to which to forward requests
181 |       # It can either be an HTTP(s) URL or an UNIX socket path prefixed by 'unix:'
182 |       upstream: <string|nil>
183 | 
184 |       # Required value for audience claim,
185 |       # Usually our advertised protocol and hostname
186 |       audience: <string|nil>
187 | 
188 |       # How much time skew we allow between signer and verifier
189 |       max_skew: <time.Duration|1m>
190 | 
191 |       # Maximum total amount of time for which a JWT can be signed
192 |       max_ttl: <time.Duration|5m>
193 | 
194 |       # Registerable key server type and options used to fetch
195 |       # public keys for verifying signatures
196 |       key_server:
197 |          type: <string|nil>
198 |          options: <map[string]interface{}>
199 | 
200 |       # Registerable type and options where we track used nonces
201 |       nonce_storage:
202 |         type: <string|nil>
203 |         options: <map[string]interface{}>
204 | ```
205 | 
206 | #### Key Registry Key Server
207 | 
208 | Configures a key server which fetches public keys from a server which implements the key registry protocol.
209 | 
210 | ```yaml
211 | key_server:
212 |   type: keyregistry
213 |   options:
214 |     # Base URL from which to access key registry endpoints.
215 |     registry: <string|nil>
216 | 
217 |     # Optional cache config to alleviate load on the key server.
218 |     cache:
219 |       # How long the keys stay valid in the cache
220 |       duration: <time.Duration|10m>
221 | 
222 |       # How often expired keys are removed from memory
223 |       purge_interval: <time.Duration|1m>
224 | ```
225 | 
226 | #### Preshared Key Server (Testing Only)
227 | 
228 | Configures a local preshared mock key server which can return one and only one public key. This should probably be used **only for testing**.
229 | 
230 | ```yaml
231 | key_server:
232 |   type: preshared
233 |   options:
234 |     # Configures the only issuer we will allow
235 |     issuer: <string|nil>
236 | 
237 |     # Unique ID of the only key from which we validate requests
238 |     key_id: <string|nil>
239 | 
240 |     # File path to the PEM encoded public key to verify signatures
241 |     public_key_path: <path|nil>
242 | ```
243 | 
244 | #### Local Nonce Storage
245 | 
246 | Configures nonce storage which stores previously seen nonces in a TTL cache in memory.
247 | 
248 | ```yaml
249 | nonce_storage:
250 |   type: local
251 |   options:
252 |     # How often we run the cache janitor to clean up expired nonces
253 |     purge_interval: <time.Duration|0>
254 | ```
255 | 
256 | 
257 | ### Generate keys
258 | 
259 | ## Generate forward proxy's CA certificate and private key
260 | 
261 | When it comes to sign HTTPs requests, the forward proxy must *hijack* connections and act as a man-in-the-middle.
262 | Therefore, the proxy requires a CA certificate and private key in order to forge TLS/SSL certificates on behalf on the remote HTTPs server.
263 | If none are specified, the forward proxy will throw a warning at startup and refuse to proxy HTTPs requests.
264 | 
265 | The following commands generate both, valid for a year, without any passphrase (otherwise, the proxy would require us to type it).
266 | 
267 | ```
268 | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt
269 | ```
270 | 
271 | The certificate then has to be distributed and trusted by every clients that goes through the forward proxy.
272 | The private key must remain secret.
273 | 
274 | The CA certificate and private key should be specified using the `ca_key_file` and `ca_crt_file` parameters in the [Signer configuration](#signer-config).
275 | 
276 | ## Generate reverse proxy's key pair
277 | 
278 | To confirm reverse proxy's authenticity and to guarantee confidentiality and integrity of the exchanged data, the reverse proxy can terminate TLS/SSL using a public/private key pair.
279 | The key pair could either be provided by a trusted certificate authority or self-signed using the commands below:
280 | 
281 | ```
282 | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout reverseProxy.key -out reverseProxy.crt
283 | ```
284 | 
285 | Note that to the question `Common Name (e.g. server FQDN or YOUR name)`, you must write the host that you expect to use for the reverse proxy.
286 | 
287 | The key pair should be specified using the `key_file` and `crt_file` parameters in the [Verifier configuration](#verifier-config).
288 | Also, because the key pair is self-signed, the certificate must be trusted by the forward proxy. This can be done by trusting the certificate system-wide or by specifying it using the `trusted_certificates` list parameter in the [Signer configuration](#signer-config).
289 | 
290 | 
291 | ## Build Linux Binary
292 | 
293 | ```
294 | docker build -t jwtproxy .
295 | docker run -it --rm -v "$PWD/bin":/go/bin -w /go --entrypoint /bin/bash jwtproxy -c "go install -v github.com/quay/jwtproxy/cmd/jwtproxy"
296 | ```
297 | 


--------------------------------------------------------------------------------
/bill-of-materials.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"project": "github.com/quay/jwtproxy",
 4 | 		"license": "Apache License 2.0",
 5 | 		"confidence": 1
 6 | 	},
 7 | 	{
 8 | 		"project": "github.com/sirupsen/logrus",
 9 | 		"license": "MIT License",
10 | 		"confidence": 1
11 | 	},
12 | 	{
13 | 		"project": "github.com/coreos/go-oidc",
14 | 		"license": "Apache License 2.0",
15 | 		"confidence": 1
16 | 	},
17 | 	{
18 | 		"project": "github.com/coreos/go-systemd/journal",
19 | 		"license": "Apache License 2.0",
20 | 		"confidence": 0.997
21 | 	},
22 | 	{
23 | 		"project": "github.com/coreos/goproxy",
24 | 		"license": "BSD 3-clause \"New\" or \"Revised\" License",
25 | 		"confidence": 0.966
26 | 	},
27 | 	{
28 | 		"project": "github.com/coreos/pkg",
29 | 		"license": "Apache License 2.0",
30 | 		"confidence": 1
31 | 	},
32 | 	{
33 | 		"project": "github.com/gregjones/httpcache",
34 | 		"license": "MIT License",
35 | 		"confidence": 0.989
36 | 	},
37 | 	{
38 | 		"project": "github.com/jonboulle/clockwork",
39 | 		"license": "Apache License 2.0",
40 | 		"confidence": 1
41 | 	},
42 | 	{
43 | 		"project": "github.com/patrickmn/go-cache",
44 | 		"license": "MIT License",
45 | 		"confidence": 0.989
46 | 	},
47 | 	{
48 | 		"project": "github.com/tylerb/graceful",
49 | 		"license": "MIT License",
50 | 		"confidence": 1
51 | 	},
52 | 	{
53 | 		"project": "golang.org/x/net/netutil",
54 | 		"license": "BSD 3-clause \"New\" or \"Revised\" License",
55 | 		"confidence": 0.966
56 | 	},
57 | 	{
58 | 		"project": "gopkg.in/square/go-jose.v2/cipher",
59 | 		"license": "Apache License 2.0",
60 | 		"confidence": 1
61 | 	},
62 | 	{
63 | 		"project": "gopkg.in/square/go-jose.v2/json",
64 | 		"license": "BSD 3-clause \"New\" or \"Revised\" License",
65 | 		"confidence": 0.966
66 | 	},
67 | 	{
68 | 		"project": "gopkg.in/yaml.v2",
69 | 		"license": "GNU Lesser General Public License v3.0",
70 | 		"confidence": 0.953
71 | 	}
72 | ]
73 | 


--------------------------------------------------------------------------------
/cmd/jwtproxy/main.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package main
16 | 
17 | import (
18 | 	"flag"
19 | 	"os"
20 | 	"os/signal"
21 | 	"syscall"
22 | 
23 | 	log "github.com/sirupsen/logrus"
24 | 
25 | 	"github.com/quay/jwtproxy"
26 | 	"github.com/quay/jwtproxy/config"
27 | 
28 | 	_ "github.com/quay/jwtproxy/jwt/claims/static"
29 | 	_ "github.com/quay/jwtproxy/jwt/keyserver/keyregistry"
30 | 	_ "github.com/quay/jwtproxy/jwt/keyserver/keyregistry/keycache/memory"
31 | 	_ "github.com/quay/jwtproxy/jwt/keyserver/preshared"
32 | 	_ "github.com/quay/jwtproxy/jwt/noncestorage/local"
33 | 	_ "github.com/quay/jwtproxy/jwt/privatekey/autogenerated"
34 | 	_ "github.com/quay/jwtproxy/jwt/privatekey/preshared"
35 | )
36 | 
37 | func main() {
38 | 	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
39 | 	flagConfigPath := flag.String("config", "", "Load configuration from the specified yaml file.")
40 | 	flagLogLevel := flag.String("log-level", "info", "Define the logging level.")
41 | 	flag.Parse()
42 | 
43 | 	// Load configuration.
44 | 	config, err := config.Load(*flagConfigPath)
45 | 	if err != nil {
46 | 		flag.Usage()
47 | 		log.Fatalf("Failed to load configuration: %s", err)
48 | 	}
49 | 
50 | 	// Initialize logging system.
51 | 	level, err := log.ParseLevel(*flagLogLevel)
52 | 	if err != nil {
53 | 		log.Fatalf("Failed to parse the log level: %s", err)
54 | 	}
55 | 	log.SetLevel(level)
56 | 
57 | 	// Run proxies until SIGINT/SIGTERM is received and then shutdown gracefully.
58 | 	run(config)
59 | }
60 | 
61 | func run(config *config.Config) {
62 | 	// Nothing to run? Abort.
63 | 	var verifierEnabled bool
64 | 	for _, verifierCfg := range config.VerifierProxies {
65 | 		if verifierCfg.Enabled {
66 | 			verifierEnabled = true
67 | 			break
68 | 		}
69 | 	}
70 | 
71 | 	if !verifierEnabled && !config.SignerProxy.Enabled {
72 | 		log.Error("No proxy is enabled. Terminating.")
73 | 		return
74 | 	}
75 | 
76 | 	// Create shutdown channel and make it listen to SIGINT and SIGTERM.
77 | 	shutdown := make(chan os.Signal)
78 | 	signal.Notify(shutdown, syscall.SIGINT, syscall.SIGTERM)
79 | 
80 | 	// Run proxies.
81 | 	stopper, abort := jwtproxy.RunProxies(config)
82 | 
83 | 	// Wait for stop signal.
84 | 	select {
85 | 	case <-shutdown:
86 | 		log.Info("Received stop signal. Stopping gracefully...")
87 | 	case aborted := <-abort:
88 | 		log.Error(aborted)
89 | 	}
90 | 
91 | 	stopped := stopper.Stop()
92 | 
93 | 	// Restore the original behavior in case we need to force shutdown.
94 | 	signal.Reset(syscall.SIGINT, syscall.SIGTERM)
95 | 
96 | 	// Wait for everything to stop.
97 | 	<-stopped
98 | }
99 | 


--------------------------------------------------------------------------------
/code-of-conduct.md:
--------------------------------------------------------------------------------
 1 | ## CoreOS Community Code of Conduct
 2 | 
 3 | ### Contributor Code of Conduct
 4 | 
 5 | As contributors and maintainers of this project, and in the interest of
 6 | fostering an open and welcoming community, we pledge to respect all people who
 7 | contribute through reporting issues, posting feature requests, updating
 8 | documentation, submitting pull requests or patches, and other activities.
 9 | 
10 | We are committed to making participation in this project a harassment-free
11 | experience for everyone, regardless of level of experience, gender, gender
12 | identity and expression, sexual orientation, disability, personal appearance,
13 | body size, race, ethnicity, age, religion, or nationality.
14 | 
15 | Examples of unacceptable behavior by participants include:
16 | 
17 | * The use of sexualized language or imagery
18 | * Personal attacks
19 | * Trolling or insulting/derogatory comments
20 | * Public or private harassment
21 | * Publishing others' private information, such as physical or electronic addresses, without explicit permission
22 | * Other unethical or unprofessional conduct.
23 | 
24 | Project maintainers have the right and responsibility to remove, edit, or
25 | reject comments, commits, code, wiki edits, issues, and other contributions
26 | that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
27 | project maintainers commit themselves to fairly and consistently applying these
28 | principles to every aspect of managing this project. Project maintainers who do
29 | not follow or enforce the Code of Conduct may be permanently removed from the
30 | project team.
31 | 
32 | This code of conduct applies both within project spaces and in public spaces
33 | when an individual is representing the project or its community.
34 | 
35 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
36 | reported by contacting a project maintainer, Brandon Philips
37 | <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
38 | 
39 | This Code of Conduct is adapted from the Contributor Covenant
40 | (http://contributor-covenant.org), version 1.2.0, available at
41 | http://contributor-covenant.org/version/1/2/0/
42 | 
43 | ### CoreOS Events Code of Conduct
44 | 
45 | CoreOS events are working conferences intended for professional networking and
46 | collaboration in the CoreOS community. Attendees are expected to behave
47 | according to professional standards and in accordance with their employer’s
48 | policies on appropriate workplace behavior.
49 | 
50 | While at CoreOS events or related social networking opportunities, attendees
51 | should not engage in discriminatory or offensive speech or actions including
52 | but not limited to gender, sexuality, race, age, disability, or religion.
53 | Speakers should be especially aware of these concerns.
54 | 
55 | CoreOS does not condone any statements by speakers contrary to these standards.
56 | CoreOS reserves the right to deny entrance and/or eject from an event (without
57 | refund) any individual found to be engaging in discriminatory or offensive
58 | speech or actions.
59 | 
60 | Please bring any concerns to the immediate attention of designated on-site
61 | staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
62 | 


--------------------------------------------------------------------------------
/config.example.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright 2016 CoreOS, Inc
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | jwtproxy:
16 |   signer_proxy:
17 |     enabled: true
18 |     listen_addr: :8080
19 |     shutdown_timeout: 1m
20 | 
21 |     # CA used to forge certificates used by
22 |     # the proxy's MITM mechanism.
23 |     ca_key_file: ca.key
24 |     ca_crt_file: ca.crt
25 | 
26 |     # Certificates to be trusted by the proxy when its MITM mechanism communicates with remotes.
27 |     # This is optional. Specifying it currently replaces system root certificates entirely.
28 |     trusted_certificates:
29 |     - localhost.crt
30 | 
31 |     # Whether the remotes' certificate chain and host name should be verified.
32 |     insecure_skip_verify: false
33 | 
34 |     signer:
35 |       issuer: jwtproxy
36 |       expiration_time: 5m
37 |       max_skew: 1m
38 |       nonce_length: 32 # length of generated nonces
39 |       # private_key:
40 |       #   type: preshared
41 |       #   options:
42 |       #     key_id: mykey
43 |       #     private_key_path: mykey.key
44 |       private_key:
45 |         type: autogenerated
46 |         options:
47 |           rotate_every: 12h
48 |           key_server:
49 |             type: keyregistry
50 |             options:
51 |               registry: http://localhost:8888/
52 | 
53 |   verifier_proxies:
54 |   - enabled: true
55 |     listen_addr: :8081
56 |     shutdown_timeout: 1m
57 | 
58 |     # Key pair used to terminate TLS.
59 |     key_file: localhost.key
60 |     crt_file: localhost.crt
61 | 
62 |     verifier:
63 |       upstream: http://localhost:9090/
64 |       audience: https://localhost:8081/ # host used to talk to the verifier proxy
65 |       max_skew: 1m # maximum accepted skew for the iat claim
66 |       max_ttl: 5m # maximum expiration duration that a JWT can be signed for to be accepted
67 |       #key_server:
68 |       #  type: preshared
69 |       #  options:
70 |       #    issuer: jwtproxy
71 |       #    key_id: mykey
72 |       #    public_key_path: mykey.crt
73 |       key_server:
74 |         type: keyregistry
75 |         options:
76 |           registry: http://localhost:8888/
77 |       nonce_storage:
78 |         type: local
79 |         options:
80 |           purge_interval: 1m # interval between expired expired nonce cleanups
81 |       claims_verifiers:
82 |       - type: static
83 |         options:
84 |           iss: jwtproxy
85 | 


--------------------------------------------------------------------------------
/config/config.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package config
 16 | 
 17 | import (
 18 | 	"io/ioutil"
 19 | 	"net/url"
 20 | 	"os"
 21 | 	"time"
 22 | 
 23 | 	"gopkg.in/yaml.v2"
 24 | )
 25 | 
 26 | // URL is a custom URL type that allows validation at configuration load time.
 27 | type URL struct {
 28 | 	*url.URL
 29 | }
 30 | 
 31 | // UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
 32 | func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
 33 | 	var s string
 34 | 	if err := unmarshal(&s); err != nil {
 35 | 		return err
 36 | 	}
 37 | 
 38 | 	urlp, err := url.Parse(s)
 39 | 	if err != nil {
 40 | 		return err
 41 | 	}
 42 | 	u.URL = urlp
 43 | 	return nil
 44 | }
 45 | 
 46 | // MarshalYAML implements the yaml.Marshaler interface for URLs.
 47 | func (u URL) MarshalYAML() (interface{}, error) {
 48 | 	if u.URL != nil {
 49 | 		return u.String(), nil
 50 | 	}
 51 | 	return nil, nil
 52 | }
 53 | 
 54 | type DefaultVerifierProxyConfig VerifierProxyConfig
 55 | 
 56 | // UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
 57 | func (cfg *VerifierProxyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 58 | 	tempCfg := DefaultVerifierProxyConfig{
 59 | 		Enabled:         true,
 60 | 		ListenAddr:      ":8082",
 61 | 		SocketPermission: 0755,
 62 | 		ShutdownTimeout: 5 * time.Second,
 63 | 		Verifier: VerifierConfig{
 64 | 			MaxSkew: 5 * time.Minute,
 65 | 			MaxTTL:  5 * time.Minute,
 66 | 			NonceStorage: RegistrableComponentConfig{
 67 | 				Type: "local",
 68 | 				Options: map[string]interface{}{
 69 | 					"PurgeInterval": 1 * time.Minute,
 70 | 				},
 71 | 			},
 72 | 		},
 73 | 	}
 74 | 
 75 | 	if err := unmarshal(&tempCfg); err != nil {
 76 | 		return err
 77 | 	}
 78 | 
 79 | 	*cfg = VerifierProxyConfig(tempCfg)
 80 | 
 81 | 	return nil
 82 | }
 83 | 
 84 | // Represents a config file, which may have configuration for other programs
 85 | // as a top level key.
 86 | type configFile struct {
 87 | 	JWTProxy Config
 88 | }
 89 | 
 90 | // Config is the global configuration
 91 | type Config struct {
 92 | 	SignerProxy     SignerProxyConfig     `yaml:"signer_proxy"`
 93 | 	VerifierProxies []VerifierProxyConfig `yaml:"verifier_proxies"`
 94 | }
 95 | 
 96 | type VerifierProxyConfig struct {
 97 | 	Enabled         bool           `yaml:"enabled"`
 98 | 	ListenAddr      string         `yaml:"listen_addr"`
 99 | 	SocketPermission os.FileMode   `yaml:"socket_permission"`
100 | 	ShutdownTimeout time.Duration  `yaml:"shutdown_timeout"`
101 | 	CrtFile         string         `yaml:"crt_file"`
102 | 	KeyFile         string         `yaml:"key_file"`
103 | 	Verifier        VerifierConfig `yaml:"verifier"`
104 | }
105 | 
106 | type SignerProxyConfig struct {
107 | 	Enabled             bool          `yaml:"enabled"`
108 | 	ListenAddr          string        `yaml:"listen_addr"`
109 | 	SocketPermission    os.FileMode   `yaml:"socket_permission"`
110 | 	ShutdownTimeout     time.Duration `yaml:"shutdown_timeout"`
111 | 	CAKeyFile           string        `yaml:"ca_key_file"`
112 | 	CACrtFile           string        `yaml:"ca_crt_file"`
113 | 	TrustedCertificates []string      `yaml:"trusted_certificates"`
114 | 	InsecureSkipVerify  bool          `yaml:"insecure_skip_verify"`
115 | 	Signer              SignerConfig  `yaml:"signer"`
116 | }
117 | 
118 | type VerifierConfig struct {
119 | 	Upstream        URL                          `yaml:"upstream"`
120 | 	Audience        URL                          `yaml:"audience"`
121 | 	MaxSkew         time.Duration                `yaml:"max_skew"`
122 | 	MaxTTL          time.Duration                `yaml:"max_ttl"`
123 | 	KeyServer       RegistrableComponentConfig   `yaml:"key_server"`
124 | 	NonceStorage    RegistrableComponentConfig   `yaml:"nonce_storage"`
125 | 	ClaimsVerifiers []RegistrableComponentConfig `yaml:"claims_verifiers"`
126 | }
127 | 
128 | type SignerParams struct {
129 | 	Issuer         string        `yaml:"issuer"`
130 | 	ExpirationTime time.Duration `yaml:"expiration_time"`
131 | 	MaxSkew        time.Duration `yaml:"max_skew"`
132 | 	NonceLength    int           `yaml:"nonce_length"`
133 | }
134 | 
135 | type SignerConfig struct {
136 | 	SignerParams `yaml:",inline"`
137 | 	PrivateKey   RegistrableComponentConfig `yaml:"private_key"`
138 | }
139 | 
140 | type RegistrableComponentConfig struct {
141 | 	Type    string                 `yaml:"type"`
142 | 	Options map[string]interface{} `yaml:"options"`
143 | }
144 | 
145 | // DefaultConfig is a configuration that can be used as a fallback value.
146 | func DefaultConfig() Config {
147 | 	return Config{
148 | 		SignerProxy: SignerProxyConfig{
149 | 			Enabled:         true,
150 | 			ListenAddr:      ":8080",
151 | 			SocketPermission: 0755,
152 | 			ShutdownTimeout: 5 * time.Second,
153 | 			Signer: SignerConfig{
154 | 				SignerParams: SignerParams{
155 | 					Issuer:         "jwtproxy",
156 | 					ExpirationTime: 5 * time.Minute,
157 | 					MaxSkew:        1 * time.Minute,
158 | 					NonceLength:    32,
159 | 				},
160 | 			},
161 | 		},
162 | 	}
163 | }
164 | 
165 | // Load is a shortcut to open a file, read it, and generate a Config.
166 | // It supports relative and absolute paths. Given "", it returns DefaultConfig.
167 | func Load(path string) (config *Config, err error) {
168 | 	var cfgFile configFile
169 | 	cfgFile.JWTProxy = DefaultConfig()
170 | 	if path == "" {
171 | 		return &cfgFile.JWTProxy, nil
172 | 	}
173 | 
174 | 	f, err := os.Open(os.ExpandEnv(path))
175 | 	if err != nil {
176 | 		return
177 | 	}
178 | 	defer f.Close()
179 | 
180 | 	d, err := ioutil.ReadAll(f)
181 | 	if err != nil {
182 | 		return
183 | 	}
184 | 
185 | 	err = yaml.Unmarshal(d, &cfgFile)
186 | 	if err != nil {
187 | 		return
188 | 	}
189 | 	config = &cfgFile.JWTProxy
190 | 
191 | 	return
192 | }
193 | 


