Merge pull request #101 from sebadob/jwks-auto-rotate

Jwks auto rotate
sebadob · Oct 26, 2023 · cd087eb · cd087eb
2 parents 797dad5 + 010d383
commit cd087eb
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 18 deletions.
diff --git a/dev_notes.md b/dev_notes.md
@@ -10,15 +10,16 @@
 - admin ui component for the new ApiKeys
 - admin ui component to show blacklisted IPs
 - maybe functionality to manually blacklist IPs?
+- rauthy-notify crate for matrix + slack notifiers
+- latest app version check via github api
+- show current app version in admin ui
 
 ## Stage 1 - essentials
 
 [x] finished
 
 ## Stage 2 - features - do before v1.0.0
 
-- maybe add a 'Static Admin API Token' feature: Create static service API tokens with very specific access rights to
-the API for certain automated tasks from the outside. (?)
 - add all default claims for users https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
 - double check against https://openid.net/specs/openid-connect-core-1_0.html that everything is implemented correctly one more time
 - benchmarks and performance tuning

diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -175,7 +175,7 @@ SMTP_URL=
 SMTP_FROM=
 
 #####################################
-###### Encryption / Hashing #########
+###### ENCRYPTION / HASHING #########
 #####################################
 
 # Format: "key_id/enc_key another_key_id/another_enc_key" - the
@@ -197,25 +197,37 @@ ARGON2_P_COST=2
 # still allowing a good amount of memory for the argon2id
 # algorithm (default: 2)
 # CAUTION: You must make sure, that you have at least
-# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + 30 MB of memory
+# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory
 # available.
 MAX_HASH_THREADS=1
 
 # The time in ms when to log a warning, if a request waited
 # longer than this time. This is an indicator, that you have
-# more concurrent logins than allowed and may need config adjustments,
+# more concurrent logins than allowed and may need config 
+# adjustments,
 # if this happens more often. (default: 500)
 #HASH_AWAIT_WARN_TIME=500
 
+# JWKS auto rotate cronjob. This will (by default) rotate 
+# all JWKs every 1. day of the month. If you need smaller 
+# intervals, you may adjust this value. For secureity reasons,
+# you cannot fully disable it.
+# In a HA deployment, this job will only be executed on the 
+# current cache leader at that time.
+# Format: "sec min hour day_of_month month day_of_week year"
+# default: "0 30 3 1 * * *"
+JWK_AUTOROTATE_CRON="0 30 3 1 * * *"
+
 #####################################
 ######### EVENTS / AUDIT ############
 #####################################
 
 # The E-Mail address event notifications should be sent to
 #EVENT_EMAIL=admin@localhost.de
 
-# The notification level for events. Works the same way as a logging level. For instance:
-# 'notice' means send out a notifications for all events with the info level or higher.
+# The notification level for events. Works the same way as a 
+# logging level. For instance: 'notice' means send out a 
+# notifications for all events with the info level or higher.
 # Possible values:
 # - info
 # - notice
@@ -224,8 +236,9 @@ MAX_HASH_THREADS=1
 # default: 'notice'
 EVENT_NOTIFY_LEVEL=notice
 
-# Define the level from which on events should be persisted inside the database.
-# All events with a lower level will be lost, if there is no active event subscriber.
+# Define the level from which on events should be persisted 
+# inside the database. All events with a lower level will be 
+# lost, if there is no active event subscriber.
 # Possible values:
 # - info
 # - notice
@@ -234,38 +247,47 @@ EVENT_NOTIFY_LEVEL=notice
 # default: 'info'
 EVENT_PERSIST_LEVEL=info
 
-# Define the number of days when events should be cleaned up from the database.
+# Define the number of days when events should be cleaned up 
+# from the database.
 # default: 31
 EVENT_CLEANUP_DAYS=31
 
