Add revoke JWT endpoint

Author: ManuelBilbao

crates/common/src/commit/constants.rs

@@ -3,3 +3,4 @@ pub const REQUEST_SIGNATURE_PATH: &str = "/signer/v1/request_signature";
 pub const GENERATE_PROXY_KEY_PATH: &str = "/signer/v1/generate_proxy_key";
 pub const STATUS_PATH: &str = "/status";
 pub const RELOAD_PATH: &str = "/reload";
+pub const REVOKE_JWT: &str = "/revoke_jwt";

crates/common/src/commit/request.rs

@@ -14,8 +14,11 @@ use tree_hash::TreeHash;
 use tree_hash_derive::TreeHash;
 
 use crate::{
-    constants::COMMIT_BOOST_DOMAIN, error::BlstErrorWrapper, signature::verify_signed_message,
-    signer::BlsPublicKey, types::Chain,
+    constants::COMMIT_BOOST_DOMAIN,
+    error::BlstErrorWrapper,
+    signature::verify_signed_message,
+    signer::BlsPublicKey,
+    types::{Chain, ModuleId},
 };
 
 pub trait ProxyId: AsRef<[u8]> + Debug + Clone + Copy + TreeHash + Display {}
@@ -198,6 +201,11 @@ pub struct GetPubkeysResponse {
     pub keys: Vec<ConsensusProxyMap>,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct RevokeJWTRequest {
+    pub module_id: ModuleId,
+}
+
 /// Map of consensus pubkeys to proxies
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct ConsensusProxyMap {
@@ -288,7 +296,7 @@ mod tests {
 
         let _: SignedProxyDelegationBls = serde_json::from_str(data).unwrap();
 
-        let data = r#"{ 
+        let data = r#"{
             "message": {
                 "delegator": "0xa3366b54f28e4bf1461926a3c70cdb0ec432b5c92554ecaae3742d33fb33873990cbed1761c68020e6d3c14d30a22050",
                 "proxy": "0x4ca9939a8311a7cab3dde201b70157285fa81a9d"

crates/signer/src/error.rs

@@ -25,6 +25,9 @@ pub enum SignerModuleError {
     #[error("Dirk signer does not support this operation")]
     DirkNotSupported,
 
+    #[error("module id not found")]
+    ModuleIdNotFound,
+
     #[error("internal error: {0}")]
     Internal(String),
 }
@@ -45,6 +48,7 @@ impl IntoResponse for SignerModuleError {
                 (StatusCode::INTERNAL_SERVER_ERROR, "internal error".to_string())
             }
             SignerModuleError::SignerError(err) => (StatusCode::BAD_REQUEST, err.to_string()),
+            SignerModuleError::ModuleIdNotFound => (StatusCode::NOT_FOUND, self.to_string()),
         }
         .into_response()
     }

crates/signer/src/service.rs

@@ -13,11 +13,11 @@ use cb_common::{
     commit::{
         constants::{
             GENERATE_PROXY_KEY_PATH, GET_PUBKEYS_PATH, RELOAD_PATH, REQUEST_SIGNATURE_PATH,
-            STATUS_PATH,
+            REVOKE_JWT, STATUS_PATH,
         },
         request::{
-            EncryptionScheme, GenerateProxyRequest, GetPubkeysResponse, SignConsensusRequest,
-            SignProxyRequest, SignRequest,
+            EncryptionScheme, GenerateProxyRequest, GetPubkeysResponse, RevokeJWTRequest,
+            SignConsensusRequest, SignProxyRequest, SignRequest,
         },
     },
     config::StartSignerConfig,
@@ -47,7 +47,7 @@ struct SigningState {
     manager: Arc<RwLock<SigningManager>>,
     /// Map of modules ids to JWT secrets. This also acts as registry of all
     /// modules running
-    jwts: Arc<HashMap<ModuleId, String>>,
+    jwts: Arc<RwLock<HashMap<ModuleId, String>>>,
 }
 
 impl SigningService {
@@ -61,7 +61,7 @@ impl SigningService {
 
         let state = SigningState {
             manager: Arc::new(RwLock::new(start_manager(config.clone()).await?)),
-            jwts: config.jwts.into(),
+            jwts: Arc::new(RwLock::new(config.jwts)),
         };
 
         let loaded_consensus = state.manager.read().await.available_consensus_signers();
@@ -77,6 +77,7 @@ impl SigningService {
             .route(GENERATE_PROXY_KEY_PATH, post(handle_generate_proxy))
             .route_layer(middleware::from_fn_with_state(state.clone(), jwt_auth))
             .route(RELOAD_PATH, post(handle_reload))
+            .route(REVOKE_JWT, post(handle_revoke_jwt))
             .with_state(state.clone())
             .route_layer(middleware::from_fn(log_request))
             .route(STATUS_PATH, get(handle_status));
@@ -108,7 +109,8 @@ async fn jwt_auth(
         SignerModuleError::Unauthorized
     })?;
 
-    let jwt_secret = state.jwts.get(&module_id).ok_or_else(|| {
+    let guard = state.jwts.read().await;
+    let jwt_secret = guard.get(&module_id).ok_or_else(|| {
         error!("Unauthorized request. Was the module started correctly?");
         SignerModuleError::Unauthorized
     })?;
@@ -270,7 +272,7 @@ async fn handle_reload(
         }
     };
 
-    state.jwts = config.jwts.clone().into();
+    state.jwts = Arc::new(RwLock::new(config.jwts.clone()));
 
     let new_manager = match start_manager(config).await {
         Ok(manager) => manager,
@@ -285,6 +287,17 @@ async fn handle_reload(
     Ok(StatusCode::OK)
 }
 
+async fn handle_revoke_jwt(
+    State(state): State<SigningState>,
+    Json(request): Json<RevokeJWTRequest>,
+) -> Result<impl IntoResponse, SignerModuleError> {
+    let mut guard = state.jwts.write().await;
+    guard
+        .remove(&request.module_id)
+        .ok_or(SignerModuleError::ModuleIdNotFound)
+        .map(|_| StatusCode::OK)
+}
+
 async fn start_manager(config: StartSignerConfig) -> eyre::Result<SigningManager> {
     let proxy_store = if let Some(store) = config.store.clone() {
         Some(store.init_from_env()?)