Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix and test adding new issuers #260

Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

Conversation

beejones
Copy link
Contributor

Fixed the bug that a new issuer was not found.
Added auth tests
Test adding a new issuer
Test calling with a wrong issuer
Changed our test issuer to access properties to be put into the token

@@ -14,7 +14,8 @@ jwt-issuer-up() {

sudo chown $USER:$USER -R $JWT_ISSUER_WORKSPACE

export JWT_ISSUER="http://localhost:3000/token"
export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain the difference between these two things? They're both URLs and I presume they both issue tokens so maybe we can think of a better naming scheme?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also not super keen on JWT_TOKEN because the T in JWT stands for token.

So we have JSON Web Token Token Issuer

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWT_ISSUER is the name used in CCF for registering the JWT issuer.
JWT_TOKEN_ISSUER_URL is the actual url of the endpoint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is very common to talk about JWT tokens. Just do a search for "JWT token".

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWT_ISSUER is the name used in CCF for registering the JWT issuer. JWT_TOKEN_ISSUER_URL is the actual url of the endpoint.

Ah thanks for the explanation, that makes sense

it is very common to talk about JWT tokens. Just do a search for "JWT token".

Being common doesn't make it correct or less redundant, and I wouldn't claim it's more common that just JWT, jwt.io always just says JWT.

How about we use

  • JWT_ISSUER_URL which is the URL which issues JWTs
  • JWT_ISSUER_NAME which is the name of the thing which issues JWTs (for CCF)
    • We could make it clearly a name by making it not look like a URL?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe CCF requires this to be a url. Need to check this.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it needs to be a URL, could it just be the actual URL so we only need one variable instead of two?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed.
{
bool validate_issuer(
const std::string& iss,
const std::optionalstd::string& tid,
std::string constraint)
{
LOG_DEBUG_FMT(
"Verify token.iss {} and token.tid {} against published key issuer {}",
iss,
tid,
constraint);

const auto issuer_url = ::http::parse_url_full(constraint);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it needs to be a URL, could it just be the actual URL so we only need one variable instead of two?

See #260 (comment)

Copy link
Collaborator

@DomAyre DomAyre Dec 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand it's a test JWT issuer, but why can't both values be http://localhost:3000/token? In which case the JWT issuer up script only needs to emit one value not two? Isn't it also kind of wrong to have a pretend URL for the issuer which doesn't match it's actual URL?

I've tested this locally with a couple of small changes to the issuer and it works fine

@@ -8,6 +8,24 @@ jwt-issuer-trust() {

REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"

# Check for new issuer
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my own understanding, the scheme is:

  • If you call this without --iss it will use JWT_TOKEN_ISSUER_URL which will have been set if you bring up a local test JWT issuer
  • If you have some external JWT issuer you can just specify it with this --iss flag?

If my understanding is correct I really like this scheme!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For an external one we need to set JWT_TOKEN_ISSUER_URL to the token endpoint.
--iss will the name for the iss property in the token. CCF uses this to register the issuer.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So is it equivalent to setting JWT_ISSUER? In which case why are we mixing methods? I think we either allow fully specifying which JWT issuer we're trusting via command line params or we just require the env variables to be changed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a test adding a new issuer implemented by our test token issuer.
For this case I needed to specify the issuer JWT_ISSUER and keep the url to the test token url.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure that addresses my point about mixed methods, for the test you could set both env variables for the test, or you could provider command line params for both and specify them for the test?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now we've decided to unify JWT_ISSUER this goes away

@DomAyre DomAyre self-assigned this Dec 12, 2024
@beejones
Copy link
Contributor Author

scripts/jwt_issuer/up.sh Outdated Show resolved Hide resolved
scripts/jwt_issuer/up.sh Outdated Show resolved Hide resolved
@DomAyre
Copy link
Collaborator

DomAyre commented Dec 13, 2024

tests: https://github.com/microsoft/privacy-sandbox-dev/actions/runs/12313566584

@beejones I think the privacy-sandbox-dev CI is currently broken, I'm looking into it now and I'll update when it's fixed

@DomAyre
Copy link
Collaborator

DomAyre commented Dec 17, 2024

Now privacy-sandbox-dev CI is fixed, here is a run for this PR
https://github.com/microsoft/privacy-sandbox-dev/actions/runs/12369513461

@DomAyre
Copy link
Collaborator

DomAyre commented Dec 17, 2024

Merged the fixes in main to this PR, re-running privacy-sandbox-dev CI
https://github.com/microsoft/privacy-sandbox-dev/actions/runs/12370752558

@DomAyre DomAyre mentioned this pull request Dec 17, 2024
3 tasks

## Request
```
curl -X POST ${AadEndpoint:-http://localhost:3000/token} \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs updating since #266

@@ -9,11 +9,13 @@ jwt-issuer-up() {
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"
export JWT_ISSUER_WORKSPACE=${JWT_ISSUER_WORKSPACE:-$REPO_ROOT/jwt_issuers_workspace/${UNIQUE_ID:-default}/}
mkdir -p $JWT_ISSUER_WORKSPACE
export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
export JWT_ISSUER="http://Demo-jwt-issuer"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only use JWT_ISSUER

@@ -9,3 +9,4 @@ docker compose -p ${UNIQUE_ID:-default} -f services/docker-compose.yml down jwt-

unset JWT_ISSUER_WORKSPACE
unset JWT_ISSUER
unset JWT_TOKEN_ISSUER_URL
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will update this too when we combine JWT_ISSUER into one value

@@ -9,11 +9,13 @@ jwt-issuer-up() {
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")"
export JWT_ISSUER_WORKSPACE=${JWT_ISSUER_WORKSPACE:-$REPO_ROOT/jwt_issuers_workspace/${UNIQUE_ID:-default}/}
mkdir -p $JWT_ISSUER_WORKSPACE
export JWT_TOKEN_ISSUER_URL="http://localhost:3000/token"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We set it twice

# Licensed under the MIT license.

set -ex

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove +x

@@ -22,6 +22,10 @@ js-app-set() {
echo "$line" >> "$temp_file"
fi
done < $REPO_ROOT/governance/proposals/set_js_app.json

# Ensure the target directory exists
mkdir -p $WORKSPACE/proposals
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can revisit this when all other changes are addressed, this shouldn't be necessary and it might hide other issues

@@ -55,7 +55,7 @@ def setup_jwt_issuer():
["./scripts/jwt_issuer/up.sh", "--build"],
env={
**os.environ,
"JWT_ISSUER_WORKSPACE": f"{REPO_ROOT}/jwt_issuer_workspace",
"JWT_ISSUER_WORKSPACE": f"{REPO_ROOT}/jwt_issuers_workspace",
Copy link
Collaborator

@DomAyre DomAyre Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can match the default in up.sh (/default/)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants