✨ grpc server options and authenticator (#109)

* grpc server options and authenticator

Signed-off-by: Jian Qiu <[email protected]>

* Add ut

Signed-off-by: Jian Qiu <[email protected]>

---------

Signed-off-by: Jian Qiu <[email protected]>

Author: qiujian16

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/openshift/library-go v0.0.0-20240621150525-4bb4238aef81
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1
+	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/oauth2 v0.23.0
 	google.golang.org/grpc v1.65.0
@@ -72,7 +73,6 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rs/xid v1.4.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opencensus.io v0.24.0 // indirect

pkg/cloudevents/server/grpc/authn/interface.go

@@ -0,0 +1,22 @@
+package authn
+
+import "context"
+
+// Context key type defined to avoid collisions in other pkgs using context
+// See https://golang.org/pkg/context/#WithValue
+type contextKey string
+
+const (
+	contextUserKey   contextKey = "user"
+	contextGroupsKey contextKey = "groups"
+)
+
+// Authenticator is the interface to authenticat for grpc server
+type Authenticator interface {
+	Authenticate(ctx context.Context) (context.Context, error)
+}
+
+func newContextWithIdentity(ctx context.Context, user string, groups []string) context.Context {
+	ctx = context.WithValue(ctx, contextUserKey, user)
+	return context.WithValue(ctx, contextGroupsKey, groups)
+}

pkg/cloudevents/server/grpc/authn/mtls.go

@@ -0,0 +1,42 @@
+package authn
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+)
+
+type MtlsAuthenticator struct {
+}
+
+func NewMtlsAuthenticator() *MtlsAuthenticator {
+	return &MtlsAuthenticator{}
+}
+
+func (a *MtlsAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+	p, ok := peer.FromContext(ctx)
+	if !ok {
+		return ctx, status.Error(codes.Unauthenticated, "no peer found")
+	}
+
+	tlsAuth, ok := p.AuthInfo.(credentials.TLSInfo)
+	if !ok {
+		return ctx, status.Error(codes.Unauthenticated, "unexpected peer transport credentials")
+	}
+
+	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
+		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
+	}
+
+	if tlsAuth.State.VerifiedChains[0][0] == nil {
+		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
+	}
+
+	user := tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
+	groups := tlsAuth.State.VerifiedChains[0][0].Subject.Organization
+	newCtx := newContextWithIdentity(ctx, user, groups)
+	return newCtx, nil
+}

pkg/cloudevents/server/grpc/authn/mtls_test.go

@@ -0,0 +1,65 @@
+package authn
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+	"testing"
+)
+
+func TestMtlsAuthenticator(t *testing.T) {
+	tests := []struct {
+		name     string
+		authInfo credentials.TLSInfo
+		valid    bool
+	}{
+		{
+			name:     "no info",
+			authInfo: credentials.TLSInfo{},
+			valid:    false,
+		},
+		{
+			name: "nil chain",
+			authInfo: credentials.TLSInfo{
+				State: tls.ConnectionState{
+					VerifiedChains: [][]*x509.Certificate{nil},
+				},
+			},
+			valid: false,
+		},
+		{
+			name: "valid chain",
+			authInfo: credentials.TLSInfo{
+				State: tls.ConnectionState{
+					VerifiedChains: [][]*x509.Certificate{
+						{
+							{
+								Subject: pkix.Name{},
+							},
+						},
+					},
+				},
+			},
+			valid: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			p := &peer.Peer{
+				AuthInfo: test.authInfo,
+			}
+			ctx := peer.NewContext(context.Background(), p)
+			authenticator := MtlsAuthenticator{}
+			_, err := authenticator.Authenticate(ctx)
+			if test.valid && err != nil {
+				t.Errorf("authenticator.Authenticate() = %v", err)
+			} else if !test.valid && err == nil {
+				t.Errorf("authenticator.Authenticate() = %v, wanted error", err)
+			}
+		})
+	}
+}

pkg/cloudevents/server/grpc/authn/token.go

@@ -0,0 +1,54 @@
+package authn
+
+import (
+	"context"
+	"strings"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+type TokenAuthenticator struct {
+	client kubernetes.Interface
+}
+
+var _ Authenticator = &TokenAuthenticator{}
+
+func NewTokenAuthenticator(client kubernetes.Interface) *TokenAuthenticator {
+	return &TokenAuthenticator{client: client}
+}
+
+func (t *TokenAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+	// Extract the metadata from the context
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return ctx, status.Error(codes.InvalidArgument, "missing metadata")
+	}
+
+	// Extract the access token from the metadata
+	authorization, ok := md["authorization"]
+	if !ok || len(authorization) == 0 {
+		return ctx, status.Error(codes.Unauthenticated, "invalid token")
+	}
+
+	token := strings.TrimPrefix(authorization[0], "Bearer ")
+	tr, err := t.client.AuthenticationV1().TokenReviews().Create(ctx, &authenticationv1.TokenReview{
+		Spec: authenticationv1.TokenReviewSpec{
+			Token: token,
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		return ctx, err
+	}
+
+	if !tr.Status.Authenticated {
+		return ctx, status.Error(codes.Unauthenticated, "token not authenticated")
+	}
+
+	newCtx := newContextWithIdentity(ctx, tr.Status.User.Username, tr.Status.User.Groups)
+	return newCtx, nil
+}

