Initial work on changing to oauth

oxidecomputer · Sep 8, 2023 · 6a38743 · 6a38743
1 parent 0cc1b8d
commit 6a38743
Show file tree

Hide file tree

Showing 31 changed files with 1,424 additions and 695 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -48,6 +48,7 @@ octorust = "0.7.0-rc.1"
 partial-struct = { git = "https://github.com/oxidecomputer/partial-struct" }
 progenitor = { git = "https://github.com/oxidecomputer/progenitor" }
 progenitor-client = { git = "https://github.com/oxidecomputer/progenitor" }
+rand = "0.8.5"
 rand_core = "0.6"
 regex = "1.7.1"
 reqwest = { version = "0.11", features = ["json", "stream"] }

diff --git a/rfd-api/Cargo.toml b/rfd-api/Cargo.toml
@@ -16,13 +16,15 @@ dropshot = { workspace = true }
 dropshot-authorization-header = { path = "../dropshot-authorization-header" }
 dropshot-verified-body = { workspace = true, features = ["github"] }
 google-cloudkms1 = { workspace = true }
+hex = { workspace = true }
 http = { workspace = true }
 hyper = { workspace = true }
 hyper-tls = { workspace = true }
 jsonwebtoken = { workspace = true }
 oauth2 = { workspace = true }
 octorust = { workspace = true }
 partial-struct = { workspace = true }
+rand = { workspace = true, features = ["std"] }
 rand_core = { workspace = true, features = ["std"] }
 regex = { workspace = true }
 reqwest = { workspace = true }

diff --git a/rfd-api/src/authn/jwt.rs b/rfd-api/src/authn/jwt.rs
@@ -19,7 +19,7 @@ use thiserror::Error;
 use tracing::instrument;
 use uuid::Uuid;
 
-use crate::{config::JwtKey, context::ApiContext, ApiPermissions};
+use crate::{config::AsymmetricKey, context::ApiContext, ApiPermissions};
 
 #[derive(Debug, Error)]
 pub enum JwtError {
@@ -168,7 +168,7 @@ pub enum CloudKmsError {
 
 // Signer that relies on a private key stored in GCP, and a locally store JWK. This signer never
 // has direct access to the private key
-pub struct CloudKmSigner {
+pub struct CloudKmsSigner {
     client: CloudKMS<HttpsConnector<HttpConnector>>,
     key_name: String,
     header: Header,
@@ -187,7 +187,7 @@ pub struct CloudKmsSignatureResponse {
 }
 
 #[async_trait]
-impl JwtSigner for CloudKmSigner {
+impl JwtSigner for CloudKmsSigner {
     type Claims = Claims;
 
     #[instrument(skip(self, claims), err(Debug))]
@@ -302,10 +302,10 @@ fn pem_to_jwk(id: &str, pem: &str) -> Result<Jwk, SignerError> {
 
 #[instrument(skip(key), err(Debug))]
 pub async fn key_to_signer(
-    key: &JwtKey,
+    key: &AsymmetricKey,
 ) -> Result<Box<dyn JwtSigner<Claims = Claims>>, SignerError> {
     Ok(match key {
-        JwtKey::Local {
+        AsymmetricKey::Local {
             kid,
             private,
             public,
@@ -322,7 +322,7 @@ pub async fn key_to_signer(
                 jwk,
             })
         }
-        JwtKey::Ckms {
+        AsymmetricKey::Ckms {
             kid,
             version,
             key,
@@ -399,7 +399,7 @@ pub async fn key_to_signer(
 
             tracing::trace!(?header, ?jwk, "Generated Cloud KMS signer");
 
-            Box::new(CloudKmSigner {
+            Box::new(CloudKmsSigner {
                 client: gcp_kms,
                 key_name,
                 header,