Backport of [NET-4792] Add integrations tests for jwt-auth into release/1.16.x (#18173)
backport of commit e588acf2ee4752334f640be389ae3843aac501de Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
This commit is contained in:
parent
761fdacda6
commit
e1ef25d91a
|
@ -8,7 +8,6 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
|
@ -18,6 +17,7 @@ import (
|
|||
|
||||
"github.com/hashicorp/consul/api"
|
||||
"github.com/hashicorp/consul/sdk/testutil/retry"
|
||||
"github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
|
||||
"github.com/hashicorp/serf/serf"
|
||||
|
||||
goretry "github.com/avast/retry-go"
|
||||
|
|
|
@ -167,14 +167,13 @@ func NewConnectService(ctx context.Context, sidecarCfg SidecarConfig, serviceBin
|
|||
namePrefix := fmt.Sprintf("%s-service-connect-%s", node.GetDatacenter(), sidecarCfg.Name)
|
||||
containerName := utils.RandName(namePrefix)
|
||||
|
||||
agentConfig := node.GetConfig()
|
||||
internalAdminPort, err := node.ClaimAdminPort()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
fmt.Println("agent image name", agentConfig.DockerImage())
|
||||
imageVersion := utils.SideCarVersion(agentConfig.DockerImage())
|
||||
fmt.Println("agent image name", nodeConfig.DockerImage())
|
||||
imageVersion := utils.SideCarVersion(nodeConfig.DockerImage())
|
||||
req := testcontainers.ContainerRequest{
|
||||
Image: fmt.Sprintf("consul-envoy:%s", imageVersion),
|
||||
WaitingFor: wait.ForLog("").WithStartupTimeout(100 * time.Second),
|
||||
|
@ -238,6 +237,21 @@ func NewConnectService(ctx context.Context, sidecarCfg SidecarConfig, serviceBin
|
|||
req.Env["CONSUL_GRPC_ADDR"] = fmt.Sprintf("http://127.0.0.1:%d", 8502)
|
||||
}
|
||||
|
||||
if nodeConfig.ACLEnabled {
|
||||
client := node.GetClient()
|
||||
token, _, err := client.ACL().TokenCreate(&api.ACLToken{
|
||||
ServiceIdentities: []*api.ACLServiceIdentity{
|
||||
{ServiceName: sidecarCfg.ServiceID},
|
||||
},
|
||||
}, nil)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
req.Env["CONSUL_HTTP_TOKEN"] = token.SecretID
|
||||
}
|
||||
|
||||
var (
|
||||
appPortStrs []string
|
||||
adminPortStr = strconv.Itoa(internalAdminPort)
|
||||
|
|
|
@ -24,20 +24,22 @@ import (
|
|||
"time"
|
||||
)
|
||||
|
||||
// TestJWTAuthConnectService summary
|
||||
// TestJWTAuthConnectService summary:
|
||||
// This test ensures that when we have an intention referencing a JWT, requests
|
||||
// without JWT authorization headers are denied. And requests with the correct JWT
|
||||
// Authorization header are successful
|
||||
// without JWT authorization headers are denied and requests with the correct JWT
|
||||
// Authorization header are successful.
|
||||
//
|
||||
// Steps:
|
||||
// - Creates a single agent cluster
|
||||
// - Generates a JWKS and 2 JWTs with different claims
|
||||
// - Generates another JWKS with a single JWT
|
||||
// - Configures proxy defaults, providers and intentions
|
||||
// - Creates a static-server and sidecar containers
|
||||
// - Registers the created static-server and sidecar with consul
|
||||
// - Create a static-client and sidecar containers
|
||||
// - Registers the static-client and sidecar with consul
|
||||
// - Ensure client sidecar is running as expected
|
||||
// - Make a request without the JWT Authorization header and expects 401 StatusUnauthorized
|
||||
// - Make a request with the JWT Authorization header and expects a 200
|
||||
// - Runs a couple of scenarios to ensure jwt validation works as expected
|
||||
func TestJWTAuthConnectService(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
|
@ -47,39 +49,65 @@ func TestJWTAuthConnectService(t *testing.T) {
|
|||
ApplyDefaultProxySettings: true,
|
||||
BuildOpts: &libcluster.BuildOptions{
|
||||
Datacenter: "dc1",
|
||||
InjectAutoEncryption: true,
|
||||
InjectGossipEncryption: true,
|
||||
InjectCerts: true,
|
||||
