Merge pull request #99 from bbockelm/keycache_manip

djw8605 · web-flow · commit b4ac8262263a · 2022-10-19T14:17:31.000-05:00
Provide an API enabling explicit manipulation of the keycache for the end user.
diff --git a/configs/export-symbols b/configs/export-symbols
@@ -3,6 +3,7 @@ global:
   scitoken*;
   validator*;
   enforcer*;
+  keycache*;
 
 local:
   *;
diff --git a/src/scitokens.cpp b/src/scitokens.cpp
@@ -455,3 +455,65 @@ int enforcer_test(const Enforcer enf, const SciToken scitoken, const Acl *acl, c
     }
     return 0;
 }
+
+
+int keycache_refresh_jwks(const char *issuer, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    try {
+        if (!scitokens::Validator::refresh_jwks(issuer)) {
+            if (err_msg) {*err_msg = strdup("Failed to refresh JWKS cache for issuer.");}
+            return -1;
+        }
+    } catch (std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
+
+
+int keycache_get_cached_jwks(const char *issuer, char **jwks, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    if (!jwks) {
+        if (err_msg) {*err_msg = strdup("JWKS output pointer may not be null.");}
+        return -1;
+    }
+    try {
+        *jwks = strdup(scitokens::Validator::get_jwks(issuer).c_str());
+    } catch(std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
+
+
+int keycache_set_jwks(const char *issuer, const char *jwks, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    if (!jwks) {
+        if (err_msg) {*err_msg = strdup("JWKS pointer may not be null.");}
+        return -1;
+    }
+    try {
+        if (!scitokens::Validator::store_jwks(issuer, jwks)) {
+            if (err_msg) {*err_msg = strdup("Failed to set the JWKS cache for issuer.");}
+            return -1;
+        }
+    } catch(std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
diff --git a/src/scitokens.h b/src/scitokens.h
@@ -127,6 +127,39 @@ void enforcer_acl_free(Acl *acls);
 
 int enforcer_test(const Enforcer enf, const SciToken sci, const Acl *acl, char **err_msg);
 
+
+/**
+ * API for explicity managing the key cache.
+ *
+ * This manipulates the keycache for the current eUID.
+ */
+
+
+/**
+ * Refresh the JWKS in the keycache for a given issuer; the refresh will occur
+ * even if the JWKS is not otherwise due for updates.
+ * - Returns 0 on success, nonzero on failure.
+ */
+int keycache_refresh_jwks(const char *issuer, char **err_msg);
+
+/**
+ * Retrieve the JWKS from the keycache for a given issuer.
+ * - Returns 0 if successful, nonzero on failure.
+ * - If the existing JWKS has expired - or does not exist - this does not trigger a new
+ *   download of the JWKS from the issuer.  Instead, it will return a JWKS object with
+ *   an empty set of keys.
+ * - `jwks` is an output variable set to the contents of the JWKS in the key cache.
+ */
+int keycache_get_cached_jwks(const char *issuer, char **jwks, char **err_msg);
+
+/**
+ * Replace any existing key cache entry with one provided by the user.
+ * The expiration and next update time of the user-provided JWKS will utilize
+ * the same rules as a download from an issuer with no explicit cache lifetime directives.
+ * - `jwks` is value that will be set in the cache.
+ */
+int keycache_set_jwks(const char *issuer, const char *jwks, char **err_msg);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/scitokens_internal.cpp b/src/scitokens_internal.cpp
@@ -439,6 +439,12 @@ normalize_absolute_path(const std::string &path) {
 }
 
 
+void get_default_expiry_time(int &next_update_delta, int &expiry_delta)
+{
+    next_update_delta = 600;
+    expiry_delta = 4*24*3600;
+}
+
 }
 
 
@@ -511,8 +517,49 @@ Validator::get_public_keys_from_web(const std::string &issuer, picojson::value &
 
     keys = json_obj;
 
