auth: OpenID/OAUth2 middleware

2 configurations for the listeners are now possible:
- enableJWT=false with client ssl auth
- enableJWT=true with https

Actual verification of the tokens is handled by
https://github.com/openshift-online/ocm-sdk-go.

An authentication handler is run as the top level handler, before any
routing is done. Routes which do not require authentication should be
listed as exceptions.

Authentication can be restricted using an ACL file which allows
filtering based on JWT claims. For more information see the inline
comments in ocm-sdk/authentication.

As an added quirk the `-v` flag for the osbuild-composer executable was
changed to `-verbose` to avoid flag collision with glog which declares
the `-v` flag in the package `init()` function. The ocm-sdk depends on
glog and pulls it in.

cmd/osbuild-composer/composer.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
+	"github.com/osbuild/osbuild-composer/internal/auth"
 	"github.com/osbuild/osbuild-composer/internal/cloudapi"
 	"github.com/osbuild/osbuild-composer/internal/distroregistry"
 	"github.com/osbuild/osbuild-composer/internal/jobqueue"
@@ -101,22 +102,28 @@ func (c *Composer) InitWeldr(repoPaths []string, weldrListener net.Listener,
 	return nil
 }
 
-func (c *Composer) InitAPI(cert, key string, l net.Listener) error {
+func (c *Composer) InitAPI(cert, key string, enableJWT bool, l net.Listener) error {
 	c.api = cloudapi.NewServer(c.workers, c.rpm, c.distros)
 	c.koji = kojiapi.NewServer(c.logger, c.workers, c.rpm, c.distros)
 
+	clientAuth := tls.RequireAndVerifyClientCert
+	if enableJWT {
+		// jwt enabled => tls listener without client auth
+		clientAuth = tls.NoClientCert
+	}
+
 	tlsConfig, err := createTLSConfig(&connectionConfig{
 		CACertFile:     c.config.Koji.CA,
 		ServerKeyFile:  key,
 		ServerCertFile: cert,
 		AllowedDomains: c.config.Koji.AllowedDomains,
+		ClientAuth:     clientAuth,
 	})
 	if err != nil {
 		return fmt.Errorf("Error creating TLS configuration: %v", err)
 	}
 
 	c.apiListener = tls.NewListener(l, tlsConfig)
-
 	return nil
 }
 
@@ -124,17 +131,23 @@ func (c *Composer) InitLocalWorker(l net.Listener) {
 	c.localWorkerListener = l
 }
 
-func (c *Composer) InitRemoteWorkers(cert, key string, l net.Listener) error {
+func (c *Composer) InitRemoteWorkers(cert, key string, enableJWT bool, l net.Listener) error {
+	clientAuth := tls.RequireAndVerifyClientCert
+	if enableJWT {
+		// jwt enabled => tls listener without client auth
+		clientAuth = tls.NoClientCert
+	}
+
 	tlsConfig, err := createTLSConfig(&connectionConfig{
 		CACertFile:     c.config.Worker.CA,
 		ServerKeyFile:  key,
 		ServerCertFile: cert,
 		AllowedDomains: c.config.Worker.AllowedDomains,
+		ClientAuth:     clientAuth,
 	})
 	if err != nil {
 		return fmt.Errorf("Error creating TLS configuration for remote worker API: %v", err)
 	}
-
 	c.workerListener = tls.NewListener(l, tlsConfig)
 
 	return nil
@@ -168,11 +181,26 @@ func (c *Composer) Start() error {
 
 	if c.workerListener != nil {
 		go func() {
+			handler := c.workers.Handler()
+			var err error
+			if c.config.Worker.EnableJWT {
+				handler, err = auth.BuildJWTAuthHandler(
+					c.config.Worker.JWTKeysURL,
+					c.config.Worker.JWTKeysCA,
+					c.config.Worker.JWTACLFile,
+					[]string{},
+					handler,
+				)
+				if err != nil {
+					panic(err)
+				}
+			}
+
 			s := &http.Server{
 				ErrorLog: c.logger,
-				Handler:  c.workers.Handler(),
+				Handler:  handler,
 			}
-			err := s.Serve(c.workerListener)
+			err = s.Serve(c.workerListener)
 			if err != nil {
 				panic(err)
 			}
@@ -193,12 +221,26 @@ func (c *Composer) Start() error {
 			mux.Handle(kojiRoute+"/", c.koji.Handler(kojiRoute))
 			mux.Handle("/metrics", promhttp.Handler().(http.HandlerFunc))
 