InjectGossipEncryption: false,
|
||||
AllowHTTPAnyway: true,
|
||||
ACLEnabled: true,
|
||||
},
|
||||
})
|
||||
|
||||
// generate jwks and 2 jwts with different claims for provider 1
|
||||
jwksOne, privOne := makeJWKS(t)
|
||||
claimsOne := makeTestClaims("https://legit.issuer.internal/", "https://consul.test")
|
||||
jwtOne := makeJWT(t, privOne, claimsOne, testClaimPayload{UserType: "admin", FirstName: "admin"})
|
||||
jwtOneAdmin := makeJWT(t, privOne, claimsOne, testClaimPayload{UserType: "client", FirstName: "non-admin"})
|
||||
provider1 := makeTestJWTProvider("okta", jwksOne, claimsOne)
|
||||
|
||||
// generate another jwks and jwt for provider 2
|
||||
jwksTwo, privTwo := makeJWKS(t)
|
||||
claimsTwo := makeTestClaims("https://another.issuer.internal/", "https://consul.test")
|
||||
jwtTwo := makeJWT(t, privTwo, claimsTwo, testClaimPayload{})
|
||||
provider2 := makeTestJWTProvider("auth0", jwksTwo, claimsTwo)
|
||||
|
||||
// configure proxy-defaults, jwt providers and intentions
|
||||
configureProxyDefaults(t, cluster)
|
||||
configureJWTProviders(t, cluster, provider1, provider2)
|
||||
configureIntentions(t, cluster, provider1, provider2)
|
||||
|
||||
clientService := createServices(t, cluster)
|
||||
_, clientPort := clientService.GetAddr()
|
||||
_, clientAdminPort := clientService.GetAdminAddr()
|
||||
_, adminPort := clientService.GetAdminAddr()
|
||||
|
||||
libassert.AssertUpstreamEndpointStatus(t, clientAdminPort, "static-server.default", "HEALTHY", 1)
|
||||
libassert.AssertContainerState(t, clientService, "running")
|
||||
libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", clientPort), "static-server", "")
|
||||
libassert.AssertUpstreamEndpointStatus(t, adminPort, "static-server.default", "HEALTHY", 1)
|
||||
|
||||
claims := jwt.Claims{
|
||||
Subject: "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
|
||||
Audience: jwt.Audience{"https://consul.test"},
|
||||
Issuer: "https://legit.issuer.internal/",
|
||||
NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
|
||||
Expiry: jwt.NewNumericDate(time.Now().Add(60 * time.Minute)),
|
||||
}
|
||||
// request to restricted endpoint with no jwt should be denied
|
||||
doRequest(t, fmt.Sprintf("http://localhost:%d/restricted/foo", clientPort), http.StatusForbidden, "")
|
||||
|
||||
jwks, jwt := makeJWKSAndJWT(t, claims)
|
||||
// request with jwt 1 /restricted/foo should be disallowed
|
||||
doRequest(t, fmt.Sprintf("http://localhost:%d/restricted/foo", clientPort), http.StatusForbidden, jwtOne)
|
||||
|
||||
// configure proxy-defaults, jwt-provider and intention
|
||||
configureProxyDefaults(t, cluster)
|
||||
configureJWTProvider(t, cluster, jwks, claims)
|
||||
configureIntentions(t, cluster)
|
||||
// request with jwt 1 /other/foo should be allowed
|
||||
libassert.HTTPServiceEchoesWithHeaders(t, "localhost", clientPort, "other/foo", makeAuthHeaders(jwtOne))
|
||||
|
||||
baseURL := fmt.Sprintf("http://localhost:%d", clientPort)
|
||||
// TODO(roncodingenthusiast): update test to reflect jwt-auth filter in metadata mode
|
||||
doRequest(t, baseURL, http.StatusOK, "")
|
||||
// succeeds with jwt
|
||||
doRequest(t, baseURL, http.StatusOK, jwt)
|
||||
// request with jwt 1 /other/foo with mismatched claims should be disallowed
|
||||
doRequest(t, fmt.Sprintf("http://localhost:%d/other/foo", clientPort), http.StatusForbidden, jwtOneAdmin)
|
||||
|
||||
// request with provider 1 /foo should be allowed
|
||||
libassert.HTTPServiceEchoesWithHeaders(t, "localhost", clientPort, "foo", makeAuthHeaders(jwtOne))
|
||||
|
||||
// request with jwt 2 to /foo should be denied
|
||||
doRequest(t, fmt.Sprintf("http://localhost:%d/foo", clientPort), http.StatusForbidden, jwtTwo)
|
||||
|
||||
// request with jwt 2 to /restricted/foo should be allowed
|
||||
libassert.HTTPServiceEchoesWithHeaders(t, "localhost", clientPort, "restricted/foo", makeAuthHeaders(jwtTwo))
