user key sign with client credential flow

Author: binarycodes

ssh-hostkey-signer/pom.xml

@@ -20,14 +20,18 @@
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
         <version>3.4.4</version>
-        <relativePath />
+        <relativePath/>
     </parent>
 
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -37,6 +41,10 @@
             <artifactId>ssh-signer-common-lib</artifactId>
             <version>${ssh-signer-common-lib.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

ssh-hostkey-signer/src/main/java/io/binarycodes/homelab/ApplicationProperties.java

@@ -0,0 +1,13 @@
+package io.binarycodes.homelab;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "app")
+public record ApplicationProperties(String serverUrl,
+                                    String keycloakUrl,
+                                    String realmName,
+                                    String clientId,
+                                    String clientSecret,
+                                    String grantType,
+                                    String tokenUrl) {
+}

ssh-hostkey-signer/src/main/java/io/binarycodes/homelab/AuthService.java

@@ -0,0 +1,64 @@
+package io.binarycodes.homelab;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.binarycodes.homelab.lib.DeviceFlowToken;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Service;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.web.client.RestClient;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+
+@Log4j2
+@Service
+public class AuthService {
+    private final ApplicationProperties applicationProperties;
+
+    @Autowired
+    public AuthService(ApplicationProperties applicationProperties) {
+        this.applicationProperties = applicationProperties;
+    }
+
+    private RestClient getRestClient() {
+        return RestClient.builder()
+                .baseUrl(applicationProperties.keycloakUrl())
+                .build();
+    }
+
+    public Optional<String> fetchAuthToken() {
+        var paramMap = new LinkedMultiValueMap<>();
+        paramMap.add("client_id", applicationProperties.clientId());
+        paramMap.add("client_secret", applicationProperties.clientSecret());
+        paramMap.add("grant_type", applicationProperties.grantType());
+
+        var response = getRestClient().post()
+                .uri(applicationProperties.tokenUrl())
+                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                .body(paramMap)
+                .retrieve()
+                .onStatus(status -> !status.is2xxSuccessful(), (httpRequest, httpResponse) -> {
+                    var errorResponse = new String(httpResponse.getBody()
+                            .readAllBytes(), StandardCharsets.UTF_8);
+                    log.debug(errorResponse);
+                })
+                .toEntity(String.class);
+
+        if (!response.getStatusCode()
+                .is2xxSuccessful()) {
+            return Optional.empty();
+        }
+
+        try {
+            var accessTokenResponse = new ObjectMapper().readValue(response.getBody(), DeviceFlowToken.class);
+            return Optional.ofNullable(accessTokenResponse.getAccessToken());
+        } catch (JsonProcessingException e) {
+            log.error(e.getMessage(), e);
+        }
+
+        return Optional.empty();
+    }
+}

ssh-hostkey-signer/src/main/java/io/binarycodes/homelab/SignerService.java

@@ -0,0 +1,63 @@
+package io.binarycodes.homelab;
+
+import io.binarycodes.homelab.lib.SignPublicKeyRequest;
+import io.binarycodes.homelab.lib.SignedPublicKeyDownload;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.RestClient;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+@Log4j2
+@Service
+public class SignerService {
+    private final ApplicationProperties applicationProperties;
+
+    @Autowired
+    public SignerService(ApplicationProperties applicationProperties) {
+        this.applicationProperties = applicationProperties;
+    }
+
+    public void signMyKey(String token, String publicKeyFilePath, String principalName) throws IOException {
+        var absolutePublicKeyPath = Path.of(publicKeyFilePath)
+                .toAbsolutePath();
+
+        var fileName = absolutePublicKeyPath.getFileName()
+                .toString();
+        var publicKey = Files.readString(absolutePublicKeyPath);
+
+        var signPublicKeyRequest = new SignPublicKeyRequest(fileName, publicKey, principalName);
+
+        var restClient = RestClient.builder()
+                .baseUrl(applicationProperties.serverUrl())
+                .defaultHeader(HttpHeaders.AUTHORIZATION, "Bearer %s".formatted(token))
+                .build();
+
+        var response = restClient.post()
+                .uri("/rest/key/hostSign")
+                .contentType(MediaType.APPLICATION_JSON)
+                .body(signPublicKeyRequest)
+                .retrieve()
+                .toEntity(SignedPublicKeyDownload.class);
+
+        var signedPublicKeyDownload = response.getBody();
+        if (response.getStatusCode()
+                .is2xxSuccessful() && signedPublicKeyDownload != null) {
+
+            var writeToPath = absolutePublicKeyPath.resolveSibling(signedPublicKeyDownload.filename());
+            Files.writeString(writeToPath, signedPublicKeyDownload.signedKey());
+
+            log.info("Key is signed and placed at - " + signedPublicKeyDownload.filename());
+        } else {
+            log.error("Error processing request");
+            log.error(response.getStatusCode()
+                    .getClass());
+        }
+    }
+
+}

ssh-hostkey-signer/src/main/java/io/binarycodes/homelab/SpringBootConsoleApplication.java

