open-policy-agent · anderseknert · Jul 1, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 4, 2024
diff --git a/plugins/rest/auth.go b/plugins/rest/auth.go
@@ -40,6 +40,8 @@ import (
 const (
 	// Default to s3 when the service for sigv4 signing is not specified for backwards compatibility
 	awsSigv4SigningDefaultService = "s3"
+	// Default to urn:ietf:params:oauth:client-assertion-type:jwt-bearer for ClientAssertionType when not specified
+	defaultClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 )
 
 // DefaultTLSConfig defines standard TLS configurations based on the Config
@@ -281,6 +283,9 @@ type oauth2ClientCredentialsAuthPlugin struct {
 	AdditionalParameters map[string]string      `json:"additional_parameters,omitempty"`
 	AWSKmsKey            *awsKmsKeyConfig       `json:"aws_kms,omitempty"`
 	AWSSigningPlugin     *awsSigningAuthPlugin  `json:"aws_signing,omitempty"`
+	ClientAssertionType  string                 `json:"client_assertion_type"`
+	ClientAssertion      string                 `json:"client_assertion"`
+	ClientAssertionPath  string                 `json:"client_assertion_path"`
 
 	signingKey       *keys.Config
 	signingKeyParsed interface{}
@@ -459,14 +464,30 @@ func (ap *oauth2ClientCredentialsAuthPlugin) NewClient(c Config) (*http.Client,
 		return nil, errors.New("token_url required to use https scheme")
 	}
 	if ap.GrantType == grantTypeClientCredentials {
-		if ap.AWSKmsKey != nil && (ap.ClientSecret != "" || ap.SigningKeyID != "") ||
-			(ap.ClientSecret != "" && ap.SigningKeyID != "") {
-			return nil, errors.New("can only use one of client_secret, signing_key or signing_kms_key for client_credentials")
+		clientCredentialExists := make(map[string]bool)
+		clientCredentialExists["client_secret"] = ap.ClientSecret != ""
+		clientCredentialExists["signing_key"] = ap.SigningKeyID != ""
+		clientCredentialExists["aws_kms"] = ap.AWSKmsKey != nil
+		clientCredentialExists["client_assertion"] = ap.ClientAssertion != ""
+		clientCredentialExists["client_assertion_path"] = ap.ClientAssertionPath != ""
+
+		var notEmptyVarCount int
+
+		for _, credentialSet := range clientCredentialExists {
+			if credentialSet {
+				notEmptyVarCount++
+			}
+		}
+
+		if notEmptyVarCount == 0 {
+			return nil, errors.New("please provide one of client_secret, signing_key, aws_kms, client_assertion, or client_assertion_path required")
 		}
-		if ap.SigningKeyID == "" && ap.AWSKmsKey == nil && (ap.ClientID == "" || ap.ClientSecret == "") {
-			return nil, errors.New("client_id and client_secret required")
+
+		if notEmptyVarCount > 1 {
+			return nil, errors.New("can only use one of client_secret, signing_key, aws_kms, client_assertion, or client_assertion_path")
 		}
-		if ap.AWSKmsKey != nil {
+
+		if clientCredentialExists["aws_kms"] {
 			if ap.AWSSigningPlugin == nil {
 				return nil, errors.New("aws_kms and aws_signing required")
 			}
@@ -475,6 +496,24 @@ func (ap *oauth2ClientCredentialsAuthPlugin) NewClient(c Config) (*http.Client,
 			if err != nil {
 				return nil, err
 			}
+		} else if clientCredentialExists["client_assertion"] {
+			if ap.ClientAssertionType == "" {
+				ap.ClientAssertionType = defaultClientAssertionType
+			}
+			if ap.ClientID == "" {
+				return nil, errors.New("client_id and client_assertion required")
+			}
+		} else if clientCredentialExists["client_assertion_path"] {
+			if ap.ClientAssertionType == "" {
+				ap.ClientAssertionType = defaultClientAssertionType
+			}
+			if ap.ClientID == "" {
+				return nil, errors.New("client_id and client_assertion_path required")
+			}
+		} else if clientCredentialExists["client_secret"] {
+			if ap.ClientID == "" {
+				return nil, errors.New("client_id and client_secret required")
+			}
 		}
 	}
 
