diff options
9 files changed, 477 insertions, 331 deletions
diff --git a/configdefinitions/src/vespa/CMakeLists.txt b/configdefinitions/src/vespa/CMakeLists.txt index 85fc1158afe..29ed0f53421 100644 --- a/configdefinitions/src/vespa/CMakeLists.txt +++ b/configdefinitions/src/vespa/CMakeLists.txt @@ -89,3 +89,4 @@ install_config_definition(hugging-face-embedder.def embedding.huggingface.huggin install_config_definition(hugging-face-tokenizer.def language.huggingface.config.hugging-face-tokenizer.def) install_config_definition(bert-base-embedder.def embedding.bert-base-embedder.def) install_config_definition(cloud-data-plane-filter.def jdisc.http.filter.security.cloud.config.cloud-data-plane-filter.def) +install_config_definition(cloud-token-data-plane-filter.def jdisc.http.filter.security.cloud.config.cloud-token-data-plane-filter.def) diff --git a/configdefinitions/src/vespa/cloud-data-plane-filter.def b/configdefinitions/src/vespa/cloud-data-plane-filter.def index d73c5a49c81..47478a28039 100644 --- a/configdefinitions/src/vespa/cloud-data-plane-filter.def +++ b/configdefinitions/src/vespa/cloud-data-plane-filter.def @@ -2,11 +2,6 @@ namespace=jdisc.http.filter.security.cloud.config legacyMode bool default=false -tokenContext string default="" clients[].id string clients[].permissions[] string clients[].certificates[] string -clients[].tokens[].id string -clients[].tokens[].fingerprints[] string -clients[].tokens[].checkAccessHashes[] string -clients[].tokens[].expirations[] string diff --git a/configdefinitions/src/vespa/cloud-token-data-plane-filter.def b/configdefinitions/src/vespa/cloud-token-data-plane-filter.def new file mode 100644 index 00000000000..3219ae4fa48 --- /dev/null +++ b/configdefinitions/src/vespa/cloud-token-data-plane-filter.def @@ -0,0 +1,10 @@ +# Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +namespace=jdisc.http.filter.security.cloud.config + +tokenContext string default="" +clients[].id string +clients[].permissions[] string +clients[].tokens[].id string +clients[].tokens[].fingerprints[] string +clients[].tokens[].checkAccessHashes[] string +clients[].tokens[].expirations[] string diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java new file mode 100644 index 00000000000..ea627b49d5d --- /dev/null +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/ClientPrincipal.java @@ -0,0 +1,31 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + +package com.yahoo.jdisc.http.filter.security.cloud; + +import com.yahoo.jdisc.http.filter.DiscFilterRequest; + +import java.security.Principal; +import java.util.Set; +import java.util.logging.Logger; + +/** + * @author bjorncs + */ +record ClientPrincipal(Set<String> ids, Set<Permission> permissions) implements Principal { + + private static final Logger log = Logger.getLogger(ClientPrincipal.class.getName()); + + ClientPrincipal { ids = Set.copyOf(ids); permissions = Set.copyOf(permissions); } + @Override public String getName() { + return "ids=%s,permissions=%s".formatted(ids, permissions.stream().map(Permission::asString).toList()); + } + + static ClientPrincipal createForRequest(DiscFilterRequest req, Set<String> ids, Set<Permission> permissions) { + var p = new ClientPrincipal(ids, permissions); + req.setUserPrincipal(p); + log.fine(() -> "Client with ids=%s, permissions=%s" + .formatted(ids, permissions.stream().map(Permission::asString).toList())); + return p; + } +} + diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java index 2dc80fc9d2b..88e70e953b3 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java @@ -2,41 +2,25 @@ package com.yahoo.jdisc.http.filter.security.cloud; import com.yahoo.component.annotation.Inject; -import com.yahoo.component.provider.ComponentRegistry; -import com.yahoo.container.jdisc.AclMapping; -import com.yahoo.container.jdisc.RequestHandlerSpec; -import com.yahoo.container.jdisc.RequestView; -import com.yahoo.container.logging.AccessLogEntry; import com.yahoo.jdisc.Response; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase; import com.yahoo.jdisc.http.filter.security.cloud.config.CloudDataPlaneFilterConfig; -import com.yahoo.jdisc.http.server.jetty.DataplaneProxyCredentials; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.token.Token; -import com.yahoo.security.token.TokenCheckHash; -import com.yahoo.security.token.TokenDomain; -import com.yahoo.security.token.TokenFingerprint; -import java.security.Principal; import java.security.cert.X509Certificate; -import java.time.Clock; -import java.time.Instant; import java.util.ArrayList; import java.util.EnumSet; -import java.util.HashMap; import java.util.HashSet; import java.util.List; -import java.util.Map; import java.util.Optional; import java.util.Set; import java.util.TreeSet; import java.util.logging.Logger; -import java.util.stream.Collectors; -import static com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.Permission.READ; -import