[Spike] Changes needed to support GitHub Actions direct authentication to Minder #4317
61864cd
3e08526
dbc09df
ae53ffb
1c955b9
d41e578
@@ -0,0 +1,76 @@ | ||
// | ||
// Copyright 2024 Stacklok, Inc. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
// Package githubactions provides an implementation of the GitHub IdentityProvider. | ||
package githubactions | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"net/url" | ||
"strings" | ||
|
||
"github.com/lestrrat-go/jwx/v2/jwt" | ||
|
||
"github.com/mindersec/minder/internal/auth" | ||
) | ||
|
||
// GitHubActions is an implementation of the auth.IdentityProvider interface. | ||
type GitHubActions struct { | ||
} | ||
|
||
var _ auth.IdentityProvider = (*GitHubActions)(nil) | ||
var _ auth.Resolver = (*GitHubActions)(nil) | ||
|
||
var ghIssuerUrl = url.URL{ | ||
Scheme: "https", | ||
Host: "token.actions.githubusercontent.com", | ||
} | ||
|
||
// String implements auth.IdentityProvider. | ||
func (_ *GitHubActions) String() string { | ||
return "githubactions" | ||
} | ||
|
||
// URL implements auth.IdentityProvider. | ||
func (_ *GitHubActions) URL() url.URL { | ||
return ghIssuerUrl | ||
} | ||
|
||
// Resolve implements auth.IdentityProvider. | ||
func (gha *GitHubActions) Resolve(_ context.Context, id string) (*auth.Identity, error) { | ||
// GitHub Actions subjects look like: | ||
// repo:evankanderson/actions-id-token-testing:ref:refs/heads/main | ||
// however, OpenFGA does not allow the "#" or ":" characters in the subject: | ||
// https://github.com/openfga/openfga/blob/main/pkg/tuple/tuple.go#L34 | ||
return &auth.Identity{ | ||
UserID: strings.ReplaceAll(id, ":", "+"), | ||
HumanName: strings.ReplaceAll(id, "+", ":"), | ||
Provider: gha, | ||
}, nil | ||
} | ||
|
||
// Validate implements auth.IdentityProvider. | ||
func (gha *GitHubActions) Validate(_ context.Context, token jwt.Token) (*auth.Identity, error) { | ||
expectedUrl := gha.URL() | ||
if token.Issuer() != expectedUrl.String() { | ||
return nil, errors.New("token issuer is not the expected issuer") | ||
} | ||
return &auth.Identity{ | ||
UserID: strings.ReplaceAll(token.Subject(), ":", "+"), | ||
HumanName: token.Subject(), | ||
Provider: gha, | ||
}, nil | ||
} |
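Review bot: The `:` → `+` mangling in Resolve (L95-L99) and Validate (L109-L113) is not reversible in general: `+` is a legal character in git ref names and GitHub subjects embed the ref (`repo:o/r:ref:refs/heads/a+b`), so Resolve's `strings.ReplaceAll(id, "+", ":")` renders such a subject with the wrong separators, and an already-mangled id passed to Resolve is indistinguishable from a raw subject that happens to contain `+`. Resolve also accepts any string at all, and the role-assignment changes further down this PR skip the local user lookup for provider-backed identities, so a role can end up bound to a subject no GitHub token will ever carry. Reject ids that contain the escape character and require the documented shape before mangling, e.g. `if strings.Contains(id, "+") || !strings.HasPrefix(id, "repo:") { return nil, errors.New("invalid GitHub Actions subject") }`, and apply the same check to `token.Subject()` in Validate so the two paths agree on what a valid subject is.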
@@ -0,0 +1,129 @@ | ||
// | ||
// Copyright 2024 Stacklok, Inc. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
// Package dynamic provides the logic for reading and validating JWT tokens | ||
// using a JWKS URL from the token's | ||
package dynamic | ||
|
||
import ( | ||
"context" | ||
"encoding/base64" | ||
"encoding/json" | ||
"fmt" | ||
"io" | ||
"net/http" | ||
"time" | ||
|
||
"github.com/lestrrat-go/jwx/v2/jwk" | ||
"github.com/lestrrat-go/jwx/v2/jws" | ||
"github.com/lestrrat-go/jwx/v2/jwt" | ||
"github.com/lestrrat-go/jwx/v2/jwt/openid" | ||
|
||
stacklok_jwt "github.com/mindersec/minder/internal/auth/jwt" | ||
) | ||
|
||
// a subset of the openID well-known configuration for JSON parsing | ||
type openIdConfig struct { | ||
JwksURI string `json:"jwks_uri"` | ||
} | ||
|
||
// Validator dynamically validates JWTs by fetching the key from the well-known OIDC issuer URL. | ||
type Validator struct { | ||
jwks *jwk.Cache | ||
aud string | ||
} | ||
|
||
var _ stacklok_jwt.Validator = (*Validator)(nil) | ||
|
||
// NewDynamicValidator creates a new instance of the dynamic JWT validator | ||
func NewDynamicValidator(ctx context.Context, aud string) *Validator { | ||
return &Validator{ | ||
jwks: jwk.NewCache(ctx), | ||
aud: aud, | ||
} | ||
} | ||
|
||
// ParseAndValidate implements jwt.Validator. | ||
func (m Validator) ParseAndValidate(tokenString string) (openid.Token, error) { | ||
// This is based on https://github.com/lestrrat-go/jwx/blob/v2/examples/jwt_parse_with_key_provider_example_test.go | ||
|
||
_, b64payload, _, err := jws.SplitCompact([]byte(tokenString)) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to split compact JWT: %w", err) | ||
} | ||
|
||
jwtPayload := make([]byte, base64.RawStdEncoding.DecodedLen(len(b64payload))) | ||
if _, err := base64.RawStdEncoding.Decode(jwtPayload, b64payload); err != nil { | ||
return nil, fmt.Errorf("failed to decode JWT payload: %w", err) | ||
} | ||
|
||
parsed, err := jwt.Parse(jwtPayload, jwt.WithVerify(false), jwt.WithToken(openid.New())) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to parse JWT payload: %w", err) | ||
} | ||
openIdToken, ok := parsed.(openid.Token) | ||
if !ok { | ||
return nil, fmt.Errorf("failed to cast JWT payload to openid.Token") | ||
} | ||
|
||
// Now that we've got the issuer, we can validate the token | ||
keySet, err := m.getKeySet(parsed.Issuer()) | ||
There's a possible resource exhaustion attack here if you get a lot of OAuth issuers. We can probably narrow this down with an allow-list, e.g. from the IdentityProvider API (get all the allowed issuers, drop the others early).
||
if err != nil { | ||
return nil, fmt.Errorf("failed to get JWK set: %w", err) | ||
} | ||
if _, err := jws.Verify([]byte(tokenString), jws.WithKeySet(keySet)); err != nil { | ||
return nil, fmt.Errorf("failed to verify JWT: %w", err) | ||
} | ||
|
||
return openIdToken, nil | ||
} | ||
|
||
func (m Validator) getKeySet(issuer string) (jwk.Set, error) { | ||
jwksUrl, err := getJWKSUrlForOpenId(issuer) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to fetch JWKS URL from openid: %w", err) | ||
} | ||
if err := m.jwks.Register(jwksUrl, jwk.WithMinRefreshInterval(15*time.Minute)); err != nil { | ||
return nil, fmt.Errorf("failed to register JWKS URL: %w", err) | ||
} | ||
|
||
return m.jwks.Get(context.Background(), jwksUrl) | ||
} | ||
|
||
func getJWKSUrlForOpenId(issuer string) (string, error) { | ||
You would think this function existed in
||
wellKnownUrl := fmt.Sprintf("%s/.well-known/openid-configuration", issuer) | ||
|
||
resp, err := http.Get(wellKnownUrl) // #nosec: G107 | ||
if err != nil { | ||
return "", err | ||
} | ||
defer resp.Body.Close() | ||
|
||
if resp.StatusCode != http.StatusOK { | ||
return "", fmt.Errorf("unexpected status code: %d", resp.StatusCode) | ||
} | ||
|
||
body, err := io.ReadAll(resp.Body) | ||
if err != nil { | ||
return "", fmt.Errorf("Failed to read respons body: %w", err) | ||
} | ||
|
||
config := openIdConfig{} | ||
if err := json.Unmarshal(body, &config); err != nil { | ||
return "", fmt.Errorf("failed to unmarshal JSON: %w", err) | ||
} | ||
|
||
return config.JwksURI, nil | ||
} |
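Review bot: `getJWKSUrlForOpenId` (L241-L272) issues an `http.Get` to whatever `iss` the still-unverified payload names and then registers the `jwks_uri` from that response in the shared cache, so any client that can reach the API can make the server fetch attacker-chosen internal or external URLs (SSRF) and keep them on a 15-minute refresh; the `#nosec: G107` on L247 suppresses exactly this finding. Before `getKeySet` is called, check `parsed.Issuer()` against the issuers of the configured identity providers, require an `https` scheme, and fetch with a client that has a timeout and the request context instead of `http.Get` and `context.Background()` (L237, L247). Two smaller defects in the same function: JWT segments are base64url, so `base64.RawStdEncoding` (L195-L196) fails on any payload whose encoding contains `-` or `_` and should be `base64.RawURLEncoding`; and the `aud` field set in `NewDynamicValidator` (L168, L179) is never read, so `jwt.WithAudience(m.aud)` on the `jwt.Parse` call at L201 is the natural place to enforce it. The excerpt below sketches these changes; `allowedIssuers` stands for a set populated from the configured providers at construction time, and the `net/url` check needs a corresponding import.
```go
	// … unchanged: jws.SplitCompact …
	// JWT segments are base64url (RFC 7515), not standard base64.
	jwtPayload, err := base64.RawURLEncoding.DecodeString(string(b64payload))
	if err != nil {
		return nil, fmt.Errorf("failed to decode JWT payload: %w", err)
	}
	// aud is enforced on the claims here; jws.Verify below covers the same bytes.
	parsed, err := jwt.Parse(jwtPayload, jwt.WithVerify(false), jwt.WithToken(openid.New()), jwt.WithAudience(m.aud))
	// … unchanged: openid.Token assertion …
	// iss is attacker-controlled until the signature has been checked: never
	// dereference an issuer that is not one of the configured providers.
	if _, ok := m.allowedIssuers[parsed.Issuer()]; !ok {
		return nil, fmt.Errorf("issuer %q is not a configured identity provider", parsed.Issuer())
	}
	// … unchanged: getKeySet, jws.Verify …

func getJWKSUrlForOpenId(ctx context.Context, client *http.Client, issuer string) (string, error) {
	if u, err := url.Parse(issuer); err != nil || u.Scheme != "https" {
		return "", fmt.Errorf("issuer must be an https URL: %q", issuer)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimSuffix(issuer, "/")+"/.well-known/openid-configuration", nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req) // client carries a Timeout set by the caller
	// … unchanged: status check, body read, JSON decode …
```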
@@ -7,6 +7,7 @@ package jwt | |
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/lestrrat-go/jwx/v2/jwk" | ||
"github.com/lestrrat-go/jwx/v2/jwt" | ||
|
@@ -112,6 +113,12 @@ func GetUserSubjectFromContext(ctx context.Context) string { | |
if !ok { | ||
return "" | ||
} | ||
// TODO: wire this in to IdentityProvider interface. Alternatively, have a different version | ||
// for authzClient.Check that is IdentityProvider aware | ||
|
||
if token.Issuer() == "https://token.actions.githubusercontent.com" { | ||
return fmt.Sprintf("githubactions/%s", strings.ReplaceAll(token.Subject(), ":", "+")) | ||
} | ||
Hahaha, this is gross. We should probably put all of this mangling / un-mangling in
||
return token.Subject() | ||
} | ||
|
||
|
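Review bot: The issuer literal `"https://token.actions.githubusercontent.com"` on L294 is a second copy of the `ghIssuerUrl` value that the githubactions package already owns, and the `githubactions/` prefix on L295 re-spells `GitHubActions.String()` by hand; if either is changed in one place the OpenFGA subject produced here presumably stops matching what the provider path stores. Compare against the provider rather than a literal, e.g. `if token.Issuer() == ghProvider.URL().String() { return ghProvider.String() + "/" + mangled }`, or introduce one shared constant for the issuer and derive the prefix from the provider's name. GetUserSubjectFromContext begins outside this hunk.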
@@ -0,0 +1,43 @@ | ||
// | ||
// Copyright 2024 Stacklok, Inc. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
// Package merged provides the logic for reading and validating JWT tokens | ||
package merged | ||
|
||
import ( | ||
"fmt" | ||
|
||
"github.com/lestrrat-go/jwx/v2/jwt/openid" | ||
|
||
stacklok_jwt "github.com/mindersec/minder/internal/auth/jwt" | ||
) | ||
|
||
// Validator is a struct that combines multiple JWT validators. | ||
type Validator struct { | ||
Validators []stacklok_jwt.Validator | ||
} | ||
|
||
var _ stacklok_jwt.Validator = (*Validator)(nil) | ||
|
||
// ParseAndValidate implements jwt.Validator. | ||
func (m Validator) ParseAndValidate(tokenString string) (openid.Token, error) { | ||
for _, v := range m.Validators { | ||
t, err := v.ParseAndValidate(tokenString) | ||
if err == nil { | ||
return t, nil | ||
} | ||
} | ||
return nil, fmt.Errorf("no validator could parse and validate the token") | ||
} |
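Review bot: The loop on L353-L358 discards every validator's error and L359 returns a fixed message, so an operator cannot distinguish an expired token from a bad signature or an unknown issuer, and none of the causes reach logs. Collect the per-validator errors and wrap them into the returned error with `errors.Join` (Go 1.20+; needs an `errors` import in this file), which keeps the accept/reject behaviour identical while preserving the reason. It is also worth a comment on the `Validators` field that the first validator to accept wins and that cheap static validators should precede any network-fetching one, since every token rejected by an earlier validator is retried by the later ones.
```go
	var errs []error
	for _, v := range m.Validators {
		t, err := v.ParseAndValidate(tokenString)
		if err == nil {
			return t, nil
		}
		errs = append(errs, err)
	}
	return nil, fmt.Errorf("no validator could parse and validate the token: %w", errors.Join(errs...))
```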
@@ -336,7 +336,7 @@ func (s *Server) AssignRole(ctx context.Context, req *minder.AssignRoleRequest) | |
} else if sub != "" && inviteeEmail == "" { | ||
// Enable one or the other. | ||
// This is temporary until we deprecate it completely in favor of email-based role assignments | ||
if !flags.Bool(ctx, s.featureFlags, flags.UserManagement) { | ||
if flags.Bool(ctx, s.featureFlags, flags.MachineAccounts) || !flags.Bool(ctx, s.featureFlags, flags.UserManagement) { | ||
Since machine accounts can't accept ToS or invitations, I'm extending the lifetime of this branch. Sorry-not-sorry!
||
assignment, err := db.WithTransaction(s.store, func(qtx db.ExtendQuerier) (*minder.RoleAssignment, error) { | ||
return s.roles.CreateRoleAssignment(ctx, qtx, s.authzClient, s.idClient, targetProject, sub, authzRole) | ||
}) | ||
|
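Review bot: The condition on L369 re-enables the raw-subject assignment path for every caller whenever `MachineAccounts` is on, not only for machine subjects, so turning the flag on also lets human users be granted roles by `sub` again and bypasses the invitation flow that `UserManagement` moved them to. Gate the branch on the subject actually resolving to a provider-backed identity rather than on the flag alone, e.g. resolve `sub` through `s.idClient` first and write `if isMachine || !flags.Bool(ctx, s.featureFlags, flags.UserManagement) {` where `isMachine` is `identity.Provider.String() != ""`. AssignRole begins and ends outside this hunk, so that resolution may already be happening inside `CreateRoleAssignment` and could be hoisted.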
@@ -59,11 +59,13 @@ func (_ *roleService) CreateRoleAssignment(ctx context.Context, qtx db.Querier, | |
// TODO: this assumes that we store all users in the database, and that we don't | ||
// need to namespace identify providers. We should revisit these assumptions. | ||
// | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
if identity.Provider.String() == "" { | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
Oh look:
Visited! |
||
|
||
// Check in case there's an existing role assignment for the user | ||
|
@@ -101,11 +103,13 @@ func (_ *roleService) UpdateRoleAssignment(ctx context.Context, qtx db.Querier, | |
} | ||
|
||
// Verify if user exists | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
if identity.Provider.String() == "" { | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
|
||
// Remove the existing role assignment for the user | ||
|
@@ -150,11 +154,13 @@ func (_ *roleService) RemoveRoleAssignment(ctx context.Context, qtx db.Querier, | |
} | ||
|
||
// Verify if user exists | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
if identity.Provider.String() == "" { | ||
if _, err := qtx.GetUserBySubject(ctx, identity.String()); err != nil { | ||
if errors.Is(err, sql.ErrNoRows) { | ||
return nil, util.UserVisibleError(codes.NotFound, "User not found") | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
return nil, status.Errorf(codes.Internal, "error getting user: %v", err) | ||
} | ||
|
||
// Get all role assignments for the project | ||
|
Oop, this doesn't check audience, and should.
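Review bot: The new guards on L390, L418 and L439 skip the local-user lookup for any identity whose provider name is non-empty, so for provider-backed subjects nothing in Create/Update/Remove checks that the subject is well-formed before an assignment is written or deleted for it; with a resolver that accepts arbitrary strings, a typo in `sub` silently yields an assignment for a principal that can never authenticate. `identity.Provider.String()` also appears to be a method call through an interface value, so if any resolver outside this diff can return an `Identity` with a nil `Provider`, these three lines panic where the old unconditional lookup did not — prefer `identity.Provider == nil || identity.Provider.String() == ""`, or document that the provider's `Resolve` is responsible for validating the subject and make it do so. Since the block is now copied verbatim three times, a small helper such as `ensureLocalUser(ctx, qtx, identity) error` would keep the three paths from drifting.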