fix oauth2 jwt headers (ydb-platform#236)

kobzonega · web-flow · commit d74311450d8e · 2024-07-15T13:53:56.000+03:00
diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go
@@ -5,9 +5,9 @@ import (
 )
 
 type ConnectionOptions struct {
-	AccessToken        *AccessTokenAuth       `json:"accessToken,omitempty"`
-	StaticCredentials  *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
-	Oauth2TokenExhange *Oauth2TokenExchange   `json:"oauth2TokenExchange,omitempty"`
+	AccessToken         *AccessTokenAuth       `json:"accessToken,omitempty"`
+	StaticCredentials   *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
+	Oauth2TokenExchange *Oauth2TokenExchange   `json:"oauth2TokenExchange,omitempty"`
 }
 
 type AccessTokenAuth struct {
@@ -22,13 +22,13 @@ type StaticCredentialsAuth struct {
 type Oauth2TokenExchange struct {
 	Endpoint   string            `json:"endpoint"`
 	PrivateKey *CredentialSource `json:"privateKey"`
-	JWTHeader  *JWTHeader        `json:",inline"`
-	JWTClaims  *JWTClaims        `json:",inline"`
+	JWTHeader  `json:",inline"`
+	JWTClaims  `json:",inline"`
 }
 
 type JWTHeader struct {
-	KeyID   string `json:"keyID,omitempty"`
-	SignAlg string `json:"signAlg,omitempty"`
+	KeyID   *string `json:"keyID"`
+	SignAlg string  `json:"signAlg,omitempty"`
 }
 type JWTClaims struct {
 	Issuer   string `json:"issuer,omitempty"`
diff --git a/api/v1alpha1/const.go b/api/v1alpha1/const.go
@@ -33,8 +33,9 @@ const (
 	BinariesDir      = "/opt/ydb/bin"
 	DaemonBinaryName = "ydbd"
 
-	DefaultRootUsername = "root"
-	DefaultRootPassword = ""
+	DefaultRootUsername  = "root"
+	DefaultRootPassword  = ""
+	DefaultSignAlgorithm = "RS256"
 
 	LabelDeploymentKey             = "deployment"
 	LabelDeploymentValueKubernetes = "kubernetes"
diff --git a/api/v1alpha1/storage_webhook.go b/api/v1alpha1/storage_webhook.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"math/rand"
 
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	corev1 "k8s.io/api/core/v1"
@@ -107,6 +108,14 @@ func (r *StorageDefaulter) Default(ctx context.Context, obj runtime.Object) erro
 		return nil
 	}
 
+	if storage.Spec.OperatorConnection != nil {
+		if storage.Spec.OperatorConnection.Oauth2TokenExchange != nil {
+			if storage.Spec.OperatorConnection.Oauth2TokenExchange.SignAlg == "" {
+				storage.Spec.OperatorConnection.Oauth2TokenExchange.SignAlg = DefaultSignAlgorithm
+			}
+		}
+	}
+
 	if storage.Spec.Image == nil {
 		storage.Spec.Image = &PodImage{}
 	}
@@ -171,6 +180,17 @@ func (r *StorageDefaulter) Default(ctx context.Context, obj runtime.Object) erro
 
 var _ webhook.Validator = &Storage{}
 
+func isSignAlgorithmSupported(alg string) bool {
+	supportedAlgs := jwt.GetAlgorithms()
+
+	for _, supportedAlg := range supportedAlgs {
+		if alg == supportedAlg {
+			return true
+		}
+	}
+	return false
+}
+
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *Storage) ValidateCreate() error {
 	storagelog.Info("validate create", "name", r.Name)
@@ -207,6 +227,16 @@ func (r *Storage) ValidateCreate() error {
 		return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
 	}
 
+	if r.Spec.OperatorConnection != nil && r.Spec.OperatorConnection.Oauth2TokenExchange != nil {
+		auth := r.Spec.OperatorConnection.Oauth2TokenExchange
+		if auth.KeyID == nil {
+			return fmt.Errorf("field keyID is required for OAuth2TokenExchange type")
+		}
+		if !isSignAlgorithmSupported(auth.SignAlg) {
+			return fmt.Errorf("signAlg %s does not supported for OAuth2TokenExchange type", auth.SignAlg)
+		}
+	}
+
 	if r.Spec.NodeSets != nil {
 		var nodesInSetsCount int32
 		for _, nodeSetInline := range r.Spec.NodeSets {
@@ -294,6 +324,16 @@ func (r *Storage) ValidateUpdate(old runtime.Object) error {
 		return fmt.Errorf("field 'spec.operatorConnection' does not align with config option `enforce_user_token_requirement: %t`", authEnabled)
 	}
 
+	if r.Spec.OperatorConnection != nil && r.Spec.OperatorConnection.Oauth2TokenExchange != nil {
+		auth := r.Spec.OperatorConnection.Oauth2TokenExchange
+		if auth.KeyID == nil {
+			return fmt.Errorf("field keyID is required for OAuth2TokenExchange type")
+		}
+		if !isSignAlgorithmSupported(auth.SignAlg) {
+			return fmt.Errorf("signAlg %s does not supported for OAuth2TokenExchange type", auth.SignAlg)
+		}
+	}
+
 	if !r.Spec.OperatorSync {
 		oldStorage := old.(*Storage)
 
