Move signature keys out of resources (#84) (#93)

.gitignore

@@ -6,3 +6,5 @@
 *.der
 *.pem
 application-secrets.*
+/keys
+/repos

api/src/main/java/org/accula/api/auth/jwt/crypto/EcKeys.java

@@ -2,6 +2,8 @@
 
 import lombok.SneakyThrows;
 
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.Key;
 import java.security.KeyFactory;
 import java.security.interfaces.ECPrivateKey;
@@ -21,23 +23,24 @@ private EcKeys() {
     }
 
     @SneakyThrows
-    private static <T extends Key, U extends KeySpec> T key(final byte[] keyBytes,
+    private static <T extends Key, U extends KeySpec> T key(final Path keyPath,
                                                             final Function<byte[], U> specProducer,
                                                             final BiFunction<KeyFactory, U, T> keyProducer) {
+        final var keyBytes = Files.readAllBytes(keyPath);
         final var spec = specProducer.apply(keyBytes);
         final var factory = KeyFactory.getInstance("EC");
 
         return keyProducer.apply(factory, spec);
     }
 
     @SuppressWarnings("NullableProblems")
-    public static ECPrivateKey privateKey(final byte[] keyBytes) {
-        return (ECPrivateKey) key(keyBytes, PKCS8EncodedKeySpec::new, KeyFactory::generatePrivate);
+    public static ECPrivateKey privateKey(final Path keyPath) {
+        return (ECPrivateKey) key(keyPath, PKCS8EncodedKeySpec::new, KeyFactory::generatePrivate);
     }
 
     @SuppressWarnings("NullableProblems")
-    public static ECPublicKey publicKey(final byte[] keyBytes) {
-        return (ECPublicKey) key(keyBytes, X509EncodedKeySpec::new, KeyFactory::generatePublic);
+    public static ECPublicKey publicKey(final Path keyPath) {
+        return (ECPublicKey) key(keyPath, X509EncodedKeySpec::new, KeyFactory::generatePublic);
     }
 
     @FunctionalInterface

api/src/main/java/org/accula/api/config/JwtProperties.java

@@ -3,6 +3,7 @@
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
+import java.nio.file.Path;
 import java.time.Duration;
 
 @ConfigurationProperties("accula.jwt")
@@ -14,8 +15,8 @@ public final class JwtProperties {
 
     @Data
     public static final class Signature {
-        private String publicKey;
-        private String privateKey;
+        private Path publicKey;
+        private Path privateKey;
     }
 
     @Data

api/src/main/java/org/accula/api/config/WebSecurityConfig.java

@@ -16,7 +16,6 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
-import org.springframework.core.io.ClassPathResource;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
@@ -33,7 +32,6 @@
 import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
 import org.springframework.web.server.WebFilter;
 
-import java.io.IOException;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
 import java.util.Collections;
@@ -101,17 +99,13 @@ clientRegistrations, pathMatchers(GET, "/api/login/{registrationId}")))
     }
 
     @Bean
-    public ECPublicKey publicKey() throws IOException {
-        final var resource = new ClassPathResource(jwtProperties.getSignature().getPublicKey());
-        final var bytes = resource.getInputStream().readAllBytes();
-        return EcKeys.publicKey(bytes);
+    public ECPublicKey publicKey() {
+        return EcKeys.publicKey(jwtProperties.getSignature().getPublicKey());
     }
 
     @Bean
-    public ECPrivateKey privateKey() throws IOException {
-        final var resource = new ClassPathResource(jwtProperties.getSignature().getPrivateKey());
-        final var bytes = resource.getInputStream().readAllBytes();
-        return EcKeys.privateKey(bytes);
+    public ECPrivateKey privateKey() {
+        return EcKeys.privateKey(jwtProperties.getSignature().getPrivateKey());
     }
 
     @Bean

api/src/main/resources/application.properties

@@ -12,3 +12,5 @@ DB_PASS=postgres
 DB_NAME=accula
 REPOS_PATH=repos/
 WEBHOOK_SECRET=accula
+JWT_SIGNATURE_PUBLIC_KEY=keys/accula.public.der
+JWT_SIGNATURE_PRIVATE_KEY=keys/accula.private.der

api/src/main/resources/application.yml

@@ -36,8 +36,8 @@ server:
 accula:
   jwt:
     signature:
-      publicKey: accula.public.der
-      privateKey: accula.private.der
+      publicKey: ${JWT_SIGNATURE_PUBLIC_KEY}
+      privateKey: ${JWT_SIGNATURE_PRIVATE_KEY}
     issuer: accula
     expiresIn:
       access: 1m

docker-compose.yml

@@ -1,7 +1,7 @@
 version: '3'
 services:
   web:
-    build: web
+    image: vaddya/accula_web
     expose:
       - 80
     depends_on:
@@ -30,12 +30,12 @@ services:
       - DB_PASS=postgres
       - DB_NAME=accula
       - REPOS_PATH=/app/repos/
+      - JWT_SIGNATURE_PUBLIC_KEY=/app/keys/accula.public.der
+      - JWT_SIGNATURE_PRIVATE_KEY=/app/keys/accula.private.der
     volumes:
       - ./repos:/app/repos
   postgres:
     image: postgres:11
-    ports:
-      - "5432:5432"
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres