Merge pull request #589 from kartverket/add-jwt-authentication

Add JWT-validation for idporten/maskinporten

Author: larsore

api/v1alpha1/application_types.go

@@ -3,9 +3,9 @@ package v1alpha1
 import (
 	"encoding/json"
 	"errors"
+	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
 	"time"
 
-	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
 	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	"github.com/kartverket/skiperator/api/v1alpha1/podtypes"
 	corev1 "k8s.io/api/core/v1"
@@ -469,6 +469,10 @@ func (s *ApplicationSpec) Hosts() (HostCollection, error) {
 	return hosts, errors.Join(errorsFound...)
 }
 
+func (s *ApplicationSpec) IsRequestAuthEnabled() bool {
+	return (s.IDPorten != nil && s.IDPorten.IsRequestAuthEnabled()) || (s.Maskinporten != nil && s.Maskinporten.IsRequestAuthEnabled())
+}
+
 type MultiErr interface {
 	Unwrap() []error
 }

api/v1alpha1/digdirator/digdirator.go

@@ -0,0 +1,33 @@
+package digdirator
+
+import (
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type DigdiratorName string
+
+type DigdiratorInfo struct {
+	Name      DigdiratorName
+	IssuerURI string
+	JwksURI   string
+	ClientID  string
+}
+
+type DigdiratorClient interface {
+	GetOwnerReferences() []v1.OwnerReference
+	GetSecretName() string
+}
+
+type DigdiratorProvider interface {
+	IsRequestAuthEnabled() bool
+	GetAuthSpec() *istiotypes.RequestAuthentication
+	GetDigdiratorName() DigdiratorName
+	GetProvidedSecretName() *string
+	GetPaths() []string
+	GetIgnoredPaths() []string
+	GetIssuerKey() string
+	GetJwksKey() string
+	GetClientIDKey() string
+	GetTokenLocation() string
+}

api/v1alpha1/digdirator/idporten.go

@@ -1,18 +1,25 @@
 package digdirator
 
-import nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
+import (
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
+	"github.com/nais/digdirator/pkg/secrets"
+	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const IDPortenName DigdiratorName = "idporten"
 
 // Based off NAIS' IDPorten specification as seen here:
 // https://github.com/nais/liberator/blob/c9da4cf48a52c9594afc8a4325ff49bbd359d9d2/pkg/apis/nais.io/v1/naiserator_types.go#L93C10-L93C10
 //
 // +kubebuilder:object:generate=true
 type IDPorten struct {
 	// The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal
-	// Meant to be a human-readable name for separating clients in the portal
+	// Meant to be a human-readable name for separating clients in the portal.
 	ClientName *string `json:"clientName,omitempty"`
 
 	// Whether to enable provisioning of an ID-porten client.
-	// If enabled, an ID-porten client be provisioned.
+	// If enabled, an ID-porten client will be provisioned.
 	Enabled bool `json:"enabled"`
 
