new configuration version

2024-10-31 16:32:31 +00:00 · 2024-10-31 16:32:31 +00:00 · 4eaa9e2430
parent e7def29b6a
commit 4eaa9e2430
3 changed files with 15 additions and 2 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml
@ -46,7 +46,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-88ce7fd041e9106c6f5b1f1cb0892a56f30d8993"
+    tag: "r-605d91273a27806035012a52e1c36c5421092a85"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
    credentials: "git-credentials"
  keystores:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/recovery_pdf_session_processing.lua
@ -22,7 +22,10 @@ function inputHeader(request, response)
       local jwtHandler = nevis.util.jwt.new()

       local publickey = param_auth_signer_key:gsub("<br>", "\n")
-       trace:debug("publickey: '" .. publickey .. "'")
+       trace:debug("public key: '" .. publickey .. "'")
+
+       local newPublickey = param_auth_signer_new_key:gsub("<br>", "\n")
+       trace:debug("new public key: '" .. newPublickey .. "'")

       local base64 = nevis.crypto.base64.new()
       token = base64:decode(token)
@ -30,6 +33,11 @@ function inputHeader(request, response)

       local verified = jwtHandler:verifySignature(token, "rs256", publickey)

+       if not verified and newPublickey ~= "none" then
+          trace:notice("AGOV: Check key rotation, using new public key to validate JWT token")
+          verified = jwtHandler:verifySignature(token, "rs256", newPublickey)
+       end
+
       if not verified then
          trace:error("Blocking request: Invalid JWT : '" .. token .. "'")
          response:setBody("Blocking request: Invalid JWT")
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml
@ -541,6 +541,11 @@
            <param-name>param_auth_signer_key</param-name>
            <param-value>-----BEGIN PUBLIC KEY-----&lt;br&gt;MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvxncA6FeBG4LsoyaUceW&lt;br&gt;McMKp2/pu7sgTCTigv7JCgHWlV1+RYLHnXq/j4dtyOWqb4l2Mbc99Kbj4nJt779G&lt;br&gt;yPn6XrRKy8xPZ/T3enFz4d5zBPtN3dgPQt2Qz9bh9xE45HjT31f0qTqNs3C+VQU7&lt;br&gt;nlN/IkWhSAlBBTZdotQ9O8eHUnunnRs3WfLBgMs1uR3Ue27pXvtWuJo/d20kfumH&lt;br&gt;hbAWEGcM9hgvO7HyMeNVKobdBVZepDzDgXEXav22gmGTYcwzCf5HX9yzaqSMkbth&lt;br&gt;dvjnT9ovHpNgkzTJDSu6SiUTh8HuRsmCrHC4jsvJqS4dXDWYYXAS8aX9Fs8/uYvS&lt;br&gt;8wIDAQAB&lt;br&gt;-----END PUBLIC KEY-----</param-value>
        </init-param>
+        <!-- source: pattern://db89acad30d11cbc950a87c7 -->
+        <init-param>
+            <param-name>param_auth_signer_new_key</param-name>
+            <param-value>none</param-value>
+        </init-param>
    </filter>
    <!-- source: pattern://cc7f74cd87053a74a70588ad, pattern://cc7f74cd87053a74a70588ad#filters -->
    <filter>