Continued CLI restoration and expansion for new microrm version.

Cargo.lock

@@ -73,9 +73,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.75"
+version = "1.0.80"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6"
+checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1"
 
 [[package]]
 name = "arrayref"
@@ -319,7 +319,7 @@ checksum = "a66537f1bb974b254c98ed142ff995236e81b9d0fe4db0575f46612cb15eb0f9"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -834,7 +834,7 @@ checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -1256,9 +1256,9 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.18.0"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
+checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
 
 [[package]]
 name = "opaque-debug"
@@ -1338,7 +1338,7 @@ dependencies = [
  "pest_meta",
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -1369,7 +1369,7 @@ checksum = "4359fd9c9171ec6e8c62926d6faaf553a8dc3f64e1507e76da7911b4f6a04405"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -1478,9 +1478,9 @@ checksum = "dc375e1527247fe1a97d8b7156678dfe7c1af2fc075c9a4db3690ecd2a148068"
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.69"
+version = "1.0.78"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da"
+checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae"
 dependencies = [
  "unicode-ident",
 ]
@@ -1506,9 +1506,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.33"
+version = "1.0.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
+checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
 dependencies = [
  "proc-macro2",
 ]
@@ -1700,9 +1700,9 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.189"
+version = "1.0.197"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e422a44e74ad4001bdc8eede9a4570ab52f71190e9c076d14369f38b9200537"
+checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2"
 dependencies = [
  "serde_derive",
 ]
@@ -1718,13 +1718,13 @@ dependencies = [
 
 [[package]]
 name = "serde_derive"
-version = "1.0.189"
+version = "1.0.197"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e48d1f918009ce3145511378cf68d613e3b3d9137d67272562080d68a2b32d5"
+checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -1738,9 +1738,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.107"
+version = "1.0.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b420ce6e3d8bd882e9b243c6eed35dbc9a6110c9769e74b584e0d68d1f20c65"
+checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0"
 dependencies = [
  "itoa",
  "ryu",
@@ -2080,9 +2080,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.38"
+version = "2.0.51"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b"
+checksum = "6ab617d94515e94ae53b8406c628598680aa0c9587474ecbe58188f7b345d66c"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2106,22 +2106,22 @@ checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d"
 
 [[package]]
 name = "thiserror"
-version = "1.0.49"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1177e8c6d7ede7afde3585fd2513e611227efd6481bd78d2e82ba1ce16557ed4"
+checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b"
 dependencies = [
  "thiserror-impl",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "1.0.49"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10712f02019e9288794769fba95cd6847df9874d49d871d062172f9dd41bc4cc"
+checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
 ]
 
 [[package]]
@@ -2484,7 +2484,7 @@ dependencies = [
  "once_cell",
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
  "wasm-bindgen-shared",
 ]
 
@@ -2518,7 +2518,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.38",
+ "syn 2.0.51",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]

src/cli.rs

@@ -2,7 +2,7 @@ use crate::{
     schema::{self, UIDCDatabase},
     config,
     UIDCError,
-    key, user_management, client_management, scope_management, group_management, token_management,
+    key::{self, KeyType}, user_management, client_management, scope_management, group_management, token_management,
 };
 use clap::{Parser, Subcommand};
 use microrm::prelude::*;
@@ -116,7 +116,7 @@ enum KeyCommand {
     /// Print details of all keys
     List,
     /// Generate a new key; see types subcommand for valid options.
-    Generate { keytype: String },
+    Generate { key_type: KeyType },
     /// List what keytypes are supported
     Types,
     /// Remove a key from use
@@ -133,14 +133,9 @@ impl KeyArgs {
     async fn run(&self, args: RunArgs) -> Result<(), UIDCError> {
         match &self.command {
             KeyCommand::List => key::list(&args.realm),
-            KeyCommand::Generate { keytype } => {
-                for (spec, kty) in key::KEY_TYPE_NAMES {
-                    if keytype == spec {
-                        key::generate_in(&args.realm, *kty)?;
-                        return Ok(())
-                    }
-                }
-                Err(UIDCError::Abort("invalid keytype; try running `uidc key types`"))
+            KeyCommand::Generate { key_type } => {
+                key::generate_in(&args.realm, *key_type)?;
+                return Ok(())
             },
             KeyCommand::Types => {
                 for (spec, _kty) in key::KEY_TYPE_NAMES {
@@ -157,7 +152,12 @@ impl KeyArgs {
 
 #[derive(Debug, Subcommand)]
 enum ClientCommand {
-    Create { name: String },
+    Create {
+        /// Name for the new client
+        name: String,
+        /// Signing key type to use for this client. Default is ed25519.
+        key_type: Option<KeyType>
+    },
     List,
     Inspect { name: String },
 }
@@ -171,8 +171,8 @@ struct ClientArgs {
 impl ClientArgs {
     async fn run(&self, args: RunArgs) -> Result<(), UIDCError> {
         match &self.command {
-            ClientCommand::Create { name } => {
-                client_management::create(&args.realm, name)
+            ClientCommand::Create { name, key_type } => {
+                client_management::create(&args.realm, name, key_type.unwrap_or(KeyType::Ed25519))
             }
             ClientCommand::List => {
                 todo!()
@@ -451,7 +451,7 @@ impl TokenArgs {
             TokenCommand::Inspect { token } => token_management::inspect_token(
                 &config,
                 &args.realm,
-                token.as_ref().map(|s| s.as_str()),
+                token.as_ref(),
             ),
         }
     }
@@ -474,14 +474,14 @@ impl RoleArgs {
     async fn run(&self, args: RunArgs) -> Result<(), UIDCError> {
         match &self.command {
             RoleCommand::List => {
-                todo!()
+                for role in args.realm.roles.get()? {
+                    println!(" - {}", role.shortname);
+                }
             },
-            _ => todo!(),
-            /*
             RoleCommand::Create { name } => {
-                let add_result = qi.add(&schema::Role {
-                    realm: args.realm_id,
+                let add_result = args.realm.roles.insert(schema::Role {
                     shortname: name.clone(),
+                    groups: Default::default(),
                 });
 
                 match add_result {
@@ -494,12 +494,8 @@ impl RoleArgs {
                 }
             }
             RoleCommand::Delete { name } => {
-                qi.delete()
-                    .by(schema::Role::Realm, &args.realm_id)
-                    .by(schema::Role::Shortname, name.as_str())
-                    .exec()?;
+                args.realm.roles.unique(name).delete()?;
             }
-            */
         }
         Ok(())
     }

src/client_management.rs

@@ -1,10 +1,14 @@
-use crate::{schema, UIDCError};
+use crate::{schema, UIDCError, key::KeyType};
 use microrm::prelude::*;
 
-pub fn create(realm: &schema::Realm, name: &String) -> Result<(), UIDCError> {
+pub fn create(realm: &schema::Realm, name: &String, key_type: KeyType) -> Result<(), UIDCError> {
+    let rng = ring::rand::SystemRandom::new();
+    let client_secret : [u8; 32] = ring::rand::generate(&rng).unwrap().expose();
+
     realm.clients.insert(schema::Client {
         shortname: name.into(),
-        secret: "".into(),
+        secret: base64::encode(&client_secret),
+        key_type: key_type.into(),
         redirects: Default::default(),
         scopes: Default::default(),
     })?;
@@ -14,6 +18,8 @@ pub fn create(realm: &schema::Realm, name: &String) -> Result<(), UIDCError> {
 pub fn inspect(realm: &schema::Realm, name: &String) -> Result<(), UIDCError> {
     if let Some(client) = realm.clients.unique(name).get()? {
         println!("Found client {name}");
+        println!("Client secret: {}", client.secret);
+        println!("Signature type: {:?}", client.key_type);
         println!("Valid redirect URIs:");
         for redirect in client.redirects.get()? {
             println!(" - {}", redirect.redirect);

