consul/test/integration/consul-container/libs/utils/helpers.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package utils

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/go-jose/go-jose/v3"
	"github.com/go-jose/go-jose/v3/jwt"
	"github.com/hashicorp/consul/api"
)

func ApplyDefaultProxySettings(c *api.Client) (bool, error) {
	req := &api.ProxyConfigEntry{
		Name: "global",
		Kind: "proxy-defaults",
		Config: map[string]any{
			"protocol": "tcp",
		},
	}
	ok, _, err := c.ConfigEntries().Set(req, &api.WriteOptions{})
	return ok, err
}

// Generates a private and public key pair that is for signing
// JWT.
func GenerateKey() (pub, priv string, err error) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	if err != nil {
		return "", "", fmt.Errorf("error generating private key: %w", err)
	}

	{
		derBytes, err := x509.MarshalECPrivateKey(privateKey)
		if err != nil {
			return "", "", fmt.Errorf("error marshaling private key: %w", err)
		}
		priv = string(pem.EncodeToMemory(&pem.Block{
			Type:  "EC PRIVATE KEY",
			Bytes: derBytes,
		}))
	}
	{
		derBytes, err := x509.MarshalPKIXPublicKey(privateKey.Public())
		if err != nil {
			return "", "", fmt.Errorf("error marshaling public key: %w", err)
		}
		pub = string(pem.EncodeToMemory(&pem.Block{
			Type:  "PUBLIC KEY",
			Bytes: derBytes,
		}))
	}

	return pub, priv, nil
}

// SignJWT will bundle the provided claims into a signed JWT. The provided key
// is assumed to be ECDSA.
//
// If no private key is provided, it will generate a private key. These can
// be retrieved via the SigningKeys() method.
func SignJWT(privKey string, claims jwt.Claims, privateClaims interface{}) (string, error) {
	var err error
	if privKey == "" {
		_, privKey, err = GenerateKey()
		if err != nil {
			return "", err
		}
	}
	var key *ecdsa.PrivateKey
	block, _ := pem.Decode([]byte(privKey))
	if block != nil {
		key, err = x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
	}

	sig, err := jose.NewSigner(
		jose.SigningKey{Algorithm: jose.ES256, Key: key},
		(&jose.SignerOptions{}).WithType("JWT"),
	)
	if err != nil {
		return "", err
	}

	raw, err := jwt.Signed(sig).
		Claims(claims).
		Claims(privateClaims).
		CompactSerialize()
	if err != nil {
		return "", err
	}

	return raw, nil
}

// newJWKS converts a pem-encoded public key into JWKS data suitable for a
// verification endpoint response
func NewJWKS(pubKey string) (*jose.JSONWebKeySet, error) {
	block, _ := pem.Decode([]byte(pubKey))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("unable to decode public key")
	}

	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	return &jose.JSONWebKeySet{
		Keys: []jose.JSONWebKey{
			{
				Key: pub,
			},
		},
	}, nil
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00
test: refactor testcontainers and add peering integ tests (#15084) 2022-11-01 19:03:23 +00:00			`package utils`

			`import (`
Add first integration test for jwt auth with intention (#18005) 2023-07-06 11:27:30 +00:00			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`

			`"github.com/go-jose/go-jose/v3"`
			`"github.com/go-jose/go-jose/v3/jwt"`
test: refactor testcontainers and add peering integ tests (#15084) 2022-11-01 19:03:23 +00:00			`"github.com/hashicorp/consul/api"`
			`)`

			`func ApplyDefaultProxySettings(c *api.Client) (bool, error) {`
			`req := &api.ProxyConfigEntry{`
			`Name: "global",`
			`Kind: "proxy-defaults",`
			`Config: map[string]any{`
			`"protocol": "tcp",`
			`},`
			`}`
			`ok, _, err := c.ConfigEntries().Set(req, &api.WriteOptions{})`
			`return ok, err`
			`}`
Add first integration test for jwt auth with intention (#18005) 2023-07-06 11:27:30 +00:00
			`// Generates a private and public key pair that is for signing`
			`// JWT.`
			`func GenerateKey() (pub, priv string, err error) {`
			`privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`

			`if err != nil {`
			`return "", "", fmt.Errorf("error generating private key: %w", err)`
			`}`

			`{`
			`derBytes, err := x509.MarshalECPrivateKey(privateKey)`
			`if err != nil {`
			`return "", "", fmt.Errorf("error marshaling private key: %w", err)`
			`}`
			`priv = string(pem.EncodeToMemory(&pem.Block{`
			`Type: "EC PRIVATE KEY",`
			`Bytes: derBytes,`
			`}))`
			`}`
			`{`
			`derBytes, err := x509.MarshalPKIXPublicKey(privateKey.Public())`
			`if err != nil {`
			`return "", "", fmt.Errorf("error marshaling public key: %w", err)`
			`}`
			`pub = string(pem.EncodeToMemory(&pem.Block{`
			`Type: "PUBLIC KEY",`
			`Bytes: derBytes,`
			`}))`
			`}`

			`return pub, priv, nil`
			`}`

			`// SignJWT will bundle the provided claims into a signed JWT. The provided key`
			`// is assumed to be ECDSA.`
			`//`
			`// If no private key is provided, it will generate a private key. These can`
			`// be retrieved via the SigningKeys() method.`
			`func SignJWT(privKey string, claims jwt.Claims, privateClaims interface{}) (string, error) {`
			`var err error`
			`if privKey == "" {`
			`_, privKey, err = GenerateKey()`
			`if err != nil {`
			`return "", err`
			`}`
			`}`
			`var key *ecdsa.PrivateKey`
			`block, _ := pem.Decode([]byte(privKey))`
			`if block != nil {`
			`key, err = x509.ParseECPrivateKey(block.Bytes)`
			`if err != nil {`
			`return "", err`
			`}`
			`}`

			`sig, err := jose.NewSigner(`
			`jose.SigningKey{Algorithm: jose.ES256, Key: key},`
			`(&jose.SignerOptions{}).WithType("JWT"),`
			`)`
			`if err != nil {`
			`return "", err`
			`}`

			`raw, err := jwt.Signed(sig).`
			`Claims(claims).`
			`Claims(privateClaims).`
			`CompactSerialize()`
			`if err != nil {`
			`return "", err`
			`}`

			`return raw, nil`
			`}`

			`// newJWKS converts a pem-encoded public key into JWKS data suitable for a`
			`// verification endpoint response`
			`func NewJWKS(pubKey string) (*jose.JSONWebKeySet, error) {`
			`block, _ := pem.Decode([]byte(pubKey))`
			`if block == nil \|\| block.Type != "PUBLIC KEY" {`
			`return nil, fmt.Errorf("unable to decode public key")`
			`}`

			`pub, err := x509.ParsePKIXPublicKey(block.Bytes)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &jose.JSONWebKeySet{`
			`Keys: []jose.JSONWebKey{`
			`{`
			`Key: pub,`
			`},`
			`},`
			`}, nil`
			`}`