@@ -4,17 +4,38 @@
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
+
+import java.io.IOException;
 
 @Log4j2
 @SpringBootApplication
+@ConfigurationPropertiesScan
 public class SpringBootConsoleApplication implements CommandLineRunner {
+    private final SignerService signerService;
+    private final AuthService authService;
+
+    public SpringBootConsoleApplication(SignerService signerService, AuthService authService) {
+        this.signerService = signerService;
+        this.authService = authService;
+    }
 
     public static void main(String[] args) {
         SpringApplication.run(SpringBootConsoleApplication.class, args);
     }
 
     @Override
-    public void run(String... args) throws Exception {
-        log.info("started the command line app");
+    public void run(String... args) {
+        var tokenResponse = authService.fetchAuthToken();
+        tokenResponse.ifPresentOrElse(token -> {
+            try {
+                signerService.signMyKey(token, args[0], args[1]);
+            } catch (IOException e) {
+                log.error(e.getMessage(), e);
+            }
+        }, () -> {
+            log.error("Error getting auth token.");
+        });
+
     }
 }

ssh-hostkey-signer/src/main/resources/application-dev.yml

@@ -0,0 +1,5 @@
+APP_SERVER_URL: http://localhost:8080
+APP_KEYCLOAK_URL: http://localhost:8090
+APP_REALM_NAME: my-test-realm
+APP_CLIENT_ID: my-test-client
+APP_CLIENT_SECRET: UTRtYkyYN1nbgdPPbBru1FDVsE8ye5JE

ssh-hostkey-signer/src/main/resources/application.yml

@@ -2,9 +2,22 @@ spring:
   profiles:
     active: @spring.profiles.active@
   main:
+    banner-mode: off
     web-application-type: NONE
 
 logging:
   level:
-    org: error
+    io:
+      binarycodes: error
+    org:
+      atmosphere: error
+      springframework: error
 
+app:
+  server-url: ${APP_SERVER_URL}
+  keycloak-url: ${APP_KEYCLOAK_URL}
+  realm-name: ${APP_REALM_NAME}
+  client-id: ${APP_CLIENT_ID}
+  client-secret: ${APP_CLIENT_SECRET}
+  grant-type: client_credentials
+  token-url:  /realms/${app.realm-name}/protocol/openid-connect/token

ssh-key-signer-server/src/main/resources/application-dev.yml

@@ -1,5 +1,5 @@
 OAUTH_CLIENT: my-test-client
-OAUTH_CLIENT_SECRET: fu3hZgzTNHjUIGzZETKuHwQzNT9ptbFG
+OAUTH_CLIENT_SECRET: UTRtYkyYN1nbgdPPbBru1FDVsE8ye5JE
 OAUTH_URL: http://localhost:8090
 OAUTH_REALM: my-test-realm
 

ssh-userkey-signer/pom.xml

@@ -40,12 +40,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter</artifactId>
         </dependency>
-
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
         </dependency>
-
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -55,12 +53,10 @@
             <artifactId>ssh-signer-common-lib</artifactId>
             <version>${ssh-signer-common-lib.version}</version>
         </dependency>
-
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
         </dependency>
-
         <dependency>
             <groupId>pro.leaco.qrcode</groupId>
             <artifactId>console-qrcode</artifactId>

ssh-userkey-signer/src/main/java/io/binarycodes/homelab/AuthService.java

@@ -29,12 +29,9 @@ public AuthService(ApplicationProperties applicationProperties) {
         this.applicationProperties = applicationProperties;
     }
 
-
-    public String startDeviceFlowAuth() {
+    public Optional<String> startDeviceFlowAuth() {
         return initiateDeviceFlow().map(this::displayLoginInfo)
-                .map(this::waitForToken)
-                .map(token -> token.orElse(""))
-                .orElse("");
+                .flatMap(this::waitForToken);
     }
 
     private RestClient getRestClient() {
@@ -43,7 +40,6 @@ private RestClient getRestClient() {
                 .build();
     }
 
-
     private DeviceFlowStartResponse displayLoginInfo(DeviceFlowStartResponse deviceFlowStartResponse) {
         System.out.println(deviceFlowStartResponse.getVerificationUriComplete());
 
@@ -104,7 +100,6 @@ private Optional<String> fetchAuthToken(DeviceFlowStartResponse deviceFlowStartR
             return Optional.empty();
         }
 
-
         try {
             var accessTokenResponse = new ObjectMapper().readValue(response.getBody(), DeviceFlowToken.class);
             return Optional.ofNullable(accessTokenResponse.getAccessToken());
@@ -142,6 +137,4 @@ private Optional<DeviceFlowStartResponse> initiateDeviceFlow() {
 
         return Optional.empty();
     }
-
-
 }