src/jwt.rs

@@ -1,3 +1,28 @@
+use crate::key::ParsedKey;
+
+fn jwt_algorithm(pk: &ParsedKey) -> &'static str {
+    match pk {
+        ParsedKey::Ed25519 { key_id: _, keypair: _ } => "EdDSA",
+        ParsedKey::RSA { key_id: _, keypair: _ } => "RS256",
+    }
+}
+
+#[derive(serde::Serialize, serde::Deserialize)]
+pub struct JWTHeader {
+    pub alg: Option<String>,
+    pub typ: String,
+    pub kid: Option<String>,
+}
+
+impl JWTHeader {
+    pub fn parse(full_jwt: &str) -> Option<Self> {
+        let header_raw = full_jwt.split(".").next()?;
+        let header_decoded = base64::decode_config(header_raw.as_bytes(), base64::URL_SAFE_NO_PAD).ok()?;
+
+        serde_json::from_slice(header_decoded.as_slice()).ok()
+    }
+}
+
 #[derive(serde::Serialize, serde::Deserialize)]
 pub struct JWTData<'l> {
     pub sub: &'l str,
@@ -16,8 +41,6 @@ impl<'l> Into<String> for JWTData<'l> {
     }
 }
 
-pub const DEFAULT_HEADER: &'static str = r#"{"alg": "EdDSA", "typ": "JWT"}"#;
-
 pub struct JWT {
     pub header: String,
     pub unencoded_data: Vec<u8>,
@@ -26,8 +49,8 @@ pub struct JWT {
 }
 
 impl JWT {
-    pub fn verify<B: std::convert::AsRef<[u8]>>(
-        with: &ring::signature::UnparsedPublicKey<B>,
+    pub fn verify(
+        with: &ParsedKey,
         from: &str,
     ) -> Option<Self> {
         let header_split = from.find(".")?;
@@ -43,7 +66,7 @@ impl JWT {
 
         let decoded_signature =
             base64::decode_config(signature.as_bytes(), base64::URL_SAFE_NO_PAD).ok()?;
-        with.verify(to_verify.as_ref(), decoded_signature.as_ref())
+        with.verify_signature(to_verify.as_ref(), decoded_signature.as_ref())
             .ok()?;
 
         // if we got this far, the verification passed
@@ -59,20 +82,26 @@ impl JWT {
         serde_json::from_slice(self.unencoded_data.as_slice()).ok()
     }
 
-    pub fn sign(with: &ring::signature::Ed25519KeyPair, data: JWTData) -> Self {
-        let header = base64::encode_config(DEFAULT_HEADER, base64::URL_SAFE_NO_PAD);
+    pub fn sign(with: &ParsedKey, data: JWTData) -> Self {
+        let header = JWTHeader {
+            alg: Some(jwt_algorithm(with).into()),
+            typ: "JWT".into(),
+            kid: Some(with.key_id().into()),
+        };
+        let header_data = base64::encode_config(serde_json::to_vec(&header).unwrap(), base64::URL_SAFE_NO_PAD);
+
         let unencoded_data = Into::<String>::into(data);
         let data = base64::encode_config(unencoded_data.as_bytes(), base64::URL_SAFE_NO_PAD);
 
         let mut to_sign = vec![];
-        to_sign.extend(header.as_bytes());
+        to_sign.extend(header_data.as_bytes());
         to_sign.extend(".".as_bytes());
         to_sign.extend(data.as_bytes());
         let signature =
-            base64::encode_config(with.sign(&to_sign).as_ref(), base64::URL_SAFE_NO_PAD);
+            base64::encode_config(with.generate_signature(&to_sign).expect("couldn't sign data"), base64::URL_SAFE_NO_PAD);
 
         Self {
-            header,
+            header: header_data,
             unencoded_data: unencoded_data.as_bytes().into(),
             encoded_data: data,
             signature,

src/key.rs

@@ -1,3 +1,5 @@
+use std::{cell::RefCell, sync::Arc};
+
 use crate::{schema, UIDCError};
 use ring::signature::{Ed25519KeyPair, KeyPair};
 use sha2::Digest;
@@ -9,19 +11,37 @@ pub enum KeyError {
 }
 
