kumahq · jakubdyszkiewicz · Oct 28, 2021 · Oct 22, 2021 · Oct 22, 2021 · Oct 25, 2021
@@ -13,14 +13,14 @@ import (
 
 const bearerPrefix = "Bearer "
 
-func UserTokenAuthenticator(issuer issuer.UserTokenIssuer) authn.Authenticator {
+func UserTokenAuthenticator(validator issuer.UserTokenValidator) authn.Authenticator {
 	return func(request *restful.Request, response *restful.Response, chain *restful.FilterChain) {
 		authnHeader := request.Request.Header.Get("authorization")
 		if user.FromCtx(request.Request.Context()) == nil && // do not overwrite existing user
 			authnHeader != "" &&
 			strings.HasPrefix(authnHeader, bearerPrefix) {
 			token := strings.TrimPrefix(authnHeader, bearerPrefix)
-			u, err := issuer.Validate(token)
+			u, err := validator.Validate(token)
 			if err != nil {
 				rest_errors.HandleError(response, &rest_errors.Unauthenticated{}, "invalid authentication data: "+err.Error())
 				return

@@ -17,7 +17,6 @@ const KeyIDHeader = "kid" // standard JWT header that indicates which signing ke
 
 type UserTokenIssuer interface {
 	Generate(identity user.User, validFor time.Duration) (Token, error)
-	Validate(token Token) (user.User, error)
 }
 
 // jwtTokenIssuer generates and validates User Tokens.
@@ -27,13 +26,11 @@ type UserTokenIssuer interface {
 // A new token is always generated by using the latest signing key.
 type jwtTokenIssuer struct {
 	signingKeyManager SigningKeyManager
-	revocations       TokenRevocations
 }
 
-func NewUserTokenIssuer(signingKeyAccessor SigningKeyManager, revocations TokenRevocations) UserTokenIssuer {
+func NewUserTokenIssuer(signingKeyAccessor SigningKeyManager) UserTokenIssuer {
 	return &jwtTokenIssuer{
 		signingKeyManager: signingKeyAccessor,
-		revocations:       revocations,
 	}
 }
 
@@ -61,46 +58,11 @@ func (j *jwtTokenIssuer) Generate(identity user.User, validFor time.Duration) (T
 		},
 	}
 
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, c)
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, c)
 	token.Header[KeyIDHeader] = strconv.Itoa(serialNumber)
 	tokenString, err := token.SignedString(signingKey)
 	if err != nil {
 		return "", errors.Wrap(err, "could not sign a token")
 	}
 	return tokenString, nil
 }
-
-func (j *jwtTokenIssuer) Validate(rawToken Token) (user.User, error) {
-	c := &claims{}
-	token, err := jwt.ParseWithClaims(rawToken, c, func(token *jwt.Token) (interface{}, error) {
-		serialNumberRaw := token.Header["kid"]
-		if serialNumberRaw == nil {
-			return nil, errors.New("kid header not found")
-		}
-		serialNumber, err := strconv.Atoi(serialNumberRaw.(string))
-		if err != nil {
-			return nil, err
-		}
-		signingKey, err := j.signingKeyManager.GetSigningKey(serialNumber)
-		if err != nil {
-			return nil, errors.Wrapf(err, "could not get signing key with serial number %d. The signing key most likely has been rotated, regenerate the token", serialNumber)
-		}
-		return signingKey, nil
-	})
-	if err != nil {
-		return user.User{}, errors.Wrap(err, "could not parse token")
-	}
-	if !token.Valid {
-		return user.User{}, errors.New("token is not valid")
-	}
-
-	revoked, err := j.revocations.IsRevoked(c.ID)
-	if err != nil {
-		return user.User{}, errors.Wrap(err, "could not check if the token is revoked")
-	}
-	if revoked {
-		return user.User{}, errors.New("token is revoked")
-	}
-
-	return c.User, nil
-}
@@ -24,6 +24,7 @@ import (
 var _ = Describe("User token issuer", func() {
 
 	var issuer UserTokenIssuer
+	var validator UserTokenValidator
 	var store core_store.ResourceStore
 	var signingKeyManager SigningKeyManager
 
