
Audience key in JWTs #733

Merged
merged 33 commits into from
May 9, 2019

Conversation

@greenape greenape (Member) commented May 9, 2019

Closes #727

I have:

  • Formatted any Python files with black
  • Brought the branch up to date with master
  • Added any relevant Github labels
  • Added tests for any new additions
  • Added or updated any relevant documentation
  • Added an Architectural Decision Record (ADR), if appropriate
  • Added an MPLv2 License Header if appropriate
  • Updated the Changelog

Description

This adds an audience key to the JWTs (required to use public key signing for the link between flowauth and flowapi while not allowing tokens to be used for different servers than intended).

The audience key is the name of the server, so when adding a server in FlowAuth, this will now need to match the FLOWAPI_IDENTIFIER env var passed into the flowapi container.
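As an added illustration of what the audience claim buys (this is example code, not code from this PR or from FlowKit), below is a minimal JWT issuer and verifier using only the Python standard library. FlowAuth and FlowAPI sign with a public/private key pair; this example uses HS256 with a shared secret so it runs with no dependencies, but the `aud` handling is the same in both cases: a verifier only accepts tokens whose `aud` names the server it is running as. The function names (`issue_token`, `verify_token`, `TokenRejected`), the `identity` claim layout and the server identifiers `TEST_SERVER` / `OTHER_SERVER` are assumptions made for the example; in a real deployment `expected_audience` would come from the server's FLOWAPI_IDENTIFIER setting.

```python
"""Minimal HS256 JWT issue/verify with an audience ("aud") check.

Added example, not FlowKit code. Everything below is constructed for
illustration; the secret and server names are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class TokenRejected(Exception):
    """Raised when a token fails any verification step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, audience: str,
                lifetime_s: int = 3600, now: Optional[int] = None) -> str:
    """Mint a token for one specific server: its name goes in 'aud'."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"identity": subject, "aud": audience, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(secret: bytes, token: str, expected_audience: str,
                 now: Optional[int] = None) -> Dict[str, Any]:
    """Check signature, expiry, and that 'aud' names this server."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise TokenRejected("expired")
    # The audience check: a token minted for one server is not valid on another.
    # 'aud' may be a string or a list of strings per RFC 7519; a missing 'aud'
    # is also a rejection, so an old audience-less token cannot be replayed.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenRejected(f"audience {aud!r} does not include {expected_audience!r}")
    return payload


def demo() -> Dict[str, str]:
    """Issue a token for TEST_SERVER and try it against two servers."""
    secret = b"constructed-shared-secret"  # placeholder, not a real key
    tok = issue_token(secret, "alice", "TEST_SERVER", now=1_000_000)
    results = {"same_server": verify_token(secret, tok, "TEST_SERVER", now=1_000_100)["aud"]}
    try:
        verify_token(secret, tok, "OTHER_SERVER", now=1_000_100)
        results["other_server"] = "accepted"
    except TokenRejected:
        results["other_server"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'same_server': 'TEST_SERVER', 'other_server': 'rejected'}`: the same signed token is accepted by the server it was issued for and refused by any other, which is exactly the property the PR description asks for when the server name in FlowAuth must match FLOWAPI_IDENTIFIER.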

@greenape greenape added enhancement New feature or request FlowAuth Issues related to FlowAuth FlowAPI Issues related to the FlowKit API security labels May 9, 2019
codecov bot commented May 9, 2019

Codecov Report

Merging #733 into master will decrease coverage by 2.33%.
The diff coverage is 100%.


@@            Coverage Diff            @@
##           master    #733      +/-   ##
=========================================
- Coverage   93.74%   91.4%   -2.34%     
=========================================
  Files         130       7     -123     
  Lines        6473     838    -5635     
  Branches      683       0     -683     
=========================================
- Hits         6068     766    -5302     
+ Misses        283      72     -211     
+ Partials      122       0     -122
Impacted Files Coverage Δ
flowauth/backend/flowauth/token_management.py 94.11% <100%> (+0.61%) ⬆️
flowclient/flowclient/client.py 83.57% <0%> (-10.63%) ⬇️
...e/server/query_schemas/joined_spatial_aggregate.py
...achine/core/server/query_schemas/daily_location.py
...e/flowmachine/features/raster/raster_statistics.py
flowmachine/flowmachine/core/custom_query.py
flowmachine/flowmachine/core/server/server.py
...hine/features/location/unique_subscriber_counts.py
...ne/core/server/query_schemas/radius_of_gyration.py
...owmachine/features/subscriber/subscriber_degree.py
... and 113 more

Continue to review full report at Codecov.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8cfcf21...d8ef87e. Read the comment docs.

codecov bot commented May 9, 2019

Codecov Report

Merging #733 into master will increase coverage by 0.03%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #733      +/-   ##
==========================================
+ Coverage   93.74%   93.78%   +0.03%     
==========================================
  Files         130      130              
  Lines        6473     6514      +41     
  Branches      683      685       +2     
==========================================
+ Hits         6068     6109      +41     
  Misses        283      283              
  Partials      122      122
Impacted Files Coverage Δ
flowapi/flowapi/config.py 95% <100%> (+0.26%) ⬆️
flowauth/backend/flowauth/token_management.py 94.11% <100%> (+0.61%) ⬆️
flowkit_jwt_generator/flowkit_jwt_generator/jwt.py 100% <100%> (ø) ⬆️

Continue to review full report at Codecov.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 59fb473...b11982c. Read the comment docs.

flowapi/flowapi/config.py (outdated review thread, resolved)
greenape and others added 3 commits May 9, 2019 15:14
Co-Authored-By: maxalbert <maxalbert@users.noreply.github.com>
greenape and others added 2 commits May 9, 2019 15:18
Co-Authored-By: maxalbert <maxalbert@users.noreply.github.com>
"""
private_key, public_key = generate_keypair()
rsa_private_key = load_private_key(private_key.decode())
assert private_key == rsa_private_key.private_bytes(
Contributor commented:

Isn't this simply duplicating the implementation? Still good to have the test, I just wonder whether there is an independent way of testing it (e.g. to encrypt & decrypt a small sample message and test that we get the original result?) But if not this is probably the easiest way to test things.

identity_claim_key="identity",
user_claims_key="user_claims",
json_encoder=JSONEncoder,
audience=server.name,
Contributor commented:

Forgot to change this to flowapi_identifier?

@maxalbert maxalbert (Contributor) left a comment

Awesome! 🏅

Co-Authored-By: maxalbert <maxalbert@users.noreply.github.com>
@greenape greenape added the ready-to-merge Label indicating a PR is OK to automerge label May 9, 2019
@mergify mergify bot merged commit 7ec5492 into master May 9, 2019
@mergify mergify bot deleted the public-key-tokens branch May 9, 2019 16:58
Development

Successfully merging this pull request may close these issues.

Audience key in tokens
2 participants