Auth: Signing Key persistence (#75487)

* signing key wip

use db keyset storage

add signing_key table

add testing for key storage

add ES256 key tests

Remove caching and implement UpdateOrCreate

Stabilize interfaces

* Encrypt private keys

* Fixup signer

* Fixup ext_jwt

* Add GetOrCreatePrivate with automatic key rotation

* use GetOrCreate for ext_jwt

* use GetOrCreate in id

* catch invalid block type

* fix broken test

* remove key generator

* reduce public interface of signing service
Jo
2023-10-04 10:37:27 +02:00
committed by GitHub
parent 0eac9aff7f
commit 44fa0697ce
16 changed files with 663 additions and 335 deletions


@@ -10,14 +10,20 @@ import (
"github.com/grafana/grafana/pkg/services/signingkeys"
)
const idSignerKeyPrefix = "id"
var _ auth.IDSigner = (*LocalSigner)(nil)
func ProvideLocalSigner(keyService signingkeys.Service) (*LocalSigner, error) {
key := keyService.GetServerPrivateKey() // FIXME: replace with signing specific key
id, key, err := keyService.GetOrCreatePrivateKey(context.Background(), idSignerKeyPrefix, jose.ES256)
if err != nil {
return nil, err
}
// FIXME: Handle key rotation
signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, &jose.SignerOptions{
ExtraHeaders: map[jose.HeaderKey]interface{}{
"kid": "default", // FIXME: replace with specific key id
"kid": id,
},
})
if err != nil {