chore: Generate JWT_SIGNATURE_KEY for session shared (#2152)

* Generate JWT_SIGNATURE_KEY for session shared * fix
pagopa · Jun 18, 2024 · 0fb6d3c · 0fb6d3c
1 parent 51225d8
commit 0fb6d3c
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 17 deletions.
diff --git a/src/domains/shared-app/04_apim_io_wallet_session.tf b/src/domains/shared-app/04_apim_io_wallet_session.tf
@@ -13,16 +13,26 @@ resource "azurerm_api_management_named_value" "wallet_personal_data_vault_api_ke
 }
 
 data "azurerm_key_vault_secret" "wallet_jwt_signing_key_secret" {
-  name         = "wallet-session-jwt-signing-key"
+  name         = "pagopa-wallet-session-jwt-signature-key-private-key"
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+resource "azurerm_api_management_named_value" "pagopa-wallet-jwt-signing-key" {
+  name                = "pagopa-wallet-session-jwt-signing-key"
+  api_management_name = local.pagopa_apim_name
+  resource_group_name = local.pagopa_apim_rg
+  display_name        = "pagopa-wallet-session-jwt-signing-key"
+  value               = replace(trim(trim(trimspace(data.azurerm_key_vault_secret.wallet_jwt_signing_key_secret.value), "-----BEGIN RSA PRIVATE KEY-----"), "-----END RSA PRIVATE KEY-----"), "\n", " /")
+  secret              = true
+}
+
+## DEPRECATED TO REMOVE use 👆👆
 resource "azurerm_api_management_named_value" "wallet-jwt-signing-key" {
   name                = "wallet-session-jwt-signing-key"
   api_management_name = local.pagopa_apim_name
   resource_group_name = local.pagopa_apim_rg
   display_name        = "wallet-session-jwt-signing-key"
-  value               = data.azurerm_key_vault_secret.wallet_jwt_signing_key_secret.value
+  value               = replace(trim(trim(trimspace(data.azurerm_key_vault_secret.wallet_jwt_signing_key_secret.value), "-----BEGIN RSA PRIVATE KEY-----"), "-----END RSA PRIVATE KEY-----"), "\n", " /")
   secret              = true
 }
 
@@ -112,6 +122,8 @@ module "apim_session_wallet_api_v1" {
 #######################################################################
 
 resource "azapi_resource" "fragment_chk_jwt_session_token" {
+  depends_on = [azurerm_api_management_named_value.wallet-jwt-signing-key]
+
   # provider  = azapi.apim
   type      = "Microsoft.ApiManagement/service/policyFragments@2022-04-01-preview"
   name      = "jwt-chk-wallet-session"
@@ -130,4 +142,5 @@ resource "azapi_resource" "fragment_chk_jwt_session_token" {
   lifecycle {
     ignore_changes = [output]
   }
+
 }
diff --git a/src/domains/shared-app/README.md b/src/domains/shared-app/README.md
@@ -75,6 +75,7 @@
 | [azurerm_api_management_api_version_set.session_wallet_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_group.technical_support_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group) | resource |
 | [azurerm_api_management_named_value.ecommerce_io_pm_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
+| [azurerm_api_management_named_value.pagopa-wallet-jwt-signing-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.wallet-jwt-signing-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.wallet_personal_data_vault_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_product_group.technical_support_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_group) | resource |

diff --git a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
@@ -162,7 +162,7 @@
                     var jwtPayloadBase64UrlEncoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload))).Replace("/", "_").Replace("+", "-"). Replace("=", "");
                     
                     // Construct the Base64Url-encoded signature                
-                    var signature = new HMACSHA512(Convert.FromBase64String("{{wallet-session-jwt-signing-key}}")).ComputeHash(Encoding.UTF8.GetBytes($"{jwtHeaderBase64UrlEncoded}.{jwtPayloadBase64UrlEncoded}"));
+                    var signature = new HMACSHA512(Convert.FromBase64String("{{pagopa-wallet-session-jwt-signing-key}}")).ComputeHash(Encoding.UTF8.GetBytes($"{jwtHeaderBase64UrlEncoded}.{jwtPayloadBase64UrlEncoded}"));
                     var jwtSignatureBase64UrlEncoded = Convert.ToBase64String(signature).Replace("/", "_").Replace("+", "-"). Replace("=", "");
 
