ROX-20100: Add exchange token API #8176

Merged: dhaus67 merged 8 commits into master from master-dh/rox-20100_exchange_m2m_token, Oct 26, 2023

Conversation

@dhaus67 (Contributor) commented Oct 14, 2023

Description

This is the second and final PR in a series of PRs to allow Central to issue short-lived tokens for machine-to-machine access (i.e. within CI environments) by exchanging an ID token for a Central token (also referred to as Rox token).

This PR contains:

  • Verifying ID tokens from third-party OIDC issuers.
  • Issuing tokens for machine-to-machine access.
  • Mapping machine-to-machine configs to roles based on claim values.
  • Creating sources for tokens, ensuring that tokens will be revoked when a config is removed.

Checklist

  • Unit test and regression tests added
  • Investigated and inspected CI test results
  • Evaluated and added CHANGELOG entry if required
  • Determined and documented upgrade steps
  • Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

Here I tell how I validated my change

  • See the added unit tests for basic functionality.

Additionally, since this is always hard with OIDC/identity-related changes, I did the following manual tests:

  1. Create a configuration for GitHub using the sample GitHub repo, which contains a sample GitHub action:
     roxcurl <endpoint>/v1/auth/m2m -d '{"config": {"type": "GITHUB_ACTIONS", "tokenExpirationDuration": "5m", "mappings":[{"key":"sub","valueExpression":"repo:dhaus67/roxctl-central-login.*", "role":"Admin"}]}}'
  2. Run the action by triggering a manual workflow run.
  3. Observe that the run succeeds and examine the roxctl central whoami output, which refers to the GitHub actor as user ID.

For a generic config:

  1. Create a generic configuration using Red Hat's internal IdP:
     roxcurl <endpoint>/v1/auth/m2m -d '{"config": {"type": "GENERIC", "tokenExpirationDuration": "5m", "mappings":[{"key":"sub","valueExpression":"<redacted>", "role":"Admin"}], "generic": {"issuer": "https://auth.redhat.com/auth/realms/EmployeeIDP"}}}'
  2. Obtain an ID token from internal SSO; you may do so using the rhoas CLI:
     rhoas login --auth-url https://auth.redhat.com/auth/realms/EmployeeIDP
  3. Exchange the token by calling the exchange token API:
     roxcurl <endpoint>/v1/auth/m2m/exchange -d '{"idToken": "${rhoas authtoken}"}'
  4. Use the obtained token and test it via roxctl central whoami:
     export ROX_API_TOKEN="..."
     roxctl central whoami

General config tests for the API:

  1. Create a GitHub config:
     roxcurl v1/auth/m2m -d '{"config": {"type": "GITHUB_ACTIONS", "tokenExpirationDuration": "5m", "mappings":[{"key": "sub", "valueExpression": "my-subject", "role": "Analyst"}]}}'

{
  "config": {
    "id": "4d6f5c69-3121-4d75-a77f-b5c41083dfc5",
    "type": "GITHUB_ACTIONS",
    "tokenExpirationDuration": "5m",
    "mappings": [
      {
        "key": "sub",
        "valueExpression": "my-subject",
        "role": "Analyst"
      }
    ],
    "issuer": "https://token.actions.githubusercontent.com"
  }
}
  2. Create a generic config:
     roxcurl v1/auth/m2m -d '{"config": {"type": "GENERIC", "issuer": "<redacted>", "tokenExpirationDuration": "5m", "mappings":[{"key": "sub", "valueExpression": "my-subject", "role": "Analyst"}]}}'

{
  "config": {
    "id": "fcffb2fc-7d40-4ebd-986f-839f6fdbfdbe",
    "type": "GENERIC",
    "tokenExpirationDuration": "5m",
    "mappings": [
      {
        "key": "sub",
        "valueExpression": "my-subject",
        "role": "Analyst"
      }
    ],
    "issuer": "<redacted>"
  }
}
  3. List configs:
     roxcurl v1/auth/m2m

{
  "configs": [
    {
      "id": "fcffb2fc-7d40-4ebd-986f-839f6fdbfdbe",
      "type": "GENERIC",
      "tokenExpirationDuration": "5m",
      "mappings": [
        {
          "key": "sub",
          "valueExpression": "my-subject",
          "role": "Analyst"
        }
      ],
      "issuer": "<redacted>"
    },
    {
      "id": "4d6f5c69-3121-4d75-a77f-b5c41083dfc5",
      "type": "GITHUB_ACTIONS",
      "tokenExpirationDuration": "5m",
      "mappings": [
        {
          "key": "sub",
          "valueExpression": "my-subject",
          "role": "Analyst"
        }
      ],
      "issuer": "https://token.actions.githubusercontent.com"
    }
  ]
}
  4. Get a specific config:
     roxcurl v1/auth/m2m/4d6f5c69-3121-4d75-a77f-b5c41083dfc5

{
  "config": {
    "id": "4d6f5c69-3121-4d75-a77f-b5c41083dfc5",
    "type": "GITHUB_ACTIONS",
    "tokenExpirationDuration": "5m",
    "mappings": [
      {
        "key": "sub",
        "valueExpression": "my-subject",
        "role": "Analyst"
      }
    ],
    "issuer": "https://token.actions.githubusercontent.com"
  }
}
  5. Update a config:
     roxcurl v1/auth/m2m -d '{"config": {"type": "GITHUB_ACTIONS", "id": "4d6f5c69-3121-4d75-a77f-b5c41083dfc5","tokenExpirationDuration": "10m", "mappings":[{"key": "sub", "valueExpression": "my-subject", "role": "Analyst"}]}}' -X POST
  6. Delete a config:
     roxcurl v1/auth/m2m/4d6f5c69-3121-4d75-a77f-b5c41083dfc5 -X DELETE

Reminder for reviewers

In addition to reviewing code here, reviewers must also review testing and request further testing in case the
performed one does not seem sufficient. As a reviewer, you must not approve the change until you understand the
performed testing and you are satisfied with it.
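To make the claim-to-role mapping and issuer check described in this PR concrete, here is an added Go example. It is my own sketch for illustration, not code from the stackrox repository or from this PR: the struct fields mirror the JSON shown in the requests above (type, issuer, tokenExpirationDuration, mappings), while the helper names (resolveRoles, tokenExpiry), the decision to anchor each valueExpression so it must match the whole claim value, and the bound of the issued token's lifetime by the ID token's own expiry are assumptions about how one would implement this, not facts about Central. The sample config and claims are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Mapping ties a claim to a role: a token whose claim Key fully matches the
// regular expression ValueExpression is granted Role (field names mirror the
// JSON in the PR description; the Go type itself is assumed).
type Mapping struct {
	Key             string
	ValueExpression string
	Role            string
}

// M2MConfig carries the fields visible in the PR's sample requests.
type M2MConfig struct {
	Type                    string // "GITHUB_ACTIONS" or "GENERIC"
	Issuer                  string // required for GENERIC, implied for GITHUB_ACTIONS
	TokenExpirationDuration time.Duration
	Mappings                []Mapping
}

// githubActionsIssuer is the issuer the PR's sample output shows Central
// filling in for GITHUB_ACTIONS configs.
const githubActionsIssuer = "https://token.actions.githubusercontent.com"

// claims is the already signature-verified payload of an ID token; only
// string-valued claims are modelled, which is all the mappings inspect.
type claims map[string]string

// effectiveIssuer returns the issuer a token must carry for this config.
func effectiveIssuer(cfg M2MConfig) string {
	if cfg.Type == "GITHUB_ACTIONS" {
		return githubActionsIssuer
	}
	return cfg.Issuer
}

// resolveRoles returns the roles granted to a verified ID token. The iss claim
// must equal the config's issuer, and each valueExpression is anchored
// (assumption, see lead-in) so that "repo:org/name.*" cannot match a
// substring in the middle of an unrelated claim value.
func resolveRoles(cfg M2MConfig, c claims) ([]string, error) {
	want := effectiveIssuer(cfg)
	if want == "" || c["iss"] != want {
		return nil, fmt.Errorf("issuer %q does not match config issuer %q", c["iss"], want)
	}
	var roles []string
	seen := map[string]bool{}
	for _, m := range cfg.Mappings {
		val, ok := c[m.Key]
		if !ok {
			continue // claim absent: this mapping simply does not apply
		}
		re, err := regexp.Compile("^(?:" + m.ValueExpression + ")$")
		if err != nil {
			return nil, fmt.Errorf("mapping for claim %q: bad valueExpression: %w", m.Key, err)
		}
		if re.MatchString(val) && !seen[m.Role] {
			seen[m.Role] = true
			roles = append(roles, m.Role)
		}
	}
	if len(roles) == 0 {
		return nil, errors.New("no mapping matched; refusing to issue a token")
	}
	return roles, nil
}

// tokenExpiry bounds the issued token by tokenExpirationDuration and never
// lets it outlive the ID token it was exchanged for (assumption).
func tokenExpiry(cfg M2MConfig, now, idTokenExp time.Time) time.Time {
	exp := now.Add(cfg.TokenExpirationDuration)
	if idTokenExp.Before(exp) {
		return idTokenExp
	}
	return exp
}

func main() {
	// Constructed config, modelled on the PR's GitHub Actions example.
	cfg := M2MConfig{
		Type:                    "GITHUB_ACTIONS",
		TokenExpirationDuration: 5 * time.Minute,
		Mappings: []Mapping{{Key: "sub", ValueExpression: `repo:dhaus67/roxctl-central-login.*`, Role: "Admin"}},
	}
	// Constructed claims in the shape a GitHub Actions ID token presents them.
	good := claims{"iss": githubActionsIssuer, "sub": "repo:dhaus67/roxctl-central-login:ref:refs/heads/main"}
	roles, err := resolveRoles(cfg, good)
	fmt.Println("roles:", roles, "err:", err)
	// Wrong issuer for this config type: rejected before any mapping is consulted.
	_, err = resolveRoles(cfg, claims{"iss": "https://auth.redhat.com/auth/realms/EmployeeIDP", "sub": good["sub"]})
	fmt.Println("err:", err)
}
```

Running it prints the Admin role for the matching GitHub subject and an issuer-mismatch error for the second token; the GENERIC path differs only in taking the issuer from the config rather than the constant.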

@openshift-ci bot commented Oct 14, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@dhaus67 (Contributor, Author) commented Oct 14, 2023

Current dependencies on/for this PR:

This comment was auto-generated by Graphite.

@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from d329f19 to e8ccdaa on October 14, 2023 07:50
@ghost commented Oct 14, 2023

Images are ready for the commit at 0247e0a.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.2.x-559-g0247e0ad32.

@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from e8ccdaa to a4f066b on October 14, 2023 08:38
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from acf1c82 to 09b4eee on October 14, 2023 17:55
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch 2 times, most recently from f6aa2fc to 58077c8 on October 14, 2023 21:20
@dhaus67 dhaus67 requested review from msugakov and stehessel October 14, 2023 22:37
@dhaus67 dhaus67 marked this pull request as ready for review October 14, 2023 22:37
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from 09b4eee to c4c3867 on October 19, 2023 03:08
@dhaus67 dhaus67 requested a review from a team as a code owner October 19, 2023 03:08
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from 58077c8 to 61cdd30 on October 19, 2023 03:08
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from c4c3867 to fa3c7b4 on October 19, 2023 03:08
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from 61cdd30 to ab80f8d on October 19, 2023 03:09
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch 4 times, most recently from 0b1f2e2 to 5fd57f5 on October 20, 2023 11:53
@msugakov (Contributor) left a comment

Sharing as much as I could go through today, not the complete code.

@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from 5fd57f5 to b93280a on October 20, 2023 21:25
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from c3a491c to 73dfd50 on October 24, 2023 02:33
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch 2 times, most recently from 4c2fc46 to adf6a46 on October 25, 2023 12:18
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from adf6a46 to b30c12c on October 25, 2023 12:52
@dhaus67 dhaus67 requested a review from msugakov October 25, 2023 12:53
@dhaus67 (Contributor, Author) commented Oct 25, 2023

/retest

@janisz (Contributor) left a comment

I'm not a fan of using mutexes to lock databases read/writes.

@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from 25d655c to 82fb93a on October 25, 2023 16:54
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from b30c12c to 5ad07de on October 25, 2023 16:54
@msugakov (Contributor) left a comment

Approving provided that the feature is Tech Preview, is gated, and @dhaus67 tested it in the current form. Will continue iterating on the PR after the release is cut.

@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from 82fb93a to d038085 on October 25, 2023 20:58
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from 5ad07de to 2627aa2 on October 25, 2023 20:58
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100-machine-to-machine-api branch from d038085 to b1b0bf2 on October 25, 2023 22:30
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from 2627aa2 to dc0e50e on October 25, 2023 22:31
Base automatically changed from master-dh/rox-20100-machine-to-machine-api to master October 25, 2023 23:50
@dhaus67 dhaus67 force-pushed the master-dh/rox-20100_exchange_m2m_token branch from dc0e50e to 0247e0a on October 26, 2023 03:22
@dhaus67 dhaus67 enabled auto-merge (squash) October 26, 2023 03:23
@openshift-ci bot commented Oct 26, 2023

@dhaus67: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                           Commit   Required  Rerun command
ci/prow/ocp-4-10-ebpf-qa-e2e-tests  5ad07de  false     /test ocp-4-10-ebpf-qa-e2e-tests
ci/prow/gke-operator-e2e-tests      dc0e50e  false     /test gke-operator-e2e-tests
ci/prow/gke-qa-e2e-tests            0247e0a  false     /test gke-qa-e2e-tests
ci/prow/ocp-4-13-qa-e2e-tests       0247e0a  false     /test ocp-4-13-qa-e2e-tests
ci/prow/ocp-4-10-qa-e2e-tests       0247e0a  false     /test ocp-4-10-qa-e2e-tests
ci/prow/gke-nongroovy-e2e-tests     0247e0a  false     /test gke-nongroovy-e2e-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@dhaus67 dhaus67 merged commit 5fb94b9 into master Oct 26, 2023
@dhaus67 dhaus67 deleted the master-dh/rox-20100_exchange_m2m_token branch October 26, 2023 04:40