--------------------------------------------------------------------------------
/examples/httpserver/Procfile:
--------------------------------------------------------------------------------
1 | web:       go get github.com/rif/spark                    && $GOPATH/bin/spark -port 8081 "Welcome to this authenticated web service."
2 | signer:    go get github.com/quay/jwtproxy/cmd/jwtproxy && $GOPATH/bin/jwtproxy -config $(pwd)/signer.yaml
3 | verifier:  go get github.com/quay/jwtproxy/cmd/jwtproxy && $GOPATH/bin/jwtproxy -config $(pwd)/verifier.yaml
4 | 


--------------------------------------------------------------------------------
/examples/httpserver/README.md:
--------------------------------------------------------------------------------
 1 | # HTTP Server
 2 | 
 3 | This example demonstrates authenticating a web service using jwtproxy.
 4 | 
 5 | ```
 6 | client <--> signer proxy <--> verifier proxy <--> web service
 7 | ```
 8 | 
 9 | Three components are deployed using the Procfile contained in this example folder:
10 | - **A simple web server**: The web server provides a web service on which we want to add authentication.
11 | - **A forward proxy**: Used by the web service clients, the proxy signs every requests to our web service by adding a JWT.
12 | - **A reverse proxy**: The reverse proxy receives requests, validates JWTs and forwards the requests to the web server.
13 | 
14 | ### Pre-requisites
15 | 
16 | To run this example, you need [Go] and a working [Go environment] and [goreman].
17 | 
18 | [Go 1.6]: https://github.com/golang/go/releases
19 | [Go environment]: https://golang.org/doc/code.html
20 | [goreman]: https://github.com/mattn/goreman
21 | 
22 | ### Configuration
23 | 
24 | For the sake of simplicity, this example uses a pre-shared key pair to sign and verify the requests. Two configuration files are used, one for the signer and one for the verifier, respectively `signer.yaml` and `verifier.yaml`. It is recommended that you inspect them to understand how jwtproxy works.
25 | 
26 | ### Run
27 | 
28 | Simply execute the Procfile:
29 | 
30 | ```
31 | goreman start
32 | ```
33 | 
34 | ### Test
35 | 
36 | Using curl, we send a request for the web service to the verifier proxy address. The verifier proxy will verify the authentication token and forward it upon success to our web service. We also specify that a forward proxy has to be used - it will sign our requests.
37 | 
38 | ```
39 | curl --proxy localhost:3128 http://localhost:8080/
40 | ```
41 | 
42 | ### Learn more
43 | 
44 | Extensive documentation can be found in the [README].
45 | To learn more about the different configuration parameters, you may read [config.example.yaml].
46 | 
47 | [README]: ../../README.md
48 | [config.example.yaml]: ../../config.example.yaml
49 | 


--------------------------------------------------------------------------------
/examples/httpserver/mykey.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIEFTCCAv2gAwIBAgIJALM32kF9XINSMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV
 3 | BAYTAlVTMQswCQYDVQQIEwJOWTEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTEVMBMG
 4 | A1UEChMMQ29yZW9zLCBJbmMuMRkwFwYDVQQDFBBqd3Rwcm94eV9leGFtcGxlMB4X
 5 | DTE2MDUwNDE3MzUwMloXDTE3MDUwNDE3MzUwMlowZDELMAkGA1UEBhMCVVMxCzAJ
 6 | BgNVBAgTAk5ZMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MRUwEwYDVQQKEwxDb3Jl
 7 | b3MsIEluYy4xGTAXBgNVBAMUEGp3dHByb3h5X2V4YW1wbGUwggEiMA0GCSqGSIb3
 8 | DQEBAQUAA4IBDwAwggEKAoIBAQDfqrznv6bhNVevmoCx20C+m5Iy1koq31GieXV5
 9 | DGsOVngJzh/JEC5ZPlrCDvO4SNNW/cdMhOYagQOaCKdkCVg9rxf0BOx7Qa8Coh0c
10 | bJGMoHvbnJa1woorO53rE81O4En4hXW/NmtsAHH25utjfJ63Eaq2ifywZ/ynXhMF
11 | kqbKUZxasq6vzOoWhJh2DZ+i8I1QJogICz2sC0laYK9UqIaPB6ZpuGUqMFvdR+VM
12 | 5WQwaAchD7JFLcRvoaCH1vLTKuIJk8e5p1Er88F6/kgLeG10FF9zxHX66bzC0hzh
13 | e4kMGNmifzBCNKV6p4m3hwBVG4eeYDc6S2tOP3Zf/xQSmj6vAgMBAAGjgckwgcYw
14 | HQYDVR0OBBYEFC7Mlj5jDJAgVlhO9trpRcUaGDLjMIGWBgNVHSMEgY4wgYuAFC7M
15 | lj5jDJAgVlhO9trpRcUaGDLjoWikZjBkMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
16 | TlkxFjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxFTATBgNVBAoTDENvcmVvcywgSW5j
17 | LjEZMBcGA1UEAxQQand0cHJveHlfZXhhbXBsZYIJALM32kF9XINSMAwGA1UdEwQF
18 | MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFQ/F4qeZvu9IIls9w06Itt2edlV6Jfx
19 | +y7X2v1XF+tXHUaOXbBn6lfIgElX/s1UYGVUpHAWK8gNTSmhRF1XuWoDJyBwSxZb
20 | fn9WYnwyGuylHIzEsVW4ChvOL8ZCBKOv8p3n2l3nMPsBg9TerzVLzp1Nn9IUBHDu
21 | oSPucVrsmSsjjHFRS3l4srs97sPrZnJXrZmaN9bWpgUVcsNQ2oqL95jHlhmvnw4h
22 | Qb9PC/mUtoCGQzBqTCtNzOA774S6phJNRFVGRdXwMqiV+UpwFu0KnqeMpcA4BDWe
23 | jMeWCpUYJlA3ulaZjNi4Q6ioMy7/7G+0aLTkxDeVDwYYgfHqjLDHezw=
24 | -----END CERTIFICATE-----
25 | 


--------------------------------------------------------------------------------
/examples/httpserver/mykey.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEowIBAAKCAQEA36q857+m4TVXr5qAsdtAvpuSMtZKKt9Ronl1eQxrDlZ4Cc4f
 3 | yRAuWT5awg7zuEjTVv3HTITmGoEDmginZAlYPa8X9ATse0GvAqIdHGyRjKB725yW
 4 | tcKKKzud6xPNTuBJ+IV1vzZrbABx9ubrY3yetxGqton8sGf8p14TBZKmylGcWrKu
 5 | r8zqFoSYdg2fovCNUCaICAs9rAtJWmCvVKiGjwemabhlKjBb3UflTOVkMGgHIQ+y
 6 | RS3Eb6Ggh9by0yriCZPHuadRK/PBev5IC3htdBRfc8R1+um8wtIc4XuJDBjZon8w
 7 | QjSleqeJt4cAVRuHnmA3OktrTj92X/8UEpo+rwIDAQABAoIBAAHdCEnd/OPvb9WU
 8 | sfHJY9aysRsfUerdhW6XGHVztwidi855GyavrdMsg9EOEtW8NZaJ8rkeelRKMt97
 9 | pvlcYpHQ/aAY0meMeorJEvkDporHY4DG4zKMdl451uz4c0Nu9u7NHdgD+g0iS9DE
10 | x71CcogP654ttB88Hoy+aeYn/J++3lJ+ReHaJRNOABDL/OOxDqAMTx3C1UFOWRGT
11 | sYquxxwWU1xE8JUmLXtB9jg+diSo6nS2HRil6j9cO6P8TFfJW6VkDlETtdH891xD
12 | 60q7WDeMPo8fP0i0dPAGeVlt9fmImhvJ9u5kgXIHTqaLk5v4BpiDdA/L0EsklAZs
13 | WBJYK9ECgYEA/CcayMCUVFGfYkS3yPur6WIcjNLhHnn3NdI3FX+ugB2nRs8gMBKN
14 | HqIWETznXkzPBpkq4fVX6HxTisoCUoJNYdhLtsZtCWIoE7XRMISG7HvF4fVJMgj+
15 | UlyMkck5dfecJ7AuuuSXhwCRCUlaABwB0vUdBFax2tb8nsbAU7aMvvMCgYEA4xRe
16 | hUorBZ3xsol07j80jOf5fnT0MeKOvjvZXpQfobNIQGFAmWM8uybTXN/ZRSD9wPCn
17 | A4ef/RxW/jIjPdCJXwVZFRuJkRKR2FQMep8GoG8ujquVVNi48iToEEwoGPGFTW0f
18 | W+Eo6qa++XdyUgTCO3D5yUcOvQdDO3dQVhLLyFUCgYBNZl+FYf/mBgwLqRZVHlO9
19 | 1vz2iUDLDxtALR/1fHT/JJsVVD0IJJmm3pAxiGVo/+DIoLmWFK6AUbF/N9UQqKjC
20 | MRfEqhIMQFIXAseMwhF8g93RJ27pafNPKtOHaKI3wOLxF9awTbzpltXuaNK0l+RD
21 | cjQPAeGkUDvJLS8aQz3e2wKBgQCcfvc9SQYpUta1woGxiCHBUkXh3txEXO0fMcP2
22 | qIK8QAB1ThDlJT0/hdx4z1S/jaMUC0Yu6pNaLuPNP+SFv2hM8jSYlWfTcUbOHe6T
23 | u3EntDgT3zCFTu73AnRkdvfTaPADkkbgXWaDgPNwnd9NozXxHUUocC46G/07yFi3
24 | WTDUGQKBgHaDWintEOTVThpBxbNNFDRb1N01raXUMRT1ifIOux8+tdxzP4LjSgF4
25 | 5+icDQ1j2GXbJfmj3X6zTkU90ynfzboqrFyS8hYoFQsOQhmDe9qNSeO1bXmig1HV
26 | rySJ4P8KT0QvEzSUbm72wVBF0GHZ/SgE+zVXnLDtORrC47cd3U2u
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/examples/httpserver/mykey.pub:
--------------------------------------------------------------------------------
 1 | -----BEGIN PUBLIC KEY-----
 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36q857+m4TVXr5qAsdtA
 3 | vpuSMtZKKt9Ronl1eQxrDlZ4Cc4fyRAuWT5awg7zuEjTVv3HTITmGoEDmginZAlY
 4 | Pa8X9ATse0GvAqIdHGyRjKB725yWtcKKKzud6xPNTuBJ+IV1vzZrbABx9ubrY3ye
 5 | txGqton8sGf8p14TBZKmylGcWrKur8zqFoSYdg2fovCNUCaICAs9rAtJWmCvVKiG
 6 | jwemabhlKjBb3UflTOVkMGgHIQ+yRS3Eb6Ggh9by0yriCZPHuadRK/PBev5IC3ht
 7 | dBRfc8R1+um8wtIc4XuJDBjZon8wQjSleqeJt4cAVRuHnmA3OktrTj92X/8UEpo+
 8 | rwIDAQAB
 9 | -----END PUBLIC KEY-----
10 | 


--------------------------------------------------------------------------------
/examples/httpserver/reverseProxy.key:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/quay/jwtproxy/7e2a1590bfe34640d9a23fe40c61e0156d4cafad/examples/httpserver/reverseProxy.key


--------------------------------------------------------------------------------
/examples/httpserver/signer.yaml:
--------------------------------------------------------------------------------
 1 | jwtproxy:
 2 |   signer_proxy:
 3 |     listen_addr: :3128
 4 | 
 5 |     signer:
 6 |       issuer: jwtproxy
 7 |       expiration_time: 5m
 8 |       max_skew: 1m
 9 |       nonce_length: 32
10 |       private_key:
11 |         type: preshared
12 |         options:
13 |           key_id: mykey
14 |           private_key_path: mykey.key
15 | 
16 |     # To sign requests to HTTPS endpoints, we need to
17 |     # specify a CA certificate (trusted by the clients)
18 |     # and its private key that the MITM mechanism will use.
19 |     #ca_key_file: ca.key
20 |     #ca_crt_file: ca.crt
21 | 
22 |   verifier_proxies:
23 |   - enabled: false
24 | 


