fix get JWK

use http.DefaultTransport.(*http.Transport).Clone()

Author: jkralik

bundle/client/grpc/main.go

@@ -18,7 +18,6 @@ import (
 	"github.com/plgd-dev/go-coap/v2/message"
 	"github.com/plgd-dev/kit/codec/json"
 	kitNetGrpc "github.com/plgd-dev/kit/net/grpc"
-	"github.com/plgd-dev/kit/net/http/transport"
 )
 
 func toJSON(v interface{}) string {
@@ -86,7 +85,7 @@ func main() {
 		InsecureSkipVerify: true,
 	}
 	if *accesstoken == "" {
-		t := transport.NewDefaultTransport()
+		t := http.DefaultTransport.(*http.Transport).Clone()
 		t.TLSClientConfig = &tlsCfg
 		c := http.Client{
 			Transport: t,

certificate-authority/refImpl/refImpl.go

@@ -10,8 +10,8 @@ import (
 	grpc_zap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
 	grpc_ctxtags "github.com/grpc-ecosystem/go-grpc-middleware/tags"
 
+	"github.com/plgd-dev/cloud/pkg/security/jwt"
 	"github.com/plgd-dev/kit/security/certManager"
-	"github.com/plgd-dev/kit/security/jwt"
 
 	"github.com/plgd-dev/cloud/certificate-authority/pb"
 	"github.com/plgd-dev/cloud/certificate-authority/service"

cloud2cloud-connector/store/linkedCloud.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/plgd-dev/cloud/authorization/oauth"
 	"github.com/plgd-dev/cloud/cloud2cloud-connector/events"
-	"github.com/plgd-dev/kit/net/http/transport"
 	"golang.org/x/oauth2"
 )
 
@@ -87,7 +86,7 @@ func (l LinkedCloud) GetHTTPClient() *http.Client {
 	for _, ca := range l.Endpoint.RootCAs {
 		pool.AppendCertsFromPEM([]byte(ca))
 	}
-	t := transport.NewDefaultTransport()
+	t := http.DefaultTransport.(*http.Transport).Clone()
 	t.TLSClientConfig = &tls.Config{
 		RootCAs:            pool,
 		InsecureSkipVerify: l.Endpoint.InsecureSkipVerify,

cloud2cloud-gateway/service/emitEvent.go

@@ -15,14 +15,13 @@ import (
 
 	"github.com/plgd-dev/cloud/cloud2cloud-gateway/store"
 	"github.com/plgd-dev/kit/log"
-	"github.com/plgd-dev/kit/net/http/transport"
 )
 
 type incrementSubscriptionSequenceNumberFunc func(ctx context.Context) (uint64, error)
 type emitEventFunc func(ctx context.Context, eventType events.EventType, s store.Subscription, incrementSubscriptionSequenceNumber incrementSubscriptionSequenceNumberFunc, rep interface{}) (remove bool, err error)
 
 func createEmitEventFunc(tls *tls.Config, timeout time.Duration) emitEventFunc {
-	trans := transport.NewDefaultTransport()
+	trans := http.DefaultTransport.(*http.Transport).Clone()
 	trans.TLSClientConfig = tls
 	client := netHttp.Client{
 		Transport: trans,

coap-gateway/service/devicesStatusUpdater.go

@@ -108,7 +108,6 @@ func (u *devicesStatusUpdater) run() {
 					d.expires = expires
 				}
 			}
-			log.Debugf("update devices statuses to online takes: %v", time.Now().Sub(now))
 		}
 	}
 }

grpc-gateway/refImpl/refImpl.go

@@ -15,9 +15,9 @@ import (
 	"google.golang.org/grpc"
 
 	"github.com/plgd-dev/cloud/grpc-gateway/service"
+	"github.com/plgd-dev/cloud/pkg/security/jwt"
 	"github.com/plgd-dev/kit/log"
 	kitNetGrpc "github.com/plgd-dev/kit/net/grpc"
-	"github.com/plgd-dev/kit/security/jwt"
 	"google.golang.org/grpc/credentials"
 )
 

http-gateway/test/test.go

@@ -11,8 +11,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/plgd-dev/kit/net/http/transport"
-
 	"github.com/jtacoma/uritemplates"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/plgd-dev/cloud/coap-gateway/schema/device/status"
@@ -118,7 +116,7 @@ func (c *requestBuilder) Build() *http.Request {
 }
 
 func HTTPDo(t *testing.T, req *http.Request) *http.Response {
-	trans := transport.NewDefaultTransport()
+	trans := http.DefaultTransport.(*http.Transport).Clone()
 	trans.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: true,
 	}

