Added support for JWT generated by IDPs like Keycloak

[mcharest-mcn]

RSA Support

I was unable to use RSA256 to validate signed requests because the only supported encryption method was HMAC which is a symmetrical and I'm unable to exchange private key securely. In theory, it should also support the other asymmetrical key types, but I have not tested them.

To support RSA (and IDPs like Keycloak), I've added two new configuration parameters : PREST_JWT_WELLKNOWN and PREST_JWT_JWKS.

PREST_JWT_WELLKNOWN

Takes an URL to the well-known configuration of your IDP (ex: https://accounts.google.com/.well-known/openid-configuration) and is able to fetch the JWKS from your IDP. It will then verify if the key used to sign the received token is in the JWKS and verify the signature with said key.

PREST_JWT_JWKS

Instead of providing a well-known URL, you can set the JWKS yourself. It will have the same subsequent behavior as for the PREST_JWT_WELLKNOWN parameter.
Ex :

{
  "keys": [
    {
      "n": "vcP1njqmR82oUndYDYxPF2HO-foOvDT8W8swcBYcgVQ0L1dPOlXz1lgQipJ0G7w9fXqilxsFHTs_MmXuGWQ2m3Wr16dpfPRFAN0ixj0ozzN_ZsF7OSdF6ZMZIJb3ObPt70i_emqEcd5ApITQ4PFvAhpZrBZCrW1z4aceoE1xC3rDV6qjA6pQr9u5A9J8Qj2a4LBG9mAPZCHQt4z50nhAVieKXhBoqKBoDplxj6yqzTTEUi1j-R0Z0NEJUIgt1_ErVsVMOWRKE6-BG39Zu9mvg2UAzxcitjOwa4n_spSgRleIliUJDNu-YpCEwj-5S_cX8DyHxCpvGp4ZBxPq1DUgqQ",
      "alg": "RS256",
      "use": "sig",
      "e": "AQAB",
      "kty": "RSA",
      "kid": "08bf5c3772dd4e7a727a101bf520f6575cac326f"
    }
  ]
}

Unit tests fix

I changed the version of Go used in the docker image for the tests. It needed to be updated to at least 1.20 for the golang.org/x/exp module.

I also included tweaks to the docker-compose to be able to run it using podman instead of Docker.

Summary by CodeRabbit

• New Features
  • Enhanced JWT handling by adding functionality to fetch JWKS from a well-known URL, improving app security.
• Tests
  • Expanded testing coverage for JWT configurations and key management, including RSA encryption handling.
• Chores
  • Updated Dockerfile to use golang:1.22 and included postgresql-client installation for an updated development environment.

[pull-request-quantifier-deprecated]

This PR has 210 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Large
Size       : +202 -8
Percentile : 61%

Total files changed: 9

Change summary by file extension:
.go : +163 -3
.mod : +11 -2
.sum : +23 -0
.yml : +4 -2
testdata/Dockerfile : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detected.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

Walkthrough

The recent updates introduce enhanced JWT handling capabilities, focusing on the management of JSON Web Key Sets (JWKS) for improved security and flexibility in authentication mechanisms. These changes include fetching JWKS from a designated URL, setting JWKS in the application's configuration, and expanding test coverage to ensure robust JWT functionality. Additionally, the middleware has been updated to utilize JWKS for token validation, replacing the previous algorithm-specific method. The infrastructure also sees an update with the Docker environment moving to a newer Golang version and adding PostgreSQL client tools.

Changes

Files	Change Summary
config/config.go middlewares/middlewares.go	Introduced JWKS handling for JWT, replacing algorithm-specific settings.
config/config_test.go middlewares/middlewares_test.go	Enhanced testing for JWT configuration and JWKS, including mock JWKS fetching and token validation.
testdata/Dockerfile	Updated Golang version to 1.20 and added PostgreSQL client.

🐰✨

In the land of code, where the bits align,
A rabbit hopped, with a change so fine.
JWTs dance, with keys so bright,
Through middleware nights, to secure the site.
"To the future," it thumped, with a joyful tweak,
A leap in tech, for the security we seek.
🌟🐾

---

Recent Review Details

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between fee30e7 and 03330b2.

Files selected for processing (1)

• config/config_test.go (3 hunks)

Files not summarized due to errors (1)

• config/config_test.go: Error: Message exceeds token limit

Additional comments not posted (2)

config/config_test.go (2)

99-122: Ensure the test server for JWKS responds with appropriate error codes for different scenarios.