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/deploy/ydb-operator/Chart.yaml b/deploy/ydb-operator/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.20
+version: 0.5.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.20"
+appVersion: "0.5.21"
diff --git a/deploy/ydb-operator/crds/storage.yaml b/deploy/ydb-operator/crds/storage.yaml
@@ -4900,6 +4900,7 @@ spec:
                         type: string
                     required:
                     - endpoint
+                    - keyID
                     - privateKey
                     type: object
                   staticCredentials:
diff --git a/internal/resources/resource.go b/internal/resources/resource.go
@@ -407,49 +407,39 @@ func getYDBOauth2Credentials(
 		ctx,
 		storage.Namespace,
 		restConfig,
-		auth.Oauth2TokenExhange.PrivateKey.SecretKeyRef,
+		auth.Oauth2TokenExchange.PrivateKey.SecretKeyRef,
 	)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to get RSA private key for Oauth2TokenExchange from secret: %s, key: %s, error: %w",
-			auth.Oauth2TokenExhange.PrivateKey.SecretKeyRef.Name,
-			auth.Oauth2TokenExhange.PrivateKey.SecretKeyRef.Key,
+			auth.Oauth2TokenExchange.PrivateKey.SecretKeyRef.Name,
+			auth.Oauth2TokenExchange.PrivateKey.SecretKeyRef.Key,
 			err)
 	}
+
+	keyID := *auth.Oauth2TokenExchange.KeyID
+	signMethod := jwt.GetSigningMethod(auth.Oauth2TokenExchange.SignAlg)
 	privateKeyPEM, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to parse RSA private key for Oauth2TokenExchange from secret: %s, key: %s, error: %w",
-			auth.Oauth2TokenExhange.PrivateKey.SecretKeyRef.Name,
-			auth.Oauth2TokenExhange.PrivateKey.SecretKeyRef.Key,
+			auth.Oauth2TokenExchange.PrivateKey.SecretKeyRef.Name,
+			auth.Oauth2TokenExchange.PrivateKey.SecretKeyRef.Key,
 			err,
 		)
 	}
 
-	var signMethod jwt.SigningMethod
-	if auth.Oauth2TokenExhange.JWTHeader.SignAlg != "" {
-		if !isSignAlgorithmSupported(auth.Oauth2TokenExhange.JWTHeader.SignAlg) {
-			return nil, fmt.Errorf(
-				"sign algorithm %s does not supported",
-				auth.Oauth2TokenExhange.JWTHeader.SignAlg,
-			)
-		}
-		signMethod = jwt.GetSigningMethod(auth.Oauth2TokenExhange.JWTHeader.SignAlg)
-	} else {
-		signMethod = jwt.SigningMethodRS256
-	}
-
 	return ydbCredentials.NewOauth2TokenExchangeCredentials(
-		ydbCredentials.WithTokenEndpoint(auth.Oauth2TokenExhange.Endpoint),
-		ydbCredentials.WithAudience(auth.Oauth2TokenExhange.JWTClaims.Audience),
+		ydbCredentials.WithTokenEndpoint(auth.Oauth2TokenExchange.Endpoint),
+		ydbCredentials.WithAudience(auth.Oauth2TokenExchange.Audience),
 		ydbCredentials.WithJWTSubjectToken(
+			ydbCredentials.WithKeyID(keyID),
 			ydbCredentials.WithSigningMethod(signMethod),
 			ydbCredentials.WithPrivateKey(privateKeyPEM),
-			ydbCredentials.WithKeyID(auth.Oauth2TokenExhange.JWTHeader.KeyID),
-			ydbCredentials.WithAudience(auth.Oauth2TokenExhange.JWTClaims.Audience),
-			ydbCredentials.WithIssuer(auth.Oauth2TokenExhange.JWTClaims.Issuer),
-			ydbCredentials.WithSubject(auth.Oauth2TokenExhange.JWTClaims.Subject),
-			ydbCredentials.WithID(auth.Oauth2TokenExhange.JWTClaims.ID),
+			ydbCredentials.WithIssuer(auth.Oauth2TokenExchange.Issuer),
+			ydbCredentials.WithSubject(auth.Oauth2TokenExchange.Subject),
+			ydbCredentials.WithID(auth.Oauth2TokenExchange.ID),
+			ydbCredentials.WithAudience(auth.Oauth2TokenExchange.Audience),
 		))
 }
 
@@ -485,7 +475,7 @@ func GetYDBCredentials(
 		return getYDBStaticCredentials(ctx, storage, restConfig)
 	}
 
-	if auth.Oauth2TokenExhange != nil {
+	if auth.Oauth2TokenExchange != nil {
 		return getYDBOauth2Credentials(ctx, storage, restConfig)
 	}
 
@@ -602,14 +592,3 @@ func PodIsReady(e corev1.Pod) bool {
 	}
 	return false
 }
-
-func isSignAlgorithmSupported(alg string) bool {
-	supportedAlgs := jwt.GetAlgorithms()
-
-	for _, supportedAlg := range supportedAlgs {
-		if alg == supportedAlg {
-			return true
-		}
-	}
-	return false
-}
