urbit/shrub
1
1
Fork 0
mirror of https://github.com/urbit/shrub.git synced 2024-12-20 01:01:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

-get-gcp-jwt: clean up references, use +ot

Browse Source 
Moves =, closer to call sites so it's clearer what's coming from where.
Also uses +ot, allowing a less horrifying +sign-jwt. This also seems to
not jump back and forth between tapes and cords as much, for what that's
worth.
This commit is contained in:
J 2021-02-23 19:41:18 +00:00
parent ac40b5cf24
commit 860343e3d4
1 changed files with 19 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
pkg/arvo/ted/get-gcp-jwt.hoon
View File

@ -17,11 +17,9 @@
:: ::
:: ::
/- spider, settings /- spider, settings
/+ jose, pkcs, strandio /+ jose, pkcs, primitive-rsa, strandio
=, strand=strand:spider =, strand=strand:spider
=, format =, rsa=primitive-rsa
=, jose
=, pkcs
^- thread:spider ^- thread:spider
|^ |^
|= * |= *
@ -62,7 +60,7 @@
%. dat %. dat
;: cork ;: cork
to-wain:format to-wain:format
ring:de:pem:pkcs8 ring:de:pem:pkcs8:pkcs
need need
== ==
:: construct and return a self-signed JWT issued now, expiring in ~h1. :: construct and return a self-signed JWT issued now, expiring in ~h1.
@ -72,32 +70,29 @@
|= [=key:rsa kid=@t iss=@t scope=@t aud=@t iat=@da] |= [=key:rsa kid=@t iss=@t scope=@t aud=@t iat=@da]
^- @t ^- @t
=/ job=json =/ job=json
%^ sign:jws key =, enjs:format
%^ sign:jws:jose key
:: the JWT's "header" :: the JWT's "header"
%: pairs:enjs %: pairs
alg+s+'RS256' alg+s+'RS256'
typ+s+'JWT' typ+s+'JWT'
kid+s+kid kid+s+kid
~ ~
== ==
:: the JWT's "payload" :: the JWT's "payload"
%: pairs:enjs %: pairs
iss+s+iss iss+s+iss
sub+s+iss :: per g.co, use iss for sub sub+s+iss :: per g.co, use iss for sub
scope+s+scope scope+s+scope
aud+s+aud aud+s+aud
iat+(sect:enjs iat) iat+(sect iat)
exp+(sect:enjs (add iat ~h1)) exp+(sect (add iat ~h1))
~ ~
== ==
?> ?=([%o *] job) =/ [pod=@t pad=@t sig=@t]
=* mep p.job =, dejs:format
=+ :~ pod=(sa:dejs (~(got by mep) 'protected')) ((ot 'protected'^so 'payload'^so 'signature'^so ~) job)
pad=(sa:dejs (~(got by mep) 'payload')) (rap 3 (join '.' `(list @t)`~[pod pad sig]))
sig=(sa:dejs (~(got by mep) 'signature'))
==
%- crip :: XX
:(weld pod "." pad "." sig)
:: RPC to get a signed JWT. Probably only works with Google. :: RPC to get a signed JWT. Probably only works with Google.
:: Described at: :: Described at:
:: https://developers.google.com/identity/protocols/oauth2/service-account :: https://developers.google.com/identity/protocols/oauth2/service-account
@ -113,7 +108,7 @@
^= body ^= body
%- some %- as-octt:mimes:html %- some %- as-octt:mimes:html
%- en-json:html %- en-json:html
%: pairs:enjs %: pairs:enjs:format
['grant_type' s+'urn:ietf:params:oauth:grant-type:jwt-bearer'] ['grant_type' s+'urn:ietf:params:oauth:grant-type:jwt-bearer']
assertion+s+jot assertion+s+jot
~ ~
@ -128,7 +123,9 @@
=/ jon=(unit json) (de-json:html body) =/ jon=(unit json) (de-json:html body)
?~ jon ?~ jon
(strand-fail:strandio %bad-body ~[body]) (strand-fail:strandio %bad-body ~[body])
?. ?=([%o [[%'id_token' %s @] ~ ~]] +.jon) =* job u.jon
(strand-fail:strandio %bad-json ~[body]) %- pure:m
(pure:m p.q.n.p.u.jon) =, dejs:format
%- (ot 'id_token'^so ~)
job
-- --