--------------------------------------------------------------------------------
/examples/httpserver/verifier.yaml:
--------------------------------------------------------------------------------
 1 | jwtproxy:
 2 |   verifier_proxies:
 3 |   - listen_addr: :8080
 4 | 
 5 |     verifier:
 6 |       upstream: http://localhost:8081/
 7 |       audience: http://localhost:8080/ # host used to talk to the verifier proxy
 8 |       max_skew: 1m
 9 |       max_ttl: 5m
10 |       key_server:
11 |         type: preshared
12 |         options:
13 |           issuer: jwtproxy
14 |           key_id: mykey
15 |           public_key_path: mykey.pub
16 |       claims_verifiers:
17 |       - type: static
18 |         options:
19 |           iss: jwtproxy
20 | 
21 |     # Key pair used to terminate TLS.
22 |     #key_file: localhost.key
23 |     #crt_file: localhost.crt
24 | 
25 |   signer_proxy:
26 |     enabled: false
27 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/README.md:
--------------------------------------------------------------------------------
 1 | # Authenticated nginx server on Kubernetes
 2 | 
 3 | This example demonstrates authenticating an nginx server using jwtproxy on Kubernetes.
 4 | 
 5 | In this example, we will deploy a pod that contains a unexposed nginx server and a verifier proxy, exposed on the port 80. Because the nginx server is unexposed, the only way to access it externally (i.e. outside the pod) is to go through the reverse proxy, which enforce authentication by validating JWTs. A service will also be created to enable external access (i.e. outside the cluster) to the service.
 6 | 
 7 | ### Pre-requisites
 8 | 
 9 | To run this example, you need a working [Kubernetes] cluster.
10 | 
11 | 
12 | For the sake of simplicity, this example uses a pre-shared key pair to sign and verify the requests.
13 | 
14 | [Kubernetes]: http://kubernetes.io/
15 | 
16 | ### Deploy
17 | 
18 | First of all, we create two Kubernetes secrets:
19 | - **secret-nginx-config**: Contains an nginx virtual host configuration file to make our web server listen on port 8080 (in the pod only) and serve a static response,
20 | - **secret-jwtproxy-config**: Contains the verifier proxy configuration that will listen on port 80 (externally), verify requests' authentication and forward them to nginx.
21 | 
22 | ```
23 | $ kubectl create secret generic secret-nginx-config --from-file nginx.conf
24 | $ kubectl create secret generic secret-verifier-config --from-file verifier.yaml --from-file mykey.pub
25 | ```
26 | 
27 | And then, we deploy the pod and service that expose our secured web service:
28 | 
29 | ```
30 | $ kubectl create -f nginx-app.yaml
31 | ```
32 | 
33 | ### Test
34 | 
35 | To demonstrate a bit further, we'll deploy a second pod that will send requests to our web service at regular intervals, via a signer proxy that will provide authentication.
36 | 
37 | ```
38 | $ kubectl create secret generic secret-tester-config --from-file signer.yaml --from-file mykey.key
39 | $ kubectl create -f tester-app.yaml
40 | ```
41 | 
42 | As soon as the pod is deployed, we can watch the logs and read the responses to our authenticated requests.
43 | 
44 | ```
45 | $ kubectl logs -f tester tester
46 | Welcome to this authenticated web service.
47 | Welcome to this authenticated web service.
48 | Welcome to this authenticated web service.
49 | ```
50 | 
51 | ### Learn more
52 | 
53 | Extensive documentation can be found in the [README].
54 | To learn more about the different configuration parameters, you may read [config.example.yaml].
55 | 
56 | [README]: ../../README
57 | [config.example.yaml]: ../../config.example.yaml
58 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/mykey.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEowIBAAKCAQEA36q857+m4TVXr5qAsdtAvpuSMtZKKt9Ronl1eQxrDlZ4Cc4f
 3 | yRAuWT5awg7zuEjTVv3HTITmGoEDmginZAlYPa8X9ATse0GvAqIdHGyRjKB725yW
 4 | tcKKKzud6xPNTuBJ+IV1vzZrbABx9ubrY3yetxGqton8sGf8p14TBZKmylGcWrKu
 5 | r8zqFoSYdg2fovCNUCaICAs9rAtJWmCvVKiGjwemabhlKjBb3UflTOVkMGgHIQ+y
 6 | RS3Eb6Ggh9by0yriCZPHuadRK/PBev5IC3htdBRfc8R1+um8wtIc4XuJDBjZon8w
 7 | QjSleqeJt4cAVRuHnmA3OktrTj92X/8UEpo+rwIDAQABAoIBAAHdCEnd/OPvb9WU
 8 | sfHJY9aysRsfUerdhW6XGHVztwidi855GyavrdMsg9EOEtW8NZaJ8rkeelRKMt97
 9 | pvlcYpHQ/aAY0meMeorJEvkDporHY4DG4zKMdl451uz4c0Nu9u7NHdgD+g0iS9DE
10 | x71CcogP654ttB88Hoy+aeYn/J++3lJ+ReHaJRNOABDL/OOxDqAMTx3C1UFOWRGT
11 | sYquxxwWU1xE8JUmLXtB9jg+diSo6nS2HRil6j9cO6P8TFfJW6VkDlETtdH891xD
12 | 60q7WDeMPo8fP0i0dPAGeVlt9fmImhvJ9u5kgXIHTqaLk5v4BpiDdA/L0EsklAZs
13 | WBJYK9ECgYEA/CcayMCUVFGfYkS3yPur6WIcjNLhHnn3NdI3FX+ugB2nRs8gMBKN
14 | HqIWETznXkzPBpkq4fVX6HxTisoCUoJNYdhLtsZtCWIoE7XRMISG7HvF4fVJMgj+
15 | UlyMkck5dfecJ7AuuuSXhwCRCUlaABwB0vUdBFax2tb8nsbAU7aMvvMCgYEA4xRe
16 | hUorBZ3xsol07j80jOf5fnT0MeKOvjvZXpQfobNIQGFAmWM8uybTXN/ZRSD9wPCn
17 | A4ef/RxW/jIjPdCJXwVZFRuJkRKR2FQMep8GoG8ujquVVNi48iToEEwoGPGFTW0f
18 | W+Eo6qa++XdyUgTCO3D5yUcOvQdDO3dQVhLLyFUCgYBNZl+FYf/mBgwLqRZVHlO9
19 | 1vz2iUDLDxtALR/1fHT/JJsVVD0IJJmm3pAxiGVo/+DIoLmWFK6AUbF/N9UQqKjC
20 | MRfEqhIMQFIXAseMwhF8g93RJ27pafNPKtOHaKI3wOLxF9awTbzpltXuaNK0l+RD
21 | cjQPAeGkUDvJLS8aQz3e2wKBgQCcfvc9SQYpUta1woGxiCHBUkXh3txEXO0fMcP2
22 | qIK8QAB1ThDlJT0/hdx4z1S/jaMUC0Yu6pNaLuPNP+SFv2hM8jSYlWfTcUbOHe6T
23 | u3EntDgT3zCFTu73AnRkdvfTaPADkkbgXWaDgPNwnd9NozXxHUUocC46G/07yFi3
24 | WTDUGQKBgHaDWintEOTVThpBxbNNFDRb1N01raXUMRT1ifIOux8+tdxzP4LjSgF4
25 | 5+icDQ1j2GXbJfmj3X6zTkU90ynfzboqrFyS8hYoFQsOQhmDe9qNSeO1bXmig1HV
26 | rySJ4P8KT0QvEzSUbm72wVBF0GHZ/SgE+zVXnLDtORrC47cd3U2u
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/mykey.pub:
--------------------------------------------------------------------------------
 1 | -----BEGIN PUBLIC KEY-----
 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36q857+m4TVXr5qAsdtA
 3 | vpuSMtZKKt9Ronl1eQxrDlZ4Cc4fyRAuWT5awg7zuEjTVv3HTITmGoEDmginZAlY
 4 | Pa8X9ATse0GvAqIdHGyRjKB725yWtcKKKzud6xPNTuBJ+IV1vzZrbABx9ubrY3ye
 5 | txGqton8sGf8p14TBZKmylGcWrKur8zqFoSYdg2fovCNUCaICAs9rAtJWmCvVKiG
 6 | jwemabhlKjBb3UflTOVkMGgHIQ+yRS3Eb6Ggh9by0yriCZPHuadRK/PBev5IC3ht
 7 | dBRfc8R1+um8wtIc4XuJDBjZon8wQjSleqeJt4cAVRuHnmA3OktrTj92X/8UEpo+
 8 | rwIDAQAB
 9 | -----END PUBLIC KEY-----
10 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/nginx-app.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: nginx
 5 | spec:
 6 |   type: NodePort
 7 |   ports:
 8 |   - port: 80
 9 |     protocol: TCP
10 |     name: http
11 |   selector:
12 |     app: nginx
13 | ---
14 | apiVersion: v1
15 | kind: Pod
16 | metadata:
17 |   name: nginx
18 |   labels:
19 |     app: nginx
20 | spec:
21 |   volumes:
22 |   - name: secret-nginx-volume
23 |     secret:
24 |       secretName: secret-nginx-config
25 |   - name: secret-verifier-volume
26 |     secret:
27 |       secretName: secret-verifier-config
28 |   containers:
29 |   - name: nginx
30 |     image: nginx
31 |     volumeMounts:
32 |     - mountPath: /etc/nginx/conf.d/
33 |       name: secret-nginx-volume
34 |   - name: jwtproxy
35 |     image: quay.io/quay/jwtproxy
36 |     ports:
37 |     - containerPort: 80
38 |     args:
39 |     - -config
40 |     - /etc/jwtproxy/verifier.yaml
41 |     volumeMounts:
42 |     - mountPath: /etc/jwtproxy/
43 |       name: secret-verifier-volume
44 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/nginx.conf:
--------------------------------------------------------------------------------
1 | server{
2 |     listen 8080;
3 | 
4 |     location / {
5 |       return 200 "Welcome to this authenticated web service.\n";
6 |     }
7 | }
8 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/signer.yaml:
--------------------------------------------------------------------------------
 1 | jwtproxy:
 2 |   signer_proxy:
 3 |     listen_addr: :3128
 4 |     shutdown_timeout: 3s
 5 | 
 6 |     signer:
 7 |       issuer: jwtproxy
 8 |       expiration_time: 5m
 9 |       max_skew: 1m
10 |       nonce_length: 32
11 |       private_key:
12 |         type: preshared
13 |         options:
14 |           key_id: mykey
15 |           private_key_path: /etc/jwtproxy/mykey.key
16 | 
17 |     # To sign requests to HTTPS endpoints, we need to
18 |     # specify a CA certificate (trusted by the clients)
19 |     # and its private key that the MITM mechanism will use.
20 |     #ca_key_file: ca.key
21 |     #ca_crt_file: ca.crt
22 | 
23 |   verifier_proxies:
24 |   - enabled: false
25 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/tester-app.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: tester
 5 | spec:
 6 |   volumes:
 7 |   - name: secret-tester-volume
 8 |     secret:
 9 |       secretName: secret-tester-config
10 |   containers:
11 |   - name: jwtproxy
12 |     image: quay.io/quay/jwtproxy
13 |     args:
14 |     - -config
15 |     - /etc/jwtproxy/signer.yaml
16 |     volumeMounts:
17 |     - mountPath: /etc/jwtproxy/
18 |       name: secret-tester-volume
19 |   - name: tester
20 |     image: alpine:edge
21 |     command:
22 |     - sh
23 |     - -c
24 |     - while :; do http_proxy=http://localhost:3128 wget -qO- -Y on http://nginx/; sleep 5; done
25 | 


--------------------------------------------------------------------------------
/examples/kubernetes-httpserver/verifier.yaml:
--------------------------------------------------------------------------------
 1 | jwtproxy:
 2 |   verifier_proxies:
 3 |   - listen_addr: :80
 4 | 
 5 |     verifier:
 6 |       upstream: http://localhost:8080/
 7 |       audience: http://nginx/ # host used to talk to the verifier proxy
 8 |       max_skew: 1m
 9 |       max_ttl: 5m
10 |       key_server:
11 |         type: preshared
12 |         options:
13 |           issuer: jwtproxy
14 |           key_id: mykey
15 |           public_key_path: /etc/jwtproxy/mykey.pub
16 |       claims_verifiers:
17 |       - type: static
18 |         options:
19 |           iss: jwtproxy
20 | 
21 |     # Key pair used to terminate TLS.
22 |     #key_file: localhost.key
23 |     #crt_file: localhost.crt
24 | 
25 |   signer_proxy:
26 |     enabled: false
27 | 


--------------------------------------------------------------------------------
/glide.lock:
--------------------------------------------------------------------------------
 1 | hash: e9be2167eed774041b7d368bb6054c64cdb94699fa91b7beffb739c50f4cf583
 2 | updated: 2019-05-14T12:30:21.525021-04:00
 3 | imports:
 4 | - name: github.com/coreos/go-oidc
 5 |   version: f427f54ef96beaa1db5fabbe4fff00de535d5494
 6 |   subpackages:
 7 |   - http
 8 |   - jose
 9 |   - key
10 |   - oauth2
11 |   - oidc
12 | - name: github.com/coreos/go-systemd
13 |   version: 7b2428fec40033549c68f54e26e89e7ca9a9ce31
14 |   subpackages:
15 |   - journal
16 | - name: github.com/coreos/goproxy
17 |   version: 25fe2597a3d151ba954d9b3c0fd4663e79de48cc
18 | - name: github.com/coreos/pkg
19 |   version: 1914e367e85eaf0c25d495b48e060dfe6190f8d0
20 |   subpackages:
21 |   - capnslog
22 |   - health
23 |   - httputil
24 |   - timeutil
25 | - name: github.com/davecgh/go-spew
26 |   version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
27 |   subpackages:
28 |   - spew
29 | - name: github.com/gregjones/httpcache
30 |   version: 4b02602f71f4346dfbd3ef8f4d15cc2a318b32c1
31 | - name: github.com/jonboulle/clockwork
32 |   version: ed104f61ea4877bea08af6f759805674861e968d
33 | - name: github.com/patrickmn/go-cache
34 |   version: a3647f8e31d79543b2d0f0ae2fe5c379d72cedc0
35 | - name: github.com/pmezard/go-difflib
36 |   version: 792786c7400a136282c1664665ae0a8db921c6c2
37 |   subpackages:
38 |   - difflib
39 | - name: github.com/sirupsen/logrus
40 |   version: ba1b36c82c5e05c4f912a88eab0dcd91a171688f
41 | - name: github.com/stretchr/testify
42 |   version: c5d7a69bf8a2c9c374798160849c071093e41dd1
43 |   subpackages:
44 |   - assert
45 | - name: github.com/tylerb/graceful
46 |   version: 4654dfbb6ad53cb5e27f37d99b02e16c1872fbbb
47 | - name: golang.org/x/net
48 |   version: 024ed629fd292398cfd43c9678a5bf004f7defdc
49 |   subpackages:
50 |   - netutil
51 | - name: golang.org/x/sys
52 |   version: a60af9cbbc6ab800af4f2be864a31f423a0ae1f2
53 |   subpackages:
54 |   - unix
55 | - name: gopkg.in/square/go-jose.v2
56 |   version: 77e6c51d4de65c9a8d5a27a99e0e2721b12f1a2c
57 |   subpackages:
58 |   - cipher
59 |   - json
60 | - name: gopkg.in/yaml.v2
61 |   version: a83829b6f1293c91addabc89d0571c246397bbf4
62 | testImports: []
63 | 


--------------------------------------------------------------------------------
/glide.yaml:
--------------------------------------------------------------------------------
 1 | package: github.com/quay/jwtproxy
 2 | import:
 3 | - package: github.com/sirupsen/logrus
 4 |   version: ^0.10.0
 5 | - package: github.com/coreos/go-oidc
 6 |   version: f427f54ef96beaa1db5fabbe4fff00de535d5494
 7 |   subpackages:
 8 |   - http
 9 |   - jose
10 |   - key
11 |   - oauth2
12 |   - oidc
13 | - package: github.com/coreos/go-systemd
14 |   version: ^5.0.0
15 |   subpackages:
16 |   - journal
17 | - package: github.com/coreos/goproxy
18 |   version: 25fe2597a3d151ba954d9b3c0fd4663e79de48cc
19 | - package: github.com/coreos/pkg
20 |   version: 1914e367e85eaf0c25d495b48e060dfe6190f8d0
21 |   subpackages:
22 |   - capnslog
23 |   - health
24 |   - httputil
25 |   - timeutil
26 | - package: github.com/davecgh/go-spew
27 |   version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
28 |   subpackages:
29 |   - spew
30 | - package: github.com/gregjones/httpcache
31 |   version: 4b02602f71f4346dfbd3ef8f4d15cc2a318b32c1
32 | - package: github.com/jonboulle/clockwork
33 |   version: ed104f61ea4877bea08af6f759805674861e968d
34 | - package: github.com/patrickmn/go-cache
35 |   version: ^2.0.0
36 | - package: github.com/pmezard/go-difflib
37 |   version: ^1.0.0
38 |   subpackages:
39 |   - difflib
40 | - package: github.com/stretchr/testify
41 |   version: c5d7a69bf8a2c9c374798160849c071093e41dd1
42 |   subpackages:
43 |   - assert
44 | - package: github.com/tylerb/graceful
45 |   version: ^1.2.5
46 | - package: golang.org/x/net
47 |   version: 024ed629fd292398cfd43c9678a5bf004f7defdc
48 |   subpackages:
49 |   - netutil
50 | - package: golang.org/x/sys
51 |   version: a60af9cbbc6ab800af4f2be864a31f423a0ae1f2
52 |   subpackages:
53 |   - unix
54 | - package: gopkg.in/square/go-jose.v2
55 |   version: 77e6c51d4de65c9a8d5a27a99e0e2721b12f1a2c
56 |   subpackages:
57 |   - cipher
58 |   - json
59 | - package: gopkg.in/yaml.v2
60 |   version: a83829b6f1293c91addabc89d0571c246397bbf4
61 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/quay/jwtproxy/v2
 2 | 
 3 | go 1.16
 4 | 
 5 | require (
 6 | 	github.com/coreos/go-oidc v0.0.0-20160330172125-f427f54ef96b
 7 | 	github.com/coreos/go-systemd v0.0.0-20160202211425-7b2428fec400 // indirect
 8 | 	github.com/coreos/goproxy v0.0.0-20170222233530-25fe2597a3d1
 9 | 	github.com/coreos/pkg v0.0.0-20160314094717-1914e367e85e // indirect
10 | 	github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2 // indirect
11 | 	github.com/elazarl/goproxy v0.0.0-20210801061803-8e322dfb79c4 // indirect
12 | 	github.com/elazarl/goproxy/ext v0.0.0-20210801061803-8e322dfb79c4 // indirect
13 | 	github.com/gregjones/httpcache v0.0.0-20160313132734-4b02602f71f4
14 | 	github.com/jonboulle/clockwork v0.0.0-20151121001658-ed104f61ea48 // indirect
15 | 	github.com/kylelemons/godebug v1.1.0 // indirect
16 | 	github.com/patrickmn/go-cache v2.1.0+incompatible
17 | 	github.com/pmezard/go-difflib v1.0.0 // indirect
18 | 	github.com/quay/jwtproxy v0.0.4
19 | 	github.com/sirupsen/logrus v0.11.5
20 | 	github.com/stretchr/testify v1.1.4-0.20160418225827-c5d7a69bf8a2
21 | 	github.com/tylerb/graceful v1.2.15
22 | 	golang.org/x/net v0.0.0-20160403195514-024ed629fd29 // indirect
23 | 	golang.org/x/sys v0.0.0-20160402023915-a60af9cbbc6a // indirect
24 | 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
25 | 	gopkg.in/square/go-jose.v2 v2.0.0-20160419061419-77e6c51d4de6
26 | 	gopkg.in/yaml.v2 v2.0.0-20160301204022-a83829b6f129
27 | )
28 | 


--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
 1 | github.com/coreos/go-oidc v0.0.0-20160330172125-f427f54ef96b h1:8wBHwBSZQMAy7nBEPD0vL/YsaWgk8Ql2mRS9WMfhveE=
 2 | github.com/coreos/go-oidc v0.0.0-20160330172125-f427f54ef96b/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 3 | github.com/coreos/go-systemd v0.0.0-20160202211425-7b2428fec400 h1:hCPDBaGzL6ZFsJtA1LWF9zBccjuenjI9hY/RHTw7BQ8=
 4 | github.com/coreos/go-systemd v0.0.0-20160202211425-7b2428fec400/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 5 | github.com/coreos/goproxy v0.0.0-20170222233530-25fe2597a3d1 h1:VkFoecg+HyrJ4wtRGu+yUpb8F/D5cwQ0c8V7bpHbNA4=
 6 | github.com/coreos/goproxy v0.0.0-20170222233530-25fe2597a3d1/go.mod h1:P9/RgQivLjHe7WUGOIbjfdis83SPgi6T9uCHcZKD4vw=
 7 | github.com/coreos/pkg v0.0.0-20160314094717-1914e367e85e h1:tLoWlLW8vKfnDIIgN16Ir5i+gt8TVGNz1BIulegQsLA=
 8 | github.com/coreos/pkg v0.0.0-20160314094717-1914e367e85e/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 9 | github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2 h1:5zdDAMuB3gvbHB1m2BZT9+t9w+xaBmK3ehb7skDXcwM=
10 | github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
11 | github.com/elazarl/goproxy v0.0.0-20210801061803-8e322dfb79c4 h1:lS3P5Nw3oPO05Lk2gFiYUOL3QPaH+fRoI1wFOc4G1UY=
12 | github.com/elazarl/goproxy v0.0.0-20210801061803-8e322dfb79c4/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
13 | github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
14 | github.com/elazarl/goproxy/ext v0.0.0-20210801061803-8e322dfb79c4 h1:jLY5dBmGEgdHm34NvYB0jQC+M4D+C0cB1C8/5aRdPcw=
15 | github.com/elazarl/goproxy/ext v0.0.0-20210801061803-8e322dfb79c4/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
16 | github.com/gregjones/httpcache v0.0.0-20160313132734-4b02602f71f4 h1:tyGF0+JYF0fgy6ZjVUlRj6WJClc7HhGMEYRUSBsyQDQ=
17 | github.com/gregjones/httpcache v0.0.0-20160313132734-4b02602f71f4/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
18 | github.com/jonboulle/clockwork v0.0.0-20151121001658-ed104f61ea48 h1:zOrm/46W/aI9qWRc9S7eoHpMB30SFPLtqqBCbnNTiiU=
19 | github.com/jonboulle/clockwork v0.0.0-20151121001658-ed104f61ea48/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
20 | github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
21 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
22 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
23 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
24 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
25 | github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
26 | github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
27 | github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
28 | github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
29 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
30 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
31 | github.com/quay/jwtproxy v0.0.4 h1:M7YZxrqLaY0MA20AkWqH+1HGFjxQPLmNrC8TjrkfbwQ=
32 | github.com/quay/jwtproxy v0.0.4/go.mod h1:Q0Zg96r0uvf49Ny3uRJ0Y09CCdtXU54LBntn6NZLShg=
33 | github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
34 | github.com/sirupsen/logrus v0.11.5 h1:X30KsLZ9eg2X2fViSIWKcjKTdyYnmFZHlfxEdvW34Gc=
35 | github.com/sirupsen/logrus v0.11.5/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
36 | github.com/stretchr/testify v1.1.4-0.20160418225827-c5d7a69bf8a2 h1:gkVizhFKAI/CiasTQFtsR9vApnDj/q2V2h5s9uw+gSk=
37 | github.com/stretchr/testify v1.1.4-0.20160418225827-c5d7a69bf8a2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
38 | github.com/tylerb/graceful v1.2.15 h1:B0x01Y8fsJpogzZTkDg6BDi6eMf03s01lEKGdrv83oA=
39 | github.com/tylerb/graceful v1.2.15/go.mod h1:LPYTbOYmUTdabwRt0TGhLllQ0MUNbs0Y5q1WXJOI9II=
40 | golang.org/x/net v0.0.0-20160403195514-024ed629fd29 h1:W9mRIOMnefGPZ+eESn6okKVzMv/jpUA/m1VvP87BsMk=
41 | golang.org/x/net v0.0.0-20160403195514-024ed629fd29/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
42 | golang.org/x/sys v0.0.0-20160402023915-a60af9cbbc6a h1:9FQGJpE2vJ8LyqeRH0fYJQ40ooWmR7lGPalEE9opLZw=
43 | golang.org/x/sys v0.0.0-20160402023915-a60af9cbbc6a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
44 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
45 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
46 | gopkg.in/square/go-jose.v2 v2.0.0-20160419061419-77e6c51d4de6 h1:RyAf/XLLLyl4slUANLPdRW5IUcoZVKcHL0F6jiAP9Ps=
47 | gopkg.in/square/go-jose.v2 v2.0.0-20160419061419-77e6c51d4de6/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
48 | gopkg.in/yaml.v2 v2.0.0-20160301204022-a83829b6f129 h1:RBgb9aPUbZ9nu66ecQNIBNsA7j3mB5h8PNDIfhPjaJg=
49 | gopkg.in/yaml.v2 v2.0.0-20160301204022-a83829b6f129/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
50 | 


