From 1e9b52cdb513ed5d9b72f1babf3de860f6a30168 Mon Sep 17 00:00:00 2001
|
|
From: Cropi <alakatos@redhat.com>
|
|
Date: Wed, 21 Jan 2026 12:19:54 +0100
|
|
Subject: [PATCH] Refactor(kbs): replace jwt-simple with jsonwebtoken in Admin
|
|
API
|
|
|
|
Migrate the KBS Admin API authentication from `jwt-simple` to the
|
|
`jsonwebtoken` library to reduce dependency burden.
|
|
|
|
Changes details:
|
|
- kbs/admin: Refactor `Admin` struct to store `DecodingKey` instead of
|
|
`Ed25519PublicKey`.
|
|
- kbs/admin: Update validation logic to use `jsonwebtoken::decode` with
|
|
EdDSA algorithm validation.
|
|
- kbs/admin: Update error handling to wrap `jsonwebtoken` errors.
|
|
- kbs/Cargo.toml: Remove `jwt-simple` dependency.
|
|
- Cargo.toml: Remove `jwt-simple` from workspace dependencies.
|
|
|
|
Note: The `kbs-client` tool, which still depends on `jwt-simple`, is
|
|
currently excluded from the workspace `members` list. If we ever decide
|
|
to ship that as well we need to do additional work.
|
|
|
|
THIS PATCH COULD BE UPSTREAMED
|
|
---
|
|
Cargo.toml | 3 ---
|
|
kbs/Cargo.toml | 2 +-
|
|
kbs/src/admin/error.rs | 4 ++--
|
|
kbs/src/admin/mod.rs | 16 +++++++---------
|
|
4 files changed, 10 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/Cargo.toml b/Cargo.toml
|
|
index 31b3e75..d76a061 100644
|
|
--- a/Cargo.toml
|
|
+++ b/Cargo.toml
|
|
@@ -26,9 +26,6 @@ config = "0.14.1"
|
|
ear = "0.3.0"
|
|
env_logger = "0.10.0"
|
|
hex = "0.4.3"
|
|
-jwt-simple = { version = "0.12", default-features = false, features = [
|
|
- "pure-rust",
|
|
-] }
|
|
kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
|
|
# TODO: Change this to kbs-types release
|
|
kbs-types = { "git" = "https://github.com/virtee/kbs-types.git", rev = "e3cc706" }
|
|
diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
|
|
index 1bd4adf..93a8061 100644
|
|
--- a/kbs/Cargo.toml
|
|
+++ b/kbs/Cargo.toml
|
|
@@ -56,7 +56,7 @@ cryptoki = { version = "0.10.0", optional = true }
|
|
env_logger.workspace = true
|
|
hex.workspace = true
|
|
jsonwebtoken = { workspace = true, default-features = false }
|
|
-jwt-simple.workspace = true
|
|
+
|
|
kbs-types.workspace = true
|
|
kms = { workspace = true, default-features = false }
|
|
lazy_static.workspace = true
|
|
diff --git a/kbs/src/admin/error.rs b/kbs/src/admin/error.rs
|
|
index 2c21f63..440851e 100644
|
|
--- a/kbs/src/admin/error.rs
|
|
+++ b/kbs/src/admin/error.rs
|
|
@@ -13,14 +13,14 @@ pub enum Error {
|
|
#[error("Admin Token verification failed")]
|
|
JwtVerificationFailed {
|
|
#[source]
|
|
- source: jwt_simple::Error,
|
|
+ source: jsonwebtoken::errors::Error,
|
|
},
|
|
|
|
#[error("`auth_public_key` is not set in the config file")]
|
|
NoPublicKeyGiven,
|
|
|
|
#[error("Failed to parse admin public key")]
|
|
- ParsePublicKey(#[from] jwt_simple::Error),
|
|
+ ParsePublicKey(#[from] jsonwebtoken::errors::Error),
|
|
|
|
#[error("Failed to parse HTTP Auth Bearer header")]
|
|
ParseAuthHeaderFailed(#[from] actix_web::error::ParseError),
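Review bot: After this change both `JwtVerificationFailed` and `ParsePublicKey` wrap the same `jsonwebtoken::errors::Error`, but only `ParsePublicKey` carries `#[from]`, so any bare `?` on a jsonwebtoken error inside the admin module will be reported as "Failed to parse admin public key" even when it comes from token decoding. The verification path only reaches `JwtVerificationFailed` because of an explicit `map_err` elsewhere, and nothing here records that this is deliberate. Suggest a comment above the `ParsePublicKey` variant: `// #[from] is intentionally only here; token-verification errors must be mapped explicitly to JwtVerificationFailed so they are not misreported as key-parse failures.` The `Error` enum's opening and closing braces are outside this hunk.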
|
|
diff --git a/kbs/src/admin/mod.rs b/kbs/src/admin/mod.rs
|
|
index f5a376a..cda7675 100644
|
|
--- a/kbs/src/admin/mod.rs
|
|
+++ b/kbs/src/admin/mod.rs
|
|
@@ -5,11 +5,8 @@
|
|
use actix_web::{http::header::Header, HttpRequest};
|
|
use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
|
|
use config::AdminConfig;
|
|
-use jwt_simple::{
|
|
- claims::NoCustomClaims,
|
|
- common::VerificationOptions,
|
|
- prelude::{Ed25519PublicKey, EdDSAPublicKeyLike},
|
|
-};
|
|
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
|
|
+use serde_json::Value;
|
|
|
|
pub mod config;
|
|
pub mod error;
|
|
@@ -18,7 +15,7 @@ use log::warn;
|
|
|
|
#[derive(Default, Clone)]
|
|
pub struct Admin {
|
|
- public_key: Option<Ed25519PublicKey>,
|
|
+ public_key: Option<DecodingKey>,
|
|
}
|
|
|
|
impl TryFrom<AdminConfig> for Admin {
|
|
@@ -32,7 +29,7 @@ impl TryFrom<AdminConfig> for Admin {
|
|
|
|
let key_path = value.auth_public_key.ok_or(Error::NoPublicKeyGiven)?;
|
|
let user_public_key_pem = std::fs::read_to_string(key_path)?;
|
|
- let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?;
|
|
+ let key = DecodingKey::from_ed_pem(user_public_key_pem.as_bytes())?;
|
|
Ok(Self {
|
|
public_key: Some(key),
|
|
})
|
|
@@ -49,8 +46,9 @@ impl Admin {
|
|
|
|
let token = bearer.token();
|
|
|
|
- let _claims = public_key
|
|
- .verify_token::<NoCustomClaims>(token, Some(VerificationOptions::default()))
|
|
+ let validation = Validation::new(Algorithm::EdDSA);
|
|
+
|
|
+ let _claims = decode::<Value>(token, public_key, &validation)
|
|
.map_err(|e| Error::JwtVerificationFailed { source: e })?;
|
|
|
|
Ok(())
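Review bot: `Validation::new(Algorithm::EdDSA)` on the added line adopts jsonwebtoken's default claim policy, and that policy is not obviously the same as the `VerificationOptions::default()` it replaces: depending on the jsonwebtoken version in the workspace (not visible in this patch), the defaults typically require and check `exp` with a fixed `leeway` while leaving `nbf` unchecked unless `validate_nbf` is set, whereas the previous jwt-simple defaults also rejected not-yet-valid tokens. Since the decoded `Value` is discarded, these time checks are the only claim validation the Admin API performs, so they should be set deliberately rather than inherited, e.g. `let mut validation = Validation::new(Algorithm::EdDSA);` followed by `validation.validate_nbf = true;`, with a short comment stating which claims are required and why. Pinning the algorithm to `EdDSA` is the right call and should be kept. The enclosing method's signature and the derivation of `public_key` are outside this hunk.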
|
|
--
|
|
2.52.0
|
|
|