[Feature] [Gateway] ArangoDB AuthIntegration (#1715)

Author: ajanikow

CHANGELOG.md

@@ -23,6 +23,7 @@
 - (Feature) Integration Service TLS
 - (Feature) (Gateway) SNI and Authz support
 - (Maintenance) Bump Examples to ArangoDB 3.12
+- (Feature) (Gateway) ArangoDB JWT Auth Integration
 
 ## [1.2.42](https://github.com/arangodb/kube-arangodb/tree/1.2.42) (2024-07-23)
 - (Maintenance) Go 1.22.4 & Kubernetes 1.29.6 libraries

cmd/version.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,8 +21,6 @@
 package cmd
 
 import (
-	"fmt"
-
 	"github.com/spf13/cobra"
 
 	"github.com/arangodb/kube-arangodb/pkg/version"
@@ -38,6 +36,5 @@ var cmdVersion = &cobra.Command{
 }
 
 func versionRun(cmd *cobra.Command, args []string) {
-	v := version.GetVersionV1()
-	println(fmt.Sprintf("Version: %s %s, Build: %s, Go: %s, Build Date: %s", v.Edition.Title(), v.Version, v.Build, v.GoVersion, v.BuildDate))
+	println(version.GetVersionV1().String())
 }

docs/api/ArangoRoute.V1Alpha1.md

@@ -16,6 +16,12 @@ Deployment specifies the ArangoDeployment object name
 
 ***
 
+### .spec.destination.authentication.type
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_spec_destination_authentication.go#L28)</sup>
+
+***
+
 ### .spec.destination.path
 
 Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_spec_destination.go#L36)</sup>
@@ -131,6 +137,12 @@ UID keeps the information about object UID
 
 ***
 
+### .status.target.authentication.type
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_status_target_authentication.go#L26)</sup>
+
+***
+
 ### .status.target.destinations\[int\].host
 
 Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_status_target_destination.go#L38)</sup>
@@ -145,7 +157,7 @@ Type: `integer` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.
 
 ### .status.target.path
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_status_target.go#L37)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.42/pkg/apis/networking/v1alpha1/route_status_target.go#L40)</sup>
 
 Path specifies request path override
 

integrations/envoy/auth/v3/check.go

@@ -0,0 +1,46 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v3
+
+import (
+	"context"
+
+	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+)
+
+type AuthResponse struct {
+	Username string
+}
+
+type AuthRequestFunc func(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest, current *AuthResponse) (*AuthResponse, error)
+
+func MergeAuthRequest(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest, requests ...AuthRequestFunc) (*AuthResponse, error) {
+	var resp *AuthResponse
+	for _, r := range requests {
+		if v, err := r(ctx, request, resp); err != nil {
+			return nil, err
+		} else {
+			resp = v
+		}
+	}
+
+	return resp, nil
+}

integrations/envoy/auth/v3/check_adb_jwt.go

@@ -0,0 +1,60 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v3
+
+import (
+	"context"
+
+	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+
+	pbAuthenticationV1 "github.com/arangodb/kube-arangodb/integrations/authentication/v1/definition"
+	"github.com/arangodb/kube-arangodb/pkg/util/strings"
+)
+
+func (i *impl) checkADBJWT(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest, current *AuthResponse) (*AuthResponse, error) {
+	if current != nil {
+		// Already authenticated
+		return current, nil
+	}
+	if auth, ok := request.GetAttributes().GetRequest().GetHttp().GetHeaders()["authorization"]; ok {
+		parts := strings.SplitN(auth, " ", 2)
+		if len(parts) == 2 {
+			if strings.ToLower(parts[0]) == "bearer" {
+				resp, err := i.authClient.Validate(ctx, &pbAuthenticationV1.ValidateRequest{
+					Token: parts[1],
+				})
+				if err != nil {
+					logger.Err(err).Warn("Auth failure")
+					return nil, nil
+				}
+
+				if err == nil && resp.GetIsValid() {
+					// All went fine!
+					return &AuthResponse{
+						Username: resp.GetDetails().GetUser(),
+					}, nil
+				}
+			}
+		}
+	}
+
+	return nil, nil
+}

integrations/envoy/auth/v3/consts.go

@@ -22,4 +22,18 @@ package v3
 
 const (
 	Name = "envoy.auth.v3"
+
+	AuthConfigKeywordTrue  = "true"
+	AuthConfigKeywordFalse = "false"
+
+	AuthConfigNamespace     = "platform.arangodb.com"
+	AuthConfigAuthNamespace = "auth." + AuthConfigNamespace
+
+	AuthConfigTypeKey   = AuthConfigNamespace + "/type"
+	AuthConfigTypeValue = "ArangoDBPlatform"
+
+	AuthConfigAuthRequiredKey = AuthConfigAuthNamespace + "/required"
+
+	AuthUsernameHeader      = "arangodb-platform-user"
+	AuthAuthenticatedHeader = "arangodb-platform-authenticated"
 )

integrations/envoy/auth/v3/impl.go

@@ -22,22 +22,32 @@ package v3
 
 import (
 	"context"
+	"net/http"
 