static com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.Permission.WRITE; -import static com.yahoo.jdisc.http.server.jetty.AccessLoggingRequestHandler.CONTEXT_KEY_ACCESS_LOG_ENTRY; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.READ; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.WRITE; + /** * Data plane filter for Cloud @@ -50,91 +34,49 @@ import static com.yahoo.jdisc.http.server.jetty.AccessLoggingRequestHandler.CONT public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase { private static final Logger log = Logger.getLogger(CloudDataPlaneFilter.class.getName()); - static final int CHECK_HASH_BYTES = 32; private final boolean legacyMode; private final List<Client> allowedClients; - private final TokenDomain tokenDomain; - private final Clock clock; @Inject - public CloudDataPlaneFilter(CloudDataPlaneFilterConfig cfg, - ComponentRegistry<DataplaneProxyCredentials> optionalReverseProxy) { - this(cfg, reverseProxyCert(optionalReverseProxy).orElse(null), Clock.systemUTC()); - } - - CloudDataPlaneFilter(CloudDataPlaneFilterConfig cfg, X509Certificate reverseProxyCert, Clock clock) { + public CloudDataPlaneFilter(CloudDataPlaneFilterConfig cfg) { this.legacyMode = cfg.legacyMode(); - this.tokenDomain = TokenDomain.of(cfg.tokenContext()); - this.clock = clock; if (legacyMode) { allowedClients = List.of(); log.fine(() -> "Legacy mode enabled"); } else { - allowedClients = parseClients(cfg, reverseProxyCert, clock); + allowedClients = parseClients(cfg); } } - private static Optional<X509Certificate> reverseProxyCert( - ComponentRegistry<DataplaneProxyCredentials> optionalReverseProxy) { - return optionalReverseProxy.allComponents().stream().findAny().map(DataplaneProxyCredentials::certificate); - } - - private static List<Client> parseClients(CloudDataPlaneFilterConfig cfg, X509Certificate reverseProxyCert, Clock clock) { - var now = clock.instant(); + private static List<Client> parseClients(CloudDataPlaneFilterConfig cfg) { Set<String> ids = new HashSet<>(); List<Client> clients = new ArrayList<>(cfg.clients().size()); - boolean hasClientRequiringCertificate = false; if (cfg.clients().isEmpty()) throw new IllegalArgumentException("Empty clients configuration"); for (var c : cfg.clients()) { if (ids.contains(c.id())) throw new IllegalArgumentException("Clients definition has duplicate id '%s'".formatted(c.id())); - if (!c.certificates().isEmpty() && !c.tokens().isEmpty()) - throw new IllegalArgumentException("Client '%s' has both certificate and token configured".formatted(c.id())); - if (c.certificates().isEmpty() && c.tokens().isEmpty()) - throw new IllegalArgumentException("Client '%s' has neither certificate nor token configured".formatted(c.id())); - if (!c.tokens().isEmpty() && reverseProxyCert == null) - throw new IllegalArgumentException( - "Client '%s' has token configured but reverse proxy certificate is missing".formatted(c.id())); + if (c.certificates().isEmpty()) + throw new IllegalArgumentException("Client '%s' has no certificate configured".formatted(c.id())); ids.add(c.id()); - EnumSet<Permission> permissions = c.permissions().stream().map(Permission::of) - .collect(Collectors.toCollection(() -> EnumSet.noneOf(Permission.class))); - if (!c.certificates().isEmpty()) { - List<X509Certificate> certs; - try { - certs = c.certificates().stream() - .flatMap(pem -> X509CertificateUtils.certificateListFromPem(pem).stream()).toList(); - } catch (Exception e) { - throw new IllegalArgumentException( - "Client '%s' contains invalid X.509 certificate PEM: %s".formatted(c.id(), e.toString()), e); - } - if (certs.isEmpty()) throw new IllegalArgumentException( - "Client '%s' certificate PEM contains no valid X.509 entries".formatted(c.id())); - clients.add(new Client(c.id(), permissions, certs, Map.of())); - hasClientRequiringCertificate = true; - } else { - var tokens = new HashMap<TokenCheckHash, TokenVersion>(); - for (var token : c.tokens()) { - for (int version = 0; version < token.checkAccessHashes().size(); version++) { - var tokenVersion = TokenVersion.of( - token.id(), token.fingerprints().get(version), token.checkAccessHashes().get(version), - token.expirations().get(version)); - tokens.put(tokenVersion.accessHash(), tokenVersion); - } - } - // Add reverse proxy certificate as required certificate for client definition - clients.add(new Client(c.id(), permissions, List.of(reverseProxyCert), tokens)); + List<X509Certificate> certs; + try { + certs = c.certificates().stream() + .flatMap(pem -> X509CertificateUtils.certificateListFromPem(pem).stream()).toList(); + } catch (Exception e) { + throw new IllegalArgumentException( + "Client '%s' contains invalid X.509 certificate PEM: %s".formatted(c.id(), e.toString()), e); } + if (certs.isEmpty()) throw new IllegalArgumentException( + "Client '%s' certificate PEM contains no valid X.509 