acl: RPC endpoints for JWT auth (#15918)

.semgrep/rpc_endpoint.yml

@@ -99,6 +99,7 @@ rules:
             - pattern-not: 'structs.ACLListAuthMethodsRPCMethod'
             - pattern-not: 'structs.ACLOIDCAuthURLRPCMethod'
             - pattern-not: 'structs.ACLOIDCCompleteAuthRPCMethod'
+            - pattern-not: 'structs.ACLLoginRPCMethod'
             - pattern-not: '"CSIPlugin.Get"'
             - pattern-not: '"CSIPlugin.List"'
             - pattern-not: '"Status.Leader"'

command/agent/acl_endpoint.go

@@ -867,7 +867,7 @@ func (s *HTTPServer) ACLOIDCCompleteAuthRequest(resp http.ResponseWriter, req *h
 		return nil, CodedError(http.StatusBadRequest, err.Error())
 	}
 
-	var out structs.ACLOIDCCompleteAuthResponse
+	var out structs.ACLLoginResponse
 	if err := s.agent.RPC(structs.ACLOIDCCompleteAuthRPCMethod, &args, &out); err != nil {
 		return nil, err
 	}

command/agent/acl_endpoint_test.go

@@ -1122,7 +1122,7 @@ func TestHTTPServer_ACLAuthMethodListRequest(t *testing.T) {
 
 				// Upsert two auth-methods into state.
 				must.NoError(t, srv.server.State().UpsertACLAuthMethods(
-					10, []*structs.ACLAuthMethod{mock.ACLAuthMethod(), mock.ACLAuthMethod()}))
+					10, []*structs.ACLAuthMethod{mock.ACLOIDCAuthMethod(), mock.ACLOIDCAuthMethod()}))
 
 				// Build the HTTP request.
 				req, err := http.NewRequest(http.MethodGet, "/v1/acl/auth-methods", nil)
@@ -1198,7 +1198,7 @@ func TestHTTPServer_ACLAuthMethodRequest(t *testing.T) {
 			testFn: func(srv *TestAgent) {
 
 				// Create a mock auth-method to use in the request body.
-				mockACLAuthMethod := mock.ACLAuthMethod()
+				mockACLAuthMethod := mock.ACLOIDCAuthMethod()
 
 				// Build the HTTP request.
 				req, err := http.NewRequest(http.MethodPut, "/v1/acl/auth-method", encodeReq(mockACLAuthMethod))
@@ -1269,7 +1269,7 @@ func TestHTTPServer_ACLAuthMethodSpecificRequest(t *testing.T) {
 			testFn: func(srv *TestAgent) {
 
 				// Create a mock auth-method and put directly into state.
-				mockACLAuthMethod := mock.ACLAuthMethod()
+				mockACLAuthMethod := mock.ACLOIDCAuthMethod()
 				must.NoError(t, srv.server.State().UpsertACLAuthMethods(
 					20, []*structs.ACLAuthMethod{mockACLAuthMethod}))
 
@@ -1294,7 +1294,7 @@ func TestHTTPServer_ACLAuthMethodSpecificRequest(t *testing.T) {
 			testFn: func(srv *TestAgent) {
 
 				// Create a mock auth-method and put directly into state.
-				mockACLAuthMethod := mock.ACLAuthMethod()
+				mockACLAuthMethod := mock.ACLOIDCAuthMethod()
 				must.NoError(t, srv.server.State().UpsertACLAuthMethods(
 					20, []*structs.ACLAuthMethod{mockACLAuthMethod}))
 
@@ -1499,7 +1499,7 @@ func TestHTTPServer_ACLBindingRuleRequest(t *testing.T) {
 
 				// Upsert the auth method that the binding rule will associate
 				// with.
-				mockACLAuthMethod := mock.ACLAuthMethod()
+				mockACLAuthMethod := mock.ACLOIDCAuthMethod()
 				must.NoError(t, srv.server.State().UpsertACLAuthMethods(
 					10, []*structs.ACLAuthMethod{mockACLAuthMethod}))
 
@@ -1607,7 +1607,7 @@ func TestHTTPServer_ACLBindingRuleSpecificRequest(t *testing.T) {
 
