Add JWKS generation to both dev and prod Docker setups (#433)

Author: nickclyde

query-connector/.gitignore

@@ -8,4 +8,5 @@ certificates
 /playwright/.cache/
 /coverage
 report.json
-.tool-versions
+.tool-versions
+keys/

query-connector/Dockerfile

@@ -3,8 +3,7 @@ FROM node:22-alpine AS base
 FROM base AS installer
 
 RUN apk update
-RUN apk add --no-cache libc6-compat
-RUN apk add --no-cache bash curl
+RUN apk add --no-cache libc6-compat bash curl git go
 
 WORKDIR /app
 COPY . .
@@ -24,11 +23,16 @@ ENV NEXT_TELEMETRY_DISABLED=1
 RUN npm ci
 RUN npm run build
 
+# Download jwksetinfer tool
+RUN git clone https://github.com/MicahParks/jwkset.git \
+    && cd jwkset/cmd/jwksetinfer \
+    && go build
+
 # Final stage for running the app
 FROM base AS runner
 WORKDIR /app
 
-RUN apk add --no-cache bash openjdk17-jre
+RUN apk add --no-cache bash openjdk17-jre openssl uuidgen jq
 
 # Copy Flyway from the installer stage
 COPY --from=installer /flyway /flyway
@@ -50,11 +54,13 @@ COPY --from=installer /app/package.json .
 COPY --from=installer /app/flyway/conf/flyway.conf ../flyway/conf/flyway.conf
 COPY --from=installer /app/flyway/sql ../flyway/sql
 COPY --from=installer /app/src/app/assets ./.next/server/app/assets
+COPY --from=installer /app/jwkset/cmd/jwksetinfer/jwksetinfer /usr/local/bin/jwksetinfer
 
 # Automatically leverage output traces to reduce image size
 COPY --from=installer --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=installer --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=installer --chown=nextjs:nodejs /app/public ./public
+COPY --from=installer --chown=nextjs:nodejs /app/start.sh ./start.sh
 RUN ls -R
 # Set environment variables for Flyway and Node.js telemetry
 ENV NEXT_TELEMETRY_DISABLED=1
@@ -64,4 +70,5 @@ ENV JAVA_HOME=/usr/lib/jvm/default-jvm
 # Add the OpenJDK to the PATH so the java command is available for Flways
 ENV PATH=$JAVA_HOME/bin:$PATH
 
-CMD ["sh", "-c","flyway -configFiles=../flyway/conf/flyway.conf -schemas=public -connectRetries=60 migrate && echo done with flyway && node server.js"]
+ENTRYPOINT ["/bin/bash"]
+CMD ["/app/start.sh"]

query-connector/Dockerfile.jwks-seeder

@@ -0,0 +1,28 @@
+FROM alpine:latest
+
+# Install required packages
+RUN apk update && apk add --no-cache \
+  bash \
+  openssl \
+  uuidgen \
+  jq \
+  git \
+  go
+
+# Set up work directory
+WORKDIR /app
+
+# Download and build jwksetinfer tool
+RUN git clone https://github.com/MicahParks/jwkset.git && \
+  cd jwkset/cmd/jwksetinfer && \
+  go build && \
+  mv jwksetinfer /usr/local/bin/ && \
+  chmod +x /usr/local/bin/jwksetinfer && \
+  cd / && \
+  rm -rf /app/jwkset
+
+# Set entrypoint to bash to keep container running or execute scripts
+ENTRYPOINT ["/bin/bash"]
+
+# Default command (can be overridden in docker-compose)
+CMD ["/app/generate_jwks.sh"]

query-connector/docker-compose-dev.yaml

@@ -101,5 +101,14 @@ services:
       flyway:
         condition: service_completed_successfully
 
+  # JWKS key generator
+  jwks-generator:
+    build:
+      context: .
+      dockerfile: Dockerfile.jwks-seeder
+    volumes:
+      - "./keys:/app/keys"
+      - "./generate_jwks.sh:/app/generate_jwks.sh"
+
 volumes:
   aidbox_pg_data:

query-connector/generate_jwks.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Check if keys/jwks.json exists
+if [ -f keys/jwks.json ]; then
+  echo "JWKS already exists. Skipping key generation."
+  exit 0
+fi
+
+mkdir -p keys
+
+# Generate ECDSA key pair and JWKS for SMART on FHIR
+set -e
+if [ ! -f keys/ec384-private.pem ]; then
+  echo "Generating new ECDSA key pair..."
+
+  # Generate ECDSA P-384 key pair
+  openssl ecparam -name secp384r1 -genkey -noout -out keys/ec384-private.pem
+  openssl ec -in keys/ec384-private.pem -pubout -out keys/ec384-public.pem
+
+  # Generate JWKS
+  jwksetinfer keys/ec384-private.pem >keys/jwks.json
+
+  # Generate a UUID and replace kid in jwks.json using jq
+  KID=$(uuidgen)
+  jq --arg KID "$KID" '.keys[0].kid = $KID' keys/jwks.json >keys/jwks.json.tmp
+
+  # Add algorithm to jwks.json
+  jq '.keys[0].alg = "ES384"' keys/jwks.json.tmp >keys/jwks.json
+
+  # Fix permissions
+  chmod 600 keys/ec384-private.pem
+  chmod 644 keys/ec384-public.pem keys/jwks.json
+
+  echo "Key generation complete."
+else
+  echo "Using existing keys."
+fi

query-connector/src/app/(pages)/.well-known/jwks.json/route.ts

@@ -0,0 +1,25 @@
+import { NextResponse } from "next/server";
+import fs from "fs";
+import path from "path";
+
+export async function GET() {
+  try {
+    // Path to the JWKS file
+    const jwksPath = path.join(process.cwd(), "keys", "jwks.json");
+
+    // Read the JWKS file
+    const jwksContent = fs.readFileSync(jwksPath, "utf-8");
+    const jwks = JSON.parse(jwksContent);
+
+    // Return the JWKS as JSON
+    return NextResponse.json(jwks, {
+      headers: {
+        "Cache-Control": "public, max-age=3600", // Cache for 1 hour
+        "Content-Type": "application/json",
+      },
+    });
+  } catch (error) {
+    console.error("Error serving JWKS:", error);
+    return NextResponse.json({ error: "Failed to load JWKS" }, { status: 500 });
+  }
+}

query-connector/start.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Run flyway migrations
+flyway -configFiles=/flyway/conf/flyway.conf -schemas=public -connectRetries=60 migrate
+echo "Flyway migrations complete."
+
+# Generate JWKS
+./generate_jwks.sh
+
+# Start the server
+node server.js