entries".formatted(c.id())); + clients.add(new Client(c.id(), Permission.setOf(c.permissions()), certs)); } - if (!hasClientRequiringCertificate) - throw new IllegalArgumentException("At least one client must require a certificate"); log.fine(() -> "Configured clients with ids %s".formatted(ids)); return clients; } @Override protected Optional<ErrorResponse> filter(DiscFilterRequest req) { - var now = clock.instant(); var certs = req.getClientCertificateChain(); log.fine(() -> "Certificate chain contains %d elements".formatted(certs.size())); if (certs.isEmpty()) { @@ -143,109 +85,28 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase { } if (legacyMode) { log.fine("Legacy mode validation complete"); - req.setUserPrincipal(new ClientPrincipal(Set.of(), Set.of(READ, WRITE))); + ClientPrincipal.createForRequest(req, Set.of(), Set.of(READ, WRITE)); return Optional.empty(); } - RequestView view = req.asRequestView(); - var permission = Optional.ofNullable((RequestHandlerSpec) req.getAttribute(RequestHandlerSpec.ATTRIBUTE_NAME)) - .or(() -> Optional.of(RequestHandlerSpec.DEFAULT_INSTANCE)) - .flatMap(spec -> { - var action = spec.aclMapping().get(view); - var maybePermission = Permission.of(action); - if (maybePermission.isEmpty()) log.fine(() -> "Unknown action '%s'".formatted(action)); - return maybePermission; - }).orElse(null); - if (permission == null) { - log.fine(() -> "No valid permission mapping defined for %s @ '%s'".formatted(view.method(), view.uri())); - return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); - } + var permission = Permission.getRequiredPermission(req).orElse(null); + if (permission == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); var clientCert = certs.get(0); - var requestTokenHash = requestTokenHash(req).orElse(null); var clientIds = new TreeSet<String>(); var permissions = new TreeSet<Permission>(); - var matchedTokens = new HashSet<TokenVersion>(); for (Client c : allowedClients) { if (!c.permissions().contains(permission)) continue; if (!c.certificates().contains(clientCert)) continue; - if (!c.tokens().isEmpty()) { - if (requestTokenHash == null) continue; - var matchedToken = c.tokens().get(requestTokenHash); - if (matchedToken == null) continue; - var expiration = matchedToken.expiration().orElse(null); - if (expiration != null && now.isAfter(expiration)) continue; - matchedTokens.add(matchedToken); - } clientIds.add(c.id()); permissions.addAll(c.permissions()); } - if (matchedTokens.size() > 1) { - log.warning("Multiple tokens matched for request %s" - .formatted(matchedTokens.stream().map(TokenVersion::id).toList())); - return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); - } - var matchedToken = matchedTokens.stream().findAny().orElse(null); - if (matchedToken != null) { - addAccessLogEntry(req, "token.id", matchedToken.id()); - addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString()); - addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>")); - } - log.fine(() -> "Client with ids=%s, permissions=%s" - .formatted(clientIds, permissions.stream().map(Permission::asString).toList())); if (clientIds.isEmpty()) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); - req.setUserPrincipal(new ClientPrincipal(clientIds, permissions)); + ClientPrincipal.createForRequest(req, clientIds, permissions); return Optional.empty(); } - private Optional<TokenCheckHash> requestTokenHash(DiscFilterRequest req) { - return Optional.ofNullable(req.getHeader("Authorization")) - .filter(h -> h.startsWith("Bearer ")) - .map(t -> t.substring("Bearer ".length()).trim()) - .map(t -> TokenCheckHash.of(Token.of(tokenDomain, t), CHECK_HASH_BYTES)); - } - - private static void addAccessLogEntry(DiscFilterRequest req, String key, String value) { - ((AccessLogEntry) req.getAttribute(CONTEXT_KEY_ACCESS_LOG_ENTRY)).addKeyValue(key, value); - } - - public record ClientPrincipal(Set<String> ids, Set<Permission> permissions) implements Principal { - public ClientPrincipal { ids = Set.copyOf(ids); permissions = Set.copyOf(permissions); } - @Override public String getName() { - return "ids=%s,permissions=%s".formatted(ids, permissions.stream().map(Permission::asString).toList()); - } - } - - enum Permission { READ, WRITE; - String asString() { - return switch (this) { - case READ -> "read"; - case WRITE -> "write"; - }; - } - static Permission of(String v) { - return switch (v) { - case "read" -> READ; - case "write" -> WRITE; - default -> throw new IllegalArgumentException("Invalid permission '%s'".formatted(v)); - }; - } - static Optional<Permission> of(AclMapping.Action a) { - if (a.equals(AclMapping.Action.READ)) return Optional.of(READ); - if (a.equals(AclMapping.Action.WRITE)) return Optional.of(WRITE); - return Optional.empty(); - } - } - - private record TokenVersion(String id, TokenFingerprint fingerprint, TokenCheckHash accessHash, Optional<Instant> expiration) { - static