Use JWKS for list of trusted keys

[jschlyter]

Summary by CodeRabbit

• Documentation

  • Updated terminology in the README to reflect changes from trusted_keys to trusted_jwks.

• Configuration Changes

  • Renamed trusted_keys to trusted_jwks in nodeman.toml and tests/test.toml.
  • Commented out sections related to Vault and OTLP in nodeman.toml.

• Improvements

  • Enhanced error handling for the enroll_node function in nodeman/nodes.py.

• Refactor

  • Updated variable names and properties across multiple files to align with the new terminology.

[coderabbitai]

Warning

Rate limit exceeded

@jschlyter has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 20 minutes and 4 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between f64c9f2 and 0eaf30a.

📒 Files selected for processing (4)

• nodeman.toml (1 hunks)
• nodeman/server.py (1 hunks)
• tests/test.toml (1 hunks)
• tests/trusted_jwks.json (1 hunks)

Walkthrough

The pull request introduces a comprehensive renaming of trusted_keys to trusted_jwks across multiple files in the project. This change appears to standardize the terminology around JSON Web Keys (JWKs) in the node enrollment and configuration system. The modifications span configuration files, model definitions, server settings, and related code, ensuring consistent naming and potentially preparing for more structured key management using JWK specifications.

Changes

File	Change Summary
README.md	Renamed trusted_keys to trusted_jwks in enrollment response documentation
nodeman.toml	Updated trusted_keys field to trusted_jwks in [nodes] section
nodeman/models.py	Changed trusted_keys from list[PublicJwk] to dict[str, list[PublicJwk]]
nodeman/nodes.py	Renamed trusted_keys parameter to trusted_jwks in enroll_node function
nodeman/server.py	Renamed self.trusted_keys to self.trusted_jwks and updated related references
nodeman/settings.py	Updated trusted_keys attribute to trusted_jwks in NodesSettings class
tests/test.toml	Changed trusted_keys to trusted_jwks in configuration

Sequence Diagram

sequenceDiagram
    participant Client
    participant NodemanServer
    participant NodeConfiguration

    Client->>NodemanServer: Enrollment Request
    NodemanServer->>NodemanServer: Validate Trusted JWKs
    NodemanServer->>NodeConfiguration: Create Configuration
    NodeConfiguration-->>NodemanServer: Return Config with Trusted JWKs
    NodemanServer->>Client: Send Enrollment Response

Loading

Possibly related PRs

• Send enrollment key as JWK #34: Changes in nodeman/client.py related to handling enrollment key as a JWK, aligning with the current terminology update

Poem

🐰 Hop, hop, keys are changing their name,
From trusted keys to JWKS, what a frame!
A rabbit's dance of terminology bright,
Bringing clarity with cryptographic might!
JSON Web Keys now shine so clear! 🔑✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (3)

README.md (1)

24-24: Consider adding JWKSet format details

The documentation now correctly refers to trusted_jwks as a JWKSet, but it would be helpful to include:

• Expected JWKSet format and required fields
• Supported key types and algorithms
• Example JWKSet structure

nodeman/server.py (1)

45-53: Consider adding JWKS validation middleware

Given the security-critical nature of trusted keys, consider adding a validation middleware that:

1. Validates JWKS format and individual JWK entries
2. Verifies key algorithms and key usage
3. Implements key rotation policies
4. Monitors for expired or soon-to-expire keys

This would provide an additional security layer and better key management.

Would you like me to help design and implement this validation middleware?

nodeman/nodes.py (1)

Line range hint 149-149: Improve error message clarity for security failures.

The current error message "Node enrollment failed" is generic and could be more specific while still maintaining security. Consider a more descriptive message that doesn't leak sensitive information.

-        raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="Node enrollment failed")
+        raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="Node enrollment failed: Invalid or expired enrollment token")

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3ecb950 and f64c9f2.

📒 Files selected for processing (7)

• README.md (1 hunks)
• nodeman.toml (1 hunks)
• nodeman/models.py (1 hunks)
• nodeman/nodes.py (1 hunks)
• nodeman/server.py (1 hunks)
• nodeman/settings.py (1 hunks)
• tests/test.toml (1 hunks)

🔇 Additional comments (3)

nodeman/models.py (1)

91-91: ⚠️ Potential issue

Significant data structure change requires careful migration

The change from list[PublicJwk] to dict[str, list[PublicJwk]] is more than just a rename - it's a breaking change that restructures how trusted keys are stored. This better aligns with standard JWKS format but requires careful migration of existing data.

Let's verify the impact on existing code:

nodeman/settings.py (1)

45-45: LGTM: Consistent rename of configuration field

The field rename from trusted_keys to trusted_jwks is straightforward and maintains the same type and behavior.

nodeman/nodes.py (1)

271-271: LGTM! Verify client compatibility with the renamed field.

The change from trusted_keys to trusted_jwks aligns with the standardization of JWK terminology. The implementation correctly uses the new field name while maintaining the same data source.

