Support function authentication with OpenFaaS IAM

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>

Author: welteki

README.md

@@ -104,6 +104,9 @@ The watchdog can be configured through environment variables. You must always sp
 | `write_debug`          | Write all output, error messages, and additional information to the logs. Default is false |
 | `combine_output`       | True by default - combines stdout/stderr in function response, when set to false `stderr` is written to the container logs and stdout is used for function response |
 | `max_inflight`         | Limit the maximum number of requests in flight |
+| `jwt_auth`                       | For OpenFaaS for Enterprises customers only. When set to `true`, the watchdog will require a JWT token to be passed as a Bearer token in the Authorization header. This token can only be obtained through the OpenFaaS gateway using a token exchange using the `http://gateway.openfaas:8080` address as the authority. |
+| `jwt_auth_debug`                 | Print out debug messages from the JWT authentication process (OpenFaaS for Enterprises only). |
+| `jwt_auth_local`                 | When set to `true`, the watchdog will attempt to validate the JWT token using a port-forwarded or local gateway running at `http://127.0.0.1:8080` instead of attempting to reach it via an in-cluster service name  (OpenFaaS for Enterprises only). |
 
 ## Metrics
 

go.mod

@@ -3,19 +3,22 @@ module github.com/openfaas/classic-watchdog
 go 1.20
 
 require (
-	github.com/openfaas/faas-middleware v1.2.3
+	github.com/openfaas/faas-middleware v1.2.4
 	github.com/prometheus/client_golang v1.17.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/rakutentech/jwk-go v1.1.3 // indirect
+	golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )

go.sum

@@ -303,7 +303,7 @@ func makeHealthHandler() func(http.ResponseWriter, *http.Request) {
 	}
 }
 
-func makeRequestHandler(config *WatchdogConfig) http.HandlerFunc {
+func makeRequestHandler(config *WatchdogConfig) http.Handler {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.Method {
 		case
@@ -319,5 +319,5 @@ func makeRequestHandler(config *WatchdogConfig) http.HandlerFunc {
 
 		}
 	})
-	return limiter.NewConcurrencyLimiter(handler, config.maxInflight).ServeHTTP
+	return limiter.NewConcurrencyLimiter(handler, config.maxInflight)
 }

handler.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/openfaas/classic-watchdog/metrics"
 	"github.com/openfaas/classic-watchdog/types"
+	"github.com/openfaas/faas-middleware/auth"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 )
 
@@ -86,8 +87,18 @@ func main() {
 		healthcheckInterval)
 	log.Printf("Listening on port: %d\n", config.port)
 
+	requestHandler := makeRequestHandler(&config)
+	if config.jwtAuthentication {
+		handler, err := makeJWTAuthHandler(config, requestHandler)
+		if err != nil {
+			log.Fatalf("Error creating JWTAuthMiddleware: %s", err.Error())
+		}
+		requestHandler = handler
+
+	}
+
 	http.HandleFunc("/_/health", makeHealthHandler())
-	http.HandleFunc("/", metrics.InstrumentHandler(makeRequestHandler(&config), httpMetrics))
+	http.HandleFunc("/", metrics.InstrumentHandler(requestHandler, httpMetrics))
 
 	metricsServer := metrics.MetricsServer{}
 	metricsServer.Register(config.metricsPort)
@@ -179,3 +190,46 @@ func printVersion() {
 
 	log.Printf("Version: %v\tSHA: %v\n", BuildVersion(), sha)
 }
+
+func makeJWTAuthHandler(c WatchdogConfig, next http.Handler) (http.Handler, error) {
+	namespace, err := getFnNamespace()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get function namespace: %w", err)
+	}
+	name, err := getFnName()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get function name: %w", err)
+	}
+
+	authOpts := auth.JWTAuthOptions{
+		Name:           name,
+		Namespace:      namespace,
+		LocalAuthority: c.jwtAuthLocal,
+		Debug:          c.jwtAuthDebug,
+	}
+
+	return auth.NewJWTAuthMiddleware(authOpts, next)
+}
+
+func getFnName() (string, error) {
+	name, ok := os.LookupEnv("OPENFAAS_NAME")
+	if !ok || len(name) == 0 {
+		return "", fmt.Errorf("env variable 'OPENFAAS_NAME' not set")
+	}
+
+	return name, nil
+}
+
+// getFnNamespace gets the namespace name from the env variable OPENFAAS_NAMESPACE
+// or reads it from the service account if the env variable is not present
+func getFnNamespace() (string, error) {
+	if namespace, ok := os.LookupEnv("OPENFAAS_NAMESPACE"); ok {
+		return namespace, nil
+	}
+
+	nsVal, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	if err != nil {
+		return "", err
+	}
+	return string(nsVal), nil
+}

main.go

@@ -95,6 +95,10 @@ func (ReadConfig) Read(hasEnv HasEnv) WatchdogConfig {
 		cfg.combineOutput = parseBoolValue(hasEnv.Getenv("combine_output"))
 	}
 
