feat!: drop support for storing JWK on the filesystem (#1088)

backend/internal/utils/jwk/key_provider.go

@@ -28,22 +28,14 @@ func GetKeyProvider(db *gorm.DB, envConfig *common.EnvConfigSchema, instanceID s
 		return nil, fmt.Errorf("failed to load encryption key: %w", err)
 	}
 
-	// Get the key provider
-	switch envConfig.KeysStorage {
-	case "file", "":
-		keyProvider = &KeyProviderFile{}
-	case "database":
-		keyProvider = &KeyProviderDatabase{}
-	default:
-		return nil, fmt.Errorf("invalid key storage '%s'", envConfig.KeysStorage)
-	}
+	keyProvider = &KeyProviderDatabase{}
 	err = keyProvider.Init(KeyProviderOpts{
 		DB:        db,
 		EnvConfig: envConfig,
 		Kek:       kek,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to init key provider of type '%s': %w", envConfig.KeysStorage, err)
+		return nil, fmt.Errorf("failed to init key provider: %w", err)
 	}
 
 	return keyProvider, nil

backend/internal/utils/jwk/key_provider_file.go

@@ -1,202 +0,0 @@
-package jwk
-
-import (
-	"encoding/base64"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/lestrrat-go/jwx/v3/jwk"
-
-	"github.com/pocket-id/pocket-id/backend/internal/common"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
-	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
-)
-
-const (
-	// PrivateKeyFile is the path in the data/keys folder where the key is stored
-	// This is a JSON file containing a key encoded as JWK
-	PrivateKeyFile = "jwt_private_key.json"
-
-	// PrivateKeyFileEncrypted is the path in the data/keys folder where the encrypted key is stored
-	// This is a encrypted JSON file containing a key encoded as JWK
-	PrivateKeyFileEncrypted = "jwt_private_key.json.enc"
-)
-
-type KeyProviderFile struct {
-	envConfig *common.EnvConfigSchema
-	kek       []byte
-}
-
-func (f *KeyProviderFile) Init(opts KeyProviderOpts) error {
-	f.envConfig = opts.EnvConfig
-	f.kek = opts.Kek
-
-	return nil
-}
-
-func (f *KeyProviderFile) LoadKey() (jwk.Key, error) {
-	if len(f.kek) > 0 {
-		return f.loadEncryptedKey()
-	}
-	return f.loadKey()
-}
-
-func (f *KeyProviderFile) SaveKey(key jwk.Key) error {
-	if len(f.kek) > 0 {
-		return f.saveKeyEncrypted(key)
-	}
-	return f.saveKey(key)
-}
-
-func (f *KeyProviderFile) loadKey() (jwk.Key, error) {
-	var key jwk.Key
-
-	// First, check if we have a JWK file
-	// If we do, then we just load that
-	jwkPath := f.jwkPath()
-	ok, err := utils.FileExists(jwkPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if private key file exists at path '%s': %w", jwkPath, err)
-	}
-	if !ok {
-		// File doesn't exist, no key was loaded
-		return nil, nil
-	}
-
-	data, err := os.ReadFile(jwkPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read private key file at path '%s': %w", jwkPath, err)
-	}
-
-	key, err = jwk.ParseKey(data)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse private key file at path '%s': %w", jwkPath, err)
-	}
-
-	return key, nil
-}
-
-func (f *KeyProviderFile) loadEncryptedKey() (key jwk.Key, err error) {
-	// First, check if we have an encrypted JWK file
-	// If we do, then we just load that
-	encJwkPath := f.encJwkPath()
-	ok, err := utils.FileExists(encJwkPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if encrypted private key file exists at path '%s': %w", encJwkPath, err)
-	}
-	if ok {
-		encB64, err := os.ReadFile(encJwkPath)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': %w", encJwkPath, err)
-		}
-
-		// Decode from base64
-		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
-		n, err := base64.StdEncoding.Decode(enc, encB64)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': not a valid base64-encoded file: %w", encJwkPath, err)
-		}
-
-		// Decrypt the data
-		data, err := cryptoutils.Decrypt(f.kek, enc[:n], nil)
-		if err != nil {
-			return nil, fmt.Errorf("failed to decrypt private key file at path '%s': %w", encJwkPath, err)
-		}
-
-		// Parse the key
-		key, err = jwk.ParseKey(data)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse encrypted private key file at path '%s': %w", encJwkPath, err)
-		}
-
-		return key, nil
-	}
-
-	// Check if we have an un-encrypted JWK file
-	key, err = f.loadKey()
-	if err != nil {
-		return nil, fmt.Errorf("failed to load un-encrypted key file: %w", err)
-	}
-	if key == nil {
-		// No key exists, encrypted or un-encrypted
-		return nil, nil
-	}
-
-	// If we are here, we have loaded a key that was un-encrypted
-	// We need to replace the plaintext key with the encrypted one before we return
-	err = f.saveKeyEncrypted(key)
-	if err != nil {
-		return nil, fmt.Errorf("failed to save encrypted key file: %w", err)
-	}
-	jwkPath := f.jwkPath()
-	err = os.Remove(jwkPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to remove un-encrypted key file at path '%s': %w", jwkPath, err)
-	}
-
-	return key, nil
-}
-
-func (f *KeyProviderFile) saveKey(key jwk.Key) error {
-	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
-	if err != nil {
-		return fmt.Errorf("failed to create directory '%s' for key file: %w", f.envConfig.KeysPath, err)
-	}
-
-	jwkPath := f.jwkPath()
-	keyFile, err := os.OpenFile(jwkPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return fmt.Errorf("failed to create key file at path '%s': %w", jwkPath, err)
-	}
-	defer keyFile.Close()
-
-	// Write the JSON file to disk
-	err = EncodeJWK(keyFile, key)
-	if err != nil {
-		return fmt.Errorf("failed to write key file at path '%s': %w", jwkPath, err)
-	}
-
-	return nil
-}
-
-func (f *KeyProviderFile) saveKeyEncrypted(key jwk.Key) error {
-	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
-	if err != nil {
-		return fmt.Errorf("failed to create directory '%s' for encrypted key file: %w", f.envConfig.KeysPath, err)
-	}
-
-	// Encode the key to JSON
-	data, err := EncodeJWKBytes(key)
-	if err != nil {
-		return fmt.Errorf("failed to encode key to JSON: %w", err)
-	}
-
-	// Encrypt the key then encode to Base64
-	enc, err := cryptoutils.Encrypt(f.kek, data, nil)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt key: %w", err)
-	}
-	encB64 := make([]byte, base64.StdEncoding.EncodedLen(len(enc)))
-	base64.StdEncoding.Encode(encB64, enc)
-
-	// Write to disk
-	encJwkPath := f.encJwkPath()
-	err = os.WriteFile(encJwkPath, encB64, 0600)
-	if err != nil {
-		return fmt.Errorf("failed to write encrypted key file at path '%s': %w", encJwkPath, err)
-	}
-
-	return nil
-}
-
-func (f *KeyProviderFile) jwkPath() string {
-	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFile)
-}
-
-func (f *KeyProviderFile) encJwkPath() string {
-	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFileEncrypted)
-}
-
-// Compile-time interface check
-var _ KeyProvider = (*KeyProviderFile)(nil)