-			s := &http.Server{
-				ErrorLog: c.logger,
-				Handler:  mux,
+			handler := http.Handler(mux)
+			var err error
+			if c.config.ComposerAPI.EnableJWT {
+				handler, err = auth.BuildJWTAuthHandler(
+					c.config.ComposerAPI.JWTKeysURL,
+					c.config.ComposerAPI.JWTKeysCA,
+					c.config.ComposerAPI.JWTACLFile,
+					[]string{
+						"/metrics/?$",
+					}, mux)
+				if err != nil {
+					panic(err)
+				}
 			}
 
-			err := s.Serve(c.apiListener)
+			s := &http.Server{
+				ErrorLog: c.logger,
+				Handler:  handler,
+			}
+			err = s.Serve(c.apiListener)
 			if err != nil {
 				panic(err)
 			}
@@ -237,6 +279,7 @@ type connectionConfig struct {
 	ServerKeyFile  string
 	ServerCertFile string
 	AllowedDomains []string
+	ClientAuth     tls.ClientAuthType
 }
 
 func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
@@ -261,7 +304,7 @@ func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
 	}
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientAuth:   c.ClientAuth,
 		ClientCAs:    roots,
 		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 			for _, chain := range verifiedChains {

cmd/osbuild-composer/config.go

@@ -23,7 +23,17 @@ type ComposerConfigFile struct {
 		PGUser         string   `toml:"pg_user" env:"PGUSER"`
 		PGPassword     string   `toml:"pg_password" env:"PGPASSWORD"`
 		PGSSLMode      string   `toml:"pg_ssl_mode" env:"PGSSLMODE"`
+		EnableJWT      bool     `toml:"enable_jwt"`
+		JWTKeysURL     string   `toml:"jwt_keys_url"`
+		JWTKeysCA      string   `toml:"jwt_ca_file"`
+		JWTACLFile     string   `toml:"jwt_acl_file"`
 	} `toml:"worker"`
+	ComposerAPI struct {
+		EnableJWT  bool   `toml:"enable_jwt"`
+		JWTKeysURL string `toml:"jwt_keys_url"`
+		JWTKeysCA  string `toml:"jwt_ca_file"`
+		JWTACLFile string `toml:"jwt_acl_file"`
+	} `toml:"composer_api"`
 	WeldrAPI WeldrAPIConfig `toml:"weldr_api"`
 }
 
@@ -100,6 +110,9 @@ func loadConfigFromEnv(intf interface{}) error {
 				continue
 			}
 			fieldV.SetString(confV)
+		case reflect.Bool:
+			// no-op
+			continue
 		case reflect.Slice:
 			// no-op
 			continue

cmd/osbuild-composer/config_test.go

@@ -25,7 +25,10 @@ func TestDefaultConfig(t *testing.T) {
 	defaultConfig := GetDefaultConfig()
 	require.Empty(t, defaultConfig.Koji)
 	require.Empty(t, defaultConfig.Worker)
-	require.Empty(t, defaultConfig.ComposerAPI)
+	require.False(t, defaultConfig.ComposerAPI.EnableJWT)
+	require.Equal(t, "", defaultConfig.ComposerAPI.JWTKeysCA)
+	require.False(t, defaultConfig.Worker.EnableJWT)
+	require.Equal(t, "", defaultConfig.Worker.JWTKeysCA)
 
 	expectedWeldrAPIConfig := WeldrAPIConfig{
 		DistroConfigs: map[string]WeldrDistroConfig{
@@ -62,6 +65,11 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, config)
 	require.Equal(t, "composer-db", config.Worker.PGDatabase)
+
+	require.True(t, config.ComposerAPI.EnableJWT)
+	require.Equal(t, "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs", config.ComposerAPI.JWTKeysURL)
+	require.Equal(t, "", config.ComposerAPI.JWTKeysCA)
+	require.Equal(t, "/var/lib/osbuild-composer/acl", config.ComposerAPI.JWTACLFile)
 }
 
 func TestWeldrDistrosImageTypeDenyList(t *testing.T) {

cmd/osbuild-composer/main.go

@@ -21,7 +21,7 @@ var repositoryConfigs = []string{
 
 func main() {
 	var verbose bool
-	flag.BoolVar(&verbose, "v", false, "Print access log")
+	flag.BoolVar(&verbose, "verbose", false, "Print access log")
 	flag.Parse()
 
 	var logger *log.Logger
@@ -88,7 +88,7 @@ func main() {
 			log.Fatal("The osbuild-composer-api.socket unit is misconfigured. It should contain only one socket.")
 		}
 
