Merge pull request juju#16174 from ycliuhw/fix/lp-2033261

juju#16174 This PR ensures the JWT authenticator rejects `everyone@external` because this user is only used for juju. ## Checklist - [x] Code style: imports ordered, good names, simple structure, etc - [x] Comments saying why design decisions were made - [x] Go unit tests, with comments saying what you're testing - [ ] ~[Integration tests](https://github.com/juju/juju/tree/main/tests), with comments saying what you're testing~ - [ ] ~[doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~ ## QA steps ```sh juju add-model m31-from-jaas aws/ap-southeast-2 juju models --all Controller: jimm-staging Model Cloud/Region Type Status Machines Cores Units Access Last connection m31-from-jaas* aws/ap-southeast-2 ec2 available 0 0 0 admin never connected juju deploy juju-qa-dummy-source -m jimm-staging:m311-from-jaas Located charm "juju-qa-dummy-source" in charm-hub, revision 6 Deploying "juju-qa-dummy-source" from charm-hub charm "juju-qa-dummy-source", revision 6 in channel stable on ubuntu@20.04/stable juju status -m jimm-staging:m31-from-jaas Model Controller Cloud/Region Version SLA Timestamp m31-from-jaas jimm-staging aws/ap-southeast-2 3.2.4.1 unsupported 19:28:37+10:00 App Version Status Scale Charm Channel Rev Exposed Message dummy-source waiting 0/1 juju-qa-dummy-source stable 6 no waiting for machine Unit Workload Agent Machine Public address Ports Message dummy-source/0 waiting allocating 0 waiting for machine Machine State Address Inst id Base AZ Message 0 pending pending ubuntu@20.04 Start instance attempt 1 ``` ## Documentation changes No ## Bug reference https://bugs.launchpad.net/juju/+bug/2033261
jack-w-shaw · Sep 1, 2023 · a6cc97e · a6cc97e
2 parents 5104447 + 1819807
commit a6cc97e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/apiserver/authentication/jwt/jwt.go b/apiserver/authentication/jwt/jwt.go
@@ -16,6 +16,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 
 	"github.com/juju/juju/apiserver/authentication"
+	"github.com/juju/juju/apiserver/common"
 	apiservererrors "github.com/juju/juju/apiserver/errors"
 	"github.com/juju/juju/core/permission"
 )
@@ -110,8 +111,13 @@ func (t TokenEntity) Tag() names.Tag {
 // SubjectPermissions implements PermissionDelegator
 func (p *PermissionDelegator) SubjectPermissions(
 	e authentication.Entity,
-	s names.Tag,
-) (permission.Access, error) {
+	subject names.Tag,
+) (a permission.Access, err error) {
+	if e.Tag().Id() == common.EveryoneTagName {
+		// JWT auth process does not support everyone@external.
+		// The everyone@external will be never included in the JWT token at least for now.
+		return permission.NoAccess, nil
+	}
 	tokenEntity, err := userFromToken(p.Token)
 	if err != nil {
 		return permission.NoAccess, errors.Trace(err)
@@ -121,7 +127,7 @@ func (p *PermissionDelegator) SubjectPermissions(
 	if tokenEntity.Tag().String() != e.Tag().String() {
 		return permission.NoAccess, fmt.Errorf("%w to use token permissions for one entity on another", errors.NotValid)
 	}
-	return PermissionFromToken(p.Token, s)
+	return PermissionFromToken(p.Token, subject)
 }
 
 // PermissionsError implements PermissionDelegator

diff --git a/apiserver/authentication/jwt/jwt_test.go b/apiserver/authentication/jwt/jwt_test.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/juju/juju/apiserver/authentication"
 	"github.com/juju/juju/apiserver/authentication/jwt"
+	"github.com/juju/juju/apiserver/common"
 	apitesting "github.com/juju/juju/apiserver/testing"
 	"github.com/juju/juju/core/permission"
 	"github.com/juju/juju/testing"
@@ -139,10 +140,16 @@ func (s *loginTokenSuite) TestPermissionsForDifferentEntity(c *gc.C) {
 	badUser := jwt.TokenEntity{
 		User: names.NewUserTag("wallyworld"),
 	}
-
 	perm, err := authInfo.Delegator.SubjectPermissions(badUser, modelTag)
 	c.Assert(errors.Is(err, errors.NotValid), jc.IsTrue)
 	c.Assert(perm, gc.Equals, permission.NoAccess)
+
+	badUser = jwt.TokenEntity{
+		User: names.NewUserTag(common.EveryoneTagName),
+	}
+	perm, err = authInfo.Delegator.SubjectPermissions(badUser, modelTag)
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(perm, gc.Equals, permission.NoAccess)
 }
 
 func (s *loginTokenSuite) TestControllerSuperuser(c *gc.C) {