TokenVersion of(String id, String fingerprint, String accessHash, String expiration) { - return new TokenVersion(id, TokenFingerprint.ofHex(fingerprint), TokenCheckHash.ofHex(accessHash), - expiration.equals("<none>") ? Optional.empty() : Optional.of(Instant.parse(expiration))); - } - } - - private record Client(String id, EnumSet<Permission> permissions, List<X509Certificate> certificates, - Map<TokenCheckHash, TokenVersion> tokens) { + private record Client(String id, EnumSet<Permission> permissions, List<X509Certificate> certificates) { Client { - permissions = EnumSet.copyOf(permissions); certificates = List.copyOf(certificates); tokens = Map.copyOf(tokens); + permissions = EnumSet.copyOf(permissions); certificates = List.copyOf(certificates); } } } diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java new file mode 100644 index 00000000000..582aa2c8aee --- /dev/null +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilter.java @@ -0,0 +1,148 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.filter.security.cloud; + +import com.yahoo.component.annotation.Inject; +import com.yahoo.container.logging.AccessLogEntry; +import com.yahoo.jdisc.Response; +import com.yahoo.jdisc.http.filter.DiscFilterRequest; +import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase; +import com.yahoo.jdisc.http.filter.security.cloud.config.CloudTokenDataPlaneFilterConfig; +import com.yahoo.security.token.Token; +import com.yahoo.security.token.TokenCheckHash; +import com.yahoo.security.token.TokenDomain; +import com.yahoo.security.token.TokenFingerprint; + +import java.time.Clock; +import java.time.Instant; +import java.util.ArrayList; +import java.util.EnumSet; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.TreeSet; +import java.util.logging.Logger; + +import static com.yahoo.jdisc.http.server.jetty.AccessLoggingRequestHandler.CONTEXT_KEY_ACCESS_LOG_ENTRY; + +/** + * Token data plane filter for Cloud + * + * @author bjorncs + */ +public class CloudTokenDataPlaneFilter extends JsonSecurityRequestFilterBase { + + private static final Logger log = Logger.getLogger(CloudTokenDataPlaneFilter.class.getName()); + static final int CHECK_HASH_BYTES = 32; + + private final List<Client> allowedClients; + private final TokenDomain tokenDomain; + private final Clock clock; + + @Inject + public CloudTokenDataPlaneFilter(CloudTokenDataPlaneFilterConfig cfg) { + this(cfg, Clock.systemUTC()); + } + + CloudTokenDataPlaneFilter(CloudTokenDataPlaneFilterConfig cfg, Clock clock) { + this.tokenDomain = TokenDomain.of(cfg.tokenContext()); + this.clock = clock; + this.allowedClients = parseClients(cfg); + } + + private static List<Client> parseClients(CloudTokenDataPlaneFilterConfig cfg) { + Set<String> ids = new HashSet<>(); + List<Client> clients = new ArrayList<>(cfg.clients().size()); + if (cfg.clients().isEmpty()) throw new IllegalArgumentException("Empty clients configuration"); + for (var c : cfg.clients()) { + if (ids.contains(c.id())) + throw new IllegalArgumentException("Clients definition has duplicate id '%s'".formatted(c.id())); + if (c.tokens().isEmpty()) + throw new IllegalArgumentException("Client '%s' has no tokens configured".formatted(c.id())); + ids.add(c.id()); + var tokens = new HashMap<TokenCheckHash, TokenVersion>(); + for (var token : c.tokens()) { + for (int version = 0; version < token.checkAccessHashes().size(); version++) { + var tokenVersion = TokenVersion.of( + token.id(), token.fingerprints().get(version), token.checkAccessHashes().get(version), + token.expirations().get(version)); + tokens.put(tokenVersion.accessHash(), tokenVersion); + } + } + clients.add(new Client(c.id(), Permission.setOf(c.permissions()), tokens)); + } + log.fine(() -> "Configured clients with ids %s".formatted(ids)); + return List.copyOf(clients); + } + + @Override + protected Optional<ErrorResponse> filter(DiscFilterRequest req) { + var now = clock.instant(); + var bearerToken = requestBearerToken(req).orElse(null); + if (bearerToken == null) { + log.fine("Missing bearer token"); + return Optional.of(new ErrorResponse(Response.Status.UNAUTHORIZED, "Unauthorized")); + } + var permission = Permission.getRequiredPermission(req).orElse(null); + if (permission == null) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); + var requestTokenHash = requestTokenHash(bearerToken); + var clientIds = new TreeSet<String>(); + var permissions = new TreeSet<Permission>(); + var matchedTokens = new HashSet<TokenVersion>(); + for (Client c : allowedClients) { + if (!c.permissions().contains(permission)) continue; + var matchedToken = c.tokens().get(requestTokenHash); + if (matchedToken == null) continue; + var expiration = matchedToken.expiration().orElse(null); + if (expiration != null && now.isAfter(expiration)) continue; + matchedTokens.add(matchedToken); + clientIds.add(c.id()); + permissions.addAll(c.permissions()); + } + if (clientIds.isEmpty()) return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); + if (matchedTokens.size() > 1) { + log.warning("Multiple tokens matched for request %s" + .formatted(matchedTokens.stream().map(TokenVersion::id).toList())); + return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Forbidden")); + } + var matchedToken = matchedTokens.stream().findAny().orElse(null); + if (matchedToken != null) { + addAccessLogEntry(req, "token.id", matchedToken.id()); + addAccessLogEntry(req, "token.hash", matchedToken.fingerprint().toDelimitedHexString()); + addAccessLogEntry(req, "token.exp", matchedToken.expiration().map(Instant::toString).orElse("<none>")); + } + ClientPrincipal.createForRequest(req, clientIds, permissions); + return Optional.empty(); + } + + private TokenCheckHash requestTokenHash(String bearerToken) { + return TokenCheckHash.of(Token.of(tokenDomain, bearerToken), CHECK_HASH_BYTES); + } + + private static Optional<String> requestBearerToken(DiscFilterRequest req) { + return Optional.ofNullable(req.getHeader("Authorization")) + .filter(h -> h.startsWith("Bearer ")) + .map(t -> t.substring("Bearer ".length()).trim()) + .filter(t -> !t.isBlank()); + + } + + private static void addAccessLogEntry(DiscFilterRequest req, String key, String value) { + ((AccessLogEntry) req.getAttribute(CONTEXT_KEY_ACCESS_LOG_ENTRY)).addKeyValue(key, value); + } + + private record TokenVersion(String id, TokenFingerprint fingerprint, TokenCheckHash accessHash, Optional<Instant> expiration) { + static TokenVersion of(String id, String fingerprint, String accessHash, String expiration) { + return new TokenVersion(id, TokenFingerprint.ofHex(fingerprint), TokenCheckHash.ofHex(accessHash), + expiration.equals("<none>") ? Optional.empty() : Optional.of(Instant.parse(expiration))); + } + } + + private record Client(String id, EnumSet<Permission> permissions, Map<TokenCheckHash, TokenVersion> tokens) { + Client { + permissions = EnumSet.copyOf(permissions); tokens = Map.copyOf(tokens); + } + } +} diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/Permission.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/Permission.java new file mode 100644 index 00000000000..4bab83f8576 --- /dev/null +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/Permission.java @@ -0,0 +1,63 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + +package com.yahoo.jdisc.http.filter.security.cloud; + +import com.yahoo.container.jdisc.AclMapping; +import com.yahoo.container.jdisc.RequestHandlerSpec; +import com.yahoo.container.jdisc.RequestView; +import com.yahoo.jdisc.http.filter.DiscFilterRequest; + +import java.util.Collection; +import java.util.EnumSet; +import java.util.Optional; +import java.util.logging.Logger; +import java.util.stream.Collectors; + +/** + * @author bjorncs + */ +enum Permission { + READ, WRITE; + + private static final Logger log = Logger.getLogger(Permission.class.getName()); + + String asString() { + return switch (this) { + case READ -> "read"; + case WRITE -> "write"; + }; + } + + static Permission of(String v) { + return switch (v) { + case "read" -> READ; + case "write" -> WRITE; + default -> throw new IllegalArgumentException("Invalid permission '%s'".formatted(v)); + }; + } + + static EnumSet<Permission> setOf(Collection<String> v) { + return v.stream().map(Permission::of).collect(Collectors.toCollection(() -> EnumSet.noneOf(Permission.class))); + } + + static Optional<Permission> getRequiredPermission(DiscFilterRequest req) { + RequestView view = req.asRequestView(); + var result = Optional.ofNullable((RequestHandlerSpec) req.getAttribute(RequestHandlerSpec.ATTRIBUTE_NAME)) + .or(() -> Optional.of(RequestHandlerSpec.DEFAULT_INSTANCE)) + .flatMap(spec -> { + var action = spec.aclMapping().get(view); + var maybePermission = Permission.of(action); + if (maybePermission.isEmpty()) log.fine(() -> "Unknown action '%s'".formatted(action)); + return maybePermission; + }); + if (result.isEmpty()) + log.fine(() -> "No valid permission mapping defined for %s @ '%s'".formatted(view.method(), view.uri())); + return result; + } + + static Optional<Permission> of(AclMapping.Action a) { + if (a.equals(AclMapping.Action.READ)) return Optional.of(READ); + if (a.equals(AclMapping.Action.WRITE)) return Optional.of(WRITE); + return Optional.empty(); + } +} diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java index d9daf8b6f46..8d2fd1f569e 100644 --- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java @@ -5,35 +5,24 @@ import com.yahoo.container.jdisc.AclMapping.Action; import com.yahoo.container.jdisc.HttpMethodAclMapping; import com.yahoo.container.jdisc.RequestHandlerSpec; import com.yahoo.container.jdisc.RequestHandlerTestDriver.MockResponseHandler; -import com.yahoo.container.logging.AccessLogEntry; import com.yahoo.jdisc.http.HttpRequest.Method; -import