JWT based authentication support

[t-chaik]

This series of patch introduce JWT based authentication support for the min gRPC endpoint:

• Server-side TLS support for the main gRPC endpoint:
  • CLI configuration interface.
• Client-side TLS support for the "grpc" blobstore backend:
• JWT authentication for the main gRPC endpoint:
  • JWT token extraction and validation.
  • JWT token validation caching.
  • CLI configuration interface.

Suggestion on better naming for API, CLI and configuration are very welcome.

[EdSchouten]

Hi Martin,

Don't be discouraged by any of my remarks. Those changes look pretty neat already. Thanks for working on this! \o/

[t-chaik]

Don't be discouraged by any of my remarks. Those changes look pretty neat already. Thanks for working on this! \o/

No problem, I submitted that WIP precisely to get these remarks! Has you may know, I'm very new to Go so any comments are more than welcome.

[EdSchouten]

Thanks a lot! The patch looks pretty good already. Let's go for the icing on the cake. 👍

[t-chaik]

@EdSchouten: I've added basic unit tests for the JWT auth. validator. How does that all look to you now?

[mickael-carl]

Hi there! Mind rebasing your PR off master? Then we can merge this!

[prestonvanloon]

Any update on this? Authentication seems like a hard requirement for many deployments of buildbarn.

[EdSchouten]

@t-chaik is unfortunately no longer contributing to this project, which is why this PR never made any further progress. Fortunately, some progress has been made on this in the meantime. gRPC servers can nowadays be configured to use an authenticator:

bb-storage/pkg/proto/configuration/grpc/grpc.proto

Lines 29 to 65 in 7e30b99

	// Policy for authenticating clients against the gRPC server.
	AuthenticationPolicy authentication_policy = 4;
	// Maximum size of a Protobuf message that may be received by this
	// server.
	int64 maximum_received_message_size_bytes = 5;
	}
	message AuthenticationPolicy {
	oneof policy {
	// Allow all incoming requests.
	google.protobuf.Empty allow = 1;
	// Allow incoming requests if one of multiple authentication
	// policies allows it, similar to Python's any() function.
	AnyAuthenticationPolicy any = 2;
	// Deny all incoming requests, returning a fixed error message back
	// to the client.
	string deny = 3;
	// Allow incoming requests in case they present a valid TLS
	// certificate.
	TLSClientCertificateAuthenticationPolicy tls_client_certificate = 4;
	}
	}
	message AnyAuthenticationPolicy {
	// Set of backing authentication policies.
	repeated AuthenticationPolicy policies = 1;
	}
	message TLSClientCertificateAuthenticationPolicy {
	// PEM data for the certificate authorities that should be used to
	// validate the remote TLS client.
	string client_certificate_authorities = 1;
	}

bb-storage/pkg/grpc/authenticator.go

Lines 15 to 54 in 7e30b99

	// Authenticator can be used to grant or deny access to a gRPC server.
	// Implementations may grant access based on TLS connection state,
	// provided headers, source IP address ranges, etc. etc. etc.
	type Authenticator interface {
	Authenticate(ctx context.Context) error
	}
	// NewAuthenticatorFromConfiguration creates a tree of Authenticator
	// objects based on a configuration file.
	func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy) (Authenticator, error) {
	if policy == nil {
	return nil, status.Error(codes.InvalidArgument, "Authentication policy not specified")
	}
	switch policyKind := policy.Policy.(type) {
	case *configuration.AuthenticationPolicy_Allow:
	return AllowAuthenticator, nil
	case *configuration.AuthenticationPolicy_Any:
	children := make([]Authenticator, 0, len(policyKind.Any.Policies))
	for _, childConfiguration := range policyKind.Any.Policies {
	child, err := NewAuthenticatorFromConfiguration(childConfiguration)
	if err != nil {
	return nil, err
	}
	children = append(children, child)
	}
	return NewAnyAuthenticator(children), nil
	case *configuration.AuthenticationPolicy_Deny:
	return NewDenyAuthenticator(policyKind.Deny), nil
	case *configuration.AuthenticationPolicy_TlsClientCertificate:
	clientCAs := x509.NewCertPool()
	if !clientCAs.AppendCertsFromPEM([]byte(policyKind.TlsClientCertificate.ClientCertificateAuthorities)) {
	return nil, status.Error(codes.InvalidArgument, "Failed to parse client certificate authorities")
	}
	return NewTLSClientCertificateAuthenticator(
	clientCAs,
	clock.SystemClock), nil
	default:
	return nil, status.Error(codes.InvalidArgument, "Configuration did not contain an authentication policy type")
	}
	}

There are a couple of basic ones: always allow, always deny, TLS client certificate validation and an any() function that you can use to chain multiple authenticators. All that now needs to be done is that someone steps up and adds one that validates JWTs, or uses OAuth2, etc..

It now makes sense to work on this, because Bazel finally gained support for properly passing in credentials: bazelbuild/bazel#10015 bazelbuild/bazel#10634

[prestonvanloon]

Awesome! Just two days ago :)

My project just got setup with RBE and are looking to use buildbarn for our CI pipeline. I'd love to be able to expose a public endpoint for my team to make authenticated build requests. How can I help? Does bb-storage need support for jwt/oauth2/etc or is it already good to go with the latest bazel and some flag configuration?

[EdSchouten]

Awesome! Just two days ago :)

My project just got setup with RBE and are looking to use buildbarn for our CI pipeline. I'd love to be able to expose a public endpoint for my team to make authenticated build requests. How can I help? Does bb-storage need support for jwt/oauth2/etc or is it already good to go with the latest bazel and some flag configuration?

You should be able to get it all working by doing this:

1. Ensure you're using Bazel master.
2. Call Bazel with --remote_executor=grpcs://hostname:port --remote_header=authorization="Bearer some-oauth2-access-key-or-jwt-goes-here"
3. You will need to set up bb-storage, but you'll have to patch it up to add a new implementation of Authenticator that validates the token. You'll be able to extract the token from within the Authenticator by calling metadata.FromIncomingContext(ctx).Get("authorization").

[EdSchouten]

Let’s close this specific PR, as the author will likely not update this.