 #[non_exhaustive]
-#[derive(Clone, Copy, Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Clone, Copy, Debug, PartialEq, serde::Serialize, serde::Deserialize)]
 pub enum KeyType {
     RSA2048,
     RSA4096,
     Ed25519,
 }
 
+impl std::fmt::Display for KeyType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        <Self as std::fmt::Debug>::fmt(self, f)
+    }
+}
+
 pub const KEY_TYPE_NAMES : &'static [(&'static str, KeyType)] = &[
     ("rsa2048", KeyType::RSA2048),
     ("rsa4096", KeyType::RSA4096),
     ("ed25519", KeyType::Ed25519),
 ];
 
+impl std::str::FromStr for KeyType {
+    type Err = UIDCError;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        for (spec, kty) in KEY_TYPE_NAMES {
+            if s == *spec {
+                return Ok(*kty)
+            }
+        }
+        Err(UIDCError::Abort("invalid keytype"))
+    }
+}
+
 pub enum ParsedKey {
     Ed25519 { key_id: String, keypair: ring::signature::Ed25519KeyPair },
     RSA { key_id: String, keypair: ring::signature::RsaKeyPair }
@@ -53,16 +73,90 @@ impl ParsedKey {
     pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> Result<bool, UIDCError> {
         use ring::signature::VerificationAlgorithm;
         match self {
-            Self::Ed25519 { key_id, keypair } => {
+            Self::Ed25519 { keypair, .. } => {
                 Ok(ring::signature::ED25519.verify(keypair.public_key().as_ref().into(), data.into(), signature.into()).is_ok())
             },
-            Self::RSA { key_id, keypair } => {
+            Self::RSA { keypair, .. } => {
                 Ok(ring::signature::RSA_PKCS1_2048_8192_SHA256.verify(keypair.public_key().as_ref().into(), data.into(), signature.into()).is_ok())
             },
         }
     }
 }
 
+pub struct RealmKeys {
+    realm: schema::Realm,
+    // key cache, to avoid reparsing the key data repeatedly
+    keys: RefCell<Vec<(KeyType, Arc<ParsedKey>)>>,
+}
+
+impl RealmKeys {
+    pub fn new(realm: schema::Realm) -> Self {
+        Self { realm, keys: vec![].into() }
+    }
+
+    pub fn by_key_id(&mut self, id: &String) -> Result<Option<Arc<ParsedKey>>, UIDCError> {
+        // check the cache
+        for key in self.keys.borrow().iter() {
+            if key.1.key_id() == id {
+                return Ok(Some(key.1.clone()))
+            }
+        }
+
+        // then check the database
+        let key = self.realm.keys.with(schema::Key::KeyId, id).first().get()?;
+
+        if let Some(key) = key {
+            let parsed = Arc::new(match key.key_type.as_ref() {
+                KeyType::RSA2048
+                | KeyType::RSA4096 => {
+                    todo!()
+                },
+                KeyType::Ed25519 => {
+                    ParsedKey::Ed25519 { key_id: key.key_id.clone(), keypair: Ed25519KeyPair::from_pkcs8(&key.secret_data).map_err(|_| UIDCError::Abort("could not load ed25519 key from database"))? }
+                },
+            });
+
+            self.keys.borrow_mut().push((*key.key_type.as_ref(), parsed.clone()));
+
+            Ok(Some(parsed))
+        }
+        else {
+            Ok(None)
+        }
+    }
+
+    pub fn by_type(&mut self, kty: KeyType) -> Result<Option<Arc<ParsedKey>>, UIDCError> {
+        // check the cache
+        for key in self.keys.borrow().iter() {
+            if key.0 == kty {
+                return Ok(Some(key.1.clone()))
+            }
+        }
+
+        // then check the database
+        let key = self.realm.keys.with(schema::Key::KeyType, &kty.into()).first().get()?;
+
+        if let Some(key) = key {
+            let parsed = Arc::new(match kty {
+                KeyType::RSA2048
+                | KeyType::RSA4096 => {
+                    ParsedKey::RSA { key_id: key.key_id.clone(), keypair: ring::signature::RsaKeyPair::from_pkcs8(&key.secret_data).map_err(|_| UIDCError::Abort("could not load RSA key from database"))? }
+                },
+                KeyType::Ed25519 => {
+                    ParsedKey::Ed25519 { key_id: key.key_id.clone(), keypair: Ed25519KeyPair::from_pkcs8(&key.secret_data).map_err(|_| UIDCError::Abort("could not load ed25519 key from database"))? }
+                },
+            });
+
+            self.keys.borrow_mut().push((kty, parsed.clone()));
+
+            Ok(Some(parsed))
+        }
+        else {
+            Ok(None)
+        }
+    }
+}
+
 fn pubkey_id(data: &[u8]) -> String {
     let mut key_hasher = sha2::Sha256::new();
     key_hasher.update(data);
@@ -129,7 +223,7 @@ pub fn generate_in(realm: &schema::Realm, kty: KeyType) -> Result<ParsedKey, UID
             realm.keys.insert(schema::Key {
                 key_id: key_id.clone(),
                 key_type: kty.into(),
-                // no public data for EdDSA keys
+                // no separate public data for EdDSA keys
                 public_data: vec![],
                 secret_data: keydata,
                 expiry
@@ -151,12 +245,5 @@ pub fn list(realm: &schema::Realm) -> Result<(), UIDCError> {
 
