add support for fetching keys from a JWKS endpoint

This requires changing a few function signatures and plumbing some
things together.

Notably, I don't want to have a second service discovery client and send
duplicate calls off, so I shared the service discovery client from the
CyberArk client and added caching of responses to the service discovery
client.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>

Author: SgtCoDFish

internal/cyberark/client_test.go

@@ -32,9 +32,9 @@ func TestCyberArkClient_PutSnapshot_MockAPI(t *testing.T) {
 		Secret:    "somepassword",
 	}
 
-	discoveryClient := servicediscovery.New(httpClient)
+	discoveryClient := servicediscovery.New(httpClient, cfg.Subdomain)
 
-	serviceMap, tenantUUID, err := discoveryClient.DiscoverServices(t.Context(), cfg.Subdomain)
+	serviceMap, tenantUUID, err := discoveryClient.DiscoverServices(t.Context())
 	if err != nil {
 		t.Fatalf("failed to discover mock services: %v", err)
 	}
@@ -76,9 +76,9 @@ func TestCyberArkClient_PutSnapshot_RealAPI(t *testing.T) {
 	cfg, err := cyberark.LoadClientConfigFromEnvironment()
 	require.NoError(t, err)
 
-	discoveryClient := servicediscovery.New(httpClient)
+	discoveryClient := servicediscovery.New(httpClient, cfg.Subdomain)
 
-	serviceMap, tenantUUID, err := discoveryClient.DiscoverServices(t.Context(), cfg.Subdomain)
+	serviceMap, tenantUUID, err := discoveryClient.DiscoverServices(t.Context())
 	if err != nil {
 		t.Fatalf("failed to discover services: %v", err)
 	}

internal/cyberark/identity/cmd/testidentity/main.go

@@ -50,8 +50,8 @@ func run(ctx context.Context) error {
 	var rootCAs *x509.CertPool
 	httpClient := http_client.NewDefaultClient(version.UserAgent(), rootCAs)
 
-	sdClient := servicediscovery.New(httpClient)
-	services, _, err := sdClient.DiscoverServices(ctx, subdomain)
+	sdClient := servicediscovery.New(httpClient, subdomain)
+	services, _, err := sdClient.DiscoverServices(ctx)
 	if err != nil {
 		return fmt.Errorf("while performing service discovery: %s", err)
 	}

internal/cyberark/identity/identity_test.go

@@ -53,7 +53,7 @@ func TestLoginUsernamePassword_RealAPI(t *testing.T) {
 	arktesting.SkipIfNoEnv(t)
 	subdomain := os.Getenv("ARK_SUBDOMAIN")
 	httpClient := http.DefaultClient
-	services, _, err := servicediscovery.New(httpClient).DiscoverServices(t.Context(), subdomain)
+	services, _, err := servicediscovery.New(httpClient, subdomain).DiscoverServices(t.Context())
 	require.NoError(t, err)
 
 	loginUsernamePasswordTests(t, func(t testing.TB) inputs {

internal/cyberark/servicediscovery/discovery.go

@@ -9,6 +9,8 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"sync"
+	"time"
 
 	arkapi "github.com/jetstack/preflight/internal/cyberark/api"
 	"github.com/jetstack/preflight/pkg/version"
@@ -35,21 +37,34 @@ const (
 // users to fetch URLs for various APIs available in CyberArk. This client is specialised to
 // fetch only API endpoints, since only API endpoints are required by the Venafi Kubernetes Agent currently.
 type Client struct {
-	client  *http.Client
-	baseURL string
+	client    *http.Client
+	baseURL   string
+	subdomain string
+
+	cachedResponse      *Services
+	cachedTenantID      string
+	cachedResponseTime  time.Time
+	cachedResponseMutex sync.Mutex
 }
 
