Fix and test adding new issuers

Makefile

@@ -6,7 +6,7 @@ KMS_URL ?= https://127.0.0.1:8000
 KEYS_DIR ?= ${KMS_WORKSPACE}/sandbox_common
 RUN_BACK ?= true
 CCF_PLATFORM ?= virtual
-JWT_ISSUER_WORKSPACE ?= ${PWD}/jwt_issuer_workspace
+JWT_ISSUER_WORKSPACE ?= ${PWD}/jwt_issuers_workspace
 
 DEPLOYMENT_ENV ?= $(if $(shell echo $(KMS_URL) | grep -E '127.0.0.1|localhost'),local,cloud)
 

app.json

@@ -315,7 +315,7 @@
         "openapi": {
           "responses": {
             "200": {
-              "description": "Generate a heartbeat response"
+              "description": "Generate an auth response"
             }
           }
         }

governance/proposals/set_jwt_issuer.json

@@ -1,38 +1,38 @@
 {
-    "actions": [
-      {
-        "name": "set_jwt_issuer",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "key_filter": "all",
-          "jwks": {
-            "keys": [
-              ${JWK}
-            ]
-          }
+  "actions": [
+    {
+      "name": "set_jwt_issuer",
+      "args": {
+        "issuer":  "${JWT_ISSUER}",
+        "key_filter": "all",
+        "jwks": {
+          "keys": [
+            ${JWK}
+          ]
         }
-      },
-      {
-        "name": "set_jwt_validation_policy",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "validation_policy": {
-            "iss": "http://Demo-jwt-issuer",
-            "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b",
-            "name": "Cool caller"
-          }
+      }
+    },
+    {
+      "name": "set_jwt_validation_policy",
+      "args": {
+        "issuer": "${JWT_ISSUER}",
+        "validation_policy": {
+          "iss": "${JWT_ISSUER}",
+          "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b",
+          "name": "Cool caller"
         }
-      },
-      {
-        "name": "set_jwt_public_signing_keys",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "jwks": {
-            "keys": [
-              ${JWK}
-            ]
-          }
+      }
+    },
+    {
+      "name": "set_jwt_public_signing_keys",
+      "args": {
+        "issuer": "${JWT_ISSUER}",
+        "jwks": {
+          "keys": [
+            ${JWK}
+          ]
         }
       }
-    ]
+    }
+  ]
 }

requirements.txt

@@ -11,7 +11,7 @@ paramiko==3.5.0
 pyasn1==0.6.1
 PyJWT==2.9.0
 pre-commit==3.5.0
-setuptools==72.0.0
+setuptools==72.1.0
 pytest==8.3.3
 pytest-xdist==3.6.1
 python-dotenv==1.0.1

scripts/jwt_issuer/down.sh

@@ -9,3 +9,4 @@ docker compose -p ${UNIQUE_ID:-default} -f services/docker-compose.yml down jwt-
 
 unset JWT_ISSUER_WORKSPACE
 unset JWT_ISSUER
+unset JWT_TOKEN_ISSUER_URL

scripts/jwt_issuer/up.sh

@@ -9,11 +9,13 @@ jwt-issuer-up() {
     REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"
     export JWT_ISSUER_WORKSPACE=${JWT_ISSUER_WORKSPACE:-$REPO_ROOT/jwt_issuers_workspace/${UNIQUE_ID:-default}/}
     mkdir -p $JWT_ISSUER_WORKSPACE
+    export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
+    export JWT_ISSUER="http://Demo-jwt-issuer"
 
     docker compose -p ${UNIQUE_ID:-default} -f services/docker-compose.yml up jwt-issuer --wait "$@"
     sudo chown $USER:$USER -R $JWT_ISSUER_WORKSPACE
 