--------------------------------------------------------------------------------
/jwt/claims/static/static.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package static
16 | 
17 | import (
18 | 	"fmt"
19 | 	"net/http"
20 | 	"reflect"
21 | 
22 | 	"github.com/coreos/go-oidc/jose"
23 | 	log "github.com/sirupsen/logrus"
24 | 
25 | 	"github.com/quay/jwtproxy/config"
26 | 	"github.com/quay/jwtproxy/jwt/claims"
27 | 	"github.com/quay/jwtproxy/stop"
28 | )
29 | 
30 | func init() {
31 | 	claims.Register("static", constructor)
32 | }
33 | 
34 | type Static struct {
35 | 	requiredClaims map[string]interface{}
36 | }
37 | 
38 | func (scv *Static) Handle(req *http.Request, claims jose.Claims) error {
39 | 	log.Debugf("Verifying %d claims", len(scv.requiredClaims))
40 | 	for name, requiredValue := range scv.requiredClaims {
41 | 		log.Debugf("Verifying claim named: %s", name)
42 | 		// Look for the claim in the JWT claims.
43 | 		if found, ok := claims[name]; ok {
44 | 			if !reflect.DeepEqual(found, requiredValue) {
45 | 				return fmt.Errorf("Claim did not have the required value: %s", name)
46 | 			}
47 | 		} else {
48 | 			return fmt.Errorf("Required claim not found: %s", name)
49 | 		}
50 | 	}
51 | 
52 | 	return nil
53 | }
54 | 
55 | func (scv *Static) Stop() <-chan struct{} {
56 | 	return stop.AlreadyDone
57 | }
58 | 
59 | func constructor(registrableComponentConfig config.RegistrableComponentConfig) (claims.Verifier, error) {
60 | 	return &Static{
61 | 		requiredClaims: registrableComponentConfig.Options,
62 | 	}, nil
63 | }
64 | 


--------------------------------------------------------------------------------
/jwt/claims/verifier.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package claims
16 | 
17 | import (
18 | 	"fmt"
19 | 	"net/http"
20 | 
21 | 	"github.com/coreos/go-oidc/jose"
22 | 
23 | 	"github.com/quay/jwtproxy/config"
24 | 	"github.com/quay/jwtproxy/stop"
25 | )
26 | 
27 | type Constructor func(config.RegistrableComponentConfig) (Verifier, error)
28 | 
29 | type Verifier interface {
30 | 	stop.Stoppable
31 | 	Handle(*http.Request, jose.Claims) error
32 | }
33 | 
34 | var verifierTypes = make(map[string]Constructor)
35 | 
36 | func Register(name string, vc Constructor) {
37 | 	if vc == nil {
38 | 		panic("server: could not register nil Verifier Constructor")
39 | 	}
40 | 	if _, dup := verifierTypes[name]; dup {
41 | 		panic("server: could not register duplicate Verifier Constructor type: " + name)
42 | 	}
43 | 	verifierTypes[name] = vc
44 | }
45 | 
46 | func New(cfg config.RegistrableComponentConfig) (Verifier, error) {
47 | 	vc, ok := verifierTypes[cfg.Type]
48 | 	if !ok {
49 | 		return nil, fmt.Errorf("server: unknown Verifier Constructor type %q (forgotten import?)", cfg.Type)
50 | 	}
51 | 	return vc(cfg)
52 | }
53 | 


--------------------------------------------------------------------------------
/jwt/jwt.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package jwt
 16 | 
 17 | import (
 18 | 	"errors"
 19 | 	"math/rand"
 20 | 	"net/http"
 21 | 	"net/url"
 22 | 	"strings"
 23 | 	"time"
 24 | 
 25 | 	"github.com/coreos/go-oidc/jose"
 26 | 	"github.com/coreos/go-oidc/key"
 27 | 	"github.com/coreos/go-oidc/oidc"
 28 | 	log "github.com/sirupsen/logrus"
 29 | 
 30 | 	"github.com/quay/jwtproxy/config"
 31 | 	"github.com/quay/jwtproxy/jwt/keyserver"
 32 | 	"github.com/quay/jwtproxy/jwt/noncestorage"
 33 | )
 34 | 
 35 | const (
 36 | 	nonceBytes   = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
 37 | 	nonceIdxBits = 6                   // 6 bits to represent a nonce index
 38 | 	nonceIdxMask = 1<<nonceIdxBits - 1 // All 1-bits, as many as nonceIdxBits
 39 | 	nonceIdxMax  = 63 / nonceIdxBits   // # of nonce indices fitting in 63 bits
 40 | )
 41 | 
 42 | var randSource rand.Source
 43 | 
 44 | func init() {
 45 | 	randSource = rand.NewSource(time.Now().UnixNano())
 46 | }
 47 | 
 48 | func Sign(req *http.Request, key *key.PrivateKey, params config.SignerParams) error {
 49 | 	// Create Claims.
 50 | 	claims := jose.Claims{
 51 | 		"iss": params.Issuer,
 52 | 		"aud": req.URL.Scheme + "://" + req.URL.Host,
 53 | 		"iat": time.Now().Unix(),
 54 | 		"nbf": time.Now().Add(-params.MaxSkew).Unix(),
 55 | 		"exp": time.Now().Add(params.ExpirationTime).Unix(),
 56 | 		"jti": generateNonce(params.NonceLength),
 57 | 	}
 58 | 
 59 | 	// Create JWT.
 60 | 	jwt, err := jose.NewSignedJWT(claims, key.Signer())
 61 | 	if err != nil {
 62 | 		return err
 63 | 	}
 64 | 
 65 | 	// Add it as a header in the request.
 66 | 	req.Header.Add("Authorization", "Bearer "+jwt.Encode())
 67 | 
 68 | 	return nil
 69 | }
 70 | 
 71 | func Verify(req *http.Request, keyServer keyserver.Reader, nonceVerifier noncestorage.NonceStorage, audience *url.URL, maxSkew time.Duration, maxTTL time.Duration) (jose.Claims, error) {
 72 | 	// Extract token from request.
 73 | 	token, err := oidc.ExtractBearerToken(req)
 74 | 	if err != nil {
 75 |                 username, password, ok := req.BasicAuth()
 76 |                 if !ok && username == "oauth2" {
 77 | 		        return nil, errors.New("No JWT found")
 78 |                 }
 79 | 		token = password
 80 | 	}
 81 | 
 82 | 	// Parse token.
 83 | 	jwt, err := jose.ParseJWT(token)
 84 | 	if err != nil {
 85 | 		return nil, errors.New("Could not parse JWT")
 86 | 	}
 87 | 
 88 | 	claims, err := jwt.Claims()
 89 | 	if err != nil {
 90 | 		return nil, errors.New("Could not parse JWT claims")
 91 | 	}
 92 | 
 93 | 	// Verify claims.
 94 | 	now := time.Now().UTC()
 95 | 	kid, exists := jwt.Header["kid"]
 96 | 	if !exists {
 97 | 		return nil, errors.New("Missing 'kid' claim")
 98 | 	}
 99 | 	iss, exists, err := claims.StringClaim("iss")
100 | 	if !exists || err != nil {
101 | 		return nil, errors.New("Missing or invalid 'iss' claim")
102 | 	}
103 | 	aud, exists, err := claims.StringClaim("aud")
104 | 	if !exists || err != nil || !verifyAudience(aud, audience) {
105 | 		return nil, errors.New("Missing or invalid 'aud' claim")
106 | 	}
107 | 	exp, exists, err := claims.TimeClaim("exp")
108 | 	if !exists || err != nil || exp.Before(now) {
109 | 		return nil, errors.New("Missing or invalid 'exp' claim")
110 | 	}
111 | 	nbf, exists, err := claims.TimeClaim("nbf")
112 | 	if !exists || err != nil || nbf.After(now) {
113 | 		return nil, errors.New("Missing or invalid 'nbf' claim")
114 | 	}
115 | 	iat, exists, err := claims.TimeClaim("iat")
116 | 	if !exists || err != nil || iat.Add(-maxSkew).After(now) {
117 | 		return nil, errors.New("Missing or invalid 'iat' claim")
118 | 	}
119 | 	if exp.Sub(iat) > maxTTL {
120 | 		return nil, errors.New("Invalid 'exp' claim (too long)")
121 | 	}
122 | 	jti, exists, err := claims.StringClaim("jti")
123 | 	if !exists || err != nil || !nonceVerifier.Verify(jti, exp) {
124 | 		return nil, errors.New("Missing or invalid 'jti' claim")
125 | 	}
126 | 
127 | 	// Verify signature.
128 | 	publicKey, err := keyServer.GetPublicKey(iss, kid)
129 | 	if err == keyserver.ErrPublicKeyNotFound {
130 | 		return nil, err
131 | 	} else if err != nil {
132 | 		log.Errorf("Could not get public key from key server: %s", err)
133 | 		return nil, errors.New("Unexpected key server error")
134 | 	}
135 | 
136 | 	verifier, err := publicKey.Verifier()
137 | 	if err != nil {
138 | 		log.Errorf("Could not create JWT verifier for public key '%s': %s", publicKey.ID(), err)
139 | 		return nil, errors.New("Unexpected verifier initialization failure")
140 | 	}
141 | 
142 | 	if verifier.Verify(jwt.Signature, []byte(jwt.Data())) != nil {
143 | 		return nil, errors.New("Invalid JWT signature")
144 | 	}
145 | 
146 | 	return claims, nil
147 | }
148 | 
149 | func verifyAudience(actual string, expected *url.URL) bool {
150 | 	actualURL, err := url.Parse(actual)
151 | 	if err != nil {
152 | 		return false
153 | 	}
154 | 	return strings.EqualFold(actualURL.Scheme+"://"+actualURL.Host, expected.Scheme+"://"+expected.Host)
155 | }
156 | 
157 | // https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-golang
158 | func generateNonce(n int) string {
159 | 	b := make([]byte, n)
160 | 	for i, cache, remain := n-1, randSource.Int63(), nonceIdxMax; i >= 0; {
161 | 		if remain == 0 {
162 | 			cache, remain = randSource.Int63(), nonceIdxMax
163 | 		}
164 | 		if idx := int(cache & nonceIdxMask); idx < len(nonceBytes) {
165 | 			b[i] = nonceBytes[idx]
166 | 			i--
167 | 		}
168 | 		cache >>= nonceIdxBits
169 | 		remain--
170 | 	}
171 | 	return string(b)
172 | }
173 | 


--------------------------------------------------------------------------------
/jwt/jwt_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package jwt
 16 | 
 17 | import (
 18 | 	"crypto/x509"
 19 | 	"encoding/pem"
 20 | 	"errors"
 21 | 	"math/big"
 22 | 	"net/http"
 23 | 	"net/url"
 24 | 	"testing"
 25 | 	"time"
 26 | 
 27 | 	"github.com/coreos/go-oidc/jose"
 28 | 	"github.com/coreos/go-oidc/key"
 29 | 	"github.com/coreos/go-oidc/oidc"
 30 | 	"github.com/quay/jwtproxy/config"
 31 | 	"github.com/quay/jwtproxy/stop"
 32 | 	"github.com/stretchr/testify/assert"
 33 | )
 34 | 
 35 | const privateKey = `
 36 | -----BEGIN RSA PRIVATE KEY-----
 37 | MIIBOAIBAAJAZ8S1IuX54K3bLtLuf47+etBSCcutD0GzUbog92BDmJwHlEiIPsdC
 38 | VEoHN0FnV3EXSuaBpoV2mQkwDcoyq9xWkwIDAQABAkBY47x25KIkwUlc1vvO8WM1
 39 | OXbNRVg+FX3SqKrMvf2poAfGIPM9tRwrvzs8vSTcXQus9EnUnem1LWIDUkFOSXKB
 40 | AiEAqLwPnbLlly8LP+vHt6FaYcAlEAHBAE7iT22qQAVjIHECIQCdb1H0IOt9y/HB
 41 | T+yXf/F/x37RfcVvujR8/ql+YqTpQwIgf+8m//CWN0zKAMsqgEZsmtTuxPYveaZV
 42 | 3NdPUH9FK2ECID7TUqgSjwdHYLVdGLQoiY4NZW1iPGzmqNWMpsTZxqeTAiBjSNOD
 43 | im92fadzPg+oTXIQIjlHhGgf7CKb5VwFuH9+gA==
 44 | -----END RSA PRIVATE KEY-----
 45 | `
 46 | 
 47 | type testService struct {
 48 | 	// privatekey
 49 | 	privkey        *key.PrivateKey
 50 | 	sendBadPrivKey bool
 51 | 
 52 | 	// keyserver
 53 | 	issuer        string
 54 | 	sendBadPubKey bool
 55 | 
 56 | 	// noncestorage
 57 | 	refuseNonce bool
 58 | }
 59 | 
 60 | func (ts *testService) GetPrivateKey() (*key.PrivateKey, error) {
 61 | 	p := *ts.privkey
 62 | 	if ts.sendBadPrivKey {
 63 | 		p.PrivateKey.D.Add(p.PrivateKey.D, big.NewInt(1))
 64 | 	}
 65 | 
 66 | 	return &p, nil
 67 | }
 68 | 
 69 | func (ts *testService) GetPublicKey(issuer string, keyID string) (*key.PublicKey, error) {
 70 | 	if ts.issuer != issuer || ts.privkey.KeyID != keyID {
 71 | 		return nil, errors.New("unknown public key")
 72 | 	}
 73 | 
 74 | 	jwk := ts.privkey.JWK()
 75 | 	if ts.sendBadPubKey {
 76 | 		jwk.Exponent = jwk.Exponent + 1
 77 | 	}
 78 | 
 79 | 	return key.NewPublicKey(jwk), nil
 80 | }
 81 | 
 82 | func (ts *testService) Verify(nonce string, expiration time.Time) bool {
 83 | 	return !ts.refuseNonce
 84 | }
 85 | 
 86 | func (ts *testService) Stop() <-chan struct{} {
 87 | 	return stop.AlreadyDone
 88 | }
 89 | 
 90 | func TestJWT(t *testing.T) {
 91 | 	// Create a request to sign.
 92 | 	req, _ := http.NewRequest("GET", "http://foo.bar:6666/ez", nil)
 93 | 
 94 | 	// Create a public/private key pair used to sign/verify.
 95 | 	pkb, _ := pem.Decode([]byte(privateKey))
 96 | 	pkr, _ := x509.ParsePKCS1PrivateKey(pkb.Bytes)
 97 | 	pk := &key.PrivateKey{
 98 | 		KeyID:      "foo",
 99 | 		PrivateKey: pkr,
100 | 	}
101 | 
102 | 	// Create a test service to act as a keyserver and as a privatekey provider.
103 | 	services := &testService{
104 | 		privkey:        pk,
105 | 		sendBadPrivKey: false,
106 | 		issuer:         "issuer",
107 | 		sendBadPubKey:  false,
108 | 		refuseNonce:    false,
109 | 	}
110 | 
111 | 	// Create a default (and valid) configuration to sign and verify requests.
112 | 	aud, _ := url.Parse("http://foo.bar:6666/ez")
113 | 	defaultConfig := &signAndVerifyParams{
114 | 		services: services,
115 | 		signerParams: config.SignerParams{
116 | 			Issuer:         services.issuer,
117 | 			ExpirationTime: 1 * time.Minute,
118 | 			MaxSkew:        1 * time.Minute,
119 | 			NonceLength:    8,
120 | 		},
121 | 		aud:     aud,
122 | 		maxSkew: time.Minute,
123 | 		maxTTL:  5 * time.Minute,
124 | 	}
125 | 
126 | 	// Basic sign / verify.
127 | 	assert.Nil(t, signAndVerify(t, req, *defaultConfig, nil))
128 | 
129 | 	// Alter a claim.
130 | 	claimModifier := func(req *http.Request) {
131 | 		token, err := oidc.ExtractBearerToken(req)
132 | 		assert.Nil(t, err)
133 | 
134 | 		jwt, err := jose.ParseJWT(token)
135 | 		assert.Nil(t, err)
136 | 
137 | 		claims, err := jwt.Claims()
138 | 		assert.Nil(t, err)
139 | 
140 | 		// Alter the nonce.
141 | 		claims.Add("jti", "foo")
142 | 
143 | 		// Create a new JWT having the same headers and signature but altered claims.
144 | 		// This is the only way to encode the claims with jose.
145 | 		modifiedJWT, err := jose.NewJWT(jwt.Header, claims)
146 | 		assert.Nil(t, err)
147 | 		modifiedJWT.Signature = jwt.Signature
148 | 
149 | 		req.Header.Set("Authorization", "Bearer "+modifiedJWT.Encode())
150 | 	}
151 | 	assert.Error(t, signAndVerify(t, req, *defaultConfig, claimModifier))
152 | 
153 | 	// Invalid nonce.
154 | 	cfg := *defaultConfig
155 | 	cfg.services.refuseNonce = true
156 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
157 | 
158 | 	// Wrong audience.
159 | 	cfg = *defaultConfig
160 | 	cfg.aud, _ = url.Parse("http://dummy.silly/")
161 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
162 | 
163 | 	req2, _ := http.NewRequest("GET", "http://silly.dummy/", nil)
164 | 	assert.Error(t, signAndVerify(t, req2, cfg, nil))
165 | 
166 | 	// Signed for too long.
167 | 	cfg = *defaultConfig
168 | 	cfg.maxTTL = 30 * time.Second
169 | 	assert.Error(t, signAndVerify(t, req2, cfg, nil))
170 | 
171 | 	// Expired.
172 | 	cfg = *defaultConfig
173 | 	cfg.signerParams.ExpirationTime = -time.Second
174 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
175 | 
176 | 	// Used too early.
177 | 	// Abuse the signer's MaxSkew parameter to make the JWT valid only after a minute.
178 | 	cfg = *defaultConfig
179 | 	cfg.signerParams.MaxSkew = -time.Minute
180 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
181 | 
182 | 	// Issued in the future.
183 | 	// Abuse the verifier's MaxSkew parameter to make the JWT looks like it has been signed in the
184 | 	// future.
185 | 	cfg = *defaultConfig
186 | 	cfg.maxSkew = -time.Minute
187 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
188 | 
189 | 	// Mismatch public/private keys.
190 | 	cfg = *defaultConfig
191 | 	cfg.services.sendBadPubKey = true
192 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
193 | 
194 | 	cfg = *defaultConfig
195 | 	cfg.services.sendBadPrivKey = true
196 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
197 | 
198 | 	// Wrong issuer (leads to a bad/unknown private key).
199 | 	cfg = *defaultConfig
200 | 	cfg.signerParams.Issuer = "dummy"
201 | 	assert.Error(t, signAndVerify(t, req, cfg, nil))
202 | }
203 | 
204 | type signAndVerifyParams struct {
205 | 	services *testService
206 | 
207 | 	// Sign.
208 | 	signerParams config.SignerParams
209 | 
210 | 	// Verify.
211 | 	aud     *url.URL
212 | 	maxSkew time.Duration
213 | 	maxTTL  time.Duration
214 | }
215 | 
216 | type requestModifier func(req *http.Request)
217 | 
218 | func signAndVerify(t *testing.T, req *http.Request, p signAndVerifyParams, modify requestModifier) error {
219 | 	// Sign.
220 | 	pk, _ := p.services.GetPrivateKey()
221 | 	assert.Nil(t, Sign(req, pk, p.signerParams))
222 | 
223 | 	// Modify signed request.
224 | 	if modify != nil {
225 | 		modify(req)
226 | 	}
227 | 
228 | 	// Verify.
229 | 	_, err := Verify(req, p.services, p.services, p.aud, p.maxSkew, p.maxTTL)
230 | 	return err
231 | }
232 | 


