feat(Api): Replaced IdentityServer developper signing credentials with automatically generated ones

fix(Api): Fixed the API to properly verify the signature of Service Account JwTs
fix(Runner): Fixed the Do and For TaskExecutors to update the context upon changes

Fixes #373

Author: cdavernas

src/api/Synapse.Api.Application/ServiceAccountSigningKey.cs

@@ -0,0 +1,100 @@
+// Copyright © 2024-Present The Synapse Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License"),
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Microsoft.IdentityModel.Tokens;
+using System.Security.Cryptography;
+
+namespace Synapse.Api.Application;
+
+/// <summary>
+/// Expose static methods used to help manage the key used for signing service account JwTs
+/// </summary>
+public static class ServiceAccountSigningKey
+{
+
+    const string KeyDirectory = "keys";
+    const string PrivateKeyFile = "service_account_private.pem";
+    const string PublicKeyFile = "service_account_public.pem";
+
+    /// <summary>
+    /// Creates the Service Account JWT signing key if it does not exist
+    /// </summary>
+    public static void Initialize()
+    {
+        var keyPath = Path.Combine(AppContext.BaseDirectory, KeyDirectory);
+        if (!Directory.Exists(keyPath)) Directory.CreateDirectory(keyPath);
+        var privateKeyPath = Path.Combine(keyPath, PrivateKeyFile);
+        var publicKeyPath = Path.Combine(keyPath, PublicKeyFile);
+        if (!File.Exists(privateKeyPath) || !File.Exists(publicKeyPath)) GenerateKeyPair(privateKeyPath, publicKeyPath);
+    }
+
+    /// <summary>
+    /// Loads the private service account signing key
+    /// </summary>
+    /// <returns>The private service account signing key</returns>
+    public static SigningCredentials LoadPrivateKey()
+    {
+        var keyPath = Path.Combine(AppContext.BaseDirectory, KeyDirectory);
+        if (!Directory.Exists(keyPath)) Directory.CreateDirectory(keyPath);
+        var privateKeyPath = Path.Combine(keyPath, PrivateKeyFile);
+        var privateKey = File.ReadAllText(privateKeyPath)
+            .Replace("-----BEGIN PRIVATE KEY-----\n", string.Empty)
+            .Replace("-----END PRIVATE KEY-----", string.Empty)
+            .Replace("\n", string.Empty);
+        var privateKeyBytes = Convert.FromBase64String(privateKey);
+        var rsa = RSA.Create();
+        rsa.ImportRSAPrivateKey(privateKeyBytes, out _);
+        return new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256);
+    }
+
+    /// <summary>
+    /// Loads the public service account signing key
+    /// </summary>
+    /// <returns>The public service account signing key</returns>
+    public static SecurityKey LoadPublicKey()
+    {
+        var keyPath = Path.Combine(AppContext.BaseDirectory, KeyDirectory);
+        if (!Directory.Exists(keyPath)) Directory.CreateDirectory(keyPath);
+        var publicKeyPath = Path.Combine(keyPath, PublicKeyFile);
+        var publicKey = File.ReadAllText(publicKeyPath)
+            .Replace("-----BEGIN PUBLIC KEY-----\n", string.Empty)
+            .Replace("-----END PUBLIC KEY-----", string.Empty)
+            .Replace("\n", string.Empty);
+        var publicKeyBytes = Convert.FromBase64String(publicKey);
+        var rsa = RSA.Create();
+        rsa.ImportRSAPublicKey(publicKeyBytes, out _);
+        return new RsaSecurityKey(rsa);
+    }
+
+    static void GenerateKeyPair(string privateKeyPath, string publicKeyPath)
+    {
+        using var rsa = RSA.Create(2048);
+        var privateKey = ExportPrivateKey(rsa);
+        File.WriteAllText(privateKeyPath, privateKey);
+        var publicKey = ExportPublicKey(rsa);
+        File.WriteAllText(publicKeyPath, publicKey);
+    }
+
+    static string ExportPrivateKey(RSA rsa)
+    {
+        var privateKeyBytes = rsa.ExportRSAPrivateKey();
+        return $"-----BEGIN PRIVATE KEY-----\n{Convert.ToBase64String(privateKeyBytes, Base64FormattingOptions.InsertLineBreaks)}\n-----END PRIVATE KEY-----";
+    }
+
+    static string ExportPublicKey(RSA rsa)
+    {
+        var publicKeyBytes = rsa.ExportRSAPublicKey();
+        return $"-----BEGIN PUBLIC KEY-----\n{Convert.ToBase64String(publicKeyBytes, Base64FormattingOptions.InsertLineBreaks)}\n-----END PUBLIC KEY-----";
+    }
+
+}

