-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kbs: token: add verifier with JSON Web Keys #458
kbs: token: add verifier with JSON Web Keys #458
Conversation
d19c338
to
c719019
Compare
Can you add a meaningfull description? Thanks. |
@Xynnn007 a bit offtopic but is there a reason why
|
4c7b9bb
to
52f2f06
Compare
done |
I did not remember the concrete reason for it is a long time ago -- but I think it makes sense to use a common crate for the same functions. |
I was also wondering if it let us to drop |
52f2f06
to
13f51b3
Compare
For some verifier like IBMSE, |
OK. I was mainly referring to the CoCo tokenverifier code. |
@jialez0 PTAL |
13f51b3
to
1623b3b
Compare
rebased + force pushed. however, this change is relatively independent and does not add any new dependencies. are there any concerns or reasons to wait with this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only two left comments.
kbs/src/token/jwk.rs
Outdated
} | ||
|
||
pub async fn get_jwks_from_file_or_url(p: &str) -> Result<jwk::JwkSet, JwksGetError> { | ||
match Url::parse(p) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not first
let url = Url::parse(p).map_err(...)?;
// then
match url {
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the current match
combines all checks under it. It is an error also when some insecure scheme is used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. A first impression is
// failed to parse
let url = Url::parse(p).map_err(...)?;
if url.scheme() == "https" {
...
}
if url.scheme() == "file" && Path::new(url.path()).exists() {
...
}
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can move the error check arm to be the first one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
moved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I second Ding's original suggestion here. I would just get the error check out of the way in the beginning rather than adding another set of brackets. This will also allow you to return a more specific error.
I think it tends to be more readable to use match statements more like switch statements and to avoid chaining them together unless it really fits the fundamental logic of the function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just updated this part too, thanks for the feedback!
what's the other one? |
@mythi it is #458 (comment) |
1623b3b
to
91f239a
Compare
thanks, it's easy to miss comments in resolved conversations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments on style but looks good overall.
kbs/src/token/jwk.rs
Outdated
} | ||
|
||
pub async fn get_jwks_from_file_or_url(p: &str) -> Result<jwk::JwkSet, JwksGetError> { | ||
match Url::parse(p) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I second Ding's original suggestion here. I would just get the error check out of the way in the beginning rather than adding another set of brackets. This will also allow you to return a more specific error.
I think it tends to be more readable to use match statements more like switch statements and to avoid chaining them together unless it really fits the fundamental logic of the function.
kbs/src/token/jwk.rs
Outdated
_ => Some(keyset), | ||
} | ||
} | ||
None => None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wouldn't use a match here since there is really no logic in this case. You can just use map
instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. With the type change of trusted_certs_paths
, we can simply write as
pub async fn new(config: AttestationTokenVerifierConfig) -> Result<Self> {
let keys = stream::iter(config.trusted_certs_paths)
.filter_map(|p| async move {
match get_jwks_from_file_or_url(&p).await {
Ok(jwkset) => Some(jwkset.keys),
Err(e) => {
warn!("error getting JWKS: {e:?}");
None
}
}
})
.concat()
.await;
Ok(Self { trusted_certs: jwk::JwkSet { keys } })
}
where futures_util
crate is needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, I guess I blindly followed the CoCo
approach so it ended up looking the same
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where
futures_util
crate is needed.
the proposal looks nice but I wonder if this is justified for the functionality here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What the stream::iter
does, is try to do get_jwks_from_file_or_url
concurrently rather than serially if multiple paths in trusted_certs_paths
are given. This makes sense to me. wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My use-case is with one URL only but I understand we may have several trusted_certs_path
in the future where parallelism might help to improve the KBS startup time.
kbs/src/token/jwk.rs
Outdated
_ => Some(keyset), | ||
} | ||
} | ||
None => None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. With the type change of trusted_certs_paths
, we can simply write as
pub async fn new(config: AttestationTokenVerifierConfig) -> Result<Self> {
let keys = stream::iter(config.trusted_certs_paths)
.filter_map(|p| async move {
match get_jwks_from_file_or_url(&p).await {
Ok(jwkset) => Some(jwkset.keys),
Err(e) => {
warn!("error getting JWKS: {e:?}");
None
}
}
})
.concat()
.await;
Ok(Self { trusted_certs: jwk::JwkSet { keys } })
}
where futures_util
crate is needed.
8e051d9
to
a96ff5f
Compare
This is useful if any token verifier needs initialization data pulled remotely. Signed-off-by: Mikko Ylinen <[email protected]>
a96ff5f
to
03691a3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my comment on Ding's thread, but generally this seems fine.
4c917b1
to
8d81645
Compare
Let's merge this if you are happy with it @Xynnn007 |
Add a new token verifier that uses JSON Web Keys (JWK) from the configured JWK Set sources. JWK Sets can be provided locally using file:// URL schema or they can be downloaded automatically via OpenID Connect configuration URLs providing a pointer via "jwks_uri". Signed-off-by: Mikko Ylinen <[email protected]>
8d81645
to
ce55948
Compare
Add a new token verifier that uses JSON Web Keys (JWK) from
the configured JWK Set sources.
JWK Sets can be provided locally using file:// URL schema
or they can be downloaded automatically via OpenID Connect configuration
https:// URLs providing a pointer via "jwks_uri".