com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.ClientPrincipal; import com.yahoo.jdisc.http.filter.security.cloud.config.CloudDataPlaneFilterConfig; import com.yahoo.jdisc.http.filter.util.FilterTestUtils; import com.yahoo.security.KeyUtils; import com.yahoo.security.X509CertificateBuilder; import com.yahoo.security.X509CertificateUtils; -import com.yahoo.security.token.Token; -import com.yahoo.security.token.TokenCheckHash; -import com.yahoo.security.token.TokenDomain; -import com.yahoo.security.token.TokenGenerator; -import com.yahoo.test.ManualClock; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import javax.security.auth.x500.X500Principal; import java.math.BigInteger; import java.security.cert.X509Certificate; -import java.time.Duration; -import java.time.Instant; import java.util.List; import java.util.Set; import static com.yahoo.jdisc.Response.Status.FORBIDDEN; import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED; -import static com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.CHECK_HASH_BYTES; -import static com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.Permission.READ; -import static com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter.Permission.WRITE; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.READ; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.WRITE; import static com.yahoo.security.KeyAlgorithm.EC; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static java.time.Instant.EPOCH; @@ -50,21 +39,8 @@ class CloudDataPlaneFilterTest { private static final X509Certificate FEED_CERT = certificate("my-feed-client"); private static final X509Certificate SEARCH_CERT = certificate("my-search-client"); private static final X509Certificate LEGACY_CLIENT_CERT = certificate("my-legacy-client"); - private static final X509Certificate REVERSE_PROXY_CERT = certificate("nginx"); private static final String FEED_CLIENT_ID = "feed-client"; private static final String MTLS_SEARCH_CLIENT_ID = "mtls-search-client"; - private static final String TOKEN_SEARCH_CLIENT = "token-search-client"; - private static final String TOKEN_CONTEXT = "my-token-context"; - private static final String TOKEN_ID = "my-token-id"; - private static final Instant TOKEN_EXPIRATION = EPOCH.plus(Duration.ofDays(1)); - private static final Token VALID_TOKEN = - TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES); - private static final Token UNKNOWN_TOKEN = - TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES); - - private ManualClock clock; - - @BeforeEach void resetClock() { clock = new ManualClock(EPOCH); } @Test void accepts_any_trusted_client_certificate_in_legacy_mode() { @@ -144,137 +120,13 @@ class CloudDataPlaneFilterTest { assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); } - @Test - void accepts_reverse_proxy_with_token() { - var entry = new AccessLogEntry(); - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withAccessLogEntry(entry) - .withClientCertificate(REVERSE_PROXY_CERT) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNull(responseHandler.getResponse()); - assertEquals(new ClientPrincipal(Set.of(TOKEN_SEARCH_CLIENT), Set.of(READ)), req.getUserPrincipal()); - assertEquals(TOKEN_ID, entry.getKeyValues().get("token.id").get(0)); - assertEquals(VALID_TOKEN.fingerprint().toDelimitedHexString(), entry.getKeyValues().get("token.hash").get(0)); - assertEquals(TOKEN_EXPIRATION.toString(), entry.getKeyValues().get("token.exp").get(0)); - } - - @Test - void fails_for_reverse_proxy_with_token_wrong_permission() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.POST) - .withClientCertificate(REVERSE_PROXY_CERT) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); - } - - @Test - void fails_for_reverse_proxy_without_token() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withClientCertificate(REVERSE_PROXY_CERT) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); - } - - @Test - void fails_for_reverse_proxy_with_unknown_token() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withClientCertificate(REVERSE_PROXY_CERT) - .withHeader("Authorization", "Bearer " + UNKNOWN_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); - } - - @Test - void fails_for_missing_certificate_with_token() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(UNAUTHORIZED, responseHandler.getResponse().getStatus()); - } - - @Test - void fails_for_unknown_certificate_with_token() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withClientCertificate(LEGACY_CLIENT_CERT) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); - } - - @Test - void certificate_has_precedence_over_token() { - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.POST) - .withClientCertificate(FEED_CERT) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var responseHandler = new MockResponseHandler(); - newFilterWithClientsConfig().filter(req, responseHandler); - assertNull(responseHandler.getResponse()); - assertEquals(new