src/api/Synapse.Api.Http/Extensions/IServiceCollectionExtensions.cs

@@ -16,6 +16,7 @@
 using Microsoft.OpenApi.Models;
 using Neuroglia;
 using Neuroglia.Security.Services;
+using Synapse.Api.Application;
 using Synapse.Api.Application.Services;
 using Synapse.Api.Http.Controllers;
 using Synapse.Core.Api.Services;
@@ -36,6 +37,7 @@ public static class IServiceCollectionExtensions
     /// <returns>The configured <see cref="IServiceCollection"/></returns>
     public static IServiceCollection AddSynapseHttpApi(this IServiceCollection services)
     {
+        ServiceAccountSigningKey.Initialize();
         services.AddHttpContextAccessor();
         services.AddScoped<IUserAccessor, HttpContextUserAccessor>();
         services.AddControllers()
@@ -45,7 +47,7 @@ public static IServiceCollection AddSynapseHttpApi(this IServiceCollection servi
             })
             .AddApplicationPart(typeof(WorkflowsController).Assembly);
         services.AddIdentityServer()
-            .AddDeveloperSigningCredential()
+            .AddSigningCredential(ServiceAccountSigningKey.LoadPrivateKey())
             .AddInMemoryApiResources(SynapseApiDefaults.OpenIDConnect.ApiResources.AsEnumerable())
             .AddInMemoryIdentityResources(SynapseApiDefaults.OpenIDConnect.IdentityResources.AsEnumerable())
             .AddInMemoryApiScopes(SynapseApiDefaults.OpenIDConnect.ApiScopes.AsEnumerable())

src/api/Synapse.Api.Server/Program.cs

@@ -39,10 +39,11 @@
     {
         NameClaimType = JwtClaimTypes.Name,
         RoleClaimType = JwtClaimTypes.Role,
-        //ValidAudience = "api", //todo
-        ValidateAudience = false, //todo
+        ValidAudience = "api",
+        ValidateAudience = false,
         ValidIssuer = options.Authority,
-        ValidateIssuer = true
+        ValidateIssuer = true,
+        IssuerSigningKey = ServiceAccountSigningKey.LoadPublicKey()
     };
 });
 authentication.AddPolicyScheme(FallbackPolicySchemeDefaults.AuthenticationScheme, FallbackPolicySchemeDefaults.AuthenticationScheme, options =>
@@ -144,7 +145,7 @@
 {
     app.MapFallbackToFile("index.html");
     app.MapFallbackToFile("/workflows/details/{namespace}/{name}/{version?}/{instanceName?}", "index.html");
-    app.MapFallbackToFile("/workflow-intances/{instanceName?}", "index.html");
+    app.MapFallbackToFile("/workflow-instances/{instanceName?}", "index.html");
 }
 
 await app.RunAsync();

src/api/Synapse.Api.Server/tempkey.jwk

@@ -63,12 +63,12 @@ public record OAuth2Token
     /// Gets the UTC date and time at which the <see cref="OAuth2Token"/> expires
     /// </summary>
     [DataMember(Order = 6, Name = "expires_on"), JsonPropertyName("expires_on"), JsonPropertyOrder(6), YamlMember(Alias = "expires_on", Order = 6)]
-    public virtual DateTime ExpiresAt { get; set; }
+    public virtual DateTime? ExpiresAt { get; set; }
 
