keypairs/keyfetch/uncached/fetch.go

// Package uncached provides uncached versions of go-keypairs/keyfetch
package uncached

import (
	"bytes"
	"encoding/json"
	"crypto/rsa"
	"crypto/ecdsa"
	"errors"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"strings"
	"time"

	"git.rootprojects.org/root/keypairs"
)

// URLishKey is TODO
var URLishKey = "_kid_url"

// JWKMapByID is TODO
type JWKMapByID = map[string]map[string]string

// PublicKeysMap is TODO
type PublicKeysMap = map[string]keypairs.PublicKeyDeprecated

// OIDCJWKs gets the OpenID Connect configuration from the baseURL and then calls JWKs with the specified jwks_uri
func OIDCJWKs(baseURL string) (JWKMapByID, PublicKeysMap, error) {
	baseURL = normalizeBaseURL(baseURL)
	oidcConf := struct {
		JWKSURI string `json:"jwks_uri"`
	}{}

	// must come in as https://<domain>/
	url := baseURL + ".well-known/openid-configuration"
	err := safeFetch(url, func(body io.Reader) error {
		decoder := json.NewDecoder(body)
		decoder.UseNumber()
		return decoder.Decode(&oidcConf)
	})
	if nil != err {
		return nil, nil, err
	}

	return JWKs(oidcConf.JWKSURI)
}

// WellKnownJWKs calls JWKs with baseURL + /.well-known/jwks.json as constructs the jwks_uri
func WellKnownJWKs(baseURL string) (JWKMapByID, PublicKeysMap, error) {
	baseURL = normalizeBaseURL(baseURL)
	url := baseURL + ".well-known/jwks.json"

	return JWKs(url)
}

// JWKs fetches and parses a jwks.json (assuming well-known format)
func JWKs(jwksurl string) (JWKMapByID, PublicKeysMap, error) {
	keys := PublicKeysMap{}
	maps := JWKMapByID{}
	resp := struct {
		Keys []map[string]interface{} `json:"keys"`
	}{
		Keys: make([]map[string]interface{}, 0, 1),
	}

	if err := safeFetch(jwksurl, func(body io.Reader) error {
		decoder := json.NewDecoder(body)
		decoder.UseNumber()
		return decoder.Decode(&resp)
	}); nil != err {
		return nil, nil, err
	}

	for i := range resp.Keys {
		k := resp.Keys[i]
		m := getStringMap(k)

		key, err := keypairs.NewJWKPublicKey(m)

		if nil != err {
			return nil, nil, err
		}
		keys[keypairs.Thumbprint(key.Key())] = key
		maps[keypairs.Thumbprint(key.Key())] = m
	}

	return maps, keys, nil
}

// PEM fetches and parses a PEM (assuming well-known format)
func PEM(pemurl string) (map[string]string, keypairs.PublicKey, error) {
	var pubd keypairs.PublicKeyDeprecated
	if err := safeFetch(pemurl, func(body io.Reader) error {
		pem, err := ioutil.ReadAll(body)
		if nil != err {
			return err
		}
		pubd, err = keypairs.ParsePublicKey(pem)
		if nil != err {
			return err
		}
		return nil
	}); nil != err {
		return nil, nil, err
	}

	jwk := map[string]interface{}{}
	pub := pubd.Key()
	body := bytes.NewBuffer(keypairs.MarshalJWKPublicKey(pub))
	decoder := json.NewDecoder(body)
	decoder.UseNumber()
	_ = decoder.Decode(&jwk)

	m := getStringMap(jwk)
	m["kid"] = keypairs.Thumbprint(pub)
	// TODO is this just junk?
	m[URLishKey] = pemurl

	switch pub.(type) {
	case *ecdsa.PublicKey:
		//p.KID = pemurl
	case *rsa.PublicKey:
		//p.KID = pemurl
	default:
		return nil, nil, errors.New("impossible key type")
	}

	return m, pub, nil
}

// Fetch retrieves a single JWK (plain, bare jwk) from a URL (off-spec)
func Fetch(url string) (map[string]string, keypairs.PublicKeyDeprecated, error) {
	var m map[string]interface{}
	if err := safeFetch(url, func(body io.Reader) error {
		decoder := json.NewDecoder(body)
		decoder.UseNumber()
		return decoder.Decode(&m)
	}); nil != err {
		return nil, nil, err
	}

	n := getStringMap(m)
	key, err := keypairs.NewJWKPublicKey(n)
	if nil != err {
		return nil, nil, err
	}

	return n, key, nil
}

func getStringMap(m map[string]interface{}) map[string]string {
	n := make(map[string]string)

