grpc server options and authenticator

Signed-off-by: Jian Qiu <[email protected]>

Author: qiujian16

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/openshift/library-go v0.0.0-20240621150525-4bb4238aef81
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1
+	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/oauth2 v0.23.0
 	google.golang.org/grpc v1.65.0
@@ -72,7 +73,6 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rs/xid v1.4.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opencensus.io v0.24.0 // indirect

pkg/cloudevents/server/grpc/authn/interface.go

@@ -0,0 +1,22 @@
+package authn
+
+import "context"
+
+// Context key type defined to avoid collisions in other pkgs using context
+// See https://golang.org/pkg/context/#WithValue
+type contextKey string
+
+const (
+	contextUserKey   contextKey = "user"
+	contextGroupsKey contextKey = "groups"
+)
+
+// Authenticator is the interface to authenticat for grpc server
+type Authenticator interface {
+	Authenticate(ctx context.Context) (context.Context, error)
+}
+
+func newContextWithIdentity(ctx context.Context, user string, groups []string) context.Context {
+	ctx = context.WithValue(ctx, contextUserKey, user)
+	return context.WithValue(ctx, contextGroupsKey, groups)
+}

pkg/cloudevents/server/grpc/authn/mtls.go

@@ -0,0 +1,42 @@
+package authn
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+)
+
+type MtlsAuthenticator struct {
+}
+
+func NewMtlsAuthenticator() *MtlsAuthenticator {
+	return &MtlsAuthenticator{}
+}
+
+func (a *MtlsAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+	p, ok := peer.FromContext(ctx)
+	if !ok {
+		return ctx, status.Error(codes.Unauthenticated, "no peer found")
+	}
+
+	tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
+	if !ok {
+		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
+	}
+
+	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
+		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
+	}
+
+	if tlsAuth.State.VerifiedChains[0][0] == nil {
+		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
+	}
+
+	user := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
+	groups := tlsAuth.State.VerifiedChains[0][0].Subject.Organization
+	newCtx := newContextWithIdentity(ctx, user, groups)
+	return newCtx, nil
+}

pkg/cloudevents/server/grpc/authn/token.go

@@ -0,0 +1,54 @@
+package authn
+
+import (
+	"context"
+	"strings"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+type TokenAuthenticator struct {
+	client kubernetes.Interface
+}
+
+var _ Authenticator = &TokenAuthenticator{}
+
+func NewTokenAuthenticator(client kubernetes.Interface) *TokenAuthenticator {
+	return &TokenAuthenticator{client: client}
+}
+
+func (t *TokenAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+	// Extract the metadata from the context
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return ctx, status.Error(codes.InvalidArgument, "missing metadata")
+	}
+
+	// Extract the access token from the metadata
+	authorization, ok := md["authorization"]
+	if !ok || len(authorization) == 0 {
+		return ctx, status.Error(codes.Unauthenticated, "invalid token")
+	}
+
+	token := strings.TrimPrefix(authorization[0], "Bearer ")
+	tr, err := t.client.AuthenticationV1().TokenReviews().Create(ctx, &authenticationv1.TokenReview{
+		Spec: authenticationv1.TokenReviewSpec{
+			Token: token,
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		return ctx, err
+	}
+
+	if !tr.Status.Authenticated {
+		return ctx, status.Error(codes.Unauthenticated, "token not authenticated")
+	}
+
+	newCtx := newContextWithIdentity(ctx, tr.Status.User.Username, tr.Status.User.Groups)
+	return newCtx, nil
+}