                     // Return the HMAC SHA512-signed JWT as the value for the Authorization header

diff --git a/src/domains/shared-app/api/session-wallet/v1/_fragment_policiy_chk_jwt.tpl.xml b/src/domains/shared-app/api/session-wallet/v1/_fragment_policiy_chk_jwt.tpl.xml
@@ -1,7 +1,7 @@
 <fragment>
       <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true" output-token-variable-name="jwtToken">
         <issuer-signing-keys>
-            <key>{{wallet-session-jwt-signing-key}}</key>
+            <key>{{pagopa-wallet-session-jwt-signing-key}}</key>
         </issuer-signing-keys>
         <required-claims>
           <claim name="userId" match="all">

diff --git a/src/domains/shared-common/.terraform.lock.hcl b/src/domains/shared-common/.terraform.lock.hcl
diff --git a/src/domains/shared-common/02_security.tf b/src/domains/shared-common/02_security.tf
@@ -345,6 +345,22 @@ resource "azurerm_key_vault_secret" "nodo5_slack_webhook_url" {
   }
 }
 
+# Wallet secrets ( JWT_SIGNATURE_KEY and PDV Tokenizer key )
+
+#tfsec:ignore:azure-keyvault-ensure-secret-expiry:exp:2022-05-01 # already ignored, maybe a bug in tfsec
+module "pagopa_wallet_jwt" {
+  source = "github.com/pagopa/terraform-azurerm-v3//jwt_keys?ref=v8.21.0"
+  # Save on KV : 
+  #  - pagopa-wallet-session-jwt-signature-key-private-key
+  #  - pagopa-wallet-session-jwt-signature-key-public-key
+  jwt_name         = "pagopa-wallet-session-jwt-signature-key"
+  key_vault_id     = module.key_vault.id
+  cert_common_name = "pagoPA platform session wallet token for IO"
+  cert_password    = ""
+
+  tags = var.tags
+}
+# JWT_SIGNATURE_KEY   = trimspace(module.pagopa_wallet_jwt.jwt_private_key_pem) # to avoid unwanted changes
 
 
 resource "azurerm_key_vault_secret" "wallet_session_pdv_api_key" {
@@ -359,15 +375,3 @@ resource "azurerm_key_vault_secret" "wallet_session_pdv_api_key" {
   }
 }
 
-
-resource "azurerm_key_vault_secret" "wallet_session_jwt_signing_key" {
-  name         = "wallet-session-jwt-signing-key"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
diff --git a/src/domains/shared-common/README.md b/src/domains/shared-common/README.md
@@ -166,6 +166,7 @@ No outputs.
 | <a name="module_iuvgenerator_cosmosdb_account"></a> [iuvgenerator\_cosmosdb\_account](#module\_iuvgenerator\_cosmosdb\_account) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_account | v7.60.0 |
 | <a name="module_iuvgenerator_cosmosdb_snet"></a> [iuvgenerator\_cosmosdb\_snet](#module\_iuvgenerator\_cosmosdb\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.60.0 |
 | <a name="module_key_vault"></a> [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v7.60.0 |
+| <a name="module_pagopa_wallet_jwt"></a> [pagopa\_wallet\_jwt](#module\_pagopa\_wallet\_jwt) | github.com/pagopa/terraform-azurerm-v3//jwt_keys | v8.21.0 |
 | <a name="module_poc_reporting_enrollment_sa"></a> [poc\_reporting\_enrollment\_sa](#module\_poc\_reporting\_enrollment\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v7.60.0 |
 | <a name="module_taxonomy_sa"></a> [taxonomy\_sa](#module\_taxonomy\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v7.60.0 |
 | <a name="module_taxonomy_storage_snet"></a> [taxonomy\_storage\_snet](#module\_taxonomy\_storage\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.60.0 |
@@ -205,7 +206,6 @@ No outputs.
 | [azurerm_key_vault_secret.redis_hostname](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.redis_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.storage_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
-| [azurerm_key_vault_secret.wallet_session_jwt_signing_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.wallet_session_pdv_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_private_endpoint.taxonomy_blob_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |