Re-implement JWT generation script using pyjwt

local-dev/api-data-watcher-pusher/Dockerfile

@@ -1,12 +1,10 @@
 FROM alpine:3.11
 
-RUN apk add --no-cache mysql-client tini openssl bash wget curl nodejs nodejs-npm \
-    && npm config set unsafe-perm true \
-    && npm -g install jwtgen
+RUN apk add --no-cache tini bash wget py3-jwt
 
 ENV JWTSECRET=super-secret-string \
     JWTAUDIENCE=api.dev
 
-COPY api-watch-push.sh create_jwt.sh /home/
+COPY api-watch-push.sh create_jwt.py /home/
 
 CMD ["tini", "--", "/home/api-watch-push.sh"]

local-dev/api-data-watcher-pusher/api-watch-push.sh

@@ -8,7 +8,7 @@ populate_kubernetes_gql_file_path="/api-data/03-populate-api-data-kubernetes.gql
 send_graphql_query() {
     local file_path=${1}
 
-    API_ADMIN_JWT_TOKEN=$(/home/create_jwt.sh)
+    API_ADMIN_JWT_TOKEN=$(/home/create_jwt.py)
 
     bearer="Authorization: bearer $API_ADMIN_JWT_TOKEN"
 

local-dev/api-data-watcher-pusher/create_jwt.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+
+import os
+import jwt
+
+payload = {'role': 'admin', 'iss': 'api-data-watcher-pusher',
+           'aud': os.environ['JWTAUDIENCE'], 'sub': 'api-data-watcher-pusher'}
+
+print(jwt.encode(payload, os.environ['JWTSECRET'], algorithm='HS256').decode())

services/auto-idler/Dockerfile

@@ -3,11 +3,9 @@ FROM ${IMAGE_REPO:-lagoon}/oc
 
 ENV LAGOON=auto-idler
 
-RUN apk add --no-cache tini jq openssl bash curl nodejs nodejs-npm \
-    && npm config set unsafe-perm true \
-    && npm -g install jwtgen
+RUN apk add --no-cache tini jq bash curl py3-jwt
 
-COPY create_jwt.sh idle-services.sh idle-clis.sh openshift-clis.sh openshift-services.sh /
+COPY create_jwt.py idle-services.sh idle-clis.sh openshift-clis.sh openshift-services.sh /
 
 ENV JWTSECRET=super-secret-string \
     JWTAUDIENCE=api.dev \

services/auto-idler/create_jwt.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+
+import os
+import jwt
+
+payload = {'role': 'admin', 'iss': 'auto-idler',
+           'aud': os.environ['JWTAUDIENCE'], 'sub': 'auto-idler'}
+
+print(jwt.encode(payload, os.environ['JWTSECRET'], algorithm='HS256').decode())

services/auto-idler/idle-clis.sh

@@ -9,7 +9,7 @@ prefixwith() {
 }
 
 # Create an JWT Admin Token to talk to the API
-API_ADMIN_JWT_TOKEN=$(./create_jwt.sh)
+API_ADMIN_JWT_TOKEN=$(./create_jwt.py)
 BEARER="Authorization: bearer $API_ADMIN_JWT_TOKEN"
 
 # Load all projects and their environments
@@ -45,4 +45,4 @@ do
 done
 sleep 5
 # clean up the tmp file
-rm $TMP_DATA
+rm $TMP_DATA

services/auto-idler/idle-services.sh

@@ -10,7 +10,7 @@ prefixwith() {
 }
 
 # Create an JWT Admin Token to talk to the API
-API_ADMIN_JWT_TOKEN=$(./create_jwt.sh)
+API_ADMIN_JWT_TOKEN=$(./create_jwt.py)
 BEARER="Authorization: bearer $API_ADMIN_JWT_TOKEN"
 
 # Load all projects and their environments, but only development environments

services/ssh/Dockerfile

@@ -28,7 +28,7 @@ ENV LAGOON=ssh \
 COPY services/ssh/libnss-mysql-1.5.tar.gz /tmp/libnss-mysql-1.5.tar.gz
 
 RUN apt-get update \
-    && apt-get install -y curl build-essential libmysqlclient-dev ssh curl vim jq \
+    && apt-get install -y curl build-essential libmysqlclient-dev ssh curl vim jq python3-jwt \
     && ln -s /usr/lib/x86_64-linux-gnu/libmysqlclient.so /usr/lib/libmysqlclient.so \
     && mkdir /tmp/libnss-mysql \
     && tar -xzf /tmp/libnss-mysql-1.5.tar.gz -C /tmp/libnss-mysql --strip-components=1 \
@@ -73,7 +73,7 @@ COPY services/ssh/authorize.sh /authorize.sh
 RUN chmod 755 /authorize.sh
 
 # create_60_sec_jwt to create a JWT Admin Token which is valid for 60 secs
-COPY services/ssh/create_60_sec_jwt.sh /create_60_sec_jwt.sh
+COPY services/ssh/create_60_sec_jwt.py /create_60_sec_jwt.py
 
 # Create /authorize.env file and give api right to write it, it will be filled
 # within docker-entrypoint with all environment variables and then sourced

services/ssh/authorize.sh

@@ -11,7 +11,7 @@
 # variables during the container entrypoint.
 source /authorize.env
 
-API_ADMIN_TOKEN=$(/create_60_sec_jwt.sh)
+API_ADMIN_TOKEN=$(/create_60_sec_jwt.py)
 
 # This token will be required for accessing the sshKeys in the lagoon api
 bearer="Authorization: bearer $API_ADMIN_TOKEN"

services/ssh/create_60_sec_jwt.py

@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+
+import os
+import jwt
+from datetime import datetime, timezone, timedelta
+
+iat = datetime.now(timezone.utc)
+exp = iat + timedelta(minutes=1)
+payload = {'exp': exp, 'iat': iat, 'role': 'admin', 'aud': os.environ['JWTAUDIENCE'], 'sub': 'ssh'}
+
+print(jwt.encode(payload, os.environ['JWTSECRET'], algorithm='HS256').decode())

services/storage-calculator/Dockerfile

@@ -3,11 +3,9 @@ FROM ${IMAGE_REPO:-lagoon}/oc
 
 ENV LAGOON=storage-calculator
 
-RUN apk add --no-cache tini jq openssl bash curl nodejs nodejs-npm \
-    && npm config set unsafe-perm true \
-    && npm -g install jwtgen
+RUN apk add --no-cache tini jq bash curl py3-jwt
 
-COPY create_jwt.sh calculate-storage.sh /
+COPY create_jwt.py calculate-storage.sh /
 
 ENV JWTSECRET=super-secret-string \
     JWTAUDIENCE=api.dev \

services/storage-calculator/calculate-storage.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-API_ADMIN_JWT_TOKEN=$(./create_jwt.sh)
+API_ADMIN_JWT_TOKEN=$(./create_jwt.py)
 BEARER="Authorization: bearer $API_ADMIN_JWT_TOKEN"
 
 # Load all projects and their environments

services/storage-calculator/create_jwt.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+
+import os
+import jwt
+
+payload = {'role': 'admin', 'iss': 'storage-calculator',
+           'aud': os.environ['JWTAUDIENCE'], 'sub': 'storage-calculator'}
+
+print(jwt.encode(payload, os.environ['JWTSECRET'], algorithm='HS256').decode())