feat(server): add JWT-based authorization mode

This mode is an alternative to whitelist authorization mode.
It extracts the JWT from the authorization header (bearer token),
validates token's signature, claimed expiry times and additional
(user-configurable) claims.

Author: kubkon

crates/notary/client/src/client.rs

@@ -7,6 +7,7 @@ use http_body_util::{BodyExt as _, Either, Empty, Full};
 use hyper::{
     body::{Bytes, Incoming},
     client::conn::http1::Parts,
+    header::AUTHORIZATION,
     Request, Response, StatusCode,
 };
 use hyper_util::rt::TokioIo;
@@ -136,6 +137,10 @@ pub struct NotaryClient {
     /// in notary server.
     #[builder(setter(into, strip_option), default)]
     api_key: Option<String>,
+    /// JWT token used to callnotary server endpoints if JWT authorization is enabled
+    /// in notary server.
+    #[builder(setter(into, strip_option), default)]
+    jwt: Option<String>,
     /// The duration of notarization request timeout in seconds.
     #[builder(default = "60")]
     request_timeout: usize,
@@ -290,6 +295,11 @@ impl NotaryClient {
                     configuration_request_builder.header(X_API_KEY_HEADER, api_key);
             }
 
+            if let Some(jwt) = &self.jwt {
+                configuration_request_builder =
+                    configuration_request_builder.header(AUTHORIZATION, format!("Bearer {jwt}"));
+            }
+
             let configuration_request = configuration_request_builder
                 .body(Either::Left(Full::new(Bytes::from(
                     configuration_request_payload,

crates/notary/server/Cargo.toml

@@ -32,6 +32,7 @@ config = { version = "0.14", features = ["yaml"] }
 csv = { version = "1.3" }
 eyre = { version = "0.6" }
 futures-util = { workspace = true }
+jsonwebtoken = { version = "9.3.1", features = ["use_pem"] }
 http = { workspace = true }
 http-body-util = { workspace = true }
 hyper = { workspace = true, features = ["client", "http1", "server"] }
@@ -45,6 +46,7 @@ pkcs8 = { workspace = true, features = ["pem"] }
 rustls = { workspace = true }
 rustls-pemfile = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
 serde_yaml = { version = "0.9" }
 sha1 = { version = "0.10" }
 structopt = { version = "0.3" }

crates/notary/server/README.md

@@ -145,12 +145,33 @@ After calling the configuration endpoint above, the prover can proceed to start
 Currently, both the private key (and cert) used to establish a TLS connection with the prover, and the private key used by the notary server to sign the notarized transcript, are hardcoded PEM keys stored in this repository. Though the paths of these keys can be changed in the config (`notary-key` field) to use different keys instead.
 
 #### Authorization
-An optional authorization module is available to only allow requests with a valid API key attached in the custom HTTP header `X-API-Key`. The API key whitelist path (as well as the flag to enable/disable this module) can be changed in the config (`authorization` field).
+An optional authorization module is available to only allow requests with a valid credential attached. Currently, two modes are supported: whitelist and JWT.
+
+Please note that only *one* mode can be active at any one time.
+
+##### Whitelist mode
+In whitelist mode, an API key is attached in the custom HTTP header `X-API-Key`. The API key whitelist path (as well as the flag to enable/disable this module) can be changed in the config (`authorization` field).
 
 Hot reloading of the whitelist is supported, i.e. modification of the whitelist file will be automatically applied without needing to restart the server. Please take note of the following
 - Avoid using auto save mode when editing the whitelist to prevent spamming hot reloads
 - Once the edit is saved, ensure that it has been reloaded successfully by checking the server log
 
