Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement OpenID token expressions evaluation #63

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Implement OpenID token expressions evaluation #63

wants to merge 11 commits into from

Conversation

ErmakovDmitriy
Copy link
Contributor

This PR implements an OpenID token expression evaluation.

The idea and the use-case is to be able to define different behavior in HAProxy based on OpenID token claims.

An example:

  • An OpenID token contains a field roles which is an array of admin, viewer, editor;
  • We want to allow access to /admin URL path only for people with admin role;

With this PR, it is possible to define in HAProxy:

acl host1.example.com hdr(host) -i host1.example.com
acl host1.example.com_admin_path path_beg -i /admin
acl host1.example.com-admin-allowed var(sess.auth.token_expression_in_roles_admin) -m bool

http-request send-spoe-group spoe-auth try-auth-all if host1.example.com
http-request set-var(req.oidc_token_expressions) str("in;roles;admin") if host1.example.com
http-request send-spoe-group spoe-auth try-auth-all if host1.example.com

use_backend haproxy-spoe-auth-error if host1.example.com oauth2_error
use_backend haproxy-spoe-auth-redirect if host1.example.com !oauth2_authenticated

http-request deny deny_status 403 if host1.example.com !host1.example.com-admin-allowed host1.example.com_admin_path oauth2_authenticated
use_backend host1.example.com-backend if host1.example.com host1.example.com-admin-allowed

mougams
mougams requested changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@mougams mougams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR, a bit complex since this adds lots of things in the same PR - would have been nice if this could be split, but that's ok.

I've put few remarks, and the patch seems breaking.
Also, you might need to rebase, since I've merged some lib updates.

internal/auth/oidc_clients_store.go
}
}

return &StaticOIDCClientsStore{clients: clients}
}

func NewEmptyStaticOIDCClientStore() *StaticOIDCClientsStore {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could probably be removed since never used

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that NewStaticOIDCClientStore is used here https://github.com/ErmakovDmitriy/haproxy-spoe-auth/blob/83168273b5dfb93155e124958989b14f471e7ce6/cmd/haproxy-spoe-auth/main.go#L141
and NewEmptyStaticOIDCClientStore is used in a test: https://github.com/ErmakovDmitriy/haproxy-spoe-auth/blob/83168273b5dfb93155e124958989b14f471e7ce6/internal/auth/oidc_clients_store_test.go#L12

internal/auth/authenticator_oidc_token_expressions.go
return ""
}

const (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To simplify, you could probably merge this with the constants

	operationIn           string = "in"
	operationNotIn        string = "notin"
	operationExists       string = "exists"
	operationDoesNotExist string = "doesnotexist"
)```

so that during the assignement it becomes as simple as


		expr.Operation = val[0].value

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am sorry, I might have misunderstood your idea but I can not see how I can simplify this.

May I ask you to explain me?

@ErmakovDmitriy
Copy link
Contributor Author

Hi mougams,

Thank you and sorry for such a complex PR.

I will try to fix what you requested and update this PR.

dependabot bot and others added 10 commits March 7, 2025 08:55
@dependabot
Bump github.com/tidwall/gjson from 1.17.3 to 1.18.0
6027311 
Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.17.3 to 1.18.0.
- [Commits](tidwall/gjson@v1.17.3...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump golang.org/x/oauth2 from 0.22.0 to 0.25.0
b2be74c 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.22.0 to 0.25.0.
- [Commits](golang/oauth2@v0.22.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/stretchr/testify from 1.9.0 to 1.10.0
8a5c422 
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go-ldap library to 3.4.9
cd0c2d1 
This implicitly bumps crypto lib which fixes a CVE.

https://github.com/go-ldap/ldap/releases/tag/v3.4.9
@dependabot
Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0
2596dfb 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.11.0 to 3.12.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.9 to 3.4.10
4b676db 
Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.9 to 3.4.10.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](go-ldap/ldap@v3.4.9...v3.4.10)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5
650aac4 
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go version to 1.23 + libraries to latest
2a8d29b
Keep function parameter types
62df1f4
Document breaking changes
8316827
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mougams mougams mougams requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ErmakovDmitriy @mougams