grafana/pkg/services/auth/idimpl/signer.go

package idimpl

import (
	"context"

	"github.com/go-jose/go-jose/v3"
	"github.com/go-jose/go-jose/v3/jwt"

	"github.com/grafana/grafana/pkg/services/auth"
	"github.com/grafana/grafana/pkg/services/signingkeys"
)

const idSignerKeyPrefix = "id"

var _ auth.IDSigner = (*LocalSigner)(nil)

func ProvideLocalSigner(keyService signingkeys.Service) (*LocalSigner, error) {
	id, key, err := keyService.GetOrCreatePrivateKey(context.Background(), idSignerKeyPrefix, jose.ES256)
	if err != nil {
		return nil, err
	}

	// FIXME: Handle key rotation
	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, &jose.SignerOptions{
		ExtraHeaders: map[jose.HeaderKey]interface{}{
			"kid": id,
		},
	})
	if err != nil {
		return nil, err
	}

	return &LocalSigner{
		signer: signer,
	}, nil
}

type LocalSigner struct {
	signer jose.Signer
}

func (s *LocalSigner) SignIDToken(ctx context.Context, claims *auth.IDClaims) (string, error) {
	builder := jwt.Signed(s.signer).Claims(claims.Claims)

	token, err := builder.CompactSerialize()
	if err != nil {
		return "", err
	}

	return token, nil
}
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`package idimpl`

			`import (`
			`"context"`

			`"github.com/go-jose/go-jose/v3"`
			`"github.com/go-jose/go-jose/v3/jwt"`

			`"github.com/grafana/grafana/pkg/services/auth"`
			`"github.com/grafana/grafana/pkg/services/signingkeys"`
			`)`

Auth: Signing Key persistence (#75487) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service 2023-10-04 16:37:27 +08:00			`const idSignerKeyPrefix = "id"`

IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`var _ auth.IDSigner = (*LocalSigner)(nil)`

			`func ProvideLocalSigner(keyService signingkeys.Service) (*LocalSigner, error) {`
Auth: Signing Key persistence (#75487) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service 2023-10-04 16:37:27 +08:00			`id, key, err := keyService.GetOrCreatePrivateKey(context.Background(), idSignerKeyPrefix, jose.ES256)`
			`if err != nil {`
			`return nil, err`
			`}`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00
Auth: Signing Key persistence (#75487) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service 2023-10-04 16:37:27 +08:00			`// FIXME: Handle key rotation`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, &jose.SignerOptions{`
			`ExtraHeaders: map[jose.HeaderKey]interface{}{`
Auth: Signing Key persistence (#75487) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service 2023-10-04 16:37:27 +08:00			`"kid": id,`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`},`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &LocalSigner{`
			`signer: signer,`
			`}, nil`
			`}`

			`type LocalSigner struct {`
			`signer jose.Signer`
			`}`

			`func (s LocalSigner) SignIDToken(ctx context.Context, claims auth.IDClaims) (string, error) {`
			`builder := jwt.Signed(s.signer).Claims(claims.Claims)`

			`token, err := builder.CompactSerialize()`
			`if err != nil {`
			`return "", err`
			`}`

			`return token, nil`
			`}`