fix(security): lock down signing-key file permissions
Private JWK files were written under the default umask (observed 0664 — group and world readable). Create the key directory 0700, chmod private key files (private_jwks.json, token_jwks.json) to 0600 after they are written, and refuse to start if a pre-existing private key is group/world accessible. Tests now use an isolated per-test key directory. Refs: porchlight-91i Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
cba63280fb
commit
c7550cbf09
4 changed files with 67 additions and 6 deletions
|
|
@ -1,5 +1,6 @@
|
|||
"""idpyoidc Server initialization."""
|
||||
|
||||
import os
|
||||
from pathlib import Path
|
||||
|
||||
from idpyoidc.server import Server
|
||||
|
|
@ -144,8 +145,32 @@ def _build_server_config(settings: Settings) -> dict:
|
|||
}
|
||||
|
||||
|
||||
_PRIVATE_KEY_FILES = ("private_jwks.json", "token_jwks.json")
|
||||
|
||||
|
||||
def create_oidc_server(settings: Settings) -> Server:
|
||||
"""Create and configure an idpyoidc Server instance."""
|
||||
"""Create and configure an idpyoidc Server instance.
|
||||
|
||||
Private signing keys are written to ``signing_key_path``; lock the directory
|
||||
to 0700 and the private key files to 0600, and refuse to start if a
|
||||
pre-existing private key is group/world accessible (a key disclosure).
|
||||
"""
|
||||
key_path = Path(settings.signing_key_path)
|
||||
key_path.mkdir(parents=True, exist_ok=True)
|
||||
os.chmod(key_path, 0o700)
|
||||
|
||||
# Fail on pre-existing keys with loose permissions (left by a prior run).
|
||||
for name in _PRIVATE_KEY_FILES:
|
||||
f = key_path / name
|
||||
if f.exists() and (f.stat().st_mode & 0o077):
|
||||
raise RuntimeError(f"Insecure permission on {f}: private key is group/world accessible")
|
||||
|
||||
config = _build_server_config(settings)
|
||||
server = Server(conf=config)
|
||||
|
||||
# Lock down any keys idpyoidc just wrote (umask may have left them 0644).
|
||||
for name in _PRIVATE_KEY_FILES:
|
||||
f = key_path / name
|
||||
if f.exists():
|
||||
os.chmod(f, 0o600)
|
||||
return server
|
||||
|
|
|
|||
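Review bot: The private key files are still created at the process umask inside `Server(conf=config)` and only chmod'd to 0600 afterwards, so for that interval they carry the observed 0664 mode; what actually closes the gap is the `os.chmod(key_path, 0o700)` on the directory, which the comments do not say and which a later relaxation of the directory or a mode-preserving copy would undo. Narrowing the umask to 0o077 around the construction call makes the files 0600 at creation (umask is process-wide, so this is only safe if no other thread creates files concurrently — worth a comment). Likewise `key_path.mkdir(mode=0o700, parents=True, exist_ok=True)` avoids creating the directory with a loose mode before the chmod, though the explicit chmod is still needed for a pre-existing directory. The pre-existing check uses `f.exists()`/`f.stat()`, which follow symlinks; if a key file is a symlink the mode inspected and tightened is the target's, which is presumably intended but should be stated. The post-write loop covers only `_PRIVATE_KEY_FILES`; if idpyoidc writes any other key material under the directory it stays at umask mode, so the comment should note that the list must track what the server writes.
```python
    config = _build_server_config(settings)
    # Keys are created at the process umask; force 0600 at creation time.
    # NOTE: umask is process-wide, not thread-local.
    old_umask = os.umask(0o077)
    try:
        server = Server(conf=config)
    finally:
        os.umask(old_umask)
    # … unchanged: post-write chmod loop and return …
```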