Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Api specific backend jwt generation #1153

Merged
merged 4 commits into from
May 22, 2023
Merged

Api specific backend jwt generation #1153

merged 4 commits into from
May 22, 2023

Conversation

BLasan
Copy link
Contributor

@BLasan BLasan commented May 12, 2023
edited
Loading

Purpose

Define API Specific Backend JWT Token generation configs.

Issue

Goals

This removes the usage of enforcer.jwtGenerator property defined in the main config file and allows users to provide configurations individually for APIs rather than as a shared one.

Approach

Added a new property for the APIPolicy to define the configurations. A sample will be as follows.

apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
  name: jwt-token-generator-policy
  namespace: gateway-integration-test-infra
spec:
  override:
    backendJwtToken:
      enabled: true
      encoding: "base64"
      signingAlgorithm: "SHA256withRSA"
      header: "X-JWT-Assertion"
  targetRef:
    group: gateway.networking.k8s.io
    kind: API
    name:  api-policy-with-jwt-generator

Automation tests

Added an integration test to check whether the backend request is holding the JWT header defined in the configuration if token generation is allowed. Otherwise, that header should not be in the request.

@codecov-commenter
Copy link

codecov-commenter commented May 12, 2023
edited
Loading

Codecov Report

Patch coverage has no change and project coverage change: -1.57 ⚠️

Comparison is base (2dfda53) 34.20% compared to head (be7f3e0) 32.64%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1153      +/-   ##
==========================================
- Coverage   34.20%   32.64%   -1.57%     
==========================================
  Files         350      183     -167     
  Lines       40398    20829   -19569     
  Branches    12754     6736    -6018     
==========================================
- Hits        13818     6799    -7019     
+ Misses      26336    13905   -12431     
+ Partials      244      125     -119
Flag Coverage Δ
adapter 25.09% <ø> (-1.10%) ⬇️
admin-domain-service 57.16% <ø> (+0.78%) ⬆️
backoffice-domain-service 50.29% <ø> (ø)
devportal-domain-service 31.52% <ø> (-20.14%) ⬇️
idp-domain-service 80.10% <ø> (ø)
runtime-domain-service 32.22% <ø> (+0.15%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 212 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@BLasan BLasan force-pushed the api-specific-backend-jwt-generation branch 3 times, most recently from fb280f6 to 4474ca9 Compare May 12, 2023 11:42
AmaliMatharaarachchi
AmaliMatharaarachchi reviewed May 15, 2023
View reviewed changes
adapter/api/proto/wso2/discovery/api/BackendJWTTokenInfo.proto Outdated
@@ -0,0 +1,34 @@
// Copyright (c) 2021, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Copyright (c) 2021, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
// Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.

adapter/api/proto/wso2/discovery/config/enforcer/jwt_generator.proto Outdated
string private_key_path = 11;

int32 token_ttl = 12;
int32 token_ttl = 3;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why did we keep it in the config, can't we move it to CR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no such field for ttl under the jwt generator config. https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/choreo-connect/passing-enduser-attributes-to-the-backend-via-choreo-connect/#enabling-the-default-backend-jwt-generator This value is populated in the code from some other config and kept under this jwt generator config. If it's needed, we can and support for api level ttl.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shall we add it to cr?

.../main/java/org/wso2/apk/enforcer/commons/jwtgenerator/AbstractAPIMgtGatewayJWTGenerator.java Outdated
Comment on lines 145 to 146
//useKid becomes always false
return JWTUtil.generateHeader(publicCert, signatureAlgorithm, false);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep it as it is till we fix the usekid properly

Suggested change
//useKid becomes always false
return JWTUtil.generateHeader(publicCert, signatureAlgorithm, false);
// TODO(benura) populate useKid accordingly, currently it's always false
return JWTUtil.generateHeader(publicCert, signatureAlgorithm, jwtConfigurationDto.useKid());

helm-charts/templates/data-plane/gateway-components/log-conf.yaml Outdated
Comment on lines 94 to 97
enabled = false
encoding = "base64" # base64,base64url
claimDialect = "http://wso2.org/claims"
header = "X-JWT-Assertion"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no usage of this right? shall we remove it then?

test/integration/integration/utils/testtypes/apipolicy_types.go Outdated
@@ -0,0 +1,145 @@
/*
* Copyright (c) 2022, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Copyright (c) 2022, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
* Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.

test/integration/integration/utils/testtypes/apipolicy_types.go
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

// APIPolicySpec defines the desired state of APIPolicy
type APIPolicySpec struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we require this file, apipolicy type in test package? can't we remove this file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have used this to unmarshal the policy yaml file in the test case

test/integration/integration/utils/http/http.go Outdated
@@ -247,6 +247,9 @@ func CompareRequest(req *roundtripper.Request, cReq *roundtripper.CapturedReques
if !ok {
return fmt.Errorf("expected %s header to be set by the enforcer", name)
}
if actualVal == nil && actualVal[0] == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't it a or condition?

Suggested change
if actualVal == nil && actualVal[0] == "" {
if actualVal == nil || actualVal[0] == "" {

adapter/api/proto/wso2/discovery/api/BackendJWTTokenInfo.proto
bool enabled = 1;
string encoding = 2;
string header = 3;
string signingAlgorithm = 4;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't we added custom claims?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't we going to add these in JWT issuer level?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, it should come here. We were talking about adding claim mappings at the issuer level, not custom claims. They are 2 different features.

@BLasan BLasan force-pushed the api-specific-backend-jwt-generation branch 2 times, most recently from b12ed8b to bd0ca7b Compare May 16, 2023 19:09
@BLasan BLasan force-pushed the api-specific-backend-jwt-generation branch from bd0ca7b to 2397f2d Compare May 17, 2023 05:19
@tharindu1st tharindu1st merged commit 96e1e68 into main May 22, 2023
This was referenced May 23, 2023
Merged
Closed
@BLasan BLasan deleted the api-specific-backend-jwt-generation branch June 27, 2023 04:43
@tharindu1st tharindu1st linked an issue Jul 2, 2023 that may be closed by this pull request
[adapter] enable backendJWT per API. #632
Closed
@BLasan BLasan mentioned this pull request Jul 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tharindu1st tharindu1st tharindu1st approved these changes

@AmaliMatharaarachchi AmaliMatharaarachchi AmaliMatharaarachchi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[adapter] enable backendJWT per API.
4 participants
@BLasan @codecov-commenter @tharindu1st @AmaliMatharaarachchi