Added auth settings for receivers.

Includes an initial support for OIDC authenticator.

Closes open-telemetry#1424

Signed-off-by: Juraci Paixão Kröhling <[email protected]>

config/configauth/configauth.go

@@ -0,0 +1,49 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configauth
+
+// Authentication defines the auth settings for the receiver
+type Authentication struct {
+	// The attribute (header name) to look for auth data. Optional, default value: "authentication".
+	Attribute string `mapstructure:"attribute"`
+
+	// OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
+	// Required.
+	OIDC *OIDC `mapstructure:"oidc"`
+}
+
+// OIDC defines the OpenID Connect properties for this processor
+type OIDC struct {
+	// IssuerURL is the base URL for the OIDC provider.
+	// Required.
+	IssuerURL string `mapstructure:"issuer_url"`
+
+	// Audience of the token, used during the verification.
+	// For example: "https://accounts.google.com" or "https://login.salesforce.com".
+	// Required.
+	Audience string `mapstructure:"audience"`
+
+	// The local path for the issuer CA's TLS server cert.
+	// Optional.
+	IssuerCAPath string `mapstructure:"issuer_ca_path"`
+
+	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
+	// Optional.
+	UsernameClaim string `mapstructure:"username_claim"`
+
+	// The claim that holds the subject's group membership information.
+	// Optional.
+	GroupsClaim string `mapstructure:"groups_claim"`
+}

config/configgrpc/configgrpc.go

@@ -16,6 +16,7 @@
 package configgrpc
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"strings"
@@ -27,8 +28,10 @@ import (
 	"google.golang.org/grpc/encoding/gzip"
 	"google.golang.org/grpc/keepalive"
 
+	"go.opentelemetry.io/collector/config/configauth"
 	"go.opentelemetry.io/collector/config/confignet"
 	"go.opentelemetry.io/collector/config/configtls"
+	"go.opentelemetry.io/collector/internal/auth"
 )
 
 // Compression gRPC keys for supported compression types within collector
@@ -157,9 +160,12 @@ type GRPCServerSettings struct {
 
 	// Keepalive anchor for all the settings related to keepalive.
 	Keepalive *KeepaliveServerConfig `mapstructure:"keepalive,omitempty"`
+
+	// Auth for this receiver
+	Auth *configauth.Authentication `mapstructure:"auth,omitempty"`
 }
 
-// ToServerOption maps configgrpc.GRPCClientSettings to a slice of dial options for gRPC
+// ToDialOptions maps configgrpc.GRPCClientSettings to a slice of dial options for gRPC
 func (gcs *GRPCClientSettings) ToDialOptions() ([]grpc.DialOption, error) {
 	var opts []grpc.DialOption
 	if gcs.Compression != "" {
@@ -287,6 +293,22 @@ func (gss *GRPCServerSettings) ToServerOption() ([]grpc.ServerOption, error) {
 		}
 	}
 
+	if gss.Auth != nil {
+		auth, err := auth.New(*gss.Auth)
+		if err != nil {
+			return nil, err
+		}
+
+		// perhaps we should use a timeout here?
+		if err := auth.Start(context.Background()); err != nil {
+			return nil, err
+		}
+
+		// TODO: we need a hook to call auth.Close()
+
+		opts = append(opts, grpc.UnaryInterceptor(auth.UnaryInterceptor), grpc.StreamInterceptor(auth.StreamInterceptor))
+	}
+
 	return opts, nil
 }
 

config/configgrpc/configgrpc_test.go

@@ -22,8 +22,10 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 
+	"go.opentelemetry.io/collector/config/configauth"
 	"go.opentelemetry.io/collector/config/confignet"
 	"go.opentelemetry.io/collector/config/configtls"
 	otelcol "go.opentelemetry.io/collector/internal/data/opentelemetry-proto-gen/collector/trace/v1"
@@ -74,7 +76,7 @@ func TestDefaultGrpcServerSettings(t *testing.T) {
 	assert.Len(t, opts, 0)
 }
 
-func TestAllGrpcServerSettings(t *testing.T) {
+func TestAllGrpcServerSettingsExceptAuth(t *testing.T) {
 	gss := &GRPCServerSettings{
 		NetAddr: confignet.NetAddr{
 			Endpoint:  "localhost:1234",
@@ -107,6 +109,25 @@ func TestAllGrpcServerSettings(t *testing.T) {
 	assert.Len(t, opts, 7)
 }
 
+func TestGrpcServerAuthSettings(t *testing.T) {
+	gss := &GRPCServerSettings{}
+
+	// sanity check
+	_, err := gss.ToServerOption()
+	require.NoError(t, err)
+
+	// test
+	gss.Auth = &configauth.Authentication{
+		OIDC: &configauth.OIDC{},
+	}
+	opts, err := gss.ToServerOption()
+
+	// verify
+	// an error here is a positive confirmation that Auth kicked in
+	assert.Error(t, err)
+	assert.Nil(t, opts)
+}
+
 func TestGRPCClientSettingsError(t *testing.T) {
 	tests := []struct {
 		settings GRPCClientSettings

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/census-instrumentation/opencensus-proto v0.3.0
 	github.com/client9/misspell v0.3.4
+	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/davecgh/go-spew v1.1.1
 	github.com/evanphx/json-patch v4.5.0+incompatible // indirect
 	github.com/go-kit/kit v0.10.0
@@ -37,6 +38,7 @@ require (
 	github.com/orijtech/prometheus-go-metrics-exporter v0.0.5
 	github.com/ory/go-acc v0.2.6
 	github.com/pavius/impi v0.0.3
+	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/prometheus/client_golang v1.7.1
 	github.com/prometheus/common v0.11.1
 	github.com/prometheus/prometheus v1.8.2-0.20200626085723-c448ada63d83
@@ -63,6 +65,7 @@ require (
 	google.golang.org/grpc v1.32.0
 	google.golang.org/grpc/examples v0.0.0-20200728065043-dfc0c05b2da9 // indirect
 	google.golang.org/protobuf v1.25.0
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.3.0
 	honnef.co/go/tools v0.0.1-2020.1.5
 )