chore(auth): DPoP and public fixes

dmihalcik-virtru · dmihalcik-virtru · commit c2456f758beb · 2024-04-23T15:20:24.000-04:00
- expose legacy public key endpoint as public
- DPoP `htu` should include origin part of url
- clarify error messages for dpop
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -56,6 +56,8 @@ server:
     key: /path/to/key
   auth:
     enabled: true
+    allowedHosts:
+      - "https://example.com"
     audience: https://example.com
     issuer: https://example.com
 ```
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -23,6 +23,8 @@ services:
 server:
   auth:
     enabled: true
+    allowedHosts:
+      - "http://localhost:8080"
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml
@@ -23,6 +23,8 @@ services:
 server:
   auth:
     enabled: true
+    allowedHosts:
+      - "http://localhost:8080"
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     clients:
diff --git a/service/internal/auth/authn.go b/service/internal/auth/authn.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"path/filepath"
 	"slices"
 	"strings"
@@ -38,6 +39,7 @@ var (
 		"/kas.AccessService/PublicKey",
 		"/healthz",
 		"/.well-known/opentdf-configuration",
+		"/kas/kas_public_key",
 		"/kas/v2/kas_public_key",
 	}
 	// only asymmetric algorithms and no 'none'
@@ -67,6 +69,8 @@ type Authentication struct {
 	enforcer *Enforcer
 	// Public Routes HTTP & gRPC
 	publicRoutes []string
+	// Allowed origins for the DPoP htu field
+	allowedHosts []*url.URL
 }
 
 // Creates new authN which is used to verify tokens for a set of given issuers
@@ -126,13 +130,33 @@ func NewAuthenticator(ctx context.Context, cfg Config, d *db.Client) (*Authentic
 
 	a.oidcConfigurations[cfg.Issuer] = cfg.AuthNConfig
 
+	a.allowedHosts = make([]*url.URL, len(cfg.AllowedHosts))
+	for i, h := range cfg.AllowedHosts {
+		a.allowedHosts[i], err = url.Parse(h)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return a, nil
 }
 
 type dpopInfo struct {
-	headers []string
-	path    string
-	method  string
+	u []string
+	m string
+}
+
+func (a Authentication) normalizeURL(u *url.URL) []string {
+	n := *u
+	n.RawQuery = ""
+	n.Fragment = ""
+	us := make([]string, len(a.allowedHosts))
+	for i, v := range a.allowedHosts {
+		v2 := *v
+		v2.Path = u.Path
+		us[i] = v2.String()
+	}
+	return us
 }
 
 // verifyTokenHandler is a http handler that verifies the token
@@ -150,10 +174,9 @@ func (a Authentication) MuxHandler(handler http.Handler) http.Handler {
 			return
 		}
 		tok, newCtx, err := a.checkToken(r.Context(), header, dpopInfo{
-			headers: r.Header["Dpop"],
-			path:    r.URL.Path,
-			method:  r.Method,
-		})
+			u: a.normalizeURL(r.URL),
+			m: r.Method,
+		}, r.Header["Dpop"])
 
 		if err != nil {
 			slog.WarnContext(r.Context(), "failed to validate token", slog.String("error", err.Error()))
@@ -232,10 +255,10 @@ func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, inf
 		ctx,
 		header,
 		dpopInfo{
-			headers: md["dpop"],
-			path:    info.FullMethod,
-			method:  http.MethodPost,
+			u: []string{info.FullMethod},
+			m: http.MethodPost,
 		},
+		md["dpop"],
 	)
 	if err != nil {
 		slog.Warn("failed to validate token", slog.String("error", err.Error()))
@@ -258,7 +281,7 @@ func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, inf
 }
 
 // checkToken is a helper function to verify the token.
-func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpopInfo dpopInfo) (jwt.Token, context.Context, error) {
+func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpopInfo dpopInfo, dpopHeader []string) (jwt.Token, context.Context, error) {
 	var (
 		tokenRaw string
 	)
@@ -317,7 +340,7 @@ func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpo
 		// come from token introspection
 		return accessToken, ctx, nil
 	}
-	key, err := validateDPoP(accessToken, tokenRaw, dpopInfo)
+	key, err := validateDPoP(accessToken, tokenRaw, dpopInfo, dpopHeader)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -340,11 +363,11 @@ func GetJWKFromContext(ctx context.Context) jwk.Key {
 	panic("got something that is not a jwk.Key from the JWK context")
 }
 
-func validateDPoP(accessToken jwt.Token, acessTokenRaw string, dpopInfo dpopInfo) (jwk.Key, error) {
-	if len(dpopInfo.headers) != 1 {
-		return nil, fmt.Errorf("got %d dpop headers, should have 1", len(dpopInfo.headers))
+func validateDPoP(accessToken jwt.Token, acessTokenRaw string, dpopInfo dpopInfo, headers []string) (jwk.Key, error) {
+	if len(headers) != 1 {
+		return nil, fmt.Errorf("got %d dpop headers, should have 1", len(headers))
 	}
-	dpopHeader := dpopInfo.headers[0]
+	dpopHeader := headers[0]
 
 	cnf, ok := accessToken.Get("cnf")
 	if !ok {
@@ -405,8 +428,9 @@ func validateDPoP(accessToken jwt.Token, acessTokenRaw string, dpopInfo dpopInfo
 		return nil, fmt.Errorf("couldn't compute thumbprint for key in `jwk` in DPoP JWT")
 	}
 
-	if base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(thumbprint) != jkt {