 // New creates a new CyberArk Service Discovery client. If the ARK_DISCOVERY_API
 // environment variable is set, it is used as the base URL for the service
 // discovery API. Otherwise, the production URL is used.
-func New(httpClient *http.Client) *Client {
+func New(httpClient *http.Client, subdomain string) *Client {
 	baseURL := os.Getenv("ARK_DISCOVERY_API")
 	if baseURL == "" {
 		baseURL = ProdDiscoveryAPIBaseURL
 	}
+
 	client := &Client{
-		client:  httpClient,
-		baseURL: baseURL,
+		client:    httpClient,
+		baseURL:   baseURL,
+		subdomain: subdomain,
+
+		cachedResponse:      nil,
+		cachedTenantID:      "",
+		cachedResponseTime:  time.Time{},
+		cachedResponseMutex: sync.Mutex{},
 	}
 
 	return client
@@ -93,17 +108,24 @@ type Services struct {
 	DiscoveryContext ServiceEndpoint
 }
 
-// DiscoverServices fetches from the service discovery service for a given subdomain
+// DiscoverServices fetches from the service discovery service for the configured subdomain
 // and parses the CyberArk Identity API URL and Inventory API URL.
 // It also returns the Tenant ID UUID corresponding to the subdomain.
-func (c *Client) DiscoverServices(ctx context.Context, subdomain string) (*Services, string, error) {
+func (c *Client) DiscoverServices(ctx context.Context) (*Services, string, error) {
+	c.cachedResponseMutex.Lock()
+	defer c.cachedResponseMutex.Unlock()
+
+	if c.cachedResponse != nil && time.Since(c.cachedResponseTime) < 1*time.Hour {
+		return c.cachedResponse, c.cachedTenantID, nil
+	}
+
 	u, err := url.Parse(c.baseURL)
 	if err != nil {
 		return nil, "", fmt.Errorf("invalid base URL for service discovery: %w", err)
 	}
 
 	u.Path = path.Join(u.Path, "api/public/tenant-discovery")
-	u.RawQuery = url.Values{"bySubdomain": []string{subdomain}}.Encode()
+	u.RawQuery = url.Values{"bySubdomain": []string{c.subdomain}}.Encode()
 
 	endpoint := u.String()
 
@@ -127,7 +149,7 @@ func (c *Client) DiscoverServices(ctx context.Context, subdomain string) (*Servi
 		// a 404 error is returned with an empty JSON body "{}" if the subdomain is unknown; at the time of writing, we haven't observed
 		// any other errors and so we can't special case them
 		if resp.StatusCode == http.StatusNotFound {
-			return nil, "", fmt.Errorf("got an HTTP 404 response from service discovery; maybe the subdomain %q is incorrect or does not exist?", subdomain)
+			return nil, "", fmt.Errorf("got an HTTP 404 response from service discovery; maybe the subdomain %q is incorrect or does not exist?", c.subdomain)
 		}
 
 		return nil, "", fmt.Errorf("got unexpected status code %s from request to service discovery API", resp.Status)
@@ -167,8 +189,14 @@ func (c *Client) DiscoverServices(ctx context.Context, subdomain string) (*Servi
 	}
 	//TODO: Should add a check for discoveryContextAPI too?
 
-	return &Services{
+	services := &Services{
 		Identity:         ServiceEndpoint{API: identityAPI},
 		DiscoveryContext: ServiceEndpoint{API: discoveryContextAPI},
-	}, discoveryResp.TenantID, nil
+	}
+
+	c.cachedResponse = services
+	c.cachedTenantID = discoveryResp.TenantID
+	c.cachedResponseTime = time.Now()
+
+	return services, discoveryResp.TenantID, nil
 }

internal/cyberark/servicediscovery/discovery_test.go

@@ -64,9 +64,9 @@ func Test_DiscoverIdentityAPIURL(t *testing.T) {
 				},
 			})
 
-			client := New(httpClient)
+			client := New(httpClient, testSpec.subdomain)
 
