feat(dp-token): allow validator to define keys not scoped to a mesh (#…

…8169) This permits dpServer.authn.dpPRoxy.dpToken.validator.publicKeys to omit the .mesh field. Keys without the .mesh field will be considered to verify the signature of dataplane tokens, no matter the mesh of the dataplane. Signed-off-by: nicoche <[email protected]>
kumahq · Oct 27, 2023 · 3234b91 · 3234b91
1 parent 40527b6
commit 3234b91
Show file tree

Hide file tree

Showing 6 changed files with 83 additions and 9 deletions.
diff --git a/pkg/config/types/keys.go b/pkg/config/types/keys.go
@@ -35,8 +35,5 @@ func (m MeshedPublicKey) Validate() error {
 	if err := m.PublicKey.Validate(); err != nil {
 		return err
 	}
-	if m.Mesh == "" {
-		return errors.New(".Mesh is required")
-	}
 	return nil
 }
diff --git a/pkg/tokens/builtin/components.go b/pkg/tokens/builtin/components.go
@@ -43,8 +43,12 @@ func NewDataplaneTokenValidator(resManager manager.ReadOnlyResourceManager, stor
 	if err != nil {
 		return nil, err
 	}
+
 	return issuer.NewValidator(func(meshName string) (tokens.Validator, error) {
 		keys := keysByMesh[meshName]
+		// Also use keys that are not bound to any mesh
+		keys = append(keys, keysByMesh[""]...)
+
 		staticSigningKeyAccessor, err := tokens.NewStaticSigningKeyAccessor(keys)
 		if err != nil {
 			return nil, err

diff --git a/test/e2e_env/universal/auth/offline_auth.go b/test/e2e_env/universal/auth/offline_auth.go
@@ -11,7 +11,10 @@ import (
 )
 
 func OfflineAuth() {
-	meshName := "offline-auth"
+	meshes := []string{
+		"offline-auth-1",
+		"offline-auth-2",
+	}
 
 	var universal Cluster
 
@@ -44,7 +47,7 @@ dpServer:
           useSecrets: false
           publicKeys:
           - kid: static-1
-            mesh: offline-auth
+            mesh: offline-auth-1
             key: |
               -----BEGIN RSA PUBLIC KEY-----
               MIIBCgKCAQEAqwbFZ7LSuRGEkFPsZOLYuimsjDeie4sdtqIVW9bLDrTSql+o2sBL
@@ -54,6 +57,16 @@ dpServer:
               FvX0KmBtADEJ4n9Jo4ja3hDmp83Q4KjJq0xKbhh9Fp3AjwjDb0fVFwbt+8SdVgyV
               5PE+7HdigwlJ/cOVb9IY/UKVgCzlW5inCQIDAQAB
               -----END RSA PUBLIC KEY-----
+          - kid: offline-auth-nomesh-1
+            key: |
+              -----BEGIN RSA PUBLIC KEY-----
+              MIIBCgKCAQEAsGQSfwmBU/DMDLnKCbg7cKUrBEAxDinCPaQ5foF87H8aul4EAzym
+              KswoSpwXyyhAqVf2pHJYqkIX0HwL5xkgGy3lvNekgJPLeQaGMg0qVol+tU0/go6i
+              50LUzSvPo6kBHCBOiFTNxZ+HRiCdTJd655ALBn1a4LbVPGDqPnHikSWsZg69gkV7
+              T+jdPz4rBqfhNahREinVRe1DsLVJ0trjc91+2dRYj1e+tKVQDwCNj5cP2GzYUkAb
+              XaMpe1ZGQSC9/gTlJIEU7Lyz7fyOJcCZbGASy8nBixM6E5l8QPrFVIDVkeNJNVQj
+              35gOQBJWtsCEiBx3spsKLeoim62wun05HwIDAQAB
+              -----END RSA PUBLIC KEY-----
 `
 
