Adds support for hidden private keys in server tenants

server/routerlicious/.changeset/curly-wombats-peel.md

@@ -0,0 +1,7 @@
+---
+"@fluidframework/server-services-utils": minor
+---
+
+Adds support for a new token claim - `isKeylessAccessToken`.
+
+The added support for this new claim would allow the server to know what keys to use to validate an access token. This value will only be added for tokens signed by the server. It is not exposed to the client API.

server/routerlicious/.changeset/six-candles-sneeze.md

@@ -0,0 +1,7 @@
+---
+"@fluidframework/server-services": minor
+---
+
+Adds support for the tenant manager to use Riddler's new APIs
+
+Now the tenant manager used by Alfred can fetch the new private keys exposed by Riddler. The `getKeys` API can be called with the `usePrivateKeys` flag set to true. This is currently only used for one Alfred to Riddler API call to fetch tenant keys when signing a document creation token.

server/routerlicious/.changeset/weak-radios-camp.md

@@ -0,0 +1,7 @@
+---
+"@fluidframework/server-routerlicious-base": major
+---
+
+Now Riddler supports using private keys to sign server access tokens
+
+Riddler's tenant manager now exposes two new properties - `enablePrivateKeyAccess` and `enableSharedKeyAccess`. These respectively indicate whether a tenant can be accessed using hidden private keys and whether a tenant can be accessed using shared secrets. APIs now support toggling the `enablePrivateKeyAccess` prop. They also support fetching these new keys and refreshing these new keys. All calls to manipulate private keys should be made from within the server.

server/routerlicious/.changeset/wide-ducks-bake.md

@@ -0,0 +1,7 @@
+---
+"@fluidframework/server-services-core": major
+---
+
+Adds new props to the tenant interface to support private key based access
+
+Now tenants have two new properties - `enablePrivateKeyAccess` and `enableSharedKeyAccess`. These are used by Riddler to determine whether a tenant allows just shared key access, private key access or both.

server/routerlicious/packages/routerlicious-base/package.json

@@ -143,6 +143,9 @@
 			"ClassDeclaration_RiddlerResources": {
 				"forwardCompat": false,
 				"backCompat": false
+			},
+			"ClassDeclaration_TenantManager": {
+				"forwardCompat": false
 			}
 		}
 	}

server/routerlicious/packages/routerlicious-base/src/alfred/routes/api/documents.ts

@@ -101,8 +101,7 @@ async function generateCreateDocumentResponseBody(
 		if (token === undefined) {
 			throw new NetworkError(400, "Authorization header is missing or malformed");
 		}
-		const tenantKey = await tenantManager.getKey(tenantId);
-		newDocumentAccessToken = getCreationToken(token, tenantKey, documentId);
+		newDocumentAccessToken = await getCreationToken(tenantManager, token, tenantId, documentId);
 	}
 	let newDocumentSession: ISession | undefined;
 	if (enableDiscovery) {

server/routerlicious/packages/routerlicious-base/src/riddler/api.ts

@@ -91,7 +91,13 @@ export function create(
 	router.get("/tenants/:id/keys", (request, response) => {
 		const tenantId = request.params.id;
 		const includeDisabledTenant = getIncludeDisabledFlag(request);
-		const tenantP = manager.getTenantKeys(tenantId, includeDisabledTenant);
+		const usePrivateKeys = getUsePrivateKeysFlag(request);
+		const tenantP = manager.getTenantKeys(
+			tenantId,
+			includeDisabledTenant,
+			false /* bypassCache */,
+			usePrivateKeys,
+		);
 		handleResponse(tenantP, response);
 	});
 
@@ -113,6 +119,16 @@ export function create(
 		handleResponse(storageP, response);
 	});
 
+	/**
+	 * Updates the keyless access setting for the given tenant
+	 */
+	router.put("/tenants/:id/privateKeyAccess", (request, response) => {
+		const tenantId = request.params.id;
+		const enablePrivateKeyAccess = request.body.enablePrivateKeyAccess ?? false;
+		const storageP = manager.updatePrivateKeyAccessPolicy(tenantId, enablePrivateKeyAccess);
+		handleResponse(storageP, response);
+	});
+
 	/**
 	 * Updates the customData for the given tenant
 	 */
@@ -128,7 +144,8 @@ export function create(
 	router.put("/tenants/:id/key", (request, response) => {
 		const tenantId = request.params.id;
 		const keyName = request.body.keyName as string;
-		const refreshKeyP = manager.refreshTenantKey(tenantId, keyName);
+		const refreshPrivateKey = request.body.refreshPrivateKey as boolean;
+		const refreshKeyP = manager.refreshTenantKey(tenantId, keyName, refreshPrivateKey);
 		handleResponse(refreshKeyP, response);
 	});
 
@@ -142,11 +159,13 @@ export function create(
 		const tenantCustomData: ITenantCustomData = request.body.customData
 			? request.body.customData
 			: {};
+		const enablePrivateKeyAccess = request.body.enablePrivateKeyAccess ?? false;
 		const tenantP = manager.createTenant(
 			tenantId,
 			tenantStorage,
 			tenantOrderer,
 			tenantCustomData,
+			enablePrivateKeyAccess,
 		);
 		handleResponse(tenantP, response);
 	});
@@ -169,5 +188,10 @@ export function create(
 		return includeDisabledRaw?.toLowerCase() === "true";
 	}
 
+	function getUsePrivateKeysFlag(request): boolean {
+		const usePrivateKeys = request.query.usePrivateKeys as string;
+		return usePrivateKeys?.toLowerCase() === "true";
+	}
+
 	return router;
 }