-			services, _, err := client.DiscoverServices(ctx, testSpec.subdomain)
+			services, _, err := client.DiscoverServices(ctx)
 			if testSpec.expectedError != nil {
 				assert.EqualError(t, err, testSpec.expectedError.Error())
 				assert.Nil(t, services)

internal/envelope/keyfetch/client.go

@@ -0,0 +1,156 @@
+package keyfetch
+
+import (
+	"context"
+	"crypto/rsa"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/lestrrat-go/jwx/v3/jwk"
+
+	"github.com/jetstack/preflight/internal/cyberark/servicediscovery"
+)
+
+const (
+	// minRSAKeySize is the minimum RSA key size in bits; we'd expect that keys will be larger but 2048 is a sane floor
+	// to enforce to ensure that a weak key can't accidentally be used
+	minRSAKeySize = 2048
+)
+
+// KeyFetcher is an interface for fetching public keys.
+type KeyFetcher interface {
+	// FetchKey retrieves a public key from the key source.
+	FetchKey(ctx context.Context) (PublicKey, error)
+}
+
+// Compile-time check that Client implements KeyFetcher
+var _ KeyFetcher = (*Client)(nil)
+
+// PublicKey represents an RSA public key retrieved from the key server.
+type PublicKey struct {
+	// KeyID is the unique identifier for this key
+	KeyID string
+
+	// Key is the actual RSA public key
+	Key *rsa.PublicKey
+}
+
+// Client fetches public keys from a CyberArk HTTP endpoint that provides keys in JWKS format.
+// It can be expanded in future to support other key types and formats, but for now it only supports RSA keys
+// and ignored other types.
+type Client struct {
+	discoveryClient *servicediscovery.Client
+
+	// httpClient is the HTTP client used for requests
+	httpClient *http.Client
+}
+
+// NewClient creates a new key fetching client.
+// Uses CyberArk service discovery to derive the JWKS endpoint
+func NewClient(discoveryClient *servicediscovery.Client) *Client {
+	return &Client{
+		discoveryClient: discoveryClient,
+		httpClient: &http.Client{
+			Timeout: 10 * time.Second,
+		},
+	}
+}
+
+// FetchKey retrieves the public keys from the configured endpoint.
+// It returns a slice of PublicKey structs containing the key material and metadata.
+func (c *Client) FetchKey(ctx context.Context) (PublicKey, error) {
+	services, _, err := c.discoveryClient.DiscoverServices(ctx)
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to get services from discovery client: %w", err)
+	}
+
+	endpoint, err := url.JoinPath(services.DiscoveryContext.API, "foo")
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to construct endpoint URL: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to fetch keys from %s: %w", endpoint, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return PublicKey{}, fmt.Errorf("unexpected status code %d from %s: %s", resp.StatusCode, endpoint, string(body))
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	keySet, err := jwk.Parse(body)
+	if err != nil {
+		return PublicKey{}, fmt.Errorf("failed to parse JWKs response: %w", err)
+	}
+
+	for i := range keySet.Len() {
+		key, ok := keySet.Key(i)
+		if !ok {
+			continue
+		}
+
+		// Only process RSA keys
+		if key.KeyType().String() != "RSA" {
+			continue
+		}
+
+		var rawKey any
+		if err := jwk.Export(key, &rawKey); err != nil {
+			// skip unparseable keys
+			continue
+		}
+
+		rsaKey, ok := rawKey.(*rsa.PublicKey)
+		if !ok {
+			// only process RSA keys (for now)
+			continue
+		}
+
+		if rsaKey.N.BitLen() < minRSAKeySize {
+			// skip keys that are too small to be secure
+			continue
+		}
+
+		kid, ok := key.KeyID()
+		if !ok {
+			// skip any keys which don't have an ID
+			continue
+		}
+
+		alg, ok := key.Algorithm()
+		if !ok {
+			// skip any keys which don't have an algorithm specified
+			continue
+		}
+
+		if alg.String() != "RSA-OAEP-256" {
+			// we only use RSA keys for RSA-OAEP-256
+			continue
+		}
+
+		// return the first valid key we find
+		return PublicKey{
+			KeyID: kid,
+			Key:   rsaKey,
+		}, nil
+	}
+
+	return PublicKey{}, fmt.Errorf("no valid RSA keys found at %s", endpoint)
+}