ClientPrincipal(Set.of(FEED_CLIENT_ID), Set.of(WRITE)), req.getUserPrincipal()); - } - - @Test - void fails_for_expired_token() { - var entry = new AccessLogEntry(); - var req = FilterTestUtils.newRequestBuilder() - .withMethod(Method.GET) - .withAccessLogEntry(entry) - .withClientCertificate(REVERSE_PROXY_CERT) - .withHeader("Authorization", "Bearer " + VALID_TOKEN.secretTokenString()) - .build(); - var filter = newFilterWithClientsConfig(); - - var responseHandler = new MockResponseHandler(); - filter.filter(req, responseHandler); - assertNull(responseHandler.getResponse()); - - clock.advance(Duration.ofDays(1)); - responseHandler = new MockResponseHandler(); - filter.filter(req, responseHandler); - assertNull(responseHandler.getResponse()); - - clock.advance(Duration.ofMillis(1)); - responseHandler = new MockResponseHandler(); - filter.filter(req, responseHandler); - assertNotNull(responseHandler.getResponse()); - assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); - } - private CloudDataPlaneFilter newFilterWithLegacyMode() { - return new CloudDataPlaneFilter( - new CloudDataPlaneFilterConfig.Builder() - .legacyMode(true).build(), (X509Certificate) null, clock); + return new CloudDataPlaneFilter(new CloudDataPlaneFilterConfig.Builder().legacyMode(true).build()); } private CloudDataPlaneFilter newFilterWithClientsConfig() { return new CloudDataPlaneFilter( new CloudDataPlaneFilterConfig.Builder() - .tokenContext(TOKEN_CONTEXT) .clients(List.of( new CloudDataPlaneFilterConfig.Clients.Builder() .certificates(X509CertificateUtils.toPem(FEED_CERT)) @@ -283,18 +135,8 @@ class CloudDataPlaneFilterTest { new CloudDataPlaneFilterConfig.Clients.Builder() .certificates(X509CertificateUtils.toPem(SEARCH_CERT)) .permissions(READ.asString()) - .id(MTLS_SEARCH_CLIENT_ID), - new CloudDataPlaneFilterConfig.Clients.Builder() - .tokens(new CloudDataPlaneFilterConfig.Clients.Tokens.Builder() - .id(TOKEN_ID) - .checkAccessHashes(TokenCheckHash.of(VALID_TOKEN, 32).toHexString()) - .fingerprints(VALID_TOKEN.fingerprint().toDelimitedHexString()) - .expirations(TOKEN_EXPIRATION.toString())) - .permissions(READ.asString()) - .id(TOKEN_SEARCH_CLIENT))) - .build(), - REVERSE_PROXY_CERT, - clock); + .id(MTLS_SEARCH_CLIENT_ID))) + .build()); } private static X509Certificate certificate(String name) { diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java new file mode 100644 index 00000000000..cac7818a1fc --- /dev/null +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudTokenDataPlaneFilterTest.java @@ -0,0 +1,195 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.filter.security.cloud; + +import com.yahoo.container.jdisc.AclMapping.Action; +import com.yahoo.container.jdisc.HttpMethodAclMapping; +import com.yahoo.container.jdisc.RequestHandlerSpec; +import com.yahoo.container.jdisc.RequestHandlerTestDriver.MockResponseHandler; +import com.yahoo.container.logging.AccessLogEntry; +import com.yahoo.jdisc.http.HttpRequest.Method; +import com.yahoo.jdisc.http.filter.security.cloud.config.CloudTokenDataPlaneFilterConfig; +import com.yahoo.jdisc.http.filter.util.FilterTestUtils; +import com.yahoo.security.token.Token; +import com.yahoo.security.token.TokenCheckHash; +import com.yahoo.security.token.TokenDomain; +import com.yahoo.security.token.TokenGenerator; +import com.yahoo.test.ManualClock; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import java.time.Duration; +import java.time.Instant; +import java.util.List; +import java.util.Set; + +import static com.yahoo.jdisc.Response.Status.FORBIDDEN; +import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED; +import static com.yahoo.jdisc.http.filter.security.cloud.CloudTokenDataPlaneFilter.CHECK_HASH_BYTES; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.READ; +import static com.yahoo.jdisc.http.filter.security.cloud.Permission.WRITE; +import static java.time.Instant.EPOCH; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; + +/** + * @author bjorncs + */ +class CloudTokenDataPlaneFilterTest { + + private static final String TOKEN_SEARCH_CLIENT = "token-search-client"; + private static final String TOKEN_FEED_CLIENT = "token-feed-client"; + private static final String TOKEN_CONTEXT = "my-token-context"; + private static final String READ_TOKEN_ID = "my-read-token-id"; + private static final String WRITE_TOKEN_ID = "my-write-token-id"; + private static final Instant TOKEN_EXPIRATION = EPOCH.plus(Duration.ofDays(1)); + private static final Token READ_TOKEN = + TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES); + private static final Token WRITE_TOKEN = + TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES); + private static final Token UNKNOWN_TOKEN = + TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES); + private ManualClock clock; + + @BeforeEach void resetClock() { clock = new