[jwt] Installer configures expiry & issuer WEB-102 (#17314)

* [jwt] Installer configures expiry & issuer

* Fix

* Fix

* retest

* Fix

* Fix

* Fix

Author: easyCZ

components/public-api/go/config/config.go

@@ -4,7 +4,9 @@
 
 package config
 
-import "github.com/gitpod-io/gitpod/common-go/baseserver"
+import (
+	"github.com/gitpod-io/gitpod/common-go/baseserver"
+)
 
 type Configuration struct {
 	// PublicURL is the URL under which the API server is publicly reachable
@@ -45,7 +47,13 @@ type RedisConfiguration struct {
 }
 
 type AuthConfiguration struct {
-	PKI AuthPKIConfiguration `json:"pki"`
+	PKI     AuthPKIConfiguration `json:"pki"`
+	Session SessionConfig        `json:"session"`
+}
+
+type SessionConfig struct {
+	LifetimeSeconds int64  `json:"lifetimeSeconds"`
+	Issuer          string `json:"issuer"`
 }
 
 type AuthPKIConfiguration struct {

components/server/src/auth/jwt.spec.ts

@@ -9,7 +9,6 @@ import { AuthJWT, sign, verify } from "./jwt";
 import { Container } from "inversify";
 import { Config } from "../config";
 import * as crypto from "crypto";
-import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 import * as chai from "chai";
 
 const expect = chai.expect;
@@ -23,12 +22,15 @@ class TestAuthJWT {
     private validatingKeyPair2 = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
 
     private config: Config = {
-        hostUrl: new GitpodHostUrl("https://mp-server-d7650ec945.preview.gitpod-dev.com"),
         auth: {
             pki: {
                 signing: toKeyPair("0001", this.signingKeyPair),
                 validating: [toKeyPair("0002", this.validatingKeyPair1), toKeyPair("0003", this.validatingKeyPair2)],
             },
+            session: {
+                issuer: "https://mp-server-d7650ec945.preview.gitpod-dev.com",
+                lifetimeSeconds: 7 * 24 * 60 * 60,
+            },
         },
     } as Config;
 
@@ -76,7 +78,7 @@ class TestAuthJWT {
         const encoded = await sign({}, keypair.privateKey, {
             algorithm: "RS512",
             expiresIn: "1d",
-            issuer: this.config.hostUrl.toStringWoRootSlash(),
+            issuer: this.config.auth.session.issuer,
             keyid: keypair.id,
             subject,
         });

components/server/src/auth/jwt.ts

@@ -14,11 +14,16 @@ const algorithm: jsonwebtoken.Algorithm = "RS512";
 export class AuthJWT {
     @inject(Config) protected config: Config;
 
-    async sign(subject: string, payload: object | Buffer, expiresIn: string = `${24 * 7}h`): Promise<string> {
+    async sign(
+        subject: string,
+        payload: object | Buffer,
+        expirySeconds: number = this.config.auth.session.lifetimeSeconds,
+        issuer: string = this.config.auth.session.issuer,
+    ): Promise<string> {
         const opts: jsonwebtoken.SignOptions = {
             algorithm,
-            expiresIn,
-            issuer: this.config.hostUrl.toStringWoRootSlash(),
+            expiresIn: expirySeconds,
+            issuer,
             subject,
             keyid: this.config.auth.pki.signing.id,
         };

components/server/src/config.ts

@@ -51,6 +51,11 @@ export type Config = Omit<
                 publicKey: string;
             }[];
         };
+
+        session: {
+            lifetimeSeconds: number;
+            issuer: string;
+        };
     };
 };
 
@@ -250,6 +255,10 @@ export interface ConfigSerialized {
 
     auth: {
         pki: AuthPKIConfig;
+        session: {
+            lifetimeSeconds: number;
+            issuer: string;
+        };
     };
 }
 