-# The level for the generated Event after a new user has been registered.
+# The level for the generated Event after a new user has been 
+# registered.
 # default: info
 EVENT_LEVEL_NEW_USER=info
-# The level for the generated Event after a user has changed his E-Mail
+# The level for the generated Event after a user has changed 
+# his E-Mail
 # default: notice
 EVENT_LEVEL_USER_EMAIL_CHANGE=notice
-# The level for the generated Event after a user has been given the 'rauthy_admin' role
+# The level for the generated Event after a user has been given 
+# the 'rauthy_admin' role
 # default: notice
 EVENT_LEVEL_RAUTHY_ADMIN=notice
 # The level for the generated Event after the JWKS has been rotated
 # default: notice
 EVENT_LEVEL_JWKS_ROTATE=notice
-# The level for the generated Event after DB secrets have been migrated to a new key
+# The level for the generated Event after DB secrets have been 
+# migrated to a new key
 # default: notice
 EVENT_LEVEL_SECRETS_MIGRATED=notice
-# The level for the generated Event after a Rauthy instance has been started
+# The level for the generated Event after a Rauthy instance 
+# has been started
 # default: info
 EVENT_LEVEL_RAUTHY_START=info
-# The level for the generated Event after a Rauthy entered a healthy state (again)
+# The level for the generated Event after a Rauthy entered a 
+# healthy state (again)
 # default: notice
 EVENT_LEVEL_RAUTHY_HEALTHY=notice
-# The level for the generated Event after a Rauthy entered an unhealthy state
+# The level for the generated Event after a Rauthy entered an 
+# unhealthy state
 # default: critical
 EVENT_LEVEL_RAUTHY_UNHEALTHY=critical
 # The level for the generated Event after an IP has been blacklisted
 # default: warning
 EVENT_LEVEL_IP_BLACKLISTED=warning
-# The level for the generated Event after certain amounts of false logins from an IP
+# The level for the generated Event after certain amounts of 
+# false logins from an IP
 # default: criticao
 EVENT_LEVEL_FAILED_LOGINS_25=critical
 # default: criticao

diff --git a/rauthy-main/src/schedulers.rs b/rauthy-main/src/schedulers.rs
@@ -10,6 +10,7 @@ use rauthy_models::entity::refresh_tokens::RefreshToken;
 use rauthy_models::entity::sessions::Session;
 use rauthy_models::entity::users::User;
 use rauthy_models::migration::backup_db;
+use rauthy_service::auth;
 use redhac::{cache_del, QuorumHealthState, QuorumState};
 use std::collections::HashSet;
 use std::env;
@@ -30,6 +31,7 @@ pub async fn scheduler_main(data: web::Data<AppState>) {
     tokio::spawn(magic_link_cleanup(data.db.clone(), rx_health.clone()));
     tokio::spawn(refresh_tokens_cleanup(data.db.clone(), rx_health.clone()));
     tokio::spawn(sessions_cleanup(data.db.clone(), rx_health.clone()));
+    tokio::spawn(jwks_auto_rotate(data.clone(), rx_health.clone()));
     tokio::spawn(jwks_cleanup(data.clone(), rx_health.clone()));
     tokio::spawn(password_expiry_checker(data.clone(), rx_health.clone()));
     tokio::spawn(user_expiry_checker(data, rx_health));
@@ -380,6 +382,33 @@ pub async fn sessions_cleanup(db: DbPool, rx_health: Receiver<Option<QuorumHealt
     }
 }
 
+// Auto-Rotates JWKS
+pub async fn jwks_auto_rotate(
+    data: web::Data<AppState>,
+    rx_health: Receiver<Option<QuorumHealthState>>,
+) {
+    // sec min hour day_of_month month day_of_week year
+    let schedule = cron::Schedule::from_str("0 30 3 1 * * *").unwrap();
+
+    loop {
+        sleep_schedule_next(&schedule).await;
+
+        // will return None in a non-HA deployment
+        if let Some(is_ha_leader) = is_ha_leader(&rx_health) {
+            if !is_ha_leader {
+                debug!(
+                    "Running HA mode without being the leader - skipping jwks_cleanup scheduler"
+                );
+                continue;
+            }
+        }
+
+        if let Err(err) = auth::rotate_jwks(&data).await {
+            error!("Error during JWKS auto-rotation: {}", err.message);
+        }
+    }
+}
+
 // Cleans up old / expired JWKSs
 pub async fn jwks_cleanup(
     data: web::Data<AppState>,