feat: add different kinds of jwt generations

OpenSrcerer · OpenSrcerer · commit a6f0bc88a624 · 2024-02-20T22:14:37.000+02:00
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/JwtController.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/JwtController.kt
@@ -0,0 +1,25 @@
+package online.danielstefani.paddy.jwt
+
+import jakarta.ws.rs.*
+import jakarta.ws.rs.core.MediaType
+import online.danielstefani.paddy.jwt.dto.JwtRequestDto
+import online.danielstefani.paddy.jwt.dto.JwtResponseDto
+
+@Path("/jwt")
+@Consumes(MediaType.APPLICATION_JSON)
+@Produces(MediaType.TEXT_PLAIN)
+class JwtController(
+    private val jwtService: JwtService
+) {
+
+    /*
+    Mint a new JWT with permissions as required by the internal caller.
+    Reminder that this is supposed to be called from inside the VPC.
+     */
+    @POST
+    @Path("/")
+    fun getJwt(dto: JwtRequestDto): JwtResponseDto {
+        return jwtService.makeJwt(dto.subject, dto.jwtType)
+    }
+
+}
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/JwtService.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/JwtService.kt
@@ -1,9 +1,11 @@
-package online.danielstefani.paddy.security
+package online.danielstefani.paddy.jwt
 
 import io.quarkus.logging.Log
 import io.vertx.core.json.JsonObject
 import io.vertx.ext.auth.impl.jose.JWT
 import jakarta.enterprise.context.ApplicationScoped
+import online.danielstefani.paddy.jwt.dto.JwtResponseDto
+import online.danielstefani.paddy.jwt.dto.JwtType
 import java.nio.charset.StandardCharsets
 import java.security.Signature
 import java.security.interfaces.RSAPublicKey
@@ -15,9 +17,9 @@ class JwtService(
     private val keychainHolder: KeychainHolder
 ) {
     fun makeJwt(
-        sub: String,
-        jwtLifetimeSeconds: Long = 31540000
-    ): String {
+        subject: String,
+        jwtType: JwtType
+    ): JwtResponseDto {
         val (privateKey, _) = keychainHolder.keypair()
 
         val jwtHeader: String = Base64.getUrlEncoder().withoutPadding().encodeToString(
@@ -30,20 +32,20 @@ class JwtService(
 
         val jwtPayloadTemplate = """
             {
-                "sub": "$sub",
+                "sub": "$subject",
                 "iss": "https://danielstefani.online",
                 "iat": %s,
                 "exp": %s,
-                "aud": "Paddy MQTT Broker Clients"
+                "aud": "${jwtType.audience}"
             }
             
             """.trimIndent().replace(" ", "").replace("\n", "")
 
+        val now = Instant.now().epochSecond
+        val expiry = Instant.now().plusSeconds(jwtType.lifetime).epochSecond
         val jwtPayload: String = Base64.getUrlEncoder().withoutPadding().encodeToString(
             String.format(
-                jwtPayloadTemplate,
-                Instant.now().epochSecond,
-                Instant.now().plusSeconds(jwtLifetimeSeconds).epochSecond
+                jwtPayloadTemplate, now, expiry
             ).replace(" ", "").replace("\n", "")
                 .toByteArray(StandardCharsets.UTF_8)
         )
@@ -58,7 +60,7 @@ class JwtService(
             signature.sign()
         )
 
-        return "$jwtContent.$jwtSignature"
+        return JwtResponseDto("$jwtContent.$jwtSignature", expiry)
     }
 
     fun makeJwks(): String {
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/KeychainHolder.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/KeychainHolder.kt
@@ -1,4 +1,4 @@
-package online.danielstefani.paddy.security
+package online.danielstefani.paddy.jwt
 
