feat: refactor signer configuration with local and vault options (#4532)

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>

Author: nabokihms

cmd/dex/config.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/dexidp/dex/pkg/featureflags"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/ent"
 	"github.com/dexidp/dex/storage/etcd"
@@ -36,7 +37,7 @@ type Config struct {
 	Frontend server.WebConfig `json:"frontend"`
 
 	// Signer configuration controls signing of JWT tokens issued by Dex.
-	Signer server.SignerConfig `json:"signer"`
+	Signer Signer `json:"signer"`
 
 	// StaticConnectors are user defined connectors specified in the ConfigMap
 	// Write operations, like updating a connector, will fail.
@@ -373,6 +374,74 @@ func (s *Storage) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+// Signer holds app's signer configuration.
+type Signer struct {
+	Type   string       `json:"type"`
+	Config SignerConfig `json:"config"`
+}
+
+// SignerConfig is a configuration that can create a signer.
+type SignerConfig interface{}
+
+var (
+	_ SignerConfig = (*signer.LocalConfig)(nil)
+	_ SignerConfig = (*signer.VaultConfig)(nil)
+)
+
+var signerConfigs = map[string]func() SignerConfig{
+	"local": func() SignerConfig { return new(signer.LocalConfig) },
+	"vault": func() SignerConfig { return new(signer.VaultConfig) },
+}
+
+// UnmarshalJSON allows Signer to implement the unmarshaler interface to
+// dynamically determine the type of the signer config.
+func (s *Signer) UnmarshalJSON(b []byte) error {
+	var signerData struct {
+		Type   string          `json:"type"`
+		Config json.RawMessage `json:"config"`
+	}
+	if err := json.Unmarshal(b, &signerData); err != nil {
+		return fmt.Errorf("parse signer: %v", err)
+	}
+
+	f, ok := signerConfigs[signerData.Type]
+	if !ok {
+		return fmt.Errorf("unknown signer type %q", signerData.Type)
+	}
+
+	signerConfig := f()
+	if len(signerData.Config) != 0 {
+		data := []byte(signerData.Config)
+		if featureflags.ExpandEnv.Enabled() {
+			var rawMap map[string]interface{}
+			if err := json.Unmarshal(signerData.Config, &rawMap); err != nil {
+				return fmt.Errorf("unmarshal config for env expansion: %v", err)
+			}
+
+			// Recursively expand environment variables in the map
+			expandEnvInMap(rawMap)
+
+			// Marshal the expanded map back to JSON
+			expandedData, err := json.Marshal(rawMap)
+			if err != nil {
+				return fmt.Errorf("marshal expanded config: %v", err)
+			}
+
+			data = expandedData
+		}
+
+		if err := json.Unmarshal(data, signerConfig); err != nil {
+			return fmt.Errorf("parse signer config: %v", err)
+		}
+	}
+
+	*s = Signer{
+		Type:   signerData.Type,
+		Config: signerConfig,
+	}
+	return nil
+}
+
 // Connector is a magical type that can unmarshal YAML dynamically. The
 // Type field determines the connector type, which is then customized for Config.
 type Connector struct {

cmd/dex/config_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/json"
 	"log/slog"
 	"os"
 	"testing"
@@ -11,6 +12,7 @@ import (
 	"github.com/dexidp/dex/connector/mock"
 	"github.com/dexidp/dex/connector/oidc"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
 )
@@ -469,3 +471,117 @@ logger:
 		t.Errorf("got!=want: %s", diff)
 	}
 }
+
+func TestSignerConfigUnmarshal(t *testing.T) {
+	tests := []struct {
+		name    string
+		config  string
+		wantErr bool
+		check   func(*Config) error
+	}{
+		{
+			name: "local signer with rotation period",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: local
+  config:
+    keysRotationPeriod: 6h
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "local" {
+					t.Errorf("expected signer type 'local', got %q", c.Signer.Type)
+				}
+				if localConfig, ok := c.Signer.Config.(*signer.LocalConfig); !ok {
+					t.Error("expected LocalConfig")
+				} else if localConfig.KeysRotationPeriod != "6h" {
+					t.Errorf("expected keys rotation period '6h', got %q", localConfig.KeysRotationPeriod)
+				}
+				return nil
+			},
+		},
+		{
+			name: "vault signer",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: vault
+  config:
+    addr: http://localhost:8200
+    token: test-token
+    keyName: test-key
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "vault" {
+					t.Errorf("expected signer type 'vault', got %q", c.Signer.Type)
+				}
+				if vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig); !ok {
+					t.Error("expected VaultConfig")
+				} else {
+					if vaultConfig.Addr != "http://localhost:8200" {
+						t.Errorf("expected addr 'http://localhost:8200', got %q", vaultConfig.Addr)
+					}
+					if vaultConfig.Token != "test-token" {
+						t.Errorf("expected token 'test-token', got %q", vaultConfig.Token)
+					}
+					if vaultConfig.KeyName != "test-key" {
+						t.Errorf("expected keyName 'test-key', got %q", vaultConfig.KeyName)
+					}
+				}
+				return nil
+			},
+		},
+		{
+			name: "default to local when no signer specified",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "" {
+					t.Errorf("expected signer type '', got %q", c.Signer.Type)
+				}
+				return nil
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var c Config
+			data, err := yaml.YAMLToJSON([]byte(tt.config))
+			if err != nil {
+				t.Fatalf("failed to convert yaml to json: %v", err)
+			}
+
+			err = json.Unmarshal(data, &c)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Unmarshal() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if err == nil && tt.check != nil {
+				if err := tt.check(&c); err != nil {
+					t.Errorf("check failed: %v", err)
+				}
+			}
+		})
+	}
+}