Consider enhancing the robustness of your test by including scenarios where the server responds with error codes other than http.StatusOK. This will help ensure that your error handling logic is correctly implemented.

---

124-129: Review the handling of the JWKS configuration in the test environment.

The test setup for PREST_JWT_JWKS correctly sets and verifies the JWKS configuration. This is crucial for ensuring that the application can handle JWTs as expected.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 366719f and 0cc0bd4.

Files ignored due to path filters (3)

• go.mod is excluded by: !**/*.mod
• go.sum is excluded by: !**/*.sum
• testdata/docker-compose.yml is excluded by: !**/*.yml

Files selected for processing (6)

• config/config.go (5 hunks)
• config/config_test.go (2 hunks)
• middlewares/config.go (1 hunks)
• middlewares/middlewares.go (3 hunks)
• middlewares/middlewares_test.go (2 hunks)
• testdata/Dockerfile (1 hunks)

Additional comments: 6

testdata/Dockerfile (1)

• 1-4: The update to golang:1.20 aligns with the PR's objectives to support the golang.org/x/exp module. The addition of postgresql-client is logical for database interactions, but consider verifying if it's necessary for all users or if it could be optional.

middlewares/config.go (1)

• 40-40: The switch to using config.PrestConf.JWTJWKS aligns with the PR's objectives to support RSA encryption and JWKS for JWT validation. Consider adding comments or documentation to clarify the use of JWTJWKS for future maintainers.

middlewares/middlewares_test.go (1)

• 100-100: The tests for RSA key handling and JWKS are crucial for the new JWT validation mechanism. It's good to see coverage for these scenarios. Consider adding tests for other key types as mentioned in the TODO comment to ensure comprehensive test coverage.

middlewares/middlewares.go (1)

• 148-188: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [126-185]

The modifications to JwtMiddleware align with the PR's objectives to support RSA encryption and JWKS for JWT validation. The handling of different key types and the parsing of JWKSet JSON are well-implemented. Consider enhancing error handling and validation of the JWKS parsing logic to ensure robustness, especially in cases where the key is not found in the JWKS.

config/config.go (2)

• 91-92: The addition of JWTWellKnown and JWTJWKS fields to the Prest struct is a crucial part of supporting JWTs from IDPs. It's good to see these fields being introduced. However, it would be beneficial to add comments explaining their purpose and usage for future maintainers.

Consider adding comments to these fields to improve code readability and maintainability.

• 182-183: Setting default values for jwt.wellknown and jwt.jwks in the configuration is a good practice. However, ensure that these defaults are documented in the project's configuration documentation to inform users about the existence and purpose of these new settings.

Update the project's documentation to include information about the new jwt.wellknown and jwt.jwks configuration settings.

[coderabbitai]

The test case for PREST_JWT_WELLKNOWN sets an environment variable and verifies the configuration parsing. However, it lacks an assertion to ensure that the JWKS is fetched correctly based on the well-known URL. This is crucial for validating the new functionality introduced in the PR.

Consider adding an assertion to verify that the JWKS is fetched and correctly parsed into the configuration.

[mcharest-mcn]

I would have to mock a well-known URL response. Which I might need help with.

[coderabbitai]

@mcharest-mcn: To mock a well-known URL response in your tests, you can use the httptest package from the Go standard library. This package allows you to create a mock HTTP server, which you can configure to return the expected JWKS response for your test. Here's a basic example of how you could implement it:

package config_test

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestParseWithMockWellKnown(t *testing.T) {
	// Start a mock HTTP server
	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Respond with a mock JWKS JSON when the well-known URL is called
		w.WriteHeader(http.StatusOK)
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"keys": [{"kty": "RSA", ...}]}`)) // Simplified JWKS response
	}))
	defer server.Close()

	// Use the mock server's URL as the well-known URL
	t.Setenv("PREST_JWT_WELLKNOWN", server.URL)
	// Continue with your test setup and assertions...
}

This example demonstrates how to start a mock HTTP server that listens for requests and responds with a predefined JWKS JSON. You replace the ... in the JWKS JSON with the actual content you need for your tests. By setting the PREST_JWT_WELLKNOWN environment variable to the mock server's URL, your code under test will make requests to the mock server instead of the real well-known URL.

This approach allows you to test the functionality that fetches and parses the JWKS without making actual HTTP requests to external services, ensuring your tests are fast and reliable.

[coderabbitai]

This test case for PREST_JWT_JWKS directly sets the JWKS in the configuration. It's good to see that the JWKS string is being tested for correct parsing. However, the test could be enhanced by verifying that the JWKS is correctly utilized in JWT validation logic, ensuring that the keys are properly loaded and can be used to validate tokens.