pkg/cloudevents/server/grpc/options/optoins.go

@@ -0,0 +1,47 @@
+package options
+
+import (
+	"github.com/spf13/pflag"
+	"math"
+	"time"
+)
+
+type GRPCServerOptions struct {
+	TLSCertFile             string
+	TLSKeyFile              string
+	ClientCAFile            string
+	ServerBindPort          string
+	MaxConcurrentStreams    uint32
+	MaxReceiveMessageSize   int
+	MaxSendMessageSize      int
+	ConnectionTimeout       time.Duration
+	WriteBufferSize         int
+	ReadBufferSize          int
+	MaxConnectionAge        time.Duration
+	ClientMinPingInterval   time.Duration
+	ServerPingInterval      time.Duration
+	ServerPingTimeout       time.Duration
+	PermitPingWithoutStream bool
+}
+
+func NewGRPCServerOptions() *GRPCServerOptions {
+	return &GRPCServerOptions{}
+}
+
+func (o *GRPCServerOptions) AddFlags(flags *pflag.FlagSet) {
+	flags.StringVar(&o.ServerBindPort, "grpc-server-bindport", "8090", "gPRC server bind port")
+	flags.Uint32Var(&o.MaxConcurrentStreams, "grpc-max-concurrent-streams", math.MaxUint32, "gPRC max concurrent streams")
+	flags.IntVar(&o.MaxReceiveMessageSize, "grpc-max-receive-message-size", 1024*1024*4, "gPRC max receive message size")
+	flags.IntVar(&o.MaxSendMessageSize, "grpc-max-send-message-size", math.MaxInt32, "gPRC max send message size")
+	flags.DurationVar(&o.ConnectionTimeout, "grpc-connection-timeout", 120*time.Second, "gPRC connection timeout")
+	flags.DurationVar(&o.MaxConnectionAge, "grpc-max-connection-age", time.Duration(math.MaxInt64), "A duration for the maximum amount of time connection may exist before closing")
+	flags.DurationVar(&o.ClientMinPingInterval, "grpc-client-min-ping-interval", 5*time.Second, "Server will terminate the connection if the client pings more than once within this duration")
+	flags.DurationVar(&o.ServerPingInterval, "grpc-server-ping-interval", 30*time.Second, "Duration after which the server pings the client if no activity is detected")
+	flags.DurationVar(&o.ServerPingTimeout, "grpc-server-ping-timeout", 10*time.Second, "Duration the client waits for a response after sending a keepalive ping")
+	flags.BoolVar(&o.PermitPingWithoutStream, "permit-ping-without-stream", false, "Allow keepalive pings even when there are no active streams")
+	flags.IntVar(&o.WriteBufferSize, "grpc-write-buffer-size", 32*1024, "gPRC write buffer size")
+	flags.IntVar(&o.ReadBufferSize, "grpc-read-buffer-size", 32*1024, "gPRC read buffer size")
+	flags.StringVar(&o.TLSCertFile, "grpc-tls-cert-file", "", "The path to the tls.crt file")
+	flags.StringVar(&o.TLSKeyFile, "grpc-tls-key-file", "", "The path to the tls.key file")
+	flags.StringVar(&o.ClientCAFile, "grpc-client-ca-file", "", "The path to the client ca file, must specify if using mtls authentication type")
+}