 import jakarta.enterprise.context.ApplicationScoped
 import online.danielstefani.paddy.configuration.JwksConfiguration
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtRequestDto.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtRequestDto.kt
@@ -0,0 +1,6 @@
+package online.danielstefani.paddy.jwt.dto
+
+data class JwtRequestDto(
+    val subject: String,
+    val jwtType: JwtType
+)
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtResponseDto.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtResponseDto.kt
@@ -0,0 +1,6 @@
+package online.danielstefani.paddy.jwt.dto
+
+data class JwtResponseDto(
+    val jwt: String,
+    val absoluteExpiryUnixSeconds: Long
+)
diff --git a/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtType.kt b/src/main/kotlin/online/danielstefani/paddy/jwt/dto/JwtType.kt
@@ -0,0 +1,10 @@
+package online.danielstefani.paddy.jwt.dto
+
+enum class JwtType(
+    val lifetime: Long,
+    val audience: String
+) {
+    ADMIN(31540000, "paddy~internal"),
+    PAD(31540000, "paddy~pad"),
+    USER(3600, "paddy~user")
+}
diff --git a/src/main/kotlin/online/danielstefani/paddy/security/http/HttpAuthenticationController.kt b/src/main/kotlin/online/danielstefani/paddy/security/http/HttpAuthenticationController.kt
@@ -6,7 +6,7 @@ import jakarta.ws.rs.Path
 import jakarta.ws.rs.Produces
 import jakarta.ws.rs.core.MediaType
 import online.danielstefani.paddy.security.AbstractAuthorizationController
-import online.danielstefani.paddy.security.JwtService
+import online.danielstefani.paddy.jwt.JwtService
 import online.danielstefani.paddy.security.dto.AuthorizationRequestDto
 import online.danielstefani.paddy.security.dto.AuthorizationResultDto
 import org.jboss.resteasy.reactive.RestResponse
@@ -16,7 +16,8 @@ import java.time.Instant
 @Consumes(MediaType.APPLICATION_JSON)
 @Produces(MediaType.APPLICATION_JSON)
 class HttpAuthenticationController(
-    private val jwtService: JwtService) : AbstractAuthorizationController() {
+    private val jwtService: JwtService
+) : AbstractAuthorizationController() {
 
     @POST
     @Path("/validate")
diff --git a/src/main/kotlin/online/danielstefani/paddy/security/mqtt/MqttAuthenticationController.kt b/src/main/kotlin/online/danielstefani/paddy/security/mqtt/MqttAuthenticationController.kt
@@ -4,7 +4,7 @@ import jakarta.ws.rs.GET
 import jakarta.ws.rs.Path
 import jakarta.ws.rs.Produces
 import jakarta.ws.rs.core.MediaType
-import online.danielstefani.paddy.security.JwtService
+import online.danielstefani.paddy.jwt.JwtService
 
 
 @Path("/")
@@ -21,14 +21,4 @@ class MqttAuthenticationController(
     fun getJwks(): String {
         return jwtService.makeJwks()
     }
-
-    /*
-    Mint a new JWT. Should be called only by the backend
-    as these JWTs have permissions to connect to all topics.
-     */
-    @GET
-    @Path("/admin-jwt")
-    fun getJwt(): String {
-        return jwtService.makeJwt("paddy-backend")
-    }
 }
diff --git a/src/main/kotlin/online/danielstefani/paddy/security/mqtt/MqttAuthorizationController.kt b/src/main/kotlin/online/danielstefani/paddy/security/mqtt/MqttAuthorizationController.kt
@@ -7,7 +7,7 @@ import jakarta.ws.rs.Path
 import jakarta.ws.rs.Produces
 import jakarta.ws.rs.core.MediaType
 import online.danielstefani.paddy.security.AbstractAuthorizationController
-import online.danielstefani.paddy.security.JwtService
+import online.danielstefani.paddy.jwt.JwtService
 import online.danielstefani.paddy.security.dto.AuthorizationRequestDto
 import online.danielstefani.paddy.security.dto.AuthorizationResultDto
 import org.jboss.resteasy.reactive.RestResponse
@@ -16,7 +16,8 @@ import org.jboss.resteasy.reactive.RestResponse
 @Consumes(MediaType.APPLICATION_JSON)
 @Produces(MediaType.APPLICATION_JSON)
 class MqttAuthorizationController(
-    private val jwtService: JwtService) : AbstractAuthorizationController() {
+    private val jwtService: JwtService
+) : AbstractAuthorizationController() {
 
     @POST
     @Path("/verify")

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package online.danielstefani.paddy.security`
	`1`	`+package online.danielstefani.paddy.jwt`
`2`	`2`
`3`	`3`	`import jakarta.enterprise.context.ApplicationScoped`
`4`	`4`	`import online.danielstefani.paddy.configuration.JwksConfiguration`