Wire in WebhookTokenAutenticators support#18868
Wire in WebhookTokenAutenticators support#18868openshift-merge-robot merged 2 commits intoopenshift:masterfrom
Conversation
openshift-ci-robot
added
the
size/M
simo5
added
do-not-merge/work-in-progress
|
@mrogers950 @enj PTAL |
pkg/cmd/server/apis/config/types.go
Outdated
| // OAuthConfig, if present start the /oauth endpoint in this process | ||
| OAuthConfig *OAuthConfig | ||
| // WebhookTokenAuthnConfig, if present configures remote token reviewers | ||
| WebhookTokenAuthenticators []WebhookTokenAuthenticators |
There was a problem hiding this comment.
probably belongs under MasterAuthConfig
There was a problem hiding this comment.
do we have a use case for allowing more than one, or is that just future-proofing?
There was a problem hiding this comment.
Maybe seem that it is more similar to OAuthConfig than RequestHeaderAuthenticationOptions as an auth type, why do we not have OAuthConfig under MasterauthConfig ?
There was a problem hiding this comment.
OAuth component is distinct from the master API. OAuth config is for the OAuth server. MasterAuthConfig is for the API server.
There was a problem hiding this comment.
Maybe seem that it is more similar to OAuthConfig than RequestHeaderAuthenticationOptions as an auth type
RequestHeaderAuthenticationOptions and WebhookTokenAuthenticators both mirror upstream API authentication configuration options. We should group them under MasterAuthConfig.
pkg/cmd/server/apis/config/types.go
Outdated
| AllowRecursiveQueries bool | ||
| } | ||
|
|
||
| type WebhookTokenAuthenticators struct { |
There was a problem hiding this comment.
type should be singular if it describes a single authenticator
| }, | ||
| } | ||
| } | ||
| // TODO: handle WebhookTokenAuthenticators somehow ? |
There was a problem hiding this comment.
probably just as an additional condition in if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 || ... token webhooks ... {
There was a problem hiding this comment.
yeah I wasn't sure about that I'll do as you suggest
openshift-ci-robot
added
the
size/M
openshift-ci-robot
added
size/L
|
/retest |
| WebhookTokenAuthnConfigFile string `json:"webhookTokenAuthnConfigFile"` | ||
| // WebhookTokenAuthnCacheTTL indicates how long an authentication result should be cached. | ||
| // It takes a valid time duration string (e.g. "5m"). | ||
| // If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled |
There was a problem hiding this comment.
Probably should state what the default timeout is (I see no code that does defaulting in this PR).
There was a problem hiding this comment.
There is currently no default, you are required tio state the CacheTTL
There was a problem hiding this comment.
Upstream defaults this to 2 minutes. @liggitt any preference?
There was a problem hiding this comment.
I've added a 10s default
| validationResults.AddErrors(field.Required(fldPath.Child("requestHeader.extraHeaderPrefixes"), "must be specified for a secure connection")) | ||
| } | ||
|
|
||
| for _, wta := range config.WebhookTokenAuthenticators { |
| group.NewTokenGroupAdder(oauthTokenAuthenticator, []string{bootstrappolicy.AuthenticatedOAuthGroup})) | ||
| } | ||
|
|
||
| for _, wta := range config.AuthConfig.WebhookTokenAuthenticators { |
There was a problem hiding this comment.
integration test (which I know you are already working on)
@liggitt I specifically asked for this from @simo5. I see no reason not to have it, and I really do not want to try to hack it in later. It is assumed that all such remote token authenticators are allowed to see all tokens - if you do not trust all of them at that level, then you should not put them in your config. |
|
@openshift/api-review |
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| // Ex |
There was a problem hiding this comment.
ignore, remnant of my copy/paste from the oidc test
pkg/cmd/server/apis/config/types.go
Outdated
| EtcdConfig *EtcdConfig | ||
| // OAuthConfig, if present start the /oauth endpoint in this process | ||
| OAuthConfig *OAuthConfig | ||
|
|
| EtcdConfig *EtcdConfig `json:"etcdConfig"` | ||
| // OAuthConfig, if present start the /oauth endpoint in this process | ||
| OAuthConfig *OAuthConfig `json:"oauthConfig"` | ||
|
|
There was a problem hiding this comment.
yeah remamnt of a previous incarnation, will remove, thanks for catching
simo5
force-pushed
the
WebhookEnable
branch
3 times, most recently
from
5330e97 to
b39e082
Compare
simo5
removed
the
do-not-merge/work-in-progress
|
I think we are ready for final reviews |
|
api approved. |
simo5
force-pushed
the
WebhookEnable
branch
2 times, most recently
from
13e3e62 to
f9af946
Compare
| } | ||
| errors := ValidateMasterAuthConfig(config, nil) | ||
| if len(test.expectedErrors) != len(errors.Errors) { | ||
| t.Errorf("%s: expected %v errors, got %v", test.testName, test.expectedErrors, errors.Errors) |
There was a problem hiding this comment.
continue after this line or you can panic on the next loop
There was a problem hiding this comment.