	// TODO get issuer from x5c, if exists

	// convert map[string]interface{} to map[string]string
	for j := range m {
		switch s := m[j].(type) {
		case string:
			n[j] = s
		default:
			// safely ignore
		}
	}

	return n
}

type decodeFunc func(io.Reader) error

// TODO: also limit the body size
func safeFetch(url string, decoder decodeFunc) error {
	var netTransport = &http.Transport{
		Dial: (&net.Dialer{
			Timeout: 5 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 5 * time.Second,
	}
	var client = &http.Client{
		Timeout:   time.Second * 10,
		Transport: netTransport,
	}

	req, err := http.NewRequest("GET", url, nil)
	req.Header.Set("User-Agent", "go-keypairs/keyfetch")
	req.Header.Set("Accept", "application/json;q=0.9,*/*;q=0.8")
	res, err := client.Do(req)
	if nil != err {
		return err
	}
	defer res.Body.Close()

	return decoder(res.Body)
}

func normalizeBaseURL(iss string) string {
	return strings.TrimRight(iss, "/") + "/"
}
refactor 2019-02-21 00:10:42 +00:00			`// Package uncached provides uncached versions of go-keypairs/keyfetch`
			`package uncached`

			`import (`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`"bytes"`
refactor 2019-02-21 00:10:42 +00:00			`"encoding/json"`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`"crypto/rsa"`
			`"crypto/ecdsa"`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`"errors"`
refactor 2019-02-21 00:10:42 +00:00			`"io"`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`"io/ioutil"`
refactor 2019-02-21 00:10:42 +00:00			`"net"`
			`"net/http"`
normalize trailing / on issuer and baseURL 2019-02-22 21:40:46 +00:00			`"strings"`
refactor 2019-02-21 00:10:42 +00:00			`"time"`

update canonical import path 2020-05-10 18:34:01 +00:00			`"git.rootprojects.org/root/keypairs"`
refactor 2019-02-21 00:10:42 +00:00			`)`

move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`// URLishKey is TODO`
			`var URLishKey = "_kid_url"`

			`// JWKMapByID is TODO`
			`type JWKMapByID = map[string]map[string]string`

			`// PublicKeysMap is TODO`
			`type PublicKeysMap = map[string]keypairs.PublicKeyDeprecated`

refactor 2019-02-21 00:10:42 +00:00			`// OIDCJWKs gets the OpenID Connect configuration from the baseURL and then calls JWKs with the specified jwks_uri`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`func OIDCJWKs(baseURL string) (JWKMapByID, PublicKeysMap, error) {`
normalize trailing / on issuer and baseURL 2019-02-22 21:40:46 +00:00			`baseURL = normalizeBaseURL(baseURL)`
refactor 2019-02-21 00:10:42 +00:00			`oidcConf := struct {`
			JWKSURI string `json:"jwks_uri"`
			`}{}`

			`// must come in as https://<domain>/`
			`url := baseURL + ".well-known/openid-configuration"`
			`err := safeFetch(url, func(body io.Reader) error {`
			`decoder := json.NewDecoder(body)`
			`decoder.UseNumber()`
			`return decoder.Decode(&oidcConf)`
			`})`
			`if nil != err {`
			`return nil, nil, err`
			`}`

			`return JWKs(oidcConf.JWKSURI)`
			`}`

			`// WellKnownJWKs calls JWKs with baseURL + /.well-known/jwks.json as constructs the jwks_uri`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`func WellKnownJWKs(baseURL string) (JWKMapByID, PublicKeysMap, error) {`
normalize trailing / on issuer and baseURL 2019-02-22 21:40:46 +00:00			`baseURL = normalizeBaseURL(baseURL)`
add user agent 2019-03-08 21:28:23 +00:00			`url := baseURL + ".well-known/jwks.json"`
refactor 2019-02-21 00:10:42 +00:00
add user agent 2019-03-08 21:28:23 +00:00			`return JWKs(url)`
refactor 2019-02-21 00:10:42 +00:00			`}`

			`// JWKs fetches and parses a jwks.json (assuming well-known format)`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`func JWKs(jwksurl string) (JWKMapByID, PublicKeysMap, error) {`
			`keys := PublicKeysMap{}`
			`maps := JWKMapByID{}`
refactor 2019-02-21 00:10:42 +00:00			`resp := struct {`
			Keys []map[string]interface{} `json:"keys"`
			`}{`
			`Keys: make([]map[string]interface{}, 0, 1),`
			`}`

			`if err := safeFetch(jwksurl, func(body io.Reader) error {`
			`decoder := json.NewDecoder(body)`
			`decoder.UseNumber()`
			`return decoder.Decode(&resp)`
			`}); nil != err {`
			`return nil, nil, err`
			`}`

			`for i := range resp.Keys {`
			`k := resp.Keys[i]`
			`m := getStringMap(k)`

go lint and update docs 2020-04-10 17:59:44 +00:00			`key, err := keypairs.NewJWKPublicKey(m)`

