feat: make AuthSettings compatible with single key

aldbr · aldbr · commit 847f6f55b433 · 2025-05-07T15:31:32.000+02:00
diff --git a/diracx-core/src/diracx/core/settings.py b/diracx-core/src/diracx/core/settings.py
@@ -22,8 +22,9 @@
 from botocore.config import Config
 from botocore.errorfactory import ClientError
 from cryptography.fernet import Fernet
-from joserfc.jws import KeySet
+from joserfc.jwk import JWKRegistry, KeySet
 from pydantic import (
+    AliasChoices,
     AnyUrl,
     BeforeValidator,
     Field,
@@ -70,7 +71,7 @@ def __init__(self, data: str):
 
 
 def _maybe_load_keys_from_file(value: Any) -> Any:
-    """Load private keys from files if needed."""
+    """Load jwks from files if needed."""
     if isinstance(value, str):
         # If the value is a string, we need to check if it is a JSON string or a file URL
         if not (value.strip().startswith("{") or value.startswith("[")):
@@ -85,8 +86,16 @@ def _maybe_load_keys_from_file(value: Any) -> Any:
     return value
 
 
+def _maybe_load_and_wrap_single_key(value: Any) -> Any:
+    if isinstance(value, str) and value.strip().startswith("-----BEGIN"):
+        return json.dumps(KeySet(keys=[JWKRegistry.import_key(value)]).as_dict(private=True))  # type: ignore
+    return value
+
+
 TokenSigningKeyStore = Annotated[
-    _TokenSigningKeyStore, BeforeValidator(_maybe_load_keys_from_file)
+    _TokenSigningKeyStore,
+    BeforeValidator(_maybe_load_keys_from_file),
+    BeforeValidator(_maybe_load_and_wrap_single_key),
 ]
 
 
@@ -151,7 +160,9 @@ class AuthSettings(ServiceSettingsBase):
     state_key: FernetKey
 
     token_issuer: str
-    token_keystore: TokenSigningKeyStore
+    token_keystore: TokenSigningKeyStore = Field(
+        validation_alias=AliasChoices("token_keystore", "token_key")
+    )
     token_allowed_algorithms: list[str] = ["RS256", "EdDSA"]  # noqa: S105
     access_token_expire_minutes: int = 20
     refresh_token_expire_minutes: int = 60
diff --git a/diracx-logic/src/diracx/logic/auth/utils.py b/diracx-logic/src/diracx/logic/auth/utils.py
@@ -9,7 +9,7 @@
 from cachetools import TTLCache
 from cryptography.fernet import Fernet
 from joserfc import jwt
-from joserfc.jws import KeySet
+from joserfc.jwk import KeySet
 from joserfc.jwt import Claims, JWTClaimsRegistry
 from typing_extensions import TypedDict
 from uuid_utils import UUID
diff --git a/diracx-routers/tests/auth/test_standard.py b/diracx-routers/tests/auth/test_standard.py
@@ -12,8 +12,7 @@
 import jwt
 import pytest
 from cryptography.fernet import Fernet
-from joserfc.jwk import RSAKey, OKPKey
-from joserfc.jws import KeySet
+from joserfc.jwk import RSAKey, OKPKey, KeySet
 from joserfc.errors import UnsupportedKeyOperationError
 from pytest_httpx import HTTPXMock
 from uuid_utils import uuid7
