From 6a2339cfcd4ab6354e4a5daa4bf0ce419678d7d0 Mon Sep 17 00:00:00 2001
From: Kelvin Liu
Date: Thu, 31 Aug 2023 19:44:04 +1000
Subject: [PATCH 1/2] Handle everyone@external in jwt authenticator;
---
 apiserver/authentication/jwt/jwt.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/apiserver/authentication/jwt/jwt.go b/apiserver/authentication/jwt/jwt.go
index ce8062f05ae..db353b0af4d 100644
--- a/apiserver/authentication/jwt/jwt.go
+++ b/apiserver/authentication/jwt/jwt.go
@@ -11,15 +11,19 @@ import (
 "time"
 "github.com/juju/errors"
+ "github.com/juju/loggo"
 "github.com/juju/names/v4"
 "github.com/lestrrat-go/jwx/v2/jwk"
 "github.com/lestrrat-go/jwx/v2/jwt"
 "github.com/juju/juju/apiserver/authentication"
+ "github.com/juju/juju/apiserver/common"
 apiservererrors "github.com/juju/juju/apiserver/errors"
 "github.com/juju/juju/core/permission"
 )
+var logger = loggo.GetLogger("juju.apiserver.authentication.jwt")
+
 type Authenticator interface {
 authentication.RequestAuthenticator
 TokenParser
@@ -110,8 +114,13 @@ func (t TokenEntity) Tag() names.Tag {
 // SubjectPermissions implements PermissionDelegator
 func (p *PermissionDelegator) SubjectPermissions(
 e authentication.Entity,
- s names.Tag,
-) (permission.Access, error) {
+ subject names.Tag,
+) (a permission.Access, err error) {
+ if e.Tag().Id() == common.EveryoneTagName {
+ // JWT auth process does not support everyone@external.
+ // The everyone@external will be never included in the JWT token at least for now.
+ return permission.NoAccess, nil
+ }
 tokenEntity, err := userFromToken(p.Token)
 if err != nil {
 return permission.NoAccess, errors.Trace(err)
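Review bot: The new signature names the results `(a permission.Access, err error)` but neither name is used — `a` is never assigned and every path returns explicit values — so the change from the unnamed `(permission.Access, error)` only adds noise; keep the unnamed form. The everyone@external guard itself is the fail-closed choice: without it the entity/token comparison a few lines below would reject that subject as NotValid, and the guard turns that into NoAccess with a nil error, which the comment should say so the nil error is not later "fixed" into a failure, e.g. `// everyone@external is never the subject of a JWT (at least for now), so it contributes no access; report NoAccess rather than the NotValid the entity/token mismatch check below would raise.` The guard also compares only `Id()`, so it matches any tag kind whose id is the everyone name; `if ut, ok := e.Tag().(names.UserTag); ok && ut.Id() == common.EveryoneTagName {` would make the intent explicit, though since the fallthrough is also a denial this is a clarity nit rather than a defect. SubjectPermissions continues past the end of this hunk.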
@@ -121,7 +130,7 @@ func (p *PermissionDelegator) SubjectPermissions(
 if tokenEntity.Tag().String() != e.Tag().String() {
 return permission.NoAccess, fmt.Errorf("%w to use token permissions for one entity on another", errors.NotValid)
 }
- return PermissionFromToken(p.Token, s)
+ return PermissionFromToken(p.Token, subject)
 }
 // PermissionsError implements PermissionDelegator
@@ -142,6 +151,7 @@ func (j *JWTAuthenticator) Parse(ctx context.Context, tok string) (jwt.Token, au
 return nil, nil, errors.New("no jwt authToken parser configured")
 }
 tokBytes, err := base64.StdEncoding.DecodeString(tok)
+ logger.Tracef("token %s, error %#v", string(tokBytes), err)
 if err != nil {
 return nil, nil, errors.Annotate(err, "invalid jwt authToken in request")
 }
From 1819807e05d4814c8655f37014c493dd26457c63 Mon Sep 17 00:00:00 2001
From: Kelvin Liu
Date: Fri, 1 Sep 2023 12:26:04 +1000
Subject: [PATCH 2/2] Add test for SubjectPermissions in jwt authenticator;
---
 apiserver/authentication/jwt/jwt.go | 4 ----
 apiserver/authentication/jwt/jwt_test.go | 9 ++++++++-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/apiserver/authentication/jwt/jwt.go b/apiserver/authentication/jwt/jwt.go
index db353b0af4d..8b53fe7e1db 100644
--- a/apiserver/authentication/jwt/jwt.go
+++ b/apiserver/authentication/jwt/jwt.go
@@ -11,7 +11,6 @@ import (
 "time"
 "github.com/juju/errors"
- "github.com/juju/loggo"
 "github.com/juju/names/v4"
 "github.com/lestrrat-go/jwx/v2/jwk"
 "github.com/lestrrat-go/jwx/v2/jwt"
@@ -22,8 +21,6 @@ import (
 "github.com/juju/juju/core/permission"
 )
-var logger = loggo.GetLogger("juju.apiserver.authentication.jwt")
-
 type Authenticator interface {
 authentication.RequestAuthenticator
 TokenParser
@@ -151,7 +148,6 @@ func (j *JWTAuthenticator) Parse(ctx context.Context, tok string) (jwt.Token, au
 return nil, nil, errors.New("no jwt authToken parser configured")
 }
 tokBytes, err := base64.StdEncoding.DecodeString(tok)
- logger.Tracef("token %s, error %#v", string(tokBytes), err)
 if err != nil {
 return nil, nil, errors.Annotate(err, "invalid jwt authToken in request")
 }
diff --git a/apiserver/authentication/jwt/jwt_test.go b/apiserver/authentication/jwt/jwt_test.go
index af9871b7dd7..2e126cf4158 100644
--- a/apiserver/authentication/jwt/jwt_test.go
+++ b/apiserver/authentication/jwt/jwt_test.go
@@ -18,6 +18,7 @@ import (
 "github.com/juju/juju/apiserver/authentication"
 "github.com/juju/juju/apiserver/authentication/jwt"
+ "github.com/juju/juju/apiserver/common"
 apitesting "github.com/juju/juju/apiserver/testing"
 "github.com/juju/juju/core/permission"
 "github.com/juju/juju/testing"
@@ -139,10 +140,16 @@ func (s *loginTokenSuite) TestPermissionsForDifferentEntity(c *gc.C) {
 badUser := jwt.TokenEntity{
 User: names.NewUserTag("wallyworld"),
 }
-
 perm, err := authInfo.Delegator.SubjectPermissions(badUser, modelTag)
 c.Assert(errors.Is(err, errors.NotValid), jc.IsTrue)
 c.Assert(perm, gc.Equals, permission.NoAccess)
+
+ badUser = jwt.TokenEntity{
+ User: names.NewUserTag(common.EveryoneTagName),
+ }
+ perm, err = authInfo.Delegator.SubjectPermissions(badUser, modelTag)
+ c.Assert(err, jc.ErrorIsNil)
+ c.Assert(perm, gc.Equals, permission.NoAccess)
 }
 func (s *loginTokenSuite) TestControllerSuperuser(c *gc.C) {
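Review bot: The everyone@external case is appended to TestPermissionsForDifferentEntity and reuses `badUser`, so a regression in the new guard would be reported under a test name that describes the mismatched-entity scenario instead. A separate `func (s *loginTokenSuite) TestPermissionsForEveryoneExternal(c *gc.C)` with the entity named `everyone` would keep the two contracts (NotValid for another user, nil error and NoAccess for everyone@external) independently visible. Since the production guard keys only on the entity id and ignores the subject, it may also be worth a second call with a different subject tag to pin that the denial does not depend on it. The enclosing test function starts before this hunk.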