Merge pull request #523 from NERSC/callout-update

swelborn · web-flow · commit fee40cb5a6b6 · 2026-01-20T17:53:24.000-05:00
update callout to avoid use of APP.nk and CALLOUT.nk
diff --git a/backend/callout/service/.env.example b/backend/callout/service/.env.example
@@ -1,10 +1,10 @@
-CALLOUT_ACCOUNT_NKEY_FILE=/nats-conf/CALLOUT.nk
+CALLOUT_ACCOUNT_PUBLIC_KEY_FILE=/nats-conf/CALLOUT.pub
 CALLOUT_ACCOUNT_SIGNING_KEY_FILE=/nats-conf/CALLOUT_sk.nk
 CALLOUT_ACCOUNT_XKEY_FILE=/nats-conf/CALLOUT_xkey.nk
 CALLOUT_USER_CREDS_FILE=/nats-conf/callout.creds
-APP_ACCOUNT_NKEY_FILE=/nats-conf/APP.nk
+APP_ACCOUNT_PUBLIC_KEY_FILE=/nats-conf/APP.pub
 APP_ACCOUNT_SIGNING_KEY_FILE=/nats-conf/APP_sk.nk
 SERVER_URL=nats://nats1:4222
 TOKEN_EXPIRATION_TIME_S=600
 JWT_SECRET_KEYS=changethis
-JWT_ALGORITHM=HS256
+JWT_ALGORITHM=HS256
diff --git a/backend/callout/service/go.mod b/backend/callout/service/go.mod
@@ -3,14 +3,14 @@ module distiller-callout
 go 1.24.0
 
 require (
-	github.com/aricart/callout.go v0.2.0
 	github.com/go-playground/validator/v10 v10.25.0
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/joho/godotenv v1.5.1
 	github.com/nats-io/jwt/v2 v2.7.3
 	github.com/nats-io/nats-server/v2 v2.11.1
-	github.com/nats-io/nats.go v1.39.1
+	github.com/nats-io/nats.go v1.40.1
 	github.com/nats-io/nkeys v0.4.10
+	github.com/synadia-io/callout.go v0.2.1
 )
 
 require (
diff --git a/backend/callout/service/go.sum b/backend/callout/service/go.sum
@@ -2,8 +2,6 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op h1:+OSa/t11TFhqfrX0EOSqQBDJ0YlpmK0rDSiB19dg9M0=
 github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op/go.mod h1:IUpT2DPAKh6i/YhSbt6Gl3v2yvUZjmKncl7U91fup7E=
-github.com/aricart/callout.go v0.2.0 h1:PdC+1DU/FxzB0jzGjrVsppkDo85qpLNzZeAZz9DrKAo=
-github.com/aricart/callout.go v0.2.0/go.mod h1:MOOfW150p/M1eELg1Gs5IvTBjS3jNhbrlJrMstaEDPE=
 github.com/aricart/nst.go v0.1.0 h1:GqLjCGFd02hJCdL96rVwtkRTXAajokV5sgikB5BQ7NQ=
 github.com/aricart/nst.go v0.1.0/go.mod h1:N0yWlAR0nNa+Bkl2onPbOi9+LqXmcwg2WBZKHKanbyk=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -36,8 +34,8 @@ github.com/nats-io/jwt/v2 v2.7.3 h1:6bNPK+FXgBeAqdj4cYQ0F8ViHRbi7woQLq4W29nUAzE=
 github.com/nats-io/jwt/v2 v2.7.3/go.mod h1:GvkcbHhKquj3pkioy5put1wvPxs78UlZ7D/pY+BgZk4=
 github.com/nats-io/nats-server/v2 v2.11.1 h1:LwdauqMqMNhTxTN3+WFTX6wGDOKntHljgZ+7gL5HCnk=
 github.com/nats-io/nats-server/v2 v2.11.1/go.mod h1:leXySghbdtXSUmWem8K9McnJ6xbJOb0t9+NQ5HTRZjI=
-github.com/nats-io/nats.go v1.39.1 h1:oTkfKBmz7W047vRxV762M67ZdXeOtUgvbBaNoQ+3PPk=
-github.com/nats-io/nats.go v1.39.1/go.mod h1:MgRb8oOdigA6cYpEPhXJuRVH6UE/V4jblJ2jQ27IXYM=
+github.com/nats-io/nats.go v1.40.1 h1:MLjDkdsbGUeCMKFyCFoLnNn/HDTqcgVa3EQm+pMNDPk=
+github.com/nats-io/nats.go v1.40.1/go.mod h1:wV73x0FSI/orHPSYoyMeJB+KajMDoWyXmFaRrrYaaTo=
 github.com/nats-io/nkeys v0.4.10 h1:glmRrpCmYLHByYcePvnTBEAwawwapjCPMjy2huw20wc=
 github.com/nats-io/nkeys v0.4.10/go.mod h1:OjRrnIKnWBFl+s4YK5ChQfvHP2fxqZexrKJoVVyWB3U=
 github.com/nats-io/nsc/v2 v2.10.3-0.20250110165315-eeda721ecff6 h1:V1uh9L3rGIUeYoMd0/EZY2Tvy5+1CkgGpDRx8t3+PNY=
@@ -48,6 +46,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/synadia-io/callout.go v0.2.1 h1:apV+t85RvP3c6rUZwCD1txeoGJvYmhndvpOc5sCmqvQ=
+github.com/synadia-io/callout.go v0.2.1/go.mod h1:JklDEQ+1QXw05NEokqE/OM1LTv4yBqoL33ZDBDEntgg=
 github.com/synadia-io/jwt-auth-builder.go v0.0.4 h1:cfTMDAa9iylnD/O6kXqE8Mk51F36kyuQ6BhRrT1svfI=
 github.com/synadia-io/jwt-auth-builder.go v0.0.4/go.mod h1:8WYR7+nLQcDMBpocuPgdFJ5/2UOr+HPll3qv+KNdGvs=
 golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
diff --git a/backend/callout/service/main.go b/backend/callout/service/main.go
@@ -13,23 +13,23 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/aricart/callout.go"
 	"github.com/go-playground/validator/v10"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/joho/godotenv"
 	natsjwt "github.com/nats-io/jwt/v2"
 	nslogger "github.com/nats-io/nats-server/v2/logger"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nkeys"
+	"github.com/synadia-io/callout.go"
 )
 
