changed sub conflict checking when getting keys

2017-11-02 16:11:18 -06:00 · 2017-11-02 16:11:18 -06:00 · 19d153283e
commit 19d153283e
parent 0e23100233
1 changed files with 51 additions and 46 deletions
--- a/jwks.js
+++ b/jwks.js
@ -33,58 +33,63 @@ function thumbprint(jwk) {
  return PromiseA.resolve(makeB64UrlSafe(hash));
 }

+function sanitizeJwk(jwk) {
+  // We need to sanitize the key to make sure we don't deliver any private keys fields if
+  // we were given a key we could use to sign tokens on behalf of the user. We also don't
+  // want to deliver the sub or any other PPIDs.
+  var whitelist = ['kty', 'alg', 'kid', 'use'];
+  if (jwk.kty === 'EC') {
+    whitelist = whitelist.concat(['crv', 'x', 'y']);
+  } else if (jwk.kty === 'RSA') {
+    whitelist = whitelist.concat(['e', 'n']);
+  }
+
+  var result = {};
+  whitelist.forEach(function (key) {
+    result[key] = jwk[key];
+  });
+  return result;
+}
+
 function create(app) {
  var restful = {};
+
+  async function getRawKey(req) {
+    var store = await req.getSiteStore();
+
+    if (req.params.kid === req.experienceId) {
+      return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
+    }
+
+    // The keys are stored by the issuer PPID, but the sub we have might be a different PPID
+    // for a 3rd party. As such we need to look up the subject in the grants to get the issuer
+    // PPID and to make sure there wasn't some kind of error that allowed multiple users to
+    // somehow use the same PPID.
+    var results = await Promise.all([
+      store.IssuerOauth3OrgGrants.find({ sub:    req.params.sub }),
+      store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }),
+    ]);
+    var subList = [].concat.apply([], results).map(grant => grant.sub);
+    subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind);
+    if (!subList.length) {
+      throw new OpErr("unknown PPID '" + req.params.sub + "'");
+    }
+    if (subList.length > 1) {
+      // This should not ever happen since there is a check for PPID collisions when saving
+      // grants, but it's probably better to have this check anyway just incase something
+      // happens that isn't currently accounted for.
+      throw new OpErr('PPID collision - unable to safely retrieve keys');
+    }
+
+    return store.IssuerOauth3OrgJwks.get(subList[0] + '/' + req.params.kid);
+  }
+
  restful.get = function (req, res) {
-    // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
-    // we need to look up the issuer PPID using the 3rd party PPID.
-    var promise = req.getSiteStore().then(function (store) {
-      if (req.params.kid === req.experienceId) {
-        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
-      }
-
-      // First we check to see if the key is being requested by the `sub` that we as the issuer use
-      // to identify the user, and if not then we need to look up the specified `sub` to see if
-      // we can determine which (if any) account it's associated with.
-      return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
-        if (jwk) {
-          return jwk;
-        }
-
-        return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
-          if (!results.length) {
-            throw new OpErr("unknown PPID '"+req.params.sub+"'");
-          }
-          if (results.length > 1) {
-            // This should not ever happen since there is a check for PPID collisions when saving
-            // grants, but it's probably better to have this check anyway just incase something
-            // happens that isn't currently accounted for.
-            throw new OpErr('PPID collision - unable to safely retrieve keys');
-          }
-
-          return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
-        });
-      });
-    }).then(function (jwk) {
+    var promise = PromiseA.resolve(getRawKey(req)).then(function (jwk) {
      if (!jwk) {
        throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
      }
-
-      // We need to sanitize the key to make sure we don't deliver any private keys fields if
-      // we were given a key we could use to sign tokens on behalf of the user. We also don't
-      // want to deliver the sub or any other PPIDs.
-      var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
-      if (jwk.kty === 'EC') {
-        whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
-      } else if (jwk.kty === 'RSA') {
-        whitelist = whitelist.concat([ 'e', 'n' ]);
-      }
-
-      var result = {};
-      whitelist.forEach(function (key) {
-        result[key] = jwk[key];
-      });
-      return result;
+      return sanitizeJwk(jwk);
    });

    app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");