+##### JWT mode
+In JWT mode, JSON Web Token is attached in the standard `Authorization` HTTP header as a bearer token. The path to decoding key as well as custom user claims can be changed in the 
+config (`authorization` field).
+
+An example JWT config may look something like this:
+
+```yaml
+authorization:
+  enabled: true
+  jwt:
+    public_key_pem_path: "./fixture/auth/jwt.key.pub"
+    claims:
+      - name: sub
+        values: ["tlsnotary"]
+```
+
 #### Optional TLS
 TLS between the prover and the notary is currently manually handled in this server, though it can be turned off if any of the following is true
 - This server is run locally

crates/notary/server/config/config.yaml

@@ -43,6 +43,11 @@ logging:
 
 authorization:
   enabled: false
-  whitelist_csv_path: "./fixture/auth/whitelist.csv"
+  whitelist: "./fixture/auth/whitelist.csv"
+  # jwt:
+  #   public_key_pem_path: "./fixture/auth/jwt.key.pub"
+  #   claims:
+  #     - name: sub
+  #       values: ["tlsnotary"]
 
 concurrency: 32

crates/notary/server/fixture/auth/jwt.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAxkfGQo2iyUK6sV84rvsb6d4IlorFaX4WDwDnEP/zU2Pduwf7
+kV39x6oqJzNjmfXm/RkcaAZXQdbvjBA9uwM7cd2Z7hMWLT3oix66Qv9d3+PWcdJt
+TUVK710+QflZJqOEFOt30eNHm/8pN6z1P6YSZvYpHMVlCC7tL8OLWcMH9gYmUH6c
+WOdzCaCigdQD1CqE9TG7jZlIepiWI7QMD7v/yN8tZoV8EzW25JdGPe4gtetBl1O+
+QoAUpuQp7JSUxV4RR8HArGGSQ0OHHZMcfWx/CoLBUyXlmSCC21sSl634l7+HUM6U
+/dHo1b+XSMpjjVCTjd0lDFCU+kiLtapdcCiJDijSj+a4xkJP+uvxpTZuB6A4W31e
+DeKPIeutPAwcnw8UktdX6eiAt1ONAxB+ytZNcdrAUbMdIcocrMxgyPtCWBgDX1LK
+fpPlRTBRI50mdFkIOp9dh02ijpWAYXaFA65aI8Tqh9j3wzbvFsCWpBfK7Zcbl7BZ
+skAvXCjnPHDdup5sesnYrhOOG4jo2/nho7AmEEkvZVDyH9jDPrA6imljFX1gpKvW
+mtERY7eor3gPI6FFOUh8qwEOB4lTsj9DUd75vvRlaPU7ibvFTdLVoRiXkAraKR59
+WmcOpAfut9yOxNaE+M25jY/Jj+crptEt0MmezfowRimt3wpQ0C7i6hCBgrMCAwEA
+AQKCAgAx05WR4e/XbapmqkwfRMEV+xLjacoEIYg/ivWGAxvNh9oPhwkD1b/RbgSb
+x0EvTmkWjznhNj61L+MQqoAov74vdgWZmzhGdDk8xKL/9RZNDf80qTGIanJTRnY/
+s/5gRFULwMRifR/gprVf5VnX/c7ACvn33e7uqIQ4LYaWLvmQLKlyLu7xNHBnKfPM
+dk/kAC9bQn0kLzHUhQWtwTAKwC6d9t981OyCE0x7kzw2keGsdYsNESFNqswFyG50
+oj3kfygOhTT63KYZux14JCDTr/EY3hTg5TQWT+IyZ2d7sF85GwtRFijAxAAjvrqw