backend/internal/utils/jwk/key_provider_file_test.go

@@ -1,320 +0,0 @@
-package jwk
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"encoding/base64"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/lestrrat-go/jwx/v3/jwk"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/pocket-id/pocket-id/backend/internal/common"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
-	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
-)
-
-func TestKeyProviderFile_LoadKey(t *testing.T) {
-	// Generate a test key to use in our tests
-	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-
-	key, err := jwk.Import(pk)
-	require.NoError(t, err)
-
-	t.Run("LoadKey with no existing key", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		provider := &KeyProviderFile{}
-		err := provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-		})
-		require.NoError(t, err)
-
-		// Load key when none exists
-		loadedKey, err := provider.LoadKey()
-		require.NoError(t, err)
-		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
-	})
-
-	t.Run("LoadKey with no existing key (with kek)", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		provider := &KeyProviderFile{}
-		err = provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-			Kek: makeKEK(t),
-		})
-		require.NoError(t, err)
-
-		// Load key when none exists
-		loadedKey, err := provider.LoadKey()
-		require.NoError(t, err)
-		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
-	})
-
-	t.Run("LoadKey with unencrypted key", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		provider := &KeyProviderFile{}
-		err := provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-		})
-		require.NoError(t, err)
-
-		// Save a key
-		err = provider.SaveKey(key)
-		require.NoError(t, err)
-
-		// Make sure the key file exists
-		keyPath := filepath.Join(tempDir, PrivateKeyFile)
-		exists, err := utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected key file to exist")
-
-		// Load the key
-		loadedKey, err := provider.LoadKey()
-		require.NoError(t, err)
-		assert.NotNil(t, loadedKey, "Expected non-nil key when key exists")
-
-		// Verify the loaded key is the same as the original
-		keyBytes, err := EncodeJWKBytes(key)
-		require.NoError(t, err)
-
-		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
-		require.NoError(t, err)
-
-		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
-	})
-
-	t.Run("LoadKey with encrypted key", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		provider := &KeyProviderFile{}
-		err = provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-			Kek: makeKEK(t),
-		})
-		require.NoError(t, err)
-
-		// Save a key (will be encrypted)
-		err = provider.SaveKey(key)
-		require.NoError(t, err)
-
-		// Make sure the encrypted key file exists
-		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
-		exists, err := utils.FileExists(encKeyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected encrypted key file to exist")
-
-		// Make sure the unencrypted key file does not exist
-		keyPath := filepath.Join(tempDir, PrivateKeyFile)
-		exists, err = utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.False(t, exists, "Expected unencrypted key file to not exist")
-
-		// Load the key
-		loadedKey, err := provider.LoadKey()
-		require.NoError(t, err)
-		assert.NotNil(t, loadedKey, "Expected non-nil key when encrypted key exists")
-
-		// Verify the loaded key is the same as the original
-		keyBytes, err := EncodeJWKBytes(key)
-		require.NoError(t, err)
-
-		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
-		require.NoError(t, err)
-
-		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
-	})
-
-	t.Run("LoadKey replaces unencrypted key with encrypted key when kek is provided", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		// First, create an unencrypted key
-		providerNoKek := &KeyProviderFile{}
-		err := providerNoKek.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-		})
-		require.NoError(t, err)
-
-		// Save an unencrypted key
-		err = providerNoKek.SaveKey(key)
-		require.NoError(t, err)
-
-		// Verify unencrypted key exists
-		keyPath := filepath.Join(tempDir, PrivateKeyFile)
-		exists, err := utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected unencrypted key file to exist")
-
-		// Now create a provider with a kek
