Add required claims for generated JWT (#16)

* Add required claims for generated JWT

Token generated by previous version did not have an issuer and audience claims, sot it was considered invalid by the token validator.

* Fix formatting issues

* Fix compiler warnings

src/models/internal/v1/token.rs

@@ -3,8 +3,9 @@ use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
 use flate2::write::ZlibEncoder;
 use flate2::Compression;
-use std::collections::HashMap;
+use jwt::Claims;
 use std::io::Write;
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 /// Represents an internal JWT Token issued by `boxer-issuer`
 pub struct InternalToken {
@@ -31,30 +32,48 @@ impl InternalToken {
     }
 }
 
-impl TryInto<HashMap<String, String>> for InternalToken {
+impl TryInto<Claims> for InternalToken {
     type Error = anyhow::Error;
 
-    fn try_into(self) -> Result<HashMap<String, String>, Self::Error> {
+    fn try_into(self) -> Result<Claims, Self::Error> {
+        // This claim should be always present in the boxer token
         const API_VERSION_KEY: &str = "boxer.sneaksanddata.com/api-version";
+
+        // Constants related to a particular API version
         const POLICY_KEY: &str = "boxer.sneaksanddata.com/policy";
         const USER_ID_KEY: &str = "boxer.sneaksanddata.com/user-id";
         const IDENTITY_PROVIDER_KEY: &str = "boxer.sneaksanddata.com/identity-provider";
 
+        // The constants below to be moved in the service configuration file in the future.
+        const BOXER_ISSUER: &str = "boxer.sneaksanddata.com";
+        const BOXER_AUDIENCE: &str = "boxer.sneaksanddata.com";
+
         let compressed_policy = {
             let mut encoder = ZlibEncoder::new(Vec::new(), Compression::default());
             encoder.write_all(self.policy.as_bytes())?;
             encoder.finish()?
         };
 
-        let mut map = HashMap::new();
-        map.insert(API_VERSION_KEY.to_string(), self.version);
-        map.insert(POLICY_KEY.to_string(), STANDARD.encode(&compressed_policy));
-        map.insert(USER_ID_KEY.to_string(), self.metadata.user_id);
-        map.insert(
+        let mut claims: Claims /* Type */ = Default::default();
+        claims
+            .private
+            .insert(API_VERSION_KEY.to_string(), self.version.into());
+        claims.private.insert(
+            POLICY_KEY.to_string(),
+            STANDARD.encode(&compressed_policy).into(),
+        );
+        claims
+            .private
+            .insert(USER_ID_KEY.to_string(), self.metadata.user_id.into());
+        claims.private.insert(
             IDENTITY_PROVIDER_KEY.to_string(),
-            self.metadata.identity_provider.name(),
+            self.metadata.identity_provider.name().into(),
         );
 
-        Ok(map)
+        claims.registered.issuer = Some(BOXER_ISSUER.to_string());
+        claims.registered.audience = Some(BOXER_AUDIENCE.to_string());
+        let one_hour = SystemTime::now() + Duration::from_secs(3600);
+        claims.registered.expiration = Some(one_hour.duration_since(UNIX_EPOCH)?.as_secs());
+        Ok(claims)
     }
 }

src/services/token_service.rs

@@ -9,10 +9,9 @@ use crate::services::policy_repository::PolicyRepository;
 use anyhow::bail;
 use async_trait::async_trait;
 use hmac::{Hmac, Mac};
-use jwt::SignWithKey;
+use jwt::{Claims, SignWithKey};
 use log::error;
 use sha2::Sha256;
-use std::collections::HashMap;
 use std::sync::Arc;
 
 #[async_trait]
@@ -59,7 +58,7 @@ impl TokenProvider for TokenService {
     async fn generate_token(&self, identity: ExternalIdentity) -> Result<String, anyhow::Error> {
         let policy = self.policy_repository.get_policy(&identity).await?;
         let token = InternalToken::new(policy, identity.user_id, identity.identity_provider);
-        let claims: HashMap<String, String> = token.try_into()?;
+        let claims: Claims = token.try_into()?;
         let key: Hmac<Sha256> = Hmac::new_from_slice(&self.sign_secret)?;
         claims.sign_with_key(&key).map_err(|e| {
             error!("Failed to issue token: {:?}", e);