Use JWKS for list of trusted keys (#37)

* Use JWKS for list of trusted keys

* Rename

* Update nodeman/server.py

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Jakob Schlyter <[email protected]>

---------

Signed-off-by: Jakob Schlyter <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

README.md

@@ -21,7 +21,7 @@ The enrollment response is a dictionary containing at least the following proper
 - `x509_ca_certificate`, X.509 CA Certificate Bundle (PEM)
 - `mqtt_broker`, MQTT broker address (URI)
 - `mqtt_topics`, Dictionary of per application MQTT configuration topic
-- `trusted_keys`, List of JWKs used for signing data from core services
+- `trusted_jwks`, JWKSet with keys used for signing data from core services
 
 
 ## Renewal

nodeman.toml

@@ -24,7 +24,7 @@ provisioner_private_key ="provisioner_private.json"
 
 [nodes]
 domain = "dev.dnstapir.se"
-trusted_keys = "tests/trusted_keys.json"
+trusted_jwks = "tests/trusted_jwks.json"
 mqtt_broker = "mqtts://localhost"
 
 [nodes.mqtt_topics]

nodeman/models.py

@@ -88,4 +88,4 @@ class NodeConfiguration(NodeCertificate):
         default={},
         examples=[{"edm": "configuration/node.example.com/edm", "pop": "configuration/node.example.com/pop"}],
     )
-    trusted_keys: list[PublicJwk] = Field(title="Trusted keys")
+    trusted_jwks: dict[str, list[PublicJwk]] = Field(title="Trusted JWKS")

nodeman/nodes.py

@@ -272,7 +272,7 @@ async def enroll_node(
         name=name,
         mqtt_broker=request.app.settings.nodes.mqtt_broker,
         mqtt_topics=request.app.settings.nodes.mqtt_topics,
-        trusted_keys=request.app.trusted_keys.get("keys", []),
+        trusted_jwks=request.app.trusted_jwks,
         x509_certificate=node_certificate.x509_certificate,
         x509_ca_certificate=node_certificate.x509_ca_certificate,
         x509_certificate_serial_number=node_certificate.x509_certificate_serial_number,

nodeman/server.py

@@ -42,15 +42,16 @@ def __init__(self, settings: Settings):
         else:
             self.logger.info("Configured without OpenTelemetry")
 
-        self.trusted_keys = []
-        if filename := self.settings.nodes.trusted_keys:
+        self.trusted_jwks = []
+        if filename := self.settings.nodes.trusted_jwks:
             try:
                 with open(filename) as fp:
-                    self.trusted_keys = JWKSet.from_json(fp.read())
+                    self.trusted_jwks = JWKSet.from_json(fp.read())
             except OSError as exc:
                 logger.error("Failed to read trusted keys from %s", filename)
                 raise exc
-            self.logger.info("Found %d trusted keys", len(self.trusted_keys.get("keys", [])))
+            keys = self.trusted_jwks["keys"] if isinstance(self.trusted_jwks, dict) else []
+            self.logger.info("Found %d trusted keys", len(keys))
         else:
             self.logger.warning("Starting without trusted keys")
 

nodeman/settings.py

@@ -42,7 +42,7 @@ class InternalCaSettings(BaseModel):
 
 class NodesSettings(BaseModel):
     domain: str = Field(default="example.com")
-    trusted_keys: FilePath | None = Field(default=None)
+    trusted_jwks: FilePath | None = Field(default=None)
     mqtt_broker: MqttUrl = Field(default="mqtt://localhost")
     mqtt_topics: dict[str, str] = Field(default={})
 

tests/test.toml

@@ -3,7 +3,7 @@ server =  "mongomock://localhost/nodes"
 
 [nodes]
 domain = "test.dnstapir.se"
-trusted_keys = "tests/trusted_keys.json"
+trusted_jwks = "tests/trusted_jwks.json"
 mqtt_broker = "mqtts://localhost"
 
 [[users]]

tests/trusted_keys.json → tests/trusted_jwks.json

@@ -14,4 +14,4 @@
                         "y": "bxf0CaW2ZScHZ0MG8VRftM3su8LfBzCygnKNi6Z7_TQ"
                 }
         ]
-}
+}