pkg/security/jwt/claims.go

@@ -0,0 +1,56 @@
+package jwt
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/plgd-dev/kit/strings"
+)
+
+type Claims struct {
+	ClientID string      `json:"client_id"`
+	Email    string      `json:"email"`
+	Scope    interface{} `json:"scope"`
+	StandardClaims
+}
+
+func (c Claims) GetScope() []string {
+	return strings.ToSlice(c.Scope)
+}
+
+// https://tools.ietf.org/html/rfc7519#section-4.1
+type StandardClaims struct {
+	Audience  interface{} `json:"aud,omitempty"`
+	ExpiresAt int64       `json:"exp,omitempty"`
+	Id        string      `json:"jti,omitempty"`
+	IssuedAt  int64       `json:"iat,omitempty"`
+	Issuer    string      `json:"iss,omitempty"`
+	NotBefore int64       `json:"nbf,omitempty"`
+	Subject   string      `json:"sub,omitempty"`
+}
+
+func (c StandardClaims) GetAudience() []string {
+	return strings.ToSlice(c.Audience)
+}
+
+func (c StandardClaims) Valid() error {
+	now := timeFunc().Unix()
+	if now > c.ExpiresAt {
+		return fmt.Errorf("token is expired")
+	}
+	if now < c.IssuedAt {
+		return fmt.Errorf("token used before issued")
+	}
+	if now < c.NotBefore {
+		return fmt.Errorf("token is not valid yet")
+	}
+	return nil
+}
+
+var timeFunc = time.Now
+
+func SetTimeFunc(f func() time.Time) (restore func()) {
+	prev := timeFunc
+	timeFunc = f
+	return func() { timeFunc = prev }
+}

pkg/security/jwt/claims_test.go

@@ -0,0 +1,64 @@
+package jwt
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValid(t *testing.T) {
+	c := testClaims()
+	require.NoError(t, c.Valid())
+}
+
+func TestExpired(t *testing.T) {
+	c := testClaims()
+	c.StandardClaims.ExpiresAt = now.Add(-time.Hour).Unix()
+	require.Error(t, c.Valid())
+}
+
+func TestIssuedLater(t *testing.T) {
+	c := testClaims()
+	c.StandardClaims.IssuedAt = now.Add(time.Hour).Unix()
+	require.Error(t, c.Valid())
+}
+
+func TestNotBefore(t *testing.T) {
+	c := testClaims()
+	c.StandardClaims.NotBefore = now.Add(time.Hour).Unix()
+	require.Error(t, c.Valid())
+}
+
+func TestEmptyAudience(t *testing.T) {
+	c := testClaims()
+	require.Nil(t, c.GetAudience())
+}
+
+func TestAudienceOfOne(t *testing.T) {
+	aud := "test"
+	c := testClaims()
+	c.Audience = aud
+	require.Equal(t, []string{aud}, c.GetAudience())
+}
+
+func TestAudienceOfTwo(t *testing.T) {
+	c := testClaims()
+	c.Audience = []interface{}{"test1", "test2"}
+	require.Equal(t, []string{"test1", "test2"}, c.GetAudience())
+}
+
+var now = time.Now()
+
+func testClaims() Claims {
+	return Claims{
+		ClientID: "testClientID",
+		Email:    "testEmail",
+		Scope:    []string{"testScope"},
+		StandardClaims: StandardClaims{
+			ExpiresAt: now.Add(time.Hour).Unix(),
+			IssuedAt:  now.Unix(),
+			NotBefore: now.Unix(),
+		},
+	}
+}

pkg/security/jwt/jwk.go

@@ -0,0 +1,85 @@
+package jwt
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/lestrrat-go/jwx/jwk"
+)
+
+type KeyCache struct {
+	url  string
+	http *http.Client
+	m    sync.Mutex
+	keys *jwk.Set
+}
+
+func NewKeyCache(url string, tls *tls.Config) *KeyCache {
+	t := http.DefaultTransport.(*http.Transport).Clone()
+	t.MaxIdleConns = 100
+	t.MaxConnsPerHost = 100
+	t.MaxIdleConnsPerHost = 100
+	t.IdleConnTimeout = time.Second * 30
+	t.TLSClientConfig = tls
+	client := &http.Client{
+		Transport: t,
+		Timeout:   time.Second * 10,
+	}
+	return &KeyCache{url: url, http: client}
+}
+
+func (c *KeyCache) GetOrFetchKey(token *jwt.Token) (interface{}, error) {
+	if k, err := c.GetKey(token); err == nil {
+		return k, nil
+	}
+	if err := c.FetchKeys(); err != nil {
+		return nil, err
+	}
+	return c.GetKey(token)
+}
+
+func (c *KeyCache) GetKey(token *jwt.Token) (interface{}, error) {
+	key, err := c.LookupKey(token)
+	if err != nil {
+		return nil, err
+	}
+	var v interface{}
+	return v, key.Raw(&v)
+}
+
+func (c *KeyCache) LookupKey(token *jwt.Token) (jwk.Key, error) {
+	id, ok := token.Header["kid"].(string)
+	if !ok {
+		return nil, fmt.Errorf("missing key id in token")
+	}
+
+	c.m.Lock()
+	defer c.m.Unlock()
+
+	if c.keys == nil {
+		return nil, fmt.Errorf("empty JWK cache")
+	}
+	for _, key := range c.keys.LookupKeyID(id) {
+		if key.Algorithm() == token.Method.Alg() {
+			return key, nil
+		}
+	}
+	return nil, fmt.Errorf("could not find JWK")
+}
+
+func (c *KeyCache) FetchKeys() error {
+	keys, err := jwk.FetchHTTP(c.url, jwk.WithHTTPClient(c.http))
+	if err != nil {
+		return fmt.Errorf("could not fetch JWK: %w", err)
+	}
+
+	c.m.Lock()
+	defer c.m.Unlock()
+
+	c.keys = keys
+	return nil
+}