fix(openid): Generate openid keys on npm postinstall to file

config/dev.json

@@ -93,12 +93,7 @@
     "fmt": "pretty"
   },
   "openid": {
-    "key": {
-      "kty": "RSA",
-      "kid": "2015.12.02-1",
-      "n":"xaQHsKpu1KSK-YEMoLzZS7Xxciy3fsGrhrrqW_JBrq3IRmeGLaqlE80zcpIVnStyp9tbet2niYTemt8ug591YWO5Y-S0EgQyFTxnGjzNOvAL6Cd2iGie9QeSehfFLNyRPdQiadYw07fw-h5gweMpVJv8nTgS-Bcorlw9JQM6Il1cUpbP0Lt-F_5qrzlaOiTEAAb4JGOusVh0n-MZfKt7w0mikauMH5KfhflwQDn4YTzRkWJzlldXr1Cs0ZkYzOwS4Hcoku7vd6lqCUO0GgZvkuvCFqdVKzpa4CGboNdfIjcGVF4f1CTQaQ0ao51cwLzq1pgi5aWYhVH7lJcm6O_BQw",
-      "e":"AQAB",
-      "d":"EM21aavT6Hhk6Hm0XSYxQ2KguJhcsYY90yKpMlASjYtw76t1mQRdLKXRrfgFpms_QE5CJNwblnGZi4lWJxKzpCgaZwfW14FL0Mpl6bEpsc0e9goE5ewfN64BIihLN1k5cAxNMLppRFbrQhi7GUD7DpqEi8lss3Mknk5xVGhF1Q38i5wSPLaLNgdt7QUIRdCCsrVFwnj83e8Rmmchr2-LXg2P_2KbVwdKfLuDiaYgDr2OELiK3VZa3WMexLrQHXGf1bvuK9xg6DNQ5Oe3slNWe7a0cpNR5oPX8HjqREmKciCFxHSA5o0ogyu5YvVjvZuh4Fm1iAM1fJNzYpabd_D8IQ"
-    }
+    "keyFile": "../config/key.json",
+    "key": {}
   }
 }

config/test.json

@@ -51,19 +51,10 @@
     "fmt": "pretty"
   },
   "openid": {
-    "key": {
-      "kty": "RSA",
-      "kid": "2015.12.16-1",
-      "n":"xaQHsKpu1KSK-YEMoLzZS7Xxciy3fsGrhrrqW_JBrq3IRmeGLaqlE80zcpIVnStyp9tbet2niYTemt8ug591YWO5Y-S0EgQyFTxnGjzNOvAL6Cd2iGie9QeSehfFLNyRPdQiadYw07fw-h5gweMpVJv8nTgS-Bcorlw9JQM6Il1cUpbP0Lt-F_5qrzlaOiTEAAb4JGOusVh0n-MZfKt7w0mikauMH5KfhflwQDn4YTzRkWJzlldXr1Cs0ZkYzOwS4Hcoku7vd6lqCUO0GgZvkuvCFqdVKzpa4CGboNdfIjcGVF4f1CTQaQ0ao51cwLzq1pgi5aWYhVH7lJcm6O_BQw",
-      "e":"AQAB",
-      "d":"EM21aavT6Hhk6Hm0XSYxQ2KguJhcsYY90yKpMlASjYtw76t1mQRdLKXRrfgFpms_QE5CJNwblnGZi4lWJxKzpCgaZwfW14FL0Mpl6bEpsc0e9goE5ewfN64BIihLN1k5cAxNMLppRFbrQhi7GUD7DpqEi8lss3Mknk5xVGhF1Q38i5wSPLaLNgdt7QUIRdCCsrVFwnj83e8Rmmchr2-LXg2P_2KbVwdKfLuDiaYgDr2OELiK3VZa3WMexLrQHXGf1bvuK9xg6DNQ5Oe3slNWe7a0cpNR5oPX8HjqREmKciCFxHSA5o0ogyu5YvVjvZuh4Fm1iAM1fJNzYpabd_D8IQ"
-    },
-    "oldKey": {
-      "kty": "RSA",
-      "kid": "2015.12.02-1",
-      "n":"xaQHsKpu1KSK-YEMoLzZS7Xxciy3esGrhrrqW_JBrq3IRmeGLaqlE80zcpIVnStyp9tbet2niYTemt8ug591YWO5Y-S0EgQyFTxnGjzNOvAL6Cd2iGie9QeSehfFLNyRPdQiadYw07fw-h5gweMpVJs8nTgS-Bcorlw9JQM6Il1cUpbP0Lt-F_5qrzlaOiTEAAb4JGOusVh0n-MZfKt7w0mikauMH5KfhflwQDn4YTzRkWJzlldXr1Cs0ZkYzOwS4Hcoku7vd6lqCUO0GgZvkuvCFqdVKzpa4CGboNdfIjcGVF4f1CTQaQ0ao51cwLzq1pgi5aWYhVH7lJcm6O_BQw",
-      "e":"AQAC"
-    }
+    "keyFile": "../config/key.json",
+    "oldKeyFile": "../config/oldKey.json",
+    "key": {},
+    "oldKey": {}
   },
   "serviceClients": [
     {