     /// <summary>
     /// Gets a boolean indicating whether or not the <see cref="OAuth2Token"/> has expired
     /// </summary>
     [IgnoreDataMember, JsonIgnore, YamlIgnore]
-    public virtual bool HasExpired => DateTime.UtcNow > this.ExpiresAt;
+    public virtual bool HasExpired => this.ExpiresAt.HasValue ? DateTime.UtcNow > this.ExpiresAt : DateTime.UtcNow > this.CreatedAt.Add(TimeSpan.FromSeconds(this.Ttl));
 
 }

src/core/Synapse.Core.Infrastructure/OAuth2Token.cs

@@ -13,12 +13,12 @@
 
 using IdentityModel.Client;
 using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 using Neuroglia.Serialization;
 using ServerlessWorkflow.Sdk;
 using ServerlessWorkflow.Sdk.Models.Authentication;
 using System.Collections.Concurrent;
-using System.IdentityModel.Tokens.Jwt;
 using System.Net.Mime;
 using System.Security.Claims;
 using System.Text;
@@ -59,6 +59,8 @@ public class OAuth2TokenManager(ILogger<OAuth2TokenManager> logger, IJsonSeriali
     public virtual async Task<OAuth2Token> GetTokenAsync(OAuth2AuthenticationSchemeDefinitionBase configuration, CancellationToken cancellationToken = default)
     {
         ArgumentNullException.ThrowIfNull(configuration);
+        var tokenKey = $"{configuration.Client?.Id}@{configuration.Authority}";
+        if (this.Tokens.TryGetValue(tokenKey, out var token) && token != null && !token.HasExpired) return token;
         Uri tokenEndpoint;
         if (configuration is OpenIDConnectSchemeDefinition)
         {
@@ -68,7 +70,6 @@ public virtual async Task<OAuth2Token> GetTokenAsync(OAuth2AuthenticationSchemeD
         }
         else if (configuration is OAuth2AuthenticationSchemeDefinition oauth2) tokenEndpoint = oauth2.Endpoints.Token;
         else throw new NotSupportedException($"The specified scheme type '{configuration.GetType().FullName}' is not supported in this context");
-        var tokenKey = $"{configuration.Client?.Id}@{configuration.Authority}";
         var properties = new Dictionary<string, string>()
         {
             { "grant_type", configuration.Grant }
@@ -113,15 +114,10 @@ public virtual async Task<OAuth2Token> GetTokenAsync(OAuth2AuthenticationSchemeD
             properties["actor_token"] = configuration.Actor.Token;
             properties["actor_token_type"] = configuration.Actor.Type;
         }
-        if (this.Tokens.TryGetValue(tokenKey, out var token) && token != null)
+        if (token != null && token.HasExpired && !string.IsNullOrWhiteSpace(token.RefreshToken))
         {
-            if (token.HasExpired
-                && !string.IsNullOrWhiteSpace(token.RefreshToken))
-            {
-                properties["grant_type"] = "refresh_token";
-                properties["refresh_token"] = token.RefreshToken;
-            }
-            else return token;
+            properties["grant_type"] = "refresh_token";
+            properties["refresh_token"] = token.RefreshToken;
         }
         using var content = configuration.Request.Encoding switch
         {
@@ -168,15 +164,23 @@ protected virtual string CreateClientAssertionJwt(string clientId, string audien
         ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
         ArgumentException.ThrowIfNullOrWhiteSpace(audience);
         ArgumentNullException.ThrowIfNull(signingCredentials);
-        var tokenHandler = new JwtSecurityTokenHandler();
         var claims = new List<Claim>
         {
             new(JwtRegisteredClaimNames.Sub, clientId),
             new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
             new(JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
         };
-        var token = new JwtSecurityToken(clientId, audience, claims, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5), signingCredentials);
-        return tokenHandler.WriteToken(token);
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Issuer = clientId,
+            Audience = audience,
+            NotBefore = DateTime.UtcNow,
+            Expires = DateTime.UtcNow.AddMinutes(5),
+            SigningCredentials = signingCredentials
+        };
+        var tokenHandler = new JsonWebTokenHandler();
+        return tokenHandler.CreateToken(tokenDescriptor);
     }
 