|
||||
|
||||
// request with jwt 2 to /other/foo should be denied
|
||||
doRequest(t, fmt.Sprintf("http://localhost:%d/other/foo", clientPort), http.StatusForbidden, jwtTwo)
|
||||
}
|
||||
|
||||
func makeAuthHeaders(jwt string) map[string]string {
|
||||
return map[string]string{"Authorization": fmt.Sprintf("Bearer %s", jwt)}
|
||||
}
|
||||
|
||||
func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Service {
|
||||
|
@ -92,25 +120,25 @@ func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Servic
|
|||
HTTPPort: 8080,
|
||||
GRPCPort: 8079,
|
||||
}
|
||||
apiOpts := &api.QueryOptions{Token: cluster.TokenBootstrap}
|
||||
|
||||
// Create a service and proxy instance
|
||||
_, _, err := libservice.CreateAndRegisterStaticServerAndSidecar(node, serviceOpts)
|
||||
require.NoError(t, err)
|
||||
|
||||
libassert.CatalogServiceExists(t, client, "static-server-sidecar-proxy", nil)
|
||||
libassert.CatalogServiceExists(t, client, libservice.StaticServerServiceName, nil)
|
||||
libassert.CatalogServiceExists(t, client, "static-server-sidecar-proxy", apiOpts)
|
||||
libassert.CatalogServiceExists(t, client, libservice.StaticServerServiceName, apiOpts)
|
||||
|
||||
// Create a client proxy instance with the server as an upstream
|
||||
clientConnectProxy, err := libservice.CreateAndRegisterStaticClientSidecar(node, "", false, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
libassert.CatalogServiceExists(t, client, "static-client-sidecar-proxy", nil)
|
||||
libassert.CatalogServiceExists(t, client, "static-client-sidecar-proxy", apiOpts)
|
||||
|
||||
return clientConnectProxy
|
||||
}
|
||||
|
||||
// creates a JWKS and JWT that will be used for validation
|
||||
func makeJWKSAndJWT(t *testing.T, claims jwt.Claims) (string, string) {
|
||||
func makeJWKS(t *testing.T) (string, string) {
|
||||
pub, priv, err := libutils.GenerateKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
|
@ -120,46 +148,36 @@ func makeJWKSAndJWT(t *testing.T, claims jwt.Claims) (string, string) {
|
|||
jwksJson, err := json.Marshal(jwks)
|
||||
require.NoError(t, err)
|
||||
|
||||
type orgs struct {
|
||||
Primary string `json:"primary"`
|
||||
}
|
||||
privateCl := struct {
|
||||
FirstName string `json:"first_name"`
|
||||
Org orgs `json:"org"`
|
||||
Groups []string `json:"groups"`
|
||||
}{
|
||||
FirstName: "jeff2",
|
||||
Org: orgs{"engineering"},
|
||||
Groups: []string{"foo", "bar"},
|
||||
}
|
||||
return string(jwksJson), priv
|
||||
}
|
||||
|
||||
jwt, err := libutils.SignJWT(priv, claims, privateCl)
|
||||
type testClaimPayload struct {
|
||||
UserType string
|
||||
FirstName string
|
||||
}
|
||||
|
||||
func makeJWT(t *testing.T, priv string, claims jwt.Claims, payload testClaimPayload) string {
|
||||
jwt, err := libutils.SignJWT(priv, claims, payload)
|
||||
require.NoError(t, err)
|
||||
return string(jwksJson), jwt
|
||||
|
||||
return jwt
|
||||
}
|
||||
|
||||
// configures the protocol to http as this is needed for jwt-auth
|
||||
func configureProxyDefaults(t *testing.T, cluster *libcluster.Cluster) {
|
||||
client := cluster.Agents[0].GetClient()
|
||||
|
||||
ok, _, err := client.ConfigEntries().Set(&api.ProxyConfigEntry{
|
||||
require.NoError(t, cluster.ConfigEntryWrite(&api.ProxyConfigEntry{
|
||||
Kind: api.ProxyDefaults,
|
||||
Name: api.ProxyConfigGlobal,
|
||||
Config: map[string]interface{}{
|
||||
"protocol": "http",
|
||||
},
|
||||
}, nil)
|
||||
require.NoError(t, err)
|
||||
require.True(t, ok)
|
||||
}))
|
||||
}
|
||||
|
||||
// creates a JWT local provider
|
||||
func configureJWTProvider(t *testing.T, cluster *libcluster.Cluster, jwks string, claims jwt.Claims) {
|
||||
client := cluster.Agents[0].GetClient()
|
||||
|
||||
ok, _, err := client.ConfigEntries().Set(&api.JWTProviderConfigEntry{
|
||||
