fixup: Do not leak DecodingKey

Author: tankyleo

rust/auth-impls/src/lib.rs

@@ -14,12 +14,10 @@
 use api::auth::{AuthResponse, Authorizer};
 use api::error::VssError;
 use async_trait::async_trait;
-use jsonwebtoken::{decode, Algorithm, Validation};
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 
-pub use jsonwebtoken::DecodingKey;
-
 /// A JWT based authorizer, only allows requests with verified 'JsonWebToken' signed by the given
 /// issuer key.
 ///
@@ -43,9 +41,11 @@ pub(crate) struct Claims {
 const BEARER_PREFIX: &str = "Bearer ";
 
 impl JWTAuthorizer {
-	/// Create new instance of [`JWTAuthorizer`]
-	pub async fn new(jwt_issuer_key: DecodingKey) -> Self {
-		Self { jwt_issuer_key }
+	/// Creates a new instance of [`JWTAuthorizer`], fails on failure to parse the PEM formatted RSA public key
+	pub async fn new(rsa_pem: &str) -> Result<Self, String> {
+		let jwt_issuer_key =
+			DecodingKey::from_rsa_pem(rsa_pem.as_bytes()).map_err(|e| e.to_string())?;
+		Ok(Self { jwt_issuer_key })
 	}
 }
 
@@ -76,7 +76,7 @@ mod tests {
 	use crate::JWTAuthorizer;
 	use api::auth::Authorizer;
 	use api::error::VssError;
-	use jsonwebtoken::{encode, Algorithm, DecodingKey, EncodingKey, Header};
+	use jsonwebtoken::{encode, Algorithm, EncodingKey, Header};
 	use serde::{Deserialize, Serialize};
 	use std::collections::HashMap;
 	use std::time::SystemTime;
@@ -134,7 +134,7 @@ mod tests {
 		)
 		.expect("Failed to create Encoding Key.");
 
-		let decoding_key = DecodingKey::from_rsa_pem(
+		let decoding_key = String::from(
 			"-----BEGIN PUBLIC KEY-----\
 			MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysGpKU+I9i9b+QZSANu/\
 			ExaA6w4qiQdFZaXeReiz49r1oDfABwKIFW9gK/kNnrnL9H8P+pYfj7jqUJ/glmgq\
@@ -143,12 +143,10 @@ mod tests {
 			8YsTa5piV8KgJpG/rwYTGXuu3lcCmnWwjmbeDq1zFFrCDDVkaIHkGJgRuFIDPXaH\
 			yUw5H2HvKlP94ySbvTDLXWZj6TyzHEHDbstqs4DgvurB/bIhi/dQ7zK3EIXL8KRB\
 			hwIDAQAB\
-			-----END PUBLIC KEY-----"
-				.as_bytes(),
-		)
-		.expect("Failed to create Decoding Key.");
+			-----END PUBLIC KEY-----",
+		);
 
-		let jwt_authorizer = JWTAuthorizer::new(decoding_key).await;
+		let jwt_authorizer = JWTAuthorizer::new(&decoding_key).await.unwrap();
 
 		let valid_jwt_token =
 			encode(&Header::new(Algorithm::RS256), &claims, &valid_encoding_key).unwrap();

rust/server/src/main.rs

@@ -10,25 +10,24 @@
 #![deny(missing_docs)]
 
 use std::net::SocketAddr;
+use std::sync::Arc;
 
 use tokio::net::TcpListener;
 use tokio::signal::unix::SignalKind;
 
 use hyper::server::conn::http1;
 use hyper_util::rt::TokioIo;
 
-use crate::vss_service::VssService;
 use api::auth::{Authorizer, NoopAuthorizer};
 use api::kv_store::KvStore;
-use auth_impls::{DecodingKey, JWTAuthorizer};
+use auth_impls::JWTAuthorizer;
 use impls::postgres_store::{Certificate, PostgresPlaintextBackend, PostgresTlsBackend};
-use std::sync::Arc;
+use util::config::{Config, ServerConfig};
+use vss_service::VssService;
 
 mod util;
 mod vss_service;
 
-use util::config::{Config, ServerConfig};
-
 fn main() {
 	let args: Vec<String> = std::env::args().collect();
 	if args.len() != 2 {
@@ -79,15 +78,15 @@ fn main() {
 		};
 		let rsa_pem = rsa_pem_env.or(jwt_auth_config.map(|config| config.rsa_pem));
 		let authorizer: Arc<dyn Authorizer> = if let Some(pem) = rsa_pem {
-			let rsa_public_key = match DecodingKey::from_rsa_pem(pem.as_bytes()) {
-				Ok(p) => p,
+			let authorizer = match JWTAuthorizer::new(pem.as_str()).await {
+				Ok(auth) => auth,
 				Err(e) => {
 					println!("Failed to parse the PEM formatted RSA public key: {}", e);
 					std::process::exit(-1);
 				},
 			};
 			println!("Configured JWT authorizer with RSA public key");
-			Arc::new(JWTAuthorizer::new(rsa_public_key).await)
+			Arc::new(authorizer)
 		} else {
 			println!("No JWT authentication method configured");
 			Arc::new(NoopAuthorizer {})