[HOTFIX] v1.94.1 IAS adapter auth changes (#3891)
ZdravkoGyurov authored May 21, 2024
1 parent 72a98e7 commit 00965ae
Showing 6 changed files with 66 additions and 101 deletions.
25 changes: 25 additions & 0 deletions chart/compass/charts/gateway/templates/oathkeeper-rules.yaml
Expand Up @@ -578,3 +578,28 @@ spec:
- handler: id_token
config:
claims: {{ .Values.global.oathkeeper.idTokenConfig.claims | quote }}
---
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: compass-ias-adapter-internal
spec:
# Configuration of oathkeeper for secure endpoint internal communication with compass ias-adapter
upstream:
url: "http://compass-ias-adapter.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.global.iasAdapter.port }}"
match:
methods:
- GET
- PATCH
url: <http|https>://{{ .Values.global.iasAdapter.internalHost }}.{{ .Values.global.ingress.domainName }}<(:(80|443))?>{{ .Values.global.iasAdapter.apiRootPath }}/<.*>
authenticators:
- handler: jwt
config:
jwks_urls: [{{ .Values.global.kubernetes.serviceAccountTokenJWKS }}]
authorizer:
handler: allow
mutators:
- handler: noop # This will copy all request headers to the oathkeeper's session, making them available in the claims template
- handler: id_token
config:
claims: {{ .Values.global.oathkeeper.idTokenConfig.internalClaims | quote }}
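Review bot: The jwt authenticator at lines 36–38 is configured with only `jwks_urls`, and the authorizer at line 40 is `allow`, so any token that validates against the service-account JWKS is accepted regardless of issuer, audience or scope — in a cluster that is every pod's service-account token, not just the intended caller. Because this rule replaces the deleted in-process middleware (auth.go, 84 lines removed in this commit), it is now the only place authentication of internal callers is enforced. Unless the cluster restricts this elsewhere, pin the caller by adding `trusted_issuers: [<issuer-placeholder>]` and `target_audience: [<audience-placeholder>]` (or `required_scope`) under `config`. The `noop` mutator at line 42 copies all request headers into the session, so the claims template referenced at line 45 should not treat caller-supplied headers as identity.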
@@ -0,0 +1,30 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ template "fullname" . }}-internal
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
hosts:
- '{{ .Values.global.iasAdapter.internalHost }}.{{ .Values.global.ingress.domainName }}'
gateways:
- {{ .Values.global.istio.gateway.namespace }}/{{ .Values.global.istio.gateway.name }}
http:
- match:
- uri:
regex: /.*
headers:
request:
remove:
{{- range .Values.global.gateway.headers.request.remove }}
- {{ . }}
{{- end }}
route:
- destination:
host: {{ .Values.global.oathkeeper.host }}
port:
number: {{ .Values.global.oathkeeper.port }}
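Review bot: The VirtualService binds the `-internal` host at line 60 to the gateway named by `global.istio.gateway` at line 62; if that is the same ingress gateway the external hosts use, the "internal" endpoint is reachable from outside the cluster and the only control in front of it is the oathkeeper rule for that host. If that exposure is intended, say so on the `gateways:` entry, e.g. `# served through the shared ingress gateway; access is restricted by the compass-ias-adapter-internal oathkeeper rule`. The `regex: /.*` match at line 66 forwards every path to oathkeeper, so paths outside `apiRootPath` rely on oathkeeper having no matching rule.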
3 changes: 2 additions & 1 deletion chart/compass/values.yaml
Expand Up @@ -183,7 +183,7 @@ global:
name: compass-hydrator
ias_adapter:
dir: prod/incubator/
version: "v20240422-51e00712"
version: "PR-3891"
name: compass-ias-adapter
kyma_adapter:
dir: prod/incubator/
Expand Down Expand Up @@ -573,6 +573,7 @@ global:
censoredFlows: "JWT"
iasAdapter:
port: 8080
internalHost: compass-ias-adapter-internal
apiRootPath: "/ias-adapter"
readTimeout: 30s
readHeaderTimeout: 30s
84 changes: 0 additions & 84 deletions components/ias-adapter/internal/api/middlewares/auth.go

This file was deleted.

Expand Up @@ -5,9 +5,8 @@ import (
"net/http"
"strings"

"github.com/golang-jwt/jwt/v5"

"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"github.com/kyma-incubator/compass/components/ias-adapter/internal/api/internal"
"github.com/kyma-incubator/compass/components/ias-adapter/internal/errors"
"github.com/kyma-incubator/compass/components/ias-adapter/internal/jwk"
Expand All @@ -19,17 +18,17 @@ const (
keyIDHeader = "kid"
)

type JWTMiddleware struct {
type IDTokenMiddleware struct {
cache jwk.Cache
}

func NewJWTMiddleware(cache jwk.Cache) JWTMiddleware {
return JWTMiddleware{
func NewIDTokenMiddleware(cache jwk.Cache) IDTokenMiddleware {
return IDTokenMiddleware{
cache: cache,
}
}

func (m JWTMiddleware) JWT(ctx *gin.Context) {
func (m IDTokenMiddleware) VerifyIDToken(ctx *gin.Context) {
log := logger.FromContext(ctx)

bearerToken, err := getBearerToken(ctx.Request)
Expand Down Expand Up @@ -58,11 +57,11 @@ func getBearerToken(r *http.Request) (string, error) {
}

type jwtClaims struct {
Tenants string `json:"tenant"`
Tenant string `json:"tenant"`
jwt.RegisteredClaims
}

func (m JWTMiddleware) verifyJWT(ctx context.Context, jwtToken string) (jwtClaims, error) {
func (m IDTokenMiddleware) verifyJWT(ctx context.Context, jwtToken string) (jwtClaims, error) {
claims := jwtClaims{}
token, err := jwt.ParseWithClaims(jwtToken, &claims, func(token *jwt.Token) (any, error) {
keyID, ok := token.Header[keyIDHeader]
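Review bot: The renamed exported identifiers `IDTokenMiddleware`, `NewIDTokenMiddleware` and `VerifyIDToken` (lines 119–132) carry no doc comments, and a rename is the moment to state what the token is and where the keys come from. Suggested: `// IDTokenMiddleware validates the bearer ID token of incoming requests against keys obtained through the jwk cache.` on the type, `// NewIDTokenMiddleware returns an IDTokenMiddleware backed by cache.` on the constructor, and `// VerifyIDToken is a gin handler that extracts and verifies the request's bearer ID token.` on the handler. The `jwtClaims` field rename from `Tenants` to `Tenant` at line 141 keeps the `json:"tenant"` tag, so the parsed claim is unchanged; readers of that field are outside this hunk. VerifyIDToken's and verifyJWT's bodies continue past the hunk.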
10 changes: 2 additions & 8 deletions components/ias-adapter/internal/api/server.go
Expand Up @@ -41,14 +41,8 @@ func NewServer(ctx context.Context, cfg config.Config, services Services) (*http
if err != nil {
return nil, errors.Newf("failed to create jwk cache: %w", err)
}
jwtMiddleware := middlewares.NewJWTMiddleware(jwkCache)
tenantMappingRouter.Use(jwtMiddleware.JWT)
authMiddleware, err := middlewares.NewAuthMiddleware(ctx, cfg.TenantInfo)
if err != nil {
return nil, errors.Newf("failed to create auth middleware: %w", err)
}
routerGroup.Use(authMiddleware.Auth)
tenantMappingRouter.Use(authMiddleware.Auth)
idTokenMiddleware := middlewares.NewIDTokenMiddleware(jwkCache)
tenantMappingRouter.Use(idTokenMiddleware.VerifyIDToken)
tenantMappingsHandler := handlers.TenantMappingsHandler{
Service: services.TenantMappingsService,
AsyncProcessor: services.AsyncProcessor,
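Review bot: Removing `routerGroup.Use(authMiddleware.Auth)` (line 163) leaves `routerGroup` with no in-process authentication, while only `tenantMappingRouter` receives the new `VerifyIDToken` middleware at line 166; routes registered on `routerGroup` itself now depend entirely on the oathkeeper rule in front of the service, whose authorizer is `allow`. If the adapter's port is reachable cluster-locally without passing through oathkeeper, those routes are effectively unauthenticated. If this trust boundary is intentional, state it next to the middleware setup, e.g. `// Authentication for routerGroup is enforced by oathkeeper (compass-ias-adapter-internal rule); only tenant-mapping routes re-verify the ID token here.`, and check whether `ctx` is still used by NewServer now that the `NewAuthMiddleware(ctx, ...)` call is gone. NewServer's body starts and ends outside the hunk.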