@@ -33,7 +34,8 @@ var _ = Describe("User token issuer", func() {
 		store = memory.NewStore()
 		secretManager := secret_manager.NewGlobalSecretManager(secret_store.NewSecretStore(store), cipher.None())
 		signingKeyManager = NewSigningKeyManager(secretManager)
-		issuer = NewUserTokenIssuer(signingKeyManager, NewTokenRevocations(secretManager))
+		issuer = NewUserTokenIssuer(signingKeyManager)
+		validator = NewUserTokenValidator(NewSigningKeyAccessor(secretManager), NewTokenRevocations(secretManager))
 
 		Expect(signingKeyManager.CreateDefaultSigningKey()).To(Succeed())
 		core.Now = func() time.Time {
@@ -61,7 +63,7 @@ var _ = Describe("User token issuer", func() {
 		Expect(err).ToNot(HaveOccurred())
 
 		// then
-		_, err = issuer.Validate(token1)
+		_, err = validator.Validate(token1)
 		Expect(err).ToNot(HaveOccurred())
 
 		// when new signing key with higher serial number is created
@@ -73,21 +75,21 @@ var _ = Describe("User token issuer", func() {
 		Expect(err).ToNot(HaveOccurred())
 
 		// then all tokens are valid because 2 signing keys are present in the system
-		_, err = issuer.Validate(token1)
+		_, err = validator.Validate(token1)
 		Expect(err).ToNot(HaveOccurred())
-		_, err = issuer.Validate(token2)
+		_, err = validator.Validate(token2)
 		Expect(err).ToNot(HaveOccurred())
 
 		// when first signing key is deleted
 		err = store.Delete(context.Background(), system.NewGlobalSecretResource(), core_store.DeleteBy(SigningKeyResourceKey(DefaultSerialNumber)))
 		Expect(err).ToNot(HaveOccurred())
 
 		// then old tokens are no longer valid
-		_, err = issuer.Validate(token1)
+		_, err = validator.Validate(token1)
 		Expect(err).To(MatchError("could not parse token: could not get signing key with serial number 1. The signing key most likely has been rotated, regenerate the token: there is no signing key in the Control Plane"))
 
 		// and new token is valid because new signing key is present
-		_, err = issuer.Validate(token2)
+		_, err = validator.Validate(token2)
 		Expect(err).ToNot(HaveOccurred())
 	})
 
@@ -102,7 +104,7 @@ var _ = Describe("User token issuer", func() {
 
 		// when
 		now = now.Add(60*time.Second + 1*time.Second)
-		_, err = issuer.Validate(token)
+		_, err = validator.Validate(token)
 
 		// then
 		Expect(err.Error()).To(ContainSubstring("could not parse token: token is expired"))
@@ -117,7 +119,7 @@ var _ = Describe("User token issuer", func() {
 
 		token, err := issuer.Generate(id, 60*time.Second)
 		Expect(err).ToNot(HaveOccurred())
-		_, err = issuer.Validate(token)
+		_, err = validator.Validate(token)
 		Expect(err).ToNot(HaveOccurred())
 
 		// when id of the token is added to revocation list
@@ -136,7 +138,7 @@ var _ = Describe("User token issuer", func() {
 		Expect(err).ToNot(HaveOccurred())
 
 		// then
-		_, err = issuer.Validate(token)
+		_, err = validator.Validate(token)
 		Expect(err).To(MatchError("token is revoked"))
 	})
 })
@@ -2,6 +2,8 @@ package issuer
 
 import (
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
 	"fmt"
 	"sort"
 	"strconv"
@@ -32,17 +34,12 @@ func SigningKeyResourceKey(serialNumber int) model.ResourceKey {
 	}
 }
 
-func IsSigningKeyResource(resKey model.ResourceKey) bool {
-	return strings.HasPrefix(resKey.Name, signingKeyPrefix) && resKey.Mesh == ""
-}
-
 // SigningKeyManager manages User Token's signing keys.
 // We can have many signing keys in the system.
 // Example: "user-token-signing-key-1", "user-token-signing-key-2" etc.
 // The latest key is  a key with a higher serial number (number at the end of the name)
 type SigningKeyManager interface {
-	GetSigningKey(serialNumber int) ([]byte, error)
-	GetLatestSigningKey() ([]byte, int, error)
+	GetLatestSigningKey() (*rsa.PrivateKey, int, error)
 	CreateDefaultSigningKey() error
 	CreateSigningKey(serialNumber int) error
 }
@@ -59,18 +56,7 @@ type signingKeyManager struct {
 