+	cfg.jwtAuthentication = parseBoolValue(hasEnv.Getenv("jwt_auth"))
+	cfg.jwtAuthDebug = parseBoolValue(hasEnv.Getenv("jwt_auth_debug"))
+	cfg.jwtAuthLocal = parseBoolValue(hasEnv.Getenv("jwt_auth_local"))
+
 	cfg.metricsPort = 8081
 	cfg.maxInflight = parseIntValue(hasEnv.Getenv("max_inflight"), 0)
 
@@ -147,6 +151,17 @@ type WatchdogConfig struct {
 	// metricsPort is the HTTP port to serve metrics on
 	metricsPort int
 
+	// jwtAuthentication enables JWT authentication for the watchdog
+	// using the OpenFaaS gateway as the issuer.
+	jwtAuthentication bool
+
+	// jwtAuthDebug enables debug logging for the JWT authentication middleware.
+	jwtAuthDebug bool
+
+	// jwtAuthLocal indicates wether the JWT authentication middleware should use a port-forwarded or
+	// local gateway running at `http://127.0.0.1:8000` instead of attempting to reach it via an in-cluster service
+	jwtAuthLocal bool
+
 	// maxInflight limits the number of simultaneous
 	// requests that the watchdog allows concurrently.
 	// Any request which exceeds this limit will

readconfig.go

@@ -45,7 +45,7 @@ func TestHandler_TransferEncodingPassedToFunction(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -81,7 +81,7 @@ func TestHandler_HasCustomHeaderInFunction_WithCgi_Mode(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -123,7 +123,7 @@ func TestHandler_HasCustomHeaderInFunction_WithCgiMode_AndBody(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -164,7 +164,7 @@ func TestHandler_HasHostHeaderWhenSet(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -194,7 +194,7 @@ func TestHandler_HostHeader_Empty_WhenNotSet(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -229,7 +229,7 @@ func TestHandler_StderrWritesToStderr_CombinedOutput_False(t *testing.T) {
 	}
 
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusInternalServerError
 
@@ -270,7 +270,7 @@ func TestHandler_StderrWritesToResponse_CombinedOutput_True(t *testing.T) {
 	}
 
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusInternalServerError
 
@@ -317,7 +317,7 @@ func TestHandler_DoesntHaveCustomHeaderInFunction_WithoutCgi_Mode(t *testing.T)
 		cgiHeaders:  false,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -351,7 +351,7 @@ func TestHandler_HasXDurationSecondsHeader(t *testing.T) {
 		faasProcess: "cat",
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -383,7 +383,7 @@ func TestHandler_RequestTimeoutFailsForExceededDuration(t *testing.T) {
 		}
 
 		handler := makeRequestHandler(&config)
-		handler(rr, req)
+		handler.ServeHTTP(rr, req)
 
 		required := http.StatusRequestTimeout
 		if status := rr.Code; status != required {
@@ -409,7 +409,7 @@ func TestHandler_StatusOKAllowed_ForWriteableVerbs(t *testing.T) {
 			faasProcess: "cat",
 		}
 		handler := makeRequestHandler(&config)
-		handler(rr, req)
+		handler.ServeHTTP(rr, req)
 
 		required := http.StatusOK
 		if status := rr.Code; status != required {
@@ -435,7 +435,7 @@ func TestHandler_StatusMethodNotAllowed_ForUnknown(t *testing.T) {
 
 	config := WatchdogConfig{}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusMethodNotAllowed
 	if status := rr.Code; status != required {
@@ -458,7 +458,7 @@ func TestHandler_StatusOKForGETAndNoBody(t *testing.T) {
 	}
 
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {
@@ -553,7 +553,7 @@ func TestHandler_HasFullPathAndQueryInFunction_WithCgi_Mode(t *testing.T) {
 		cgiHeaders:  true,
 	}
 	handler := makeRequestHandler(&config)
-	handler(rr, req)
+	handler.ServeHTTP(rr, req)
 
 	required := http.StatusOK
 	if status := rr.Code; status != required {