			`if nil != err {`
refactor 2019-02-21 00:10:42 +00:00			`return nil, nil, err`
			`}`
transitioning to go1.15 PublicKey interface 2020-10-21 09:38:05 +00:00			`keys[keypairs.Thumbprint(key.Key())] = key`
			`maps[keypairs.Thumbprint(key.Key())] = m`
refactor 2019-02-21 00:10:42 +00:00			`}`

			`return maps, keys, nil`
			`}`

v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`// PEM fetches and parses a PEM (assuming well-known format)`
transitioning to go1.15 PublicKey interface 2020-10-21 09:38:05 +00:00			`func PEM(pemurl string) (map[string]string, keypairs.PublicKey, error) {`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`var pubd keypairs.PublicKeyDeprecated`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`if err := safeFetch(pemurl, func(body io.Reader) error {`
			`pem, err := ioutil.ReadAll(body)`
			`if nil != err {`
			`return err`
			`}`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`pubd, err = keypairs.ParsePublicKey(pem)`
			`if nil != err {`
			`return err`
			`}`
			`return nil`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`}); nil != err {`
			`return nil, nil, err`
			`}`

			`jwk := map[string]interface{}{}`
transitioning to go1.15 PublicKey interface 2020-10-21 09:38:05 +00:00			`pub := pubd.Key()`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`body := bytes.NewBuffer(keypairs.MarshalJWKPublicKey(pub))`
			`decoder := json.NewDecoder(body)`
			`decoder.UseNumber()`
			`_ = decoder.Decode(&jwk)`

			`m := getStringMap(jwk)`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`m["kid"] = keypairs.Thumbprint(pub)`
			`// TODO is this just junk?`
			`m[URLishKey] = pemurl`

			`switch pub.(type) {`
			`case *ecdsa.PublicKey:`
			`//p.KID = pemurl`
			`case *rsa.PublicKey:`
			`//p.KID = pemurl`
v0.2.0: add support for fetching /pem 2019-03-15 23:52:53 +00:00			`default:`
			`return nil, nil, errors.New("impossible key type")`
			`}`

			`return m, pub, nil`
			`}`

refactor 2019-02-21 00:10:42 +00:00			`// Fetch retrieves a single JWK (plain, bare jwk) from a URL (off-spec)`
move away from PublicKeyDeprecated 2020-10-21 09:16:34 +00:00			`func Fetch(url string) (map[string]string, keypairs.PublicKeyDeprecated, error) {`
refactor 2019-02-21 00:10:42 +00:00			`var m map[string]interface{}`
			`if err := safeFetch(url, func(body io.Reader) error {`
			`decoder := json.NewDecoder(body)`
			`decoder.UseNumber()`
			`return decoder.Decode(&m)`
			`}); nil != err {`
			`return nil, nil, err`
			`}`

			`n := getStringMap(m)`
			`key, err := keypairs.NewJWKPublicKey(n)`
			`if nil != err {`
			`return nil, nil, err`
			`}`

			`return n, key, nil`
			`}`

			`func getStringMap(m map[string]interface{}) map[string]string {`
			`n := make(map[string]string)`

			`// TODO get issuer from x5c, if exists`

			`// convert map[string]interface{} to map[string]string`
			`for j := range m {`
			`switch s := m[j].(type) {`
			`case string:`
			`n[j] = s`
			`default:`
			`// safely ignore`
			`}`
			`}`

			`return n`
			`}`

			`type decodeFunc func(io.Reader) error`

			`// TODO: also limit the body size`
			`func safeFetch(url string, decoder decodeFunc) error {`
			`var netTransport = &http.Transport{`
			`Dial: (&net.Dialer{`
			`Timeout: 5 * time.Second,`
			`}).Dial,`
			`TLSHandshakeTimeout: 5 * time.Second,`
			`}`
add user agent 2019-03-08 21:28:23 +00:00			`var client = &http.Client{`
refactor 2019-02-21 00:10:42 +00:00			`Timeout: time.Second * 10,`
			`Transport: netTransport,`
			`}`

add user agent 2019-03-08 21:28:23 +00:00			`req, err := http.NewRequest("GET", url, nil)`
			`req.Header.Set("User-Agent", "go-keypairs/keyfetch")`
			`req.Header.Set("Accept", "application/json;q=0.9,/;q=0.8")`
			`res, err := client.Do(req)`
refactor 2019-02-21 00:10:42 +00:00			`if nil != err {`
			`return err`
			`}`
			`defer res.Body.Close()`

			`return decoder(res.Body)`
			`}`
normalize trailing / on issuer and baseURL 2019-02-22 21:40:46 +00:00
			`func normalizeBaseURL(iss string) string {`
			`return strings.TrimRight(iss, "/") + "/"`
			`}`