 var _ SigningKeyManager = &signingKeyManager{}
 
-func (s *signingKeyManager) GetSigningKey(serialNumber int) ([]byte, error) {
-	resource := system.NewGlobalSecretResource()
-	if err := s.manager.Get(context.Background(), resource, store.GetBy(SigningKeyResourceKey(serialNumber))); err != nil {
-		if store.IsResourceNotFound(err) {
-			return nil, SigningKeyNotFound
-		}
-		return nil, errors.Wrap(err, "could not retrieve signing key from secret manager")
-	}
-	return resource.Spec.GetData().GetValue(), nil
-}
-
-func (s *signingKeyManager) GetLatestSigningKey() ([]byte, int, error) {
+func (s *signingKeyManager) GetLatestSigningKey() (*rsa.PrivateKey, int, error) {
 	resources := system.GlobalSecretResourceList{}
 	if err := s.manager.List(context.Background(), &resources); err != nil {
 		return nil, 0, errors.Wrap(err, "could not retrieve signing key from secret manager")
@@ -94,7 +80,11 @@ func (s *signingKeyManager) GetLatestSigningKey() ([]byte, int, error) {
 		return nil, 0, err
 	}
 
-	return signingKeys[0].Spec.GetData().GetValue(), serialNumber, nil
+	key, err := x509.ParsePKCS1PrivateKey(signingKeys[0].Spec.GetData().GetValue())
+	if err != nil {
+		return nil, 0, err
+	}
+	return key, serialNumber, nil
 }
 
 func (s *signingKeyManager) CreateDefaultSigningKey() error {

diff --git a/pkg/plugins/authn/api-server/tokens/issuer/singing_key_accessor.go b/pkg/plugins/authn/api-server/tokens/issuer/singing_key_accessor.go
@@ -0,0 +1,44 @@
+package issuer
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+
+	"github.com/pkg/errors"
+
+	"github.com/kumahq/kuma/pkg/core/resources/apis/system"
+	"github.com/kumahq/kuma/pkg/core/resources/manager"
+	"github.com/kumahq/kuma/pkg/core/resources/store"
+)
+
+type SigningKeyAccessor interface {
+	GetSigningPublicKey(serialNumber int) (*rsa.PublicKey, error)
+}
+
+type signingKeyAccessor struct {
+	resManager manager.ResourceManager
+}
+
+var _ SigningKeyAccessor = &signingKeyAccessor{}
+
+func NewSigningKeyAccessor(resManager manager.ResourceManager) SigningKeyAccessor {
+	return &signingKeyAccessor{
+		resManager: resManager,
+	}
+}
+
+func (s *signingKeyAccessor) GetSigningPublicKey(serialNumber int) (*rsa.PublicKey, error) {
+	resource := system.NewGlobalSecretResource()
+	if err := s.resManager.Get(context.Background(), resource, store.GetBy(SigningKeyResourceKey(serialNumber))); err != nil {
+		if store.IsResourceNotFound(err) {
+			return nil, SigningKeyNotFound
+		}
+		return nil, errors.Wrap(err, "could not retrieve signing key")
+	}
+	key, err := x509.ParsePKCS1PrivateKey(resource.Spec.GetData().GetValue())
+	if err != nil {
+		return nil, err
+	}
+	return &key.PublicKey, nil
+}
@@ -0,0 +1,61 @@
+package issuer
+
+import (
+	"strconv"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
+
+	"github.com/kumahq/kuma/pkg/core/user"
+)
+
+type UserTokenValidator interface {
+	Validate(token Token) (user.User, error)
+}
+
+func NewUserTokenValidator(keyAccessor SigningKeyAccessor, revocations TokenRevocations) UserTokenValidator {
+	return &jwtTokenValidator{
+		keyAccessor: keyAccessor,
+		revocations: revocations,
+	}
+}
+
+type jwtTokenValidator struct {
+	keyAccessor SigningKeyAccessor
+	revocations TokenRevocations
+}
+
+func (j *jwtTokenValidator) Validate(rawToken Token) (user.User, error) {
+	c := &claims{}
+	token, err := jwt.ParseWithClaims(rawToken, c, func(token *jwt.Token) (interface{}, error) {
+		serialNumberRaw := token.Header[KeyIDHeader]
+		if serialNumberRaw == nil {
+			return nil, errors.New("kid header not found")
+		}
+		serialNumber, err := strconv.Atoi(serialNumberRaw.(string))
+		if err != nil {
+			return nil, err
+		}
+		key, err := j.keyAccessor.GetSigningPublicKey(serialNumber)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not get signing key with serial number %d. The signing key most likely has been rotated, regenerate the token", serialNumber)
+		}
+		return key, nil
+	})
+	if err != nil {
+		return user.User{}, errors.Wrap(err, "could not parse token")
+	}
+	if !token.Valid {
+		return user.User{}, errors.New("token is not valid")
+	}
+
+	revoked, err := j.revocations.IsRevoked(c.ID)
+	if err != nil {
+		return user.User{}, errors.Wrap(err, "could not check if the token is revoked")
+	}
+	if revoked {
+		return user.User{}, errors.New("token is revoked")
+	}
+
+	return c.User, nil
+}
@@ -6,7 +6,6 @@ import (
 	"github.com/kumahq/kuma/pkg/api-server/authn"
 	config_rbac "github.com/kumahq/kuma/pkg/config/rbac"
 	"github.com/kumahq/kuma/pkg/core/plugins"
-	"github.com/kumahq/kuma/pkg/core/resources/manager"
 	"github.com/kumahq/kuma/pkg/plugins/authn/api-server/tokens/issuer"
 	"github.com/kumahq/kuma/pkg/plugins/authn/api-server/tokens/rbac"
 	"github.com/kumahq/kuma/pkg/plugins/authn/api-server/tokens/ws/server"
@@ -32,7 +31,11 @@ func init() {
 }
 