 pub fn remove(realm: &schema::Realm, key_id: &String) -> Result<(), UIDCError> {
     realm.keys.with(schema::Key::KeyId, key_id).delete()?;
-    /*for key in realm.keys.get()? {
-        if key.key_id != key_id { continue }
-        println!("Deleting key...");
-        realm.keys.dissociate_with(key.id())?;
-        break
-    }*/
-
     Ok(())
 }

src/schema.rs

@@ -72,16 +72,17 @@ impl Relation for GroupRoleRelation {
     const NAME: &'static str = "GroupRole";
 }
 
-#[derive(Debug, Default, Entity)]
+#[derive(Clone, Debug, Default, Entity)]
 pub struct Realm {
     #[unique]
     pub shortname: String,
-    pub users: AssocMap<User>,
-    pub groups: AssocMap<Group>,
-    pub roles: AssocMap<Role>,
+
     pub clients: AssocMap<Client>,
+    pub groups: AssocMap<Group>,
     pub keys: AssocMap<Key>,
+    pub roles: AssocMap<Role>,
     pub scopes: AssocMap<Scope>,
+    pub users: AssocMap<User>,
 }
 
 #[derive(Debug, Entity)]
@@ -123,6 +124,7 @@ pub struct Client {
     #[unique]
     pub shortname: String,
     pub secret: String,
+    pub key_type: Serialized<KeyType>,
     pub redirects: AssocMap<ClientRedirect>,
     pub scopes: AssocMap<Scope>,
 }

src/token.rs

@@ -15,7 +15,7 @@ impl From<microrm::Error> for TokenError {
 }
 
 impl From<ring::error::KeyRejected> for TokenError {
-    fn from(value: ring::error::KeyRejected) -> Self {
+    fn from(_value: ring::error::KeyRejected) -> Self {
         Self::InternalError("could not load realm key")
     }
 }
@@ -49,6 +49,7 @@ pub fn generate_auth_token<'a>(
     requested_roles.dedup();
 
     // find the intersection between requested roles and the ones the user actually has
+
     let resulting_roles = requested_roles
         .into_iter()
         .filter(|req| user_roles.contains(req))
@@ -67,20 +68,11 @@ pub fn generate_auth_token<'a>(
         .into(),
     };
 
-    /*
-    let key = key::get_signing_key_in(realm)?;
+    let mut realmkeys = key::RealmKeys::new(realm.clone());
 