lib/config.js

@@ -154,6 +154,16 @@ const conf = convict({
     }
   },
   openid: {
+    keyFile: {
+      doc: 'Path to Private key JWK to sign id_tokens',
+      format: String,
+      default: ''
+    },
+    oldKeyFile: {
+      doc: 'Path to previous key that was used to sign id_tokens',
+      format: String,
+      default: ''
+    },
     key: {
       doc: 'Private JWK to sign id_tokens',
       default: {}
@@ -251,6 +261,15 @@ conf.get('serviceClients').forEach(function(client) {
   assert.equal(typeof client.jku, 'string', 'client jku required');
 });
 
+// Replace openid key if file specified
+if (conf.get('openid.keyFile')){
+  conf.set('openid.key', require(conf.get('openid.keyFile')));
+}
+
+if (conf.get('openid.oldKeyFile')){
+  conf.set('openid.oldKey', require(conf.get('openid.oldKeyFile')));
+}
+
 var key = conf.get('openid.key');
 assert.equal(key.kty, 'RSA', 'openid.key.kty must be RSA');
 assert(key.kid, 'openid.key.kid is required');

package.json

@@ -6,7 +6,8 @@
   "scripts": {
     "start": "grunt server --node-env=dev",
     "test": "grunt test --node-env=test",
-    "outdated": "npm outdated --depth 0"
+    "outdated": "npm outdated --depth 0",
+    "postinstall": "node scripts/gen_keys"
   },
   "repository": {
     "type": "git",
@@ -22,7 +23,6 @@
     "node": ">=0.10.0"
   },
   "dependencies": {
-    "urijs": "^1.16.1",
     "bluebird": "^2.9.14",
     "buf": "0.1.0",
     "convict": "0.8",
@@ -33,7 +33,8 @@
     "mozlog": "^2.0.2",
     "mysql": "^2.5.5",
     "mysql-patcher": "^0.7.0",
-    "request": "^2.54.0"
+    "request": "^2.54.0",
+    "urijs": "^1.16.1"
   },
   "devDependencies": {
     "blanket": "1.1.6",
@@ -53,6 +54,7 @@
     "load-grunt-tasks": "^3.1.0",
     "mocha-text-cov": "^0.1.0",
     "nock": "^1.2.1",
+    "node-rsa": "^0.2.30",
     "proxyquire": "^1.6.0",
     "read": "^1.0.5",
     "sinon": "^1.15.4",

scripts/gen_keys.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+
+ Usage:
+ scripts/gen_keys.js
+
+ Will create these files
+
+ ./config/key.json
+ ./config/oldKey.json
+
+ If these files already exist, this script will show an error message
+ and exit. You must remove both keys if you want to generate a new
+ keypair.
+ */
+
+const fs = require('fs');
+const assert = require('assert');
+
+const NodeRSA = require('node-rsa');
+
+const keyPath = './config/key.json';
+const oldKeyPath = './config/oldKey.json';
+
+try {
+  var keysExist = fs.existsSync(keyPath) && fs.existsSync(oldKeyPath);
+  assert(!keysExist, 'keys already exists');
+} catch (e) {
+  process.exit();
+}
+
+function main(cb) {
+  var key = new NodeRSA({b: 2048});
+
+  var genKey = {
+    kty: 'RSA',
+    kid: '2015.12.16-1',
+    n: key.keyPair.n.toString(),
+    e: key.keyPair.e.toString(),
+    d: key.keyPair.d.toString()
+  };
+
+  var genOldKey = {
+    kty: 'RSA',
+    kid: '2015.12.16-2',
+    n: key.keyPair.n.toString(),
+    e: key.keyPair.e.toString()
+  };
+
+  fs.writeFileSync(keyPath, JSON.stringify(genKey));
+  console.log('Key saved:', keyPath); //eslint-disable-line no-console
+
+  fs.writeFileSync(oldKeyPath, JSON.stringify(genOldKey));
+  console.log('OldKey saved:', oldKeyPath); //eslint-disable-line no-console
+  cb();
+}
+
+module.exports = main;
+
+if (require.main === module) {
+  main(function () {
+  });
+}