diff --git a/cmd/dex/config.go b/cmd/dex/config.go index d60c540a..8861ddef 100644 --- a/cmd/dex/config.go +++ b/cmd/dex/config.go @@ -14,6 +14,7 @@ import ( "github.com/dexidp/dex/pkg/featureflags" "github.com/dexidp/dex/server" + "github.com/dexidp/dex/server/signer" "github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage/ent" "github.com/dexidp/dex/storage/etcd" @@ -36,7 +37,7 @@ type Config struct { Frontend server.WebConfig `json:"frontend"` // Signer configuration controls signing of JWT tokens issued by Dex. - Signer server.SignerConfig `json:"signer"` + Signer Signer `json:"signer"` // StaticConnectors are user defined connectors specified in the ConfigMap // Write operations, like updating a connector, will fail. 
@@ -373,6 +374,74 @@ func (s *Storage) UnmarshalJSON(b []byte) error { return nil } +// Signer holds app's signer configuration. +type Signer struct { + Type string `json:"type"` + Config SignerConfig `json:"config"` +} + +// SignerConfig is a configuration that can create a signer. +type SignerConfig interface{} + +var ( + _ SignerConfig = (*signer.LocalConfig)(nil) + _ SignerConfig = (*signer.VaultConfig)(nil) +) + +var signerConfigs = map[string]func() SignerConfig{ + "local": func() SignerConfig { return new(signer.LocalConfig) }, + "vault": func() SignerConfig { return new(signer.VaultConfig) }, +} + +// UnmarshalJSON allows Signer to implement the unmarshaler interface to +// dynamically determine the type of the signer config. +func (s *Signer) UnmarshalJSON(b []byte) error { + var signerData struct { + Type string `json:"type"` + Config json.RawMessage `json:"config"` + } + if err := json.Unmarshal(b, &signerData); err != nil { + return fmt.Errorf("parse signer: %v", err) + } + + f, ok := signerConfigs[signerData.Type] + if !ok { + return fmt.Errorf("unknown signer type %q", signerData.Type) + } + + signerConfig := f() + if len(signerData.Config) != 0 { + data := []byte(signerData.Config) + if featureflags.ExpandEnv.Enabled() { + var rawMap map[string]interface{} + if err := json.Unmarshal(signerData.Config, &rawMap); err != nil { + return fmt.Errorf("unmarshal config for env expansion: %v", err) + } + + // Recursively expand environment variables in the map + expandEnvInMap(rawMap) + + // Marshal the expanded map back to JSON + expandedData, err := json.Marshal(rawMap) + if err != nil { + return fmt.Errorf("marshal expanded config: %v", err) + } + + data = expandedData + } + + if err := json.Unmarshal(data, signerConfig); err != nil { + return fmt.Errorf("parse signer config: %v", err) + } + } + + *s = Signer{ + Type: signerData.Type, + Config: signerConfig, + } + return nil +} + // Connector is a magical type that can unmarshal YAML dynamically. 
The // Type field determines the connector type, which is then customized for Config. type Connector struct { diff --git a/cmd/dex/config_test.go b/cmd/dex/config_test.go index ffde8196..017cb23c 100644 --- a/cmd/dex/config_test.go +++ b/cmd/dex/config_test.go @@ -1,6 +1,7 @@ package main import ( + "encoding/json" "log/slog" "os" "testing" @@ -11,6 +12,7 @@ import ( "github.com/dexidp/dex/connector/mock" "github.com/dexidp/dex/connector/oidc" "github.com/dexidp/dex/server" + "github.com/dexidp/dex/server/signer" "github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage/sql" ) 
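Review bot: The `if len(signerData.Config) != 0` guard skips decoding entirely when the `config` key is omitted, so for `type: vault` the `VaultConfig.UnmarshalJSON` fallback to `VAULT_ADDR`/`VAULT_TOKEN` (documented in server/signer/vault.go in this same commit) never runs and the signer is built with an empty address and token. Normalising the raw message ahead of the guard keeps that path live: `if len(signerData.Config) == 0 { signerData.Config = json.RawMessage("{}") }`, after which the guard can go (for `local` an empty object yields the same zero `KeysRotationPeriod` as today, and serve.go still rejects it). `data := []byte(signerData.Config)` is a no-op conversion since `json.RawMessage` is already a `[]byte`. The env-expansion block appears to be the same shape as whatever `expandEnvInMap` is already used for in this file; if `Storage` and `Connector` carry the same copy, a shared helper would avoid a third one.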
@@ -469,3 +471,117 @@ logger: t.Errorf("got!=want: %s", diff) } } + +func TestSignerConfigUnmarshal(t *testing.T) { + tests := []struct { + name string + config string + wantErr bool + check func(*Config) error + }{ + { + name: "local signer with rotation period", + config: ` +issuer: http://127.0.0.1:5556/dex +storage: + type: memory +web: + http: 0.0.0.0:5556 +signer: + type: local + config: + keysRotationPeriod: 6h +enablePasswordDB: true +`, + wantErr: false, + check: func(c *Config) error { + if c.Signer.Type != "local" { + t.Errorf("expected signer type 'local', got %q", c.Signer.Type) + } + if localConfig, ok := c.Signer.Config.(*signer.LocalConfig); !ok { + t.Error("expected LocalConfig") + } else if localConfig.KeysRotationPeriod != "6h" { + t.Errorf("expected keys rotation period '6h', got %q", localConfig.KeysRotationPeriod) + } + return nil + }, + }, + { + name: "vault signer", + config: ` +issuer: http://127.0.0.1:5556/dex +storage: + type: memory +web: + http: 0.0.0.0:5556 +signer: + type: vault + config: + addr: http://localhost:8200 + token: test-token + keyName: test-key +enablePasswordDB: true +`, + wantErr: false, + check: func(c *Config) error { + if c.Signer.Type != "vault" { + t.Errorf("expected signer type 'vault', got %q", c.Signer.Type) + } + if vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig); !ok { + t.Error("expected VaultConfig") + } else { + if vaultConfig.Addr != "http://localhost:8200" { + t.Errorf("expected addr 'http://localhost:8200', got %q", vaultConfig.Addr) + } + if vaultConfig.Token != "test-token" { + t.Errorf("expected token 'test-token', got %q", vaultConfig.Token) + } + if vaultConfig.KeyName != "test-key" { + t.Errorf("expected keyName 'test-key', got %q", vaultConfig.KeyName) + } + } + return nil + }, + }, + { + name: "default to local when no signer specified", + config: ` +issuer: http://127.0.0.1:5556/dex +storage: + type: memory +web: + http: 0.0.0.0:5556 +enablePasswordDB: true +`, + wantErr: false, + 
check: func(c *Config) error { + if c.Signer.Type != "local" { + t.Errorf("expected signer type 'local', got %q", c.Signer.Type) + } + return nil + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + var c Config + data, err := yaml.YAMLToJSON([]byte(tt.config)) + if err != nil { + t.Fatalf("failed to convert yaml to json: %v", err) + } + + err = json.Unmarshal(data, &c) + if (err != nil) != tt.wantErr { + t.Errorf("Unmarshal() error = %v, wantErr %v", err, tt.wantErr) + return + } + + if err == nil && tt.check != nil { + if err := tt.check(&c); err != nil { + t.Errorf("check failed: %v", err) + } + } + }) + } +} diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go index b0c49dc3..36a10e77 100644 --- a/cmd/dex/serve.go +++ b/cmd/dex/serve.go @@ -37,6 +37,7 @@ import ( "github.com/dexidp/dex/api/v2" "github.com/dexidp/dex/pkg/featureflags" "github.com/dexidp/dex/server" + "github.com/dexidp/dex/server/signer" "github.com/dexidp/dex/storage" ) 
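Review bot: The `default to local when no signer specified` case asserts `c.Signer.Type == "local"`, but with no `signer` key in the document `Signer.UnmarshalJSON` is never invoked, so the field stays at its zero value `""` — exactly the case the `case "":` branch in serve.go exists to handle; unless `Config` fills that default somewhere not visible here, this subtest fails, and either the expectation should be `""` or the default should be applied in one place and the other branch removed. The `check func(*Config) error` callbacks always `return nil` and report through `t.Errorf`, so the error return and the `check failed` branch in the runner are dead; either return real errors or drop the return type. Those `t.Errorf` calls also close over the parent test's `t`, not the subtest's, so failures are attributed to `TestSignerConfigUnmarshal` rather than the named case.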
@@ -290,6 +291,65 @@ func runServe(options serveOptions) error { healthChecker := gosundheit.New() + // Parse expiry durations + var idTokensValidFor = 24 * time.Hour // default + if c.Expiry.IDTokens != "" { + var err error + idTokensValidFor, err = time.ParseDuration(c.Expiry.IDTokens) + if err != nil { + return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err) + } + logger.Info("config id tokens", "valid_for", idTokensValidFor) + } + + // Create signer + var signerInstance signer.Signer + switch c.Signer.Type { + case "vault": + vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig) + if !ok { + return fmt.Errorf("invalid vault signer config") + } + signerInstance, err = vaultConfig.Open(context.Background()) + if err != nil { + return fmt.Errorf("failed to open vault signer: %v", err) + } + logger.Info("signer configured", "type", "vault") + case "local": + localConfig, ok := c.Signer.Config.(*signer.LocalConfig) + if !ok { + return fmt.Errorf("invalid local signer config") + } + if localConfig.KeysRotationPeriod == "" { + return fmt.Errorf("failed to open local signer: signer.config.keysRotationPeriod must be specified") + } + if c.Expiry.SigningKeys != "" { + logger.Warn("both expiry.signingKeys and signer.config.keysRotationPeriod specified, using signer.config.keysRotationPeriod") + } + signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger) + if err != nil { + return fmt.Errorf("failed to open local signer: %v", err) + } + logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod) + case "": // Default to local signer + // Handle deprecated expiry.signingKeys configuration + if c.Expiry.SigningKeys != "" { + logger.Warn("config expiry.signingKeys will be removed in a future release", + "use_instead", "signer.config.keysRotationPeriod", + "current_value", c.Expiry.SigningKeys, "deprecated", true) + } else { + c.Expiry.SigningKeys = 
"6h" + } + localConfig := signer.LocalConfig{KeysRotationPeriod: c.Expiry.SigningKeys} + signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger) + if err != nil { + return fmt.Errorf("failed to open local signer: %v", err) + } + logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod) + default: + return fmt.Errorf("unknown signer type %q", c.Signer.Type) + } + serverConfig := server.Config{ AllowedGrantTypes: c.OAuth2.GrantTypes, SupportedResponseTypes: c.OAuth2.ResponseTypes, @@ -307,24 +367,10 @@ func runServe(options serveOptions) error { PrometheusRegistry: prometheusRegistry, HealthChecker: healthChecker, ContinueOnConnectorFailure: featureflags.ContinueOnConnectorFailure.Enabled(), - Signer: c.Signer, - } - if c.Expiry.SigningKeys != "" { - signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys) - if err != nil { - return fmt.Errorf("invalid config value %q for signing keys expiry: %v", c.Expiry.SigningKeys, err) - } - logger.Info("config signing keys", "expire_after", signingKeys) - serverConfig.RotateKeysAfter = signingKeys - } - if c.Expiry.IDTokens != "" { - idTokens, err := time.ParseDuration(c.Expiry.IDTokens) - if err != nil { - return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err) - } - logger.Info("config id tokens", "valid_for", idTokens) - serverConfig.IDTokensValidFor = idTokens + Signer: signerInstance, + IDTokensValidFor: idTokensValidFor, } + if c.Expiry.AuthRequests != "" { authRequests, err := time.ParseDuration(c.Expiry.AuthRequests) if err != nil { diff --git a/examples/config-dev.yaml b/examples/config-dev.yaml index f611ac18..7bb0f2eb 100644 --- a/examples/config-dev.yaml +++ b/examples/config-dev.yaml 
@@ -184,9 +184,13 @@ staticPasswords: # Settings for signing JWT tokens. Available options: # - "local": use local keys (only RSA keys supported) # - "vault": use Vault Transit backend (RSA and EC keys supported) -# signer: +signer: + type: local + config: + keysRotationPeriod: "6h" +# signer # type: vault -# vault: +# config: # addr: http://127.0.0.1:8200 # token: root # keyName: dex-key diff --git a/server/oauth2.go b/server/oauth2.go index 6164f5ae..394e4e59 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -25,6 +25,7 @@ import ( "github.com/dexidp/dex/connector" "github.com/dexidp/dex/server/internal" + "github.com/dexidp/dex/server/signer" "github.com/dexidp/dex/storage" ) @@ -699,7 +700,7 @@ func validateConnectorID(connectors []storage.Connector, connectorID string) boo // signerKeySet implements the oidc.KeySet interface backed by the Dex signer type signerKeySet struct { - signer Signer + signer signer.Signer } func (s *signerKeySet) VerifySignature(ctx context.Context, jwt string) (payload []byte, err error) { diff --git a/server/refreshhandlers.go b/server/refreshhandlers.go index de8d9b7b..b47bd52c 100644 --- a/server/refreshhandlers.go +++ b/server/refreshhandlers.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "log/slog" "net/http" "strings" "time" 
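Review bot: The commented-out Vault example now reads `# signer` without the trailing colon, so uncommenting the block as written yields a scalar rather than a mapping; it should be `# signer:` to mirror the live `signer:` block directly above it. The header comment lists the two signer types but not that `keysRotationPeriod` is mandatory once `type: local` is spelled out (serve.go in this commit rejects an empty value), which is worth a one-line comment beside the key.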
@@ -13,6 +14,76 @@ import ( "github.com/dexidp/dex/storage" ) +type RefreshTokenPolicy struct { + rotateRefreshTokens bool // enable rotation + + absoluteLifetime time.Duration // interval from token creation to the end of its life + validIfNotUsedFor time.Duration // interval from last token update to the end of its life + reuseInterval time.Duration // interval within which old refresh token is allowed to be reused + + now func() time.Time + + logger *slog.Logger +} + +func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error) { + r := RefreshTokenPolicy{now: time.Now, logger: logger} + var err error + + if validIfNotUsedFor != "" { + r.validIfNotUsedFor, err = time.ParseDuration(validIfNotUsedFor) + if err != nil { + return nil, fmt.Errorf("invalid config value %q for refresh token valid if not used for: %v", validIfNotUsedFor, err) + } + logger.Info("config refresh tokens", "valid_if_not_used_for", validIfNotUsedFor) + } + + if absoluteLifetime != "" { + r.absoluteLifetime, err = time.ParseDuration(absoluteLifetime) + if err != nil { + return nil, fmt.Errorf("invalid config value %q for refresh tokens absolute lifetime: %v", absoluteLifetime, err) + } + logger.Info("config refresh tokens", "absolute_lifetime", absoluteLifetime) + } + + if reuseInterval != "" { + r.reuseInterval, err = time.ParseDuration(reuseInterval) + if err != nil { + return nil, fmt.Errorf("invalid config value %q for refresh tokens reuse interval: %v", reuseInterval, err) + } + logger.Info("config refresh tokens", "reuse_interval", reuseInterval) + } + + r.rotateRefreshTokens = !rotation + logger.Info("config refresh tokens rotation", "enabled", r.rotateRefreshTokens) + return &r, nil +} + +func (r *RefreshTokenPolicy) RotationEnabled() bool { + return r.rotateRefreshTokens +} + +func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool { + if r.absoluteLifetime == 0 { + return false 
// expiration disabled + } + return r.now().After(lastUsed.Add(r.absoluteLifetime)) +} + +func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool { + if r.validIfNotUsedFor == 0 { + return false // expiration disabled + } + return r.now().After(lastUsed.Add(r.validIfNotUsedFor)) +} + +func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool { + if r.reuseInterval == 0 { + return false // expiration disabled + } + return !r.now().After(lastUsed.Add(r.reuseInterval)) +} + func contains(arr []string, item string) bool { for _, itemFromArray := range arr { if itemFromArray == item { diff --git a/server/refreshhandlers_test.go b/server/refreshhandlers_test.go index f937769c..78bec27c 100644 --- a/server/refreshhandlers_test.go +++ b/server/refreshhandlers_test.go @@ -3,6 +3,7 @@ package server import ( "bytes" "encoding/json" + "log/slog" "net/http" "net/http/httptest" "net/url" @@ -207,3 +208,25 @@ func TestRefreshTokenExpirationScenarios(t *testing.T) { }) } } + +func TestRefreshTokenPolicy(t *testing.T) { + lastTime := time.Now() + l := slog.New(slog.DiscardHandler) + + r, err := NewRefreshTokenPolicy(l, true, "1m", "1m", "1m") + require.NoError(t, err) + + t.Run("Allowed", func(t *testing.T) { + r.now = func() time.Time { return lastTime } + require.Equal(t, true, r.AllowedToReuse(lastTime)) + require.Equal(t, false, r.ExpiredBecauseUnused(lastTime)) + require.Equal(t, false, r.CompletelyExpired(lastTime)) + }) + + t.Run("Expired", func(t *testing.T) { + r.now = func() time.Time { return lastTime.Add(2 * time.Minute) } + require.Equal(t, false, r.AllowedToReuse(lastTime)) + require.Equal(t, true, r.ExpiredBecauseUnused(lastTime)) + require.Equal(t, true, r.CompletelyExpired(lastTime)) + }) +} diff --git a/server/server.go b/server/server.go index 8eb3ea0b..e923e3e0 100644 --- a/server/server.go +++ b/server/server.go @@ -2,7 +2,6 @@ package server import ( "context" - "crypto/rsa" "encoding/json" "errors" "fmt" 
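Review bot: `RefreshTokenPolicy` and `NewRefreshTokenPolicy` are exported but arrive in this file without doc comments; `// RefreshTokenPolicy governs rotation, reuse and expiry of refresh tokens.` on the type, and a constructor comment stating that the durations are parsed from config strings and that `rotation` is inverted into `rotateRefreshTokens` (presumably it is the config's disable-rotation flag — verify against the caller), would stop `r.rotateRefreshTokens = !rotation` reading like a bug. The `// expiration disabled` comment on `AllowedToReuse` is misleading: a zero `reuseInterval` disables the reuse window and the method returns false, i.e. reuse is not allowed, so `// reuse window disabled` describes the branch. This is moved code, so these are likely pre-existing, but the move is the natural point to fix them.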
@@ -45,6 +44,7 @@ import ( "github.com/dexidp/dex/connector/oidc" "github.com/dexidp/dex/connector/openshift" "github.com/dexidp/dex/connector/saml" + "github.com/dexidp/dex/server/signer" "github.com/dexidp/dex/storage" "github.com/dexidp/dex/web" ) @@ -96,7 +96,6 @@ type Config struct { // If enabled, the connectors selection page will always be shown even if there's only one AlwaysShowLoginScreen bool - RotateKeysAfter time.Duration // Defaults to 6 hours. IDTokensValidFor time.Duration // Defaults to 24 hours AuthRequestsValidFor time.Duration // Defaults to 24 hours DeviceRequestsValidFor time.Duration // Defaults to 5 minutes @@ -116,7 +115,8 @@ type Config struct { Logger *slog.Logger - Signer SignerConfig + // Signer is used to sign tokens. + Signer signer.Signer PrometheusRegistry *prometheus.Registry @@ -158,12 +158,6 @@ type WebConfig struct { Extra map[string]string } -// SignerConfig holds the server's signer configuration. -type SignerConfig struct { - Type string `json:"type"` - Vault VaultSignerConfig `json:"vault"` -} - func value(val, defaultValue time.Duration) time.Duration { if val == 0 { return defaultValue 
@@ -209,25 +203,15 @@ type Server struct { logger *slog.Logger - signer Signer + signer signer.Signer } // NewServer constructs a server from the provided config. func NewServer(ctx context.Context, c Config) (*Server, error) { - return newServer(ctx, c, defaultRotationStrategy( - value(c.RotateKeysAfter, 6*time.Hour), - value(c.IDTokensValidFor, 24*time.Hour), - )) + return newServer(ctx, c) } -// NewServerWithKey constructs a server from the provided config and a static signing key. -func NewServerWithKey(ctx context.Context, c Config, privateKey *rsa.PrivateKey) (*Server, error) { - return newServer(ctx, c, staticRotationStrategy( - privateKey, - )) -} - -func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) (*Server, error) { +func newServer(ctx context.Context, c Config) (*Server, error) { issuerURL, err := url.Parse(c.Issuer) if err != nil { return nil, fmt.Errorf("server: can't parse issuer URL") @@ -326,19 +310,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) templates: tmpls, passwordConnector: c.PasswordConnector, logger: c.Logger, - } - - // Initialize signer - if c.Signer.Type == "vault" { - s.signer, err = newVaultSigner(c.Signer.Vault) - if err != nil { - return nil, fmt.Errorf("failed to initialize vault signer: %v", err) - } - s.logger.Info("signer configured", "type", "vault") - } else { - // Default to local signer - s.signer = newLocalSigner(c.Storage, rotationStrategy, now, c.Logger) - s.logger.Info("signer configured", "type", "local") + signer: c.Signer, } // Retrieves connector objects in backend storage. This list includes the static connectors diff --git a/server/signer_local.go b/server/signer/local.go similarity index 77% rename from server/signer_local.go rename to server/signer/local.go index 3d9f5e0d..a210aaa0 100644 --- a/server/signer_local.go +++ b/server/signer/local.go @@ -1,4 +1,4 @@ -package server +package signer import ( "context" 
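Review bot: `newServer` now stores `c.Signer` as-is and nothing rejects a nil value, so a caller that builds a `Config` without one (previously a local signer was constructed by default) gets a server whose first `Sign`/`ValidationKeys` call panics on a nil interface instead of failing at configuration time; add `if c.Signer == nil { return nil, errors.New("server: signer is required") }` with the other up-front validation in `newServer` (`errors` is already imported in this file). Removing the exported `NewServerWithKey` and the `RotateKeysAfter` field is an API break for out-of-tree callers; if intended, it deserves a release-note line. `newServer` runs past the hunk.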
@@ -11,22 +11,34 @@ import ( "github.com/dexidp/dex/storage" ) -// localSigner signs payloads using keys stored in the Dex storage. -// It manages key rotation and storage using the existing keyRotator logic. -type localSigner struct { - storage storage.Storage - rotator *keyRotator - logger *slog.Logger +// LocalConfig holds configuration for the local signer. +type LocalConfig struct { + // KeysRotationPeriod defines the duration of time after which the signing keys will be rotated. + KeysRotationPeriod string `json:"keysRotationPeriod"` } -// newLocalSigner creates a new local signer and starts the key rotation loop. -func newLocalSigner(s storage.Storage, strategy rotationStrategy, now func() time.Time, logger *slog.Logger) *localSigner { +// Open creates a new local signer. +func (c *LocalConfig) Open(_ context.Context, s storage.Storage, idTokenValidFor time.Duration, now func() time.Time, logger *slog.Logger) (Signer, error) { + rotateKeysAfter, err := time.ParseDuration(c.KeysRotationPeriod) + if err != nil { + return nil, fmt.Errorf("invalid config value %q for local signer rotation period: %v", c.KeysRotationPeriod, err) + } + + strategy := defaultRotationStrategy(rotateKeysAfter, idTokenValidFor) r := &keyRotator{s, strategy, now, logger} return &localSigner{ storage: s, rotator: r, logger: logger, - } + }, nil +} + +// localSigner signs payloads using keys stored in the Dex storage. +// It manages key rotation and storage using the existing keyRotator logic. +type localSigner struct { + storage storage.Storage + rotator *keyRotator + logger *slog.Logger } // Start begins key rotation in a new goroutine, closing once the context is canceled. diff --git a/server/rotation.go b/server/signer/rotation.go similarity index 63% rename from server/rotation.go rename to server/signer/rotation.go index 70d7a9bf..f32b9f66 100644 --- a/server/rotation.go +++ b/server/signer/rotation.go @@ -1,4 +1,4 @@ -package server +package signer import ( "context" 
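Review bot: `LocalConfig.Open` accepts any `KeysRotationPeriod` that parses, including `0s` or a negative duration, and passes it straight to `defaultRotationStrategy`; before this commit the zero case was mapped to 6h by `value(c.RotateKeysAfter, 6*time.Hour)` in server.go, so `0s` silently changes meaning here. A guard after the parse, `if rotateKeysAfter <= 0 { return nil, fmt.Errorf("invalid config value %q for local signer rotation period: must be positive", c.KeysRotationPeriod) }`, keeps a disabled or nonsensical signing-key rotation from being configured unnoticed. The doc comment on `Open` could also say that `s` is where keys are persisted and that rotation does not begin until `Start` is called, as the comment below the struct states. `defaultRotationStrategy` and the rest of the file are outside the hunk.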
@@ -147,73 +147,3 @@ func (k keyRotator) rotate() error { k.logger.Info("keys rotated", "next_rotation", nextRotation) return nil } - -type RefreshTokenPolicy struct { - rotateRefreshTokens bool // enable rotation - - absoluteLifetime time.Duration // interval from token creation to the end of its life - validIfNotUsedFor time.Duration // interval from last token update to the end of its life - reuseInterval time.Duration // interval within which old refresh token is allowed to be reused - - now func() time.Time - - logger *slog.Logger -} - -func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error) { - r := RefreshTokenPolicy{now: time.Now, logger: logger} - var err error - - if validIfNotUsedFor != "" { - r.validIfNotUsedFor, err = time.ParseDuration(validIfNotUsedFor) - if err != nil { - return nil, fmt.Errorf("invalid config value %q for refresh token valid if not used for: %v", validIfNotUsedFor, err) - } - logger.Info("config refresh tokens", "valid_if_not_used_for", validIfNotUsedFor) - } - - if absoluteLifetime != "" { - r.absoluteLifetime, err = time.ParseDuration(absoluteLifetime) - if err != nil { - return nil, fmt.Errorf("invalid config value %q for refresh tokens absolute lifetime: %v", absoluteLifetime, err) - } - logger.Info("config refresh tokens", "absolute_lifetime", absoluteLifetime) - } - - if reuseInterval != "" { - r.reuseInterval, err = time.ParseDuration(reuseInterval) - if err != nil { - return nil, fmt.Errorf("invalid config value %q for refresh tokens reuse interval: %v", reuseInterval, err) - } - logger.Info("config refresh tokens", "reuse_interval", reuseInterval) - } - - r.rotateRefreshTokens = !rotation - logger.Info("config refresh tokens rotation", "enabled", r.rotateRefreshTokens) - return &r, nil -} - -func (r *RefreshTokenPolicy) RotationEnabled() bool { - return r.rotateRefreshTokens -} - -func (r *RefreshTokenPolicy) 
CompletelyExpired(lastUsed time.Time) bool { - if r.absoluteLifetime == 0 { - return false // expiration disabled - } - return r.now().After(lastUsed.Add(r.absoluteLifetime)) -} - -func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool { - if r.validIfNotUsedFor == 0 { - return false // expiration disabled - } - return r.now().After(lastUsed.Add(r.validIfNotUsedFor)) -} - -func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool { - if r.reuseInterval == 0 { - return false // expiration disabled - } - return !r.now().After(lastUsed.Add(r.reuseInterval)) -} diff --git a/server/rotation_test.go b/server/signer/rotation_test.go similarity index 71% rename from server/rotation_test.go rename to server/signer/rotation_test.go index c7e6bada..1974d996 100644 --- a/server/rotation_test.go +++ b/server/signer/rotation_test.go @@ -1,4 +1,4 @@ -package server +package signer import ( "context" @@ -7,8 +7,6 @@ import ( "testing" "time" - "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage/memory" ) @@ -97,25 +95,3 @@ func TestKeyRotator(t *testing.T) { } } } - -func TestRefreshTokenPolicy(t *testing.T) { - lastTime := time.Now() - l := slog.New(slog.DiscardHandler) - - r, err := NewRefreshTokenPolicy(l, true, "1m", "1m", "1m") - require.NoError(t, err) - - t.Run("Allowed", func(t *testing.T) { - r.now = func() time.Time { return lastTime } - require.Equal(t, true, r.AllowedToReuse(lastTime)) - require.Equal(t, false, r.ExpiredBecauseUnused(lastTime)) - require.Equal(t, false, r.CompletelyExpired(lastTime)) - }) - - t.Run("Expired", func(t *testing.T) { - r.now = func() time.Time { return lastTime.Add(2 * time.Minute) } - require.Equal(t, false, r.AllowedToReuse(lastTime)) - require.Equal(t, true, r.ExpiredBecauseUnused(lastTime)) - require.Equal(t, true, r.CompletelyExpired(lastTime)) - }) -} 
diff --git a/server/signer.go b/server/signer/signer.go similarity index 97% rename from server/signer.go rename to server/signer/signer.go index d38abb1f..eedcf24c 100644 --- a/server/signer.go +++ b/server/signer/signer.go @@ -1,8 +1,7 @@ -package server +package signer import ( "context" - "github.com/go-jose/go-jose/v4" ) @@ -10,13 +9,10 @@ import ( type Signer interface { // Sign signs the provided payload. Sign(ctx context.Context, payload []byte) (string, error) - // ValidationKeys returns the current public keys used for signature validation. ValidationKeys(ctx context.Context) ([]*jose.JSONWebKey, error) - // Algorithm returns the signing algorithm used by this signer. Algorithm(ctx context.Context) (jose.SignatureAlgorithm, error) - // Start starts any background tasks required by the signer (e.g., key rotation). Start(ctx context.Context) } diff --git a/server/signer/utils.go b/server/signer/utils.go new file mode 100644 index 00000000..6d607a10 --- /dev/null +++ b/server/signer/utils.go 
@@ -0,0 +1,58 @@
+package signer
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rsa"
+ "errors"
+ "fmt"
+
+ "github.com/go-jose/go-jose/v4"
+)
+
+func signatureAlgorithm(jwk *jose.JSONWebKey) (alg jose.SignatureAlgorithm, err error) {
+ if jwk.Key == nil {
+ return alg, errors.New("no signing key")
+ }
+ switch key := jwk.Key.(type) {
+ case *rsa.PrivateKey:
+ // Because OIDC mandates that we support RS256, we always return that
+ // value. In the future, we might want to make this configurable on a
+ // per client basis. For example allowing PS256 or ECDSA variants.
+ //
+ // See https://github.com/dexidp/dex/issues/692
+ return jose.RS256, nil
+ case *ecdsa.PrivateKey:
+ // We don't actually support ECDSA keys yet, but they're tested for
+ // in case we want to in the future.
+ //
+ // These values are prescribed depending on the ECDSA key type. We
+ // can't return different values.
+ switch key.Params() {
+ case elliptic.P256().Params():
+ return jose.ES256, nil
+ case elliptic.P384().Params():
+ return jose.ES384, nil
+ case elliptic.P521().Params():
+ return jose.ES512, nil
+ default:
+ return alg, errors.New("unsupported ecdsa curve")
+ }
+ default:
+ return alg, fmt.Errorf("unsupported signing key type %T", key)
+ }
+}
+
+func signPayload(key *jose.JSONWebKey, alg jose.SignatureAlgorithm, payload []byte) (jws string, err error) {
+ signingKey := jose.SigningKey{Key: key, Algorithm: alg}
+
+ signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{})
+ if err != nil {
+ return "", fmt.Errorf("new signer: %v", err)
+ }
+ signature, err := signer.Sign(payload)
+ if err != nil {
+ return "", fmt.Errorf("signing payload: %v", err)
+ }
+ return signature.CompactSerialize()
+}
diff --git a/server/signer_vault.go b/server/signer/vault.go
similarity index 95%
rename from server/signer_vault.go
rename to server/signer/vault.go
index eacaf37c..9694615b 100644
--- a/server/signer_vault.go
+++ b/server/signer/vault.go
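Review bot: Both helpers in this new file are undocumented; `// signatureAlgorithm selects the JWS algorithm for the private key held in jwk; RSA keys always map to RS256.` and `// signPayload signs payload with key using alg and returns the compact JWS serialization.` would make the file self-describing for the next reader. The named result `alg` in `signatureAlgorithm` exists only to return the zero value on the error paths; returning `""` directly and dropping the named results reads more plainly, and `jws` in `signPayload` is likewise never assigned.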
@@ -1,4 +1,4 @@ -package server +package signer import ( "context" @@ -21,18 +21,18 @@ import ( vault "github.com/openbao/openbao/api/v2" ) -// VaultSignerConfig holds configuration for the Vault signer. -type VaultSignerConfig struct { +// VaultConfig holds configuration for the Vault signer. +type VaultConfig struct { Addr string `json:"addr"` Token string `json:"token"` KeyName string `json:"keyName"` } -// UnmarshalJSON unmarshals a VaultSignerConfig and applies environment variables. +// UnmarshalJSON unmarshals a VaultConfig and applies environment variables. // If Addr or Token are not provided in the config, they are read from VAULT_ADDR // and VAULT_TOKEN environment variables respectively. -func (c *VaultSignerConfig) UnmarshalJSON(data []byte) error { - type Alias VaultSignerConfig +func (c *VaultConfig) UnmarshalJSON(data []byte) error { + type Alias VaultConfig aux := &struct { *Alias }{ @@ -59,6 +59,11 @@ func (c *VaultSignerConfig) UnmarshalJSON(data []byte) error { return nil } +// Open creates a new Vault signer. +func (c *VaultConfig) Open(ctx context.Context) (Signer, error) { + return newVaultSigner(*c) +} + // vaultSigner signs payloads using HashiCorp Vault's Transit backend. type vaultSigner struct { client *vault.Client @@ -66,7 +71,7 @@ type vaultSigner struct { } // newVaultSigner creates a new Vault signer that uses Transit backend for signing. -func newVaultSigner(c VaultSignerConfig) (*vaultSigner, error) { +func newVaultSigner(c VaultConfig) (*vaultSigner, error) { config := vault.DefaultConfig() config.Address = c.Addr diff --git a/server/signer_vault_integration_test.go b/server/signer/vault_integration_test.go similarity index 99% rename from server/signer_vault_integration_test.go rename to server/signer/vault_integration_test.go index 49ac219c..84f824ae 100644 --- a/server/signer_vault_integration_test.go +++ b/server/signer/vault_integration_test.go @@ -1,4 +1,4 @@ -package server +package signer import ( "context" 
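Review bot: `VaultConfig.Open` takes a `ctx` it never uses (`newVaultSigner(*c)` receives only the config), while `LocalConfig.Open` in the same commit names its unused context `_`; either name it `_` here too or thread it into `newVaultSigner` so that, if construction contacts Vault, a hung startup can be cancelled. `Token` is a credential carried in plain text in the config struct; since `UnmarshalJSON` already falls back to `VAULT_TOKEN`, the doc comment on `VaultConfig` could steer operators toward the environment variable and note that the field must never appear in log output. `newVaultSigner` continues past the hunk.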
@@ -136,7 +136,7 @@ func TestVaultSignerConformance_SigningAndVerification(t *testing.T) { defer cleanupTests(t, ctx, client, keyName) // Create signer - signerConfig := VaultSignerConfig{ + signerConfig := VaultConfig{ Addr: config.addr, Token: config.token, KeyName: keyName, @@ -283,7 +283,7 @@ func TestVaultSignerConformance_KeyRotation(t *testing.T) { defer cleanupTests(t, ctx, client, keyName) // Create signer - signerConfig := VaultSignerConfig{ + signerConfig := VaultConfig{ Addr: config.addr, Token: config.token, KeyName: keyName, @@ -412,7 +412,7 @@ func TestVaultSignerConformance_PublicKeyDiscovery(t *testing.T) { defer cleanupTests(t, ctx, client, keyName) // Create signer - signerConfig := VaultSignerConfig{ + signerConfig := VaultConfig{ Addr: config.addr, Token: config.token, KeyName: keyName, diff --git a/server/signer_vault_test.go b/server/signer/vault_test.go similarity index 88% rename from server/signer_vault_test.go rename to server/signer/vault_test.go index 050a672c..f0e06908 100644 --- a/server/signer_vault_test.go +++ b/server/signer/vault_test.go @@ -1,4 +1,4 @@ -package server +package signer import ( "encoding/json" @@ -6,7 +6,7 @@ import ( "testing" ) -func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { +func TestVaultConfigUnmarshalJSON_WithEnvVars(t *testing.T) { // Save original environment variables originalAddr := os.Getenv("VAULT_ADDR") originalToken := os.Getenv("VAULT_TOKEN") @@ -22,13 +22,13 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { tests := []struct { name string json string - want VaultSignerConfig + want VaultConfig wantErr bool }{ { name: "empty config uses env vars", json: `{"keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "http://vault.example.com:8200", Token: "s.xxxxxxxxxxxxxxxx", KeyName: "signing-key", 
@@ -38,7 +38,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { { name: "config values override env vars", json: `{"addr": "http://custom.vault.com:8200", "token": "s.custom", "keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "http://custom.vault.com:8200", Token: "s.custom", KeyName: "signing-key", @@ -48,7 +48,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { { name: "partial config uses env vars for missing values", json: `{"addr": "http://custom.vault.com:8200", "keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "http://custom.vault.com:8200", Token: "s.xxxxxxxxxxxxxxxx", KeyName: "signing-key", @@ -58,7 +58,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { { name: "empty token in config uses env var", json: `{"addr": "http://custom.vault.com:8200", "token": "", "keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "http://custom.vault.com:8200", Token: "s.xxxxxxxxxxxxxxxx", KeyName: "signing-key", @@ -69,7 +69,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - var got VaultSignerConfig + var got VaultConfig err := json.Unmarshal([]byte(tt.json), &got) if (err != nil) != tt.wantErr { @@ -90,7 +90,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) { } } -func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { +func TestVaultConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { // Save original environment variables originalAddr := os.Getenv("VAULT_ADDR") originalToken := os.Getenv("VAULT_TOKEN") 
@@ -106,13 +106,13 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { tests := []struct { name string json string - want VaultSignerConfig + want VaultConfig wantErr bool }{ { name: "config values used when env vars not set", json: `{"addr": "http://vault.example.com:8200", "token": "s.xxxxxxxxxxxxxxxx", "keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "http://vault.example.com:8200", Token: "s.xxxxxxxxxxxxxxxx", KeyName: "signing-key", @@ -122,7 +122,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { { name: "empty config when env vars not set", json: `{"keyName": "signing-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "", Token: "", KeyName: "signing-key", @@ -132,7 +132,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { { name: "only keyName required in config", json: `{"keyName": "my-key"}`, - want: VaultSignerConfig{ + want: VaultConfig{ Addr: "", Token: "", KeyName: "my-key", @@ -143,7 +143,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - var got VaultSignerConfig + var got VaultConfig err := json.Unmarshal([]byte(tt.json), &got) if (err != nil) != tt.wantErr { @@ -164,7 +164,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) { } } -func TestVaultSignerConfigUnmarshalJSON_InvalidJSON(t *testing.T) { +func TestVaultConfigUnmarshalJSON_InvalidJSON(t *testing.T) { tests := []struct { name string json string @@ -184,7 +184,7 @@ func TestVaultSignerConfigUnmarshalJSON_InvalidJSON(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - var got VaultSignerConfig + var got VaultConfig err := json.Unmarshal([]byte(tt.json), &got) if (err != nil) != tt.wantErr {