Skip to content

feat: evaluate alg based on the pem key#844

Merged
edwinjosechittilappilly merged 14 commits into
mainfrom
jwt-alg
Jan 30, 2026
Merged

feat: evaluate alg based on the pem key#844
edwinjosechittilappilly merged 14 commits into
mainfrom
jwt-alg

Conversation

@zzzming

@zzzming zzzming commented Jan 23, 2026

Copy link
Copy Markdown
Collaborator

This pull request enhances the JWT signing configuration logic in src/session_manager.py to support additional asymmetric key types and improves key type detection. The main changes include support for EC and EdDSA keys, more robust PEM detection, and clearer logging.

JWT signing enhancements:

  • Added support for Elliptic Curve (ES256) and EdDSA (EdDSA) private keys in addition to existing RSA (RS256) and symmetric (HS256) keys when loading from the environment variable JWT_SIGNING_KEY.
  • Improved PEM detection by stripping leading whitespace before checking for the PEM header, ensuring more robust handling of environment variables.
  • Refactored key loading logic to determine the JWT algorithm dynamically based on the private key type, raising an error for unsupported types.
  • Updated logging to provide clearer information about which algorithm is initialized for JWT signing.
  • Added missing imports for rsa, ec, ed25519, and ed448 key types from cryptography.hazmat.primitives.asymmetric.

Comment thread src/session_manager.py Outdated
Comment on lines +88 to +89
elif isinstance(key, ec.EllipticCurvePrivateKey):
self.algorithm = "ES256" # or choose based on curve if you support ES384/ES512

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we add a check based on curve sizes changes?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

something of this sort so we can check for the specific curve?

from cryptography.hazmat.primitives.asymmetric import rsa, ec, ed25519, ed448

if isinstance(key, rsa.RSAPrivateKey):
    self.algorithm = "RS256"

elif isinstance(key, ec.EllipticCurvePrivateKey):
    curve = key.curve
    if isinstance(curve, ec.SECP256R1):
        self.algorithm = "ES256"
    elif isinstance(curve, ec.SECP384R1):
        self.algorithm = "ES384"
    elif isinstance(curve, ec.SECP521R1):
        self.algorithm = "ES512"
    else:
        raise ValueError(f"Unsupported EC curve: {curve.name}")

elif isinstance(key, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)):
    self.algorithm = "EdDSA"

else:
    raise ValueError(f"Unsupported private key type: {type(key)}")

@edwinjosechittilappilly edwinjosechittilappilly left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideal case this should cover the most of the cases.

Few NIT suggestions added for future.

@edwinjosechittilappilly edwinjosechittilappilly changed the title evaluate alg based on the pem key feat: evaluate alg based on the pem key Jan 26, 2026
edwinjosechittilappilly and others added 12 commits January 26, 2026 18:38
Updated the SessionManager to select the JWT algorithm based on the specific elliptic curve used in the EC private key, supporting ES256, ES384, and ES512. Raises an error for unsupported curves.
Changed the test-integration workflow to run on ubuntu-latest instead of a self-hosted ARM64 runner. Added a step to install docker-compose to ensure it is available in the CI environment.
Changed the test-integration workflow to run on a self-hosted ARM64 runner with specific labels instead of ubuntu-latest. This enables testing in an environment closer to production or with required hardware resources.
@mpawlow mpawlow self-requested a review January 28, 2026 18:58
Refactor and optimize JWT authentication testing against OpenSearch
for automated CI test targets by introducing reusable test function
and eliminating code duplication.

Changes:
- Add reusable test_jwt_opensearch function (lines 34-64)
  * Improved error handling with --fail-with-body curl flag
  * Enhanced output formatting with colored messages
  * Proper cleanup using temp files
- Add standalone test-os-jwt target for independent JWT testing
  * Documented in help system under "Diagnostic Tests"
- Remove duplicate JWT diagnostic code from test-ci (lines 691-698)
- Remove duplicate JWT diagnostic code from test-ci-local (lines 778-787)
- Update both targets to call reusable function: $(call test_jwt_opensearch)
- Update PHONY targets list and help documentation

Closes #887
@mpawlow

mpawlow commented Jan 30, 2026

Copy link
Copy Markdown
Collaborator

CI Integration Tests Failure

Problems

JWT OpenSearch Test Scenario

  1. Logging to stdout: The structlog logger defaulted to stdout because configure_logging() wasn't called before importing session_manager
  2. stderr redirection: The original 2>&1 was redirecting any stderr to stdout, further contaminating the token capture

Solution

  • Changed 2>&1 to 2>/dev/null to suppress stderr
  • Added configure_logging(log_level="CRITICAL") before importing session_manager to suppress log output that was going to stdout

Further Optimizations

Summary

Refactor and optimize JWT authentication testing against OpenSearch
for automated CI test targets by introducing reusable test function
and eliminating code duplication.

Changes

  • Add reusable test_jwt_opensearch function
    • Improved error handling with --fail-with-body curl flag
    • Enhanced output formatting with colored messages
    • Proper cleanup using temp files
  • Add standalone test-os-jwt target for independent JWT testing
    • Documented in help system under "Diagnostic Tests"
  • Removed duplicate JWT diagnostic code from test-ci
  • Removed duplicate JWT diagnostic code from test-ci-local
  • Updated both targets to call reusable function: $(call test_jwt_opensearch)
  • Updated PHONY targets list and help documentation

@mpawlow mpawlow left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functional Review

  • Added an additional commit to address the JWT OpenSearch test scenario issues
  • Integration CI Tests all pass now
  • LGTM / Approved

@edwinjosechittilappilly

Copy link
Copy Markdown
Collaborator

Thanks Mike!

@edwinjosechittilappilly edwinjosechittilappilly merged commit af0c823 into main Jan 30, 2026
4 checks passed
@edwinjosechittilappilly edwinjosechittilappilly deleted the jwt-alg branch January 30, 2026 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants