Adjust id token config to save private key to file

.gitignore

@@ -20,6 +20,7 @@ vendor/cache/
 config/database.yml
 .rvmrc_custom
 .rvmrc.local
+oidc_key.pem
 
 # Mailing list stuff
 config/email_offset

app/controllers/api/openid_connect/id_tokens_controller.rb

@@ -8,7 +8,7 @@ module Api
       private
 
       def build_jwk
-        JSON::JWK.new(Api::OpenidConnect::IdTokenConfig.public_key, use: :sig)
+        JSON::JWK.new(Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY, use: :sig)
       end
     end
   end

app/models/api/openid_connect/id_token.rb

@@ -12,7 +12,7 @@ module Api
       end
 
       def to_jwt(options={})
-        to_response_object(options).to_jwt OpenidConnect::IdTokenConfig.private_key
+        to_response_object(options).to_jwt OpenidConnect::IdTokenConfig::PRIVATE_KEY
       end
 
       def to_response_object(options={})

features/step_definitions/auth_code_steps.rb

@@ -30,7 +30,7 @@ When /^I parse the tokens and use it obtain user info$/ do
   access_token = client_json["access_token"]
   encoded_id_token = client_json["id_token"]
   decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                Api::OpenidConnect::IdTokenConfig.public_key
+                                                                Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
   expect(decoded_token.sub).to eq(@me.diaspora_handle)
   get api_openid_connect_user_info_path, access_token: access_token
 end

lib/api/openid_connect/id_token_config.rb

 module Api
   module OpenidConnect
     class IdTokenConfig
-      @@key = OpenSSL::PKey::RSA.new(2048)
-      def self.public_key
-        @@key.public_key
-      end
-      def self.private_key
-        @@key
+      private_key = OpenSSL::PKey::RSA.new(2048)
+      key_file_path = File.join(Rails.root, "config", "oidc_key.pem")
+      if File.exist?(key_file_path)
+        private_key = OpenSSL::PKey::RSA.new(File.read(key_file_path))
+      else
+        open key_file_path, "w" do |io|
+          io.write private_key.to_pem
+        end
+        File.chmod(0600, key_file_path)
       end
+      PRIVATE_KEY = private_key
+      PUBLIC_KEY = private_key.public_key
     end
   end
 end

spec/controllers/api/openid_connect/authorizations_controller_spec.rb

@@ -146,7 +146,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
           expect(response.location).to have_content("id_token=")
           encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                        Api::OpenidConnect::IdTokenConfig.public_key
+                                                                        Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           expect(decoded_token.nonce).to eq("4130930983")
           expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
         end
@@ -164,7 +164,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
           expect(response.location).to have_content("id_token=")
           encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                        Api::OpenidConnect::IdTokenConfig.public_key
+                                                                        Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           expect(decoded_token.nonce).to eq("4130930983")
           expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
         end
@@ -196,7 +196,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
         it "should return the id token in a fragment" do
           encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                        Api::OpenidConnect::IdTokenConfig.public_key
+                                                                        Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           expect(decoded_token.nonce).to eq("4180930983")
           expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
         end
@@ -204,7 +204,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
         it "should return a valid access token in a fragment" do
           encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                        Api::OpenidConnect::IdTokenConfig.public_key
+                                                                        Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           access_token = response.location[/(?<=access_token=)[^&]+/]
           access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
           expect(decoded_token.at_hash).to eq(access_token_check_num)
@@ -227,7 +227,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
           expect(response.location).to have_content("id_token=")
           encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                        Api::OpenidConnect::IdTokenConfig.public_key
+                                                                        Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           expect(decoded_token.nonce).to eq("4180930983")
           expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
         end

spec/controllers/api/openid_connect/id_tokens_controller_spec.rb

@@ -13,7 +13,7 @@ describe Api::OpenidConnect::IdTokensController, type: :controller do
         JSON::JWK.decode jwk
       end
       public_key = public_keys.first
-      expect(Api::OpenidConnect::IdTokenConfig.private_key.public_key.to_s).to eq(public_key.to_s)
+      expect(Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY.to_s).to eq(public_key.to_s)
     end
   end
 end

spec/lib/api/openid_connect/token_endpoint_spec.rb

@@ -21,7 +21,7 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
         json = JSON.parse(response.body)
         encoded_id_token = json["id_token"]
         decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                      Api::OpenidConnect::IdTokenConfig.public_key
+                                                                      Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
         expected_guid = bob.pairwise_pseudonymous_identifiers.find_by(sector_identifier: "https://example.com/uri").guid
         expect(decoded_token.sub).to eq(expected_guid)
         expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
@@ -31,7 +31,7 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
         json = JSON.parse(response.body)
         encoded_id_token = json["id_token"]
         decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
-                                                                      Api::OpenidConnect::IdTokenConfig.public_key
+                                                                      Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
         access_token = json["access_token"]
         access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
         expect(decoded_token.at_hash).to eq(access_token_check_num)