feat(notary): add JWT-based authorization mode (#817)

* feat(server): add JWT-based authorization mode

This mode is an alternative to whitelist authorization mode.
It extracts the JWT from the authorization header (bearer token),
validates token's signature, claimed expiry times and additional
(user-configurable) claims.

* Fix formatting and lints

* Address review comments

* feat(server): remove JwtClaimType config property

* Fix missing README comments

* Address review comments

* Address review comments

---------

Co-authored-by: yuroitaki <[email protected]>

Author: Jakub Konka

Cargo.lock

@@ -7,6 +7,7 @@ use http_body_util::{BodyExt as _, Either, Empty, Full};
 use hyper::{
     body::{Bytes, Incoming},
     client::conn::http1::Parts,
+    header::AUTHORIZATION,
     Request, Response, StatusCode,
 };
 use hyper_util::rt::TokioIo;
@@ -137,6 +138,10 @@ pub struct NotaryClient {
     /// in notary server.
     #[builder(setter(into, strip_option), default)]
     api_key: Option<String>,
+    /// JWT token used to call notary server endpoints if JWT authorization is
+    /// enabled in notary server.
+    #[builder(setter(into, strip_option), default)]
+    jwt: Option<String>,
     /// The duration of notarization request timeout in seconds.
     #[builder(default = "60")]
     request_timeout: usize,
@@ -291,6 +296,11 @@ impl NotaryClient {
                     configuration_request_builder.header(X_API_KEY_HEADER, api_key);
             }
 
+            if let Some(jwt) = &self.jwt {
+                configuration_request_builder =
+                    configuration_request_builder.header(AUTHORIZATION, format!("Bearer {jwt}"));
+            }
+
             let configuration_request = configuration_request_builder
                 .body(Either::Left(Full::new(Bytes::from(
                     configuration_request_payload,

crates/notary/client/src/client.rs

@@ -32,6 +32,7 @@ http = { workspace = true }
 http-body-util = { workspace = true }
 hyper = { workspace = true, features = ["client", "http1", "server"] }
 hyper-util = { workspace = true, features = ["full"] }
+jsonwebtoken = { version = "9.3.1", features = ["use_pem"] }
 k256 = { workspace = true }
 notify = { version = "6.1.1", default-features = false, features = [
 	"macos_kqueue",
@@ -43,9 +44,11 @@ rand06-compat = { workspace = true }
 rustls = { workspace = true }
 rustls-pemfile = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
 serde_yaml = { version = "0.9" }
 sha1 = { version = "0.10" }
 structopt = { version = "0.3" }
+strum = { version = "0.27", features = ["derive"] }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["full"] }
 tokio-rustls = { workspace = true }

crates/notary/server/Cargo.toml

@@ -90,7 +90,7 @@ log:
 
 auth:
   enabled: false
-  whitelist_path: null
+  whitelist: null
 ```
 ⚠️ By default, `notarization.private_key_path` is `null`, which means a **random, ephemeral** signing key will be generated at runtime (see [Signing](#signing) for more details).
 
@@ -168,10 +168,35 @@ TLS needs to be turned on between the prover and the notary for security purpose
 The toggle to turn on TLS, as well as paths to the TLS private key and certificate can be defined in the config (`tls` field).
 
 ### Authorization
-An optional authorization module is available to only allow requests with a valid API key attached in the custom HTTP header `X-API-Key`. The API key whitelist path, as well as the flag to enable/disable this module, can be changed in the config (`authorization` field).
+An optional authorization module is available to only allow requests with a valid credential attached. Currently, two modes are supported: whitelist and JWT.
+
+Please note that only *one* mode can be active at any one time.
+
+#### Whitelist mode
+In whitelist mode, a valid API key needs to be attached in the custom HTTP header `X-API-Key`. The path of the API key whitelist, as well as the flag to enable/disable this module, can be changed in the config (`auth` field).
 
 Hot reloading of the whitelist is supported, i.e. changes to the whitelist file are automatically applied without needing to restart the server.
 
+#### JWT mode
+In JWT mode, JSON Web Token is attached in the standard `Authorization` HTTP header as a bearer token. The algorithm, the path to verifying key, as well as custom user claims, can be changed in the config (`auth` field).
+
+Care should be taken when defining custom user claims as the middleware will:
+- accept any claim if no custom claim is defined,
+- as long as user defined claims are found, other unknown claims will be ignored.
+
+An example JWT config may look something like this:
+
+```yaml
+auth:
+  enabled: true
+  jwt:
+    algorithm: "RS256"
+    public_key_path: "./fixture/auth/jwt.key.pub"
+    claims:
+      - name: sub
+        values: ["tlsnotary"]
+```
+
 ### Logging
 The default logging strategy of this server is set to `DEBUG` verbosity level for the crates that are useful for most debugging scenarios, i.e. using the following filtering logic.
 

crates/notary/server/README.md

@@ -15,6 +15,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       responses:
         '200':
           description: Ok response from server
@@ -38,6 +39,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       responses:
         '200':
           description: Info response from server
@@ -60,6 +62,7 @@ paths:
       security:
         - {} # make security optional
         - ApiKeyAuth: []
+        - BearerAuth: []
       parameters:
       - in: header
         name: Content-Type
@@ -212,4 +215,9 @@ components:
       type: apiKey
       in: header
       name: X-API-Key
-      description: Whitelisted API key if auth module is turned on
+      description: Whitelisted API key if auth module is turned on and in whitelist mode
+    BearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      description: JSON Web Token if auth module is turned on and in JWT mode