ManualClock(EPOCH); } + + @Test + void supports_handler_with_custom_request_spec() { + // Spec that maps POST as action 'read' + var spec = RequestHandlerSpec.builder() + .withAclMapping(HttpMethodAclMapping.standard() + .override(Method.POST, Action.READ).build()) + .build(); + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.POST) + .withHeader("Authorization", "Bearer " + READ_TOKEN.secretTokenString()) + .withAttribute(RequestHandlerSpec.ATTRIBUTE_NAME, spec) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNull(responseHandler.getResponse()); + assertEquals(new ClientPrincipal(Set.of(TOKEN_SEARCH_CLIENT), Set.of(READ)), req.getUserPrincipal()); + } + + @Test + void fails_on_handler_with_custom_request_spec_with_invalid_action() { + // Spec that maps POST as action 'read' + var spec = RequestHandlerSpec.builder() + .withAclMapping(HttpMethodAclMapping.standard() + .override(Method.GET, Action.custom("custom")).build()) + .build(); + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .withHeader("Authorization", "Bearer " + READ_TOKEN.secretTokenString()) + .withAttribute(RequestHandlerSpec.ATTRIBUTE_NAME, spec) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNotNull(responseHandler.getResponse()); + assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); + } + + @Test + void accepts_valid_token() { + var entry = new AccessLogEntry(); + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .withAccessLogEntry(entry) + .withHeader("Authorization", "Bearer " + READ_TOKEN.secretTokenString()) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNull(responseHandler.getResponse()); + assertEquals(new ClientPrincipal(Set.of(TOKEN_SEARCH_CLIENT), Set.of(READ)), req.getUserPrincipal()); + assertEquals(READ_TOKEN_ID, entry.getKeyValues().get("token.id").get(0)); + assertEquals(READ_TOKEN.fingerprint().toDelimitedHexString(), entry.getKeyValues().get("token.hash").get(0)); + assertEquals(TOKEN_EXPIRATION.toString(), entry.getKeyValues().get("token.exp").get(0)); + } + + @Test + void fails_for_token_with_invalid_permission() { + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .withHeader("Authorization", "Bearer " + WRITE_TOKEN.secretTokenString()) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNotNull(responseHandler.getResponse()); + assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); + } + + @Test + void fails_for_missing_token() { + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNotNull(responseHandler.getResponse()); + assertEquals(UNAUTHORIZED, responseHandler.getResponse().getStatus()); + } + + @Test + void fails_for_unknown_token() { + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .withHeader("Authorization", "Bearer " + UNKNOWN_TOKEN.secretTokenString()) + .build(); + var responseHandler = new MockResponseHandler(); + newFilterWithClientsConfig().filter(req, responseHandler); + assertNotNull(responseHandler.getResponse()); + assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); + } + + @Test + void fails_for_expired_token() { + var entry = new AccessLogEntry(); + var req = FilterTestUtils.newRequestBuilder() + .withMethod(Method.GET) + .withAccessLogEntry(entry) + .withHeader("Authorization", "Bearer " + READ_TOKEN.secretTokenString()) + .build(); + var filter = newFilterWithClientsConfig(); + + var responseHandler = new MockResponseHandler(); + filter.filter(req, responseHandler); + assertNull(responseHandler.getResponse()); + + clock.advance(Duration.ofDays(1)); + responseHandler = new MockResponseHandler(); + filter.filter(req, responseHandler); + assertNull(responseHandler.getResponse()); + + clock.advance(Duration.ofMillis(1)); + responseHandler = new MockResponseHandler(); + filter.filter(req, responseHandler); + assertNotNull(responseHandler.getResponse()); + assertEquals(FORBIDDEN, responseHandler.getResponse().getStatus()); + } + + private CloudTokenDataPlaneFilter newFilterWithClientsConfig() { + return new CloudTokenDataPlaneFilter( + new CloudTokenDataPlaneFilterConfig.Builder() + .tokenContext(TOKEN_CONTEXT) + .clients(List.of( + new CloudTokenDataPlaneFilterConfig.Clients.Builder() + .tokens(new CloudTokenDataPlaneFilterConfig.Clients.Tokens.Builder() + .id(READ_TOKEN_ID) + .checkAccessHashes(TokenCheckHash.of(READ_TOKEN, 32).toHexString()) + .fingerprints(READ_TOKEN.fingerprint().toDelimitedHexString()) + .expirations(TOKEN_EXPIRATION.toString())) + .permissions(READ.asString()) + .id(TOKEN_SEARCH_CLIENT), + new CloudTokenDataPlaneFilterConfig.Clients.Builder() + .tokens(new CloudTokenDataPlaneFilterConfig.Clients.Tokens.Builder() + .id(WRITE_TOKEN_ID) + .checkAccessHashes(TokenCheckHash.of(WRITE_TOKEN, 32).toHexString()) + .fingerprints(WRITE_TOKEN.fingerprint().toDelimitedHexString()) + .expirations(TOKEN_EXPIRATION.toString())) + .permissions(WRITE.asString()) + .id(TOKEN_FEED_CLIENT))) + .build(), + clock); + } + +}
\ No newline at end of file |