 	// AccessTokenLifetime is the lifetime in seconds for any issued access token from ID-porten.
@@ -75,4 +82,80 @@ type IDPorten struct {
 	// +kubebuilder:validation:Minimum=3600
 	// +kubebuilder:validation:Maximum=7200
 	SessionLifetime *int `json:"sessionLifetime,omitempty"`
+
+	// RequestAuthentication specifies how incoming JWTs should be validated.
+	RequestAuthentication *istiotypes.RequestAuthentication `json:"requestAuthentication,omitempty"`
+}
+
+type IDPortenClient struct {
+	Client nais_io_v1.IDPortenClient
+}
+
+func (i *IDPortenClient) GetSecretName() string {
+	return i.Client.Spec.SecretName
+}
+
+func (i *IDPortenClient) GetOwnerReferences() []v1.OwnerReference {
+	return i.Client.GetOwnerReferences()
+}
+
+func (i *IDPorten) IsRequestAuthEnabled() bool {
+	return i != nil && i.RequestAuthentication != nil && i.RequestAuthentication.Enabled
+}
+
+func (i *IDPorten) GetAuthSpec() *istiotypes.RequestAuthentication {
+	if i != nil && i.RequestAuthentication != nil {
+		return i.RequestAuthentication
+	}
+	return nil
+}
+
+func (i *IDPorten) GetDigdiratorName() DigdiratorName {
+	return IDPortenName
+}
+
+func (i *IDPorten) GetProvidedSecretName() *string {
+	if i != nil && i.RequestAuthentication != nil {
+		return i.RequestAuthentication.SecretName
+	}
+	return nil
+}
+
+func (i *IDPorten) GetPaths() []string {
+	var paths []string
+	if i.IsRequestAuthEnabled() {
+		if i.RequestAuthentication.Paths != nil {
+			paths = append(paths, *i.RequestAuthentication.Paths...)
+		}
+	}
+	return paths
+}
+
+func (i *IDPorten) GetIgnoredPaths() []string {
+	var ignoredPaths []string
+	if i.IsRequestAuthEnabled() {
+		if i.RequestAuthentication.IgnorePaths != nil {
+			ignoredPaths = append(ignoredPaths, *i.RequestAuthentication.IgnorePaths...)
+		}
+	}
+	return ignoredPaths
+}
+
+func (i *IDPorten) GetIssuerKey() string {
+	return secrets.IDPortenIssuerKey
+}
+
+func (i *IDPorten) GetJwksKey() string {
+	return secrets.IDPortenJwksUriKey
+}
+
+func (i *IDPorten) GetClientIDKey() string {
+	return secrets.IDPortenClientIDKey
+}
+
+func (i *IDPorten) GetTokenLocation() string {
+	if i != nil && i.RequestAuthentication != nil && i.RequestAuthentication.TokenLocation != nil {
+		return *i.RequestAuthentication.TokenLocation
+	}
+	return "cookie"
 }

api/v1alpha1/digdirator/maskinporten.go

@@ -1,6 +1,13 @@
 package digdirator
 
-import nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
+import (
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
+	"github.com/nais/digdirator/pkg/secrets"
+	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const MaskinPortenName = "maskinporten"
 
 // https://github.com/nais/liberator/blob/c9da4cf48a52c9594afc8a4325ff49bbd359d9d2/pkg/apis/nais.io/v1/naiserator_types.go#L376
 //
@@ -15,4 +22,80 @@ type Maskinporten struct {
 
 	// Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.
 	Scopes *nais_io_v1.MaskinportenScope `json:"scopes,omitempty"`
+
+	// RequestAuthentication specifies how incoming JWTs should be validated.
+	RequestAuthentication *istiotypes.RequestAuthentication `json:"requestAuthentication,omitempty"`
+}
+
+type MaskinportenClient struct {
+	Client nais_io_v1.MaskinportenClient
+}
+
+func (m *MaskinportenClient) GetOwnerReferences() []v1.OwnerReference {
+	return m.Client.GetOwnerReferences()
+}
+
+func (m *MaskinportenClient) GetSecretName() string {
+	return m.Client.Spec.SecretName
+}
+
+func (i *Maskinporten) IsRequestAuthEnabled() bool {
+	return i != nil && i.RequestAuthentication != nil && i.RequestAuthentication.Enabled
+}
+
+func (i *Maskinporten) GetAuthSpec() *istiotypes.RequestAuthentication {
+	if i != nil && i.RequestAuthentication != nil {
+		return i.RequestAuthentication
+	}
+	return nil
+}
+
+func (i *Maskinporten) GetDigdiratorName() DigdiratorName {
+	return MaskinPortenName
+}
+
+func (i *Maskinporten) GetProvidedSecretName() *string {
+	if i != nil && i.RequestAuthentication != nil {
+		return i.RequestAuthentication.SecretName
+	}
+	return nil
+}
+
+func (i *Maskinporten) GetPaths() []string {
+	var paths []string
+	if i.IsRequestAuthEnabled() {
+		if i.RequestAuthentication.Paths != nil {
+			paths = append(paths, *i.RequestAuthentication.Paths...)
+		}
+	}
+	return paths
+}
+
+func (i *Maskinporten) GetIgnoredPaths() []string {
+	var ignoredPaths []string
+	if i.IsRequestAuthEnabled() {
+		if i.RequestAuthentication.IgnorePaths != nil {
+			ignoredPaths = append(ignoredPaths, *i.RequestAuthentication.IgnorePaths...)
+		}
+	}
+	return ignoredPaths
+}
+
+func (i *Maskinporten) GetIssuerKey() string {
+	return secrets.MaskinportenIssuerKey
+}
+
+func (i *Maskinporten) GetJwksKey() string {
+	return secrets.MaskinportenJwksUriKey
+}
+
+func (i *Maskinporten) GetClientIDKey() string {
+	return secrets.MaskinportenClientIDKey
+}
+
+func (i *Maskinporten) GetTokenLocation() string {
+	if i != nil && i.RequestAuthentication != nil && i.RequestAuthentication.TokenLocation != nil {
+		return *i.RequestAuthentication.TokenLocation
+	}
+	return "header"
 }