-    export JWT_ISSUER="$(cat $JWT_ISSUER_WORKSPACE/jwt_issuer_address)/token"
+    export JWT_TOKEN_ISSUER_URL="$(cat $JWT_ISSUER_WORKSPACE/jwt_issuer_address)/token"
 
     set +e
 }
@@ -22,5 +24,7 @@ jwt-issuer-up "$@"
 
 jq -n '{
     JWT_ISSUER_WORKSPACE: env.JWT_ISSUER_WORKSPACE,
+    JWT_TOKEN_ISSUER_URL: env.JWT_TOKEN_ISSUER_URL,
     JWT_ISSUER: env.JWT_ISSUER,
+
 }'

scripts/kms/endpoints/auth.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+set -ex
+
+auth() {
+    params=()
+    auth="jwt"
+    jwtprops=""
+
+    # Parse command-line arguments
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --auth)
+                auth="$2"
+                shift 2
+                ;;
+            --jwtprops)
+                jwtprops="$2"
+                shift 2
+                ;;
+            *)
+                echo "Unknown parameter: $1"
+                exit 1
+                ;;
+        esac
+    done
+
+    # Extract iss from jwtprops if present
+    if [[ "$jwtprops" == *"iss="* ]]; then
+        export JWT_ISSUER=$(echo "$jwtprops" | grep -oP '(?<=iss=)[^&]*')
+    fi
+
+    auth_arg=()
+    if [[ "$auth" == "member_cert" ]]; then
+        auth_arg=(--cert $KMS_MEMBER_CERT_PATH --key $KMS_MEMBER_PRIVK_PATH)
+    elif [[ "$auth" == "jwt" ]]; then
+        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_TOKEN_ISSUER_URL$jwtprops | jq -r '.access_token')")
+    fi
+
+    curl $KMS_URL/app/auth \
+        --cacert $KMS_SERVICE_CERT_PATH \
+        "${auth_arg[@]}" \
+        -H "Content-Type: application/json" \
+        -w '\n%{http_code}\n'
+}
+
+auth "$@"

scripts/kms/endpoints/key.sh

@@ -49,7 +49,7 @@ key() {
     if [[ "$auth" == "member_cert" ]]; then
         auth_arg=(--cert $KMS_MEMBER_CERT_PATH --key $KMS_MEMBER_PRIVK_PATH)
     elif [[ "$auth" == "jwt" ]]; then
-        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_ISSUER | jq -r '.access_token')")
+        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_TOKEN_ISSUER_URL | jq -r '.access_token')")
     fi
 
     curl $KMS_URL/app/key${query_string} \

scripts/kms/js_app_set.sh

@@ -22,6 +22,10 @@ js-app-set() {
       echo "$line" >> "$temp_file"
     fi
   done < $REPO_ROOT/governance/proposals/set_js_app.json
+
+  # Ensure the target directory exists
+  mkdir -p $WORKSPACE/proposals
+
   mv "$temp_file" $WORKSPACE/proposals/set_js_app.json
 
   # Submit the proposal

scripts/kms/jwt_issuer_trust.sh

@@ -8,6 +8,24 @@ jwt-issuer-trust() {
 
   REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"
 
+  # Check for new issuer
+  while [[ $# -gt 0 ]]; do
+      case "$1" in
+          --iss)
+              JWT_ISSUER="$2"
+              shift 2
+              ;;
+          --iss=*)
+              JWT_ISSUER="${1#*=}"
+              shift 1
+              ;;
+          *)
+              echo "Unknown parameter: $1"
+              exit 1
+              ;;
+      esac
+  done
+
   # Populate the JWK of the token issuer
   PRIVATE_PEM="$JWT_ISSUER_WORKSPACE/private.pem"
   CERT_PEM="$JWT_ISSUER_WORKSPACE/cert.pem"

src/authorization/jwt/JwtValidator.ts

@@ -6,7 +6,6 @@ import { ServiceResult } from "../../utils/ServiceResult";
 import { IValidatorService } from "../IValidationService";
 import { JwtIdentityProviderEnum } from "./JwtIdentityProviderEnum";
 import { IJwtIdentityProvider } from "./IJwtIdentityProvider";
-import { DemoJwtProvider } from "./DemoJwtProvider";
 import { MsJwtProvider } from "./MsJwtProvider";
 import { Logger, LogContext } from "../../utils/Logger";
 
@@ -23,24 +22,25 @@ export class JwtValidator implements IValidatorService {
       JwtIdentityProviderEnum.MS_AAD,
       new MsJwtProvider("JwtProvider", this.logContext),
     );
-    this.identityProviders.set(
-      JwtIdentityProviderEnum.Demo,
-      new DemoJwtProvider("DemoJwtProvider"),
-    );
   }
 