@@ -502,12 +541,34 @@ func (ap *oauth2ClientCredentialsAuthPlugin) requestToken(ctx context.Context) (
 			if err != nil {
 				return nil, err
 			}
-			body.Add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+			body.Add("client_assertion_type", defaultClientAssertionType)
 			body.Add("client_assertion", *authJwt)
 
 			if ap.ClientID != "" {
 				body.Add("client_id", ap.ClientID)
 			}
+		} else if ap.ClientAssertion != "" {
+			if ap.ClientAssertionType == "" {
+				ap.ClientAssertionType = defaultClientAssertionType
+			}
+			if ap.ClientID != "" {
+				body.Add("client_id", ap.ClientID)
+			}
+			body.Add("client_assertion_type", ap.ClientAssertionType)
+			body.Add("client_assertion", ap.ClientAssertion)
+		} else if ap.ClientAssertionPath != "" {
+			if ap.ClientAssertionType == "" {
+				ap.ClientAssertionType = defaultClientAssertionType
+			}
+			bytes, err := os.ReadFile(ap.ClientAssertionPath)
+			if err != nil {
+				return nil, err
+			}
+			if ap.ClientID != "" {
+				body.Add("client_id", ap.ClientID)
+			}
+			body.Add("client_assertion_type", ap.ClientAssertionType)
+			body.Add("client_assertion", strings.TrimSpace(string(bytes)))
 		}
 	}
 

