
Well known attributes #428

Merged: 6 commits from well_known_attrs into main, Oct 9, 2023

Conversation

@didierofrivia (Member) commented Sep 22, 2023

Closes #425

This PR is an effort to implement the Well Known Attributes, in this case, aimed just for Auth purposes.

The built AuthorizationJson would look like

```json
{
  "context": {
    "request": {
      "...": "..."
    }
  },
  "request": {
    "host": "my-api",
    "method": "GET",
    "path": "/operation",
    "url_path": "/operation",
    "headers": {
      "authorization": "Bearer n3ex87bye9238ry8"
    }
  },
  "source": {
    "address": "\\u003cnil\\u003e",
    "...": "..."
  },
  "destination": {
    "address": "\\u003cnil\\u003e",
    "...": "..."
  },
  "auth": {
    "identity": "...",
    "metadata": "...",
    "authorization": "...",
    "response": "...",
    "callbacks": "..."
  }
}
```

Verification Steps:

1. Set up the cluster for testing:

```shell
make local-setup
```

2. Forward the service port:

```shell
kubectl port-forward deployment/envoy 8000:8000 &
```

3. Create the AuthConfig:

```shell
kubectl apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  authentication:
    "friends":
      apiKey:
        selector:
          matchLabels:
            group: friends
      credentials:
        authorizationHeader:
          prefix: APIKEY
EOF
```

4. Create an API key:

```shell
kubectl apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
type: Opaque
EOF
```

5. Consume the API.

With a valid API key:

```shell
curl -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello
# HTTP/1.1 200 OK
```

With a missing or invalid API key:

```shell
curl -H 'Authorization: APIKEY invalid' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello -i
# HTTP/1.1 401 Unauthorized
# www-authenticate: APIKEY realm="friends"
# x-ext-auth-reason: the API Key provided is invalid
```

@didierofrivia didierofrivia force-pushed the well_known_attrs branch 2 times, most recently from b7fd536 to 707709f on September 26, 2023 16:33
@didierofrivia didierofrivia self-assigned this Sep 26, 2023
@gitguardian (bot) commented Sep 28, 2023

⚠️ GitGuardian has uncovered 11 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | Secret | Commit | Filename |
| --- | --- | --- | --- |
| 8273841 | Bearer Token | d758e6c | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 30e4743 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 80fa4fa | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 80fa4fa | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 30e4743 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
| 8273841 | Bearer Token | 18c9da2 | pkg/service/auth_pipeline_test.go |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.


@didierofrivia didierofrivia changed the title [wip][feat] Well known attributes Well known attributes Oct 2, 2023
@didierofrivia didierofrivia marked this pull request as ready for review October 2, 2023 17:04
@guicassolato (Collaborator) left a comment

Still some polishing to do, but progressing well, @didierofrivia.


This is from the logs of the Authorino instance for the following AuthConfig:

```yaml
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  when:
  - selector: request.path
    operator: eq
    value: /protected
  authentication:
    "friends":
      apiKey:
        selector:
          matchLabels:
            group: friends
      credentials:
        authorizationHeader:
          prefix: APIKEY
```

When I curl the protected service:

```text
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x13d9af0]

goroutine 469 [running]:
net/url.(*URL).Port(...)
	/usr/lib/golang/src/net/url/url.go:1152
github.com/kuadrant/authorino/pkg/service.newSourceAttributes(0x40000a97c0)
	/usr/src/authorino/pkg/service/well_known_attributes.go:167 +0x70
github.com/kuadrant/authorino/pkg/service.NewWellKnownAttributes(0x40000a97c0, 0x0?)
	/usr/src/authorino/pkg/service/well_known_attributes.go:134 +0x30
github.com/kuadrant/authorino/pkg/service.NewAuthorizationJSON(0x40009afbc0, 0x4000724c18?)
	/usr/src/authorino/pkg/service/auth_pipeline.go:612 +0x28
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).GetAuthorizationJSON(0x4000169b00)
	/usr/src/authorino/pkg/service/auth_pipeline.go:577 +0x520
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).evaluateConditions(0x2c5eb60?, {0x40009ae060, 0x1, 0x13d36c0?})
	/usr/src/authorino/pkg/service/auth_pipeline.go:378 +0x28
github.com/kuadrant/authorino/pkg/service.(*AuthPipeline).Evaluate(0x4000169b00)
	/usr/src/authorino/pkg/service/auth_pipeline.go:453 +0x74
github.com/kuadrant/authorino/pkg/service.(*AuthService).Check(0x40001b3e60, {0x1c56610, 0x4000714570}, 0x40009afbc0)
	/usr/src/authorino/pkg/service/auth.go:284 +0x57c
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1({0x1c56610, 0x4000714570}, {0x17999e0?, 0x40009afbc0})
	/usr/src/authorino/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v3/external_auth.pb.go:699 +0x74
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x400039f700, 0x4000519d58)
	/usr/src/authorino/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go:342 +0x3d4
google.golang.org/grpc.getChainUnaryHandler.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0})
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1164 +0xa0
github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x400039f700?, 0x40004d3200)
	/usr/src/authorino/vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_metrics.go:107 +0x74
google.golang.org/grpc.chainUnaryInterceptors.func1({0x1c56610, 0x40009afb90}, {0x17999e0, 0x40009afbc0}, 0x40007359f8?, 0xfb46b0?)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1155 +0x88
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler({0x170fee0?, 0x40001b3e60}, {0x1c56610, 0x40009afb90}, 0x40004a7b90, 0x40001b3de0)
	/usr/src/authorino/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v3/external_auth.pb.go:701 +0x134
google.golang.org/grpc.(*Server).processUnaryRPC(0x40000fc5a0, {0x1c5e020, 0x40008c1a00}, 0x400093c7e0, 0x4000358030, 0x2c25960, 0x0)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1345 +0xc50
google.golang.org/grpc.(*Server).handleStream(0x40000fc5a0, {0x1c5e020, 0x40008c1a00}, 0x400093c7e0, 0x0)
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:1722 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:966 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	/usr/src/authorino/vendor/google.golang.org/grpc/server.go:964 +0x294
```

@guicassolato (Collaborator) left a comment

I'm afraid we may still be missing a few null checks, @didierofrivia.

E.g., try: (Requires grpcurl.)

```shell
make cluster install run
grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{}
EOF
```

@didierofrivia (Member, Author) commented

Thanks again @guicassolato! Will do :)

@guicassolato (Collaborator) left a comment

@didierofrivia, as discussed offline, the error pointed out by me before is not caused by the changes in this PR, but a preexisting bug.

A fairer test would be:

```shell
grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{
  "attributes": {
    "request": {
      "http": {
        "headers": {},
        "host": "talker-api-authorino.127.0.0.1.nip.io"
      }
    }
  }
}
EOF
```

The above avoids the bug in AuthService.Check() (i.e., lack of validation of the user input) and lets the flow go through the new code to build the Authorization JSON, where it does not fail.

I think all the functions you use in the PR to obtain attribute context data, such as GetScheme(), GetHost(), GetAddress(), GetSocketAddress(), etc., already implement the necessary null-checks.
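
The following is an added example, not Authorino's code and not the go-control-plane types: a nil-tolerant builder for the `request`, `source` and `destination` parts of the Authorization JSON shown in the description. The `SocketAddress`/`Peer`/`HTTPRequest`/`Attributes`/`CheckRequest` types, the `urlPath` helper and the `Build*` functions are constructed stand-ins that only mirror the nesting of an ext_authz CheckRequest. It shows two things the thread touches on: every pointer on the way to a peer address is checked, so an empty request like the `{}` grpcurl probe above produces placeholder values rather than a nil-pointer panic; and why a missing address surfaces as the escaped `<nil>` placeholder (`\u003cnil\u003e`) in the description's JSON, since `fmt` prints a nil pointer as `<nil>` and `encoding/json` HTML-escapes the angle brackets unless `SetEscapeHTML(false)` is set.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed stand-ins for the Envoy ext_authz CheckRequest nesting
// (attributes -> source/destination -> address). They are NOT the
// go-control-plane types; only the shape matters for this example.
type SocketAddress struct {
	Address   string
	PortValue uint32
}
type Peer struct{ Address *SocketAddress }
type HTTPRequest struct {
	Host, Method, Path string
	Headers            map[string]string
}
type Attributes struct {
	Source, Destination *Peer
	Request             *HTTPRequest
}
type CheckRequest struct{ Attributes *Attributes }

// peerAttributes builds the "source"/"destination" entry. Every pointer on the
// way is checked, so a request with no peer information (like the `{}` probe
// sent with grpcurl above) yields placeholders instead of a panic.
func peerAttributes(p *Peer) map[string]any {
	if p == nil || p.Address == nil {
		// fmt renders a nil pointer as "<nil>"; json.Marshal then escapes the
		// angle brackets, which is the "\u003cnil\u003e" in the PR description.
		var none *SocketAddress
		return map[string]any{"address": fmt.Sprintf("%v", none), "port": 0}
	}
	return map[string]any{"address": p.Address.Address, "port": p.Address.PortValue}
}

// urlPath keeps only the path component of the raw :path value. url.Parse
// returns a nil *url.URL on error, and calling a method such as Port on that
// nil pointer is the kind of dereference the stack trace above reports,
// so the result is checked before use.
func urlPath(rawPath string) string {
	u, err := url.Parse(rawPath)
	if err != nil || u == nil {
		return ""
	}
	return u.Path
}

// requestAttributes builds the "request" entry; a nil request gives empty values.
func requestAttributes(r *HTTPRequest) map[string]any {
	if r == nil {
		r = &HTTPRequest{}
	}
	headers := r.Headers
	if headers == nil {
		headers = map[string]string{} // encode as {} rather than null
	}
	return map[string]any{
		"host": r.Host, "method": r.Method, "path": r.Path,
		"url_path": urlPath(r.Path), "headers": headers,
	}
}

// attributes assembles the tree; nil anywhere in the CheckRequest is tolerated.
func attributes(req *CheckRequest) map[string]any {
	attrs := &Attributes{}
	if req != nil && req.Attributes != nil {
		attrs = req.Attributes
	}
	return map[string]any{
		"request":     requestAttributes(attrs.Request),
		"source":      peerAttributes(attrs.Source),
		"destination": peerAttributes(attrs.Destination),
	}
}

// BuildAuthorizationJSON uses json.Marshal, which HTML-escapes '<' and '>'.
func BuildAuthorizationJSON(req *CheckRequest) ([]byte, error) {
	return json.Marshal(attributes(req))
}

// BuildAuthorizationJSONPlain disables that escaping so "<nil>" stays readable in logs.
func BuildAuthorizationJSONPlain(req *CheckRequest) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(attributes(req)); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

func main() {
	// Constructed sample request; the bearer value is a placeholder, not a real token.
	req := &CheckRequest{Attributes: &Attributes{Request: &HTTPRequest{Host: "my-api",
		Method: "GET", Path: "/operation?verbose=1",
		Headers: map[string]string{"authorization": "Bearer <placeholder>"}}}}
	out, _ := BuildAuthorizationJSON(req)
	fmt.Println(string(out))
	out, _ = BuildAuthorizationJSON(&CheckRequest{}) // same shape as the `{}` probe
	fmt.Println(string(out))
}
```

Run it with `go run .`; the first line prints the escaped form (`"address":"\u003cnil\u003e"`) for both peers because the sample request carries no socket addresses, and the second line shows that an empty request still produces a complete, if empty, attribute tree.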

@didierofrivia didierofrivia merged commit 15dd344 into main Oct 9, 2023
9 checks passed
@didierofrivia didierofrivia deleted the well_known_attrs branch October 9, 2023 14:42
Linked issue: Well-known attributes (Kuadrant RFC-0002)