+  /*
+    * Validate the request
+    * @param request request to validate with JWT
+    * */
   validate(request: ccfapp.Request<any>): ServiceResult<string> {
     const jwtCaller = request.caller as unknown as ccfapp.JwtAuthnIdentity;
     Logger.debug(
       `Authorization: JWT jwtCaller (JwtValidator)-> ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`,
       this.logContext
     );
+    Logger.info(`JWT content: ${JSON.stringify(jwtCaller.jwt)}`, this.logContext);
     const provider = this.identityProviders.get(
-      <JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer,
+      JwtIdentityProviderEnum.MS_AAD
     );
 
     if (!provider) {
-      const error = `Authorization: JWT validation provider is undefined (JwtValidator) for ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`;
+      const error = `Authorization: JWT validation provider ${JwtIdentityProviderEnum.MS_AAD} is undefined (JwtValidator) for ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`;
       Logger.error(error, this.logContext);
       return ServiceResult.Failed(
         { errorMessage: error, errorType: "caller error" },

src/authorization/jwt/MsJwtProvider.ts

@@ -36,7 +36,7 @@ export const authorizeJwt = (
         errorMessage,
         errorType: "AuthenticationError",
       },
-      500,
+      401,
       logContext
     );
   }

test/system-test/conftest.py

@@ -55,7 +55,7 @@ def setup_jwt_issuer():
             ["./scripts/jwt_issuer/up.sh", "--build"],
             env={
                 **os.environ,
-                "JWT_ISSUER_WORKSPACE": f"{REPO_ROOT}/jwt_issuer_workspace",
+                "JWT_ISSUER_WORKSPACE": f"{REPO_ROOT}/jwt_issuers_workspace",
             },
         )
         yield

test/system-test/endpoints.py

@@ -53,3 +53,7 @@ def keyReleasePolicy(**kwargs):
 
 def settingsPolicy(**kwargs):
     return call_endpoint("settingsPolicy", **kwargs)
+
+
+def auth(**kwargs):
+    return call_endpoint("auth", **kwargs)

test/system-test/test_auth.py

@@ -0,0 +1,36 @@
+from endpoints import auth
+from utils import apply_kms_constitution, trust_jwt_issuer
+
+
+def test_auth_member_cert(setup_kms):
+    status_code, auth_json = auth(auth="member_cert")
+    assert status_code == 200
+    assert auth_json["auth"]["policy"] == "member_cert"
+
+
+def test_auth_jwt(setup_kms, setup_jwt_issuer):
+    apply_kms_constitution()
+    trust_jwt_issuer()
+    status_code, auth_json = auth(auth="jwt")
+    assert status_code == 200
+    assert auth_json["auth"]["policy"] == "jwt"
+
+
+def test_auth_jwt_new_issuer(setup_kms, setup_jwt_issuer):
+    issuer = "https://new-issuer"
+    apply_kms_constitution()
+    trust_jwt_issuer(iss=issuer)
+    status_code, auth_json = auth(auth="jwt", jwtprops=f"?iss={issuer}")
+    assert status_code == 200
+
+
+def test_auth_jwt_wrong_iss(setup_kms, setup_jwt_issuer):
+    apply_kms_constitution()
+    trust_jwt_issuer()
+    status_code, auth_json = auth(auth="jwt", jwtprops="?iss=test")
+    assert status_code == 401
+
+
+if __name__ == "__main__":
+    import pytest
+    pytest.main([__file__, "-s"])

test/system-test/utils.py

@@ -78,9 +78,12 @@ def remove_key_release_policy():
     )
 
 
-def trust_jwt_issuer():
+def trust_jwt_issuer(iss=""):
+    command = ["scripts/kms/jwt_issuer_trust.sh"]
+    if iss:
+        command.extend(["--iss", iss])
     subprocess.run(
-        "scripts/kms/jwt_issuer_trust.sh",
+        command,
         cwd=REPO_ROOT,
         check=True,
     )

test/utils/jwt/README.md

@@ -0,0 +1,9 @@
+# Token issuer
+
+## Request
+```
+curl -X POST ${AadEndpoint:-http://localhost:3000/token} \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "client_id=${ClientApplicationId:-}&client_secret=${ClientSecret:-}&scope=${ApiIdentifierUri:-}/.default&grant_type=client_credentials" \
+    -w "\n"
+```