diff --git a/executor/jwt_authenticator_test.go b/executor/jwt_authenticator_test.go
deleted file mode 100644
index 8c1993e0..00000000
--- a/executor/jwt_authenticator_test.go
+++ /dev/null
@@ -1,186 +0,0 @@
-package executor
-
-import (
- "testing"
-)
-
-func Test_isAuthorized(t *testing.T) {
- tests := []struct {
- name string
- want bool
- permissions AuthPermissions
- namespace string
- function string
- }{
- {
- name: "deny empty permission list",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "allow empty audience list",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"staging:env"},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "allow cluster wildcard",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"*"},
- },
- namespace: "staging",
- function: "figlet",
- },
- {
- name: "allow function wildcard",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"dev:*"},
- },
- namespace: "dev",
- function: "figlet",
- },
- {
- name: "allow namespace wildcard",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"*:env"},
- },
- namespace: "openfaas-fn",
- function: "env",
- },
- {
- name: "allow function",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:env"},
- },
- namespace: "openfaas-fn",
- function: "env",
- },
- {
- name: "deny function",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:env"},
- },
- namespace: "openfaas-fn",
- function: "figlet",
- },
- {
- name: "deny namespace",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*"},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "deny namespace wildcard",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"*:figlet"},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "multiple permissions allow function",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*", "staging:env"},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "multiple permissions deny function",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:figlet", "staging-*:env"},
- },
- namespace: "staging",
- function: "env",
- },
- {
- name: "allow audience",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*"},
- Audience: []string{"openfaas-fn:env"},
- },
- namespace: "openfaas-fn",
- function: "env",
- },
- {
- name: "deny audience",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*"},
- Audience: []string{"openfaas-fn:env"},
- },
- namespace: "openfaas-fn",
- function: "figlet",
- },
- {
- name: "allow audience function wildcard",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:figlet"},
- Audience: []string{"openfaas-fn:*"},
- },
- namespace: "openfaas-fn",
- function: "figlet",
- },
- {
- name: "deny audience function wildcard",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:figlet", "dev:env"},
- Audience: []string{"openfaas-fn:*"},
- },
- namespace: "dev",
- function: "env",
- },
- {
- name: "deny audience namespace wildcard",
- want: false,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*", "dev:*"},
- Audience: []string{"*:env"},
- },
- namespace: "dev",
- function: "figlet",
- },
- {
- name: "allow audience namespace wildcard",
- want: true,
- permissions: AuthPermissions{
- Permissions: []string{"openfaas-fn:*", "dev:*"},
- Audience: []string{"*:env"},
- },
- namespace: "openfaas-fn",
- function: "env",
- },
- }
-
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- want := test.want
- got := isAuthorized(test.permissions, test.namespace, test.function)
-
- if want != got {
- t.Errorf("want: %t, got: %t", want, got)
- }
- })
- }
-}
diff --git a/go.mod b/go.mod
index 9bda8ec2..ce9c4465 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/openfaas/of-watchdog
 
 go 1.21
 
+replace github.com/openfaas/faas-middleware => /home/welteki/code/openfaas/oss/faas-middleware
+
 require (
  github.com/docker/go-units v0.5.0
  github.com/golang-jwt/jwt/v5 v5.2.1
diff --git a/go.sum b/go.sum
index c73433ee..2d77824f 100644
--- a/go.sum
+++ b/go.sum
@@ -20,8 +20,6 @@ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-github.com/openfaas/faas-middleware v1.2.3 h1:nRib38/i5eNdUTTKA7ILgO/Xns5zVorCO6lIBjr2xA0=
-github.com/openfaas/faas-middleware v1.2.3/go.mod h1:pMyWe0SP0zuzIj2on1pmRkZAjGIS+uRk2mp3N6LSlDI=
 github.com/openfaas/faas-provider v0.25.3 h1:cy5GKP1R/xZkPjg+9We7yqpfz298GrKw4ZRYJVprt7Q=
 github.com/openfaas/faas-provider v0.25.3/go.mod h1:NsETIfEndZn4mn/w/XnBTcDTwKqULCziphLp7KgeRcA=
 github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
diff --git a/main.go b/main.go
index ab483d16..0881f436 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ import (
 
  units "github.com/docker/go-units"
  limiter "github.com/openfaas/faas-middleware/concurrency-limiter"
+ auth "github.com/openfaas/faas-middleware/function-auth"
  "github.com/openfaas/of-watchdog/config"
  "github.com/openfaas/of-watchdog/executor"
  "github.com/openfaas/of-watchdog/metrics"
@@ -75,7 +76,7 @@ func main() {
  requestHandler := baseFunctionHandler
 
  if watchdogConfig.JWTAuthentication {
- handler, err := executor.NewJWTAuthMiddleware(baseFunctionHandler)
+ handler, err := auth.NewJWTAuthMiddleware(baseFunctionHandler)
  if err != nil {
  log.Fatalf("Error creating JWTAuthMiddleware: %s", err.Error())
  }
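Review bot: The added `replace github.com/openfaas/faas-middleware => /home/welteki/code/openfaas/oss/faas-middleware` points at an absolute path in one developer's home directory, so `go mod vendor` and any `-mod=mod` build fail on every other machine and in CI, and the vendored function-auth package can no longer be tied to a tagged release. The go.sum hunk below removes the only `h1:` checksums for faas-middleware, so nothing verifies the vendored copy, which already differs from v1.2.3 (the `X-OpenFaaS-Internal` header added in the vendored jwt_authenticator.go). Because `executor/jwt_authenticator_test.go` is deleted in the same commit, no test in this repository exercises `isAuthorized` any more. Drop the replace and bump the requirement to a published release that contains function-auth, e.g. `require github.com/openfaas/faas-middleware <RELEASE-WITH-FUNCTION-AUTH>` (placeholder), then re-run `go mod vendor` so go.sum and vendor/modules.txt are regenerated from that checksum.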
diff --git a/executor/jwt_authenticator.go b/vendor/github.com/openfaas/faas-middleware/function-auth/jwt_authenticator.go
similarity index 98%
rename from executor/jwt_authenticator.go
rename to vendor/github.com/openfaas/faas-middleware/function-auth/jwt_authenticator.go
index 578f5834..0e4c58dd 100644
--- a/executor/jwt_authenticator.go
+++ b/vendor/github.com/openfaas/faas-middleware/function-auth/jwt_authenticator.go
@@ -1,4 +1,4 @@
-package executor
+package functionauth
 
 import (
  "crypto"
@@ -12,9 +12,8 @@ import (
  "strings"
  "time"
 
- "github.com/rakutentech/jwk-go/jwk"
-
  "github.com/golang-jwt/jwt/v5"
+ "github.com/rakutentech/jwk-go/jwk"
 )
 
 const functionRealm = "IAM function invoke"
@@ -123,6 +122,7 @@ func NewJWTAuthMiddleware(next http.Handler) (http.Handler, error) {
  }
 
  if !isAuthorized(functionClaims.Authentication, namespace, name) {
+ w.Header().Set("X-OpenFaaS-Internal", "faas-middleware")
  http.Error(w, "insufficient permissions", http.StatusForbidden)
  log.Printf("%s %s - %d ACCESS DENIED - (%s)", r.Method, r.URL.Path,
  http.StatusForbidden, time.Since(st).Round(time.Millisecond))
@@ -138,6 +138,7 @@ func NewJWTAuthMiddleware(next http.Handler) (http.Handler, error) {
 // It does not otherwise end the request; the caller should ensure no further writes are done to w.
 // The error message should be plain text.
 func httpUnauthorized(w http.ResponseWriter, err string) {
+ w.Header().Set("X-OpenFaaS-Internal", "faas-middleware")
  w.Header().Set("WWW-Authenticate", fmt.Sprintf("Bearer realm=%s", functionRealm))
  http.Error(w, err, http.StatusUnauthorized)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8034306a..66799df6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -13,9 +13,10 @@ github.com/docker/go-units
 # github.com/golang-jwt/jwt/v5 v5.2.1
 ## explicit; go 1.18
 github.com/golang-jwt/jwt/v5
-# github.com/openfaas/faas-middleware v1.2.3
+# github.com/openfaas/faas-middleware v1.2.3 => /home/welteki/code/openfaas/oss/faas-middleware
 ## explicit; go 1.20
 github.com/openfaas/faas-middleware/concurrency-limiter
+github.com/openfaas/faas-middleware/function-auth
 # github.com/openfaas/faas-provider v0.25.3
 ## explicit; go 1.20
 github.com/openfaas/faas-provider/httputil
@@ -92,3 +93,4 @@ google.golang.org/protobuf/reflect/protoregistry
 google.golang.org/protobuf/runtime/protoiface
 google.golang.org/protobuf/runtime/protoimpl
 google.golang.org/protobuf/types/known/timestamppb
+# github.com/openfaas/faas-middleware => /home/welteki/code/openfaas/oss/faas-middleware