Line data Source code
1 : // For details about authentication see docs/authentication.md
2 :
3 : use arc_swap::ArcSwap;
4 : use serde;
5 : use std::{borrow::Cow, fmt::Display, fs, sync::Arc};
6 :
7 : use anyhow::Result;
8 : use camino::Utf8Path;
9 : use jsonwebtoken::{
10 : decode, encode, Algorithm, DecodingKey, EncodingKey, Header, TokenData, Validation,
11 : };
12 : use serde::{Deserialize, Serialize};
13 :
14 : use crate::{http::error::ApiError, id::TenantId};
15 :
16 : /// Algorithm to use. We require EdDSA.
17 : const STORAGE_TOKEN_ALGORITHM: Algorithm = Algorithm::EdDSA;
18 :
19 8 : #[derive(Debug, Serialize, Deserialize, Clone, Copy, PartialEq)]
20 : #[serde(rename_all = "lowercase")]
21 : pub enum Scope {
22 : // Provides access to all data for a specific tenant (specified in `struct Claims` below)
23 : // TODO: join these two?
24 : Tenant,
25 : // Provides blanket access to all tenants on the pageserver plus pageserver-wide APIs.
26 : // Should only be used e.g. for status check/tenant creation/list.
27 : PageServerApi,
28 : // Provides blanket access to all data on the safekeeper plus safekeeper-wide APIs.
29 : // Should only be used e.g. for status check.
30 : // Currently also used for connection from any pageserver to any safekeeper.
31 : SafekeeperData,
32 : // The scope used by pageservers in upcalls to storage controller and cloud control plane
33 : #[serde(rename = "generations_api")]
34 : GenerationsApi,
35 : // Allows access to control plane managment API and some storage controller endpoints.
36 : Admin,
37 : }
38 :
39 : /// JWT payload. See docs/authentication.md for the format
40 24 : #[derive(Debug, Serialize, Deserialize, Clone, PartialEq)]
41 : pub struct Claims {
42 : #[serde(default)]
43 : pub tenant_id: Option<TenantId>,
44 : pub scope: Scope,
45 : }
46 :
47 : impl Claims {
48 0 : pub fn new(tenant_id: Option<TenantId>, scope: Scope) -> Self {
49 0 : Self { tenant_id, scope }
50 0 : }
51 : }
52 :
53 : pub struct SwappableJwtAuth(ArcSwap<JwtAuth>);
54 :
55 : impl SwappableJwtAuth {
56 0 : pub fn new(jwt_auth: JwtAuth) -> Self {
57 0 : SwappableJwtAuth(ArcSwap::new(Arc::new(jwt_auth)))
58 0 : }
59 0 : pub fn swap(&self, jwt_auth: JwtAuth) {
60 0 : self.0.swap(Arc::new(jwt_auth));
61 0 : }
62 0 : pub fn decode(&self, token: &str) -> std::result::Result<TokenData<Claims>, AuthError> {
63 0 : self.0.load().decode(token)
64 0 : }
65 : }
66 :
67 : impl std::fmt::Debug for SwappableJwtAuth {
68 0 : fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69 0 : write!(f, "Swappable({:?})", self.0.load())
70 0 : }
71 : }
72 :
73 0 : #[derive(Clone, PartialEq, Eq, Hash, Debug)]
74 : pub struct AuthError(pub Cow<'static, str>);
75 :
76 : impl Display for AuthError {
77 0 : fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
78 0 : write!(f, "{}", self.0)
79 0 : }
80 : }
81 :
82 : impl From<AuthError> for ApiError {
83 0 : fn from(_value: AuthError) -> Self {
84 0 : // Don't pass on the value of the AuthError as a precautionary measure.
85 0 : // Being intentionally vague in public error communication hurts debugability
86 0 : // but it is more secure.
87 0 : ApiError::Forbidden("JWT authentication error".to_string())
88 0 : }
89 : }
90 :
91 : pub struct JwtAuth {
92 : decoding_keys: Vec<DecodingKey>,
93 : validation: Validation,
94 : }
95 :
96 : impl JwtAuth {
97 4 : pub fn new(decoding_keys: Vec<DecodingKey>) -> Self {
98 4 : let mut validation = Validation::default();
99 4 : validation.algorithms = vec![STORAGE_TOKEN_ALGORITHM];
100 4 : // The default 'required_spec_claims' is 'exp'. But we don't want to require
101 4 : // expiration.
102 4 : validation.required_spec_claims = [].into();
103 4 : Self {
104 4 : decoding_keys,
105 4 : validation,
106 4 : }
107 4 : }
108 :
109 0 : pub fn from_key_path(key_path: &Utf8Path) -> Result<Self> {
110 0 : let metadata = key_path.metadata()?;
111 0 : let decoding_keys = if metadata.is_dir() {
112 0 : let mut keys = Vec::new();
113 0 : for entry in fs::read_dir(key_path)? {
114 0 : let path = entry?.path();
115 0 : if !path.is_file() {
116 : // Ignore directories (don't recurse)
117 0 : continue;
118 0 : }
119 0 : let public_key = fs::read(path)?;
120 0 : keys.push(DecodingKey::from_ed_pem(&public_key)?);
121 : }
122 0 : keys
123 0 : } else if metadata.is_file() {
124 0 : let public_key = fs::read(key_path)?;
125 0 : vec![DecodingKey::from_ed_pem(&public_key)?]