api/v1alpha1/digdirator/zz_generated.deepcopy.go

@@ -0,0 +1,81 @@
+package istiotypes
+
+// RequestAuthentication specifies how incoming JWTs should be validated.
+//
+// +kubebuilder:object:generate=true
+type RequestAuthentication struct {
+	// Whether to enable JWT validation.
+	// If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience.
+	Enabled bool `json:"enabled"`
+
+	// The name of the Kubernetes Secret containing OAuth2 credentials.
+	//
+	// If omitted, the associated client registration in the application manifest is used for JWT validation.
+	// +kubebuilder:validation:Optional
+	SecretName *string `json:"secretName,omitempty"`
+
+	// If set to `true`, the original token will be kept for the upstream request. Defaults to `true`.
+	// +kubebuilder:default=true
+	ForwardJwt bool `json:"forwardJwt,omitempty"`
+
+	// Where to find the JWT in the incoming request
+	//
+	// An enum value of `header` means that the JWT is present in the `Authorization` header as a `Bearer` token.
+	// An enum value of `cookie` means that the JWT is present as a cookie called `BearerToken`.
+	//
+	// If omitted, its default value depends on the provider type:
+	// - Defaults to "cookie" for providers supporting user login (e.g. IDPorten).
+	// - Defaults to "header" for providers not supporting user login (e.g. Maskinporten).
+	// +kubebuilder:validation:Enum=header;cookie
+	// +kubebuilder:validation:Optional
+	TokenLocation *string `json:"tokenLocation,omitempty"`
+
+	// This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
+	// The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.
+	// ```
+	//
+	//	outputClaimToHeaders:
+	//	- header: x-my-company-jwt-group
+	//	  claim: my-group
+	//	- header: x-test-environment-flag
+	//	  claim: test-flag
+	//	- header: x-jwt-claim-group
+	//	  claim: nested.key.group
+	//
+	// ```
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:MaxItems=10
+	OutputClaimToHeaders *[]ClaimToHeader `json:"outputClaimToHeaders,omitempty"`
+
+	// Paths specifies paths that require an authenticated JWT.
+	//
+	// The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
+	// The paths can also contain the wildcard operator '*', but only at the end.
+	// +listType=set
+	// +kubebuilder:validation:Items.Pattern=`^/[a-zA-Z0-9\-._~!$&'()+,;=:@%/]*(\*)?$`
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:Optional
+	Paths *[]string `json:"paths,omitempty"`
+
+	// IgnorePaths specifies paths that do not require an authenticated JWT.
+	//
+	// The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
+	// The paths can also contain the wildcard operator '*', but only at the end.
+	// +listType=set
+	// +kubebuilder:validation:Items.Pattern=`^/[a-zA-Z0-9\-._~!$&'()+,;=:@%/]*(\*)?$`
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:Optional
+	IgnorePaths *[]string `json:"ignorePaths,omitempty"`
+}
+
+type ClaimToHeader struct {
+	// The name of the HTTP header for which the specified claim will be copied to.
+	// +kubebuilder:validation:Pattern="^[a-zA-Z0-9-]+$"
+	// +kubebuilder:validation:MaxLength=64
+	Header string `json:"header"`
+
+	// The claim to be copied.
+	// +kubebuilder:validation:Pattern="^[a-zA-Z0-9-._]+$"
+	// +kubebuilder:validation:MaxLength=128
+	Claim string `json:"claim"`
+}