From 0377278ea0614684b3b7a67b3a0176a50899a435 Mon Sep 17 00:00:00 2001 From: Wolfgang Hottgenroth Date: Thu, 6 May 2021 16:37:32 +0200 Subject: [PATCH] pubkey stuff --- auth.py | 16 ++++++++++++++-- openapi.yaml | 13 +++++++++++++ readme.md | 13 +++++++++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 readme.md diff --git a/auth.py b/auth.py index f1fa522..5ef8c65 100755 --- a/auth.py +++ b/auth.py @@ -13,7 +13,9 @@ DB_HOST = os.environ["DB_HOST"] DB_NAME = os.environ["DB_NAME"] JWT_ISSUER = os.environ["JWT_ISSUER"] -JWT_SECRET = os.environ["JWT_SECRET"] + + + class NoUserException(Exception): @@ -28,6 +30,13 @@ class PasswordMismatchException(Exception): UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims']) +JWT_PRIV_KEY = "" +with open('/opt/app/config/authservice.key', 'r') as f: + JWT_PRIV_KEY = f.readlines() + +JWT_PUB_KEY = "" +with open('/opt/app/config/authservice.pub', 'r') as f: + JWT_PUB_KEY = f.readlines() def getUserEntryFromDB(application: str, login: str): @@ -103,7 +112,7 @@ def generateToken(**args): # print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1])) payload[claim[0]] = claim[1] - return jwt.encode(payload, JWT_SECRET, algorithm='RS256') + return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256') except NoUserException: print("ERROR: generateToken: no user found, login or application wrong") raise werkzeug.exceptions.Unauthorized() @@ -119,3 +128,6 @@ def generateToken(**args): except Exception as e: print("ERROR: generateToken: unspecific exception: {}".format(str(e))) raise werkzeug.exceptions.Unauthorized() + +def getPubKey(): + return JWT_PUB_KEY diff --git a/openapi.yaml b/openapi.yaml index b547750..f153239 100644 --- a/openapi.yaml +++ b/openapi.yaml 
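Review bot: `f.readlines()` on the two new key-loading lines yields a list of lines, not the PEM text that `jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')` in the third hunk and the `getPubKey()` response in the fourth hunk need; use `JWT_PRIV_KEY = f.read()` and `JWT_PUB_KEY = f.read()` so each holds the whole key as one string. The `JWT_PRIV_KEY = ""` and `JWT_PUB_KEY = ""` pre-assignments are then dead and can be dropped. The file paths are hard-coded at import time while DB_HOST, DB_NAME and JWT_ISSUER just above come from the environment; taking the key locations from the environment in the same way would keep the service's configuration in one place (a missing key file would still fail at import, which is the right moment to fail). Note also that the new readme generates `authservice.pem` while this code opens `/opt/app/config/authservice.key` — one of the two names should change so the documented setup actually works.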
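Review bot: `getPubKey` has no docstring and nothing states what it returns or where the value comes from; a one-line docstring such as `"""Return this issuer's PEM-encoded public key (served at GET /pubkey as text/plain)."""` would document the contract the openapi.yaml hunk declares. Since the value is verification material that clients rely on, the docstring should also say it is read once from the configured file at import and never reloaded, so operators know a key rotation needs a restart.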
@@ -35,6 +35,19 @@ paths: type: string security: - jwt: ['secret'] + /pubkey: + get: + tags: [ "JWT" ] + summary: Get the public key of this issuer + operationId: auth.getPubKey + responses: + '200': + description: public key + content: + 'text/plain': + schema: + type: string + components: securitySchemes: diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..bb7dcc7 --- /dev/null +++ b/readme.md @@ -0,0 +1,13 @@ +Generate the RSA key pair using: + + +Private key (keep it secret!): + + openssl genrsa -out authservice.pem 2048 + + +Extract the public key (publish it): + + openssl rsa -in authservice.pem -outform PEM -pubout -out authservice.pub + +
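Review bot: The new `/pubkey` operation carries no `security` entry, unlike the preceding operation's `security: - jwt: ['secret']` visible in the context lines; that is correct for a key-distribution endpoint only if no document-level `security` applies — if one does, add `security: []` under `get:` so token verifiers can fetch the key without already holding a token. The declared `text/plain` string response also assumes `auth.getPubKey` returns a single string; with the key loaded via `readlines()` in auth.py it returns a list, so this contract and the implementation disagree until one of them is changed.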