Let's verify the integration points:

✅ Verification successful

The change is consistent with the codebase schema and no legacy references remain

The verification confirms:

• No remaining references to trusted_keys exist in Python files
• The NodeConfiguration model in nodeman/models.py correctly defines the field as trusted_jwks: dict[str, list[PublicJwk]]

Let's verify the client-side handling:

---

Let's verify the client-side handling and tests specifically for the enrollment flow:

---

Let's check the test helper function _test_enroll since it's used by all enrollment tests:

---

Let's check the test configuration and app setup to see how the trusted_jwks is initialized:

---

The change is correctly implemented and consistent with the codebase

The verification confirms:

1. The field is properly defined in the NodesSettings model as trusted_jwks: FilePath
2. The field is correctly used in the node enrollment endpoint
3. No legacy references to trusted_keys remain in the codebase
4. The change is consistent with the application's configuration structure

The change from trusted_keys to trusted_jwks is a safe terminology standardization that:

• Maintains the same security model
• Is properly reflected in the configuration schema
• Has no remaining legacy references that could cause compatibility issues

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any remaining references to trusted_keys and verify NodeConfiguration schema updates

# Check for any remaining references to trusted_keys
echo "Checking for remaining trusted_keys references..."
rg "trusted_keys" --type py

# Look for NodeConfiguration schema/model definitions
echo "Checking NodeConfiguration definitions..."
rg "class NodeConfiguration" --type py -A 10

Length of output: 929

---

Script:

#!/bin/bash
# Check for client-side code that might be consuming NodeConfiguration
rg "NodeConfiguration" --type py -B 2 -A 2

# Look for any test files that might verify this behavior
fd "test.*\.py$" --exec rg "trusted_j[w]?k" {}

Length of output: 2133

---

Script:

#!/bin/bash
# Check enrollment tests
fd "test.*\.py$" --exec rg "def test.*enroll" -B 2 -A 10 {}

# Check the actual enrollment response handling in tests
fd "test.*\.py$" --exec rg "NodeConfiguration\(" -B 2 -A 5 {}

# Look for any mock data or fixtures that might be using the old field name
fd "test.*\.py$" --exec rg "trusted_(keys|jwks)" -B 2 {}

Length of output: 2557

---

Script:

#!/bin/bash
# Look for the test helper function implementation
rg "_test_enroll" -B 5 -A 20

# Check the test fixtures and configuration
fd "conftest\.py$|fixtures\.py$" --exec rg "trusted_(keys|jwks)" -B 2 -A 2 {}

# Look for any test data setup in the test files
fd "test.*\.py$" --exec rg "_test_enroll.*trusted" -B 10 -A 10 {}

Length of output: 5004

---

Script:

#!/bin/bash
# Check test configuration and app setup
rg "app\.trusted_jwks" -B 5 -A 2

# Look for app configuration in test files
fd "conftest\.py$" --exec rg "def.*app" -B 5 -A 15 {}

# Check settings initialization
rg "class.*Settings" -A 20 --type py

Length of output: 3699

[coderabbitai]

🛠️ Refactor suggestion

Add JWKS format validation before parsing

The code should validate the JWKS format before parsing to provide better error messages and prevent potential security issues.

         if filename := self.settings.nodes.trusted_jwks:
             try:
                 with open(filename) as fp:
-                    self.trusted_jwks = JWKSet.from_json(fp.read())
+                    content = fp.read()
+                    # Basic JWKS format validation
+                    if '"keys"' not in content:
+                        raise ValueError("Invalid JWKS format: missing 'keys' array")
+                    self.trusted_jwks = JWKSet.from_json(content)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if filename := self.settings.nodes.trusted_jwks:
	try:
	with open(filename) as fp:
	self.trusted_keys = JWKSet.from_json(fp.read())
	self.trusted_jwks = JWKSet.from_json(fp.read())
	if filename := self.settings.nodes.trusted_jwks:
	try:
	with open(filename) as fp:
	content = fp.read()
	# Basic JWKS format validation
	if '"keys"' not in content:
	raise ValueError("Invalid JWKS format: missing 'keys' array")
	self.trusted_jwks = JWKSet.from_json(content)

[coderabbitai]

⚠️ Potential issue

Improve error handling for JSON parsing

The current error handling only catches OSError (file operations) but should also handle JSON parsing errors explicitly.

             try:
                 with open(filename) as fp:
                     self.trusted_jwks = JWKSet.from_json(fp.read())
-            except OSError as exc:
-                logger.error("Failed to read trusted keys from %s", filename)
+            except OSError as exc:
+                logger.error("Failed to read trusted keys file: %s", filename, exc_info=True)
+                raise
+            except ValueError as exc:
+                logger.error("Invalid JWKS format in %s: %s", filename, exc, exc_info=True)
                 raise exc

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	self.trusted_jwks = JWKSet.from_json(fp.read())
	except OSError as exc:
	logger.error("Failed to read trusted keys from %s", filename)
	raise exc
	self.trusted_jwks = JWKSet.from_json(fp.read())
	except OSError as exc:
	logger.error("Failed to read trusted keys file: %s", filename, exc_info=True)
	raise
	except ValueError as exc:
	logger.error("Invalid JWKS format in %s: %s", filename, exc, exc_info=True)
	raise exc

[coderabbitai]

⚠️ Potential issue

Initialize with empty JWKSet instead of empty list

The initial value should be a JWKSet object to match the type after loading from file.

-        self.trusted_jwks = []
+        self.trusted_jwks = JWKSet()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	self.trusted_jwks = []
	self.trusted_jwks = JWKSet()