handle nil jwks URI in database (#1020)

google · Sep 22, 2020 · 6f097ad · 6f097ad
1 parent 8a6164f
commit 6f097ad
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 7 deletions.
diff --git a/internal/admin/healthauthority/form.go b/internal/admin/healthauthority/form.go
@@ -34,7 +34,7 @@ func (f *formData) PopulateHealthAuthority(ha *model.HealthAuthority) {
 	ha.Issuer = f.Issuer
 	ha.Audience = f.Audience
 	ha.Name = f.Name
-	ha.JwksURI = f.JwksURI
+	ha.SetJWKS(f.JwksURI)
 }
 
 type keyFormData struct {

diff --git a/internal/verification/database/health_authority_db_test.go b/internal/verification/database/health_authority_db_test.go
@@ -42,6 +42,7 @@ func TestAddRetrieveHealthAuthority(t *testing.T) {
 		Issuer:   "doh.mystate.gov",
 		Audience: "ens.usacovid.org",
 		Name:     "My State Department of Healthiness",
+		JwksURI:  nil,
 	}
 
 	haDB := New(testDB)
@@ -79,6 +80,7 @@ func TestAddRetrieveHealthAuthorityKeys(t *testing.T) {
 		Audience: "ens.usacovid.org",
 		Name:     "My State Department of Healthiness",
 	}
+	want.SetJWKS("https://www.example.com/.auth/keys.json")
 
 	haDB := New(testDB)
 	if err := haDB.AddHealthAuthority(ctx, want); err != nil {

diff --git a/internal/verification/model/health_authority.go b/internal/verification/model/health_authority.go
@@ -32,7 +32,15 @@ type HealthAuthority struct {
 	Audience string
 	Name     string
 	Keys     []*HealthAuthorityKey
-	JwksURI  string
+	JwksURI  *string
+}
+
+func (ha *HealthAuthority) SetJWKS(uri string) {
+	if uri == "" {
+		ha.JwksURI = nil
+		return
+	}
+	ha.JwksURI = &uri
 }
 
 // Validate returns an error if the HealthAuthority struct is not valid.

diff --git a/pkg/jwks/jwks.go b/pkg/jwks/jwks.go
@@ -77,13 +77,17 @@ func NewManager(ctx context.Context, db *database.DB) (*Manager, error) {
 
 // getKeys reads the keys for a single HealthAuthority from its jwks server.
 func (mgr *Manager) getKeys(ctx context.Context, ha *model.HealthAuthority) ([]byte, error) {
-	if len(ha.JwksURI) == 0 {
+	if ha.JwksURI == nil {
+		return nil, nil
+	}
+	jwksURI := *ha.JwksURI
+	if len(jwksURI) == 0 {
 		return nil, nil
 	}
 
 	reqCtxt, done := context.WithTimeout(ctx, 5*time.Second)
 	defer done()
-	req, err := http.NewRequestWithContext(reqCtxt, "GET", ha.JwksURI, nil)
+	req, err := http.NewRequestWithContext(reqCtxt, "GET", jwksURI, nil)
 	if err != nil {
 		return nil, fmt.Errorf("creating connection: %w", err)
 	}
@@ -179,7 +183,7 @@ func findKeyMods(ha *model.HealthAuthority, rxKeys []string) (deadKeys []int, ne
 func (mgr *Manager) updateHA(ctx context.Context, ha *model.HealthAuthority) error {
 	logger := mgr.logger.With("health_authority_name", ha.Name, "health_authority_id", ha.ID)
 
-	if len(ha.JwksURI) == 0 {
+	if ha.JwksURI == nil || len(*ha.JwksURI) == 0 {
 		logger.Infow("skipping jwks, no URI specified")
 		return nil
 	}

diff --git a/pkg/jwks/jwks_test.go b/pkg/jwks/jwks_test.go
@@ -132,7 +132,8 @@ func TestUpdateHA(t *testing.T) {
 			if err != nil {
 				t.Fatalf("[%d] unexpected error: %v", i, err)
 			}
-			ha := &model.HealthAuthority{JwksURI: ts.URL}
+			jwksURI := ts.URL
+			ha := &model.HealthAuthority{JwksURI: &jwksURI}
 
 			// Test networking.
 			rxKeys, err := mgr.getKeys(ctx, ha)
@@ -170,7 +171,7 @@ func TestUpdateHA(t *testing.T) {
 			//
 			// Now test end-to-end.
 			//
-			test.ha.JwksURI = ts.URL
+			test.ha.JwksURI = &jwksURI
 
 			// Add the HealthAuthority & Keys to the DB. Note, we need to remove all
 			// keys from the testing HealthAuthority before adding it to the DB as it's