--------------------------------------------------------------------------------
/jwt/keyserver/keyregistry/README.md:
--------------------------------------------------------------------------------
  1 | # Key Server Specification
  2 | 
  3 | This document covers what exactly it means for a server to be JWK public keys registry compliant. This is intended as an extension to the [JWK set spec](https://tools.ietf.org/html/rfc7517#section-5). 
  4 | 
  5 | ## Terminology
  6 | | Term | Definition |
  7 | |---|---|
  8 | | private key | The private half of an asymmetric key which can be used to generate unforgeable signatures. |
  9 | | public key | The public half of an asymmetric key which can be shared and is used to verify a signature made with a private key. |
 10 | | key id | (**kid**) A unique opaque string which is used to refer to a key by name. This is often implemented as a fingerprint of the key. |
 11 | | issuer | (**iss**) An isssuer is the entity responsible for minting and signing a JWT. In JWK key server parlance, this is the holder of the private key. |
 12 | | service | This is synonymous with issuer for JWT purposes, but is made more generic in the key server routes |
 13 | 
 14 | ## Operations
 15 | 
 16 | The following operations can be performed against the specified endpoints of a JWK key server compliant server.
 17 | 
 18 | ### List All Public Keys for a Service
 19 | 
 20 | ```
 21 | GET /services/<service_name>/keys
 22 | ```
 23 | 
 24 | Example response:
 25 | 
 26 | ```
 27 | 200 OK
 28 | 
 29 | {
 30 |   keys: [
 31 |     { 
 32 |       <JWK contents>
 33 |     },
 34 |     {
 35 |       <JWK contents>
 36 |     }   
 37 |   ]
 38 | }
 39 | ```
 40 | 
 41 | This call is guaranteed to always return a response, even if the service is unknown.
 42 | 
 43 | ### Fetch a Single Public Key by ID
 44 | 
 45 | ```
 46 | GET /services/<service_name>/keys/<key_id>
 47 | ```
 48 | 
 49 | Response if they key is **published and approved**:
 50 | 
 51 | ```
 52 | 200 OK
 53 | 
 54 | Cache-Control: max-age=<cache time in seconds>
 55 | 
 56 | {
 57 |   <JWK content>
 58 | }
 59 | ```
 60 | 
 61 | Response if the key was published but **awaiting approval**:
 62 | 
 63 | ```
 64 | 409 Conflict
 65 | ```
 66 | 
 67 | Response if the key was previously approved, but is now **expired**:
 68 | 
 69 | ```
 70 | 403 Forbidden
 71 | ```
 72 | 
 73 | Response if the key is **unknown**:
 74 | 
 75 | ```
 76 | 404 Unknown
 77 | ```
 78 | 
 79 | ### Publish a New Public Key for a Service
 80 | 
 81 | Publishing a new JWK requires that the request be authorized by a signed JWT. The server requires that the key id be specified as a `kid` JWT header, and that the `iss` issuer claim match the `<service_name>`. If this is a brand new key, the request must be self-signed (i.e. the JWT signature was made by the private key for which we're attempting to publish a public key). If this is a key rotation request, the request must be signed by a key which appears in the key list for this service (i.e. is currently approved and unexpired).
 82 | 
 83 | The optional argument `expiration` specifies the [unix time](https://en.wikipedia.org/wiki/Unix_time) as an integer number of seconds since the epoch at which time the key will expire.
 84 | 
 85 | The optional argument `rotation` is for guidance only, and specifies the anticipated amount of time as an integer number of seconds between key rotations. A key server can use this value to determine if an origin server missed a rotation request, and therefore may be unhealthy.
 86 | 
 87 | **NOTE:** Successfully rotating a key revokes the key that we signed the rotation request with when successful.
 88 | 
 89 | ```
 90 | PUT /services/<service_name>/keys/<key_id>[?expiration=<timestamp>[&rotation=<seconds>]]
 91 | 
 92 | Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
 93 | 
 94 | {
 95 |   <JWK contents>
 96 | }
 97 | ```
 98 | 
 99 | Response when a **new key** is published and **requires approval**:
100 | 
101 | ```
102 | 202 Accepted
103 | ```
104 | 
105 | Response when an **existing key** is successfully **replaced**:
106 | 
107 | ```
108 | 200 OK
109 | ```
110 | 
111 | Response when the request is signed with an **inappropriate key**:
112 | 
113 | ```
114 | 403 Forbidden
115 | ```
116 | 
117 | All other failures are interpreted as client errors:
118 | 
119 | ```
120 | 400 Bad Request
121 | ```
122 | 
123 | ### Revoke a Published Key
124 | 
125 | **NOTE:** There is no cache invalidation or revocation list mechanism in place. There are no guarantees that a revoked key will not be interpreted as successful by clients with a cached copy of the key until the key finally expires.
126 | 
127 | Revoking a public key requires that the request be authorized with a JWT which was signed by the key being revoked.
128 | 
129 | ```
130 | DELETE /services/<service_name>/keys/<key_id>
131 | ```
132 | 
133 | Response when the key is **successfully revoked**:
134 | 
135 | ```
136 | 204 No Content
137 | ```
138 | 
139 | Response when the request is not properly self signed:
140 | 
141 | ```
142 | 403 Forbidden
143 | ```
144 | 
145 | All other failures are interpreted as client errors:
146 | 
147 | ```
148 | 400 Bad Request
149 | ```
150 | 
151 | ## Client Use Cases
152 | 
153 | There are two primary ways that we intend the key server to be used. In the verifier use case, we use the key server to validate a request that we've already received. In the manager use case, we autogenerate a key, publish it, and then autorotate it on a schedule.
154 | 
155 | ### Verifier
156 | 
157 | This is how the client is expected to use the key server to verify the origin of a JWT:
158 | 
159 | 1. Receive a request signed with a JWT
160 | 2. Extract the `kid` JWT header
161 | 3. Extract the `iss` issuer claim from the JWT body
162 | 4. Fetch the public key from `/services/<iss>/keys/<kid>`
163 | 	* If the public key is unknown, the request fails
164 | 5. Use the public key to verify the signature on the JWT
165 | 	* If the signature does not validate with the public key, the request fails 
166 | 
167 | ### Manager
168 | 
169 | This is roughly how a client can use the publish and fetch endpoints to publish and autorotate a key:
170 | 
171 | 1. Generate a new public/private key pair
172 | 2. Serialize the public portion as a JWK
173 | 3. Generate a JWT, setting all of the strict jwt claims:
174 | 	* `iss`: our own service issuer name
175 | 	* `aud`: the scheme and hostname of the key server, e.g. `https://mykeyserver.com`
176 | 	* `exp`: an expiration time a short while from now, but not too short
177 | 	* `iat`: the time at which the JWT was generated
178 | 	* `nbf`: a short time in the past to accommodate clock skew
179 | 4. Sign the JWT with the private portion of our new key pair
180 | 5. Set the `kid` claim in our JWT headers to be the opaque ID string for our new key
181 | 6. `PUT /services/<iss>/keys/<kid>` -> 202
182 | 7. Poll `GET /services/<iss>/keys/<kid>` until 409 responses turn into 200
183 | 8. Our key is now published and approved
184 | 
185 | Rotating a key:
186 | 
187 | 1. Generate a new public/priate key pair
188 | 2. Follow the steps above to create a JWT with the required claims
189 | 3. Sign the JWT with the private portion of our **previously approved and still active key**
190 | 4. `PUT /services/<iss>/keys/<kid>` -> 200
191 | 5. Our new key is now active, and our previous key is revoked.
192 | 


--------------------------------------------------------------------------------
/jwt/keyserver/keyregistry/keycache/keycache.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package keycache
16 | 
17 | import (
18 | 	"fmt"
19 | 
20 | 	"github.com/gregjones/httpcache"
21 | 
22 | 	"github.com/quay/jwtproxy/config"
23 | 	"github.com/quay/jwtproxy/stop"
24 | )
25 | 
26 | type Constructor func(config.RegistrableComponentConfig) (Cache, error)
27 | 
28 | type Cache interface {
29 | 	stop.Stoppable
30 | 	httpcache.Cache
31 | }
32 | 
33 | var keycaches = make(map[string]Constructor)
34 | 
35 | func RegisterCache(name string, c Constructor) {
36 | 	if c == nil {
37 | 		panic("server: could not register nil ReaderConstructor")
38 | 	}
39 | 	if _, dup := keycaches[name]; dup {
40 | 		panic("server: could not register duplicate ReaderConstructor: " + name)
41 | 	}
42 | 	keycaches[name] = c
43 | }
44 | 
45 | func NewCache(cfg config.RegistrableComponentConfig) (Cache, error) {
46 | 	c, ok := keycaches[cfg.Type]
47 | 	if !ok {
48 | 		return nil, fmt.Errorf("server: unknown Cache type %q (forgotten import?)", cfg.Type)
49 | 	}
50 | 	return c(cfg)
51 | }
52 | 


--------------------------------------------------------------------------------
/jwt/keyserver/keyregistry/keycache/memory/memory.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package memory
16 | 
17 | import (
18 | 	"github.com/gregjones/httpcache"
19 | 	log "github.com/sirupsen/logrus"
20 | 
21 | 	"github.com/quay/jwtproxy/config"
22 | 	"github.com/quay/jwtproxy/jwt/keyserver/keyregistry/keycache"
23 | 	"github.com/quay/jwtproxy/stop"
24 | )
25 | 
26 | func init() {
27 | 	keycache.RegisterCache("memory", constructor)
28 | }
29 | 
30 | type cache struct {
31 | 	*httpcache.MemoryCache
32 | }
33 | 
34 | func constructor(registrableComponentConfig config.RegistrableComponentConfig) (keycache.Cache, error) {
35 | 	log.Debug("Initializing in-memory key cache.")
36 | 
37 | 	return &cache{
38 | 		MemoryCache: httpcache.NewMemoryCache(),
39 | 	}, nil
40 | }
41 | 
42 | func (c *cache) Stop() <-chan struct{} {
43 | 	return stop.AlreadyDone
44 | }
45 | 


--------------------------------------------------------------------------------
/jwt/keyserver/keyregistry/keyregistry.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package keyregistry
 16 | 
 17 | import (
 18 | 	"bytes"
 19 | 	"encoding/json"
 20 | 	"fmt"
 21 | 	"io"
 22 | 	"io/ioutil"
 23 | 	"net/http"
 24 | 	"net/url"
 25 | 	"path"
 26 | 	"strconv"
 27 | 	"sync"
 28 | 	"time"
 29 | 
 30 | 	"github.com/coreos/go-oidc/key"
 31 | 	"github.com/gregjones/httpcache"
 32 | 	log "github.com/sirupsen/logrus"
 33 | 	"gopkg.in/yaml.v2"
 34 | 
 35 | 	"github.com/quay/jwtproxy/config"
 36 | 	"github.com/quay/jwtproxy/jwt"
 37 | 	"github.com/quay/jwtproxy/jwt/keyserver"
 38 | 	"github.com/quay/jwtproxy/jwt/keyserver/keyregistry/keycache"
 39 | )
 40 | 
 41 | func init() {
 42 | 	keyserver.RegisterReader("keyregistry", constructReader)
 43 | 	keyserver.RegisterManager("keyregistry", constructManager)
 44 | }
 45 | 
 46 | type client struct {
 47 | 	cache        keycache.Cache
 48 | 	registry     *url.URL
 49 | 	signerParams config.SignerParams
 50 | 	stopping     chan struct{}
 51 | 	inFlight     *sync.WaitGroup
 52 | 	httpClient   *http.Client
 53 | }
 54 | 
 55 | type Config struct {
 56 | 	Registry config.URL `yaml:"registry"`
 57 | }
 58 | 
 59 | type ReaderConfig struct {
 60 | 	Config `yaml:",inline"'`
 61 | 	Cache  *config.RegistrableComponentConfig `yaml:"cache"`
 62 | }
 63 | 
 64 | func (krc *client) GetPublicKey(issuer string, keyID string) (*key.PublicKey, error) {
 65 | 	// Query key registry for a public key matching the given issuer and key ID.
 66 | 	pubkeyURL := krc.absURL("services", issuer, "keys", keyID)
 67 | 	pubkeyReq, err := krc.prepareRequest("GET", pubkeyURL, nil)
 68 | 	if err != nil {
 69 | 		return nil, err
 70 | 	}
 71 | 	resp, err := krc.httpClient.Do(pubkeyReq)
 72 | 	if err != nil {
 73 | 		return nil, err
 74 | 	}
 75 | 	defer resp.Body.Close()
 76 | 	if resp.StatusCode != http.StatusOK {
 77 | 		switch resp.StatusCode {
 78 | 		case http.StatusNotFound:
 79 | 			return nil, keyserver.ErrPublicKeyNotFound
 80 | 		case http.StatusForbidden:
 81 | 			return nil, keyserver.ErrPublicKeyExpired
 82 | 		default:
 83 | 			bodyBytes, bodyErr := ioutil.ReadAll(resp.Body)
 84 | 			if bodyErr != nil {
 85 | 				bodyBytes = []byte{}
 86 | 			}
 87 | 
 88 | 			rerr := fmt.Errorf("Got unexpected response from key server: %v: %s", resp.StatusCode, string(bodyBytes))
 89 | 			return nil, rerr
 90 | 		}
 91 | 	}
 92 | 
 93 | 	// Decode the public key we received as a JSON-encoded JWK.
 94 | 	var pk key.PublicKey
 95 | 	jsonDecoder := json.NewDecoder(resp.Body)
 96 | 	err = jsonDecoder.Decode(&pk)
 97 | 	if err != nil {
 98 | 		return nil, err
 99 | 	}
100 | 
101 | 	return &pk, nil
102 | }
103 | 
104 | func (krc *client) VerifyPublicKey(keyID string) error {
105 | 	_, err := krc.GetPublicKey(krc.signerParams.Issuer, keyID)
106 | 	return err
107 | }
108 | 
109 | func (krc *client) PublishPublicKey(key *key.PublicKey, policy *keyserver.KeyPolicy, signingKey *key.PrivateKey) *keyserver.PublishResult {
110 | 	// Create a channel that will track the response status.
111 | 	publishResult := keyserver.NewPublishResult()
112 | 	krc.inFlight.Add(1)
113 | 
114 | 	go func() {
115 | 		defer krc.inFlight.Done()
116 | 		// Serialize the jwk as the body.
117 | 		body, err := json.Marshal(key)
118 | 		if err != nil {
119 | 			publishResult.SetError(err)
120 | 			return
121 | 		}
122 | 
123 | 		// Create an HTTP request to the key server to publish a new key.
124 | 		publishURL := krc.absURL("services", krc.signerParams.Issuer, "keys", key.ID())
125 | 
126 | 		queryParams := publishURL.Query()
127 | 		if policy.Expiration != nil {
128 | 			log.Debug("Adding expiration time: ", policy.Expiration)
129 | 			queryParams.Add("expiration", strconv.FormatInt(policy.Expiration.Unix(), 10))
130 | 		}
131 | 		if policy.RotationPolicy != nil {
132 | 			log.Debug("Adding rotation time: ", policy.RotationPolicy)
133 | 			queryParams.Add("rotation", strconv.Itoa(int(policy.RotationPolicy.Seconds())))
134 | 		}
135 | 		publishURL.RawQuery = queryParams.Encode()
136 | 
137 | 		resp, err := krc.signAndDo("PUT", publishURL, bytes.NewReader(body), signingKey)
138 | 		if err != nil {
139 | 			publishResult.SetError(err)
140 | 			return
141 | 		}
142 | 
143 | 		switch resp.StatusCode {
144 | 		case http.StatusOK:
145 | 			// Published successfully.
146 | 			publishResult.Success()
147 | 			return
148 | 		case http.StatusAccepted:
149 | 			monPublishLog := log.WithFields(log.Fields{
150 | 				"keyID":        key.ID()[0:10],
151 | 				"signingKeyID": signingKey.ID()[0:10],
152 | 			})
153 | 
154 | 			// Our key couldn't be published immediately because it requires
155 | 			// approval. Loop until it becomes approved or the whole process
156 | 			// gets canceled.
157 | 			monPublishLog.Debug("Monitoring publish status")
158 | 			monURL := krc.absURL("services", krc.signerParams.Issuer, "keys", key.ID())
159 | 
160 | 			pollPeriod := time.NewTicker(1 * time.Second)
161 | 			defer pollPeriod.Stop()
162 | 
163 | 			for {
164 | 				select {
165 | 				case <-pollPeriod.C:
166 | 					checkReq, err := krc.prepareRequest("GET", monURL, nil)
167 | 					if err != nil {
168 | 						publishResult.SetError(err)
169 | 						return
170 | 					}
171 | 
172 | 					checkPublished, err := krc.httpClient.Do(checkReq)
173 | 					if err != nil {
174 | 						publishResult.SetError(err)
175 | 						return
176 | 					}
177 | 
178 | 					switch checkPublished.StatusCode {
179 | 					case http.StatusOK:
180 | 						publishResult.Success()
181 | 						return
182 | 					case http.StatusConflict:
183 | 						monPublishLog.Debug("Key not yet approved, waiting")
184 | 					default:
185 | 						checkPublishedErr := fmt.Errorf(
186 | 							"Unexpected response code when checking approval status %d",
187 | 							checkPublished.StatusCode,
188 | 						)
189 | 						publishResult.SetError(checkPublishedErr)
190 | 						return
191 | 					}
192 | 
193 | 				case <-publishResult.WaitForCancel():
194 | 					monPublishLog.Debug("Canceling key publication monitor goroutine")
195 | 					canceledErr := fmt.Errorf("Key publication monitor canceled")
196 | 					publishResult.SetError(canceledErr)
197 | 					return
198 | 				case <-krc.stopping:
199 | 					monPublishLog.Debug("Candeling key publication due to shutdown")
200 | 					shutdownErr := fmt.Errorf("Shutting down")
201 | 					publishResult.SetError(shutdownErr)
202 | 					return
203 | 				}
204 | 			}
205 | 
206 | 		default:
207 | 			publishServerError := fmt.Errorf(
208 | 				"Unexpected response code when publishing key: %d ",
209 | 				resp.StatusCode,
210 | 			)
211 | 			publishResult.SetError(publishServerError)
212 | 			return
213 | 		}
214 | 	}()
215 | 
216 | 	return publishResult
217 | }
218 | 
219 | func (krc *client) DeletePublicKey(signingKey *key.PrivateKey) error {
220 | 	url := krc.absURL("services", krc.signerParams.Issuer, "keys", signingKey.ID())
221 | 
222 | 	resp, err := krc.signAndDo("DELETE", url, nil, signingKey)
223 | 	if err != nil {
224 | 		return err
225 | 	}
226 | 
227 | 	if resp.StatusCode != 204 {
228 | 		return fmt.Errorf("Unexpected response code when deleting public key: %d", resp.StatusCode)
229 | 	}
230 | 
231 | 	return nil
232 | }
233 | 
234 | func (krc *client) Stop() <-chan struct{} {
235 | 	finished := make(chan struct{})
236 | 	// Stop the in flight requests
237 | 	close(krc.stopping)
238 | 	go func() {
239 | 		krc.inFlight.Wait()
240 | 
241 | 		// Now stop the cache
242 | 		if krc.cache != nil {
243 | 			<-krc.cache.Stop()
244 | 		}
245 | 
246 | 		close(finished)
247 | 	}()
248 | 	return finished
249 | }
250 | 
251 | func (krc *client) signAndDo(method string, url *url.URL, body io.Reader, signingKey *key.PrivateKey) (*http.Response, error) {
252 | 	// Create an HTTP request to the key server to publish a new key.
253 | 	req, err := krc.prepareRequest(method, url, body)
254 | 	if err != nil {
255 | 		return nil, err
256 | 	}
257 | 
258 | 	// Sign it with the specified private key and config.
259 | 	err = jwt.Sign(req, signingKey, krc.signerParams)
260 | 	if err != nil {
261 | 		return nil, err
262 | 	}
263 | 
264 | 	// Execute the request, if it returns a 200, close the channel immediately.
265 | 	return krc.httpClient.Do(req)
266 | }
267 | 
268 | func (krc *client) prepareRequest(method string, url *url.URL, body io.Reader) (*http.Request, error) {
269 | 	// Create an HTTP request to the key server to publish a new key.
270 | 	req, err := http.NewRequest(method, url.String(), body)
271 | 	if err != nil {
272 | 		return nil, err
273 | 	}
274 | 
275 | 	if method == "PUT" || method == "POST" {
276 | 		req.Header.Add("Content-Type", "application/json")
277 | 	}
278 | 
279 | 	// Add our user agent.
280 | 	req.Header.Set("User-Agent", "KeyRegistryClient/0.1.0")
281 | 
282 | 	return req, nil
283 | }
284 | 
285 | func (krc *client) absURL(pathParams ...string) *url.URL {
286 | 	escaped := make([]string, 0, len(pathParams)+1)
287 | 	escaped = append(escaped, krc.registry.Path)
288 | 	for _, pathParam := range pathParams {
289 | 		escaped = append(escaped, url.QueryEscape(pathParam))
290 | 	}
291 | 
292 | 	absPath := path.Join(escaped...)
293 | 	relurl, err := url.Parse(absPath)
294 | 	if err != nil {
295 | 		panic(err)
296 | 	}
297 | 	return krc.registry.ResolveReference(relurl)
298 | }
299 | 
300 | func constructReader(registrableComponentConfig config.RegistrableComponentConfig) (keyserver.Reader, error) {
301 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
302 | 	if err != nil {
303 | 		return nil, err
304 | 	}
305 | 	var cfg ReaderConfig
306 | 	err = yaml.Unmarshal(bytes, &cfg)
307 | 	if err != nil {
308 | 		return nil, err
309 | 	}
310 | 
311 | 	// Construct the public key cache.
312 | 	cacheConfig := config.RegistrableComponentConfig{
313 | 		Type: "memory",
314 | 	}
315 | 	if cfg.Cache != nil {
316 | 		cacheConfig = *cfg.Cache
317 | 	}
318 | 
319 | 	cache, err := keycache.NewCache(cacheConfig)
320 | 	if err != nil {
321 | 		return nil, fmt.Errorf("Unable to construct cache: %s", err)
322 | 	}
323 | 
324 | 	httpClient := &http.Client{
325 | 		Transport: httpcache.NewTransport(cache),
326 | 	}
327 | 
328 | 	return &client{
329 | 		registry:   cfg.Registry.URL,
330 | 		inFlight:   &sync.WaitGroup{},
331 | 		stopping:   make(chan struct{}),
332 | 		cache:      cache,
333 | 		httpClient: httpClient,
334 | 	}, nil
335 | }
336 | 
337 | func constructManager(registrableComponentConfig config.RegistrableComponentConfig, signerParams config.SignerParams) (keyserver.Manager, error) {
338 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
339 | 	if err != nil {
340 | 		return nil, err
341 | 	}
342 | 	var cfg Config
343 | 	err = yaml.Unmarshal(bytes, &cfg)
344 | 	if err != nil {
345 | 		return nil, err
346 | 	}
347 | 
348 | 	return &client{
349 | 		registry:     cfg.Registry.URL,
350 | 		signerParams: signerParams,
351 | 		inFlight:     &sync.WaitGroup{},
352 | 		stopping:     make(chan struct{}),
353 | 		httpClient:   http.DefaultClient,
354 | 	}, nil
355 | }
356 | 