 	BeforeAll(func() {
@@ -62,7 +75,8 @@ dpServer:
 			Install(Kuma(core.Standalone,
 				WithYamlConfig(cpCfg),
 			)).
-			Install(MeshUniversal(meshName)).
+			Install(MeshUniversal(meshes[0])).
+			Install(MeshUniversal(meshes[1])).
 			Setup(universal)).To(Succeed())
 	})
 
@@ -98,19 +112,40 @@ dpServer:
 	It("should use dp-token generated offline", func() {
 		// given
 		token, err := universal.GetKumactlOptions().RunKumactlAndGetOutput("generate", "dataplane-token",
-			"--mesh", meshName,
+			"--mesh", meshes[0],
 			"--kid", "static-1",
 			"--valid-for", "24h",
 			"--signing-key-path", filepath.Join("..", "..", "keys", "samplekey.pem"),
 		)
 		Expect(err).ToNot(HaveOccurred())
 
 		// when
-		Expect(universal.Install(DemoClientUniversal("test-server", meshName, WithToken(token)))).To(Succeed())
+		Expect(universal.Install(DemoClientUniversal("test-server-1", meshes[0], WithToken(token)))).To(Succeed())
+
+		// then
+		Eventually(func(g Gomega) {
+			online, _, err := IsDataplaneOnline(universal, meshes[0], "test-server-1")
+			g.Expect(err).ToNot(HaveOccurred())
+			g.Expect(online).To(BeTrue())
+		}, "30s", "1s").Should(Succeed())
+	})
+
+	It("should use a dp-token generated offline, validated with a non-mesh scoped key", func() {
+		// given
+		token, err := universal.GetKumactlOptions().RunKumactlAndGetOutput("generate", "dataplane-token",
+			"--mesh", meshes[1],
+			"--kid", "offline-auth-nomesh-1",
+			"--valid-for", "24h",
+			"--signing-key-path", filepath.Join("..", "..", "keys", "samplekey-2.pem"),
+		)
+		Expect(err).ToNot(HaveOccurred())
+
+		// when
+		Expect(universal.Install(DemoClientUniversal("test-server-2", meshes[1], WithToken(token)))).To(Succeed())
 
 		// then
 		Eventually(func(g Gomega) {
-			online, _, err := IsDataplaneOnline(universal, meshName, "test-server")
+			online, _, err := IsDataplaneOnline(universal, meshes[1], "test-server-2")
 			g.Expect(err).ToNot(HaveOccurred())
 			g.Expect(online).To(BeTrue())
 		}, "30s", "1s").Should(Succeed())

diff --git a/test/keys/README.md b/test/keys/README.md
@@ -2,3 +2,6 @@ Keys for tests generated by executing:
 
 kumactl generate signing-key --format=pem > samplekey.pem
 kumactl generate public-key --signing-key-path=samplekey.pem > publickey.pem
+
+kumactl generate signing-key --format=pem > samplekey-2.pem
+kumactl generate public-key --signing-key-path=samplekey-2.pem > publickey-2.pem
diff --git a/test/keys/publickey-2.pem b/test/keys/publickey-2.pem
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAsGQSfwmBU/DMDLnKCbg7cKUrBEAxDinCPaQ5foF87H8aul4EAzym
+KswoSpwXyyhAqVf2pHJYqkIX0HwL5xkgGy3lvNekgJPLeQaGMg0qVol+tU0/go6i
+50LUzSvPo6kBHCBOiFTNxZ+HRiCdTJd655ALBn1a4LbVPGDqPnHikSWsZg69gkV7
+T+jdPz4rBqfhNahREinVRe1DsLVJ0trjc91+2dRYj1e+tKVQDwCNj5cP2GzYUkAb
+XaMpe1ZGQSC9/gTlJIEU7Lyz7fyOJcCZbGASy8nBixM6E5l8QPrFVIDVkeNJNVQj
+35gOQBJWtsCEiBx3spsKLeoim62wun05HwIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/test/keys/samplekey-2.pem b/test/keys/samplekey-2.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAsGQSfwmBU/DMDLnKCbg7cKUrBEAxDinCPaQ5foF87H8aul4E
+AzymKswoSpwXyyhAqVf2pHJYqkIX0HwL5xkgGy3lvNekgJPLeQaGMg0qVol+tU0/
+go6i50LUzSvPo6kBHCBOiFTNxZ+HRiCdTJd655ALBn1a4LbVPGDqPnHikSWsZg69
+gkV7T+jdPz4rBqfhNahREinVRe1DsLVJ0trjc91+2dRYj1e+tKVQDwCNj5cP2GzY
+UkAbXaMpe1ZGQSC9/gTlJIEU7Lyz7fyOJcCZbGASy8nBixM6E5l8QPrFVIDVkeNJ
+NVQj35gOQBJWtsCEiBx3spsKLeoim62wun05HwIDAQABAoIBAEuXt22F70y/51KU
+1Ibx01dlEVhTAjLlpn6wQIt8hsL7fcLcw693cGbq82F2H6RK7dsk/WhgMKtWg8ov
+PxKc6+t58fjKGY+YxxxotV4B0mEfr5OXNV6ILjwZogUDf4rNxNH+7mjynvTQdzKQ
+i5jlWiCe1HrFggrHj/6+MeTs/YHiAmFowQoLX376C1bfzNIdK3kTOSx9JTB40+kJ
+6NJ+Rfnp4V86nDZn73QDD0wkvBe0DNCDp+VkSyVH4bE/5+sTGhm6aQg5MSZJxRK/
+EGvglWeaOpuXLu9Zo14mob9qyDDazlakyAX86ZcVvVXq0XmMie6uPqUAll5tZobr
+oMzS6tECgYEA6TJ+1tITUsJBDMYMK+6vv+MW31VDy5FVIqYqFZBALoM4MbzS3t08
+7MAQ3F4ycKQLmnDZ59VlYPIQhhQ2EEb8gR8HP1Ek+bN8VHRwBewR/zUHxhycGvLi
+ZZMKcGIJaeAwP+jZZGamZO8fl5DlWLCczvrIEyCUm32YmTZpEYPhQ80CgYEAwaOS
+y6ofJiTSEWY52zM5CCB3bZ7fDxGHe1o6P0kViM3dXTfgZL2R5eGGcIajtV8MBzNl
+byy7qOxt6i20sxQqD4IIZXgLiWP95Ry40di6KqYKBOpfRGwt0M2wUQizx+NXyu69
+KKa/QA98RRDsEETCKqq7ivNqUZpj50/rbSsp3JsCgYEAzpXHO/O63pPsIK7KVZkL
+5Qf+WTcl6g8DxsBBg/zYftwMSjOm83w23t1/kll4gcUx6k2THQg02V9YOA9rnZvl
+UVX1i6gNA5B30jGclAKAJwAJtP3fZRhKbAWJN+oBwOO0msli3Mj7G2ujJxhbtOgw
+4kPUPu2b+OuY5hIHnlaglvkCgYB2TqM8rfcUDgEOwl9s7rHUpklxf1SXV0VodysJ
+SXTPvb+W2bHOuwft5MmH7KsPAEBQEfXSZAlP3wwUvNIfa517Fh5dKGgcDCyuk8rT
+409zCTkr4apNGq8vWMx15hQ5d0xHX2/Q63gEArIRXJJuKiRbfy7QaYI201ZgmDKl
+425TKwKBgQDULDPS3Pft7ajilHIOUhaeAmyL+t//HtO3iNVEKqBjCM5msim0yXCf
+mWTHaccUmAeauA9YYefQnCVxW1IyLIClRIu1D8zqoXh9SoafUKOMQGX1jNKwTAl5
+J23/q2ZhCmrahyBrlGvzMZnyl4/Zm2RJ9tS5TU58y2SvusP0K47VeA==
+-----END RSA PRIVATE KEY-----