
Enable additional identity providers for machine accounts (GitHub Actions enablement) #5385

Open: wants to merge 12 commits into base branch main
Conversation

evankanderson
Member

Summary

This cleans up #4317, and enables additional service account (machine identity) providers in internal/auth, starting with GitHub Actions. It's possible that this could be generalized to AWS, GCP, etc. service accounts, but I wanted to start with a concrete example which enabled a number of other stories.

Usage (from #4317):

Fixes #5145

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Added unit tests for new modules, and tested manually.

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@evankanderson evankanderson requested a review from a team as a code owner January 30, 2025 03:45
Member Author

@evankanderson evankanderson left a comment


Sorry about the size of the diff! I tried not to make it too large, but also not to leave too many things half-way (unlike #4317, which explicitly did that).

Comment on lines -109 to -110
// GetUserSubjectFromContext returns the user subject from the context, or nil
func GetUserSubjectFromContext(ctx context.Context) string {
Member Author


I removed this because an ID token with a sub but without the iss context seems dangerous, so I'd prefer to have our code explicitly get auth.Identity objects and reason about them.

@evankanderson
Member Author

(Fixed lint and hopefully test failures)

@evankanderson
Member Author

#5386 may help with the "unit test" leg of PRs timing out.

Comment on lines 1 to 14
//
// Copyright 2024 Stacklok, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Contributor


chore: The newly added files still use the old license header

Suggested change
//
// Copyright 2024 Stacklok, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// SPDX-FileCopyrightText: Copyright 2025 The Minder Authors
// SPDX-License-Identifier: Apache-2.0

Member Author


Thanks, fixed!

// limitations under the License.

// Package dynamic provides the logic for reading and validating JWT tokens
// using a JWKS URL from the token's
Contributor


nit: Incomplete sentence here

	if err != nil {
		return fmt.Errorf("failed to fetch and cache identity provider JWKS: %w\n", err)
	}
	dynamicJwt := dynamic.NewDynamicValidator(ctx, cfg.Identity.Server.Audience)
	jwt := merged.Validator{Validators: []jwt.Validator{staticJwt, dynamicJwt}}
Contributor


suggestion: Wouldn't it be safer to have static validators for each identity provider? That way we would only call out to the issuers we support.

Member Author


We have a static list of identity resolvers that map iss + sub into a "user" string for OpenFGA and the database. I can add an allow-list to the dynamic validator if you'd like -- I already added metrics to see how often new resolvers were coming in (because I thought it might be interesting).

Contributor


I think an allowlist would be useful. The identity resolvers validation happens later, and it would be nice to catch this sooner.
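One way to realise the allow-list discussed in this thread, as an added example that is not the PR's code: a dynamic validator that rejects any issuer not on the list (and any audience mismatch) before fetching that issuer's JWKS, then verifies an EdDSA signature against the key whose kid matches the token header. Identity, DynamicValidator, the Allowed map and the FetchJWKS hook are assumed names standing in for Minder's auth.Identity and dynamic validator, and aud is assumed to be a single string.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Identity struct{ Issuer, Subject string } // (iss, sub) pair a token resolves to; assumed stand-in for auth.Identity
// DynamicValidator verifies EdDSA JWTs with a JWKS from the token's issuer, but only for allow-listed
// issuers. FetchJWKS is an assumed hook; real code would locate the JWKS via OIDC discovery.
type DynamicValidator struct {
	Audience  string
	Allowed   map[string]bool
	FetchJWKS func(issuer string) ([]byte, error)
}
func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
func (d *DynamicValidator) Validate(tok string) (Identity, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return Identity{}, errors.New("malformed JWT")
	}
	hdr, e1 := b64(p[0])
	body, e2 := b64(p[1])
	sig, e3 := b64(p[2])
	var h struct{ Alg, Kid string }
	var c struct{ Iss, Sub, Aud string } // aud assumed to be a single string, as GitHub Actions issues it
	if errors.Join(e1, e2, e3, json.Unmarshal(hdr, &h), json.Unmarshal(body, &c)) != nil || h.Alg != "EdDSA" {
		return Identity{}, errors.New("undecodable JWT or unsupported alg")
	}
	if !d.Allowed[c.Iss] || c.Aud != d.Audience { // enforced before any network call to the issuer
		return Identity{}, fmt.Errorf("issuer %q or audience %q not accepted", c.Iss, c.Aud)
	}
	raw, err := d.FetchJWKS(c.Iss)
	if err != nil {
		return Identity{}, fmt.Errorf("failed to fetch identity provider JWKS: %w", err)
	}
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	_ = json.Unmarshal(raw, &set) // a malformed JWKS yields no keys, so the token is rejected below
	for _, k := range set.Keys {  // match the header's kid, then verify over the header.payload bytes
		if x, _ := b64(k.X); k.Kty == "OKP" && k.Crv == "Ed25519" && k.Kid == h.Kid &&
			len(x) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(x), []byte(p[0]+"."+p[1]), sig) {
			return Identity{Issuer: c.Iss, Subject: c.Sub}, nil
		}
	}
	return Identity{}, errors.New("no matching key or invalid signature")
}
```

Because the issuer check precedes FetchJWKS, an unknown iss never triggers a request to that issuer, which is the point the reviewer raises above.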

Successfully merging this pull request may close these issues.

Finish #4317 and merge