oidc provider (jwt vending only)

sorah · sorah · commit 4348b9b2de10 · 2023-04-29T00:41:45.000+09:00
#58
diff --git a/.gitignore b/.gitignore
@@ -24,6 +24,8 @@
 # Ignore master key for decrypting credentials and more.
 /config/master.key
 
+/tmp/oidc.key
+
 /public/packs
 node_modules/
 
diff --git a/app/controllers/api/oidc_controller.rb b/app/controllers/api/oidc_controller.rb
@@ -0,0 +1,23 @@
+# Dumb OIDC implementation. Returns JWK set and metadata for AWS IAM consumption.
+class Api::OidcController < Api::ApplicationController
+  def show_configuration
+    expires_in(60, public: true, 's-maxage': 86400*365)
+    render(json: {
+      issuer: "https://#{request.host}",
+      jwks_uri: "https://#{request.host}/api/oidc/jwks",
+      response_types_supported: ["id_token"],
+      subject_types_supported: ["public"],
+      claims_supported: ["iss","aud","sub","jti","iat","nbf","exp"],
+      id_token_signing_alg_values_supported:["RS256"],
+    })
+  end
+
+  def show_jwks
+    expires_in(60, public: true, 's-maxage': 86400*365)
+    render(json: {
+      keys: [
+        OidcSigningKey.public_jwk,
+      ],
+    })
+  end
+end
diff --git a/app/models/oidc_signing_key.rb b/app/models/oidc_signing_key.rb
@@ -0,0 +1,27 @@
+module OidcSigningKey
+  def self.pkey
+    key = Rails.configuration.x.oidc.signing_key
+    raise "no config.x.oidc.signing_key" unless key
+    raise "should be RSA key" unless key.is_a?(OpenSSL::PKey::RSA)
+    key
+  end
+
+  def self.kid
+    @kid ||= "to1x#{hash}"
+  end
+
+  def self.hash
+    @hash ||= OpenSSL::Digest.hexdigest('sha256', pkey.public_key.to_der)
+  end
+
+  def self.public_jwk
+    @jwk ||= {
+      kid: kid,
+      kty: 'RSA',
+      use: "sig",
+      alg: "RS256",
+      n: Base64.urlsafe_encode64(pkey.public_key.n.to_s(2), padding: false),
+      e: Base64.urlsafe_encode64(pkey.public_key.e.to_s(2), padding: false),
+    }
+  end
+end
diff --git a/config/application.rb b/config/application.rb
@@ -14,6 +14,9 @@
 # require "action_cable/engine"
 # require "rails/test_unit/railtie"
 
+require 'openssl'
+require 'securerandom'
+
 require_relative '../lib/outpost_local'
 
 # Require the gems listed in Gemfile, including any gems
diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -7,6 +7,7 @@
   config.x.staff_only = ENV['TAKEOUT_STAFF_ONLY'] == '1'
   config.x.staff_only_stream = ENV['TAKEOUT_STAFF_ONLY_STREAM'] == '1'
   config.x.chime.user_role_arn = ENV['TAKEOUT_USER_ROLE_ARN']
+  config.x.chime.use_oidc = ENV['TAKEOUT_CHIME_USE_OIDC'] == '1'
   config.x.default_avatar_url = 'https://takeout.rubykaigi.org/assets/dummy-avatar.jpg'
   config.x.avatar_prefix = ENV['TAKEOUT_AVATAR_PREFIX']
   config.x.s3.public_bucket = ENV['TAKEOUT_S3_BUCKET'] || 'rk-takeout-app'
@@ -20,6 +21,9 @@
   config.x.control.password = ENV['TAKEOUT_CONTROL_PASSWORD']
   config.x.kiosk.password = ENV['TAKEOUT_KIOSK_PASSWORD']
 
+  config.x.oidc.signing_key = ENV['OIDC_SIGNING_KEY']&.yield_self { |der| OpenSSL::PKey::RSA.new(der.unpack1('m*'), '') } \
+    || (Rails.root.join('tmp', 'oidc.key').read rescue nil)&.yield_self { |pem| OpenSSL::PKey::RSA.new(pem, '') }
+
   config.active_job.queue_adapter = ENV.fetch('ENABLE_SHORYUKEN', '1') == '1' ? :inline : :shoryuken
 
