cmd: Allows import of PEM/DER/JSON encoded keys

Closes #98

Signed-off-by: arekkas <aeneas@ory.am>

Author: arekkas

cmd/cli/handler_client.go

@@ -45,7 +45,7 @@ func newClientHandler(c *config.Config) *ClientHandler {
 }
 
 func (h *ClientHandler) newClientManager(cmd *cobra.Command) *hydra.OAuth2Api {
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd))
 
 	fakeTlsTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
 	c.Configuration.Transport = &http.Transport{

cmd/cli/handler_helper.go

@@ -30,11 +30,14 @@ import (
 )
 
 func checkResponse(response *hydra.APIResponse, err error, expectedStatusCode int) {
-	pkg.Must(err, "Command failed because error \"%s\" occurred.\n", err)
+	if response != nil {
+		pkg.Must(err, "Command failed because calling \"%s %s\" resulted in error \"%s\" occurred.\n%s\n", response.Request.Method, response.RequestURL, err, response.Payload)
+	} else {
+		pkg.Must(err, "Command failed because error \"%s\" occurred and no response is available.\n", err)
+	}
 
 	if response.StatusCode != expectedStatusCode {
-		fmt.Fprintf(os.Stderr, "Command failed because status code %d was expeceted but code %d was received.\n", expectedStatusCode, response.StatusCode)
-		fmt.Fprintf(os.Stderr, "The server responded with:\n%s\n", response.Payload)
+		fmt.Fprintf(os.Stderr, "Command failed because calling \"%s %s\" resulted in status code \"%d\" but code \"%d\" was expected.\n%s\n", response.Request.Method, response.RequestURL, expectedStatusCode, response.StatusCode, response.Payload)
 		os.Exit(1)
 		return
 	}

cmd/cli/handler_introspection.go

@@ -51,7 +51,7 @@ func (h *IntrospectionHandler) Introspect(cmd *cobra.Command, args []string) {
 		return
 	}
 
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd))
 
 	clientID, _ := cmd.Flags().GetString("client-id")
 	clientSecret, _ := cmd.Flags().GetString("client-secret")

cmd/cli/handler_jwk.go

@@ -21,21 +21,29 @@
 package cli
 
 import (
+	"bytes"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
+	"os"
 
+	"github.com/mendsley/gojwk"
 	"github.com/ory/hydra/config"
+	"github.com/ory/hydra/pkg"
 	hydra "github.com/ory/hydra/sdk/go/hydra/swagger"
+	"github.com/pborman/uuid"
 	"github.com/spf13/cobra"
+	"gopkg.in/square/go-jose.v2"
 )
 
 type JWKHandler struct {
 	Config *config.Config
 }
 
 func (h *JWKHandler) newJwkManager(cmd *cobra.Command) *hydra.JsonWebKeyApi {
-	c := hydra.NewJsonWebKeyApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+	c := hydra.NewJsonWebKeyApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd))
 
 	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
 	c.Configuration.Transport = &http.Transport{
@@ -76,6 +84,114 @@ func (h *JWKHandler) CreateKeys(cmd *cobra.Command, args []string) {
 	fmt.Printf("%s\n", formatResponse(keys))
 }
 