 func (c plugin) NewAuthenticator(context plugins.PluginContext) (authn.Authenticator, error) {
-	return UserTokenAuthenticator(tokenIssuer(context.ResourceManager())), nil
+	validator := issuer.NewUserTokenValidator(
+		issuer.NewSigningKeyAccessor(context.ResourceManager()),
+		issuer.NewTokenRevocations(context.ResourceManager()),
+	)
+	return UserTokenAuthenticator(validator), nil
 }
 
 func (c plugin) BeforeBootstrap(*plugins.MutablePluginContext, plugins.PluginConfig) error {
@@ -47,11 +50,8 @@ func (c plugin) AfterBootstrap(context *plugins.MutablePluginContext, config plu
 	if !ok {
 		return errors.Errorf("no RBAC strategy for type %q", context.Config().RBAC.Type)
 	}
-	webService := server.NewWebService(tokenIssuer(context.ResourceManager()), accessFn(context))
+	tokenIssuer := issuer.NewUserTokenIssuer(issuer.NewSigningKeyManager(context.ResourceManager()))
+	webService := server.NewWebService(tokenIssuer, accessFn(context))
 	context.APIManager().Add(webService)
 	return nil
 }
-
-func tokenIssuer(resManager manager.ResourceManager) issuer.UserTokenIssuer {
-	return issuer.NewUserTokenIssuer(issuer.NewSigningKeyManager(resManager), issuer.NewTokenRevocations(resManager))
-}
@@ -32,16 +32,16 @@ func (n *noopGenerateUserTokenAccess) ValidateGenerate(*user.User) error {
 var _ = Describe("Auth Tokens WS", func() {
 
 	var userTokenClient client.UserTokenClient
-	var userTokenIssuer issuer.UserTokenIssuer
+	var userTokenValidator issuer.UserTokenValidator
 
 	BeforeEach(func() {
 		store := memory.NewStore()
 		manager := secret_manager.NewGlobalSecretManager(secret_store.NewSecretStore(store), cipher.None())
 		signingKeyManager := issuer.NewSigningKeyManager(manager)
-		userTokenIssuer = issuer.NewUserTokenIssuer(signingKeyManager, issuer.NewTokenRevocations(manager))
+		userTokenValidator = issuer.NewUserTokenValidator(issuer.NewSigningKeyAccessor(manager), issuer.NewTokenRevocations(manager))
 
 		Expect(signingKeyManager.CreateDefaultSigningKey()).To(Succeed())
-		ws := server.NewWebService(userTokenIssuer, &noopGenerateUserTokenAccess{})
+		ws := server.NewWebService(issuer.NewUserTokenIssuer(signingKeyManager), &noopGenerateUserTokenAccess{})
 
 		container := restful.NewContainer()
 		container.Add(ws)
@@ -64,7 +64,7 @@ var _ = Describe("Auth Tokens WS", func() {
 
 		// then
 		Expect(err).ToNot(HaveOccurred())
-		u, err := userTokenIssuer.Validate(token)
+		u, err := userTokenValidator.Validate(token)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(u.Name).To(Equal("john.doe@example.com"))
 		Expect(u.Groups).To(Equal([]string{"team-a"}))