+sxNjTq1VyA3oU1OstZBOPZqvdbBC6ZpIiWyPE5j+H4R2/rxnKc/nwI+PXU5L1qKf
+kB8yUsXxZQA9KY48VU3Z3WZxGWZwoU8Z+WUN6rJknZkVfk14GdQrf6BNyUVQk/Rd
+W1bGZB11CHH80LRdsx5T7B2gwq41EJ33+8Hd8S/9YeSWMnHKkpH39bjMu328jn8U
+0TaXQ8H/ZMwEmDZ74nmct4VnmF09dxdIHILKyohjGuU9nUBXnXw8orJPXgFlOkmn
+G55/sMqDwnnz9O7wGptY3Vx7xCO4I9N4CijUw065dyZaY6wzyph9dAurnDu0MmA7
+o0JwnhI2iKwPU8hq6nm2Ku2YNz7f0O5v5NMtw5z4lrOo4TX6MQKCAQEA/eLuS+dz
+mrLEpKCDi63y1G6SYDM+mHWaN3B/y6XVgVjGyZWvebMIol5nGo0URdUHqXVw4krt
+Hjr3AulSASr4s75wfk2bVwVuUQfCQrM+zvqBcApWJq+Ve7LEIYRchr8+vlyqiBBV
+IV/XyL/KshSXKDscf/1J881M+ZxuGCfqQ0TADJ7592nHCXcDJ8XJXkPRQQEN2QwT
+DGdYDIo276IfbiY2MAjCQRvzdGUocfeNZ5SYXOODhS2n99aLWsK3uXG74+tzFZhl
+5fJVjxuipZVO4ycEHX8BYqikXQzQKe8UW2Z2Xhb4CQCDw58KXbLShhtRB16m7HJN
+2nPXQYN2S6OMawKCAQEAx+5Ww2MPGLa5gvuJTE/qK4pXHrOGA/QM55qqtMlCPZEz
+8/3qgcbkKAQL0GJe8Xlsuu0oKBYxIZQnimxlUAFq776b62s5DJuKMA5WhgTRO7Zg
+mV5FZUtx+1H9W7GQsDWYlMjUmZOCvefu5qXOLH5gr9AS3Ckyfq1i8xwvAyXRr/4B
+jAFtSUgQpbkFhjQtjEVcFEdJhz4OtIbXD0AWgMPSysH2ABZf+tht27mEvAuBCKzn
+qa3aQuR5+D7fuDIN9To5QlFUX52vY+xLiaHgUuqC1Ud7y5TKlfNuG+IbYAUWTddS
+j62m1G7xBAAAn+D6PX8egQe8EeTWBUaX159YlX102QKCAQEA4C5atsF4DfietLNb
+lKITksrUC4gUVLE7bIq0/ZDAV0eZuHSpDrAtBpqPNh2u8f6qllKyS89XU2NDq9l0
+ZL2Z/7VARfanHQ8Zmwlb2mPGKSN/2fv2mJBgUWrHzsS+oukKMTNIDX9GfILR2lyo
+UdjmpEqV3to8S8BToPElMcVFEQMLBdn25SYM72mcaqk2JzuA8YJJxQbpZwF1+RSu
+b6jbUfsBzCZfyPgyX+vW69NolDbc1uC6yIVJFQnn4UugyWoJO7cy1rXL/GCgdg4z
+7zxI/UD9XEJCaeh5wgRHZ0/JzO9Lw8dKW0COGNU9ZQE67dn/EZ/di1lfL28sepfn
+g+C1YwKCAQBnOzJDeq991ENfVV+kLpM73hdzu8BT5DyRjbPc2xo/zeykbBQc5ERE
+QSqUc2aQimDQ98lHQYYmz2fHOobpU4ISvjmlydxQHTOx8oVMd8pNabLhHeL5FYaJ
+/OCz6rBJu7LICBZ2IctdIReisjQNl0d3IBnM4dy3ufEglAnWNz3ZAG9uCgKS1wn5
+d9pZXDG0fs+3jMNzeGCBaCo9Lpsv62y40oOhsevnCr9Wt6jIq6v5fcW0QBc1eOFd
+g6Fiaz33xBNyoanOIQ5Bqu2p6BJ63ammVF2gVXhxCpts/EekQZwtnyN7Gm/Mumfp
+59JquvCatjta5lJ+bsjvOm8Gn7lOntOpAoIBAFQqUgq5XllVEAyvsdUrXhv0zTb+
+AeM49hHcGPL3S/pOkiHqsbCfjJe1v5Jqcm579s/O4lqtuL2e4INNqOVmxkOfRbFh
+oRioUrdAsWv8t2Q6CkXhwoK59kJwitOaF00OyixxdCO9WY6qhg+ZZgZDiLnM7V7b
+u8zMvwgqDKD3+7tTjM318bEyE4MCooh9vVD3CxOcdc7oe9TnZvxyuUIRB6UBEyTg
+jfvGcyDTSzW3P4SetKOqenk0HuDTPGHtGjYpRnKFfRRcHOqo3p/l1Z+l08alLNAS
+wAREawpeuKGx9/ZrhTrqgLTkbx7lSwP9aTKPQka1CtGvgSUohqQ3OPrG0Jk=
+-----END RSA PRIVATE KEY-----