+func toSDKFriendlyJSONWebKey(key interface{}, kid string, use string, public bool) jose.JSONWebKey {
+	if jwk, ok := key.(*jose.JSONWebKey); ok {
+		key = jwk.Key
+		if jwk.KeyID != "" {
+			kid = jwk.KeyID
+		}
+		if jwk.Use != "" {
+			use = jwk.Use
+		}
+	}
+
+	var err error
+	var jwk *gojwk.Key
+	if public {
+		jwk, err = gojwk.PublicKey(key)
+		pkg.Must(err, "Unable to convert public key to JSON Web Key because %s", err)
+	} else {
+		jwk, err = gojwk.PrivateKey(key)
+		pkg.Must(err, "Unable to convert private key to JSON Web Key because %s", err)
+	}
+
+	return jose.JSONWebKey{
+		KeyID:     kid,
+		Use:       use,
+		Algorithm: jwk.Alg,
+		Key:       key,
+	}
+}
+
+func (h *JWKHandler) ImportKeys(cmd *cobra.Command, args []string) {
+	if len(args) < 2 {
+		fmt.Println(cmd.UsageString())
+		return
+	}
+
+	id := args[0]
+	use, _ := cmd.Flags().GetString("use")
+	client := &http.Client{}
+
+	if skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify"); skipTLSTermination {
+		client.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSTermination}}
+	}
+
+	u := h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd) + "/keys/" + id
+	request, err := http.NewRequest("GET", u, nil)
+	pkg.Must(err, "Unable to initialize HTTP request")
+
+	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
+		request.Header.Set("X-Forwarded-Proto", "https")
+	}
+
+	if token, _ := cmd.Flags().GetString("access-token"); token != "" {
+		request.Header.Set("Authorization", "Bearer "+token)
+	}
+
+	response, err := client.Do(request)
+	pkg.Must(err, "Unable to fetch data from %s because %s", u, err)
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNotFound {
+		fmt.Printf("Expected status code 200 or 404 but got %d while fetching data from %s.\n", response.StatusCode, u)
+		os.Exit(1)
+	}
+
+	var set jose.JSONWebKeySet
+	pkg.Must(json.NewDecoder(response.Body).Decode(&set), "Unable to decode payload to JSON")
+
+	for _, path := range args[1:] {
+		file, err := ioutil.ReadFile(path)
+		pkg.Must(err, "Unable to read file %s", path)
+
+		if key, privateErr := pkg.LoadPrivateKey(file); privateErr != nil {
+			key, publicErr := pkg.LoadPublicKey(file)
+			if publicErr != nil {
+				fmt.Printf("Unable to read key from file %s. Decoding file to private key failed with reason \"%s\" and decoding it to public key failed with reason \"%s\".\n", path, privateErr, publicErr)
+				os.Exit(1)
+			}
+
+			set.Keys = append(set.Keys, toSDKFriendlyJSONWebKey(key, "public:"+uuid.New(), use, true))
+		} else {
+			set.Keys = append(set.Keys, toSDKFriendlyJSONWebKey(key, "private:"+uuid.New(), use, false))
+		}
+
+		fmt.Printf("Successfully loaded key from file %s\n", path)
+	}
+
+	body, err := json.Marshal(&set)
+	pkg.Must(err, "Unable to encode JSON Web Keys to JSON")
+
+	request, err = http.NewRequest("PUT", u, bytes.NewReader(body))
+	pkg.Must(err, "Unable to initialize HTTP request")
+
+	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
+		request.Header.Set("X-Forwarded-Proto", "https")
+	}
+
+	if token, _ := cmd.Flags().GetString("access-token"); token != "" {
+		request.Header.Set("Authorization", "Bearer "+token)
+	}
+	request.Header.Set("Content-Type", "application/json")
+
+	response, err = client.Do(request)
+	pkg.Must(err, "Unable to post data to %s because %s", u, err)
+	defer response.Body.Close()
+
+	fmt.Println("Keys successfully imported!")
+}
+
 func (h *JWKHandler) GetKeys(cmd *cobra.Command, args []string) {
 	m := h.newJwkManager(cmd)
 	if len(args) != 1 {

cmd/cli/handler_token.go

@@ -36,7 +36,7 @@ type TokenHandler struct {
 }
 
 func (h *TokenHandler) newTokenManager(cmd *cobra.Command) *hydra.OAuth2Api {
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd))
 
 	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
 	c.Configuration.Transport = &http.Transport{
@@ -64,7 +64,7 @@ func (h *TokenHandler) RevokeToken(cmd *cobra.Command, args []string) {
 		return
 	}
 
-	handler := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+	handler := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlashOrFail(cmd))
 
 	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
 	handler.Configuration.Transport = &http.Transport{

cmd/keys_import.go

@@ -0,0 +1,42 @@
+// Copyright © 2018 NAME HERE <EMAIL ADDRESS>
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// keysImportCmd represents the import command
+var keysImportCmd = &cobra.Command{
+	Use:   "import <set> <file-1> [<file-2> [<file-3 [<...>]]]",
+	Short: "Imports cryptographic keys of any format to the JSON Web Key Store",
+	Long: `This command allows you to import cryptographic keys to the JSON Web Key Store.
+
+Currently supported formats are raw JSON Web Keys or PEM/DER encoded data. If the JSON Web Key Set exists already,
+the imported keys will be added to that set. Otherwise, a new set will be created.
+
+Please be aware that importing a private key does not automatically import its public key as well.
+
+Examples:
+	hydra keys import my-set ./path/to/jwk.json ./path/to/jwk-2.json
+	hydra keys import my-set ./path/to/rsa.key ./path/to/rsa.pub
+`,
+	Run: cmdHandler.Keys.ImportKeys,
+}
+
+func init() {
+	keysCmd.AddCommand(keysImportCmd)
+	keysImportCmd.Flags().String("use", "sig", "Sets the \"use\" value of the JSON Web Key if not \"use\" value was defined by the key itself")
+}

