Fix and test adding new issuers

app.json

@@ -315,7 +315,7 @@
         "openapi": {
           "responses": {
             "200": {
-              "description": "Generate a heartbeat response"
+              "description": "Generate an auth response"
             }
           }
         }

governance/proposals/set_jwt_issuer.json

@@ -1,38 +1,38 @@
 {
-    "actions": [
-      {
-        "name": "set_jwt_issuer",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "key_filter": "all",
-          "jwks": {
-            "keys": [
-              ${JWK}
-            ]
-          }
+  "actions": [
+    {
+      "name": "set_jwt_issuer",
+      "args": {
+        "issuer":  "${JWT_TOKEN_ISSUER_URL}",
+        "key_filter": "all",
+        "jwks": {
+          "keys": [
+            ${JWK}
+          ]
         }
-      },
-      {
-        "name": "set_jwt_validation_policy",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "validation_policy": {
-            "iss": "http://Demo-jwt-issuer",
-            "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b",
-            "name": "Cool caller"
-          }
+      }
+    },
+    {
+      "name": "set_jwt_validation_policy",
+      "args": {
+        "issuer": "${JWT_TOKEN_ISSUER_URL}",
+        "validation_policy": {
+          "iss": "${JWT_TOKEN_ISSUER_URL}",
+          "sub": "c0d8e9a7-6b8e-4e1f-9e4a-3b2c1d0f5a6b",
+          "name": "Cool caller"
         }
-      },
-      {
-        "name": "set_jwt_public_signing_keys",
-        "args": {
-          "issuer": "http://Demo-jwt-issuer",
-          "jwks": {
-            "keys": [
-              ${JWK}
-            ]
-          }
+      }
+    },
+    {
+      "name": "set_jwt_public_signing_keys",
+      "args": {
+        "issuer": "${JWT_TOKEN_ISSUER_URL}",
+        "jwks": {
+          "keys": [
+            ${JWK}
+          ]
         }
       }
-    ]
+    }
+  ]
 }

scripts/ccf/az-cleanroom-aci/down.sh

@@ -38,6 +38,8 @@ az-cleanroom-aci-down() {
     unset KMS_SERVICE_CERT_PATH
     unset KMS_MEMBER_CERT_PATH
     unset KMS_MEMBER_PRIVK_PATH
+    unset KMS_USER_CERT_PATH
+    unset KMS_USER_PRIVK_PATH
 
     set +e
 }

scripts/ccf/az-cleanroom-aci/up.sh

@@ -39,6 +39,10 @@ az-cleanroom-aci-up() {
     export KMS_SERVICE_CERT_PATH="$WORKSPACE/service_cert.pem"
     export KMS_MEMBER_CERT_PATH="$WORKSPACE/ccf-operator_cert.pem"
     export KMS_MEMBER_PRIVK_PATH="$WORKSPACE/ccf-operator_privk.pem"
+    export KMS_USER_CERT_PATH="$WORKSPACE/sandbox_common/user0_cert.pem"
+    export KMS_USER_PRIVK_PATH="$WORKSPACE/sandbox_common/user0_privk.pem"
+    export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
+    export JWT_ISSUER="http://Demo-jwt-issuer"
 
     sudo cp $KMS_SERVICE_CERT_PATH /usr/local/share/ca-certificates/kms_ca.crt
     sudo update-ca-certificates
@@ -55,5 +59,9 @@ jq -n '{
     KMS_URL: env.KMS_URL,
     KMS_SERVICE_CERT_PATH: env.KMS_SERVICE_CERT_PATH,
     KMS_MEMBER_CERT_PATH: env.KMS_MEMBER_CERT_PATH,
-    KMS_MEMBER_PRIVK_PATH: env.KMS_MEMBER_PRIVK_PATH
+    KMS_MEMBER_PRIVK_PATH: env.KMS_MEMBER_PRIVK_PATH,
+    KMS_USER_CERT_PATH: env.KMS_USER_CERT_PATH,
+    KMS_USER_PRIVK_PATH: env.KMS_USER_PRIVK_PATH,
+    JWT_TOKEN_ISSUER_URL: env.JWT_TOKEN_ISSUER_URL,
+    JWT_ISSUER: env.JWT_ISSUER,
 }'

scripts/ccf/sandbox_local/down.sh

@@ -13,6 +13,8 @@ ccf-sandbox-local-down() {
     unset KMS_SERVICE_CERT_PATH
     unset KMS_MEMBER_CERT_PATH
     unset KMS_MEMBER_PRIVK_PATH
+    unset KMS_USER_CERT_PATH
+    unset KMS_USER_PRIVK_PATH
 
