feat(dp-token): allow validator to define keys not scoped to a mesh #8169

Merged
merged 4 commits into from
Oct 27, 2023
3 changes: 0 additions & 3 deletions pkg/config/types/keys.go
Expand Up @@ -35,8 +35,5 @@ func (m MeshedPublicKey) Validate() error {
if err := m.PublicKey.Validate(); err != nil {
return err
}
if m.Mesh == "" {
return errors.New(".Mesh is required")
}
return nil
}
4 changes: 4 additions & 0 deletions pkg/tokens/builtin/components.go
Expand Up @@ -43,8 +43,12 @@ func NewDataplaneTokenValidator(resManager manager.ReadOnlyResourceManager, stor
if err != nil {
return nil, err
}

return issuer.NewValidator(func(meshName string) (tokens.Validator, error) {
keys := keysByMesh[meshName]
// Also use keys that are not bound to any mesh
keys = append(keys, keysByMesh[""]...)

staticSigningKeyAccessor, err := tokens.NewStaticSigningKeyAccessor(keys)
if err != nil {
return nil, err
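Review bot: `keys = append(keys, keysByMesh[""]...)` appends onto a slice that is still owned by the keysByMesh map; if that slice has spare capacity (likely if keysByMesh was built with append, which is outside this hunk), the mesh-less keys are written into the map's shared backing array, and should the validator callback run concurrently for the same mesh that write is a data race even though the written values are identical. Detach before appending, e.g. `meshKeys := keysByMesh[meshName]` followed by `keys := append(meshKeys[:len(meshKeys):len(meshKeys)], keysByMesh[""]...)`, so each call builds its own list. With the `.Mesh is required` check removed in pkg/config/types/keys.go, a public key whose `mesh` is omitted now validates tokens for every mesh, which the comment here should say explicitly: `// Keys with an empty mesh are trusted for every mesh, so a leaked one is not contained to a single mesh` — the same wording belongs on the `Mesh` field's config documentation. NewDataplaneTokenValidator starts and ends outside this hunk.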
47 changes: 41 additions & 6 deletions test/e2e_env/universal/auth/offline_auth.go
Expand Up @@ -11,7 +11,10 @@ import (
)

func OfflineAuth() {
meshName := "offline-auth"
meshes := []string{
"offline-auth-1",
"offline-auth-2",
}

var universal Cluster

Expand Down Expand Up @@ -44,7 +47,7 @@ dpServer:
useSecrets: false
publicKeys:
- kid: static-1
mesh: offline-auth
mesh: offline-auth-1
key: |
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqwbFZ7LSuRGEkFPsZOLYuimsjDeie4sdtqIVW9bLDrTSql+o2sBL
Expand All @@ -54,6 +57,16 @@ dpServer:
FvX0KmBtADEJ4n9Jo4ja3hDmp83Q4KjJq0xKbhh9Fp3AjwjDb0fVFwbt+8SdVgyV
5PE+7HdigwlJ/cOVb9IY/UKVgCzlW5inCQIDAQAB
-----END RSA PUBLIC KEY-----
- kid: offline-auth-nomesh-1
key: |
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsGQSfwmBU/DMDLnKCbg7cKUrBEAxDinCPaQ5foF87H8aul4EAzym
KswoSpwXyyhAqVf2pHJYqkIX0HwL5xkgGy3lvNekgJPLeQaGMg0qVol+tU0/go6i
50LUzSvPo6kBHCBOiFTNxZ+HRiCdTJd655ALBn1a4LbVPGDqPnHikSWsZg69gkV7
T+jdPz4rBqfhNahREinVRe1DsLVJ0trjc91+2dRYj1e+tKVQDwCNj5cP2GzYUkAb
XaMpe1ZGQSC9/gTlJIEU7Lyz7fyOJcCZbGASy8nBixM6E5l8QPrFVIDVkeNJNVQj
35gOQBJWtsCEiBx3spsKLeoim62wun05HwIDAQAB
-----END RSA PUBLIC KEY-----
`

BeforeAll(func() {
Expand All @@ -62,7 +75,8 @@ dpServer:
Install(Kuma(core.Standalone,
WithYamlConfig(cpCfg),
)).
Install(MeshUniversal(meshName)).
Install(MeshUniversal(meshes[0])).
Install(MeshUniversal(meshes[1])).
Setup(universal)).To(Succeed())
})

Expand Down Expand Up @@ -98,19 +112,40 @@ dpServer:
It("should use dp-token generated offline", func() {
// given
token, err := universal.GetKumactlOptions().RunKumactlAndGetOutput("generate", "dataplane-token",
"--mesh", meshName,
"--mesh", meshes[0],
"--kid", "static-1",
"--valid-for", "24h",
"--signing-key-path", filepath.Join("..", "..", "keys", "samplekey.pem"),
)
Expect(err).ToNot(HaveOccurred())

// when
Expect(universal.Install(DemoClientUniversal("test-server", meshName, WithToken(token)))).To(Succeed())
Expect(universal.Install(DemoClientUniversal("test-server-1", meshes[0], WithToken(token)))).To(Succeed())

// then
Eventually(func(g Gomega) {
online, _, err := IsDataplaneOnline(universal, meshes[0], "test-server-1")
g.Expect(err).ToNot(HaveOccurred())
g.Expect(online).To(BeTrue())
}, "30s", "1s").Should(Succeed())
})

It("should use a dp-token generated offline, validated with a non-mesh scoped key", func() {
// given
token, err := universal.GetKumactlOptions().RunKumactlAndGetOutput("generate", "dataplane-token",
"--mesh", meshes[1],
"--kid", "offline-auth-nomesh-1",
"--valid-for", "24h",
"--signing-key-path", filepath.Join("..", "..", "keys", "samplekey-2.pem"),
)
Expect(err).ToNot(HaveOccurred())

// when
Expect(universal.Install(DemoClientUniversal("test-server-2", meshes[1], WithToken(token)))).To(Succeed())

// then
Eventually(func(g Gomega) {
online, _, err := IsDataplaneOnline(universal, meshName, "test-server")
online, _, err := IsDataplaneOnline(universal, meshes[1], "test-server-2")
g.Expect(err).ToNot(HaveOccurred())
g.Expect(online).To(BeTrue())
}, "30s", "1s").Should(Succeed())
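Review bot: The new `It` starting at the "validated with a non-mesh scoped key" case only proves that `offline-auth-nomesh-1` accepts a token for meshes[1]; nothing asserts that the mesh-scoped key `static-1` (bound to offline-auth-1 in cpCfg) is still rejected for offline-auth-2 now that mesh-less keys are merged into every mesh's key set. Add a third case that generates a token with `"--mesh", meshes[1]`, `"--kid", "static-1"` and samplekey.pem, installs a client with it, and asserts the dataplane does not become online within the same window (I cannot tell from this hunk which helper reports a rejected token, so pick whichever the existing tests use for the negative path), so a regression in per-mesh scoping is caught rather than only the new permissive path. OfflineAuth continues past the end of this hunk.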
3 changes: 3 additions & 0 deletions test/keys/README.md
Expand Up @@ -2,3 +2,6 @@ Keys for tests generated by executing:

kumactl generate signing-key --format=pem > samplekey.pem
kumactl generate public-key --signing-key-path=samplekey.pem > publickey.pem

kumactl generate signing-key --format=pem > samplekey-2.pem
kumactl generate public-key --signing-key-path=samplekey-2.pem > publickey-2.pem
8 changes: 8 additions & 0 deletions test/keys/publickey-2.pem
@@ -0,0 +1,8 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsGQSfwmBU/DMDLnKCbg7cKUrBEAxDinCPaQ5foF87H8aul4EAzym
KswoSpwXyyhAqVf2pHJYqkIX0HwL5xkgGy3lvNekgJPLeQaGMg0qVol+tU0/go6i
50LUzSvPo6kBHCBOiFTNxZ+HRiCdTJd655ALBn1a4LbVPGDqPnHikSWsZg69gkV7
T+jdPz4rBqfhNahREinVRe1DsLVJ0trjc91+2dRYj1e+tKVQDwCNj5cP2GzYUkAb
XaMpe1ZGQSC9/gTlJIEU7Lyz7fyOJcCZbGASy8nBixM6E5l8QPrFVIDVkeNJNVQj
35gOQBJWtsCEiBx3spsKLeoim62wun05HwIDAQAB
-----END RSA PUBLIC KEY-----
27 changes: 27 additions & 0 deletions test/keys/samplekey-2.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----