cmd/root_test.go

@@ -87,6 +87,8 @@ func TestExecute(t *testing.T) {
 		{args: []string{"keys", "rotate", "--endpoint", endpoint, "foo"}},
 		{args: []string{"keys", "get", "--endpoint", endpoint, "foo"}},
 		{args: []string{"keys", "delete", "--endpoint", endpoint, "foo"}},
+		{args: []string{"keys", "import", "--endpoint", endpoint, "import-1", "../test/stub/ecdh.key", "../test/stub/ecdh.pub"}},
+		{args: []string{"keys", "import", "--endpoint", endpoint, "import-2", "../test/stub/rsa.key", "../test/stub/rsa.pub"}},
 		{args: []string{"token", "revoke", "--endpoint", endpoint, "--client-secret", "foobar", "--client-id", "foobarbaz", "foo"}},
 		{args: []string{"token", "client", "--endpoint", endpoint, "--client-secret", "foobar", "--client-id", "foobarbaz"}},
 		{args: []string{"help", "migrate", "sql"}},

cmd/token_client.go

@@ -76,8 +76,8 @@ var tokenClientCmd = &cobra.Command{
 
 		scopes, _ := cmd.Flags().GetStringSlice("scope")
 
-		cu, err := url.Parse(c.GetClusterURLWithoutTailingSlash(cmd))
-		pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlash(cmd), err)
+		cu, err := url.Parse(c.GetClusterURLWithoutTailingSlashOrFail(cmd))
+		pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlashOrFail(cmd), err)
 
 		clientID, _ := cmd.Flags().GetString("client-id")
 		clientSecret, _ := cmd.Flags().GetString("client-secret")

cmd/token_user.go

@@ -76,13 +76,13 @@ var tokenUserCmd = &cobra.Command{
 		}
 
 		if backend == "" {
-			bu, err := url.Parse(c.GetClusterURLWithoutTailingSlash(cmd))
-			pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlash(cmd), err)
+			bu, err := url.Parse(c.GetClusterURLWithoutTailingSlashOrFail(cmd))
+			pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlashOrFail(cmd), err)
 			backend = urlx.AppendPaths(bu, "/oauth2/token").String()
 		}
 		if frontend == "" {
-			fu, err := url.Parse(c.GetClusterURLWithoutTailingSlash(cmd))
-			pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlash(cmd), err)
+			fu, err := url.Parse(c.GetClusterURLWithoutTailingSlashOrFail(cmd))
+			pkg.Must(err, `Unable to parse cluster url ("%s"): %s`, c.GetClusterURLWithoutTailingSlashOrFail(cmd), err)
 			frontend = urlx.AppendPaths(fu, "/oauth2/auth").String()
 		}
 

pkg/jose-utils.go

@@ -0,0 +1,102 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pkg
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+
+	"gopkg.in/square/go-jose.v2"
+)
+
+func LoadJSONWebKey(json []byte, pub bool) (*jose.JSONWebKey, error) {
+	var jwk jose.JSONWebKey
+	err := jwk.UnmarshalJSON(json)
+	if err != nil {
+		return nil, err
+	}
+	if !jwk.Valid() {
+		return nil, errors.New("invalid JWK key")
+	}
+	if jwk.IsPublic() != pub {
+		return nil, errors.New("priv/pub JWK key mismatch")
+	}
+	return &jwk, nil
+}
+
+// LoadPublicKey loads a public key from PEM/DER/JWK-encoded data.
+func LoadPublicKey(data []byte) (interface{}, error) {
+	input := data
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		input = block.Bytes
+	}
+
+	// Try to load SubjectPublicKeyInfo
+	pub, err0 := x509.ParsePKIXPublicKey(input)
+	if err0 == nil {
+		return pub, nil
+	}
+
+	cert, err1 := x509.ParseCertificate(input)
+	if err1 == nil {
+		return cert.PublicKey, nil
+	}
+
+	jwk, err2 := LoadJSONWebKey(data, true)
+	if err2 == nil {
+		return jwk, nil
+	}
+
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2)
+}
+
+// LoadPrivateKey loads a private key from PEM/DER/JWK-encoded data.
+func LoadPrivateKey(data []byte) (interface{}, error) {
+	input := data
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		input = block.Bytes
+	}
+
+	var priv interface{}
+	priv, err0 := x509.ParsePKCS1PrivateKey(input)
+	if err0 == nil {
+		return priv, nil
+	}
+
+	priv, err1 := x509.ParsePKCS8PrivateKey(input)
+	if err1 == nil {
+		return priv, nil
+	}
+
+	priv, err2 := x509.ParseECPrivateKey(input)
+	if err2 == nil {
+		return priv, nil
+	}
+
+	jwk, err3 := LoadJSONWebKey(input, false)
+	if err3 == nil {
+		return jwk, nil
+	}
+
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s', '%s' and '%s'", err0, err1, err2, err3)
+}