Parameterize jwk path

p0-security · Aug 31, 2023 · 05a9c34 · 05a9c34
1 parent 4b4d152
commit 05a9c34
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 18 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -1,4 +1,5 @@
 on:
+  pull_request: {}
   workflow_call:
     outputs:
       docker_image_tags:

diff --git a/cli/index.ts b/cli/index.ts
@@ -48,6 +48,12 @@ void yargs(hideBin(process.argv))
           demandOption: true,
           describe: "The clientId used to identify this client",
         })
+        .option("jwkPath", {
+          type: "string",
+          demandOption: true,
+          describe:
+            "The path to the directory on the file system where JWK is stored",
+        })
         .option("tunnelHost", {
           type: "string",
           demandOption: true,
@@ -67,13 +73,14 @@ void yargs(hideBin(process.argv))
       const {
         targetUrl,
         clientId,
+        jwkPath,
         tunnelHost: host,
         tunnelPort: port,
         insecure,
       } = args;
       const backoff = new Backoff(1, 3000); // Aggressively retry starting at 1ms delay
       const client = new JsonRpcClient(
-        { targetUrl, clientId },
+        { targetUrl, clientId, jwkPath },
         { host, port, insecure, backoff }
       );
       logger.info({ args }, "Running JSON-RPC client");

diff --git a/client/index.ts b/client/index.ts
@@ -24,6 +24,7 @@ export class JsonRpcClient {
   #targetUrl: string;
   #targetHostName: string;
   #clientId: string;
+  #jwkPath: string;
   #logger: Logger;
 
   #backoff?: Backoff;
@@ -32,7 +33,7 @@ export class JsonRpcClient {
   #isShutdown: boolean = false;
 
   constructor(
-    proxyConfig: { targetUrl: string; clientId: string },
+    proxyConfig: { targetUrl: string; clientId: string; jwkPath: string },
     tunnelConfig: {
       host: string;
       port: number;
@@ -41,10 +42,11 @@ export class JsonRpcClient {
     }
   ) {
     this.#logger = createLogger({ name: "JsonRpcClient" });
-    const { targetUrl, clientId } = proxyConfig;
+    const { targetUrl, clientId, jwkPath } = proxyConfig;
     this.#targetUrl = targetUrl;
     this.#targetHostName = new URL(targetUrl).hostname;
     this.#clientId = clientId;
+    this.#jwkPath = jwkPath;
     const { host, port, insecure, backoff } = tunnelConfig;
     this.#webSocketUrl = `ws${!insecure ? "s" : ""}://${host}:${port}`;
     this.#backoff = backoff;
@@ -69,7 +71,7 @@ export class JsonRpcClient {
   }
 
   async create() {
-    const token = await jwt(this.#clientId);
+    const token = await jwt(this.#jwkPath, this.#clientId);
     const clientSocket = new WebSocket(this.#webSocketUrl, {
       headers: { Authorization: `Bearer ${token}` },
     });

diff --git a/client/jwks.ts b/client/jwks.ts
@@ -8,9 +8,9 @@ const ALG = "ES384"; // Elliptic curve with 384-bit SHA
 
 const logger = pinoLogger({ name: "jwks" });
 
-const loadKey = async () => {
+const loadKey = async (path: string) => {
   try {
-    const data = await fs.readFile(privateKeyFile(), {
+    const data = await fs.readFile(privateKeyFile(path), {
       encoding: "utf-8",
     });
     const key = jose.importJWK(JSON.parse(data));
@@ -21,18 +21,18 @@ const loadKey = async () => {
   }
 };
 
-const generateKey = async () => {
+const generateKey = async (path: string) => {
   const { publicKey, privateKey } = await jose.generateKeyPair(ALG);
   await fs.writeFile(
-    privateKeyFile(),
+    privateKeyFile(path),
     JSON.stringify(await jose.exportJWK(privateKey), undefined, 2),
     {
       encoding: "utf-8",
     }
   );
-  await fs.chmod(privateKeyFile(), "400");
+  await fs.chmod(privateKeyFile(path), "400");
   await fs.writeFile(
-    publicKeyFile(),
+    publicKeyFile(path),
     JSON.stringify(await jose.exportJWK(publicKey), undefined, 2),
     {
       encoding: "utf-8",
@@ -41,14 +41,14 @@ const generateKey = async () => {
   return privateKey;
 };
 
-const ensureKey = async () => {
-  const existing = await loadKey();
+const ensureKey = async (path: string) => {
+  const existing = await loadKey(path);
   if (existing) return existing;
-  return await generateKey();
+  return await generateKey(path);
 };
 
-export const jwt = async (clientId: string) => {
-  const key = await ensureKey();
+export const jwt = async (path: string, clientId: string) => {
+  const key = await ensureKey(path);
   const jwt = await new jose.SignJWT({ "tunnel-id": "my-tunnel-id" })
     .setProtectedHeader({ alg: ALG })
     .setIssuedAt(Math.floor(Date.now() * 1e-3))

diff --git a/server/__tests__/e2e.test.ts b/server/__tests__/e2e.test.ts
@@ -26,7 +26,11 @@ const runServer = (initContext?: InitContext) => {
 const runClient = async (waitUntilConnected?: boolean): Promise<Client> => {
   const httpServer = testHttpServer(TARGET_PORT);
   const jsonRpcClient = new JsonRpcClient(
-    { targetUrl: `http://localhost:${TARGET_PORT}`, clientId: "testClientId" },
+    {
+      targetUrl: `http://localhost:${TARGET_PORT}`,
+      clientId: "testClientId",
+      jwkPath: "/tmp",
+    },
     {
       host: "localhost",
       port: SERVER_RPC_PORT,

diff --git a/util/jwk-file.ts b/util/jwk-file.ts
@@ -1,2 +1,2 @@
-export const privateKeyFile = () => `jwk.private.json`;
-export const publicKeyFile = () => `jwk.public.json`;
+export const privateKeyFile = (path: string) => `${path}/jwk.private.json`;
+export const publicKeyFile = (path: string) => `${path}/jwk.public.json`;