--------------------------------------------------------------------------------
/jwt/keyserver/keyserver.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package keyserver
16 | 
17 | import (
18 | 	"errors"
19 | 	"fmt"
20 | 	"time"
21 | 
22 | 	"github.com/coreos/go-oidc/key"
23 | 
24 | 	"github.com/quay/jwtproxy/config"
25 | 	"github.com/quay/jwtproxy/stop"
26 | )
27 | 
28 | var (
29 | 	ErrPublicKeyNotFound = errors.New("Could not find any matching public key")
30 | 	ErrPublicKeyExpired  = errors.New("Key has expired.")
31 | )
32 | 
33 | type ReaderConstructor func(config.RegistrableComponentConfig) (Reader, error)
34 | type ManagerConstructor func(config.RegistrableComponentConfig, config.SignerParams) (Manager, error)
35 | 
36 | type Reader interface {
37 | 	stop.Stoppable
38 | 	GetPublicKey(issuer string, keyID string) (*key.PublicKey, error)
39 | }
40 | 
41 | type KeyPolicy struct {
42 | 	Expiration     *time.Time
43 | 	RotationPolicy *time.Duration
44 | }
45 | 
46 | type Manager interface {
47 | 	stop.Stoppable
48 | 	VerifyPublicKey(keyID string) error
49 | 	PublishPublicKey(key *key.PublicKey, policy *KeyPolicy, signingKey *key.PrivateKey) *PublishResult
50 | 	DeletePublicKey(toRevoke *key.PrivateKey) error
51 | }
52 | 
53 | var readers = make(map[string]ReaderConstructor)
54 | var managers = make(map[string]ManagerConstructor)
55 | 
56 | func RegisterReader(name string, rc ReaderConstructor) {
57 | 	if rc == nil {
58 | 		panic("server: could not register nil ReaderConstructor")
59 | 	}
60 | 	if _, dup := readers[name]; dup {
61 | 		panic("server: could not register duplicate ReaderConstructor: " + name)
62 | 	}
63 | 	readers[name] = rc
64 | }
65 | 
66 | func NewReader(cfg config.RegistrableComponentConfig) (Reader, error) {
67 | 	rc, ok := readers[cfg.Type]
68 | 	if !ok {
69 | 		return nil, fmt.Errorf("server: unknown ReaderConstructor %q (forgotten import?)", cfg.Type)
70 | 	}
71 | 	return rc(cfg)
72 | }
73 | 
74 | func RegisterManager(name string, mc ManagerConstructor) {
75 | 	if mc == nil {
76 | 		panic("server: could not register nil ManagerConstructor")
77 | 	}
78 | 	if _, dup := managers[name]; dup {
79 | 		panic("server: could not register duplicate ManagerConstructor: " + name)
80 | 	}
81 | 	managers[name] = mc
82 | }
83 | 
84 | func NewManager(cfg config.RegistrableComponentConfig, signerParams config.SignerParams) (Manager, error) {
85 | 	mc, ok := managers[cfg.Type]
86 | 	if !ok {
87 | 		return nil, fmt.Errorf("server: unknown ManagerConstructor %q (forgotten import?)", cfg.Type)
88 | 	}
89 | 	return mc(cfg, signerParams)
90 | }
91 | 


--------------------------------------------------------------------------------
/jwt/keyserver/preshared/preshared.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package preshared
 16 | 
 17 | import (
 18 | 	"crypto/rsa"
 19 | 	"crypto/x509"
 20 | 	"encoding/pem"
 21 | 	"errors"
 22 | 	"fmt"
 23 | 	"io/ioutil"
 24 | 	"strings"
 25 | 
 26 | 	"github.com/coreos/go-oidc/jose"
 27 | 	"github.com/coreos/go-oidc/key"
 28 | 	"gopkg.in/yaml.v2"
 29 | 
 30 | 	"github.com/quay/jwtproxy/config"
 31 | 	"github.com/quay/jwtproxy/jwt/keyserver"
 32 | 	"github.com/quay/jwtproxy/stop"
 33 | )
 34 | 
 35 | func init() {
 36 | 	keyserver.RegisterReader("preshared", constructor)
 37 | }
 38 | 
 39 | type Preshared struct {
 40 | 	*key.PublicKey
 41 | 	Issuer string
 42 | }
 43 | 
 44 | type Config struct {
 45 | 	Issuer        string `yaml:"issuer"`
 46 | 	KeyID         string `yaml:"key_id"`
 47 | 	PublicKeyPath string `yaml:"public_key_path"`
 48 | }
 49 | 
 50 | func constructor(registrableComponentConfig config.RegistrableComponentConfig) (keyserver.Reader, error) {
 51 | 	var cfg Config
 52 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
 53 | 	if err != nil {
 54 | 		return nil, err
 55 | 	}
 56 | 	err = yaml.Unmarshal(bytes, &cfg)
 57 | 	if err != nil {
 58 | 		return nil, err
 59 | 	}
 60 | 
 61 | 	publicKey, err := loadPublicKey(cfg.PublicKeyPath)
 62 | 	if err != nil {
 63 | 		return nil, err
 64 | 	}
 65 | 
 66 | 	return &Preshared{
 67 | 		Issuer: cfg.Issuer,
 68 | 		PublicKey: key.NewPublicKey(jose.JWK{
 69 | 			ID:       cfg.KeyID,
 70 | 			Use:      "sig",
 71 | 			Type:     "RSA",
 72 | 			Alg:      "RS256",
 73 | 			Modulus:  publicKey.N,
 74 | 			Exponent: publicKey.E,
 75 | 		}),
 76 | 	}, nil
 77 | }
 78 | 
 79 | func (preshared *Preshared) GetPublicKey(issuer string, keyID string) (*key.PublicKey, error) {
 80 | 	if !strings.EqualFold(issuer, preshared.Issuer) || !strings.EqualFold(keyID, preshared.ID()) {
 81 | 		return nil, errors.New("unknown public key")
 82 | 	}
 83 | 	return preshared.PublicKey, nil
 84 | }
 85 | 
 86 | func (preshared *Preshared) Stop() <-chan struct{} {
 87 | 	return stop.AlreadyDone
 88 | }
 89 | 
 90 | func loadPublicKey(path string) (*rsa.PublicKey, error) {
 91 | 	publicKeyData, err := ioutil.ReadFile(path)
 92 | 	if err != nil {
 93 | 		return nil, err
 94 | 	}
 95 | 
 96 | 	publicKeyBlock, _ := pem.Decode(publicKeyData)
 97 | 	if publicKeyBlock == nil {
 98 | 		return nil, errors.New("bad public key data")
 99 | 	}
100 | 
101 | 	if publicKeyBlock.Type != "PUBLIC KEY" {
102 | 		return nil, fmt.Errorf("unknown key type : %s", publicKeyBlock.Type)
103 | 	}
104 | 
105 | 	publicKey, err := x509.ParsePKIXPublicKey(publicKeyBlock.Bytes)
106 | 	if err != nil {
107 | 		return nil, err
108 | 	}
109 | 
110 | 	rsaPublicKey, ok := publicKey.(*rsa.PublicKey)
111 | 	if !ok {
112 | 		return nil, errors.New("parsed public key doesn't appear to be an RSA public key")
113 | 	}
114 | 
115 | 	return rsaPublicKey, nil
116 | }
117 | 


--------------------------------------------------------------------------------
/jwt/keyserver/result.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package keyserver
16 | 
17 | type PublishResult struct {
18 | 	errorOrNil chan error
19 | 	cancelPub  chan struct{}
20 | }
21 | 
22 | func NewPublishResult() *PublishResult {
23 | 	return &PublishResult{
24 | 		errorOrNil: make(chan error, 1),
25 | 		cancelPub:  make(chan struct{}),
26 | 	}
27 | }
28 | 
29 | func (pr *PublishResult) Success() {
30 | 	pr.errorOrNil <- nil
31 | 	close(pr.errorOrNil)
32 | }
33 | 
34 | func (pr *PublishResult) Cancel() {
35 | 	close(pr.cancelPub)
36 | }
37 | 
38 | func (pr *PublishResult) SetError(err error) {
39 | 	pr.errorOrNil <- err
40 | 	close(pr.errorOrNil)
41 | }
42 | 
43 | func (pr *PublishResult) Result() <-chan error {
44 | 	return pr.errorOrNil
45 | }
46 | 
47 | func (pr *PublishResult) WaitForCancel() <-chan struct{} {
48 | 	return pr.cancelPub
49 | }
50 | 


--------------------------------------------------------------------------------
/jwt/noncestorage/local/local.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package local
16 | 
17 | import (
18 | 	"time"
19 | 
20 | 	"gopkg.in/yaml.v2"
21 | 
22 | 	"github.com/quay/jwtproxy/config"
23 | 	"github.com/quay/jwtproxy/jwt/noncestorage"
24 | 	"github.com/quay/jwtproxy/stop"
25 | 	"github.com/patrickmn/go-cache"
26 | )
27 | 
28 | func init() {
29 | 	noncestorage.Register("local", constructor)
30 | }
31 | 
32 | type Local struct {
33 | 	*cache.Cache
34 | }
35 | 
36 | type Config struct {
37 | 	PurgeInterval time.Duration `yaml:"purge_interval"`
38 | }
39 | 
40 | func constructor(registrableComponentConfig config.RegistrableComponentConfig) (noncestorage.NonceStorage, error) {
41 | 	var cfg Config
42 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
43 | 	if err != nil {
44 | 		return nil, err
45 | 	}
46 | 	err = yaml.Unmarshal(bytes, &cfg)
47 | 	if err != nil {
48 | 		return nil, err
49 | 	}
50 | 
51 | 	return &Local{
52 | 		Cache: cache.New(cache.NoExpiration, cfg.PurgeInterval),
53 | 	}, nil
54 | }
55 | 
56 | func (ln *Local) Verify(nonce string, expiration time.Time) bool {
57 | 	if _, found := ln.Get(nonce); found {
58 | 		return false
59 | 	}
60 | 	ln.Set(nonce, struct{}{}, expiration.Sub(time.Now()))
61 | 	return true
62 | }
63 | 
64 | func (ln *Local) Stop() <-chan struct{} {
65 | 	return stop.AlreadyDone
66 | }
67 | 


--------------------------------------------------------------------------------
/jwt/noncestorage/noncestorage.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package noncestorage
16 | 
17 | import (
18 | 	"fmt"
19 | 	"time"
20 | 
21 | 	"github.com/quay/jwtproxy/config"
22 | 	"github.com/quay/jwtproxy/stop"
23 | )
24 | 
25 | type Constructor func(config.RegistrableComponentConfig) (NonceStorage, error)
26 | 
27 | type NonceStorage interface {
28 | 	stop.Stoppable
29 | 	Verify(nonce string, expiration time.Time) bool
30 | }
31 | 
32 | var storages = make(map[string]Constructor)
33 | 
34 | func Register(name string, nsc Constructor) {
35 | 	if nsc == nil {
36 | 		panic("server: could not register nil NonceStorage")
37 | 	}
38 | 	if _, dup := storages[name]; dup {
39 | 		panic("server: could not register duplicate NonceStorage: " + name)
40 | 	}
41 | 	storages[name] = nsc
42 | }
43 | 
44 | func New(cfg config.RegistrableComponentConfig) (NonceStorage, error) {
45 | 	nsc, ok := storages[cfg.Type]
46 | 	if !ok {
47 | 		return nil, fmt.Errorf("server: unknown NonceStorage %q (forgotten import?)", cfg.Type)
48 | 	}
49 | 	return nsc(cfg)
50 | }
51 | 


--------------------------------------------------------------------------------
/jwt/privatekey/autogenerated/autogenerated.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package autogenerated
 16 | 
 17 | import (
 18 | 	"crypto"
 19 | 	"crypto/rsa"
 20 | 	"encoding/base64"
 21 | 	"errors"
 22 | 	"fmt"
 23 | 	"io/ioutil"
 24 | 	"os"
 25 | 	"path"
 26 | 	"sync"
 27 | 	"time"
 28 | 
 29 | 	"github.com/coreos/go-oidc/key"
 30 | 	log "github.com/sirupsen/logrus"
 31 | 	jose "gopkg.in/square/go-jose.v2"
 32 | 	"gopkg.in/yaml.v2"
 33 | 
 34 | 	"github.com/quay/jwtproxy/config"
 35 | 	"github.com/quay/jwtproxy/jwt/keyserver"
 36 | 	"github.com/quay/jwtproxy/jwt/privatekey"
 37 | )
 38 | 
 39 | func init() {
 40 | 	privatekey.Register("autogenerated", constructor)
 41 | }
 42 | 
 43 | type Autogenerated struct {
 44 | 	active  *key.PrivateKey
 45 | 	pending *key.PrivateKey
 46 | 	manager keyserver.Manager
 47 | 	keyLock sync.Mutex
 48 | 	stopCh  chan struct{}
 49 | 	doneCh  chan struct{}
 50 | 	keyPath string
 51 | }
 52 | 
 53 | type Config struct {
 54 | 	RotationInterval time.Duration                     `yaml:"rotate_every"`
 55 | 	KeyServer        config.RegistrableComponentConfig `yaml:"key_server"`
 56 | 	KeyFolder        string                            `yaml:"key_folder"`
 57 | }
 58 | 
 59 | func constructor(registrableComponentConfig config.RegistrableComponentConfig, signerParams config.SignerParams) (privatekey.PrivateKey, error) {
 60 | 	cfg := Config{
 61 | 		RotationInterval: 12 * time.Hour,
 62 | 	}
 63 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
 64 | 	if err != nil {
 65 | 		return nil, err
 66 | 	}
 67 | 	err = yaml.Unmarshal(bytes, &cfg)
 68 | 	if err != nil {
 69 | 		return nil, err
 70 | 	}
 71 | 
 72 | 	manager, err := keyserver.NewManager(cfg.KeyServer, signerParams)
 73 | 	if err != nil {
 74 | 		return nil, err
 75 | 	}
 76 | 
 77 | 	privateKeyPath := keyPath(cfg.KeyFolder, signerParams.Issuer)
 78 | 
 79 | 	var activeKey *key.PrivateKey
 80 | 
 81 | 	// Load the private key, or leave nil if there was no stored PK.
 82 | 	storedPrivateKey, err := loadPrivateKey(privateKeyPath)
 83 | 	if err == nil {
 84 | 		// Let's verify the key we found on disk.
 85 | 		err := manager.VerifyPublicKey(storedPrivateKey.ID())
 86 | 		if err == nil {
 87 | 			// We verified the key, nothing more to do
 88 | 			log.Debug("Successfully loaded and verified private key at path: ", privateKeyPath)
 89 | 			activeKey = storedPrivateKey
 90 | 		} else {
 91 | 			switch err {
 92 | 			case keyserver.ErrPublicKeyNotFound:
 93 | 				log.Debug("Public Key not found - generating a new key")
 94 | 			case keyserver.ErrPublicKeyExpired:
 95 | 				log.WithError(err).Fatal("Public key has expired; delete or renew it.")
 96 | 			default:
 97 | 				log.WithError(err).Fatal(err.Error())
 98 | 			}
 99 | 		}
100 | 	} else {
101 | 		log.Debug("Unable to load private key: ", err)
102 | 	}
103 | 
104 | 	ag := &Autogenerated{
105 | 		active:  activeKey,
106 | 		pending: nil,
107 | 		manager: manager,
108 | 		stopCh:  make(chan struct{}),
109 | 		doneCh:  make(chan struct{}),
110 | 		keyPath: privateKeyPath,
111 | 	}
112 | 
113 | 	publicationResult := keyserver.NewPublishResult()
114 | 	if activeKey == nil {
115 | 		log.Debug("Boostrapping publication with a new key")
116 | 		publicationResult = ag.attemptPublish(nil, cfg.RotationInterval)
117 | 	}
118 | 
119 | 	go ag.publishAndRotate(cfg.RotationInterval, publicationResult)
120 | 
121 | 	return ag, nil
122 | }
123 | 
124 | func (ag *Autogenerated) GetPrivateKey() (*key.PrivateKey, error) {
125 | 	ag.keyLock.Lock()
126 | 	defer ag.keyLock.Unlock()
127 | 
128 | 	if ag.active == nil {
129 | 		return nil, errors.New("No key is yet active")
130 | 	}
131 | 	return ag.active, nil
132 | }
133 | 
134 | func (ag *Autogenerated) Stop() <-chan struct{} {
135 | 	close(ag.stopCh)
136 | 
137 | 	ag.keyLock.Lock()
138 | 	defer ag.keyLock.Unlock()
139 | 
140 | 	if ag.pending != nil {
141 | 		ag.revokeKey(ag.pending)
142 | 	}
143 | 
144 | 	return ag.doneCh
145 | }
146 | 
147 | func keyPath(basePath, issuer string) string {
148 | 	if basePath == "" {
149 | 		configPath := os.Getenv("XDG_CONFIG_HOME")
150 | 		if configPath == "" {
151 | 			configPath = path.Join(os.Getenv("HOME"), ".config")
152 | 		}
153 | 		basePath = path.Join(configPath, "jwtproxy")
154 | 	}
155 | 	return path.Join(basePath, fmt.Sprintf("%s.jwk", issuer))
156 | }
157 | 
158 | func loadPrivateKey(keyPath string) (*key.PrivateKey, error) {
159 | 	pkContents, err := ioutil.ReadFile(keyPath)
160 | 	if err != nil {
161 | 		return nil, err
162 | 	}
163 | 
164 | 	jwk := jose.JSONWebKey{}
165 | 	if err := jwk.UnmarshalJSON(pkContents); err != nil {
166 | 		return nil, err
167 | 	}
168 | 
169 | 	pk := key.PrivateKey{
170 | 		KeyID:      jwk.KeyID,
171 | 		PrivateKey: jwk.Key.(*rsa.PrivateKey),
172 | 	}
173 | 	if err := pk.PrivateKey.Validate(); err != nil {
174 | 		return nil, err
175 | 	}
176 | 
177 | 	pk.PrivateKey.Precompute()
178 | 
179 | 	return &pk, nil
180 | }
181 | 
182 | func savePrivateKey(key *key.PrivateKey, keyPath string) error {
183 | 	err := os.MkdirAll(path.Dir(keyPath), os.ModeDir|0755)
184 | 	if err != nil {
185 | 		log.Warn("Unable to create private key file directory: ", err)
186 | 		return err
187 | 	}
188 | 
189 | 	pkFile, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
190 | 	if err != nil {
191 | 		log.Warn("Unable to open private key file to save: ", err)
192 | 		return err
193 | 	}
194 | 	defer pkFile.Close()
195 | 
196 | 	jwk := jose.JSONWebKey{
197 | 		Key:       key.PrivateKey,
198 | 		KeyID:     key.KeyID,
199 | 		Algorithm: "rsa",
200 | 		Use:       "",
201 | 	}
202 | 
203 | 	jwkJson, err := jwk.MarshalJSON()
204 | 	if err != nil {
205 | 		log.Warn("Unable to encode private key: ", err)
206 | 		return err
207 | 	}
208 | 
209 | 	pkFile.Write(jwkJson)
210 | 	log.Debug("Successfully saved private key to: ", keyPath)
211 | 	return nil
212 | }
213 | 
214 | // Attempt to publish a new key, if the signing key is nil we will self-sign
215 | // the key.
216 | func (ag *Autogenerated) attemptPublish(signingKey *key.PrivateKey, rotateInterval time.Duration) *keyserver.PublishResult {
217 | 	// We want to do this outside of the lock since it may take some time.
218 | 	candidate, err := key.GeneratePrivateKey()
219 | 
220 | 	candidateJwk := jose.JSONWebKey{
221 | 		Key:       candidate.PrivateKey,
222 | 		KeyID:     candidate.KeyID,
223 | 		Algorithm: "rsa",
224 | 		Use:       "",
225 | 	}
226 | 	thumbprint, err := candidateJwk.Thumbprint(crypto.SHA256)
227 | 	candidate.KeyID = base64.URLEncoding.EncodeToString(thumbprint)
228 | 
229 | 	if err != nil {
230 | 		immediateResult := keyserver.NewPublishResult()
231 | 		immediateResult.SetError(fmt.Errorf("Unable to generate new key: %s", err))
232 | 		return immediateResult
233 | 	}
234 | 
235 | 	if ag.pending != nil {
236 | 		log.Debug("Best effort revoking unapproved key due to rotation")
237 | 		go ag.revokeKey(ag.pending)
238 | 	}
239 | 
240 | 	ag.keyLock.Lock()
241 | 	defer ag.keyLock.Unlock()
242 | 
243 | 	ag.pending = candidate
244 | 	pendingPublic := key.NewPublicKey(ag.pending.JWK())
245 | 
246 | 	if signingKey == nil {
247 | 		signingKey = ag.pending
248 | 	}
249 | 
250 | 	policy := &keyserver.KeyPolicy{}
251 | 	if rotateInterval > 0 {
252 | 		log.Debug("Adding rotation policy: ", rotateInterval)
253 | 		expirationTime := time.Now().Add(rotateInterval * 2)
254 | 		policy.Expiration = &expirationTime
255 | 		policy.RotationPolicy = &rotateInterval
256 | 	}
257 | 
258 | 	return ag.manager.PublishPublicKey(pendingPublic, policy, signingKey)
259 | }
260 | 
261 | // Caller MUST NOT hold the ag.keyLock.
262 | func (ag *Autogenerated) getLogger() *log.Entry {
263 | 	ag.keyLock.Lock()
264 | 	defer ag.keyLock.Unlock()
265 | 
266 | 	var activeKeyID interface{}
267 | 	if ag.active != nil {
268 | 		activeKeyID = ag.active.ID()[0:10]
269 | 	}
270 | 
271 | 	var pendingKeyID interface{}
272 | 	if ag.pending != nil {
273 | 		pendingKeyID = ag.pending.ID()[0:10]
274 | 	}
275 | 
276 | 	return log.WithFields(log.Fields{
277 | 		"activeKey":  activeKeyID,
278 | 		"pendingKey": pendingKeyID,
279 | 	})
280 | }
281 | 
282 | func (ag *Autogenerated) publishAndRotate(rotateInterval time.Duration, publicationResult *keyserver.PublishResult) {
283 | 	defer close(ag.doneCh)
284 | 
285 | 	// Create a channel that will tell us when we should rotate the key,
286 | 	// or never if `rotateInterval` is non-positive.
287 | 	timeToPublish := make(<-chan time.Time)
288 | 	if rotateInterval > 0 {
289 | 		ticker := time.NewTicker(rotateInterval)
290 | 		defer ticker.Stop()
291 | 		timeToPublish = ticker.C
292 | 	} else {
293 | 		log.Info("Key rotation is disabled")
294 | 	}
295 | 
296 | 	for {
297 | 		select {
298 | 		case <-ag.stopCh:
299 | 			ag.getLogger().Info("Shutting down key publisher")
300 | 			publicationResult.Cancel()
301 | 			return
302 | 		case <-timeToPublish:
303 | 			// Start the publication process.
304 | 			ag.getLogger().Debug("Generating new key")
305 | 			publicationResult.Cancel()
306 | 			publicationResult = ag.attemptPublish(ag.active, rotateInterval)
307 | 
308 | 		case publishError := <-publicationResult.Result():
309 | 			if publishError != nil {
310 | 				ag.getLogger().WithError(publishError).Fatal("Error publishing key")
311 | 			} else {
312 | 				// Publication was successful, swap the pending key to active.
313 | 				ag.keyLock.Lock()
314 | 				toSave := ag.pending
315 | 				ag.active = ag.pending
316 | 				ag.pending = nil
317 | 				ag.keyLock.Unlock()
318 | 				ag.getLogger().Debug("Successfully published key")
319 | 
320 | 				// Asynchronously save the key to disk, best effort.
321 | 				go savePrivateKey(toSave, ag.keyPath)
322 | 
323 | 				// We want to disable the publication error case for now.
324 | 				publicationResult = keyserver.NewPublishResult()
325 | 			}
326 | 		}
327 | 	}
328 | }
329 | 
330 | func (ag *Autogenerated) revokeKey(toRevoke *key.PrivateKey) error {
331 | 	err := ag.manager.DeletePublicKey(toRevoke)
332 | 	if err != nil {
333 | 		log.Errorf("Unable to revoke pending key: ", err)
334 | 		return err
335 | 	}
336 | 	log.Debugf("Successfully revoked pending key")
337 | 	return nil
338 | }
339 | 


--------------------------------------------------------------------------------
/jwt/privatekey/preshared/preshared.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package preshared
 16 | 
 17 | import (
 18 | 	"crypto/rsa"
 19 | 	"crypto/x509"
 20 | 	"encoding/pem"
 21 | 	"errors"
 22 | 	"fmt"
 23 | 	"io/ioutil"
 24 | 
 25 | 	"github.com/coreos/go-oidc/key"
 26 | 	"gopkg.in/yaml.v2"
 27 | 
 28 | 	"github.com/quay/jwtproxy/config"
 29 | 	"github.com/quay/jwtproxy/jwt/privatekey"
 30 | 	"github.com/quay/jwtproxy/stop"
 31 | )
 32 | 
 33 | func init() {
 34 | 	privatekey.Register("preshared", constructor)
 35 | }
 36 | 
 37 | type Preshared struct {
 38 | 	*key.PrivateKey
 39 | }
 40 | 
 41 | type Config struct {
 42 | 	KeyID          string `yaml:"key_id"`
 43 | 	PrivateKeyPath string `yaml:"private_key_path"`
 44 | }
 45 | 
 46 | func constructor(registrableComponentConfig config.RegistrableComponentConfig, _ config.SignerParams) (privatekey.PrivateKey, error) {
 47 | 	var cfg Config
 48 | 	bytes, err := yaml.Marshal(registrableComponentConfig.Options)
 49 | 	if err != nil {
 50 | 		return nil, err
 51 | 	}
 52 | 	err = yaml.Unmarshal(bytes, &cfg)
 53 | 	if err != nil {
 54 | 		return nil, err
 55 | 	}
 56 | 
 57 | 	privateKey, err := loadPrivateKey(cfg.PrivateKeyPath)
 58 | 	if err != nil {
 59 | 		return nil, err
 60 | 	}
 61 | 
 62 | 	return &Preshared{
 63 | 		PrivateKey: &key.PrivateKey{
 64 | 			KeyID:      cfg.KeyID,
 65 | 			PrivateKey: privateKey,
 66 | 		},
 67 | 	}, nil
 68 | }
 69 | 
 70 | func (preshared *Preshared) GetPrivateKey() (*key.PrivateKey, error) {
 71 | 	return preshared.PrivateKey, nil
 72 | }
 73 | 
 74 | func (preshared *Preshared) Stop() <-chan struct{} {
 75 | 	return stop.AlreadyDone
 76 | }
 77 | 
 78 | func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
 79 | 	privateKeyData, err := ioutil.ReadFile(path)
 80 | 	if err != nil {
 81 | 		return nil, err
 82 | 	}
 83 | 
 84 | 	privateKeyBlock, _ := pem.Decode(privateKeyData)
 85 | 	if privateKeyBlock == nil {
 86 | 		return nil, errors.New("bad private key data")
 87 | 	}
 88 | 
 89 | 	if privateKeyBlock.Type != "RSA PRIVATE KEY" {
 90 | 		return nil, fmt.Errorf("unknown key type : %s", privateKeyBlock.Type)
 91 | 	}
 92 | 
 93 | 	privateKey, err := x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes)
 94 | 	if err != nil {
 95 | 		return nil, err
 96 | 	}
 97 | 
 98 | 	if err := privateKey.Validate(); err != nil {
 99 | 		return nil, err
100 | 	}
101 | 
102 | 	privateKey.Precompute()
103 | 
104 | 	return privateKey, err
105 | }
106 | 


--------------------------------------------------------------------------------
/jwt/privatekey/privatekey.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package privatekey
16 | 
17 | import (
18 | 	"fmt"
19 | 
20 | 	"github.com/coreos/go-oidc/key"
21 | 
22 | 	"github.com/quay/jwtproxy/config"
23 | 	"github.com/quay/jwtproxy/stop"
24 | )
25 | 
26 | type PrivateKey interface {
27 | 	stop.Stoppable
28 | 	GetPrivateKey() (*key.PrivateKey, error)
29 | }
30 | 
31 | type Constructor func(config.RegistrableComponentConfig, config.SignerParams) (PrivateKey, error)
32 | 
33 | var privatekeys = make(map[string]Constructor)
34 | 
35 | func Register(name string, pkc Constructor) {
36 | 	if pkc == nil {
37 | 		panic("server: could not register nil Constructor")
38 | 	}
39 | 	if _, dup := privatekeys[name]; dup {
40 | 		panic("server: could not register duplicate Constructor: " + name)
41 | 	}
42 | 	privatekeys[name] = pkc
43 | }
44 | 
45 | func New(cfg config.RegistrableComponentConfig, params config.SignerParams) (PrivateKey, error) {
46 | 	pkc, ok := privatekeys[cfg.Type]
47 | 	if !ok {
48 | 		return nil, fmt.Errorf("server: unknown Constructor %q (forgotten import?)", cfg.Type)
49 | 	}
50 | 	return pkc(cfg, params)
51 | }
52 | 


--------------------------------------------------------------------------------
/jwt/proxy_handlers.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package jwt
 16 | 
 17 | import (
 18 | 	"errors"
 19 | 	"fmt"
 20 | 	"net"
 21 | 	"net/http"
 22 | 	"net/url"
 23 | 	"strings"
 24 | 
 25 | 	"github.com/coreos/goproxy"
 26 | 	log "github.com/sirupsen/logrus"
 27 | 
 28 | 	"github.com/quay/jwtproxy/config"
 29 | 	"github.com/quay/jwtproxy/jwt/claims"
 30 | 	"github.com/quay/jwtproxy/jwt/keyserver"
 31 | 	"github.com/quay/jwtproxy/jwt/noncestorage"
 32 | 	"github.com/quay/jwtproxy/jwt/privatekey"
 33 | 	"github.com/quay/jwtproxy/proxy"
 34 | 	"github.com/quay/jwtproxy/stop"
 35 | )
 36 | 
 37 | type StoppableProxyHandler struct {
 38 | 	proxy.Handler
 39 | 	stopFunc func() <-chan struct{}
 40 | }
 41 | 
 42 | func NewJWTSignerHandler(cfg config.SignerConfig) (*StoppableProxyHandler, error) {
 43 | 	// Verify config (required keys that have no defaults).
 44 | 	if cfg.PrivateKey.Type == "" {
 45 | 		return nil, errors.New("no private key provider specified")
 46 | 	}
 47 | 
 48 | 	// Get the private key that will be used for signing.
 49 | 	privateKeyProvider, err := privatekey.New(cfg.PrivateKey, cfg.SignerParams)
 50 | 	if err != nil {
 51 | 		return nil, err
 52 | 	}
 53 | 
 54 | 	// Create a proxy.Handler that will add a JWT to http.Requests.
 55 | 	handler := func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
 56 | 		privateKey, err := privateKeyProvider.GetPrivateKey()
 57 | 		if err != nil {
 58 | 			return r, errorResponse(r, err)
 59 | 		}
 60 | 
 61 | 		if err := Sign(r, privateKey, cfg.SignerParams); err != nil {
 62 | 			return r, errorResponse(r, err)
 63 | 		}
 64 | 		return r, nil
 65 | 	}
 66 | 
 67 | 	return &StoppableProxyHandler{
 68 | 		Handler:  handler,
 69 | 		stopFunc: privateKeyProvider.Stop,
 70 | 	}, nil
 71 | }
 72 | 
 73 | func NewJWTVerifierHandler(cfg config.VerifierConfig) (*StoppableProxyHandler, error) {
 74 | 	// Verify config (required keys that have no defaults).
 75 | 	if cfg.Upstream.URL == nil {
 76 | 		return nil, errors.New("no upstream specified")
 77 | 	}
 78 | 	if cfg.Audience.URL == nil {
 79 | 		return nil, errors.New("no audience specified")
 80 | 	}
 81 | 	if cfg.KeyServer.Type == "" {
 82 | 		return nil, errors.New("no key server specified")
 83 | 	}
 84 | 
 85 | 	stopper := stop.NewGroup()
 86 | 
 87 | 	// Create a KeyServer that will provide public keys for signature verification.
 88 | 	keyServer, err := keyserver.NewReader(cfg.KeyServer)
 89 | 	if err != nil {
 90 | 		return nil, err
 91 | 	}
 92 | 	stopper.Add(keyServer)
 93 | 
 94 | 	// Create a NonceStorage that will create nonces for signing.
 95 | 	nonceStorage, err := noncestorage.New(cfg.NonceStorage)
 96 | 	if err != nil {
 97 | 		return nil, err
 98 | 	}
 99 | 	stopper.Add(nonceStorage)
100 | 
101 | 	// Create an appropriate routing policy.
102 | 	route := newRouter(cfg.Upstream.URL)
103 | 
104 | 	// Create the required list of claims.Verifier.
105 | 	var claimsVerifiers []claims.Verifier
106 | 	if cfg.ClaimsVerifiers != nil {
107 | 		claimsVerifiers = make([]claims.Verifier, 0, len(cfg.ClaimsVerifiers))
108 | 
109 | 		for _, verifierConfig := range cfg.ClaimsVerifiers {
110 | 			verifier, err := claims.New(verifierConfig)
111 | 			if err != nil {
112 | 				return nil, fmt.Errorf("could not instantiate claim verifier: %s", err)
113 | 			}
114 | 
115 | 			stopper.Add(verifier)
116 | 			claimsVerifiers = append(claimsVerifiers, verifier)
117 | 		}
118 | 	} else {
119 | 		log.Info("No claims verifiers specified, upstream should be configured to verify authorization")
120 | 	}
121 | 
122 | 	// Create a reverse proxy.Handler that will verify JWT from http.Requests.
123 | 	handler := func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
124 | 		signedClaims, err := Verify(r, keyServer, nonceStorage, cfg.Audience.URL, cfg.MaxSkew, cfg.MaxTTL)
125 | 		if err != nil {
126 | 			return r, goproxy.NewResponse(r, goproxy.ContentTypeText, http.StatusForbidden, fmt.Sprintf("jwtproxy: unable to verify request: %s", err))
127 | 		}
128 | 
129 | 		// Run through the claims verifiers.
130 | 		for _, verifier := range claimsVerifiers {
131 | 			err := verifier.Handle(r, signedClaims)
132 | 			if err != nil {
133 | 				return r, goproxy.NewResponse(r, goproxy.ContentTypeText, http.StatusForbidden, fmt.Sprintf("Error verifying claims: %s", err))
134 | 			}
135 | 		}
136 | 
137 | 		// Route the request to upstream.
138 | 		route(r, ctx)
139 | 
140 | 		return r, nil
141 | 	}
142 | 
143 | 	return &StoppableProxyHandler{
144 | 		Handler:  handler,
145 | 		stopFunc: stopper.Stop,
146 | 	}, nil
147 | }
148 | 
149 | func (sph *StoppableProxyHandler) Stop() <-chan struct{} {
150 | 	return sph.stopFunc()
151 | }
152 | 
153 | func errorResponse(r *http.Request, err error) *http.Response {
154 | 	return goproxy.NewResponse(r, goproxy.ContentTypeText, http.StatusBadGateway, fmt.Sprintf("jwtproxy: unable to sign request: %s", err))
155 | }
156 | 
157 | type router func(r *http.Request, ctx *goproxy.ProxyCtx)
158 | 
159 | func newRouter(upstream *url.URL) router {
160 | 	if strings.HasPrefix(upstream.String(), "unix:") {
161 | 		// Upstream is an UNIX socket.
162 | 		// - Use a goproxy.RoundTripper that has an "unix" net.Dial.
163 | 		// - Rewrite the request's scheme to be "http" and the host to be the encoded path to the
164 | 		//   socket.
165 | 		sockPath := strings.TrimPrefix(upstream.String(), "unix:")
166 | 		roundTripper := newUnixRoundTripper(sockPath)
167 | 		return func(r *http.Request, ctx *goproxy.ProxyCtx) {
168 | 			ctx.RoundTripper = roundTripper
169 | 			r.URL.Scheme = "http"
170 | 			r.URL.Host = sockPath
171 | 		}
172 | 	}
173 | 
174 | 	// Upstream is an HTTP or HTTPS endpoint.
175 | 	// - Set the request's scheme and host to the upstream ones.
176 | 	// - Prepend the request's path with the upstream path.
177 | 	// - Merge query values from request and upstream.
178 | 	return func(r *http.Request, ctx *goproxy.ProxyCtx) {
179 | 		r.URL.Scheme = upstream.Scheme
180 | 		r.URL.Host = upstream.Host
181 | 		r.URL.Path = singleJoiningSlash(upstream.Path, r.URL.Path)
182 | 
183 | 		upstreamQuery := upstream.RawQuery
184 | 		if upstreamQuery == "" || r.URL.RawQuery == "" {
185 | 			r.URL.RawQuery = upstreamQuery + r.URL.RawQuery
186 | 		} else {
187 | 			r.URL.RawQuery = upstreamQuery + "&" + r.URL.RawQuery
188 | 		}
189 | 	}
190 | }
191 | 
192 | func singleJoiningSlash(a, b string) string {
193 | 	aslash := strings.HasSuffix(a, "/")
194 | 	bslash := strings.HasPrefix(b, "/")
195 | 	switch {
196 | 	case aslash && bslash:
197 | 		return a + b[1:]
198 | 	case !aslash && !bslash:
199 | 		return a + "/" + b
200 | 	}
201 | 	return a + b
202 | }
203 | 
204 | type unixRoundTripper struct {
205 | 	*http.Transport
206 | }
207 | 
208 | func newUnixRoundTripper(sockPath string) *unixRoundTripper {
209 | 	dialer := func(network, addr string) (net.Conn, error) {
210 | 		return net.Dial("unix", sockPath)
211 | 	}
212 | 
213 | 	return &unixRoundTripper{
214 | 		Transport: &http.Transport{Dial: dialer},
215 | 	}
216 | }
217 | 
218 | func (urt *unixRoundTripper) RoundTrip(req *http.Request, ctx *goproxy.ProxyCtx) (*http.Response, error) {
219 | 	return urt.Transport.RoundTrip(req)
220 | }
221 | 


--------------------------------------------------------------------------------
/jwtproxy.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package jwtproxy
 16 | 
 17 | import (
 18 | 	"fmt"
 19 | 	"os"
 20 | 	"time"
 21 | 
 22 | 	log "github.com/sirupsen/logrus"
 23 | 
 24 | 	"github.com/quay/jwtproxy/config"
 25 | 	"github.com/quay/jwtproxy/jwt"
 26 | 	"github.com/quay/jwtproxy/proxy"
 27 | 	"github.com/quay/jwtproxy/stop"
 28 | )
 29 | 
 30 | // RunProxies is an utility function that starts both the JWT verifier and signer proxies
 31 | // in their own goroutines and returns a stop.Group intance that give the caller the ability to
 32 | // stop them gracefully.
 33 | // Potential startup errors are sent to the abort chan.
 34 | func RunProxies(config *config.Config) (*stop.Group, chan error) {
 35 | 	stopper := stop.NewGroup()
 36 | 	abort := make(chan error)
 37 | 
 38 | 	if config.SignerProxy.Enabled {
 39 | 		go StartForwardProxy(config.SignerProxy, stopper, abort)
 40 | 	}
 41 | 
 42 | 	for _, verifierConfig := range config.VerifierProxies {
 43 | 		if verifierConfig.Enabled {
 44 | 			go StartReverseProxy(verifierConfig, stopper, abort)
 45 | 		}
 46 | 	}
 47 | 
 48 | 	return stopper, abort
 49 | }
 50 | 
 51 | // StartForwardProxy starts a new signer proxy in its own goroutine.
 52 | // Also adds a graceful stop function to the specified stop.Group.
 53 | // Potential startup errors are sent to the abort chan.
 54 | func StartForwardProxy(fpConfig config.SignerProxyConfig, stopper *stop.Group, abort chan<- error) {
 55 | 	// Create signer.
 56 | 	signer, err := jwt.NewJWTSignerHandler(fpConfig.Signer)
 57 | 	if err != nil {
 58 | 		abort <- fmt.Errorf("Failed to create JWT signer: %s", err)
 59 | 		return
 60 | 	}
 61 | 
 62 | 	// Create forward proxy.
 63 | 	forwardProxy, err := proxy.NewProxy(signer.Handler, fpConfig.CAKeyFile, fpConfig.CACrtFile, fpConfig.InsecureSkipVerify, fpConfig.TrustedCertificates)
 64 | 	if err != nil {
 65 | 		stopper.Add(signer)
 66 | 		abort <- fmt.Errorf("Failed to create forward proxy: %s", err)
 67 | 		return
 68 | 	}
 69 | 
 70 | 	startProxy(
 71 | 		abort,
 72 | 		fpConfig.ListenAddr,
 73 | 		"",
 74 | 		"",
 75 | 		fpConfig.ShutdownTimeout,
 76 | 		"forward",
 77 | 		forwardProxy,
 78 | 		fpConfig.SocketPermission,
 79 | 	)
 80 | 
 81 | 	forwardStopper := func() <-chan struct{} {
 82 | 		done := make(chan struct{})
 83 | 		go func() {
 84 | 			<-forwardProxy.Stop()
 85 | 			<-signer.Stop()
 86 | 			close(done)
 87 | 		}()
 88 | 		return done
 89 | 	}
 90 | 	stopper.AddFunc(forwardStopper)
 91 | }
 92 | 
 93 | // StartReverseProxy starts a new verifier proxy in its own goroutine.
 94 | // Also adds a graceful stop function to the specified stop.Group.
 95 | // Potential startup errors will be sent to the abort chan.
 96 | func StartReverseProxy(rpConfig config.VerifierProxyConfig, stopper *stop.Group, abort chan<- error) {
 97 | 	// Create verifier.
 98 | 	verifier, err := jwt.NewJWTVerifierHandler(rpConfig.Verifier)
 99 | 	if err != nil {
100 | 		abort <- fmt.Errorf("Failed to create JWT verifier: %s", err)
101 | 		return
102 | 	}
103 | 
104 | 	// Create reverse proxy.
105 | 	reverseProxy, err := proxy.NewReverseProxy(verifier.Handler)
106 | 	if err != nil {
107 | 		stopper.Add(verifier)
108 | 		abort <- fmt.Errorf("Failed to create reverse proxy: %s", err)
109 | 		return
110 | 	}
111 | 
112 | 	startProxy(
113 | 		abort,
114 | 		rpConfig.ListenAddr,
115 | 		rpConfig.CrtFile,
116 | 		rpConfig.KeyFile,
117 | 		rpConfig.ShutdownTimeout,
118 | 		"reverse",
119 | 		reverseProxy,
120 | 		rpConfig.SocketPermission,
121 | 	)
122 | 
123 | 	reverseStopper := func() <-chan struct{} {
124 | 		done := make(chan struct{})
125 | 		go func() {
126 | 			<-reverseProxy.Stop()
127 | 			<-verifier.Stop()
128 | 			close(done)
129 | 		}()
130 | 		return done
131 | 	}
132 | 	stopper.AddFunc(reverseStopper)
133 | }
134 | 
135 | func startProxy(abort chan<- error, listenAddr, crtFile, keyFile string, shutdownTimeout time.Duration, proxyName string, proxy *proxy.Proxy, socketPermission os.FileMode) {
136 | 	go func() {
137 | 		log.Infof("Starting %s proxy (Listening on '%s')", proxyName, listenAddr)
138 | 		if err := proxy.Serve(listenAddr, crtFile, keyFile, shutdownTimeout, socketPermission); err != nil {
139 | 			failedToStart := fmt.Errorf("Failed to start %s proxy: %s", proxyName, err)
140 | 			abort <- failedToStart
141 | 		}
142 | 	}()
143 | }
144 | 


--------------------------------------------------------------------------------
/proxy/proxy.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2016 CoreOS, Inc
  2 | //
  3 | // Licensed under the Apache License, Version 2.0 (the "License");
  4 | // you may not use this file except in compliance with the License.
  5 | // You may obtain a copy of the License at
  6 | //
  7 | //     http://www.apache.org/licenses/LICENSE-2.0
  8 | //
  9 | // Unless required by applicable law or agreed to in writing, software
 10 | // distributed under the License is distributed on an "AS IS" BASIS,
 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | // See the License for the specific language governing permissions and
 13 | // limitations under the License.
 14 | 
 15 | package proxy
 16 | 
 17 | import (
 18 | 	"crypto/tls"
 19 | 	"crypto/x509"
 20 | 	"errors"
 21 | 	"fmt"
 22 | 	"io/ioutil"
 23 | 	"net"
 24 | 	"net/http"
 25 | 	"os"
 26 | 	"strings"
 27 | 	"time"
 28 | 
 29 | 	"github.com/coreos/goproxy"
 30 | 	"github.com/quay/jwtproxy/stop"
 31 | 	log "github.com/sirupsen/logrus"
 32 | 	"github.com/tylerb/graceful"
 33 | )
 34 | 
 35 | // This tls.Config is borrowed from the CockroachDB project.
 36 | var defaultTLSConfig = tls.Config{
 37 | 	// This is Go's default list of cipher suites (as of go 1.8.3),
 38 | 	// with the following differences:
 39 | 	//
 40 | 	// - 3DES-based cipher suites have been removed. This cipher is
 41 | 	//   vulnerable to the Sweet32 attack and is sometimes reported by
 42 | 	//   security scanners. (This is arguably a false positive since
 43 | 	//   it will never be selected: Any TLS1.2 implementation MUST
 44 | 	//   include at least one cipher higher in the priority list, but
 45 | 	//   there's also no reason to keep it around)
 46 | 	// - AES is always prioritized over ChaCha20. Go makes this decision
 47 | 	//   by default based on the presence or absence of hardware AES
 48 | 	//   acceleration.
 49 | 	//   TODO(bdarnell): do the same detection here. See
 50 | 	//   https://github.com/golang/go/issues/21167
 51 | 	//
 52 | 	// Note that some TLS cipher suite guidance (such as Mozilla's[1])
 53 | 	// recommend replacing the CBC_SHA suites below with CBC_SHA384 or
 54 | 	// CBC_SHA256 variants. We do not do this because Go does not
 55 | 	// currerntly implement the CBC_SHA384 suites, and its CBC_SHA256
 56 | 	// implementation is vulnerable to the Lucky13 attack and is disabled
 57 | 	// by default.[2]
 58 | 	//
 59 | 	// [1]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
 60 | 	// [2]: https://github.com/golang/go/commit/48d8edb5b21db190f717e035b4d9ab61a077f9d7
 61 | 	PreferServerCipherSuites: true,
 62 | 	CipherSuites: []uint16{
 63 | 		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 64 | 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 65 | 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 66 | 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 67 | 		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 68 | 		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 69 | 		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 70 | 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 71 | 		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 72 | 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 73 | 		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 74 | 		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 75 | 		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 76 | 		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 77 | 	},
 78 | 
 79 | 	MinVersion: tls.VersionTLS12,
 80 | }
 81 | 
 82 | type Handler func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response)
 83 | 
 84 | type Proxy struct {
 85 | 	*goproxy.ProxyHttpServer
 86 | 	grace           *graceful.Server
 87 | 	shutdownTimeout time.Duration
 88 | 	started         bool
 89 | }
 90 | 
 91 | func (proxy *Proxy) Serve(listenAddr, crtFile, keyFile string, shutdownTimeout time.Duration, socketPermission os.FileMode) error {
 92 | 	tlsConfig := defaultTLSConfig
 93 | 
 94 | 	// Create a graceful server.
 95 | 	proxy.grace = &graceful.Server{
 96 | 		NoSignalHandling: true,
 97 | 		Server: &http.Server{
 98 | 			Addr:      listenAddr,
 99 | 			Handler:   proxy.ProxyHttpServer,
100 | 			TLSConfig: &tlsConfig,
101 | 		},
102 | 	}
103 | 	proxy.shutdownTimeout = shutdownTimeout
104 | 
105 | 	// Create an appropriate net.Listener.
106 | 	var err error
107 | 	var listener net.Listener
108 | 
109 | 	if strings.HasPrefix(listenAddr, "unix:") {
110 | 		if crtFile != "" && keyFile != "" {
111 | 			return errors.New("Proxy is configured to terminate TLS but proxy listens on an UNIX socket.")
112 | 		}
113 | 
114 | 		unixFile := strings.TrimPrefix(listenAddr, "unix:")
115 | 
116 | 		listener, err = net.Listen("unix", unixFile)
117 | 		if err != nil {
118 | 			return err
119 | 		}
120 | 
121 | 		os.Chmod(unixFile, socketPermission)
122 | 
123 | 		defer os.Remove(unixFile)
124 | 	} else {
125 | 		if crtFile != "" && keyFile != "" {
126 | 			listener, err = proxy.grace.ListenTLS(crtFile, keyFile)
127 | 			if err != nil {
128 | 				return err
129 | 			}
130 | 		} else {
131 | 			listener, err = net.Listen("tcp", listenAddr)
132 | 			if err != nil {
133 | 				return err
134 | 			}
135 | 		}
136 | 	}
137 | 
138 | 	// Serve traffic.
139 | 	proxy.started = true
140 | 	defer func() { proxy.started = false }()
141 | 
142 | 	if err = proxy.grace.Serve(listener); err != nil {
143 | 		if opErr, ok := err.(*net.OpError); !ok || (ok && opErr.Op != "accept") {
144 | 			return err
145 | 		}
146 | 	}
147 | 
148 | 	return nil
149 | }
150 | 
151 | func (proxy *Proxy) Stop() <-chan struct{} {
152 | 	if proxy.started {
153 | 		proxy.grace.Stop(proxy.shutdownTimeout)
154 | 		return proxy.grace.StopChan()
155 | 	}
156 | 	return stop.AlreadyDone
157 | }
158 | 
159 | func NewProxy(proxyHandler Handler, caKeyPath, caCertPath string, insecureSkipVerify bool, trustedCertificatePaths []string) (*Proxy, error) {
160 | 	var err error
161 | 
162 | 	// Initialize the forward proxy's MITM handler using the specified CA key pair.
163 | 	var mitmHandler goproxy.FuncHttpsHandler
164 | 	if caKeyPath == "" || caCertPath == "" {
165 | 		mitmHandler = rejectMITMHandler()
166 | 		log.Warning("No CA keypair specified, the proxy will not be able to forward requests to TLS endpoints.")
167 | 	} else {
168 | 		mitmHandler, err = setupMITMHandler(caKeyPath, caCertPath)
169 | 		if err != nil {
170 | 			return nil, err
171 | 		}
172 | 	}
173 | 
174 | 	// Create a forward proxy.
175 | 	proxy := goproxy.NewProxyHttpServer()
176 | 	proxy.Tr, err = setupClientTransport(insecureSkipVerify, trustedCertificatePaths)
177 | 	if err != nil {
178 | 		return nil, err
179 | 	}
180 | 	proxy.Verbose = log.GetLevel() == log.DebugLevel
181 | 
182 | 	// Handle HTTPs requests with MITM and the specified handler.
183 | 	proxy.OnRequest().DoFunc(proxyHandler)
184 | 	proxy.OnRequest().HandleConnect(mitmHandler)
185 | 
186 | 	return &Proxy{ProxyHttpServer: proxy}, nil
187 | }
188 | 
189 | func NewReverseProxy(proxyHandler Handler) (*Proxy, error) {
190 | 	// Create a reverse proxy.
191 | 	reverseProxy := goproxy.NewReverseProxyHttpServer()
192 | 	reverseProxy.Tr = http.DefaultTransport.(*http.Transport)
193 | 	reverseProxy.Verbose = log.GetLevel() == log.DebugLevel
194 | 
195 | 	// Handle requests with the specified handler.
196 | 	reverseProxy.OnRequest().DoFunc(proxyHandler)
197 | 
198 | 	return &Proxy{ProxyHttpServer: reverseProxy}, nil
199 | }
200 | 
201 | func setupMITMHandler(caKeyPath, caCertPath string) (goproxy.FuncHttpsHandler, error) {
202 | 	ca, err := readCA(caKeyPath, caCertPath)
203 | 	if err != nil {
204 | 		return nil, err
205 | 	}
206 | 
207 | 	return func(host string, ctx *goproxy.ProxyCtx) (*goproxy.ConnectAction, string) {
208 | 		return &goproxy.ConnectAction{
209 | 			Action:    goproxy.ConnectMitm,
210 | 			TLSConfig: goproxy.TLSConfigFromCA(ca),
211 | 		}, host
212 | 	}, nil
213 | }
214 | 
215 | func rejectMITMHandler() goproxy.FuncHttpsHandler {
216 | 	return func(host string, ctx *goproxy.ProxyCtx) (*goproxy.ConnectAction, string) {
217 | 		return &goproxy.ConnectAction{
218 | 			Action: goproxy.ConnectReject,
219 | 		}, host
220 | 	}
221 | }
222 | 
223 | func setupClientTransport(insecureSkipVerify bool, certificatePaths []string) (*http.Transport, error) {
224 | 	tlsConfig := defaultTLSConfig
225 | 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
226 | 
227 | 	// If any certificates are specified, load them. Otherwise, system-wide certificates are to be
228 | 	// used.
229 | 	if len(certificatePaths) > 0 {
230 | 		// TODO: Instead of creating an empty certificate pool, thus overriding entirely the system
231 | 		// pool, we should start from a pool populated by the system roots. This will be possible
232 | 		// in Go 1.7 using x509.SystemCertPool().
233 | 		// See https://go-review.googlesource.com/#/c/21293/
234 | 		tlsConfig.RootCAs = x509.NewCertPool()
235 | 
236 | 		for _, certificatePath := range certificatePaths {
237 | 			if certificate, err := ioutil.ReadFile(certificatePath); err == nil {
238 | 				tlsConfig.RootCAs.AppendCertsFromPEM(certificate)
239 | 			} else {
240 | 				return nil, fmt.Errorf("Could not load certificate '%s': %s", certificatePath, err)
241 | 			}
242 | 		}
243 | 	}
244 | 
245 | 	return &http.Transport{
246 | 		TLSClientConfig: &tlsConfig,
247 | 	}, nil
248 | }
249 | 
250 | func readCA(caKeyPath, caCertPath string) (*tls.Certificate, error) {
251 | 	caCert, err := ioutil.ReadFile(caCertPath)
252 | 	if err != nil {
253 | 		return nil, err
254 | 	}
255 | 
256 | 	caKey, err := ioutil.ReadFile(caKeyPath)
257 | 	if err != nil {
258 | 		return nil, err
259 | 	}
260 | 
261 | 	ca, err := tls.X509KeyPair(caCert, caKey)
262 | 	if err != nil {
263 | 		return nil, err
264 | 	}
265 | 
266 | 	ca.Leaf, err = x509.ParseCertificate(ca.Certificate[0])
267 | 	return &ca, err
268 | }
269 | 


--------------------------------------------------------------------------------
/stop/stopper.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2016 CoreOS, Inc
 2 | //
 3 | // Licensed under the Apache License, Version 2.0 (the "License");
 4 | // you may not use this file except in compliance with the License.
 5 | // You may obtain a copy of the License at
 6 | //
 7 | //     http://www.apache.org/licenses/LICENSE-2.0
 8 | //
 9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | 
15 | package stop
16 | 
17 | import (
18 | 	"sync"
19 | )
20 | 
21 | var AlreadyDone <-chan struct{}
22 | 
23 | func init() {
24 | 	closeMe := make(chan struct{})
25 | 	close(closeMe)
26 | 	AlreadyDone = closeMe
27 | }
28 | 
29 | type Stoppable interface {
30 | 	Stop() <-chan struct{}
31 | }
32 | 
33 | type Group struct {
34 | 	stoppables     []StopperFunc
35 | 	stoppablesLock sync.Mutex
36 | }
37 | 
38 | type StopperFunc func() <-chan struct{}
39 | 
40 | func NewGroup() *Group {
41 | 	return &Group{
42 | 		stoppables: make([]StopperFunc, 0),
43 | 	}
44 | }
45 | 
46 | func (cg *Group) Add(toAdd Stoppable) {
47 | 	cg.stoppablesLock.Lock()
48 | 	defer cg.stoppablesLock.Unlock()
49 | 
50 | 	cg.stoppables = append(cg.stoppables, toAdd.Stop)
51 | }
52 | 
53 | func (cg *Group) AddFunc(toAddFunc StopperFunc) {
54 | 	cg.stoppablesLock.Lock()
55 | 	defer cg.stoppablesLock.Unlock()
56 | 
57 | 	cg.stoppables = append(cg.stoppables, toAddFunc)
58 | }
59 | 
60 | func (cg *Group) Stop() <-chan struct{} {
61 | 	cg.stoppablesLock.Lock()
62 | 	defer cg.stoppablesLock.Unlock()
63 | 
64 | 	whenDone := make(chan struct{})
65 | 
66 | 	waitChannels := make([]<-chan struct{}, 0, len(cg.stoppables))
67 | 	for _, toStop := range cg.stoppables {
68 | 		waitFor := toStop()
69 | 		if waitFor == nil {
70 | 			panic("Someone returned a nil chan from Stop")
71 | 		}
72 | 		waitChannels = append(waitChannels, waitFor)
73 | 	}
74 | 
75 | 	cg.stoppables = make([]StopperFunc, 0)
76 | 
77 | 	go func() {
78 | 		for _, waitForMe := range waitChannels {
79 | 			<-waitForMe
80 | 		}
81 | 		close(whenDone)
82 | 	}()
83 | 	return whenDone
84 | }
85 | 


--------------------------------------------------------------------------------