@@ -394,6 +403,7 @@ export namespace ConfigFile {
             },
             auth: {
                 pki: authPKI,
+                session: config.auth.session,
             },
         };
     }

install/installer/pkg/components/auth/config.go

@@ -0,0 +1,37 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	corev1 "k8s.io/api/core/v1"
+)
+
+type Config struct {
+	PKI PKIConfig `json:"pki"`
+
+	// Configration parameters for user sessions
+	Session SessionConfig `json:"session"`
+}
+
+type SessionConfig struct {
+	// How long shoud the session be valid for?
+	LifetimeSeconds int64  `json:"lifetimeSeconds"`
+	Issuer          string `json:"issuer"`
+}
+
+func GetConfig(ctx *common.RenderContext) ([]corev1.Volume, []corev1.VolumeMount, Config) {
+	volumes, mounts, pki := getPKI()
+	return volumes, mounts, Config{
+		PKI: pki,
+		Session: SessionConfig{
+			LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
+			Issuer:          fmt.Sprintf("https://%s", ctx.Config.Domain),
+		},
+	}
+}

install/installer/pkg/components/auth/keypair.go

@@ -59,7 +59,7 @@ func keypair(ctx *common.RenderContext) ([]runtime.Object, error) {
 	}, nil
 }
 
-func GetPKI() ([]corev1.Volume, []corev1.VolumeMount, PKIConfig) {
+func getPKI() ([]corev1.Volume, []corev1.VolumeMount, PKIConfig) {
 	dir := "/secrets/auth-pki"
 	signingDir := path.Join(dir, "signing")
 

install/installer/pkg/components/public-api-server/configmap.go

@@ -49,7 +49,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	_, _, databaseSecretMountPath := common.DatabaseEnvSecret(ctx.Config)
 
-	_, _, authPKI := auth.GetPKI()
+	_, _, authCfg := auth.GetConfig(ctx)
 
 	cfg := config.Configuration{
 		PublicURL:                         fmt.Sprintf("https://api.%s", ctx.Config.Domain),
@@ -66,11 +66,15 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		Auth: config.AuthConfiguration{
 			PKI: config.AuthPKIConfiguration{
 				Signing: config.KeyPair{
-					ID:             authPKI.Signing.ID,
-					PublicKeyPath:  authPKI.Signing.PublicKeyPath,
-					PrivateKeyPath: authPKI.Signing.PrivateKeyPath,
+					ID:             authCfg.PKI.Signing.ID,
+					PublicKeyPath:  authCfg.PKI.Signing.PublicKeyPath,
+					PrivateKeyPath: authCfg.PKI.Signing.PrivateKeyPath,
 				},
 			},
+			Session: config.SessionConfig{
+				LifetimeSeconds: authCfg.Session.LifetimeSeconds,
+				Issuer:          authCfg.Session.Issuer,
+			},
 		},
 		Server: &baseserver.Configuration{
 			Services: baseserver.ServicesConfiguration{

install/installer/pkg/components/public-api-server/configmap_test.go

@@ -7,6 +7,7 @@ package public_api_server
 import (
 	"fmt"
 	"testing"
+	"time"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/components/redis"
 	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
@@ -65,6 +66,10 @@ func TestConfigMap(t *testing.T) {
 					PrivateKeyPath: "/secrets/auth-pki/signing/tls.key",
 				},
 			},
+			Session: config.SessionConfig{
+				LifetimeSeconds: int64((24 * 7 * time.Hour).Seconds()),
+				Issuer:          "https://test.domain.everything.awesome.is",
+			},
 		},
 		Server: &baseserver.Configuration{
 			Services: baseserver.ServicesConfiguration{

install/installer/pkg/components/public-api-server/deployment.go

@@ -92,9 +92,9 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil
 	})
 
