[public-api] Refactor JWT Sign/Verify to be reusable for OIDC - WEB-206 (#17327)

* [public-api] Refactor JWT Sign/Verify to be reusable for OIDC

* fix

Author: easyCZ

components/public-api-server/pkg/auth/jwt.go

@@ -0,0 +1,43 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type SessionClaims struct {
+	jwt.RegisteredClaims
+}
+
+func NewSessionJWT(subject uuid.UUID, issuer string, issuedAt, expiry time.Time) *jwt.Token {
+	return jwt.NewWithClaims(jwt.SigningMethodRS256, &SessionClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    issuer,
+			Subject:   subject.String(),
+			IssuedAt:  jwt.NewNumericDate(issuedAt),
+			ExpiresAt: jwt.NewNumericDate(expiry),
+		},
+	})
+}
+
+func VerifySessionJWT(token string, verifier jws.Verifier, expectedIssuer string) (*SessionClaims, error) {
+	parsed, err := verifier.Verify(token, &SessionClaims{}, jwt.WithIssuer(expectedIssuer))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse jwt: %w", err)
+	}
+
+	claims, ok := parsed.Claims.(*SessionClaims)
+	if !ok {
+		return nil, fmt.Errorf("unknown jwt claims: %w", jwt.ErrTokenInvalidClaims)
+	}
+
+	return claims, nil
+}

components/public-api-server/pkg/auth/jwt_test.go

@@ -0,0 +1,62 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package auth
+
+import (
+	"testing"
+	"time"
+
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws/jwstest"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSessionJWT(t *testing.T) {
+	var (
+		subject  = uuid.New()
+		issuer   = "some-issuer"
+		issuedAt = time.Now()
+		expiry   = issuedAt.Add(time.Hour)
+	)
+	token := NewSessionJWT(subject, issuer, issuedAt, expiry)
+	require.Equal(t, &SessionClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    issuer,
+			Subject:   subject.String(),
+			ExpiresAt: jwt.NewNumericDate(expiry),
+			IssuedAt:  jwt.NewNumericDate(issuedAt),
+		},
+	}, token.Claims)
+}
+
+func TestVerifySessionJWT(t *testing.T) {
+	var (
+		subject  = uuid.New()
+		issuer   = "some-issuer"
+		issuedAt = time.Now()
+		expiry   = issuedAt.Add(time.Hour)
+	)
+	token := NewSessionJWT(subject, issuer, issuedAt, expiry)
+
+	keyset := jwstest.GenerateKeySet(t)
+	rsa256, err := jws.NewRSA256(keyset)
+	require.NoError(t, err)
+
+	signed, err := rsa256.Sign(token)
+	require.NoError(t, err)
+
+	claims, err := VerifySessionJWT(signed, rsa256, issuer)
+	require.NoError(t, err)
+	require.Equal(t, &SessionClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    issuer,
+			Subject:   subject.String(),
+			ExpiresAt: jwt.NewNumericDate(expiry),
+			IssuedAt:  jwt.NewNumericDate(issuedAt),
+		},
+	}, claims)
+}

components/public-api-server/pkg/auth/session_jwt.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package jwstest
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"testing"
+
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
+	"github.com/stretchr/testify/require"
+)
+
+func GenerateKeySet(t *testing.T) jws.KeySet {
+	return jws.KeySet{
+		Signing: GenerateRSAPrivateKey(t, "0001"),
+		Validating: []jws.Key{
+			GenerateRSAPrivateKey(t, "0002"),
+			GenerateRSAPrivateKey(t, "0003"),
+		},
+	}
+}
+
+func GenerateRSAPrivateKey(t *testing.T, id string) jws.Key {
+	t.Helper()
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+	return jws.Key{
+		ID:      id,
+		Private: privateKey,
+	}
+}