JWT Feature (#367)

* JWT as a middleware authenticator

* Nil check for JWT

* user credentials verification

* Integration test for JWT

* signature invalid issue fixed

* Removed unwanted debug changes

* Removes debug prints

* test code refactor

* Documentation for JWT

* Doc page

* Spelling correction

* Doc corrections

* Spell correction

* Spell correction

* config read issues fixed

* Sample config added to document

* Doc correction

* Spell corrections

* Client authorization sidebar change in docs

* Client authorization sidebar change in docs

* Client authorization sidebar change in docs

* SidebarHeader code alignment change

* token expiry optional

* token expiry description added

* doc update on tok_expiry

* minor changes as per discussion

* doc tab corrections

* tok_exp changes as per discussion

* minor variable name changes

* credentials check logic updated

* sg add an integration test for jwt

* login endpoint added

* login serve issue fix

* fix jwt integration test

* add more jwt tests

* username and password error messages match

* unit test case for Login handler

* AuthHandler UT

* JWT and authorized_keys are mutually exclusive, can't use both

* sg-integrationtest add bad input test

* JWT users per PKH & credentials rotation

* Unit tests

* nil check for jwt users list

* UT refactor

* fix integration test

* per PKH config change

* error messages got JWT label

* secert validation changes

* fix jwt unit test new secret length constraint

* fix jwt unit test new secret length constraint

* fix jwt unit test

* fix integration test - new secret constraint

* add (failing) jwt password rotation integration test

* secret & password validation changes

* add jwt per pkh integration tests

* new and old user cred accepted in parallel till the exp time

* integration test - add password complexity 16 characters

* integrationtest - fix password rotation testcase - requires new secret

* fix for issue #372

* error message added

* fix broken test

* fix broken test

* old expiry logic change

* fix password rotation integration test

* tidy test

* small jwt doc improvements

* jwt doc fix typo

* bump octez version in integration tests

* update octez version in integration tests

---------

Co-authored-by: stephengaudet <[email protected]>
Co-authored-by: stephengaudet <[email protected]>

Author: 3 people

Diff for: cmd/commands/serve.go

@@ -2,10 +2,12 @@ package commands
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"time"
 
 	"github.com/ecadlabs/signatory/pkg/auth"
+	"github.com/ecadlabs/signatory/pkg/middlewares"
 	"github.com/ecadlabs/signatory/pkg/server"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -24,6 +26,17 @@ func NewServeCommand(c *Context) *cobra.Command {
 				Signer:  c.signatory,
 			}
 
+			if c.config.Server.JWTConfig != nil {
+				if c.config.Server.AuthorizedKeys != nil {
+					return fmt.Errorf("cannot use both JWT and static authorized keys")
+				}
+				mw := middlewares.NewMiddleware(c.config.Server.JWTConfig)
+				if err := c.config.Server.JWTConfig.CheckUpdateNewCred(); err != nil {
+					return err
+				}
+				srvConf.MidWare = mw
+			}
+
 			if c.config.Server.AuthorizedKeys != nil {
 				ak, err := auth.StaticAuthorizedKeys(c.config.Server.AuthorizedKeys.List()...)
 				if err != nil {

Diff for: docs/jwt_auth.md

@@ -0,0 +1,163 @@
+---
+id: jwt
+title: JWT
+---
+
+# JWT - Signatory interaction
+
+The diagram represents a sequence of interactions between a client and a Signatory service, which appears to be a service that handles cryptographic signing operations. Here is a breakdown of the sequence of interactions:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant Signatory
+    Client->>Signatory: Provide credentials
+    Signatory->>Client: Verify credentials
+    Note over Signatory: Create JWT
+    Signatory->>Client: Send JWT
+    Note over Client: Store JWT
+    Client->>Signatory: Request signing operation (include JWT)
+    Signatory->>Signatory: Validate JWT signature
+    Note over Signatory: Check claims (public key, roles, permissions)
+    alt JWT is valid and client is authorized
+        Signatory->>Signatory: Sign operation with private key
+        Signatory->>Client: Send signed operation
+    else JWT is invalid or client is unauthorized
+        Signatory->>Client: Access denied (error message)
+    end
+```
+
+1. The client provides its credentials to the Signatory service.
+2. The Signatory service verifies the credentials provided by the client.
+3. If the credentials are valid, the Signatory service creates a JSON Web Token (JWT) and sends it to the client.
+4. The client stores the JWT for later use.
+5. The client requests a signing operation from the Signatory service, and includes the JWT in the request.
+6. The Signatory service validates the JWT signature and checks the claims in the JWT (such as the public key, roles, and permissions).
+7. If the JWT is valid and the client is authorized, the Signatory service signs the operation with its private key and sends the signed operation back to the client.
+8. If the JWT is invalid or the client is unauthorized, the Signatory service sends an access denied error message to the client.
+9. When the token expires or any other token authentication failures happen, the client can start again from 1. 
+
+## Sample Signatory JWT configuration
+
+`jwt_exp` is the time duration (in minutes) for which the token is valid and it is optional. When not provided the token expiry is 60 minutes, otherwise it is `current time + jwt_exp`.   
+
+`secret` is the secret used to sign the JWT token.
+
+```yaml
+server:
+  address: :6732
+  utility_address: :9583
+  jwt:
+    users:
+      user_name1:
+        password: password1
+        secret: secret1
+        jwt_exp: 234
+      user_name2:
+        password: password2
+        secret: secret2
+        jwt_exp: 73
+```
+
+## Sample client code which used in the integration test.
+
+```go
+        //Send user credentials to receive a new token
+        url := "http://localhost:6732/login" + pub.Hash().String()
+		client := &http.Client{}
+
+		req, err := http.NewRequest("POST", url, nil)
+		require.NoError(t, err)
+
+		req.Header.Add("Content-Type", "application/json")
+		req.Header.Add("username", "user1")
+		req.Header.Add("password", "pass123")
+		time.Sleep(2 * time.Second)
+
+		res, err := client.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, 201, res.StatusCode)
+
+		body, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.NotEmpty(t, body)
+
+		res.Body.Close()
+
+		// Send request using received token
+
+		client = &http.Client{}
+
+		req, err = http.NewRequest("GET", url, nil)
+		require.NoError(t, err)
+
+		req.Header.Add("Content-Type", "application/json")
+		req.Header.Add("Authorization", "Bearer "+string(body))
+		req.Header.Add("username", "user1")
+		time.Sleep(2 * time.Second)
+
+		res, err = client.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, 200, res.StatusCode)
+
+		defer res.Body.Close()
+		body, err = ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.NotEmpty(t, body)
+
+		fmt.Println("Response-GET-PKH: ", string(body))
+```
+
+## Credentials rotation
+
+The credentials can be rotated by updating the configuration file and restarting the Signatory service.
+
+Older credentials can be removed from the configuration file after the new credentials are added and signatory is up and serving. The Signatory service will continue to accept the older credentials until the `old_cred_exp` time expires. If any error occurs with expiry time, the Signatory service will stop accepting the older credentials immediately. The `old_cred_exp` field is `GMT` expressed in `YYYY-MM-DD hh:mm:ss` format.
+
+### sample configuration file:
+
+```yaml
+server:
+  address: :6732
+  utility_address: :9583
+  jwt:
+    users:
+      user_name1:
+        password: password1
+        secret: secret1
+        jwt_exp: 234
+        old_cred_exp: "2006-01-02 15:04:05"
+        new_data:
+          password: password1
+          secret: secret1
+          jwt_exp: 35
+```
+
+## JWT users for each PKH
+
+The JWT users can be configured for each PKH in the configuration file. Even if the JWT client provides a valid token, the request will be rejected if the user is not configured for that PKH requested for signing.
+If no JWT users are configured for a PKH, then any JWT token will be accepted for that PKH.
+
+### sample configuration file:
+
+```yaml
+tezos:
+  tz3cbDCwrqFqfx1dBhHoXTwZ9FG3MDrtyMs6:
+    jwt_users:
+      - user_name1
+      - user_name2
+    log_payloads: true
+    allow:
+      block:
+      endorsement:
+      preendorsement:
+      generic:
+        - transaction
+        - reveal
+```
+
+## Important security note:
+
+TLS should be taken care by the user who configures JWT as the authentication mechanism in Signatory for the clients.
+
+The configuration file also contains sensitive information when using JWT with Signatory, so that file must also be secure.

Diff for: go.mod

@@ -43,6 +43,7 @@ require (
 	github.com/enceve/crypto v0.0.0-20160707101852-34d48bb93815 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang-jwt/jwt/v5 v5.0.0-rc.1
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect

Diff for: go.sum

@@ -45,6 +45,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.11.2 h1:q3SHpufmypg+erIExEKUmsgmhDTyhcJ38oeKGACXohU=
 github.com/go-playground/validator/v10 v10.11.2/go.mod h1:NieE624vt4SCTJtD87arVLvdmjPAeV8BQlHtMnw9D7s=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v5 v5.0.0-rc.1 h1:tDQ1LjKga657layZ4JLsRdxgvupebc0xuPwRNuTfUgs=
 github.com/golang-jwt/jwt/v5 v5.0.0-rc.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

Diff for: integration_test/.env.current

@@ -1,2 +1,2 @@
-export OCTEZ_VERSION=${ARCH}_v16.0-rc3
+export OCTEZ_VERSION=${ARCH}_v16.1
 export PROTOCOL=Mumbai

Diff for: integration_test/.env.next

@@ -1,2 +1,2 @@
-export OCTEZ_VERSION=${ARCH}_v17.0-beta1
+export OCTEZ_VERSION=${ARCH}_v17.0
 export PROTOCOL=Nairobi

Diff for: integration_test/config.go

@@ -16,17 +16,37 @@ type Config struct {
 	Tezos  TezosConfig             `yaml:"tezos"`
 }
 
+type JwtConfig struct {
+	Users map[string]*JwtUserData `yaml:"users"`
+}
+
+type JwtUserData struct {
+	Password string      `yaml:"password"`
+	Secret   string      `yaml:"secret"`
+	Exp      uint64      `yaml:"jwt_exp"`
+	CredExp  string      `yaml:"old_cred_exp,omitempty"`
+	NewCred  *JwtNewCred `yaml:"new_data,omitempty"`
+}
+
+type JwtNewCred struct {
+	Password string `yaml:"password"`
+	Secret   string `yaml:"secret"`
+	Exp      uint64 `yaml:"jwt_exp"`
+}
+
 type ServerConfig struct {
-	Address        string   `yaml:"address"`
-	UtilityAddress string   `yaml:"utility_address"`
-	Keys           []string `yaml:"authorized_keys,omitempty"`
+	Address        string    `yaml:"address"`
+	UtilityAddress string    `yaml:"utility_address"`
+	Keys           []string  `yaml:"authorized_keys,omitempty"`
+	Jwt            JwtConfig `yaml:"jwt,omitempty"`
 }
 
 type TezosConfig = map[string]*TezosPolicy
 
 type TezosPolicy struct {
 	Allow       map[string][]string `yaml:"allow"`
 	LogPayloads bool                `yaml:"log_payloads"`
+	JwtUsers    []string            `yaml:"jwt_users,omitempty"`
 }
 
 type VaultConfig struct {