     set +e
 }

scripts/ccf/sandbox_local/up.sh

@@ -18,6 +18,10 @@ ccf-sandbox-local-up() {
     export KMS_SERVICE_CERT_PATH="$WORKSPACE/sandbox_common/service_cert.pem"
     export KMS_MEMBER_CERT_PATH="$WORKSPACE/sandbox_common/member0_cert.pem"
     export KMS_MEMBER_PRIVK_PATH="$WORKSPACE/sandbox_common/member0_privk.pem"
+    export KMS_USER_CERT_PATH="$WORKSPACE/sandbox_common/user0_cert.pem"
+    export KMS_USER_PRIVK_PATH="$WORKSPACE/sandbox_common/user0_privk.pem"
+    export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
+    export JWT_ISSUER="http://Demo-jwt-issuer"
 
     set +e
 }
@@ -29,5 +33,10 @@ jq -n '{
     KMS_URL: env.KMS_URL,
     KMS_SERVICE_CERT_PATH: env.KMS_SERVICE_CERT_PATH,
     KMS_MEMBER_CERT_PATH: env.KMS_MEMBER_CERT_PATH,
-    KMS_MEMBER_PRIVK_PATH: env.KMS_MEMBER_PRIVK_PATH
+    KMS_MEMBER_PRIVK_PATH: env.KMS_MEMBER_PRIVK_PATH,
+    KMS_USER_CERT_PATH: env.KMS_USER_CERT_PATH,
+    KMS_USER_PRIVK_PATH: env.KMS_USER_PRIVK_PATH,
+    JWT_TOKEN_ISSUER_URL: env.JWT_TOKEN_ISSUER_URL,
+    JWT_ISSUER: env.JWT_ISSUER,
+
 }'

scripts/jwt_issuer/up.sh

@@ -14,7 +14,8 @@ jwt-issuer-up() {
 
     sudo chown $USER:$USER -R $JWT_ISSUER_WORKSPACE
 
-    export JWT_ISSUER="http://localhost:3000/token"
+    export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
+    export JWT_ISSUER="http://Demo-jwt-issuer"
 
     set +e
 }
@@ -23,5 +24,5 @@ jwt-issuer-up
 
 jq -n '{
     JWT_ISSUER_WORKSPACE: env.JWT_ISSUER_WORKSPACE,
-    JWT_ISSUER: env.JWT_ISSUER,
+    JWT_TOKEN_ISSUER_URL: env.JWT_TOKEN_ISSUER_URL,
 }'

scripts/kms/endpoints/auth.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+auth() {
+    params=()
+    auth="jwt"
+    jwtprops=""
+
+    # Parse command-line arguments
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --auth)
+                auth="$2"
+                shift 2
+                ;;
+            --jwtprops)
+                jwtprops="$2"
+                shift 2
+                ;;
+            *)
+                echo "Unknown parameter: $1"
+                exit 1
+                ;;
+        esac
+    done
+
+    # Extract iss from jwtprops if present
+    if [[ "$jwtprops" == *"iss="* ]]; then
+        export JWT_TOKEN_ISSUER_URL=$(echo "$jwtprops" | grep -oP '(?<=iss=)[^&]*')
+    fi
+
+    auth_arg=()
+    if [[ "$auth" == "member_cert" ]]; then
+        auth_arg=(--cert $KMS_MEMBER_CERT_PATH --key $KMS_MEMBER_PRIVK_PATH)
+    elif [[ "$auth" == "user_cert" ]]; then
+        auth_arg=(--cert $KMS_USER_CERT_PATH --key $KMS_USER_PRIVK_PATH)
+    elif [[ "$auth" == "jwt" ]]; then
+        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_TOKEN_ISSUER_URL$jwtprops | jq -r '.access_token')")
+    fi
+
+    curl $KMS_URL/app/auth \
+        --cacert $KMS_SERVICE_CERT_PATH \
+        "${auth_arg[@]}" \
+        -H "Content-Type: application/json" \
+        -w '\n%{http_code}\n'
+}
+
+auth "$@"

scripts/kms/endpoints/key.sh

@@ -49,7 +49,7 @@ key() {
     if [[ "$auth" == "member_cert" ]]; then
         auth_arg=(--cert $KMS_MEMBER_CERT_PATH --key $KMS_MEMBER_PRIVK_PATH)
     elif [[ "$auth" == "jwt" ]]; then
-        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_ISSUER | jq -r '.access_token')")
+        auth_arg=(-H "Authorization: Bearer $(curl -X POST $JWT_TOKEN_ISSUER_URL | jq -r '.access_token')")
     fi
 
     curl $KMS_URL/app/key${query_string} \

scripts/kms/jwt_issuer_trust.sh

@@ -8,6 +8,24 @@ jwt-issuer-trust() {
 
   REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"
 