   # In the development environment your application's code is reloaded any time
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -12,6 +12,7 @@
     config.x.avatar_prefix = ENV.fetch('TAKEOUT_AVATAR_PREFIX', nil) # TODO:
 
     config.x.chime.user_role_arn = ENV.fetch('TAKEOUT_USER_ROLE_ARN')
+    config.x.chime.use_oidc = ENV['TAKEOUT_CHIME_USE_OIDC'] == '1'
 
     config.x.s3.public_bucket = ENV.fetch('TAKEOUT_S3_BUCKET')
     config.x.s3.public_prefix = ENV.fetch('TAKEOUT_S3_PREFIX')
@@ -20,6 +21,8 @@
     config.x.control.password = ENV.fetch('TAKEOUT_CONTROL_PASSWORD')
     config.x.kiosk.password = ENV.fetch('TAKEOUT_KIOSK_PASSWORD')
 
+    config.x.oidc.signing_key = ENV.fetch('OIDC_SIGNING_KEY').yield_self { |der| OpenSSL::PKey::RSA.new(der.unpack1('m*'), '') }
+
     config.x.sentry.dsn = ENV['SENTRY_DSN']
     config.x.release_meta.commit = ENV['HEROKU_SLUG_COMMIT'] || ENV['RELEASE_COMMIT'] || Rails.root.join('REVISION').then { _1.exist? ? _1.read : nil } || 'COMMIT_UNKNOWN'
     config.x.release_meta.version = ENV['HEROKU_RELEASE_VERSION']
diff --git a/config/routes.rb b/config/routes.rb
@@ -39,6 +39,8 @@
 
   resources :avatars, only: %i(show), param: :handle
 
+  get '.well-known/openid-configuration' => 'api/oidc#show_configuration'
+
   scope path: 'control', module: 'control' do
     get 'chime_users/:handle' => 'chime_users#lookup'
   end
@@ -84,6 +86,10 @@
 
       resources :attendees, only: %i(index show update)
     end
+
+    scope path: 'oidc' do
+      get :jwks, to: 'oidc#show_jwks'
+    end
   end
 
   if Rails.env.development? || ENV['TAKEOUT_ENABLE_OUTPOST_LOCAL'] == '1'
diff --git a/tf/cloudfront.tf b/tf/cloudfront.tf
@@ -154,6 +154,50 @@ resource "aws_cloudfront_distribution" "takeout-rk-o" {
     viewer_protocol_policy = "redirect-to-https"
   }
 
+  ordered_cache_behavior {
+    path_pattern     = "/.well-known/openid-configuration"
+    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "takeout-app"
+
+    forwarded_values {
+      query_string = true
+      headers      = []
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 0
+    max_ttl     = 31536000
+
+    compress               = true
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  ordered_cache_behavior {
+    path_pattern     = "/api/oidc/jwks"
+    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "takeout-app"
+
+    forwarded_values {
+      query_string = true
+      headers      = []
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 0
+    max_ttl     = 31536000
+
+    compress               = true
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
   ordered_cache_behavior {
     path_pattern     = "/api/tracks/*/chat_message_pin"
     allowed_methods  = ["GET", "HEAD", "OPTIONS"]
diff --git a/tf/iam_TakeoutUser.tf b/tf/iam_TakeoutUser.tf
@@ -16,6 +16,21 @@ data "aws_iam_policy_document" "TakeoutUser-trust" {
       ]
     }
   }
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
+    principals {
+      type = "Federated"
+      identifiers = [
+        "arn:aws:iam::${local.aws_account_id}:oidc-provider/takeout.rubykaigi.org",
+      ]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "takeout.rubykaigi.org:sub"
+      values   = ["takeout-app-user"]
+    }
+  }
 }
 
 resource "aws_iam_role_policy" "TakeoutUser" {

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,21 @@ data "aws_iam_policy_document" "TakeoutUser-trust" {`
`16`	`16`	`]`
`17`	`17`	`}`
`18`	`18`	`}`
	`19`	`+ statement {`
	`20`	`+ effect = "Allow"`
	`21`	`+ actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]`
	`22`	`+ principals {`
	`23`	`+ type = "Federated"`
	`24`	`+ identifiers = [`
	`25`	`+ "arn:aws:iam::${local.aws_account_id}:oidc-provider/takeout.rubykaigi.org",`
	`26`	`+ ]`
	`27`	`+ }`
	`28`	`+ condition {`
	`29`	`+ test = "StringEquals"`
	`30`	`+ variable = "takeout.rubykaigi.org:sub"`
	`31`	`+ values = ["takeout-app-user"]`
	`32`	`+ }`
	`33`	`+ }`
`19`	`34`	`}`
`20`	`35`
`21`	`36`	`resource "aws_iam_role_policy" "TakeoutUser" {`