diff --git a/plugins/rest/auth_test.go b/plugins/rest/auth_test.go
@@ -191,3 +191,133 @@ func TestAssumeRoleWithUnsupportedSigningProvider(t *testing.T) {
 		t.Fatalf("expected error: %v but got: %v", expErrMsg, err)
 	}
 }
+
+func TestOauth2WithClientAssertion(t *testing.T) {
+	conf := `{
+		"name": "foo",
+		"url": "http://localhost",
+		"credentials": {
+			"oauth2": {
+				"grant_type": "client_credentials",
+				"token_url": "https://localhost",
+				"scopes": ["profile", "opa"],
+				"additional_claims": {
+					"aud": "some audience"
+				},
+				"client_id": "123",
+				"client_assertion": "abc123"
+			}
+		}
+	}`
+
+	client, err := New([]byte(conf), map[string]*keys.Config{})
+	if err != nil {
+		t.Fatalf("New() = %v", err)
+	}
+
+	if _, err := client.config.Credentials.OAuth2.NewClient(client.config); err != nil {
+		t.Fatalf("OAuth2.NewClient() = %q", err)
+	}
+
+	if client.config.Credentials.OAuth2.ClientAssertionType != defaultClientAssertionType {
+		t.Errorf("OAuth2.ClientAssertionType = %v, want = %v", client.config.Credentials.OAuth2.ClientAssertionType, defaultClientAssertionType)
+	}
+}
+
+func TestOauth2WithClientAssertionOverrideAssertionType(t *testing.T) {
+	conf := `{
+		"name": "foo",
+		"url": "http://localhost",
+		"credentials": {
+			"oauth2": {
+				"grant_type": "client_credentials",
+				"token_url": "https://localhost",
+				"scopes": ["profile", "opa"],
+				"additional_claims": {
+					"aud": "some audience"
+				},
+				"client_id": "123",
+				"client_assertion": "abc123",
+				"client_assertion_type": "urn:ietf:params:oauth:my-thing"
+			}
+		}
+	}`
+
+	client, err := New([]byte(conf), map[string]*keys.Config{})
+	if err != nil {
+		t.Fatalf("New() = %v", err)
+	}
+
+	if _, err := client.config.Credentials.OAuth2.NewClient(client.config); err != nil {
+		t.Fatalf("OAuth2.NewClient() = %q", err)
+	}
+
+	if client.config.Credentials.OAuth2.ClientAssertionType != "urn:ietf:params:oauth:my-thing" {
+		t.Errorf("OAuth2.ClientAssertionType = %v, want = %v", client.config.Credentials.OAuth2.ClientAssertionType, "urn:ietf:params:oauth:my-thing")
+	}
+}
+
+func TestOauth2WithClientAssertionPath(t *testing.T) {
+	conf := `{
+		"name": "foo",
+		"url": "http://localhost",
+		"credentials": {
+			"oauth2": {
+				"grant_type": "client_credentials",
+				"token_url": "https://localhost",
+				"scopes": ["profile", "opa"],
+				"additional_claims": {
+					"aud": "some audience"
+				},
+				"client_id": "123",
+				"client_assertion_path": "/var/run/secrets/azure/tokens/azure-identity-token"
+			}
+		}
+	}`
+
+	client, err := New([]byte(conf), map[string]*keys.Config{})
+	if err != nil {
+		t.Fatalf("New() = %v", err)
+	}
+
+	if _, err := client.config.Credentials.OAuth2.NewClient(client.config); err != nil {
+		t.Fatalf("OAuth2.NewClient() = %q", err)
+	}
+
+	if client.config.Credentials.OAuth2.ClientAssertionType != defaultClientAssertionType {
+		t.Errorf("OAuth2.ClientAssertionType = %v, want = %v", client.config.Credentials.OAuth2.ClientAssertionType, defaultClientAssertionType)
+	}
+}
+
+func TestOauth2WithClientAssertionPathOverrideAssertionType(t *testing.T) {
+	conf := `{
+		"name": "foo",
+		"url": "http://localhost",
+		"credentials": {
+			"oauth2": {
+				"grant_type": "client_credentials",
+				"token_url": "https://localhost",
+				"scopes": ["profile", "opa"],
+				"additional_claims": {
+					"aud": "some audience"
+				},
+				"client_id": "123",
+				"client_assertion_path": "/var/run/secrets/azure/tokens/azure-identity-token",
+				"client_assertion_type": "urn:ietf:params:oauth:my-thing"
+			}
+		}
+	}`
+
+	client, err := New([]byte(conf), map[string]*keys.Config{})
+	if err != nil {
+		t.Fatalf("New() = %v", err)
+	}
+
+	if _, err := client.config.Credentials.OAuth2.NewClient(client.config); err != nil {
+		t.Fatalf("OAuth2.NewClient() = %q", err)
+	}
+
+	if client.config.Credentials.OAuth2.ClientAssertionType != "urn:ietf:params:oauth:my-thing" {
+		t.Errorf("OAuth2.ClientAssertionType = %v, want = %v", client.config.Credentials.OAuth2.ClientAssertionType, "urn:ietf:params:oauth:my-thing")
+	}
+}
diff --git a/plugins/rest/rest_test.go b/plugins/rest/rest_test.go
@@ -770,6 +770,38 @@ func TestNew(t *testing.T) {
 			}`,
 			wantErr: true,
 		},
+		{
+			name: "Oauth2CredsClientAssertionPath",
+			input: fmt.Sprintf(`{
+				"name": "foo",
+				"url": "http://localhost",
+				"credentials": {
+					"oauth2": {
+						"grant_type": %q,
+						"token_url": "https://localhost",
+						"client_id": "client_one",
+						"client_assertion_path": "/some/file",
+						"scopes": ["profile", "opa"]
+					}
+				}
+			}`, grantTypeClientCredentials),
+		},
+		{
+			name: "Oauth2CredsClientAssertion",
+			input: fmt.Sprintf(`{
+				"name": "foo",
+				"url": "http://localhost",
+				"credentials": {
+					"oauth2": {
+						"grant_type": %q,
+						"token_url": "https://localhost",
+						"client_id": "client_one",
+						"client_assertion": "assertive",
+						"scopes": ["profile", "opa"]
+					}
+				}
+			}`, grantTypeClientCredentials),
+		},
 	}
 
 	var results []Client