 type Config struct {
 	VERIFY_URL                       string   `validate:"omitempty,url"`
-	CALLOUT_ACCOUNT_NKEY_FILE        string   `validate:"required,filepath"`
+	CALLOUT_ACCOUNT_PUBLIC_KEY_FILE  string   `validate:"required,filepath"`
 	CALLOUT_ACCOUNT_SIGNING_KEY_FILE string   `validate:"required,filepath"`
 	CALLOUT_ACCOUNT_XKEY_FILE        string   `validate:"required,filepath"`
 	CALLOUT_USER_CREDS_FILE          string   `validate:"required,filepath"`
-	APP_ACCOUNT_NKEY_FILE            string   `validate:"required,filepath"`
+	APP_ACCOUNT_PUBLIC_KEY_FILE      string   `validate:"required,filepath"`
 	APP_ACCOUNT_SIGNING_KEY_FILE     string   `validate:"required,filepath"`
 	SERVER_URL                       string   `validate:"required,url"`
 	TOKEN_EXPIRATION_TIME_S          int      `validate:"required"`
@@ -48,11 +48,11 @@ func main() {
 
 	cfg := Config{
 		VERIFY_URL:                       os.Getenv("VERIFY_URL"),
-		CALLOUT_ACCOUNT_NKEY_FILE:        os.Getenv("CALLOUT_ACCOUNT_NKEY_FILE"),
+		CALLOUT_ACCOUNT_PUBLIC_KEY_FILE:  os.Getenv("CALLOUT_ACCOUNT_PUBLIC_KEY_FILE"),
 		CALLOUT_ACCOUNT_SIGNING_KEY_FILE: os.Getenv("CALLOUT_ACCOUNT_SIGNING_KEY_FILE"),
 		CALLOUT_ACCOUNT_XKEY_FILE:        os.Getenv("CALLOUT_ACCOUNT_XKEY_FILE"),
 		CALLOUT_USER_CREDS_FILE:          os.Getenv("CALLOUT_USER_CREDS_FILE"),
-		APP_ACCOUNT_NKEY_FILE:            os.Getenv("APP_ACCOUNT_NKEY_FILE"),
+		APP_ACCOUNT_PUBLIC_KEY_FILE:      os.Getenv("APP_ACCOUNT_PUBLIC_KEY_FILE"),
 		APP_ACCOUNT_SIGNING_KEY_FILE:     os.Getenv("APP_ACCOUNT_SIGNING_KEY_FILE"),
 		SERVER_URL:                       os.Getenv("SERVER_URL"),
 		TOKEN_EXPIRATION_TIME_S: func() int {
@@ -75,42 +75,38 @@ func main() {
 	logger.Noticef("config validated")
 
