ROX-23709: Trust Data Plane OAuth issuers in fleetshard authorization middleware

[kovayur]

Description

This change adds Data Plane OAuth issuers validation in fleetshard authorization middleware.
The old authorization remains for backward compatibility

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources
• (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[kovayur]

• ROX-23709: Load token from file in fleetshard-sync #1802
• ROX-23709: Trust Data Plane OAuth issuers in fleetshard authorization middleware #1801 👈
• ROX-23709: Refactor authentication handler #1789
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @kovayur and the rest of your teammates on Graphite

[dhaus67]

nit: maybe to make it more clear to folks reading through things:

Suggested change

	"Fleetshard authZ middleware allowed subject")
	"Fleetshard authZ middleware allowed subject claim of the token")

[kovayur]

Obsolete, moved to the config file

[dhaus67]

Seeing as the effort will be relatively low, might make sense to allow setting multiple subjects as allowed ones, similar to the previous org IDs? While currently not eminent, it's not a lot of work to add support for that and will make our life easier in the future.

[kovayur]

Done

[dhaus67]

In case the subject is empty or malformed:

Suggested change

	glog.Infof("fleetshard subject is not allowed (expected=%s, actual=%s)", expected, s)
	glog.Infof("fleetshard subject is not allowed (expected=%s, actual=%q)", expected, s)

[kovayur]

Obsolete, added the generic claims check

[dhaus67]

nit:

Suggested change

	func checkSubject(expected string) mux.MiddlewareFunc {
	func checkSubject(allowedSubject string) mux.MiddlewareFunc {

[kovayur]

Obsolete, added the generic claims check

[dhaus67]

One thing in addition that would work well besides verifying the subject would also be verifying the audience. We can set the audience to a custom one in the projected volume mount (and also should, so that the token cannot be used to access the API server) and additionally verify that here.

[kovayur]

One thing in addition that would work well besides verifying the subject would also be verifying the audience. We can set the audience to a custom one in the projected volume mount (and also should, so that the token cannot be used to access the API server) and additionally verify that here.

Done

[dhaus67]

super nit: while we're at it, might make sense to give proper comments to all the functions here..

[kovayur]

Done.

[dhaus67]

Looking at this, does it even make sense to give clients the option to set required to false? I don't think we should IMO, but since this is more or less pre-existing, it's fine to leave as is and address in a follow-up, but I feel like we should introduce some sane defaults here to avoid people unsetting the required by mistake.

[kovayur]

Agree, removed the required option

[dhaus67]

instead of breaking you could just call next.ServeHTTP here. Then you don't have the additional indentation at the bottom with !audienceAccepted.

[kovayur]

Done, thanks

[dhaus67]

Is it going to be a string or string array? Either way, I think it would be nice to have a concrete type here instead of the interface.

[kovayur]

It can be either string or array

[kovayur]

I added logic to cast it to []string and a few unit tests

[dhaus67]

Since audience is of type interface, what will %q actually print here? Better to return a concrete type in GetAudience().

[kovayur]

Changed to strings.join since claims.getAudience now returns []string. See the comment above.

[dhaus67]

super nit: probably preferences, but might as well do var aud []string 🤷

[kovayur]

This was done on purpose in order to get consistent results in the following test cases:

• should return empty slice if the claim is empty array
• should return empty slice if the claim is empty interface

If I change this line to var aud []string, GetAudience will return an empty and nil slice respectively.

[dhaus67]

I'd rather fail open and create a log message that parts of the audience couldn't be parsed but not fail closed like we do here.

[kovayur]

Done.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhaus67, kovayur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dhaus67,kovayur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment