Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the groups claim to the attribute request.auth.groups #1896

Merged
merged 7 commits into from
Aug 7, 2018
Merged

Add the groups claim to the attribute request.auth.groups #1896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6ca1fe9
Add the groups JWT claims to the attribute request.auth.groups
lei-tang Aug 7, 2018
027e26c
Fix lint errors
lei-tang Aug 7, 2018
4d42289
Simplify the code
lei-tang Aug 7, 2018
ad26f53
Fix lint error
lei-tang Aug 7, 2018
9fa8cf5
Simplify the code
lei-tang Aug 7, 2018
0b604c8
Add a test
lei-tang Aug 7, 2018
1a5a19a
Fix the test error
lei-tang Aug 7, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions include/istio/utils/attribute_names.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ struct AttributeName {
// Authentication attributes
static const char kRequestAuthPrincipal[];
static const char kRequestAuthAudiences[];
static const char kRequestAuthGroups[];
static const char kRequestAuthPresenter[];
static const char kRequestAuthClaims[];
static const char kRequestAuthRawClaims[];
Expand Down
29 changes: 29 additions & 0 deletions src/envoy/http/authn/authn_utils.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ namespace {
// The JWT audience key name
static const std::string kJwtAudienceKey = "aud";

// The JWT groups key name
static const std::string kJwtGroupsKey = "groups";

// Extract JWT audience into the JwtPayload.
// This function should to be called after the claims are extracted.
void ExtractJwtAudience(
Expand All @@ -48,6 +51,30 @@ void ExtractJwtAudience(
// Not convertable to string array
}
}

// Extract JWT groups into the JwtPayload.
// This function should to be called after the claims are extracted.
void ExtractJwtGroups(
const Envoy::Json::Object& obj,
const ::google::protobuf::Map< ::std::string, ::std::string>& claims,
istio::authn::JwtPayload* payload) {
const std::string& key = kJwtGroupsKey;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we extend this to any string array claims?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The claim key (e.g., kJwtGroupsKey, kJwtAudienceKey) can be extended as an argument of the extraction function to support extracting any claims with the key. However, it is not straightforward to make the following statements in these extraction functions to be generic for extracting any claim key. If you have a way to do it, please let me know.
payload->add_audiences(claims.at(key));
payload->add_groups(claims.at(key));

// "groups" can be either string array or string.
// First, try as string
if (claims.count(key) > 0) {
payload->add_groups(claims.at(key));
return;
}
// Next, try as string array
try {
std::vector<std::string> group_vector = obj.getStringArray(key);
for (const std::string group : group_vector) {
payload->add_groups(group);
}
} catch (Json::Exception& e) {
// Not convertable to string array
}
}
}; // namespace

// Retrieve the JwtPayload from the HTTP headers with the key
Expand Down Expand Up @@ -98,6 +125,8 @@ bool AuthnUtils::GetJWTPayloadFromHeaders(
// Extract audience
// ExtractJwtAudience() should be called after claims are extracted.
ExtractJwtAudience(*json_obj, payload->claims(), payload);
// ExtractJwtGroups() should be called after claims are extracted.
ExtractJwtGroups(*json_obj, payload->claims(), payload);
// Build user
if (claims->count("iss") > 0 && claims->count("sub") > 0) {
payload->set_user((*claims)["iss"] + "/" + (*claims)["sub"]);
Expand Down
9 changes: 9 additions & 0 deletions src/envoy/utils/authn.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,15 @@ void Authentication::SaveAuthAttributesToStruct(
setKeyValue(data, istio::utils::AttributeName::kRequestAuthAudiences,
origin.audiences(0));
}
if (!origin.groups().empty()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is about to be removed. You need to add this logic to SaveAuthAttributesToStruct instead.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have discussed it offline and it is already in SaveAuthAttributesToStruct.

::google::protobuf::ListValue* value;
value = (*data.mutable_fields())
[istio::utils::AttributeName::kRequestAuthGroups]
.mutable_list_value();
for (int i = 0; i < origin.groups().size(); i++) {
value->add_values()->set_string_value(origin.groups(i));
}
}
if (!origin.presenter().empty()) {
setKeyValue(data, istio::utils::AttributeName::kRequestAuthPresenter,
origin.presenter());
Expand Down
14 changes: 14 additions & 0 deletions src/envoy/utils/authn_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ TEST_F(AuthenticationTest, SaveAuthAttributesToStruct) {
origin->add_audiences("audiences0");
origin->add_audiences("audiences1");
origin->set_presenter("presenter");
origin->add_groups("group1");
origin->add_groups("group2");
auto claim = origin->mutable_claims();
(*claim)["key1"] = "value1";
(*claim)["key2"] = "value2";
Expand All @@ -92,6 +94,18 @@ TEST_F(AuthenticationTest, SaveAuthAttributesToStruct) {
.at(istio::utils::AttributeName::kRequestAuthAudiences)
.string_value(),
"audiences0");
EXPECT_EQ(data.fields()
.at(istio::utils::AttributeName::kRequestAuthGroups)
.list_value()
.values(0)
.string_value(),
"group1");
EXPECT_EQ(data.fields()
.at(istio::utils::AttributeName::kRequestAuthGroups)
.list_value()
.values(1)
.string_value(),
"group2");
EXPECT_EQ(data.fields()
.at(istio::utils::AttributeName::kRequestAuthPresenter)
.string_value(),
Expand Down
4 changes: 4 additions & 0 deletions src/istio/authn/context.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,10 @@ message JwtPayload {
// object (map) to access other claims that not cover with the string claims
// map above.
string raw_claims = 6;

// The groups claim in the JWT.
// Example: [‘group1’, ‘group2’]
repeated string groups = 7;
}

// Container to hold authenticated attributes from X509 (mTLS).
Expand Down
1 change: 1 addition & 0 deletions src/istio/utils/attribute_names.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ const char AttributeName::kQuotaCacheHit[] = "quota.cache_hit";
// Authentication attributes
const char AttributeName::kRequestAuthPrincipal[] = "request.auth.principal";
const char AttributeName::kRequestAuthAudiences[] = "request.auth.audiences";
const char AttributeName::kRequestAuthGroups[] = "request.auth.groups";
const char AttributeName::kRequestAuthPresenter[] = "request.auth.presenter";
const char AttributeName::kRequestAuthClaims[] = "request.auth.claims";
const char AttributeName::kRequestAuthRawClaims[] = "request.auth.raw_claims";
Expand Down