From 781aea61933b0b27c27cb5ccfcd66aa63e2cca91 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 4 Jan 2019 20:16:11 +0000
Subject: [PATCH] Add configuration options for JWS provider

This commit only introduces a new group for JWT configuration options that are specific to JWS. Even though the configuration group is named after JWT, the configuration options are specific to JWS. If keystone supports JWE token in the future, we will add new configuration options for key specific to that implementation as opposed to reusing JWS keys. It does not wire anything up to the actual token provider code. That will come in a later patch.
bp json-web-tokens
Change-Id: I8c9b249138a32f096d5edc84772099e9d780687b
---
 keystone/conf/__init__.py | 2 ++
 keystone/conf/jwt_tokens.py | 58 +++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 keystone/conf/jwt_tokens.py

diff --git a/keystone/conf/__init__.py b/keystone/conf/__init__.py
index 01590e5fe6..b6aa8c02e1 100644
--- a/keystone/conf/__init__.py
+++ b/keystone/conf/__init__.py
@@ -35,6 +35,7 @@ from keystone.conf import fernet_receipts
 from keystone.conf import fernet_tokens
 from keystone.conf import identity
 from keystone.conf import identity_mapping
+from keystone.conf import jwt_tokens
 from keystone.conf import ldap
 from keystone.conf import memcache
 from keystone.conf import oauth1
@@ -72,6 +73,7 @@ conf_modules = [
     fernet_tokens,
     identity,
     identity_mapping,
+    jwt_tokens,
     ldap,
     memcache,
     oauth1,
diff --git a/keystone/conf/jwt_tokens.py b/keystone/conf/jwt_tokens.py
new file mode 100644
index 0000000000..d46f815b9c
--- /dev/null
+++ b/keystone/conf/jwt_tokens.py
@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+
+jws_public_key_repository = cfg.StrOpt(
+    'jws_public_key_repository',
+    default='/etc/keystone/jws-keys/public',
+    help=utils.fmt("""
+Directory containing public keys for validating JWS token signatures. This
+directory must exist in order for keystone's server process to start. It must
+also be readable by keystone's server process. It must contain at least one
+public key that corresponds to a private key in `keystone.conf [jwt_tokens]
+jws_private_key_repository`. This option is only applicable in deployments
+issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
+"""))
+jws_private_key_repository = cfg.StrOpt(
+    'jws_private_key_repository',
+    default='/etc/keystone/jws-keys/private',
+    help=utils.fmt("""
+Directory containing private keys for signing JWS tokens. This directory must
+exist in order for keystone's server process to start. It must also be readable
+by keystone's server process. It must contain at least one private key that
+corresponds to a public key in `keystone.conf [jwt_tokens]
+jws_public_key_repository`. In the event there are multiple private keys in
+this directory, keystone will use a key named `private.pem` to sign tokens. In
+the future, keystone may support the ability to sign tokens with multiple
+private keys. For now, only a key named `private.pem` within this directory is
+required to issue JWS tokens. This option is only applicable in deployments
+issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+    jws_public_key_repository,
+    jws_private_key_repository
+]
+
+
+def register_opts(conf):
+    conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+    return {GROUP_NAME: ALL_OPTS}
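Review bot: The help text for `jws_private_key_repository` (the second `cfg.StrOpt` in this hunk) says the directory must exist and be readable by keystone's server process, but not that it should be readable by that process only, even though the same text identifies `private.pem` as the key that signs tokens; I would append `This directory and the keys within it should be readable only by keystone's server process, since the private key is what signs tokens.` to that help string. The existence and readability requirements described in both help strings are not checked anywhere in this hunk, which matches the commit message's statement that wiring comes in a later patch, so that later patch is where those checks should land. `register_opts` and `list_opts` also carry no docstrings; `"""Register the [jwt_tokens] options on conf."""` and `"""Return the [jwt_tokens] options keyed by group name."""` would cover them. The hunk is the whole new file, so nothing is cut off at either edge.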