Ah, true, but then, the test already failed :-)
Will fix
|
|
||
| for i := range obj.AuthConfig.WebhookTokenAuthenticators { | ||
| if len(obj.AuthConfig.WebhookTokenAuthenticators[i].ConfigFile) == 0 { | ||
| continue |
There was a problem hiding this comment.
I don't understand this continue
There was a problem hiding this comment.
Does not default the TTL if there is no file to start with
There was a problem hiding this comment.
(config is already wrong)
There was a problem hiding this comment.
Sure, but then why do we not want to default? It will just make two errors show up and make the user think that both are required.
| // Set defaults Cache TTLs for external Webhook Token Reviewers | ||
| for i := range obj.AuthConfig.WebhookTokenAuthenticators { | ||
| if len(obj.AuthConfig.WebhookTokenAuthenticators[i].ConfigFile) == 0 { | ||
| continue |
| authToken := "Anything-goes!" | ||
| authTestUser := "testuser" | ||
| authTestUID := "42" | ||
| authTestGroups := []string{"testgroup"} |
| } | ||
|
|
||
| // Get master config | ||
| masterOptions, err := testserver.DefaultMasterOptions() |
There was a problem hiding this comment.
Just cosmetic for increasing readability since you do not need that variable until later.
| // Try to authenticate with a token that can be validated only by our | ||
| // external token reviewer | ||
| userConfig := &restclient.Config{ | ||
| Host: clientConfig.Host, |
There was a problem hiding this comment.
userConfig := AnonymousClientConfig(...)
userConfig.BearerToken = ...
| userWhoamiOptions := cmd.WhoAmIOptions{UserInterface: userClient.Users(), Out: ioutil.Discard} | ||
| retrievedUser, err := userWhoamiOptions.WhoAmI() | ||
| if err != nil { | ||
| t.Errorf("unexpected error: %v", err) |
There was a problem hiding this comment.
Not really needed, other tests do the same
There was a problem hiding this comment.
Just because other people write their tests incorrectly is not a valid reason to continue doing the wrong thing.
| masterOptions.AuthConfig.WebhookTokenAuthenticators = []configapi.WebhookTokenAuthenticator{ | ||
| { | ||
| ConfigFile: authConfigFile.Name(), | ||
| CacheTTL: "10s", |
There was a problem hiding this comment.
defaulting is already checked in uint tests, no need to check it here
There was a problem hiding this comment.
Hm I guess serialization tests may be enough.
There was a problem hiding this comment.
DEfaulting happens before we override this part of the config anyway, so it wouldn't work :-)
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
| err = oauthClient.Oauth().OAuthAccessTokens().Delete("XYZ", &metav1.DeleteOptions{}) | ||
| if !kerrors.IsForbidden(err) { |
There was a problem hiding this comment.
Needs to check for scope error.
There was a problem hiding this comment.
Because we should know we got forbidden via scope and not "the token stopped working for random reason"
Signed-off-by: Monis Khan <mkhan@redhat.com>
|
/retest |
| } | ||
| webhookTokenAuthenticator, err := webhooktoken.New(wta.ConfigFile, ttl) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("Failed to create webhook token authenticator for ConfigFile='%s'", wta.ConfigFile) |
There was a problem hiding this comment.
Include the error that caused the failure:
return nil, nil, fmt.Errorf("Failed to create webhook token authenticator for ConfigFile=%q: %v", wta.ConfigFile, err)
Also replace '%s' with %q on both messages.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, simo5 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/refresh |
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/test extended_conformance_install |
|
/retest |
|
/test extended_networking_minimal |
|
/test extended_conformance_install |
|
Flake: #18982 |
|
/retest |
1 similar comment
|
/retest |
|
Automatic merge from submit-queue. |
7 participants
This allows to use an external server for Token authentication.