Merge pull request #944 from neicnordic/feature/issue_699

[auth] Make the TTL of  the resigned token configurable

.github/integration/scripts/charts/values.yaml

@@ -33,6 +33,7 @@ global:
     jwtAlg: ES256
     jwtKey: jwt.key
     jwtPub: jwt.pub
+    jwtTTL: 168
     resignJwt: true
   broker:
     durable: true

.github/integration/sda/config.yaml

@@ -22,6 +22,7 @@ auth:
     issuer: "https://auth:8888"
     privateKey: /shared/keys/jwt.key
     signatureAlg: ES256
+    tokenTTL: 168
   publicFile: "/shared/c4gh.pub.pem"
   resignJwt:
   s3Inbox: "http://inbox:8000"

charts/sda-svc/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-svc
-version: 0.26.7
+version: 0.27.0
 appVersion: v0.3.87
 kubeVersion: '>= 1.26.0'
 description: Components for Sensitive Data Archive (SDA) installation

charts/sda-svc/README.md

@@ -79,6 +79,7 @@ Parameter | Description | Default
 `global.auth.jwtAlg` | Key type to sign the JWT, available options are RS265 & ES256, Must match the key type |`"ES256"`
 `global.auth.jwtKey` | Private key used to sign the JWT. |`""`
 `global.auth.jwtPub` | Public key ues to verify the JWT. |`""`
+`global.auth.jwtTTL` | TTL of the resigned token (hours). |`168`
 `global.auth.resignJWT` | Resign the LS-AAI JWTs. |`true`
 `global.auth.useTLS` | Run a TLS secured server. |`true`
 `global.auth.corsOrigins` | Domain name allowed for cross-domain requests. |`""`

charts/sda-svc/templates/auth-deploy.yaml

@@ -128,6 +128,8 @@ spec:
           value: "{{ template "jwtPath" . }}/{{ .Values.global.auth.jwtKey }}"
         - name: AUTH_JWT_SIGNATUREALG
           value: {{ .Values.global.auth.jwtAlg }}
+        - name: AUTH_JWT_TOKENTTL
+          value: {{ .Values.global.auth.jwtTTL | quote }}
       {{- end }}
         - name: AUTH_PUBLICFILE
           value: "{{ template "c4ghPath" . }}/{{ .Values.global.c4gh.publicFile }}"

charts/sda-svc/values.yaml

@@ -147,6 +147,8 @@ global:
     jwtKey:
     # @param jwtPub, name of the public signing key
     jwtPub:
+    # @param jwtTTL, TTL of the resigned token (hours)
+    jwtTTL: 168
     # @param resignJwt, if true (or empty) the jwt will be resigned with the jwtKey
     resignJwt: false
     # @param corsOrigins, domain name of allowed origin for cross-domain requests

sda/cmd/auth/auth.md

@@ -25,6 +25,7 @@ The following settings can be configured for deploying the service, either by us
 | `AUTH_JWT_ISSUER`       | Issuer of JWT tokens                                                                 | `http://auth:8080`                      |
 | `AUTH_JWT_PRIVATEKEY`   | Path to private key for signing the JWT token                                        | `keys/sign-jwt.key`                     |
 | `AUTH_JWT_SIGNATUREALG` | Algorithm used to sign the JWT token. ES256 (ECDSA) or RS256 (RSA) are supported     | `ES256`                                 |
+| `AUTH_JWT_TOKENTTL`     | TTL of the resigned token in hours                                                   | `168`                                   |
 | `AUTH_RESIGNJWT`        | Set to `false` to serve the raw OIDC JWT, i.e. without re-signing it                 | `""`                                    |
 | `AUTH_S3INBOX`          | S3 inbox host                                                                        | `http://s3.example.com`                 |
 | `LOG_LEVEL`             | Log level                                                                            | `info`                                  |

sda/cmd/auth/main.go

@@ -142,7 +142,7 @@ func (auth AuthHandler) postEGA(ctx iris.Context) {
 		if ok {
 			log.WithFields(log.Fields{"authType": "cega", "user": username}).Info("Valid password entered by user")
 			claims := map[string]interface{}{
-				jwt.ExpirationKey: time.Now().UTC().Add(200 * time.Hour),
+				jwt.ExpirationKey: time.Now().UTC().Add(time.Duration(auth.Config.JwtTTL) * time.Hour),
 				jwt.IssuedAtKey:   time.Now().UTC(),
 				jwt.IssuerKey:     auth.Config.JwtIssuer,
 				jwt.SubjectKey:    username,

sda/internal/config/config.go

@@ -117,6 +117,7 @@ type AuthConf struct {
 	JwtIssuer       string
 	JwtPrivateKey   string
 	JwtSignatureAlg string
+	JwtTTL          int
 	Server          ServerConfig
 	S3Inbox         string
 	ResignJwt       bool
@@ -228,7 +229,7 @@ func NewConfig(app string) (*Config, error) {
 		}
 
 		if viper.GetBool("auth.resignJwt") {
-			requiredConfVars = append(requiredConfVars, []string{"auth.jwt.issuer", "auth.jwt.privateKey", "auth.jwt.signatureAlg"}...)
+			requiredConfVars = append(requiredConfVars, []string{"auth.jwt.issuer", "auth.jwt.privateKey", "auth.jwt.signatureAlg", "auth.jwt.tokenTTL"}...)
 		}
 	case "ingest":
 		requiredConfVars = []string{
@@ -494,6 +495,7 @@ func NewConfig(app string) (*Config, error) {
 			c.Auth.JwtPrivateKey = viper.GetString("auth.jwt.privateKey")
 			c.Auth.JwtSignatureAlg = viper.GetString("auth.jwt.signatureAlg")
 			c.Auth.JwtIssuer = viper.GetString("auth.jwt.issuer")
+			c.Auth.JwtTTL = viper.GetInt("auth.jwt.tokenTTL")
 
 			if _, err := os.Stat(c.Auth.JwtPrivateKey); err != nil {
 				return nil, err

sda/internal/config/config_test.go

@@ -414,13 +414,15 @@ func (suite *ConfigTestSuite) TestConfigAuth_CEGA() {
 	viper.Set("auth.jwt.Issuer", "http://auth:8080")
 	viper.Set("auth.Jwt.privateKey", "nonexistent-key-file")
 	viper.Set("auth.Jwt.signatureAlg", "ES256")
+	viper.Set("auth.Jwt.tokenTTL", 168)
 	_, err = NewConfig("auth")
 	assert.ErrorContains(suite.T(), err, "no such file or directory")
 
 	viper.Set("auth.publicFile", ECPath+"/ec.pub")
 	viper.Set("auth.Jwt.privateKey", ECPath+"/ec")
 	c, err := NewConfig("auth")
 	assert.Equal(suite.T(), c.Auth.JwtPrivateKey, fmt.Sprintf("%s/ec", ECPath))
+	assert.Equal(suite.T(), c.Auth.JwtTTL, 168)
 	assert.NoError(suite.T(), err, "unexpected failure")
 }