Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update JWT/JWKS policy validation #4160

Merged
merged 12 commits into from
Aug 2, 2023
Merged

Update JWT/JWKS policy validation #4160

merged 12 commits into from
Aug 2, 2023

Conversation

jjngx
Copy link
Contributor

@jjngx jjngx commented Jul 27, 2023
edited
Loading

Proposed changes

This PR fixes JWT/JWKS policy validation.

When a user tries to apply JWKS without mandatory keyCache, the policy is rejected:

An example of the invalid policy (missing keyCache):

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: jwt-policy
spec:
  jwt:
    realm: MyProductAPI
    token: $http_token
    jwksURI: http:https://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
kubectl describe policies.k8s.nginx.org jwt-policy
Name:         jwt-policy
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  k8s.nginx.org/v1
Kind:         Policy
Metadata:
  Creation Timestamp:  2023-08-01T13:29:20Z
  Generation:          1
  Resource Version:    19890
  UID:                 39ee839f-f606-45ab-8ffc-8d155d76ad14
Spec:
  Jwt:
    Jwks URI:  http:https://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
    Realm:     MyProductAPI
    Token:     $http_token
Status:
  Message:  Policy default/jwt-policy is invalid and was rejected: spec.jwt.keyCache: Required value: key cache must be set when using JWKS
  Reason:   Rejected
  State:    Invalid
Events:
  Type     Reason    Age    From                      Message
  ----     ------    ----   ----                      -------
  Warning  Rejected  4m13s  nginx-ingress-controller  Policy default/jwt-policy is invalid and was rejected: spec.jwt.keyCache: Required value: key cache must be set when using JWKS

The same policy but with keyCache set to a valid value 1h:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: jwt-policy
spec:
  jwt:
    realm: MyProductAPI
    token: $http_token
    jwksURI: http:https://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
    keyCache: 1h
kubectl describe policies.k8s.nginx.org jwt-policy
Name:         jwt-policy
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  k8s.nginx.org/v1
Kind:         Policy
Metadata:
  Creation Timestamp:  2023-08-01T13:29:20Z
  Generation:          2
  Resource Version:    20779
  UID:                 39ee839f-f606-45ab-8ffc-8d155d76ad14
Spec:
  Jwt:
    Jwks URI:   http:https://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
    Key Cache:  1h
    Realm:      MyProductAPI
    Token:      $http_token
Status:
  Message:  Policy default/jwt-policy was added or updated
  Reason:   AddedOrUpdated
  State:    Valid
Events:
  Type     Reason          Age    From                      Message
  ----     ------          ----   ----                      -------
  Normal   AddedOrUpdated  6s     nginx-ingress-controller  Policy default/jwt-policy was added or updated

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@jjngx jjngx self-assigned this Jul 27, 2023
@github-actions github-actions bot added the bug An issue reporting a potential bug label Jul 27, 2023
@github-actions
Copy link

github-actions bot commented Jul 27, 2023
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Manifest Files

@jjngx jjngx linked an issue Jul 27, 2023 that may be closed by this pull request
JWS_URI caching removed when keyCache is omitted #4124
Closed
@codecov
Copy link

codecov bot commented Jul 27, 2023
edited
Loading

Codecov Report

Merging #4160 (0fcbd23) into main (ce43fba) will increase coverage by 0.04%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #4160      +/-   ##
==========================================
+ Coverage   51.90%   51.95%   +0.04%     
==========================================
  Files          59       59              
  Lines       16735    16743       +8     
==========================================
+ Hits         8686     8698      +12     
+ Misses       7749     7748       -1     
+ Partials      300      297       -3
Files Changed Coverage Δ
pkg/apis/configuration/validation/policy.go 92.80% <100.00%> (-0.12%) ⬇️

... and 3 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@jjngx jjngx marked this pull request as ready for review August 1, 2023 13:42
@jjngx jjngx requested a review from a team as a code owner August 1, 2023 13:42
@jjngx jjngx requested a review from a team August 2, 2023 12:39
@jjngx jjngx merged commit 7cd7024 into main Aug 2, 2023
62 checks passed
@jjngx jjngx deleted the fix/jws-uri-cache branch August 2, 2023 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haywoodsh haywoodsh haywoodsh approved these changes

@shaun-nx shaun-nx shaun-nx approved these changes

@vepatel vepatel Awaiting requested review from vepatel

@jasonwilliams14 jasonwilliams14 Awaiting requested review from jasonwilliams14

Assignees

@jjngx jjngx

Labels
bug An issue reporting a potential bug
Projects
NGINX Ingress Controller
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

JWS_URI caching removed when keyCache is omitted
3 participants
@jjngx @haywoodsh @shaun-nx