pkg/cloudevents/server/grpc/authn/token_test.go

@@ -0,0 +1,73 @@
+package authn
+
+import (
+	"context"
+	"fmt"
+	"google.golang.org/grpc/metadata"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/fake"
+	clienttesting "k8s.io/client-go/testing"
+	"testing"
+)
+
+func TestTokenAuthenticator(t *testing.T) {
+	tests := []struct {
+		name     string
+		metadata metadata.MD
+		token    string
+		valid    bool
+	}{
+		{
+			name:     "no authorization field",
+			metadata: metadata.MD{},
+			valid:    false,
+		},
+		{
+			name: "token is not correct",
+			metadata: metadata.MD{
+				"Authorization": []string{"Bearer foo"},
+			},
+			token: "bar",
+			valid: false,
+		},
+		{
+			name: "authorization header is set",
+			metadata: metadata.MD{
+				"Authorization": []string{"Bearer foo"},
+			},
+			token: "foo",
+			valid: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ctx := metadata.NewIncomingContext(context.Background(), test.metadata)
+			client := fake.NewClientset()
+			client.PrependReactor("create", "tokenreviews", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
+				createAction := action.(clienttesting.CreateAction)
+				tr, ok := createAction.GetObject().(*authenticationv1.TokenReview)
+				if !ok {
+					return false, nil, fmt.Errorf("not a TokenReview")
+				}
+				if tr.Spec.Token != test.token {
+					return false, nil, fmt.Errorf("invalid token")
+				}
+				tr.Status = authenticationv1.TokenReviewStatus{Authenticated: true}
+				return true, tr, nil
+			})
+			authenticator := NewTokenAuthenticator(client)
+			_, err := authenticator.Authenticate(ctx)
+			if test.valid {
+				if err != nil {
+					t.Errorf("authenticator.Authenticate() = %v", err)
+				}
+
+			}
+			if !test.valid && err == nil {
+				t.Errorf("authenticator.Authenticate() = %v, wanted error", err)
+			}
+		})
+	}
+}

pkg/cloudevents/server/grpc/options/options.go

@@ -0,0 +1,59 @@
+package options
+
+import (
+	"github.com/spf13/pflag"
+	"math"
+	"time"
+)
+
+type GRPCServerOptions struct {
+	TLSCertFile             string
+	TLSKeyFile              string
+	ClientCAFile            string
+	ServerBindPort          string
+	MaxConcurrentStreams    uint32
+	MaxReceiveMessageSize   int
+	MaxSendMessageSize      int
+	ConnectionTimeout       time.Duration
+	WriteBufferSize         int
+	ReadBufferSize          int
+	MaxConnectionAge        time.Duration
+	ClientMinPingInterval   time.Duration
+	ServerPingInterval      time.Duration
+	ServerPingTimeout       time.Duration
+	PermitPingWithoutStream bool
+}
+
+func NewGRPCServerOptions() *GRPCServerOptions {
+	return &GRPCServerOptions{
+		ServerBindPort:        "8090",
+		MaxConcurrentStreams:  math.MaxUint32,
+		MaxReceiveMessageSize: 1024 * 1024 * 4,
+		MaxSendMessageSize:    math.MaxInt32,
+		ConnectionTimeout:     120 * time.Second,
+		MaxConnectionAge:      time.Duration(math.MaxInt64),
+		ClientMinPingInterval: 5 * time.Second,
+		ServerPingInterval:    30 * time.Second,
+		ServerPingTimeout:     10 * time.Second,
+		WriteBufferSize:       32 * 1024,
+		ReadBufferSize:        32 * 1024,
+	}
+}
+
+func (o *GRPCServerOptions) AddFlags(flags *pflag.FlagSet) {
+	flags.StringVar(&o.ServerBindPort, "grpc-server-bindport", o.ServerBindPort, "gPRC server bind port")
+	flags.Uint32Var(&o.MaxConcurrentStreams, "grpc-max-concurrent-streams", o.MaxConcurrentStreams, "gPRC max concurrent streams")
+	flags.IntVar(&o.MaxReceiveMessageSize, "grpc-max-receive-message-size", o.MaxReceiveMessageSize, "gPRC max receive message size")
+	flags.IntVar(&o.MaxSendMessageSize, "grpc-max-send-message-size", o.MaxSendMessageSize, "gPRC max send message size")
+	flags.DurationVar(&o.ConnectionTimeout, "grpc-connection-timeout", o.ConnectionTimeout, "gPRC connection timeout")
+	flags.DurationVar(&o.MaxConnectionAge, "grpc-max-connection-age", o.MaxConnectionAge, "A duration for the maximum amount of time connection may exist before closing")
+	flags.DurationVar(&o.ClientMinPingInterval, "grpc-client-min-ping-interval", o.ClientMinPingInterval, "Server will terminate the connection if the client pings more than once within this duration")
+	flags.DurationVar(&o.ServerPingInterval, "grpc-server-ping-interval", o.ServerPingInterval, "Duration after which the server pings the client if no activity is detected")
+	flags.DurationVar(&o.ServerPingTimeout, "grpc-server-ping-timeout", o.ServerPingTimeout, "Duration the client waits for a response after sending a keepalive ping")
+	flags.BoolVar(&o.PermitPingWithoutStream, "permit-ping-without-stream", o.PermitPingWithoutStream, "Allow keepalive pings even when there are no active streams")
+	flags.IntVar(&o.WriteBufferSize, "grpc-write-buffer-size", o.WriteBufferSize, "gPRC write buffer size")
+	flags.IntVar(&o.ReadBufferSize, "grpc-read-buffer-size", o.ReadBufferSize, "gPRC read buffer size")
+	flags.StringVar(&o.TLSCertFile, "grpc-tls-cert-file", "", "The path to the tls.crt file")
+	flags.StringVar(&o.TLSKeyFile, "grpc-tls-key-file", "", "The path to the tls.key file")
+	flags.StringVar(&o.ClientCAFile, "grpc-client-ca-file", "", "The path to the client ca file, must specify if using mtls authentication type")
+}