+  # Check for new issuer
+  while [[ $# -gt 0 ]]; do
+      case "$1" in
+          --iss)
+              JWT_TOKEN_ISSUER_URL="$2"
+              shift 2
+              ;;
+          --iss=*)
+              JWT_TOKEN_ISSUER_URL="${1#*=}"
+              shift 1
+              ;;
+          *)
+              echo "Unknown parameter: $1"
+              exit 1
+              ;;
+      esac
+  done
+
   # Populate the JWK of the token issuer
   PRIVATE_PEM="$JWT_ISSUER_WORKSPACE/private.pem"
   CERT_PEM="$JWT_ISSUER_WORKSPACE/cert.pem"

src/authorization/jwt/JwtValidator.ts

@@ -6,7 +6,6 @@ import { ServiceResult } from "../../utils/ServiceResult";
 import { IValidatorService } from "../IValidationService";
 import { JwtIdentityProviderEnum } from "./JwtIdentityProviderEnum";
 import { IJwtIdentityProvider } from "./IJwtIdentityProvider";
-import { DemoJwtProvider } from "./DemoJwtProvider";
 import { MsJwtProvider } from "./MsJwtProvider";
 import { Logger, LogContext } from "../../utils/Logger";
 
@@ -23,24 +22,25 @@ export class JwtValidator implements IValidatorService {
       JwtIdentityProviderEnum.MS_AAD,
       new MsJwtProvider("JwtProvider", this.logContext),
     );
-    this.identityProviders.set(
-      JwtIdentityProviderEnum.Demo,
-      new DemoJwtProvider("DemoJwtProvider"),
-    );
   }
 
+  /*
+    * Validate the request
+    * @param request request to validate with JWT
+    * */
   validate(request: ccfapp.Request<any>): ServiceResult<string> {
     const jwtCaller = request.caller as unknown as ccfapp.JwtAuthnIdentity;
     Logger.debug(
       `Authorization: JWT jwtCaller (JwtValidator)-> ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`,
       this.logContext
     );
+    Logger.info(`JWT content: ${JSON.stringify(jwtCaller.jwt)}`, this.logContext);
     const provider = this.identityProviders.get(
-      <JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer,
+      JwtIdentityProviderEnum.MS_AAD
     );
 
     if (!provider) {
-      const error = `Authorization: JWT validation provider is undefined (JwtValidator) for ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`;
+      const error = `Authorization: JWT validation provider ${JwtIdentityProviderEnum.MS_AAD} is undefined (JwtValidator) for ${<JwtIdentityProviderEnum>jwtCaller.jwt.keyIssuer}`;
       Logger.error(error, this.logContext);
       return ServiceResult.Failed(
         { errorMessage: error, errorType: "caller error" },

src/authorization/jwt/MsJwtProvider.ts

@@ -36,7 +36,7 @@ export const authorizeJwt = (
         errorMessage,
         errorType: "AuthenticationError",
       },
-      500,
+      401,
       logContext
     );
   }

test/system-test/endpoints.py

@@ -53,3 +53,7 @@ def keyReleasePolicy(**kwargs):
 
 def settingsPolicy(**kwargs):
     return call_endpoint("settingsPolicy", **kwargs)
+
+
+def auth(**kwargs):
+    return call_endpoint("auth", **kwargs)

test/system-test/test_auth.py

@@ -0,0 +1,47 @@
+from endpoints import auth
+from utils import apply_kms_constitution, trust_jwt_issuer
+
+
+def test_auth_member_cert(setup_kms):
+    status_code, auth_json = auth(auth="member_cert")
+    print(auth_json)
+    assert status_code == 200
+    assert auth_json["auth"]["policy"] == "member_cert"
+
+
+def test_auth_user_cert(setup_kms):
+    status_code, auth_json = auth(auth="user_cert")
+    print(auth_json)
+    assert status_code == 200
+    assert auth_json["auth"]["policy"] == "user_cert"
+
+
+def test_auth_jwt(setup_kms, setup_jwt_issuer):
+    apply_kms_constitution()
+    trust_jwt_issuer()
+    status_code, auth_json = auth(auth="jwt")
+    print(auth_json)
+    assert status_code == 200
+    assert auth_json["auth"]["policy"] == "jwt"
+
+
+def test_auth_jwt_new_issuer(setup_kms, setup_jwt_issuer):
+    issuer = "https://new-issuer"
+    apply_kms_constitution()
+    trust_jwt_issuer(iss=issuer)
+    status_code, auth_json = auth(auth="jwt", jwtprops=f"?iss={issuer}")
+    print(auth_json)
+    assert status_code == 200
+
+
+def test_auth_jwt_wrong_iss(setup_kms, setup_jwt_issuer):
+    apply_kms_constitution()
+    trust_jwt_issuer()
+    status_code, auth_json = auth(auth="jwt", jwtprops="?iss=test")
+    print(auth_json)
+    assert status_code == 401
+
+
+if __name__ == "__main__":
+    import pytest
+    pytest.main([__file__, "-s"])