Commit 87aff048 authored by John Franklin's avatar John Franklin

Manage private keys with key_asymmetric.

parent 2f96f72e
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
"source": "https://git.drupalcode.org/project/login_gov" "source": "https://git.drupalcode.org/project/login_gov"
}, },
"require": { "require": {
"drupal/key_asymmetric": "^1.1",
"drupal/openid_connect": "^2.0", "drupal/openid_connect": "^2.0",
"firebase/php-jwt": "^6.3" "firebase/php-jwt": "^6.3"
} }
...@@ -30,7 +30,7 @@ openid_connect.client.plugin.login_gov: ...@@ -30,7 +30,7 @@ openid_connect.client.plugin.login_gov:
force_reauth: force_reauth:
type: boolean type: boolean
label: 'Force reauthorization' label: 'Force reauthorization'
private_key: key_private_key:
type: text type: string
label: 'Private key in PEM format' label: 'Key ID from Key Module'
...@@ -5,3 +5,4 @@ core_version_requirement: ^8.8 || ^9 ...@@ -5,3 +5,4 @@ core_version_requirement: ^8.8 || ^9
package: 'User authentication' package: 'User authentication'
dependencies: dependencies:
- openid_connect:openid_connect (>=2.0) - openid_connect:openid_connect (>=2.0)
- key_asymmetric:key_asymmetric
<?php
/**
* @file
* Contains update functions for the login_gov module.
*/
use Drupal\key\Entity\Key;
/**
* Implements hook_update_N().
*
* Convert old private keys to Key entities.
*/
function login_gov_update_9001(&$sandbox) {
$clients = \Drupal::entityTypeManager()->getStorage('openid_connect_client')->loadByProperties(['plugin' => 'login_gov']);
foreach ($clients as $id => $client) {
$settings = $client->get('settings');
// Skip entries without a private key.
if (empty($settings['private_key'])) {
continue;
}
// Choose a new unique key id.
$key_id = $id . '_private_key';
$index = 1;
while (Key::load($key_id)) {
$key_id = $id . '_private_key_' . $index++;
}
// Generate a new Private key object.
Key::create([
'id' => $key_id,
'label' => $client->label() . ' private key',
'description' => 'Automatically converted from Login.gov config.',
'key_type' => 'asymmetric_private',
'key_type_settings' => key_asymmetric_get_key_properties($settings['private_key']),
'key_provider_settings' => ['key_value' => $settings['private_key']],
])->save();
// Update the client to use the new key.
$client->set('settings', [
'key_private_key' => $key_id,
'private_key' => NULL,
]);
$client->save();
}
}
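Review bot: `$client->set('settings', [...])` at the bottom of the loop replaces the whole settings array with two keys, so every other value read into `$settings` at the top of the loop (client id, secret and the rest of the plugin configuration) is lost by the migration. Modify the array already loaded instead: `$settings['key_private_key'] = $key_id;` `unset($settings['private_key']);` `$client->set('settings', $settings);` — `unset` rather than `NULL`, because this commit also drops `private_key` from the config schema and a saved key without a schema entry will presumably trip strict schema checking. Two hedged points: `Key::create()` names no `key_provider`, so the PEM presumably lands in the default (config) provider and stays in exported configuration exactly as before — say so in the hook docblock so administrators know to move it to a file or environment provider; and `key_asymmetric_get_key_properties()` is called unconditionally, so if key_asymmetric is not yet enabled when this update runs the hook fatals — `\Drupal::service('module_installer')->install(['key_asymmetric']);` before the loop would cover that. Returning a short status string from the hook would also make the conversion visible in the update log.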
...@@ -8,6 +8,7 @@ use Drupal\Core\Form\FormStateInterface; ...@@ -8,6 +8,7 @@ use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\GeneratedUrl; use Drupal\Core\GeneratedUrl;
use Drupal\Core\Link; use Drupal\Core\Link;
use Drupal\Core\Url; use Drupal\Core\Url;
use Drupal\key\Entity\Key;
use Drupal\openid_connect\Plugin\OpenIDConnectClientBase; use Drupal\openid_connect\Plugin\OpenIDConnectClientBase;
use Firebase\JWT\JWK; use Firebase\JWT\JWK;
use Firebase\JWT\JWT; use Firebase\JWT\JWT;
...@@ -94,7 +95,7 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase { ...@@ -94,7 +95,7 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase {
'count' => 1, 'count' => 1,
'units' => 'y', 'units' => 'y',
], ],
'private_key' => '', 'key_private_key' => NULL,
]; ];
} }
...@@ -178,11 +179,12 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase { ...@@ -178,11 +179,12 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase {
'#description' => $this->t('Require the user to login again to Login.gov. <em>Requires login.gov administrator approval.</em>'), '#description' => $this->t('Require the user to login again to Login.gov. <em>Requires login.gov administrator approval.</em>'),
]; ];
$form['private_key'] = [ $form['key_private_key'] = [
'#title' => $this->t('Private key in PEM format'), '#title' => $this->t('Key from Key'),
'#type' => 'textarea', '#type' => 'key_select',
'#default_value' => $this->configuration['private_key'], '#default_value' => $this->configuration['key_private_key'],
'#description' => $this->t('Need to put this someplace more secure.'), '#key_filters' => ['type' => ['asymmetric_private']],
'#description' => ' ' . $this->t('A Private key managed by the @key_module.', ['@key_module' => Link::fromTextAndUrl($this->t('Key module'), Url::fromRoute('entity.key.collection'))->toString()]),
]; ];
// Add some custom CSS. // Add some custom CSS.
...@@ -261,7 +263,10 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase { ...@@ -261,7 +263,10 @@ class OpenIDConnectLoginGovClient extends OpenIDConnectClientBase {
* The private key in PEM format. * The private key in PEM format.
*/ */
protected function getPrivateKey(): ?string { protected function getPrivateKey(): ?string {
return $this->configuration['private_key']; $key = Key::load($this->configuration['key_private_key']);
// Return the key's KeyValue, or fall back to the old configuration if there
// is no Key.
return $key ? $key->getKeyValue() : $this->configuration['private_key'];
} }
/** /**
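Review bot: In `getPrivateKey()` the fallback `$this->configuration['private_key']` reads a key this commit removes from `defaultConfiguration()` (the `'key_private_key' => NULL` hunk) and from the config schema, so on a client created after this change the index is undefined and PHP emits a warning, and `Key::load()` is reached with the NULL default when no key has been selected. Guard both: `$key_id = $this->configuration['key_private_key'] ?? NULL;` `$key = $key_id ? Key::load($key_id) : NULL;` `return $key ? $key->getKeyValue() : ($this->configuration['private_key'] ?? NULL);`. In the form hunk, `' ' . $this->t(...)` for `#description` turns the TranslatableMarkup into a plain string, which I believe Twig autoescaping will then escape so the embedded link shows as literal markup rather than a link — dropping the `' ' .` prefix keeps the markup object intact. The `#title` 'Key from Key' reads oddly; something like 'Private key (Key module)' would tell the administrator what is being selected. The enclosing class and the `buildConfigurationForm`/`getPrivateKey` bodies extend outside the hunks.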