From 0efb6521de691e8422a884014955a9e22ac6a657 Mon Sep 17 00:00:00 2001 From: Sasha Chernomordik Date: Sun, 2 Jan 2022 21:44:10 +0200 Subject: [PATCH 1/2] Add new server name to jwks (nginx) endpoint The server name exposes HTTPS endpoint with static chained certificate --- ci/docker-compose.yml | 4 + ci/oauth/jwks/cert-chain/README.md | 18 ++++ ci/oauth/jwks/cert-chain/ca-chain.cert.pem | 98 +++++++++++++++++++ .../chained.mycompany.local.cert.pem | 32 ++++++ .../chained.mycompany.local.key.pem | 51 ++++++++++ ci/oauth/jwks/cert-chain/root.cert.pem | 33 +++++++ ci/oauth/jwks/nginx.conf | 19 ++++ dev/docker-compose.yml | 6 +- 8 files changed, 260 insertions(+), 1 deletion(-) create mode 100644 ci/oauth/jwks/cert-chain/README.md create mode 100644 ci/oauth/jwks/cert-chain/ca-chain.cert.pem create mode 100644 ci/oauth/jwks/cert-chain/chained.mycompany.local.cert.pem create mode 100644 ci/oauth/jwks/cert-chain/chained.mycompany.local.key.pem create mode 100644 ci/oauth/jwks/cert-chain/root.cert.pem diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml index f0bf43156f..68cd0b9935 100644 --- a/ci/docker-compose.yml +++ b/ci/docker-compose.yml @@ -139,6 +139,10 @@ services: jwks: image: nginx + networks: + default: + aliases: + - chained.mycompany.local volumes: - jwks-volume:/usr/share/nginx/html - ./oauth/jwks/nginx.conf:/etc/nginx/conf.d/default.conf diff --git a/ci/oauth/jwks/cert-chain/README.md b/ci/oauth/jwks/cert-chain/README.md new file mode 100644 index 0000000000..3dae35a7e5 --- /dev/null +++ b/ci/oauth/jwks/cert-chain/README.md 
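Review bot: The alias added here makes `chained.mycompany.local` resolve to this container, but the `ssl_certificate` paths in the new nginx server block are under `/tmp/cert-chain/`, and the only mounts visible in this hunk's context are the jwks-volume and nginx.conf lines; if the ci compose file does not also mount the cert directory (dev/docker-compose.yml does, per its `- ../ci/oauth/jwks:/tmp` context line later in this patch), nginx will refuse to start at all rather than merely skip the HTTPS server, taking the existing port-80 JWKS endpoint down with it. The volumes list may well continue past the three context lines shown, so please confirm; if it does not, add `- ./oauth/jwks/cert-chain:/tmp/cert-chain:ro` under `volumes:`. A one-line comment above the alias, `# HTTPS test endpoint with a chained certificate; see oauth/jwks/nginx.conf`, would also tell the next reader why a second name points at the same nginx.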
@@ -0,0 +1,18 @@ +# Regenerating Test Certificates + +To regenerate these certificate: + +- Clone [conjurdemos/conjur-intro](https://github.com/conjurdemos/conjur-intro) + repository. +- Go to `tools/simple-certificates` directory. +- Run `./generate_certificates 2 chained`. +- Copy relevant certificates from `certificates/` directory to here and build + full chain bundle + + ```bash + cp ./certificates/nodes/chained.mycompany.local/chained.mycompany.local.cert.pem ./ + cp ./certificates/nodes/chained.mycompany.local/chained.mycompany.local.key.pem ./ + cp ./certificates/root/certs/root.cert.pem ./ + cp chained.mycompany.local.cert.pem ca-chain.cert.pem + cat ./certificates/ca-chain.cert.pem >> ./ca-chain.cert.pem + ``` diff --git a/ci/oauth/jwks/cert-chain/ca-chain.cert.pem b/ci/oauth/jwks/cert-chain/ca-chain.cert.pem new file mode 100644 index 0000000000..12b6110768 --- /dev/null +++ b/ci/oauth/jwks/cert-chain/ca-chain.cert.pem 
@@ -0,0 +1,98 @@ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcMBk5ld3RvbjERMA8GA1UE +CgwIQ3liZXJBcmsxDzANBgNVBAsMBkNvbmp1cjEaMBgGA1UEAwwRSW50ZXJtZWRp +YXRlIENBIDEwHhcNMjIwMTAyMTg0OTU1WhcNMjMwMTAyMTg0OTU1WjBsMQswCQYD +VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEPMA0GA1UEBwwGTmV3dG9u +MREwDwYDVQQKDAhDeWJlckFyazEPMA0GA1UECwwGQ29uanVyMRAwDgYDVQQDDAdj +aGFpbmVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8YYpFoh6CUY7 +LwvC7DRwzOww7S4L0GcU4cvqaMyyLueJA+rMcXsrhE8z4zNhq8x37vqKCV3NCyXu +MZwDUcVeN3DI4c+FXi2LNHjTZxq/RDKselOzDWziIj9LOafDjR7j9GxRS5IfACK9 +ZlYJuOHITdrdyprIrZfyf9b464N+wDzKtVYCcrjb8Rw5sBeooAnrh7nqf4dVwKxa +QJXIuM5lqiqg9JkLSIvPSDYzgKWtzG5CXXhg5IkOHn4+JpH6ikk477ovlPyafMAH +DeOBXWVBtSEbYT8Std8b1lgBfdgz+myafF8MEhEWqcU6MmC/V9rTB4aYqWW2VZls +grnzXJQIvxG0TP7i2IgrWCfjG47pMt+nO/bRTrIkjtTWD80iYclfd9Xd5D/raThe +LcGccsBw1lVWafRctLd19D8AthoFT0Wo9GuWnXERXA3hwKzK0m7P5LcmXlCAVTLv +bHoAwtWf2NSchnwm5yHi5FKg9N+jajMMPe3slCHVOL+ZXZpljKUjglVHrc9GCPEK +Y4MmEjC0FuSIIeLofWrxx6k4nPv4c0bFlbtapfxTD7VCNT8F084pmgagwd0UXTUT +QHhdeEsa0kNTOYv18C99mKoA2VvbpVk55CftKRMg8C1aSbQHnP3JyAnX56CpUeS9 +GVPoaEoZo7+6F+1sa39MV6KPc+GxNT8CAwEAAaMvMC0wKwYDVR0RBCQwIoIHY2hh +aW5lZIIXY2hhaW5lZC5teWNvbXBhbnkubG9jYWwwDQYJKoZIhvcNAQELBQADggIB +AAxNWFre9kvTGBQ64WnNq1Z7iigCcy958dhIy+ULnOCMUi2zVzFjr6ttlqtZgxE2 +aS8BxYeECT/jhe/0dOpyqxVkrN8D6rSXf5GbbrhOPNZgbBO0EmqrOaFe+Etuo1ig +rBhZqWP/YH6rcyK92iuOlP3EuahxOQhy2fP+RrkzdgLTz2NXTQA001VmX/mMRLd/ +PLnsGcVR802VZqOQjyTOc08E+dl2efQ8qDPbUaq+xmq1THrze7PCEY0twJYjX1BO +tjMO8UJSOVJkOrlSQKNWX4FJAkdVBb0iVqQlELkKaKLPo3jUG2lbic2dK49IHkMH +/atukxAxyhtROYC9Af54d01QcAqSBG/MvM0qGbPCf1+qg/K/WWybhr5y/85n6m3T +NEIewRoENQTHlMshOeYcOlpB0TTZkc38ClyKRmwHAQXdI/ePVnLkmkPh2CfVMy68 +ONJj6wV7K11fsGsHQxiB37r9g4ZZIizwxpiKvESHtPZVQLgc1hCCFAbJ68LnEsVw +SUO1kXcbjyabZvbB02SX7SKLfSAfHbm99kGMQCFm1XBW7PO3ze/JNauWqrzkpFzf +ma97MYK5BUjcdaE3x1SPw0pSY20vCWfuTo2eIDYTDn37MH5qURq5UpzngjciCGBc 
+peFIQzTqDMMDFRBcxrA6UasFg1nZoJan+vvecr3M+IPN +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFszCCA5ugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxETAPBgNVBAoMCEN5YmVyQXJrMQ8wDQYD +VQQLDAZDb25qdXIxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjIwMTAyMTg0OTUxWhcN +MzExMjMxMTg0OTUxWjB2MQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz +ZXR0czEPMA0GA1UEBwwGTmV3dG9uMREwDwYDVQQKDAhDeWJlckFyazEPMA0GA1UE +CwwGQ29uanVyMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAMD7xMEX4wNAIqXrSigVQIzsRb0bI9nqI7wh +dqn/biYzA0yJHOuCTOysBYulcv8IAYhBGtWHm+Rhv1rXew16gyLsNhoKY+Wpr5kF +/ZeS8hmOC7ahedioH7y1tmnt1BUffpuFU4mqm1Z8vkvyDfpoP/pRyJMD97Rob0ax +FJfMUz6vLxs7y5IRTs5sPJD9vcm8UU8rHSJYdXX/eiGl0Imdz9mB31jpGEhEpIHT +xBUZ2sUkc/AyAzSNlAhXJhTZtpiG2NyY+pFNqHXFiQeSQVJT8jSEfAPumpOA+804 +ZHEkFBZU3qmVVf2lXV4dS5u60DQZdfpYTkhT2btWKNP6tg/8HJ5QmXlU3ERebkFH +85ytgNq3BHWNWwnrO7AttuFw8MdluIMsw2eaciXlh7sK05dESzXONpB0QKKFQpnF +BlKHK4UzyhUJFXnaKxFqhTscCOo7sXMYQK8If53l4sXXvJvqmEzMnPRxnRfikWtc +eZiOq6cF6nJpK0b4bVMANEYVZLef8cOKQN8HNgJwCBSzlXV8R3Rg5S1sP1NNp4p9 +PL+1VVf5bdrcy/ZDNINlDDOIQ6gfTW44kleoavwrxwnQJbL4T3WDNqSEsNfYXllP +IL4pO6LSpDVcQnjbgQ+d3bh3NAGxLS4f4GRBJKzkcdWIPypnnDeayVgfqqzLlcIq +tUPEAd//AgMBAAGjZjBkMB0GA1UdDgQWBBSnVLUSlK7xiVZ6+xqiObmsvmNh2jAf +BgNVHSMEGDAWgBTGMR9OVvhcwDqBUNRBZCfAfNuTrjASBgNVHRMBAf8ECDAGAQH/ +AgEUMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAl+ljtdrlOJT0 +Znop+kMBzPTcLAkc9rAQF42q+mMHzcT+WJ28fpAx5AGWWx62DE0YLp+Z2CURBZ+i +8xv6FeZ+OF2WLz4S62rp+cSCw171QrmdUMNFTQaGI8g+QMZBvJhuorbKXeJ97gwv +J4w7EetDt1KDEo3VqQ+tW9tdDCPaID0878mZ+ppDIJvKM0bftem2N1QVZ7Wd9iux +MmF0QClWzLk8dELyCM2CCSA3m3jPnefuF9qKTga/W4XM/OfoM40+iLvGoaMBBue6 +THqyvAarZg0zvekv4asTnmLEjqnLNuZV8V/oCH8QB3BojyM6LSscQOCjX/uxKDSg +kRh7X1zdl9FWUb5CzSi1kgffUSt5NdhgCGUcQWey9yVM1tJEDzGhu+oCIjWp0WKs +EsynVKZWOVN6Hmp+iPvKU+aygoNt6h2VMsnO1LXEhTm3rDbEuZGP32Td199RaogL +6/ThfHDFBP0tQNzhUbPAvY0aQu0n8wVwp5GXri+0Kkli5weMQ2rZFNV2JoTEhH+k 
+dAksMDHmRzvJaIXHSl0qt2r04x6eFyZtunmNqhp6X7HA2N5LYEeTjm9n902YBqrq +ROo15BZjWHBwtOSmizBpadbiedXnbY6Lp5LutRtZ5dzieKRE53/qYnJMPEnoMP6R +SgMHCfxtwIOMG932IXHD9NPsYbmpDGc= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFpzCCA4+gAwIBAgIUR7WKn63Ip0GoQjCqxwRzI56u+rMwDQYJKoZIhvcNAQEL +BQAwWzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxETAPBgNV +BAoMCEN5YmVyQXJrMQ8wDQYDVQQLDAZDb25qdXIxEDAOBgNVBAMMB1Jvb3QgQ0Ew +HhcNMjIwMTAyMTg0OTQ4WhcNNDExMjI4MTg0OTQ4WjBbMQswCQYDVQQGEwJVUzEW +MBQGA1UECAwNTWFzc2FjaHVzZXR0czERMA8GA1UECgwIQ3liZXJBcmsxDzANBgNV +BAsMBkNvbmp1cjEQMA4GA1UEAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAJ3UeK77Uta+TuyXhE8gdE3s5xluhP91U+EW0FYAEHhIxQ3V +PFO7XvLG4Q06j9mjX49WeUJFhiXRAP0gw2AKz1+iS06bp5RhyvRK/a6bM9XTnKnP +hzSi9T6XBktOgMtwW4yRo9NqSHtFTLXFfNGeeSFOsCFSSVrVhX6GGH47taRcXW8g +dEut5mHB75sr9SZoSRkclD+lwtHFhF+vh8LTs/Z9CmnJg+7M4BQt728r+LKDHNUC +fJHm+XyotyAivbBFA3ev9Nhp0lnjQM81lSbjR5SIctCzeX+C2qmfeQPguN2fwoi+ +F5KVxBv227952KAEgn2nBvkODhZo4425iNDKvBcbvW1jPavc/PD8gT1mB0Mnxc5H +AKAafe0Db5qtSrDRHP15b6fmV1hdJ5MP2KD84fo4U1UEk98KprYyAvbYUO+jVCpW +QCtKjobGc1otXPg5jp5oydwHHTaWDEExmxqKeOdTFIdNZxq/sOKMoqw/Q+W11B43 +ossTd8h5cY+xbnyzidl8PyWwfmkxHbgo9kmYbISWRU4uHKmw8ZsiAfMnIo/wYm/r +mOqQU6U1elWQ+TFrWcLOROuJfqXqsO1lzLna3R+kEGhap6I6GabbW3+csPn2mq2S +4ja5iRIHWBRrk2fhRKmDCZK9bMK1uVauNOfukFT+EtdEwW9ySENDsxPV0It5AgMB +AAGjYzBhMB0GA1UdDgQWBBTGMR9OVvhcwDqBUNRBZCfAfNuTrjAfBgNVHSMEGDAW +gBTGMR9OVvhcwDqBUNRBZCfAfNuTrjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB +/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAeAyIM+FM1Zu8l29S0LIkiTGk2OpR +OrWVZNAh+QWY8bnKkWmlsjvoSdWoojk+Xa9l7I+PmgqudPJIzyCkHRn8xEde9m5J +im/QMQrFquebrna4EhSiXNHRoq2PVPTws3pLy4WSeGfa+cwwIYpSGHVpO1QPjGVL +nBbxxnkitwkMMD8U5QGX3No+hvhQijRhbKCtD5jJK9I3SA6ZDQkV5sV6N4b9Gs9H +xDyb5wwLHgzGNjh1mtW1+RvzVSBAd1PSV65N7HmEBi/pFNlLwZEjA7ZRwjKQYeqV +6bB3P5hstE2eKO5bb83oOXCAJyjVvYh/3ogtS/LbuCyG87YragmGdoTn2macZWg/ +yVfsCapkuO0adq/hjrmrRAGBVIHRKpbzqAmlAjKtPfa24Zw8M6mAbWteljtiUdwS 
+bKgLLJKFUSC9lHmYFucGVyYBXlrANjuUi+9Is8dcXY9aHm+XUs8gl6HzlKZ20Dij +Tp4UPtjImCTI2xGQhextrH8YvsD75J5qn4+2nGtrv9KQ8OM0AW5K2JO6xfXY+Km7 +PnLh/TtaY31nzU0i7ehlH4x2xHLsN7nMZ076FAMkab4VNxgN3CgYkKF0wb+n+nlo +i9WZBiNwIyRSFtbspV+q6E9jvx5UrYmcFxWjyduRyTc9Wj4JERwVwCiGFICSdcj/ +izp6jGT+Q8sHiFc= +-----END CERTIFICATE----- diff --git a/ci/oauth/jwks/cert-chain/chained.mycompany.local.cert.pem b/ci/oauth/jwks/cert-chain/chained.mycompany.local.cert.pem new file mode 100644 index 0000000000..c8f76605f5 --- /dev/null +++ b/ci/oauth/jwks/cert-chain/chained.mycompany.local.cert.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcMBk5ld3RvbjERMA8GA1UE +CgwIQ3liZXJBcmsxDzANBgNVBAsMBkNvbmp1cjEaMBgGA1UEAwwRSW50ZXJtZWRp +YXRlIENBIDEwHhcNMjIwMTAyMTg0OTU1WhcNMjMwMTAyMTg0OTU1WjBsMQswCQYD +VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEPMA0GA1UEBwwGTmV3dG9u +MREwDwYDVQQKDAhDeWJlckFyazEPMA0GA1UECwwGQ29uanVyMRAwDgYDVQQDDAdj +aGFpbmVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8YYpFoh6CUY7 +LwvC7DRwzOww7S4L0GcU4cvqaMyyLueJA+rMcXsrhE8z4zNhq8x37vqKCV3NCyXu +MZwDUcVeN3DI4c+FXi2LNHjTZxq/RDKselOzDWziIj9LOafDjR7j9GxRS5IfACK9 +ZlYJuOHITdrdyprIrZfyf9b464N+wDzKtVYCcrjb8Rw5sBeooAnrh7nqf4dVwKxa +QJXIuM5lqiqg9JkLSIvPSDYzgKWtzG5CXXhg5IkOHn4+JpH6ikk477ovlPyafMAH +DeOBXWVBtSEbYT8Std8b1lgBfdgz+myafF8MEhEWqcU6MmC/V9rTB4aYqWW2VZls +grnzXJQIvxG0TP7i2IgrWCfjG47pMt+nO/bRTrIkjtTWD80iYclfd9Xd5D/raThe +LcGccsBw1lVWafRctLd19D8AthoFT0Wo9GuWnXERXA3hwKzK0m7P5LcmXlCAVTLv +bHoAwtWf2NSchnwm5yHi5FKg9N+jajMMPe3slCHVOL+ZXZpljKUjglVHrc9GCPEK +Y4MmEjC0FuSIIeLofWrxx6k4nPv4c0bFlbtapfxTD7VCNT8F084pmgagwd0UXTUT +QHhdeEsa0kNTOYv18C99mKoA2VvbpVk55CftKRMg8C1aSbQHnP3JyAnX56CpUeS9 +GVPoaEoZo7+6F+1sa39MV6KPc+GxNT8CAwEAAaMvMC0wKwYDVR0RBCQwIoIHY2hh +aW5lZIIXY2hhaW5lZC5teWNvbXBhbnkubG9jYWwwDQYJKoZIhvcNAQELBQADggIB +AAxNWFre9kvTGBQ64WnNq1Z7iigCcy958dhIy+ULnOCMUi2zVzFjr6ttlqtZgxE2 +aS8BxYeECT/jhe/0dOpyqxVkrN8D6rSXf5GbbrhOPNZgbBO0EmqrOaFe+Etuo1ig +rBhZqWP/YH6rcyK92iuOlP3EuahxOQhy2fP+RrkzdgLTz2NXTQA001VmX/mMRLd/ +PLnsGcVR802VZqOQjyTOc08E+dl2efQ8qDPbUaq+xmq1THrze7PCEY0twJYjX1BO +tjMO8UJSOVJkOrlSQKNWX4FJAkdVBb0iVqQlELkKaKLPo3jUG2lbic2dK49IHkMH +/atukxAxyhtROYC9Af54d01QcAqSBG/MvM0qGbPCf1+qg/K/WWybhr5y/85n6m3T +NEIewRoENQTHlMshOeYcOlpB0TTZkc38ClyKRmwHAQXdI/ePVnLkmkPh2CfVMy68 +ONJj6wV7K11fsGsHQxiB37r9g4ZZIizwxpiKvESHtPZVQLgc1hCCFAbJ68LnEsVw +SUO1kXcbjyabZvbB02SX7SKLfSAfHbm99kGMQCFm1XBW7PO3ze/JNauWqrzkpFzf +ma97MYK5BUjcdaE3x1SPw0pSY20vCWfuTo2eIDYTDn37MH5qURq5UpzngjciCGBc 
+peFIQzTqDMMDFRBcxrA6UasFg1nZoJan+vvecr3M+IPN +-----END CERTIFICATE----- diff --git a/ci/oauth/jwks/cert-chain/chained.mycompany.local.key.pem b/ci/oauth/jwks/cert-chain/chained.mycompany.local.key.pem new file mode 100644 index 0000000000..f32219f07f --- /dev/null +++ b/ci/oauth/jwks/cert-chain/chained.mycompany.local.key.pem 
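Review bot: This leaf certificate appears to be valid for only one year, from 2022-01-02 to 2023-01-02 if I am decoding the notBefore/notAfter fields in the base64 correctly, whereas the intermediate and root in the bundle carry roughly 10- and 20-year lifetimes; once it expires every scenario that talks to `chained.mycompany.local` will fail with a generic TLS error and nothing in this patch will point at the cause. The PEM itself cannot carry the warning, so either regenerate the leaf with a lifetime matching the CAs or add a guard to the CI entrypoint such as `openssl x509 -in ci/oauth/jwks/cert-chain/chained.mycompany.local.cert.pem -checkend 2592000 -noout` so the build says "certificate will expire" a month ahead instead of failing opaquely. The README's regeneration steps should mention the expiry date either way.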
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEA8YYpFoh6CUY7LwvC7DRwzOww7S4L0GcU4cvqaMyyLueJA+rM +cXsrhE8z4zNhq8x37vqKCV3NCyXuMZwDUcVeN3DI4c+FXi2LNHjTZxq/RDKselOz +DWziIj9LOafDjR7j9GxRS5IfACK9ZlYJuOHITdrdyprIrZfyf9b464N+wDzKtVYC +crjb8Rw5sBeooAnrh7nqf4dVwKxaQJXIuM5lqiqg9JkLSIvPSDYzgKWtzG5CXXhg +5IkOHn4+JpH6ikk477ovlPyafMAHDeOBXWVBtSEbYT8Std8b1lgBfdgz+myafF8M +EhEWqcU6MmC/V9rTB4aYqWW2VZlsgrnzXJQIvxG0TP7i2IgrWCfjG47pMt+nO/bR +TrIkjtTWD80iYclfd9Xd5D/raTheLcGccsBw1lVWafRctLd19D8AthoFT0Wo9GuW +nXERXA3hwKzK0m7P5LcmXlCAVTLvbHoAwtWf2NSchnwm5yHi5FKg9N+jajMMPe3s +lCHVOL+ZXZpljKUjglVHrc9GCPEKY4MmEjC0FuSIIeLofWrxx6k4nPv4c0bFlbta +pfxTD7VCNT8F084pmgagwd0UXTUTQHhdeEsa0kNTOYv18C99mKoA2VvbpVk55Cft +KRMg8C1aSbQHnP3JyAnX56CpUeS9GVPoaEoZo7+6F+1sa39MV6KPc+GxNT8CAwEA +AQKCAgEA8WUj3++b+XUGZikdMzPeohJXfFcPW8YLavqCWSht1s93dEDTAYEXp2/5 +7lVGg40jOemS2XW1IDVS8qZ58tqPJl5FiNv+8ngWr+UrdduX2zPCi6joRrzS72PP +bdqtani7YWp5fkyXS21tW8EWioCv0JC2KG+3rzk1GGzl8Y5FuyGHgOJsI/l7amrJ +haS/1uTTUZ6SL9A19xLMSczrBzrTBdcBdDcavfFuxT/XDfeJ089H6WANh50sTXHj +8GzquhghHgk60W//gDv1UP5YJ96yY7SpRvLhYoGRsxPWuc7DdMHjTfc5ez01J42G +cx+bXtXJIbZ3EqgkKz3i5G2yPI+AhHa+ACOjKXql4biaRX/3op3UAqFme7g0sWwS +JVanYF/AHRrmrgo8jicCkntlmRm9A3ipt22UTTtn3+Hn03f3XKfjJXo0loEtoqFz +aoFm1p7bZMP5ueneoXrzP79ZFtXkVYclI1W3JevHt+By8JoOe9VoPYmHnYbXDdBW +UZwKgyy+OoKUTDuiaMcuiWmI/o8RZPdY5yAHWEgsH9/APPd0c9P6lfp7BE13Fb8J +zgoOiQfVccwjryW5CmOfe6BgfYvnQRHXOonuyrIYFdNICM7CwA6R28fzuuYwYyZu +piDD+RvAtc2cQkSwpZ+44ToDR/3Dog7L7GD3AgD+aQFk/TriQBECggEBAPp0EbEZ +EVrZRgS1Av9PM96CrPAh3TSlnehtSUymkYnbYqKj4sTF5PEa1zshpN99hzTs6U3c +5rzvK9tCM04B59klHlH1As03l0/d1wfmlWgtXWY9CwU31Hed6lZMgahKNu2HZ/p9 +QEQLwrhUPnxf6UlJHBJ5r0jIURYg6McA8v9c0Xq5qHkNS5DEmQQEmVzx2jqgC5bl +41TNru9aQhwGUKLIMXkdmbt/L2FBCiob1D54wKdD8Xpuvc4WbStXPoI7gJ7gnGBu +N4otHG32WJs2fTZ6zTPdAo5hUe+w94eM1HC1Y6D8GqrytmL8mfYSEmZ+31PmWh1+ +TTnIWFTluAtTG5sCggEBAPbfd5InjoP8OF3F4p4yzLcAFbkqCKbiBnSBSFjt2F13 +kq7gpKvnZaOg4XT2ZcvKYntOYvVCiQepa7Onalr5j36WbzSdH1W1QBVPdbithbyY 
+rmK7M0dvco3avasDY4DpkCE+LXrMQdN+Hh+rm/DBNbfibxHu+kVwuEPI0Y1ZLOoU +W+p3U4KsAEWQ7eHCKhM8tuVmHpAtL251a3r75BR5sVyDfBxXBOtfI5zRSaUckzDt +ydW3DRVNKYqrsUalQvuzRNGmUahW94rILjZP4eC/3N1t99QeZY8zuFJOQ4UedGot +8D8cMaIil4ja7+3k9dPNC0bO1/yEp0u2Z//DZJ7pQS0CggEBAJylSAN6aE5oItEC +3hMNWKXNGZk/tPketPsQj43viIuuuax70HO+Sok6fm+vhU17V7uUif93MKHu/YEv +kKMzse0wuBwOoGf2Yx9C4yE/6Sa1aPtvJptm5e7CyDSduWKmuGAsFq6m9DEbIfjk +SAjGfESoA3TSwv1EvOKYRr9hKprpVOPrhyHfXOn47LOEpN9rLVEJlPYWZu89jjKK +Q1r/4CNQDxFvoB2TWPD9GvxnV4KTR/vWFQy8gt6JTFKVSLVvveyhE22EwhwcRvHH +6Hd7xyjx+bJ8gwLGf9bo2ojfXmf4K44e4BcXo1eaIjmz5+pPZCM3qhlUS7zeP9Ep +tMjwfA0CggEACoJ87qXsdUX5iFRyT1XOTUQdqKJXd/NLXw5Z7B9EBMagYf2CRSc2 +tn6U2ovazZAyHRm7MMHCX6cgxKct6e2R5Eu3NEA0I0vyDHYzhscsWFkPo3hguHvQ +HqXfSTZ9t/E5h5DEEuQ7MSu/UI3Xt6oiBVAIdnT8BpTD427bLO9M8DIpr5Og5IE6 +CbwfxGqlq+f7yUxNpMmnqUYqazPqA80iddPLJtG1jeeg9n4aaoMK6RxWaVi/n9aH +HDYu99j1Pw3ksiAofcgmBax7+yfvb8f7ORoDYO5iWHRVNnvKeBJR1mtaPPWQT1y1 +osffSvtiU7/46OzJWSC0lo6PYt4InJNFiQKCAQEA9C6Zb6QIfRc2cCnJ+6NIbBUz +wI3nePIzCVU+N1qYpelBZ+1hzq6sNeLJTLqMYv2IS/HKjmIOpX/PFfJr2oCW7lN9 +OlwlrcOkUo6mxIlA42QONW6ZCEefMERL9SywQQIX1pxEjXL74eow507fAS9exnbe +Cvq+YQkX5lQbodN7PlUkDjtGZkj5kX7Xlv6zZKw4hPp6JGLEWNGI7HQ5kXEcTIom +GF+njoFU0oPpy5WwIuvFF21hq8iNsHNnzXIdm1FY+8nstuLhMFNG75boh3TTRn4I +riRmz7kscYuvotG7kXmNXGTR+HgytBvumV1QH/vIjaiv9E8/ArNNNuxeWzrv3w== +-----END RSA PRIVATE KEY----- diff --git a/ci/oauth/jwks/cert-chain/root.cert.pem b/ci/oauth/jwks/cert-chain/root.cert.pem new file mode 100644 index 0000000000..0134cafb1f --- /dev/null +++ b/ci/oauth/jwks/cert-chain/root.cert.pem 
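Review bot: A cleartext RSA private key is being committed; that is defensible only because this key pair identifies a test host under a non-routable `.local` name that nothing outside CI trusts, and that intent should be stated where the key lives so secret scanners and future readers do not treat it as a leak or, worse, reuse it. OpenSSL's PEM reader ignores text before the `-----BEGIN` line, so a leading line such as `Throwaway test key for chained.mycompany.local - generated per README.md, do not reuse` costs nothing at runtime and makes the status explicit; if the repository runs a secret scanner, allowlist this path rather than the pattern. It is also worth noting in the README that a regeneration must replace the key and the certificates together, since the leaf, the bundle and this key must stay paired.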
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpzCCA4+gAwIBAgIUKvIIXCsqPdU3g6Bf5/4hBfrxVT0wDQYJKoZIhvcNAQEL +BQAwWzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxETAPBgNV +BAoMCEN5YmVyQXJrMQ8wDQYDVQQLDAZDb25qdXIxEDAOBgNVBAMMB1Jvb3QgQ0Ew +HhcNMjExMjA1MTcyNjU1WhcNNDExMTMwMTcyNjU1WjBbMQswCQYDVQQGEwJVUzEW +MBQGA1UECAwNTWFzc2FjaHVzZXR0czERMA8GA1UECgwIQ3liZXJBcmsxDzANBgNV +BAsMBkNvbmp1cjEQMA4GA1UEAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBANW6gfRw6yrVFspZXvgW4TorwvqYa9n7aJS7xrG3QOlJBzkU +d9d04pdv7vS04VHKTgc/zQCx2GIs53gaN6mXO3saPmSKCdaNFX0y9RdLHPWBlrMq +uJdbMaPjeG/Lfn/I/JitSpG6Hf4YVGYT/UC5USH2jTbSHqzBCUErTrquw1t0+ePX +fQnT2EpCmOQA8/nyTHIPmjrm4fhplDDcVWwti0YtCToXmpdEvrbXnlPYiK8O4riP +XN/OiKk08EsX4X7axSHKAyTAKSXX/xWIj3U25+CI19HWVcqXCSkCti8O/cxtBVhi +GYO4fyMH4USMpRBGLusccI3av2gOp6EAD0pFzcHTxTJc3YzUSMZfZDKFZUQ5r1jh +bGnDZCbiAv/A6v8hOsAmF14C8GuccidOfI2TZj2ISPsZWsdssdOIpZyQwji9v+MV +K1VeBqNBvPxYe0WMBQJ57TvNfQ9RFVfNGk6+Dx4gbvqUEIPM5zKliC9KLOvdB7Gh +Rslf/HTEwabTpnsisJXSQ1pmOOcjl/9T+00VT1Fiil3cgGf45IHUK+gbYjrgV/I3 +hVV4mvwhJfhG9pr5zAigvVhrEC+9niMR/i6tWUSP4ojSGdIGJwSxpfVd/TEYn0dH +LXqjQ2EhkDHfVFUnjIZh7MAcYXrPHs7BY02Fu3xpLyOAihwRIXzAzv8L8/dPAgMB +AAGjYzBhMB0GA1UdDgQWBBQOZk4GEkVFjiSp9+nQfG2zbFf/4TAfBgNVHSMEGDAW +gBQOZk4GEkVFjiSp9+nQfG2zbFf/4TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB +/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAwNaa3SCnasMlWwAOE5mOs9G+BQ6H +eobuJAUK9VTjcAkhPvQ6WG0rsaWBZ9RrnrWYBJx1JDWNFRlcNPH0tfSJr75v7d/h +vCbvaBvcLQW/4isi4Mm2eVfuMkU2+mjzWuaUqSJRLdwfU/c6fXfaBdzBOE7I+nHR +mbW1SxHJyJAqMGXb2eU8D9XTZLjsfdNg/wpPbCtr5Hbk3bavLZTCdyA43PR7kPBb +defIMGmn+YMFl0SP7TGtGyKRCXNDCDpXnHoAh6u7Z2Ft5TdV9nJy9rBvcXyibcJm +hP7UK0cRSltxM36NFqQbENacZzWGYxQqVD5E8Bvw5+8bU33XFooNqOApOntbekWR +v9R3BRv3b9vQcoMGWgV44ZTkKY2+CccpvQYvv+HW7+RNnBQp4ikMsdbyNBzd9Nq1 +eMkALb8qYAkapcqvWsZWH2Qo4NsIgZzO67mFPsxk+Ust3apipUjrfIPRmaL6Tjnf +PKkJLo+i8m7BSqLqkYqR1Qf3C4WcUvAAAKDhTPnhvglHdvVBaKV5eWm7Lsroc2tF +tEENKFgDIQN3vbPQPBpEuRWkFBrHOTy/UGyOy09MDPu74Qpfk3ksI2q/xmysUF2x 
+WfqV3vGwTds42UnzOEL9uVrz+m6sBrMN0047MQp1ltUrfkTCcW+TuARTQioaoNvb +c6LWl34xJnd/fhM= +-----END CERTIFICATE----- diff --git a/ci/oauth/jwks/nginx.conf b/ci/oauth/jwks/nginx.conf index 9561d2ad5b..fec265b393 100644 --- a/ci/oauth/jwks/nginx.conf +++ b/ci/oauth/jwks/nginx.conf @@ -18,3 +18,22 @@ server { root /usr/share/nginx/html; } } + +server { + listen 443 ssl; + server_name chained.mycompany.local; + access_log /var/log/nginx/access.log; + + ssl_certificate /tmp/cert-chain/ca-chain.cert.pem; + ssl_certificate_key /tmp/cert-chain/chained.mycompany.local.key.pem; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } +} diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml index cb1c32f88a..2ad9197a96 100644 --- a/dev/docker-compose.yml +++ b/dev/docker-compose.yml @@ -149,11 +149,15 @@ services: jwks: image: nginx + networks: + default: + aliases: + - chained.mycompany.local ports: - 8880:80 volumes: - jwks-volume:/usr/share/nginx/html - - ../ci/oauth/jwks/nginx.conf:/etc/nginx/conf.d/defualt.conf + - ../ci/oauth/jwks/nginx.conf:/etc/nginx/conf.d/default.conf - ../ci/oauth/jwks:/tmp entrypoint: sleep command: infinity From 87f41ea2da5a870a8709f343bec3b29cece62564 Mon Sep 17 00:00:00 2001 From: Sasha Chernomordik Date: Tue, 4 Jan 2022 10:56:56 +0200 Subject: [PATCH 2/2] Integration tests of ca-cert variable Skip tests that's waiting for feature implementation --- cucumber.yml | 1 + .../features/authn_jwt_ca_cert.feature | 110 ++++++++++++++++++ .../features/step_definitions/certs_steps.rb | 14 +++ .../features/support/certs_helper.rb | 45 +++++++ 4 files changed, 170 insertions(+) create mode 100644 cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature create mode 100644 cucumber/authenticators_jwt/features/step_definitions/certs_steps.rb create mode 100644 cucumber/authenticators_jwt/features/support/certs_helper.rb 
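Review bot: root.cert.pem does not look like the root that signed the chain served for chained.mycompany.local: decoding the DER fields from the base64, this certificate has notBefore 2021-12-05 and a Subject Key Identifier starting 0e:66:4e:06, while the self-signed certificate at the tail of ca-chain.cert.pem is dated 2022-01-02 with key id c6:31:1f:4e, and the intermediate's Authority Key Identifier references the latter; same "Root CA" subject, different key, presumably left over from an earlier run of the generator. Anyone who follows the README and trusts root.cert.pem (for example `openssl verify -CAfile root.cert.pem`) will therefore get a verification failure, and the cucumber scenarios in this patch will not catch it because the helper extracts the root from the TLS handshake instead of reading this file. Re-copy `certificates/root/certs/root.cert.pem` from the same generator run, and add a sanity step to the README such as `openssl verify -CAfile root.cert.pem -untrusted ca-chain.cert.pem chained.mycompany.local.cert.pem` so the three files are checked for consistency before they are committed.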
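Review bot: The bundle handed to `ssl_certificate` ends with the root CA itself, so this server sends the root to every client; that is normally discouraged, but here it is load-bearing, because the cucumber helper added in the second patch selects the self-signed certificate out of `peer_cert_chain`, and trimming the root from ca-chain.cert.pem later would silently break every ca-cert scenario. Record that dependency next to the directive: `# ca-chain.cert.pem deliberately ends with the root CA: the authn-jwt ca-cert tests read it from the served chain`. The block also inherits whatever protocol and cipher defaults the unpinned `nginx` image ships, so adding `ssl_protocols TLSv1.2 TLSv1.3;` keeps the fixture's behaviour independent of the image version. Note too that, as the dev compose hunk shows, the key is mounted under `/tmp` inside the container, which is world-readable by default; `:ro` on that mount is cheap.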
diff --git a/cucumber.yml b/cucumber.yml index 081cb591cb..a93c50ec68 100644 --- a/cucumber.yml +++ b/cucumber.yml @@ -122,6 +122,7 @@ authenticators_azure: > authenticators_jwt: > --format pretty + --tags "not @skip" -r cucumber/api/features/step_definitions/user_steps.rb -r cucumber/api/features/step_definitions/request_steps.rb -r cucumber/api/features/support/step_def_transforms.rb diff --git a/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature b/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature new file mode 100644 index 0000000000..9216bcc945 --- /dev/null +++ b/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature 
@@ -0,0 +1,110 @@ +Feature: JWT Authenticator - ca-cert variable tests + + Validate the authenticator behavior when ca-cert variable is configured. + All tests are using status API for validation. + + Background: + Given I initialize JWKS endpoint with file "ca-cert.json" + And I load a policy: + """ + - !policy + id: conjur/authn-jwt/raw + body: + - !webservice + - !variable jwks-uri + - !webservice status + """ + + Scenario: ONYX-15311: Self-signed jwks-uri no ca-cert variable + Given I am the super-user + And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert.json" + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 500 + And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://jwks/ca-cert.json'. Reason: '#'>" + + @skip + @sanity + Scenario: ONYX-15312: Self-signed jwks-uri with valid ca-cert variable value + Given I am the super-user + And I extend the policy with: + """ + - !variable conjur/authn-jwt/raw/ca-cert + """ + And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert.json" + And I fetch root certificate from https://jwks endpoint as "self" + And I successfully set authn-jwt "ca-cert" variable value to the "self" certificate + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 200 + And the HTTP response content type is "application/json" + And the authenticator status check succeeds + + @skip + Scenario Outline: ONYX-15313/6: Self-signed jwks-uri with ca-cert contains bundle includes the valid certificate + Given I am the super-user + And I extend the policy with: + """ + - !variable conjur/authn-jwt/raw/ca-cert + """ + And I successfully set authn-jwt "jwks-uri" variable to value "" + And I fetch root certificate from https://jwks endpoint as "self" + And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" + And I bundle the next certificates as "bundle": 
+ """ + chained + self + """ + And I successfully set authn-jwt "ca-cert" variable value to the "bundle" certificate + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 200 + And the HTTP response content type is "application/json" + And the authenticator status check succeeds + Examples: + | jwks-uri | + | https://jwks/ca-cert.json | + | https://chained.mycompany.local/ca-cert.json | + + Scenario: ONYX-15314: Chained jwks-uri no ca-cert variable + Given I am the super-user + And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert.json" + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 500 + And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://chained.mycompany.local/ca-cert.json'. Reason: '#'>" + + @skip + @sanity + Scenario: ONYX-15315: Self-signed jwks-uri with valid ca-cert variable value + Given I am the super-user + And I extend the policy with: + """ + - !variable conjur/authn-jwt/raw/ca-cert + """ + And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert.json" + And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" + And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 200 + And the HTTP response content type is "application/json" + And the authenticator status check succeeds + + Scenario: ONYX-15317: Google's jwks-uri no ca-cert variable + Given I am the super-user + And I successfully set authn-jwt "jwks-uri" variable to value "https://www.googleapis.com/oauth2/v3/certs" + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 200 + And the HTTP response content type is "application/json" + And the authenticator status check succeeds + + @skip + @sanity + Scenario: 
ONYX-15318: Google's jwks-uri with invalid ca-cert variable value + Given I am the super-user + And I extend the policy with: + """ + - !variable conjur/authn-jwt/raw/ca-cert + """ + And I successfully set authn-jwt "jwks-uri" variable to value "https://www.googleapis.com/oauth2/v3/certs" + And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" + And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate + When I GET "/authn-jwt/raw/cucumber/status" + Then the HTTP response status code is 500 + And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://www.googleapis.com/oauth2/v3/certs'. Reason: '#'>" diff --git a/cucumber/authenticators_jwt/features/step_definitions/certs_steps.rb b/cucumber/authenticators_jwt/features/step_definitions/certs_steps.rb new file mode 100644 index 0000000000..6bfeeaba29 --- /dev/null +++ b/cucumber/authenticators_jwt/features/step_definitions/certs_steps.rb @@ -0,0 +1,14 @@ +Given(/^I fetch root certificate from https:\/\/([^"]*) endpoint as "([^"]*)"$/) do |hostname, key| + fetch_and_store_root_certificate(hostname: hostname, key: key) +end + +Given(/^I successfully set authn\-jwt "([^"]*)" variable value to the "([^"]*)" certificate$/) do |variable, key| + create_jwt_secret( + variable_name: variable, + value: get_certificate_by_key(key: key) + ) +end + +Given(/^I bundle the next certificates as "([^"]*)":$/) do |key, keys| + bundle_certificates(keys: keys.split("\n"), key: key) +end diff --git a/cucumber/authenticators_jwt/features/support/certs_helper.rb b/cucumber/authenticators_jwt/features/support/certs_helper.rb new file mode 100644 index 0000000000..f090cc78b2 --- /dev/null +++ b/cucumber/authenticators_jwt/features/support/certs_helper.rb 
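Review bot: The title of ONYX-15315 reads "Self-signed jwks-uri with valid ca-cert variable value", but the scenario sets jwks-uri to `https://chained.mycompany.local/ca-cert.json` and stores the "chained" root, which is the chained case (it duplicates the title of ONYX-15312); rename it `Scenario: ONYX-15315: Chained jwks-uri with valid ca-cert variable value` so failures are attributable from the report alone. ONYX-15317 and ONYX-15318 reach out to `https://www.googleapis.com/oauth2/v3/certs`, which makes the suite depend on outbound internet access and on Google's current CA chain; if CI is ever run offline or behind an egress proxy those scenarios will fail for reasons unrelated to Conjur, so consider tagging them (for example `@network`) and documenting that in the feature header. Finally, the expected messages end in what renders here as `Reason: '#'>`, which looks like an `#<OpenSSL::SSL::SSLError ...>` inspect string lost to markup stripping; if the real assertion pins the full inspect text it will be brittle across OpenSSL versions, and matching on the `CONJ00087E` code and the URL is enough to prove the point.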
@@ -0,0 +1,45 @@ +# frozen_string_literal: true + +require 'openssl' +require 'socket' + +# Utility methods for certificate manipulations +module CertsHelper + + def fetch_and_store_root_certificate(hostname:, key:) + chain = get_certificate_chain(hostname) + certs[key] = chain.find { |c| c.issuer == c.subject }.to_s + end + + def get_certificate_by_key(key:) + certs[key] + end + + def bundle_certificates(keys:, key:) + certs[key] = "" + keys.each { |k| certs[key] += certs[k] } + end + + private + + def certs + @certs ||= {} + end + + def get_certificate_chain(connect_hostname) + host, port = connect_hostname.split(':') + port ||= 443 + + sock = TCPSocket.new(host, port.to_i) + ssock = OpenSSL::SSL::SSLSocket.new(sock) + ssock.hostname = host + ssock.connect + ssock.peer_cert_chain + ensure + ssock&.close + sock&.close + end + +end + +World(CertsHelper)
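Review bot: In `fetch_and_store_root_certificate`, `chain.find { ... }.to_s` turns a missing self-signed certificate into `""` without complaint, so if the endpoint ever stops sending its root (which is the normal configuration for real servers) the scenario will store an empty ca-cert and fail several steps later with a confusing authenticator error. Make it explicit: `root = chain.find { |c| c.issuer == c.subject }`, `raise "#{hostname} did not send a self-signed root in its chain" unless root`, `certs[key] = root.to_s`. It is also worth a comment on `get_certificate_chain` that the handshake is deliberately performed without peer verification (no `verify_mode` is set), i.e. the stored root is trust-on-first-use from whatever the endpoint presents, which is fine for a fixture but means these tests cannot detect a swapped chain. The `bundle_certificates` helper would raise a bare `TypeError` on an unknown key; `certs.fetch(k)` gives a message naming the key.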