-    let key = qi
-        .get()
-        .by(schema::Key::Realm, &realm.id())
-        .one()?
-        .ok_or(TokenError::InternalError("no signing key for realm"))?;
-    let kpair = ring::signature::Ed25519KeyPair::from_pkcs8(key.keydata.as_slice())
-        .map_err(Into::<TokenError>::into)?;
+    let key = realmkeys.by_type(*client.key_type.as_ref())?.ok_or(UIDCError::Abort("no matching signing key for realm"))?;
 
-    Ok(jwt::JWT::sign(&kpair, token).into_string())
-    */
-    todo!()
+    Ok(jwt::JWT::sign(&key, token).into_string())
 }
 
 pub fn generate_refresh_token<'a>(

src/token_management.rs

@@ -1,6 +1,5 @@
-use crate::{config::Config, jwt, schema, token, UIDCError};
+use crate::{config::Config, schema, token, UIDCError, jwt, key};
 use microrm::prelude::*;
-use ring::signature::KeyPair;
 
 pub fn create_auth_token(
     realm: &schema::Realm,
@@ -41,30 +40,38 @@ pub fn create_refresh_token(
 pub fn inspect_token(
     config: &Config,
     realm: &schema::Realm,
-    token: Option<&str>,
+    token: Option<&String>,
 ) -> Result<(), UIDCError> {
-    todo!()
-    /*
-    let key = qi
-        .get()
-        .by(schema::Key::Realm, &realm_id)
-        .one()?
-        .ok_or(UIDCError::Abort("no key for realm"))?;
+    let token = match token {
+        Some(token) => token.clone(),
+        None => rpassword::prompt_password("Enter token: ").unwrap(),
+    };
 
-    let kpair = ring::signature::Ed25519KeyPair::from_pkcs8(key.keydata.as_slice())
-        .map_err(|_| UIDCError::Abort("could not load key"))?;
+    let header = jwt::JWTHeader::parse(token.as_str()).ok_or(UIDCError::Abort("failed to parse JWT header"))?;
 
-    let pubkey = ring::signature::UnparsedPublicKey::new(
-        &ring::signature::ED25519,
-        kpair.public_key().as_ref(),
-    );
+    let mut realmkeys = key::RealmKeys::new(realm.clone());
 
-    let token = match token {
-        Some(token) => token.to_string(),
-        None => rpassword::prompt_password("Enter token: ").unwrap(),
+    let mut pk = None;
+
+    if let Some(kid) = header.kid {
+        pk = realmkeys.by_key_id(&kid)?;
+    }
+    if pk.is_none() {
+        if let Some(_alg) = header.alg {
+            todo!("algorithm fallback")
+            // pk = realmkeys.by_type(&kid)?;
+        }
+    }
+
+    let jwt = if let Some(key) = pk {
+        jwt::JWT::verify(&key, token.as_str())
+    }
+    else {
+        println!("No matching realm key found!");
+        return Ok(());
     };
 
-    let jwt = jwt::JWT::verify(&pubkey, token.as_str());
+    // let jwt = jwt::JWT::verify(&pubkey, token.as_str());
     if jwt.is_none() {
         println!("Signature validation against realm key failed!");
     } else if let Some(claims) = jwt.as_ref().and_then(jwt::JWT::claims) {
@@ -75,16 +82,12 @@ pub fn inspect_token(
         println!(
             " - issued at   : {} [{}]",
             claims.iat,
-            chrono::DateTime::<chrono::Utc>::from_timestamp(claims.iat as i64, 0)
-                .unwrap()
-                .to_rfc2822()
+            time::OffsetDateTime::from_unix_timestamp(claims.iat as i64).unwrap()
         );
         println!(
             " - expires at  : {} [{}]",
             claims.exp,
-            chrono::DateTime::<chrono::Utc>::from_timestamp(claims.exp as i64, 0)
-                .unwrap()
-                .to_rfc2822()
+            time::OffsetDateTime::from_unix_timestamp(claims.exp as i64).unwrap()
         );
         for claim in claims.extras {
             println!(" - {:12}: {}", claim.0, claim.1);
@@ -92,5 +95,6 @@ pub fn inspect_token(
     } else {
         println!("Claim parsing failed!");
     }
-    Ok(())*/
+
+    Ok(())
 }