-	authPKIVolumes, authPKIMounts, _ := auth.GetPKI()
-	volumes = append(volumes, authPKIVolumes...)
-	volumeMounts = append(volumeMounts, authPKIMounts...)
+	authVolumes, authMounts, _ := auth.GetConfig(ctx)
+	volumes = append(volumes, authVolumes...)
+	volumeMounts = append(volumeMounts, authMounts...)
 
 	labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDeployment)
 	return []runtime.Object{

install/installer/pkg/components/server/configmap.go

@@ -189,7 +189,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 	_, _, adminCredentialsPath := getAdminCredentials()
 
-	_, _, authPKI := auth.GetPKI()
+	_, _, authCfg := auth.GetConfig(ctx)
 
 	// todo(sje): all these values are configurable
 	scfg := ConfigSerialized{
@@ -291,9 +291,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			CredentialsPath:         adminCredentialsPath,
 		},
 		ShowSetupModal: showSetupModal,
-		Auth: AuthConfig{
-			PKI: authPKI,
-		},
+		Auth:           authCfg,
 	}
 
 	fc, err := common.ToJSONString(scfg)

install/installer/pkg/components/server/configmap_test.go

@@ -7,6 +7,7 @@ package server
 import (
 	"encoding/json"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -31,7 +32,7 @@ func TestConfigMap(t *testing.T) {
 		JWTSecret                         string
 		SessionSecret                     string
 		GitHubApp                         experimental.GithubApp
-		Auth                              AuthConfig
+		Auth                              auth.Config
 	}
 
 	expectation := Expectation{
@@ -54,18 +55,23 @@ func TestConfigMap(t *testing.T) {
 			WebhookSecret:   "some-webhook-secret",
 			CertSecretName:  "some-cert-secret-name",
 		},
-		Auth: AuthConfig{
+		Auth: auth.Config{
 			PKI: auth.PKIConfig{
 				Signing: auth.KeyPair{
 					ID:             "0001",
 					PrivateKeyPath: "/secrets/auth-pki/signing/tls.key",
 					PublicKeyPath:  "/secrets/auth-pki/signing/tls.crt",
 				},
 			},
+			Session: auth.SessionConfig{
+				LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
+				Issuer:          "https://awesome.domain",
+			},
 		},
 	}
 
 	ctx, err := common.NewRenderContext(config.Config{
+		Domain: "awesome.domain",
 		Workspace: config.Workspace{
 			WorkspaceImage: expectation.WorkspaceImage,
 		},

install/installer/pkg/components/server/deployment.go

@@ -259,9 +259,9 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 	volumes = append(volumes, adminCredentialsVolume)
 	volumeMounts = append(volumeMounts, adminCredentialsMount)
 
-	authPKIVolumes, authPKIMounts, _ := auth.GetPKI()
-	volumes = append(volumes, authPKIVolumes...)
-	volumeMounts = append(volumeMounts, authPKIMounts...)
+	authVolumes, authMounts, _ := auth.GetConfig(ctx)
+	volumes = append(volumes, authVolumes...)
+	volumeMounts = append(volumeMounts, authMounts...)
 
