new configuration version

haburger 2024-10-31 16:32:31 +00:00
parent e7def29b6a
commit 4eaa9e2430
3 changed files with 15 additions and 2 deletions


@ -46,7 +46,7 @@ spec:
podDisruptionBudget: podDisruptionBudget:
maxUnavailable: "50%" maxUnavailable: "50%"
git: git:
tag: "r-88ce7fd041e9106c6f5b1f1cb0892a56f30d8993" tag: "r-605d91273a27806035012a52e1c36c5421092a85"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp" dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
credentials: "git-credentials" credentials: "git-credentials"
keystores: keystores:


@ -24,12 +24,20 @@ function inputHeader(request, response)
local publickey = param_auth_signer_key:gsub("<br>", "\n") local publickey = param_auth_signer_key:gsub("<br>", "\n")
trace:debug("public key: '" .. publickey .. "'") trace:debug("public key: '" .. publickey .. "'")
local newPublickey = param_auth_signer_new_key:gsub("<br>", "\n")
trace:debug("new public key: '" .. newPublickey .. "'")
local base64 = nevis.crypto.base64.new() local base64 = nevis.crypto.base64.new()
token = base64:decode(token) token = base64:decode(token)
trace:debug("token: " .. token) trace:debug("token: " .. token)
local verified = jwtHandler:verifySignature(token, "rs256", publickey) local verified = jwtHandler:verifySignature(token, "rs256", publickey)
if not verified and newPublickey ~= "none" then
trace:notice("AGOV: Check key rotation, using new public key to validate JWT token")
verified = jwtHandler:verifySignature(token, "rs256", newPublickey)
end
if not verified then if not verified then
trace:error("Blocking request: Invalid JWT : '" .. token .. "'") trace:error("Blocking request: Invalid JWT : '" .. token .. "'")
response:setBody("Blocking request: Invalid JWT") response:setBody("Blocking request: Invalid JWT")
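Review bot: The added rotation fallback decides whether a second key is configured by comparing against the sentinel `"none"`, but `newPublickey` is derived first with `param_auth_signer_new_key:gsub("<br>", "\n")`, so a deployment whose filter does not carry the new init-param (the global would presumably be nil) fails on that index with a runtime error instead of taking the sentinel path; `local newPublickey = (param_auth_signer_new_key or "none"):gsub("<br>", "\n")` keeps the fallback opt-in without that failure mode. The notice "Check key rotation" is written before the second verifySignature call and nothing is logged afterwards, so the trace never shows whether the new key actually validated the token, which is the signal an operator needs to decide when the old key can be retired; adding `if verified then trace:notice("AGOV: JWT validated with new public key") end` after the second call would record that. Note that every token that fails against the old key, including malformed or forged ones, now also produces this notice, so it should not be read as evidence of rotation. inputHeader starts and ends outside the hunk.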


@ -541,6 +541,11 @@
<param-name>param_auth_signer_key</param-name> <param-name>param_auth_signer_key</param-name>
<param-value>-----BEGIN PUBLIC KEY-----&lt;br&gt;MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvxncA6FeBG4LsoyaUceW&lt;br&gt;McMKp2/pu7sgTCTigv7JCgHWlV1+RYLHnXq/j4dtyOWqb4l2Mbc99Kbj4nJt779G&lt;br&gt;yPn6XrRKy8xPZ/T3enFz4d5zBPtN3dgPQt2Qz9bh9xE45HjT31f0qTqNs3C+VQU7&lt;br&gt;nlN/IkWhSAlBBTZdotQ9O8eHUnunnRs3WfLBgMs1uR3Ue27pXvtWuJo/d20kfumH&lt;br&gt;hbAWEGcM9hgvO7HyMeNVKobdBVZepDzDgXEXav22gmGTYcwzCf5HX9yzaqSMkbth&lt;br&gt;dvjnT9ovHpNgkzTJDSu6SiUTh8HuRsmCrHC4jsvJqS4dXDWYYXAS8aX9Fs8/uYvS&lt;br&gt;8wIDAQAB&lt;br&gt;-----END PUBLIC KEY-----</param-value> <param-value>-----BEGIN PUBLIC KEY-----&lt;br&gt;MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvxncA6FeBG4LsoyaUceW&lt;br&gt;McMKp2/pu7sgTCTigv7JCgHWlV1+RYLHnXq/j4dtyOWqb4l2Mbc99Kbj4nJt779G&lt;br&gt;yPn6XrRKy8xPZ/T3enFz4d5zBPtN3dgPQt2Qz9bh9xE45HjT31f0qTqNs3C+VQU7&lt;br&gt;nlN/IkWhSAlBBTZdotQ9O8eHUnunnRs3WfLBgMs1uR3Ue27pXvtWuJo/d20kfumH&lt;br&gt;hbAWEGcM9hgvO7HyMeNVKobdBVZepDzDgXEXav22gmGTYcwzCf5HX9yzaqSMkbth&lt;br&gt;dvjnT9ovHpNgkzTJDSu6SiUTh8HuRsmCrHC4jsvJqS4dXDWYYXAS8aX9Fs8/uYvS&lt;br&gt;8wIDAQAB&lt;br&gt;-----END PUBLIC KEY-----</param-value>
</init-param> </init-param>
<!-- source: pattern://db89acad30d11cbc950a87c7 -->
<init-param>
<param-name>param_auth_signer_new_key</param-name>
<param-value>none</param-value>
</init-param>
</filter> </filter>
<!-- source: pattern://cc7f74cd87053a74a70588ad, pattern://cc7f74cd87053a74a70588ad#filters --> <!-- source: pattern://cc7f74cd87053a74a70588ad, pattern://cc7f74cd87053a74a70588ad#filters -->
<filter> <filter>
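Review bot: The new `param_auth_signer_new_key` init-param is set to the bare string `none`, which is a magic sentinel the Lua filter compares against to skip the rotation fallback, and nothing in the descriptor says so; a reader rotating keys would not know that an empty value or a stray whitespace variant is not equivalent. Add a comment above the element, e.g. `<!-- "none" disables the key-rotation fallback in inputHeader; during rotation set the new PEM here with line breaks encoded as <br>, matching param_auth_signer_key -->`. It would also help to state that both keys are accepted while this value is set, so the old key is removed once rotation is complete.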