func makeTestJWTProvider(name string, jwks string, claims jwt.Claims) *api.JWTProviderConfigEntry {
|
||||
return &api.JWTProviderConfigEntry{
|
||||
Kind: api.JWTProvider,
|
||||
Name: "test-jwt",
|
||||
Name: name,
|
||||
JSONWebKeySet: &api.JSONWebKeySet{
|
||||
Local: &api.LocalJWKS{
|
||||
JWKS: base64.StdEncoding.EncodeToString([]byte(jwks)),
|
||||
|
@ -167,42 +185,85 @@ func configureJWTProvider(t *testing.T, cluster *libcluster.Cluster, jwks string
|
|||
},
|
||||
Issuer: claims.Issuer,
|
||||
Audiences: claims.Audience,
|
||||
}, nil)
|
||||
require.NoError(t, err)
|
||||
require.True(t, ok)
|
||||
}
|
||||
}
|
||||
|
||||
// creates a JWT local provider
|
||||
func configureJWTProviders(t *testing.T, cluster *libcluster.Cluster, providers ...*api.JWTProviderConfigEntry) {
|
||||
for _, prov := range providers {
|
||||
require.NoError(t, cluster.ConfigEntryWrite(prov))
|
||||
}
|
||||
}
|
||||
|
||||
// creates an intention referencing the jwt provider
|
||||
func configureIntentions(t *testing.T, cluster *libcluster.Cluster) {
|
||||
client := cluster.Agents[0].GetClient()
|
||||
|
||||
ok, _, err := client.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{
|
||||
func configureIntentions(t *testing.T, cluster *libcluster.Cluster, provider1, provider2 *api.JWTProviderConfigEntry) {
|
||||
intention := api.ServiceIntentionsConfigEntry{
|
||||
Kind: "service-intentions",
|
||||
Name: libservice.StaticServerServiceName,
|
||||
Sources: []*api.SourceIntention{
|
||||
{
|
||||
Name: libservice.StaticClientServiceName,
|
||||
Permissions: []*api.IntentionPermission{
|
||||
{
|
||||
Action: api.IntentionActionAllow,
|
||||
},
|
||||
HTTP: &api.IntentionHTTPPermission{
|
||||
PathPrefix: "/restricted/",
|
||||
},
|
||||
JWT: &api.IntentionJWTRequirement{
|
||||
Providers: []*api.IntentionJWTProvider{
|
||||
{
|
||||
Name: "test-jwt",
|
||||
VerifyClaims: []*api.IntentionJWTClaimVerification{},
|
||||
Name: provider2.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
}, nil)
|
||||
require.NoError(t, err)
|
||||
require.True(t, ok)
|
||||
},
|
||||
{
|
||||
Action: api.IntentionActionAllow,
|
||||
HTTP: &api.IntentionHTTPPermission{
|
||||
PathPrefix: "/",
|
||||
},
|
||||
JWT: &api.IntentionJWTRequirement{
|
||||
Providers: []*api.IntentionJWTProvider{
|
||||
{
|
||||
Name: provider1.Name,
|
||||
VerifyClaims: []*api.IntentionJWTClaimVerification{
|
||||
{
|
||||
Path: []string{"UserType"},
|
||||
Value: "admin",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "other-client",
|
||||
Permissions: []*api.IntentionPermission{
|
||||
{
|
||||
Action: api.IntentionActionAllow,
|
||||
HTTP: &api.IntentionHTTPPermission{
|
||||
PathPrefix: "/other/",
|
||||
},
|
||||
JWT: &api.IntentionJWTRequirement{
|
||||
Providers: []*api.IntentionJWTProvider{
|
||||
{
|
||||
Name: provider2.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
require.NoError(t, cluster.ConfigEntryWrite(&intention))
|
||||
}
|
||||
|
||||
func doRequest(t *testing.T, url string, expStatus int, jwt string) {
|
||||
retry.RunWith(&retry.Timer{Timeout: 5 * time.Second, Wait: time.Second}, t, func(r *retry.R) {
|
||||
|
||||
client := cleanhttp.DefaultClient()
|
||||
|
||||
req, err := http.NewRequest("GET", url, nil)
|
||||
require.NoError(r, err)
|
||||
if jwt != "" {
|
||||
|
@ -213,3 +274,13 @@ func doRequest(t *testing.T, url string, expStatus int, jwt string) {
|
|||
require.Equal(r, expStatus, resp.StatusCode)
|
||||
})
|
||||
}
|
||||
|
||||
func makeTestClaims(issuer, audience string) jwt.Claims {
|
||||
return jwt.Claims{
|
||||
Subject: "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
|
||||
Audience: jwt.Audience{audience},
|
||||
Issuer: issuer,
|
||||
NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
|
||||
Expiry: jwt.NewNumericDate(time.Now().Add(60 * time.Minute)),
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue