From 4ee314fbb7ec8166eda91f4901cbf550ba911809 Mon Sep 17 00:00:00 2001
From: Malte Finsterwalder <malte@holi.team>
Date: Thu, 24 Aug 2023 10:50:57 +0200
Subject: [PATCH] HOLI-5652 pull JWT public key from environment/secret
---
 .envrc.local.template | 4 ++++
 data/homeserver.yaml.template | 15 +--------------
 terraform/environments/deployment_server.tf | 9 +++++++++
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.envrc.local.template b/.envrc.local.template
index 62ef3c2..1610981 100644
--- a/.envrc.local.template
+++ b/.envrc.local.template
@@ -26,3 +26,7 @@ export HOLI_CHAT_MACAROON_SECRET_KEY=
 # ip range used within the docker-compose container, needs to be unblocked in order for Synapse to be able to resolve Sygnal
 export HOLI_CHAT_IP_RANGE_WHITELIST="- '172.16.0.0/12'"
+
+# can be downloaded from ORY https://dev-auth.holi.social/.well-known/jwks.json (for production: https://auth.holi.social/.well-known/jwks.json)
+# this is the ORY staging keyset
+export HOLI_CHAT_ORY_PUBLIC_JWT_KEYS='{"keys":[{"use": "sig", "kty": "RSA", "kid": "147ad542-5980-4a1a-bb23-b163b731a3cc", "alg": "RS256", "n": "xOYw-BTlL7EVScqYqxwUubSWY_6FEMcO88wXIxvnLTN7ldgvxocCfgWoM15oq5nwdCe3v3z_hoBY9nPeqYEYyN2Axz1OhKzvzPSy5_lAJfYMpIiaYpYFYvrR5L7QnOwdUi6QNzXnZS6-gGqQz6mTNpFpEcoo313eznhkMq9w72bDYHobjdsuSUGd_qF3QnWC9pn9f4xprwErJIdPU-jSjKwA7T1NWuB2z0SbAI2ScX2MXBNi3aZUJpYivWHWi90l76_XbgNszAveY2vj05QV7E2nivLsmBdW8Y3OtLTtjnRT8kNOkCPYoSsH8Pv1kGvEjvlJNmvK8AJufjVgiChUQm5xwce77Jp3Zzwb47vUt4Y4ZLY8kBOmLsF7nESZuUz3fA8C3-dTdj1RKrzdzcho8puUGZHEPgYSXc2PVeA6mdayn3gc6dlo_sKy8ysDAQwBI68YZJUNxYBPnpXc0ODU0K972TB-Bg6hbLMc6l24anLLza81wMm_H5h7DAgbRTGdFAGE3Wy75Jv0-ngso5I5aTG5DAkSHxNCbBwtIV-eh0aH_E2KS9xHAYnd1gfoiqB83JxgGLjeJDOA8turZnJkRuFh7tMq2MBFShzwr9EBsIKVfYi57K22U19GXVenvOxdQMxNofxhihM-yqawppZAecarLahHP570RpbBQsTcCWk", "e": "AQAB"}]}'
diff --git a/data/homeserver.yaml.template b/data/homeserver.yaml.template
index db174d6..a274975 100644
--- a/data/homeserver.yaml.template
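Review bot: The added value pins validation to one hand-copied key (`kid` 147ad542-5980-4a1a-bb23-b163b731a3cc), so a signing-key rotation on the ORY side will make every newly issued token fail validation until this template value and the Secret Manager entries referenced in the deployment_server.tf hunk are refreshed by hand; the comment should state that. I would extend the added comment with `# NOTE: static copy of the JWKS - re-fetch from the URL above whenever ORY rotates its signing key (compare the "kid")`. Nothing in the commit automates that refresh, so a spike in JWT validation failures on the Synapse side is presumably the only signal that it has happened.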
+++ b/data/homeserver.yaml.template
@@ -48,20 +48,7 @@ sso:
 jwt_config:
 enabled: true
- secret:
- {
- "keys":
- [
- {
- "use": "sig",
- "kty": "RSA",
- "kid": "147ad542-5980-4a1a-bb23-b163b731a3cc",
- "alg": "RS256",
- "n": "xOYw-BTlL7EVScqYqxwUubSWY_6FEMcO88wXIxvnLTN7ldgvxocCfgWoM15oq5nwdCe3v3z_hoBY9nPeqYEYyN2Axz1OhKzvzPSy5_lAJfYMpIiaYpYFYvrR5L7QnOwdUi6QNzXnZS6-gGqQz6mTNpFpEcoo313eznhkMq9w72bDYHobjdsuSUGd_qF3QnWC9pn9f4xprwErJIdPU-jSjKwA7T1NWuB2z0SbAI2ScX2MXBNi3aZUJpYivWHWi90l76_XbgNszAveY2vj05QV7E2nivLsmBdW8Y3OtLTtjnRT8kNOkCPYoSsH8Pv1kGvEjvlJNmvK8AJufjVgiChUQm5xwce77Jp3Zzwb47vUt4Y4ZLY8kBOmLsF7nESZuUz3fA8C3-dTdj1RKrzdzcho8puUGZHEPgYSXc2PVeA6mdayn3gc6dlo_sKy8ysDAQwBI68YZJUNxYBPnpXc0ODU0K972TB-Bg6hbLMc6l24anLLza81wMm_H5h7DAgbRTGdFAGE3Wy75Jv0-ngso5I5aTG5DAkSHxNCbBwtIV-eh0aH_E2KS9xHAYnd1gfoiqB83JxgGLjeJDOA8turZnJkRuFh7tMq2MBFShzwr9EBsIKVfYi57K22U19GXVenvOxdQMxNofxhihM-yqawppZAecarLahHP570RpbBQsTcCWk",
- "e": "AQAB",
- },
- ],
- }
+ secret: ${HOLI_CHAT_ORY_PUBLIC_JWT_KEYS}
 algorithm: "RS256"
 subject_claim: "ident"
diff --git a/terraform/environments/deployment_server.tf b/terraform/environments/deployment_server.tf
index 7b62dcd..276be5f 100644
--- a/terraform/environments/deployment_server.tf
+++ b/terraform/environments/deployment_server.tf
@@ -106,6 +106,15 @@ resource "google_cloud_run_service" "chat_server" {
 }
 }
 }
+ env {
+ name = "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS"
+ value_from {
+ secret_key_ref {
+ key = "latest"
+ name = local.environment_name == "production" ? "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_PRODUCTION" : "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_DEVELOPMENT"
+ }
+ }
+ }
 resources {
 limits = {
 # cpu can only be scaled down to 1000m as long as container_concurrency is set to != 1
-- GitLab
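Review bot: `secret: ${HOLI_CHAT_ORY_PUBLIC_JWT_KEYS}` splices the whole JWKS document unquoted into the YAML, so the value has to stay a single-line JSON object: a pretty-printed keyset pasted from the well-known endpoint (several lines, as the removed block was) would break the mapping at the first newline, and an unset variable leaves `secret:` with no value at all. Neither case is caught anywhere in this template. A comment above the line, `# must be a single-line JWKS JSON object; the variable is substituted verbatim into this YAML`, would document the constraint, and if the substitution tool offers a mode that fails on unset variables it is worth preferring over a silently empty key. Whether Synapse refuses to start with `enabled: true` and an empty `secret` I cannot tell from this hunk.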
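Review bot: The added `secret_key_ref` assumes that `HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_PRODUCTION` and `HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_DEVELOPMENT` already exist in Secret Manager and that the service's runtime account may read them; the commit adds neither the secret resources nor an accessor IAM binding, so a revision will fail to deploy in any environment where the out-of-band provisioning was missed. A comment on the `env` block naming where those secrets are provisioned, or a `google_secret_manager_secret` plus the `roles/secretmanager.secretAccessor` binding managed in Terraform alongside this reference, would close that gap. `key = "latest"` also means a newly added secret version is picked up by the next revision without any Terraform change, which is convenient for key rotation but makes the deployed configuration non-reproducible; either pin a version or record the decision to track `latest` in a comment.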