+	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"google.golang.org/grpc"
 
+	pbAuthenticationV1 "github.com/arangodb/kube-arangodb/integrations/authentication/v1/definition"
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors/panics"
 	"github.com/arangodb/kube-arangodb/pkg/util/svc"
 )
 
-func New() svc.Handler {
-	return &impl{}
+func New(authClient pbAuthenticationV1.AuthenticationV1Client) svc.Handler {
+	return &impl{
+		authClient: authClient,
+	}
 }
 
 var _ pbEnvoyAuthV3.AuthorizationServer = &impl{}
 var _ svc.Handler = &impl{}
 
 type impl struct {
 	pbEnvoyAuthV3.UnimplementedAuthorizationServer
+
+	authClient pbAuthenticationV1.AuthenticationV1Client
 }
 
 func (i *impl) Name() string {
@@ -53,10 +63,84 @@ func (i *impl) Register(registrar *grpc.Server) {
 }
 
 func (i *impl) Check(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest) (*pbEnvoyAuthV3.CheckResponse, error) {
-	logger.Info("Request Received")
+	resp, err := panics.RecoverO1(func() (*pbEnvoyAuthV3.CheckResponse, error) {
+		return i.check(ctx, request)
+	})
+
+	if err != nil {
+		var v DeniedResponse
+		if errors.As(err, &v) {
+			return v.GetCheckResponse()
+		}
+		return nil, err
+	}
+	return resp, nil
+}
+
+func (i *impl) check(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest) (*pbEnvoyAuthV3.CheckResponse, error) {
+	ext := request.GetAttributes().GetContextExtensions()
+
+	if v, ok := ext[AuthConfigTypeKey]; !ok || v != AuthConfigTypeValue {
+		return nil, DeniedResponse{
+			Code: http.StatusBadRequest,
+			Message: &DeniedMessage{
+				Message: "Auth plugin is not enabled for this request",
+			},
+		}
+	}
+
+	authenticated, err := MergeAuthRequest(ctx, request, i.checkADBJWT)
+	if err != nil {
+		return nil, err
+	}
+
+	if util.Optional(ext, AuthConfigAuthRequiredKey, AuthConfigKeywordFalse) == AuthConfigKeywordTrue && authenticated == nil {
+		return nil, DeniedResponse{
+			Code: http.StatusUnauthorized,
+			Message: &DeniedMessage{
+				Message: "Unauthorized",
+			},
+		}
+	}
+
+	if authenticated != nil {
+		return &pbEnvoyAuthV3.CheckResponse{
+			HttpResponse: &pbEnvoyAuthV3.CheckResponse_OkResponse{
+				OkResponse: &pbEnvoyAuthV3.OkHttpResponse{
+					Headers: []*corev3.HeaderValueOption{
+						{
+							Header: &corev3.HeaderValue{
+								Key:   AuthUsernameHeader,
+								Value: authenticated.Username,
+							},
+							AppendAction: corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
+						},
+						{
+							Header: &corev3.HeaderValue{
+								Key:   AuthAuthenticatedHeader,
+								Value: "true",
+							},
+							AppendAction: corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
+						},
+					},
+				},
+			},
+		}, nil
+	}
+
 	return &pbEnvoyAuthV3.CheckResponse{
 		HttpResponse: &pbEnvoyAuthV3.CheckResponse_OkResponse{
-			OkResponse: &pbEnvoyAuthV3.OkHttpResponse{},
+			OkResponse: &pbEnvoyAuthV3.OkHttpResponse{
+				Headers: []*corev3.HeaderValueOption{
+					{
+						Header: &corev3.HeaderValue{
+							Key:   AuthAuthenticatedHeader,
+							Value: "false",
+						},
+						AppendAction: corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
+					},
+				},
+			},
 		},
 	}, nil
 }