To improve test coverage, consider adding a test case that validates a JWT using the JWKS set through this configuration.

[mcharest-mcn]

This test is done in the middleware tests.

[coderabbitai]

@mcharest-mcn: Thank you for the clarification. I found the relevant middleware test files (utils_test.go, middlewares_test.go, and config_test.go) that likely cover JWT validation using JWKS as you mentioned. This approach ensures comprehensive testing by separating configuration parsing tests from middleware logic tests. If there's anything more specific within these tests you'd like to discuss or any other aspect of the PR, feel free to let me know!

Analysis chain

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Search for test files related to JWT middleware that might include JWT validation using JWKS.
rg --files-with-matches 'JWT' | grep 'middleware.*_test.go'

Length of output: 144

[coderabbitai]

The fetchJWKS function is a key addition to the project, enabling the fetching of JWKS from a well-known URL. The implementation correctly handles HTTP requests, JSON parsing, and error handling. However, there are a few areas for improvement:

• The use of log.Errorf for logging errors is appropriate, but consider also implementing a retry mechanism for transient network errors.
• The function directly modifies the cfg.JWTJWKS field. It might be more maintainable to return the JWKS as a result and let the caller decide how to use it, improving the function's reusability and testability.

Refactor the fetchJWKS function to include a retry mechanism for transient errors and return the JWKS instead of directly modifying the configuration.

[pull-request-quantifier-deprecated]

This PR has 235 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Large
Size       : +227 -8
Percentile : 63.5%

Total files changed: 9

Change summary by file extension:
.go : +188 -3
.mod : +11 -2
.sum : +23 -0
.yml : +4 -2
testdata/Dockerfile : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detected.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 0cc0bd4 and 7b33dbd.

Files selected for processing (1)

• config/config_test.go (3 hunks)

Files not summarized due to errors (1)

• config/config_test.go: Error: Message exceeds token limit

Additional comments: 2

config/config_test.go (2)

• 99-119: The test case for PREST_JWT_WELLKNOWN effectively simulates a JWKS server and a well-known configuration server, setting up the environment for testing the configuration parsing for JWT well-known URLs. This is a comprehensive approach to testing the new feature. However, it would be beneficial to also verify that the fetched JWKS is correctly utilized in JWT validation logic, ensuring that the keys are properly loaded and can be used to validate tokens. This could be part of integration tests rather than unit tests if not already covered.
• 121-126: The test for PREST_JWT_JWKS directly sets the JWKS in the configuration and verifies that it is correctly parsed. This is a straightforward and necessary test for ensuring the JWKS configuration works as expected. Given the previous discussion in the PR comments, it's clear that JWT validation using JWKS is tested elsewhere, specifically in middleware tests. It's good practice to separate configuration parsing tests from middleware logic tests, ensuring comprehensive testing coverage.

[coderabbitai]

The Test_fetchJWKS function tests the JWKS fetching functionality by simulating a JWKS server. This is crucial for ensuring that the application can dynamically load JWKS for JWT validation. The test is well-structured and covers the essential aspects of the JWKS fetching process. However, it would be beneficial to include negative test cases as well, such as handling server errors or invalid JWKS data, to ensure robust error handling in the JWKS fetching logic.

[mcharest-mcn]

I received a comment by @arxdsilva about middlewares/config.go where I should have kept
JwtMiddleware(config.PrestConf.JWTKey, config.PrestConf.JWTAlgo) but the modified function in middlewares.go manages the two situations. The JWTAlgo has disappeared because it was not used in the JwtMiddleware function anyway.

[mcharest-mcn]

Just a check for the integration of this pull request. Are there any more work to do?

[arxdsilva]

can you split this conversion into a variable? just to make sure that it never panics:

uri, ok := wellKnown["jwks_uri"].(string)
...
JWKSet, err := jwk.Fetch(context.Background(),uri)

[mcharest-mcn]

Done in latest commit.
fee30e7

[arxdsilva]

could you rename this to JWTWellKnownURL ?

[mcharest-mcn]

Done in latest commit.
fee30e7

[arxdsilva]

please add context to this call with a 5s timeout

[mcharest-mcn]

Done in latest commit.
fee30e7

[arxdsilva]

@mcharest-mcn thanks for the contribution, I feel that once these points are addressed we can merge it.

[coderabbitai]

Actionable comments posted: 3

[coderabbitai]

Actionable comments posted: 1

[arxdsilva]

thanks @mcharest-mcn !

[Noroz-77]

c801f55