cmd/dex/serve.go

@@ -37,6 +37,7 @@ import (
 	"github.com/dexidp/dex/api/v2"
 	"github.com/dexidp/dex/pkg/featureflags"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 )
 
@@ -290,6 +291,65 @@ func runServe(options serveOptions) error {
 
 	healthChecker := gosundheit.New()
 
+	// Parse expiry durations
+	idTokensValidFor := 24 * time.Hour // default
+	if c.Expiry.IDTokens != "" {
+		var err error
+		idTokensValidFor, err = time.ParseDuration(c.Expiry.IDTokens)
+		if err != nil {
+			return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err)
+		}
+		logger.Info("config id tokens", "valid_for", idTokensValidFor)
+	}
+
+	// Create signer
+	var signerInstance signer.Signer
+	switch c.Signer.Type {
+	case "vault":
+		vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig)
+		if !ok {
+			return fmt.Errorf("invalid vault signer config")
+		}
+		signerInstance, err = vaultConfig.Open(context.Background())
+		if err != nil {
+			return fmt.Errorf("failed to open vault signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "vault")
+	case "local":
+		localConfig, ok := c.Signer.Config.(*signer.LocalConfig)
+		if !ok {
+			return fmt.Errorf("invalid local signer config")
+		}
+		if localConfig.KeysRotationPeriod == "" {
+			return fmt.Errorf("failed to open local signer: signer.config.keysRotationPeriod must be specified")
+		}
+		if c.Expiry.SigningKeys != "" {
+			logger.Warn("both expiry.signingKeys and signer.config.keysRotationPeriod specified, using signer.config.keysRotationPeriod")
+		}
+		signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger)
+		if err != nil {
+			return fmt.Errorf("failed to open local signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod)
+	case "": // Default to local signer
+		// Handle deprecated expiry.signingKeys configuration
+		if c.Expiry.SigningKeys != "" {
+			logger.Warn("config expiry.signingKeys will be removed in a future release",
+				"use_instead", "signer.config.keysRotationPeriod",
+				"current_value", c.Expiry.SigningKeys, "deprecated", true)
+		} else {
+			c.Expiry.SigningKeys = "6h"
+		}
+		localConfig := signer.LocalConfig{KeysRotationPeriod: c.Expiry.SigningKeys}
+		signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger)
+		if err != nil {
+			return fmt.Errorf("failed to open local signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod)
+	default:
+		return fmt.Errorf("unknown signer type %q", c.Signer.Type)
+	}
+
 	serverConfig := server.Config{
 		AllowedGrantTypes:          c.OAuth2.GrantTypes,
 		SupportedResponseTypes:     c.OAuth2.ResponseTypes,
@@ -307,24 +367,10 @@ func runServe(options serveOptions) error {
 		PrometheusRegistry:         prometheusRegistry,
 		HealthChecker:              healthChecker,
 		ContinueOnConnectorFailure: featureflags.ContinueOnConnectorFailure.Enabled(),
-		Signer:                     c.Signer,
-	}
-	if c.Expiry.SigningKeys != "" {
-		signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys)
-		if err != nil {
-			return fmt.Errorf("invalid config value %q for signing keys expiry: %v", c.Expiry.SigningKeys, err)
-		}
-		logger.Info("config signing keys", "expire_after", signingKeys)
-		serverConfig.RotateKeysAfter = signingKeys
-	}
-	if c.Expiry.IDTokens != "" {
-		idTokens, err := time.ParseDuration(c.Expiry.IDTokens)
-		if err != nil {
-			return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err)
-		}
-		logger.Info("config id tokens", "valid_for", idTokens)
-		serverConfig.IDTokensValidFor = idTokens
+		Signer:                     signerInstance,
+		IDTokensValidFor:           idTokensValidFor,
 	}
+
 	if c.Expiry.AuthRequests != "" {
 		authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
 		if err != nil {

examples/config-dev.yaml

@@ -184,9 +184,13 @@ staticPasswords:
 # Settings for signing JWT tokens. Available options:
 # - "local": use local keys (only RSA keys supported)
 # - "vault": use Vault Transit backend (RSA and EC keys supported)
-# signer:
+signer:
+  type: local
+  config:
+    keysRotationPeriod: "6h"
+# signer
 #   type: vault
-#   vault:
+#   config:
 #     addr: http://127.0.0.1:8200
 #     token: root
 #     keyName: dex-key