-    next_update = now + 600;
-    expires = now + 4*24*3600;
+    int next_update_delta, expiry_delta;
+    get_default_expiry_time(next_update_delta, expiry_delta);
+    next_update = now + next_update_delta;
+    expires = now + expiry_delta;
+}
+
+
+std::string
+Validator::get_jwks(const std::string &issuer)
+{
+    auto now = std::time(NULL);
+    picojson::value jwks;
+    int64_t next_update;
+    if (get_public_keys_from_db(issuer, now, jwks, next_update)) {
+        return jwks.serialize();
+    }
+    return std::string("{\"keys\": []}");
+}
+
+
+bool
+Validator::refresh_jwks(const std::string &issuer)
+{
+    int64_t next_update, expires;
+    picojson::value keys;
+    get_public_keys_from_web(issuer, keys, next_update, expires);
+    return store_public_keys(issuer, keys, next_update, expires);
+}
+
+
+bool
+Validator::store_jwks(const std::string &issuer, const std::string &jwks_str)
+{
+    picojson::value jwks;
+    std::string err = picojson::parse(jwks, jwks_str);
+    auto now = std::time(NULL);
+    int next_update_delta, expiry_delta;
+    get_default_expiry_time(next_update_delta, expiry_delta);
+    int64_t next_update = now + next_update_delta, expires = now + expiry_delta;
+    if (!err.empty()) {
+        throw JsonException(err);
+    }
+    return store_public_keys(issuer, jwks, next_update, expires);
 }
 
 void
@@ -691,7 +738,9 @@ scitokens::Validator::store_public_ec_key(const std::string &issuer, const std::
     picojson::value top_value(top_obj);
 
     auto now = std::time(NULL);
-    return store_public_keys(issuer, top_value, now + 600, now + 4*3600);
+    int next_update_delta, expiry_delta;
+    get_default_expiry_time(next_update_delta, expiry_delta);
+    return store_public_keys(issuer, top_value, now + next_update_delta, now + expiry_delta);
 }
 
 
diff --git a/src/scitokens_internal.h b/src/scitokens_internal.h
@@ -516,10 +516,26 @@ class Validator {
      */
     static bool store_public_ec_key(const std::string &issuer, const std::string &kid, const std::string &key);
 
+    /**
+     * Store the contents of a JWKS for a given issuer.
+     */
+    static bool store_jwks(const std::string &issuer, const std::string &jwks);
+
+    /**
+     * Trigger a refresh of the JWKS or a given issuer.
+     */
+    static bool refresh_jwks(const std::string &issuer);
+
+    /**
+     * Fetch the contents of fa JWKS for a given issuer (do not trigger a refresh).
+     * Will return an empty JWKS if no valid JWKS is available.
+     */
+    static std::string get_jwks(const std::string &issuer);
+
 private:
     void get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm);
-    void get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires);
-    bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
+    static void get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires);
+    static bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
     static bool store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires);
 
     bool m_validate_all_claims{true};
diff --git a/test/main.cpp b/test/main.cpp
@@ -1,5 +1,6 @@
 #include "../src/scitokens.h"
 