 	return []runtime.Object{
 		&appsv1.Deployment{

install/installer/pkg/components/server/types.go

@@ -14,32 +14,32 @@ import (
 
 // ConfigSerialized interface from components/server/src/config.ts
 type ConfigSerialized struct {
-	Version                           string     `json:"version"`
-	HostURL                           string     `json:"hostUrl"`
-	InstallationShortname             string     `json:"installationShortname"`
-	DevBranch                         string     `json:"devBranch"`
-	InsecureNoDomain                  bool       `json:"insecureNoDomain"`
-	License                           string     `json:"license"`
-	DefinitelyGpDisabled              bool       `json:"definitelyGpDisabled"`
-	EnableLocalApp                    bool       `json:"enableLocalApp"`
-	DisableDynamicAuthProviderLogin   bool       `json:"disableDynamicAuthProviderLogin"`
-	MaxEnvvarPerUserCount             int32      `json:"maxEnvvarPerUserCount"`
-	MaxConcurrentPrebuildsPerRef      int32      `json:"maxConcurrentPrebuildsPerRef"`
-	MakeNewUsersAdmin                 bool       `json:"makeNewUsersAdmin"`
-	DefaultBaseImageRegistryWhitelist []string   `json:"defaultBaseImageRegistryWhitelist"`
-	RunDbDeleter                      bool       `json:"runDbDeleter"`
-	ContentServiceAddr                string     `json:"contentServiceAddr"`
-	UsageServiceAddr                  string     `json:"usageServiceAddr"`
-	IDEServiceAddr                    string     `json:"ideServiceAddr"`
-	MaximumEventLoopLag               float64    `json:"maximumEventLoopLag"`
-	VSXRegistryUrl                    string     `json:"vsxRegistryUrl"`
-	StripeSecretsFile                 string     `json:"stripeSecretsFile"`
-	StripeConfigFile                  string     `json:"stripeConfigFile"`
-	EnablePayment                     bool       `json:"enablePayment"`
-	LinkedInSecretsFile               string     `json:"linkedInSecretsFile"`
-	PATSigningKeyFile                 string     `json:"patSigningKeyFile"`
-	ShowSetupModal                    bool       `json:"showSetupModal"`
-	Auth                              AuthConfig `json:"auth"`
+	Version                           string      `json:"version"`
+	HostURL                           string      `json:"hostUrl"`
+	InstallationShortname             string      `json:"installationShortname"`
+	DevBranch                         string      `json:"devBranch"`
+	InsecureNoDomain                  bool        `json:"insecureNoDomain"`
+	License                           string      `json:"license"`
+	DefinitelyGpDisabled              bool        `json:"definitelyGpDisabled"`
+	EnableLocalApp                    bool        `json:"enableLocalApp"`
+	DisableDynamicAuthProviderLogin   bool        `json:"disableDynamicAuthProviderLogin"`
+	MaxEnvvarPerUserCount             int32       `json:"maxEnvvarPerUserCount"`
+	MaxConcurrentPrebuildsPerRef      int32       `json:"maxConcurrentPrebuildsPerRef"`
+	MakeNewUsersAdmin                 bool        `json:"makeNewUsersAdmin"`
+	DefaultBaseImageRegistryWhitelist []string    `json:"defaultBaseImageRegistryWhitelist"`
+	RunDbDeleter                      bool        `json:"runDbDeleter"`
+	ContentServiceAddr                string      `json:"contentServiceAddr"`
+	UsageServiceAddr                  string      `json:"usageServiceAddr"`
+	IDEServiceAddr                    string      `json:"ideServiceAddr"`
+	MaximumEventLoopLag               float64     `json:"maximumEventLoopLag"`
+	VSXRegistryUrl                    string      `json:"vsxRegistryUrl"`
+	StripeSecretsFile                 string      `json:"stripeSecretsFile"`
+	StripeConfigFile                  string      `json:"stripeConfigFile"`
+	EnablePayment                     bool        `json:"enablePayment"`
+	LinkedInSecretsFile               string      `json:"linkedInSecretsFile"`
+	PATSigningKeyFile                 string      `json:"patSigningKeyFile"`
+	ShowSetupModal                    bool        `json:"showSetupModal"`
+	Auth                              auth.Config `json:"auth"`
 
 	WorkspaceHeartbeat         WorkspaceHeartbeat         `json:"workspaceHeartbeat"`
 	WorkspaceDefaults          WorkspaceDefaults          `json:"workspaceDefaults"`
@@ -66,10 +66,6 @@ type CodeSyncResources struct {
 	RevLimit int32 `json:"revLimit"`
 }
 
-type AuthConfig struct {
-	PKI auth.PKIConfig `json:"pki"`
-}
-
 type CodeSync struct {
 	RevLimit     int32                        `json:"revLimit"`
 	ContentLimit int32                        `json:"contentLimit"`