crates/notary/server/fixture/auth/jwt.key.pub

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxkfGQo2iyUK6sV84rvsb
+6d4IlorFaX4WDwDnEP/zU2Pduwf7kV39x6oqJzNjmfXm/RkcaAZXQdbvjBA9uwM7
+cd2Z7hMWLT3oix66Qv9d3+PWcdJtTUVK710+QflZJqOEFOt30eNHm/8pN6z1P6YS
+ZvYpHMVlCC7tL8OLWcMH9gYmUH6cWOdzCaCigdQD1CqE9TG7jZlIepiWI7QMD7v/
+yN8tZoV8EzW25JdGPe4gtetBl1O+QoAUpuQp7JSUxV4RR8HArGGSQ0OHHZMcfWx/
+CoLBUyXlmSCC21sSl634l7+HUM6U/dHo1b+XSMpjjVCTjd0lDFCU+kiLtapdcCiJ
+DijSj+a4xkJP+uvxpTZuB6A4W31eDeKPIeutPAwcnw8UktdX6eiAt1ONAxB+ytZN
+cdrAUbMdIcocrMxgyPtCWBgDX1LKfpPlRTBRI50mdFkIOp9dh02ijpWAYXaFA65a
+I8Tqh9j3wzbvFsCWpBfK7Zcbl7BZskAvXCjnPHDdup5sesnYrhOOG4jo2/nho7Am
+EEkvZVDyH9jDPrA6imljFX1gpKvWmtERY7eor3gPI6FFOUh8qwEOB4lTsj9DUd75
+vvRlaPU7ibvFTdLVoRiXkAraKR59WmcOpAfut9yOxNaE+M25jY/Jj+crptEt0Mme
+zfowRimt3wpQ0C7i6hCBgrMCAwEAAQ==
+-----END PUBLIC KEY-----

crates/notary/server/openapi.yaml

@@ -15,6 +15,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       responses:
         '200':
           description: Ok response from server
@@ -38,6 +39,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       responses:
         '200':
           description: Info response from server
@@ -60,6 +62,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       parameters:
       - in: header
         name: Content-Type
@@ -212,4 +215,9 @@ components:
       type: apiKey
       in: header
       name: X-API-Key
-      description: Whitelisted API key if auth module is turned on
+      description: Whitelisted API key if auth module is turned on and in whitelist mode
+    BearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: JSON Web Token if auth module is turned on and in JWT mode

crates/notary/server/src/config.rs

@@ -36,8 +36,55 @@ impl Default for NotaryServerProperties {
 pub struct AuthorizationProperties {
     /// Switch to turn on or off auth middleware
     pub enabled: bool,
+    /// Authorization mode to use: JWT or whitelist
+    #[serde(flatten)]
+    pub mode: Option<AuthorizationModeProperties>,
+}
+
+#[derive(Clone, Debug, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum AuthorizationModeProperties {
+    /// JWT authorization properties
+    Jwt(JwtAuthorizationProperties),
     /// File path of the whitelist API key csv
-    pub whitelist_csv_path: Option<String>,
+    Whitelist(String),
+}
+
+impl AuthorizationModeProperties {
+    pub fn as_whitelist(&self) -> Option<String> {
+        match self {
+            Self::Jwt(..) => None,
+            Self::Whitelist(path) => Some(path.clone()),
+        }
+    }
+}
+
+#[derive(Clone, Debug, Deserialize, Default)]
+pub struct JwtAuthorizationProperties {
+    /// File path to JWT public key for verifying token signatures
+    pub public_key_pem_path: String,
+    /// Set of required JWT claims
+    #[serde(default)]
+    pub claims: Vec<JwtClaim>,
+}
+
+#[derive(Clone, Debug, Deserialize, Default)]
+pub struct JwtClaim {
+    /// Name of the claim
+    pub name: String,
+    /// Optional set of expected values for the claim
+    #[serde(default)]
+    pub values: Vec<String>,
+    /// Optional expected type for the claim
+    #[serde(default)]
+    pub value_type: JwtClaimValueType,
+}
+
+#[derive(Clone, Debug, Deserialize, Default)]
+#[serde(rename_all = "kebab-case")]
+pub enum JwtClaimValueType {
+    #[default]
+    String,
 }
 
 #[derive(Clone, Debug, Deserialize, Default)]