 				// Upsert the auth method that the binding rule will associate
 				// with.
-				mockACLAuthMethod := mock.ACLAuthMethod()
+				mockACLAuthMethod := mock.ACLOIDCAuthMethod()
 				must.NoError(t, srv.server.State().UpsertACLAuthMethods(
 					10, []*structs.ACLAuthMethod{mockACLAuthMethod}))
 
@@ -1716,7 +1716,7 @@ func TestHTTPServer_ACLOIDCAuthURLRequest(t *testing.T) {
 
 				// Generate and upsert an ACL auth method for use. Certain values must be
 				// taken from the cap OIDC provider just like real world use.
-				mockedAuthMethod := mock.ACLAuthMethod()
+				mockedAuthMethod := mock.ACLOIDCAuthMethod()
 				mockedAuthMethod.Config.AllowedRedirectURIs = []string{"http://127.0.0.1:4649/oidc/callback"}
 				mockedAuthMethod.Config.OIDCDiscoveryURL = oidcTestProvider.Addr()
 				mockedAuthMethod.Config.SigningAlgs = []string{"ES256"}
@@ -1799,7 +1799,7 @@ func TestHTTPServer_ACLOIDCCompleteAuthRequest(t *testing.T) {
 
 				// Generate and upsert an ACL auth method for use. Certain values must be
 				// taken from the cap OIDC provider just like real world use.
-				mockedAuthMethod := mock.ACLAuthMethod()
+				mockedAuthMethod := mock.ACLOIDCAuthMethod()
 				mockedAuthMethod.Config.BoundAudiences = []string{"mock"}
 				mockedAuthMethod.Config.AllowedRedirectURIs = []string{"http://127.0.0.1:4649/oidc/callback"}
 				mockedAuthMethod.Config.OIDCDiscoveryURL = oidcTestProvider.Addr()

lib/auth/oidc/binder.go → lib/auth/binder.go

@@ -1,4 +1,4 @@
-package oidc
+package auth
 
 import (
 	"fmt"
@@ -8,7 +8,6 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/hil"
 	"github.com/hashicorp/hil/ast"
-
 	"github.com/hashicorp/nomad/nomad/structs"
 )
 

lib/auth/oidc/binder_test.go → lib/auth/binder_test.go

@@ -1,4 +1,4 @@
-package oidc
+package auth
 
 import (
 	"testing"
@@ -19,7 +19,7 @@ func TestBinder_Bind(t *testing.T) {
 	testBind := NewBinder(testStore)
 
 	// create an authMethod method and insert into the state store
-	authMethod := mock.ACLAuthMethod()
+	authMethod := mock.ACLOIDCAuthMethod()
 	must.NoError(t, testStore.UpsertACLAuthMethods(0, []*structs.ACLAuthMethod{authMethod}))
 
 	// create some roles and insert into the state store

lib/auth/oidc/claims.go → lib/auth/claims.go

@@ -1,4 +1,4 @@
-package oidc
+package auth
 
 import (
 	"encoding/json"

lib/auth/oidc/claims_test.go → lib/auth/claims_test.go

@@ -1,4 +1,4 @@
-package oidc
+package auth
 
 import (
 	"testing"

lib/auth/oidc/identity.go → lib/auth/identity.go

@@ -1,4 +1,4 @@
-package oidc
+package auth
 
 import (
 	"github.com/hashicorp/nomad/nomad/structs"

lib/auth/oidc/identity_test.go → lib/auth/identity_test.go

@@ -1,9 +1,10 @@
-package oidc
+package auth
 
 import (
-	"github.com/shoenig/test/must"
 	"testing"
 
+	"github.com/shoenig/test/must"
+
 	"github.com/hashicorp/nomad/ci"
 	"github.com/hashicorp/nomad/nomad/structs"
 )