 	// Keys description:
-	// calloutAccountKP: signs callout responses.
-	// 		should be **account key** of the callout account
+	// calloutAccountPublicKey: issuer for callout responses.
+	// 		should be **public key** of the callout account
+	// calloutAccountSigningKeyKP: signs callout responses.
+	// 		should be **signing key** of the callout account
 	// calloutEncryptionKP: encrypts callout responses.
 	// 		should be **encryption key** of the callout account
-	// appAccountKP: key pair for assigning account to the user
-	// 		should be **account key** of the app account
+	// appAccountPublicKey: account assignment for the user
+	// 		should be **public key** of the app account
 	// appAccountSigningKeyKP: key pair for signing the user
 	// 		should be **signing key** of the app account
-	calloutAccountKP, err := loadAndParseKeys(cfg.CALLOUT_ACCOUNT_NKEY_FILE)
+	calloutAccountSigningKeyKP, err := loadAndParseKeys(cfg.CALLOUT_ACCOUNT_SIGNING_KEY_FILE)
 	if err != nil {
-		panic(fmt.Errorf("error creating issuer key pair: %v", err))
+		panic(fmt.Errorf("error creating signing key pair: %v", err))
 	}
-
-	// TODO: determine how avoid using calloutAccountKP
-	// calloutAccountSigningKeyKP, err := loadAndParseKeys(cfg.CALLOUT_ACCOUNT_SIGNING_KEY_FILE)
-	// if err != nil {
-	// 	panic(fmt.Errorf("error creating signing key pair: %v", err))
-	// }
 	calloutEncryptionKP, err := loadAndParseKeys(cfg.CALLOUT_ACCOUNT_XKEY_FILE)
 	if err != nil {
 		panic(fmt.Errorf("error creating encryption key pair: %v", err))
 	}
-	appAccountKP, err := loadAndParseKeys(cfg.APP_ACCOUNT_NKEY_FILE)
-	if err != nil {
-		panic(fmt.Errorf("error creating account key pair: %v", err))
-	}
 	appAccountSigningKeyKP, err := loadAndParseKeys(cfg.APP_ACCOUNT_SIGNING_KEY_FILE)
 	if err != nil {
 		panic(fmt.Errorf("error creating account signing key pair: %v", err))
 	}
 
 	logger.Noticef("keys loaded")
 
-	appAccountPublicKey, err := appAccountKP.PublicKey()
+	calloutAccountPublicKey, err := loadPublicAccountKey(cfg.CALLOUT_ACCOUNT_PUBLIC_KEY_FILE)
+	if err != nil {
+		panic(fmt.Errorf("error loading callout account public key: %v", err))
+	}
+	appAccountPublicKey, err := loadPublicAccountKey(cfg.APP_ACCOUNT_PUBLIC_KEY_FILE)
 	if err != nil {
-		panic(fmt.Errorf("error getting app account public key: %v", err))
+		panic(fmt.Errorf("error loading app account public key: %v", err))
 	}
 
 	// Function that creates the users
@@ -183,7 +179,9 @@ func main() {
 	_, err = callout.NewAuthorizationService(nc,
 		callout.Authorizer(authorizer),
 		// Sign the response with the callout account's signing key
-		callout.ResponseSignerKey(calloutAccountKP),
+		callout.ResponseSignerKey(calloutAccountSigningKeyKP),
+		// Let NATS verify the signing key against the callout account
+		callout.ResponseSignerIssuer(calloutAccountPublicKey),
 		// Encrypt the response with the callout account's encryption key
 		callout.EncryptionKey(calloutEncryptionKP))
 
@@ -198,23 +196,23 @@ func main() {
 }
 
 func VerifyTokenLocally(token string, secretKeys []string, algorithm string) (*jwt.Token, error) {
-    var lastErr error
-    
-    for _, secretKey := range secretKeys {
-        parsedToken, err := jwt.Parse(token, func(pToken *jwt.Token) (interface{}, error) {
-            if pToken.Method.Alg() != algorithm {
-                return nil, fmt.Errorf("unexpected signing method: %v", pToken.Header["alg"])
-            }
-            return []byte(secretKey), nil
-        })
-
-        if err == nil && parsedToken.Valid {
-            return parsedToken, nil
-        }
-        lastErr = err
-    }
-
-    return nil, fmt.Errorf("failed to verify token with any key: %v", lastErr)
+	var lastErr error
+
+	for _, secretKey := range secretKeys {
+		parsedToken, err := jwt.Parse(token, func(pToken *jwt.Token) (interface{}, error) {
+			if pToken.Method.Alg() != algorithm {
+				return nil, fmt.Errorf("unexpected signing method: %v", pToken.Header["alg"])
+			}
+			return []byte(secretKey), nil
+		})
+
+		if err == nil && parsedToken.Valid {
+			return parsedToken, nil
+		}
+		lastErr = err
+	}
+
+	return nil, fmt.Errorf("failed to verify token with any key: %v", lastErr)
 }
 
 func VerifyToken(token string, verificationUrl string) error {
@@ -239,6 +237,24 @@ func VerifyToken(token string, verificationUrl string) error {
 	return nil
 }
 
+func loadPublicAccountKey(fp string) (string, error) {
+	if fp == "" {
+		return "", errors.New("public key file required")
+	}
+	data, err := os.ReadFile(fp)
+	if err != nil {
+		return "", fmt.Errorf("error reading public key file: %w", err)
+	}
+	key := strings.TrimSpace(string(data))
+	if key == "" {
+		return "", errors.New("public key file is empty")
+	}
+	if !nkeys.IsValidPublicAccountKey(key) {
+		return "", errors.New("public key must be an account public key")
+	}
+	return key, nil
+}
+
 func loadAndParseKeys(fp string) (nkeys.KeyPair, error) {
 	if fp == "" {
 		return nil, errors.New("key file required")
diff --git a/conf/nats-conf/README.md b/conf/nats-conf/README.md
@@ -45,10 +45,10 @@ sequenceDiagram
 The script generates the following artifacts to `./out_jwt`:
 
 - `auth.conf`: configuration generated after all accounts are added, imported in nats cluster configuration files
-- `APP.nk`: ___APP___ `account` private NKEY. Used to extract public NKEY and assign it to users (IssuerAccount).
+- `APP.pub`: ___APP___ `account` public NKEY. Used to assign users to the APP account (IssuerAccount).
 - `APP_sk.nk`: ___APP___ `account` signing private NKEY. Used to sign users in auth callout.
-- `CALLOUT.nk`: ___CALLOUT___ `account` private NKEY. Used to sign auth callout responses.
-- `CALLOUT_sk.nk`: ___CALLOUT___ `account` signing private NKEY. Currently doesn't do anything
+- `CALLOUT.pub`: ___CALLOUT___ `account` public NKEY. Used as the auth callout response issuer.
+- `CALLOUT_sk.nk`: ___CALLOUT___ `account` signing private NKEY. Used to sign auth callout responses.
 - `CALLOUT_xkey.nk`: ___CALLOUT___ `account` encryption NKEY
 - `backend.creds`: backend `user` credentials used by backend services (FastAPI, orchestrator, agents)
 - `callout.creds`: callout `user` credentials used by callout service
diff --git a/conf/nats-conf/generate-auth-jwt.sh b/conf/nats-conf/generate-auth-jwt.sh
@@ -105,9 +105,9 @@ cp "$NSC_WORK_DIR"/*.creds "$CP_DIR"/
 cp "$NSC_WORK_DIR/$AUTH_CONF_FILENAME" "$CP_DIR/$AUTH_CONF_FILENAME"
 
 NSC_KEYS_BASE="$XDG_DATA_HOME/nats/nsc/keys/keys"
-cp "$NSC_KEYS_BASE/A/${APP_ACCOUNT:1:2}/${APP_ACCOUNT}.nk" "$CP_DIR/APP.nk"
+printf "%s\n" "$APP_ACCOUNT" > "$CP_DIR/APP.pub"
 cp "$NSC_KEYS_BASE/A/${APP_ACCOUNT_SK:1:2}/${APP_ACCOUNT_SK}.nk" "$CP_DIR/APP_sk.nk"
-cp "$NSC_KEYS_BASE/A/${CALLOUT_ACCOUNT:1:2}/${CALLOUT_ACCOUNT}.nk" "$CP_DIR/CALLOUT.nk"
+printf "%s\n" "$CALLOUT_ACCOUNT" > "$CP_DIR/CALLOUT.pub"
 cp "$NSC_KEYS_BASE/A/${CALLOUT_ACCOUNT_SK:1:2}/${CALLOUT_ACCOUNT_SK}.nk" "$CP_DIR/CALLOUT_sk.nk"
 cp "$NSC_KEYS_BASE/X/${CALLOUT_ACCOUNT_XKEY:1:2}/${CALLOUT_ACCOUNT_XKEY}.nk" "$CP_DIR/CALLOUT_xkey.nk"
 