-		kek := make([]byte, 32)
-		_, err = rand.Read(kek)
-		require.NoError(t, err)
-
-		providerWithKek := &KeyProviderFile{}
-		err = providerWithKek.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-			Kek: kek,
-		})
-		require.NoError(t, err)
-
-		// Load the key - this should convert the unencrypted key to encrypted
-		loadedKey, err := providerWithKek.LoadKey()
-		require.NoError(t, err)
-		assert.NotNil(t, loadedKey, "Expected non-nil key when loading and converting key")
-
-		// Verify the unencrypted key no longer exists
-		exists, err = utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.False(t, exists, "Expected unencrypted key file to be removed")
-
-		// Verify the encrypted key file exists
-		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
-		exists, err = utils.FileExists(encKeyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected encrypted key file to exist after conversion")
-
-		// Verify the key data
-		keyBytes, err := EncodeJWKBytes(key)
-		require.NoError(t, err)
-
-		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
-		require.NoError(t, err)
-
-		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key after conversion")
-	})
-}
-
-func TestKeyProviderFile_SaveKey(t *testing.T) {
-	// Generate a test key to use in our tests
-	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-
-	key, err := jwk.Import(pk)
-	require.NoError(t, err)
-
-	t.Run("SaveKey unencrypted", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		provider := &KeyProviderFile{}
-		err := provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-		})
-		require.NoError(t, err)
-
-		// Save the key
-		err = provider.SaveKey(key)
-		require.NoError(t, err)
-
-		// Verify the key file exists
-		keyPath := filepath.Join(tempDir, PrivateKeyFile)
-		exists, err := utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected key file to exist")
-
-		// Verify the content of the key file
-		data, err := os.ReadFile(keyPath)
-		require.NoError(t, err)
-
-		parsedKey, err := jwk.ParseKey(data)
-		require.NoError(t, err)
-
-		// Compare the saved key with the original
-		keyBytes, err := EncodeJWKBytes(key)
-		require.NoError(t, err)
-
-		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
-		require.NoError(t, err)
-
-		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected saved key to match original key")
-	})
-
-	t.Run("SaveKey encrypted", func(t *testing.T) {
-		tempDir := t.TempDir()
-
-		// Generate a 64-byte kek
-		kek := makeKEK(t)
-
-		provider := &KeyProviderFile{}
-		err = provider.Init(KeyProviderOpts{
-			EnvConfig: &common.EnvConfigSchema{
-				KeysPath: tempDir,
-			},
-			Kek: kek,
-		})
-		require.NoError(t, err)
-
-		// Save the key (will be encrypted)
-		err = provider.SaveKey(key)
-		require.NoError(t, err)
-
-		// Verify the encrypted key file exists
-		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
-		exists, err := utils.FileExists(encKeyPath)
-		require.NoError(t, err)
-		assert.True(t, exists, "Expected encrypted key file to exist")
-
-		// Verify the unencrypted key file doesn't exist
-		keyPath := filepath.Join(tempDir, PrivateKeyFile)
-		exists, err = utils.FileExists(keyPath)
-		require.NoError(t, err)
-		assert.False(t, exists, "Expected unencrypted key file to not exist")
-
-		// Manually decrypt the encrypted key file to verify it contains the correct key
-		encB64, err := os.ReadFile(encKeyPath)
-		require.NoError(t, err)
-
-		// Decode from base64
-		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
-		n, err := base64.StdEncoding.Decode(enc, encB64)
-		require.NoError(t, err)
-		enc = enc[:n] // Trim any padding
-
-		// Decrypt the data
-		data, err := cryptoutils.Decrypt(kek, enc, nil)
-		require.NoError(t, err)
-
-		// Parse the key
-		parsedKey, err := jwk.ParseKey(data)
-		require.NoError(t, err)
-
-		// Compare the decrypted key with the original
-		keyBytes, err := EncodeJWKBytes(key)
-		require.NoError(t, err)
-
-		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
-		require.NoError(t, err)
-
-		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected decrypted key to match original key")
-	})
-}
-
-func makeKEK(t *testing.T) []byte {
-	t.Helper()
-
-	// Generate a 32-byte kek
-	kek := make([]byte, 32)
-	_, err := rand.Read(kek)
-	require.NoError(t, err)
-	return kek
-}