-		return nil, fmt.Errorf("the `jkt` from the DPoP JWT didn't match the thumbprint from the access token")
+	thumbprintStr := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(thumbprint)
+	if thumbprintStr != jkt {
+		return nil, fmt.Errorf("the `jkt` from the DPoP JWT didn't match the thumbprint from the access token; cnf.jkt=[%v], computed=[%v]", jkt, thumbprintStr)
 	}
 
 	// at this point we have the right key because its thumbprint matches the `jkt` claim
@@ -432,17 +456,17 @@ func validateDPoP(accessToken jwt.Token, acessTokenRaw string, dpopInfo dpopInfo
 		return nil, fmt.Errorf("`htm` claim missing in DPoP JWT")
 	}
 
-	if htm != dpopInfo.method {
-		return nil, fmt.Errorf("incorrect `htm` claim in DPoP JWT")
+	if htm != dpopInfo.m {
+		return nil, fmt.Errorf("incorrect `htm` claim in DPoP JWT; should match [%v]", dpopInfo.m)
 	}
 
 	htu, ok := dpopToken.Get("htu")
 	if !ok {
 		return nil, fmt.Errorf("`htu` claim missing in DPoP JWT")
 	}
 
-	if htu != dpopInfo.path {
-		return nil, fmt.Errorf("incorrect `htu` claim in DPoP JWT")
+	if !slices.Contains(dpopInfo.u, htu.(string)) {
+		return nil, fmt.Errorf("incorrect `htu` claim in DPoP JWT; should match %v", dpopInfo.u)
 	}
 
 	ath, ok := dpopToken.Get("ath")
diff --git a/service/internal/auth/authn_test.go b/service/internal/auth/authn_test.go
@@ -144,9 +144,10 @@ func (s *AuthSuite) SetupTest() {
 		context.Background(),
 		Config{
 			AuthNConfig: AuthNConfig{
-				EnforceDPoP: true,
-				Issuer:      s.server.URL,
-				Audience:    "test",
+				AllowedHosts: []string{""},
+				EnforceDPoP:  true,
+				Issuer:       s.server.URL,
+				Audience:     "test",
 			},
 			PublicRoutes: []string{"/public", "/public2/*", "/public3/static", "/static/*", "/static/*/*"},
 		},
@@ -174,7 +175,7 @@ func (s *AuthSuite) Test_CheckToken_When_JWT_Expired_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("\"exp\" not satisfied", err.Error())
 }
@@ -198,7 +199,7 @@ func (s *AuthSuite) Test_UnaryServerInterceptor_When_Authorization_Header_Missin
 }
 
 func (s *AuthSuite) Test_CheckToken_When_Authorization_Header_Invalid_Expect_Error() {
-	_, _, err := s.auth.checkToken(context.Background(), []string{"BPOP "}, dpopInfo{})
+	_, _, err := s.auth.checkToken(context.Background(), []string{"BPOP "}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("not of type bearer or dpop", err.Error())
 }
@@ -212,7 +213,7 @@ func (s *AuthSuite) Test_CheckToken_When_Missing_Issuer_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("missing issuer", err.Error())
 }
@@ -227,7 +228,7 @@ func (s *AuthSuite) Test_CheckToken_When_Invalid_Issuer_Value_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("invalid issuer", err.Error())
 }
@@ -241,7 +242,7 @@ func (s *AuthSuite) Test_CheckToken_When_Audience_Missing_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("claim \"aud\" not found", err.Error())
 }
@@ -256,7 +257,7 @@ func (s *AuthSuite) Test_CheckToken_When_Audience_Invalid_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Equal("\"aud\" not satisfied", err.Error())
 }
@@ -272,7 +273,7 @@ func (s *AuthSuite) Test_CheckToken_When_Valid_No_DPoP_Expect_Error() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().Error(err)
 	s.Require().Contains(err.Error(), "dpop")
 }
@@ -350,14 +351,14 @@ func (s *AuthSuite) TestInvalid_DPoP_Cases() {
 			context.Background(),
 			[]string{fmt.Sprintf("DPoP %s", string(testCase.accessToken))},
 			dpopInfo{
-				headers: []string{dpopToken},
-				path:    "/a/path",
-				method:  http.MethodPost,
+				u: []string{"/a/path"},
+				m: http.MethodPost,
 			},
+			[]string{dpopToken},
 		)
 
 		s.Require().Error(err)
-		s.Equal(testCase.errorMessage, err.Error())
+		s.Contains(err.Error(), testCase.errorMessage)
 	}
 }
 
@@ -568,7 +569,7 @@ func (s *AuthSuite) Test_Allowing_Auth_With_No_DPoP() {
 	s.NotNil(signedTok)
 	s.Require().NoError(err)
 
-	_, ctx, err := auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
+	_, ctx, err := auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{}, nil)
 	s.Require().NoError(err)
 	s.Require().Nil(GetJWKFromContext(ctx))
 }
diff --git a/service/internal/auth/config.go b/service/internal/auth/config.go
@@ -17,6 +17,7 @@ type AuthNConfig struct {
 	OIDCConfiguration `yaml:"-" json:"-"`
 	Policy            PolicyConfig `yaml:"policy" json:"policy" mapstructure:"policy"`
 	CacheRefresh      string       `mapstructure:"cache_refresh_interval"`
+	AllowedHosts      []string
 }
 
 type PolicyConfig struct {

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ type AuthNConfig struct {`
`17`	`17`	OIDCConfiguration `yaml:"-" json:"-"`
`18`	`18`	Policy PolicyConfig `yaml:"policy" json:"policy" mapstructure:"policy"`
`19`	`19`	CacheRefresh string `mapstructure:"cache_refresh_interval"`
	`20`	`+ AllowedHosts []string`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`type PolicyConfig struct {`