lib/auth/jwt/validator.go

@@ -0,0 +1,125 @@
+package jwt
+
+import (
+	"context"
+	"crypto"
+	"fmt"
+	"time"
+
+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/cap/jwt"
+	"golang.org/x/exp/slices"
+
+	"github.com/hashicorp/nomad/helper"
+	"github.com/hashicorp/nomad/nomad/structs"
+)
+
+// Validate performs token signature verification and JWT header validation,
+// and returns a list of claims or an error in case any validation or signature
+// verification fails.
+func Validate(ctx context.Context, token string, methodConf *structs.ACLAuthMethodConfig) (map[string]any, error) {
+	var (
+		keySet jwt.KeySet
+		err    error
+	)
+
+	// JWT validation can happen in 3 ways:
+	// - via embedded public keys, locally
+	// - via JWKS
+	// - or via OIDC provider
+	if len(methodConf.JWTValidationPubKeys) != 0 {
+		keySet, err = usingStaticKeys(methodConf.JWTValidationPubKeys)
+		if err != nil {
+			return nil, err
+		}
+	} else if methodConf.JWKSURL != "" {
+		keySet, err = usingJWKS(ctx, methodConf.JWKSURL, methodConf.JWKSCACert)
+		if err != nil {
+			return nil, err
+		}
+	} else if methodConf.OIDCDiscoveryURL != "" {
+		keySet, err = usingOIDC(ctx, methodConf.OIDCDiscoveryURL, methodConf.DiscoveryCaPem)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// SigningAlgs field is a string, we need to convert it to a type the go-jwt
+	// accepts in order to validate.
+	toAlgFn := func(m string) jwt.Alg { return jwt.Alg(m) }
+	algorithms := helper.ConvertSlice(methodConf.SigningAlgs, toAlgFn)
+
+	expected := jwt.Expected{
+		Audiences:         methodConf.BoundAudiences,
+		SigningAlgorithms: algorithms,
+		NotBeforeLeeway:   methodConf.NotBeforeLeeway,
+		ExpirationLeeway:  methodConf.ExpirationLeeway,
+		ClockSkewLeeway:   methodConf.ClockSkewLeeway,
+	}
+
+	validator, err := jwt.NewValidator(keySet)
+	if err != nil {
+		return nil, err
+	}
+
+	claims, err := validator.Validate(ctx, token, expected)
+	if err != nil {
+		return nil, fmt.Errorf("unable to verify signature of JWT token: %v", err)
+	}
+
+	// validate issuer manually, because we allow users to specify an array
+	if len(methodConf.BoundIssuer) > 0 {
+		if _, ok := claims["iss"]; !ok {
+			return nil, fmt.Errorf(
+				"auth method specifies BoundIssuers but the provided token does not contain issuer information",
+			)
+		}
+		if iss, ok := claims["iss"].(string); !ok {
+			return nil, fmt.Errorf("unable to read iss property of provided token")
+		} else if !slices.Contains(methodConf.BoundIssuer, iss) {
+			return nil, fmt.Errorf("invalid JWT issuer: %v", claims["iss"])
+		}
+	}
+
+	return claims, nil
+}
+
+func usingStaticKeys(keys []string) (jwt.KeySet, error) {
+	var parsedKeys []crypto.PublicKey
+	for _, v := range keys {
+		key, err := jwt.ParsePublicKeyPEM([]byte(v))
+		parsedKeys = append(parsedKeys, key)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse public key for JWT auth: %v", err)
+		}
+	}
+	return jwt.NewStaticKeySet(parsedKeys)
+}
+
+func usingJWKS(ctx context.Context, jwksurl, jwkscapem string) (jwt.KeySet, error) {
+	// Measure the JWKS endpoint performance.
+	defer metrics.MeasureSince([]string{"nomad", "acl", "jwt", "jwks"}, time.Now())
+
+	keySet, err := jwt.NewJSONWebKeySet(ctx, jwksurl, jwkscapem)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get validation keys from JWKS: %v", err)
+	}
+	return keySet, nil
+}
+
+func usingOIDC(ctx context.Context, oidcurl string, oidccapem []string) (jwt.KeySet, error) {
+	// Measure the OIDC endpoint performance.
+	defer metrics.MeasureSince([]string{"nomad", "acl", "jwt", "oidc_jwt"}, time.Now())
+
+	// TODO why do we have DiscoverCaPem as an array but JWKSCaPem as a single string?
+	pem := ""
+	if len(oidccapem) > 0 {
+		pem = oidccapem[0]
+	}
+
+	keySet, err := jwt.NewOIDCDiscoveryKeySet(ctx, oidcurl, pem)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get validation keys from OIDC provider: %v", err)
+	}
+	return keySet, nil
+}