pkg/cloudevents/server/grpc/options/server.go

@@ -0,0 +1,186 @@
+package options
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+	"open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types"
+	"open-cluster-management.io/sdk-go/pkg/cloudevents/server"
+	grpcserver "open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc"
+	"open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/authn"
+	"os"
+)
+
+// PreStartHook is an interface to start hook before grpc server is started.
+type PreStartHook interface {
+	// Start should be a non-blocking call
+	Run(ctx context.Context)
+}
+
+type Server struct {
+	options        *GRPCServerOptions
+	authenticators []authn.Authenticator
+	services       map[types.CloudEventsDataType]server.Service
+	hooks          []PreStartHook
+}
+
+func NewServer(opt *GRPCServerOptions) *Server {
+	return &Server{options: opt, services: make(map[types.CloudEventsDataType]server.Service)}
+}
+
+func (s *Server) WithAuthenticator(authenticator authn.Authenticator) *Server {
+	s.authenticators = append(s.authenticators, authenticator)
+	return s
+}
+
+func (s *Server) WithService(t types.CloudEventsDataType, service server.Service) *Server {
+	s.services[t] = service
+	return s
+}
+
+func (s *Server) WithPreStartHooks(hooks ...PreStartHook) *Server {
+	s.hooks = append(s.hooks, hooks...)
+	return s
+}
+
+func (s *Server) Run(ctx context.Context) error {
+	var grpcServerOptions []grpc.ServerOption
+	grpcServerOptions = append(grpcServerOptions, grpc.MaxRecvMsgSize(s.options.MaxReceiveMessageSize))
+	grpcServerOptions = append(grpcServerOptions, grpc.MaxSendMsgSize(s.options.MaxSendMessageSize))
+	grpcServerOptions = append(grpcServerOptions, grpc.MaxConcurrentStreams(s.options.MaxConcurrentStreams))
+	grpcServerOptions = append(grpcServerOptions, grpc.ConnectionTimeout(s.options.ConnectionTimeout))
+	grpcServerOptions = append(grpcServerOptions, grpc.WriteBufferSize(s.options.WriteBufferSize))
+	grpcServerOptions = append(grpcServerOptions, grpc.ReadBufferSize(s.options.ReadBufferSize))
+	grpcServerOptions = append(grpcServerOptions, grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{
+		MinTime:             s.options.ClientMinPingInterval,
+		PermitWithoutStream: s.options.PermitPingWithoutStream,
+	}))
+	grpcServerOptions = append(grpcServerOptions, grpc.KeepaliveParams(keepalive.ServerParameters{
+		MaxConnectionAge: s.options.MaxConnectionAge,
+		Time:             s.options.ServerPingInterval,
+		Timeout:          s.options.ServerPingTimeout,
+	}))
+
+	// Serve with TLS
+	serverCerts, err := tls.LoadX509KeyPair(s.options.TLSCertFile, s.options.TLSKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to load broker certificates: %v", err)
+	}
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{serverCerts},
+		MinVersion:   tls.VersionTLS13,
+		MaxVersion:   tls.VersionTLS13,
+	}
+
+	if s.options.ClientCAFile != "" {
+		certPool, err := x509.SystemCertPool()
+		if err != nil {
+			return fmt.Errorf("failed to load system cert pool: %v", err)
+		}
+		caPEM, err := os.ReadFile(s.options.ClientCAFile)
+		if err != nil {
+			return fmt.Errorf("failed to read broker client CA file: %v", err)
+		}
+		if ok := certPool.AppendCertsFromPEM(caPEM); !ok {
+			return fmt.Errorf("failed to append broker client CA to cert pool")
+		}
+		tlsConfig.ClientCAs = certPool
+		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+	}
+
+	grpcServerOptions = append(grpcServerOptions, grpc.Creds(credentials.NewTLS(tlsConfig)))
+
+	grpcServerOptions = append(grpcServerOptions,
+		grpc.ChainUnaryInterceptor(newAuthUnaryInterceptor(s.authenticators...)),
+		grpc.ChainStreamInterceptor(newAuthStreamInterceptor(s.authenticators...)))
+
+	grpcServer := grpc.NewServer(grpcServerOptions...)
+	grpcEventServer := grpcserver.NewGRPCBroker(grpcServer, ":"+s.options.ServerBindPort)
+
+	for t, service := range s.services {
+		grpcEventServer.RegisterService(t, service)
+	}
+
+	// start hook
+	for _, hook := range s.hooks {
+		hook.Run(ctx)
+	}
+
+	go grpcEventServer.Start(ctx)
+	<-ctx.Done()
+	return nil
+}
+
+func newAuthUnaryInterceptor(authenticators ...authn.Authenticator) grpc.UnaryServerInterceptor {
+	return func(
+		ctx context.Context,
+		req interface{},
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (interface{}, error) {
+		var err error
+		for _, authenticator := range authenticators {
+			ctx, err = authenticator.Authenticate(ctx)
+			if err == nil {
+				return handler(ctx, req)
+			}
+		}
+
+		if err != nil {
+			return nil, err
+		}
+
+		return handler(ctx, req)
+	}
+}
+
+// wrappedAuthStream wraps a grpc.ServerStream associated with an incoming RPC, and
+// a custom context containing the user and groups derived from the client certificate
+// specified in the incoming RPC metadata
+type wrappedAuthStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+// Context returns the context associated with the stream
+func (w *wrappedAuthStream) Context() context.Context {
+	return w.ctx
+}
+
+// newWrappedAuthStream creates a new wrappedAuthStream
+func newWrappedAuthStream(ctx context.Context, s grpc.ServerStream) grpc.ServerStream {
+	return &wrappedAuthStream{s, ctx}
+}
+
+// newAuthStreamInterceptor creates a stream interceptor that retrieves the user and groups
+// based on the specified authentication type. It supports retrieving from either the access
+// token or the client certificate depending on the provided authNType.
+// The interceptor then adds the retrieved identity information (user and groups) to the
+// context and invokes the provided handler.
+func newAuthStreamInterceptor(authenticators ...authn.Authenticator) grpc.StreamServerInterceptor {
+	return func(
+		srv interface{},
+		ss grpc.ServerStream,
+		info *grpc.StreamServerInfo,
+		handler grpc.StreamHandler,
+	) error {
+		var err error
+		ctx := ss.Context()
+		for _, authenticator := range authenticators {
+			ctx, err = authenticator.Authenticate(ctx)
+			if err == nil {
+				return handler(srv, newWrappedAuthStream(ctx, ss))
+			}
+		}
+
+		if err != nil {
+			return err
+		}
+
+		return handler(srv, newWrappedAuthStream(ctx, ss))
+	}
+}