126 : } else {
127 0 : anyhow::bail!("path is neither a directory or a file")
128 : };
129 0 : if decoding_keys.is_empty() {
130 0 : anyhow::bail!("Configured for JWT auth with zero decoding keys. All JWT gated requests would be rejected.");
131 0 : }
132 0 : Ok(Self::new(decoding_keys))
133 0 : }
134 :
135 0 : pub fn from_key(key: String) -> Result<Self> {
136 0 : Ok(Self::new(vec![DecodingKey::from_ed_pem(key.as_bytes())?]))
137 0 : }
138 :
139 : /// Attempt to decode the token with the internal decoding keys.
140 : ///
141 : /// The function tries the stored decoding keys in succession,
142 : /// and returns the first yielding a successful result.
143 : /// If there is no working decoding key, it returns the last error.
144 4 : pub fn decode(&self, token: &str) -> std::result::Result<TokenData<Claims>, AuthError> {
145 4 : let mut res = None;
146 4 : for decoding_key in &self.decoding_keys {
147 4 : res = Some(decode(token, decoding_key, &self.validation));
148 4 : if let Some(Ok(res)) = res {
149 4 : return Ok(res);
150 0 : }
151 : }
152 0 : if let Some(res) = res {
153 0 : res.map_err(|e| AuthError(Cow::Owned(e.to_string())))
154 : } else {
155 0 : Err(AuthError(Cow::Borrowed("no JWT decoding keys configured")))
156 : }
157 4 : }
158 : }
159 :
160 : impl std::fmt::Debug for JwtAuth {
161 0 : fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
162 0 : f.debug_struct("JwtAuth")
163 0 : .field("validation", &self.validation)
164 0 : .finish()
165 0 : }
166 : }
167 :
168 : // this function is used only for testing purposes in CLI e g generate tokens during init
169 2 : pub fn encode_from_key_file(claims: &Claims, key_data: &[u8]) -> Result<String> {
170 2 : let key = EncodingKey::from_ed_pem(key_data)?;
171 2 : Ok(encode(&Header::new(STORAGE_TOKEN_ALGORITHM), claims, &key)?)
172 2 : }
173 :
174 : #[cfg(test)]
175 : mod tests {
176 : use super::*;
177 : use std::str::FromStr;
178 :
179 : // Generated with:
180 : //
181 : // openssl genpkey -algorithm ed25519 -out ed25519-priv.pem
182 : // openssl pkey -in ed25519-priv.pem -pubout -out ed25519-pub.pem
183 : const TEST_PUB_KEY_ED25519: &[u8] = br#"
184 : -----BEGIN PUBLIC KEY-----
185 : MCowBQYDK2VwAyEARYwaNBayR+eGI0iXB4s3QxE3Nl2g1iWbr6KtLWeVD/w=
186 : -----END PUBLIC KEY-----
187 : "#;
188 :
189 : const TEST_PRIV_KEY_ED25519: &[u8] = br#"
190 : -----BEGIN PRIVATE KEY-----
191 : MC4CAQAwBQYDK2VwBCIEID/Drmc1AA6U/znNRWpF3zEGegOATQxfkdWxitcOMsIH
192 : -----END PRIVATE KEY-----
193 : "#;
194 :
195 2 : #[test]
196 2 : fn test_decode() {
197 2 : let expected_claims = Claims {
198 2 : tenant_id: Some(TenantId::from_str("3d1f7595b468230304e0b73cecbcb081").unwrap()),
199 2 : scope: Scope::Tenant,
200 2 : };
201 2 :
202 2 : // A test token containing the following payload, signed using TEST_PRIV_KEY_ED25519:
203 2 : //
204 2 : // ```
205 2 : // {
206 2 : // "scope": "tenant",
207 2 : // "tenant_id": "3d1f7595b468230304e0b73cecbcb081",
208 2 : // "iss": "neon.controlplane",
209 2 : // "iat": 1678442479
210 2 : // }
211 2 : // ```
212 2 : //
213 2 : let encoded_eddsa = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6InRlbmFudCIsInRlbmFudF9pZCI6IjNkMWY3NTk1YjQ2ODIzMDMwNGUwYjczY2VjYmNiMDgxIiwiaXNzIjoibmVvbi5jb250cm9scGxhbmUiLCJpYXQiOjE2Nzg0NDI0Nzl9.rNheBnluMJNgXzSTTJoTNIGy4P_qe0JUHl_nVEGuDCTgHOThPVr552EnmKccrCKquPeW3c2YUk0Y9Oh4KyASAw";
214 2 :
215 2 : // Check it can be validated with the public key
216 2 : let auth = JwtAuth::new(vec![DecodingKey::from_ed_pem(TEST_PUB_KEY_ED25519).unwrap()]);
217 2 : let claims_from_token = auth.decode(encoded_eddsa).unwrap().claims;
218 2 : assert_eq!(claims_from_token, expected_claims);
219 2 : }
220 :
221 2 : #[test]
222 2 : fn test_encode() {
223 2 : let claims = Claims {
224 2 : tenant_id: Some(TenantId::from_str("3d1f7595b468230304e0b73cecbcb081").unwrap()),
225 2 : scope: Scope::Tenant,
226 2 : };
227 2 :
228 2 : let encoded = encode_from_key_file(&claims, TEST_PRIV_KEY_ED25519).unwrap();
229 2 :
230 2 : // decode it back
231 2 : let auth = JwtAuth::new(vec![DecodingKey::from_ed_pem(TEST_PUB_KEY_ED25519).unwrap()]);
232 2 : let decoded = auth.decode(&encoded).unwrap();
233 2 :
234 2 : assert_eq!(decoded.claims, claims);
235 2 : }
236 : }
|