+#include <memory>
 #include <gtest/gtest.h>
 
 namespace {
@@ -58,6 +59,95 @@ TEST(SciTokenTest, SignToken) {
 }
 
 
+class KeycacheTest : public ::testing::Test
+{
+    protected:
+        std::string demo_scitokens_url = "https://demo.scitokens.org";
+
+        void SetUp() override {
+            char *err_msg;
+            auto rv = keycache_set_jwks(demo_scitokens_url.c_str(), demo_scitokens.c_str(), &err_msg);
+            ASSERT_TRUE(rv == 0);
+        }
+
+        // Reference copy of the keys at https://demo.scitokens.org/oauth2/certs; may need
+        // to be updated periodically.
+        std::string demo_scitokens = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"key-rs256\",\"kty\":\"RSA\",\"n\":\"uGDGTLXnqh3mfopjys6sFUBvFl3F4Qt6NEYphq_u_aBhtN1X9NEyb78uB_I1KjciJNGLIQU0ECsJiFx6qV1hR9xE1dPyrS3bU92AVtnBrvzUtTU-aUZAmZQiuAC_rC0-z_TOQr6qJkkUgZtxR9n9op55ZBpRfZD5dzhkW4Dm146vfTKt0D4cIMoMNJS5xQx9nibeB4E8hryZDW_fPeD0XZDcpByNyP0jFDYkxdUtQFvyRpz4WMZ4ejUfvW3gf4LRAfGZJtMnsZ7ZW4RfoQbhiXKMfWeBEjQDiXh0r-KuZLykxhYJtpf7fTnPna753IzMgRMmW3F69iQn2LQN3LoSMw==\",\"use\":\"sig\"},{\"alg\":\"ES256\",\"kid\":\"key-es256\",\"kty\":\"EC\",\"use\":\"sig\",\"x\":\"ncSCrGTBTXXOhNiAOTwNdPjwRz1hVY4saDNiHQK9Bh4=\",\"y\":\"sCsFXvx7FAAklwq3CzRCBcghqZOFPB2dKUayS6LY_Lo=\"}]}";
+        std::string demo_scitokens2 = "{\"keys\":[{\"alg\":\"ES256\",\"kid\":\"key-es256\",\"kty\":\"EC\",\"use\":\"sig\",\"x\":\"ncSCrGTBTXXOhNiAOTwNdPjwRz1hVY4saDNiHQK9Bh4=\",\"y\":\"sCsFXvx7FAAklwq3CzRCBcghqZOFPB2dKUayS6LY_Lo=\"}]}";
+};
+
+
+TEST_F(KeycacheTest, RefreshTest) {
+    char *err_msg;
+    auto rv = keycache_refresh_jwks(demo_scitokens_url.c_str(), &err_msg);
+    ASSERT_TRUE(rv == 0);
+
+    char *output_jwks;
+    rv = keycache_get_cached_jwks(demo_scitokens_url.c_str(), &output_jwks, &err_msg);
+    ASSERT_TRUE(rv == 0);
+    ASSERT_TRUE(output_jwks != nullptr);
+    std::string output_jwks_str(output_jwks);
+    free(output_jwks);
+
+    EXPECT_EQ(demo_scitokens, output_jwks_str);
+}
+
+
+TEST_F(KeycacheTest, RefreshInvalid)
+{
+    char *err_msg, *jwks;
+    auto rv = keycache_refresh_jwks("https://demo.scitokens.org/invalid", &err_msg);
+    ASSERT_FALSE(rv == 0);
+
+    rv = keycache_get_cached_jwks("https://demo.scitokens.org/invalid", &jwks, &err_msg);
+    ASSERT_TRUE(rv == 0);
+    ASSERT_TRUE(jwks != nullptr);
+    std::string jwks_str(jwks);
+    free(jwks);
+
+    EXPECT_EQ(jwks_str, "{\"keys\": []}");
+}
+
+
+TEST_F(KeycacheTest, GetInvalid)
+{
+    char *err_msg, *jwks;
+    auto rv = keycache_get_cached_jwks("https://demo.scitokens.org/unknown", &jwks, &err_msg);
+    ASSERT_TRUE(rv == 0);
+    ASSERT_TRUE(jwks != nullptr);
+    std::string jwks_str(jwks);
+    free(jwks);
+}
+
+
+TEST_F(KeycacheTest, GetTest) {
+    char *err_msg, *jwks;
+    auto rv = keycache_get_cached_jwks(demo_scitokens_url.c_str(), &jwks, &err_msg);
+    ASSERT_TRUE(rv == 0);
+    ASSERT_TRUE(jwks != nullptr);
+    std::string jwks_str(jwks);
+    free(jwks);
+
+    EXPECT_EQ(demo_scitokens, jwks_str);
+}
+
+
+TEST_F(KeycacheTest, SetGetTest) {
+    char *err_msg;
+    auto rv = keycache_set_jwks(demo_scitokens_url.c_str(), demo_scitokens2.c_str(), &err_msg);
+    ASSERT_TRUE(rv == 0);
+
+    char *jwks;
+    rv = keycache_get_cached_jwks(demo_scitokens_url.c_str(), &jwks, &err_msg);
+    ASSERT_TRUE(rv == 0);
+    ASSERT_TRUE(jwks != nullptr);
+    std::string jwks_str(jwks);
+    free(jwks);
+
+    EXPECT_EQ(demo_scitokens2, jwks_str);
+}
+
+
 class SerializeTest : public ::testing::Test {
     protected:
         void SetUp() override {