 }

src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs

@@ -10,13 +10,13 @@
 
   <ItemGroup>
 	<PackageReference Include="IdentityModel" Version="7.0.0" />
+	<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.2" />
 	<PackageReference Include="Neuroglia.Data.Expressions.Abstractions" Version="4.15.3" />
 	<PackageReference Include="Neuroglia.Data.Infrastructure.Redis" Version="4.15.3" />
 	<PackageReference Include="Neuroglia.Data.Infrastructure.ResourceOriented.Redis" Version="4.15.3" />
 	<PackageReference Include="Neuroglia.Mediation" Version="4.15.3" />
 	<PackageReference Include="Neuroglia.Plugins" Version="4.15.3" />
 	<PackageReference Include="ServerlessWorkflow.Sdk.IO" Version="1.0.0-alpha2.12" />
-	<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.2" />
   </ItemGroup>
 
   <ItemGroup>

src/core/Synapse.Core.Infrastructure/Synapse.Core.Infrastructure.csproj

@@ -103,6 +103,7 @@ protected virtual async Task OnSubtaskCompletedAsync(ITaskExecutor executor, Can
         var output = executor.Task.Output!;
         var nextDefinition = this.Task.Definition.Do.GetTaskAfter(last);
         this.Executors.Remove(executor);
+        if (this.Task.ContextData != executor.Task.ContextData) await this.Task.SetContextDataAsync(executor.Task.ContextData, cancellationToken).ConfigureAwait(false);
         if (nextDefinition == null || nextDefinition.Value == null)
         {
             await this.SetResultAsync(output, last.Next == FlowDirective.End ? FlowDirective.End : this.Task.Definition.Then, cancellationToken).ConfigureAwait(false);

src/runner/Synapse.Runner/Services/Executors/DoTaskExecutor.cs

@@ -122,6 +122,7 @@ protected virtual async Task OnIterationCompletedAsync(ITaskExecutor executor, C
         var last = executor.Task.Instance;
         var output = executor.Task.Output!;
         this.Executors.Remove(executor);
+        if (this.Task.ContextData != executor.Task.ContextData) await this.Task.SetContextDataAsync(executor.Task.ContextData, cancellationToken).ConfigureAwait(false);
         await executor.DisposeAsync().ConfigureAwait(false);
         var index = int.Parse(last.Reference.OriginalString.Split('/', StringSplitOptions.RemoveEmptyEntries)[^2]) + 1;
         if (index == this.Collection.Count)
@@ -161,4 +162,4 @@ protected virtual async Task OnIterationCompletedAsync(ITaskExecutor executor, C
         }
     }
 
-}
+}

src/runner/Synapse.Runner/Services/Executors/ForTaskExecutor.cs

@@ -34,6 +34,8 @@ internal class MockSynapseApiClient(IServiceProvider serviceProvider)
 
     public IDocumentApiClient Documents { get; } = ActivatorUtilities.CreateInstance<MockDocumentApiClient>(serviceProvider);
 
+    public ICloudEventApiClient Events { get; } = ActivatorUtilities.CreateInstance<MockEventApiClient>(serviceProvider);
+
     public INamespacedResourceApiClient<ServiceAccount> ServiceAccounts => throw new NotImplementedException();
 
     public IUserApiClient Users => throw new NotImplementedException();