-		err = composer.InitAPI(ServerCertFile, ServerKeyFile, l[0])
+		err = composer.InitAPI(ServerCertFile, ServerKeyFile, config.ComposerAPI.EnableJWT, l[0])
 		if err != nil {
 			log.Fatalf("Error initializing koji API: %v", err)
 		}
@@ -99,7 +99,7 @@ func main() {
 			log.Fatal("The osbuild-remote-worker.socket unit is misconfigured. It should contain only one socket.")
 		}
 
-		err = composer.InitRemoteWorkers(ServerCertFile, ServerKeyFile, l[0])
+		err = composer.InitRemoteWorkers(ServerCertFile, ServerKeyFile, config.Worker.EnableJWT, l[0])
 		if err != nil {
 			log.Fatalf("Error initializing worker API: %v", err)
 		}

cmd/osbuild-composer/testdata/test.toml

@@ -15,3 +15,8 @@ image_type_denylist = [ "qcow2" ]
 
 # overrides the default rhel-* configuration
 [weldr_api.distros."rhel-*"]
+
+[composer_api]
+enable_jwt = true
+jwt_keys_url = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"
+jwt_acl_file = "/var/lib/osbuild-composer/acl"

cmd/osbuild-mock-openid-provider/main.go

@@ -0,0 +1,123 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"io/ioutil"
+	"log"
+	"math/big"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+)
+
+// Implements /certs and /token
+func main() {
+	var addr string
+	var rsaPubPem string
+	var rsaPem string
+	var tlsCert string
+	var tlsKey string
+	flag.StringVar(&addr, "a", "localhost:8080", "Address to serve on")
+	flag.StringVar(&rsaPubPem, "rsaPubPem", "", "rsa pubkey in pem format (path)")
+	flag.StringVar(&rsaPem, "rsaPem", "", "rsa privkey in pem format (path)")
+	flag.StringVar(&tlsCert, "cert", "", "tls cert")
+	flag.StringVar(&tlsKey, "key", "", "tls key")
+	flag.Parse()
+
+	if rsaPubPem == "" || rsaPem == "" {
+		panic("path to rsa keys needed")
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/certs", func(w http.ResponseWriter, r *http.Request) {
+		type key struct {
+			Kid string `json:"kid"`
+			Kty string `json:"kty"`
+			Alg string `json:"alg"`
+			N   string `json:"n"`
+			E   string `json:"e"`
+		}
+
+		rsaPubBytes, err := ioutil.ReadFile(rsaPubPem)
+		if err != nil {
+			panic(err)
+		}
+		pubKey, err := jwt.ParseRSAPublicKeyFromPEM(rsaPubBytes)
+		if err != nil {
+			panic(err)
+		}
+		k := key{
+			Kid: "key-id",
+			Kty: "RSA",
+			Alg: "RS256",
+			N:   strings.TrimRight(base64.URLEncoding.EncodeToString(pubKey.N.Bytes()), "="),
+			E:   strings.TrimRight(base64.URLEncoding.EncodeToString(big.NewInt(int64(pubKey.E)).Bytes()), "="),
+		}
+
+		type response struct {
+			Keys []key `json:"keys"`
+		}
+
+		err = json.NewEncoder(w).Encode(response{
+			Keys: []key{
+				k,
+			},
+		})
+		if err != nil {
+			panic(err)
+		}
+		w.Header().Set("Content-Type", "application/json")
+	})
+
+	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
+		type customClaims struct {
+			Type      string `json:"typ"`
+			ExpiresAt int64  `json:"exp"`
+			IssuedAt  int64  `json:"iat"`
+			jwt.Claims
+		}
+
+		cc := customClaims{
+			Type:      "Bearer",
+			ExpiresAt: 0,
+			IssuedAt:  time.Now().Unix(),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodRS256, cc)
+		token.Header["kid"] = "key-id"
+
+		rsaPrivBytes, err := ioutil.ReadFile(rsaPem)
+		if err != nil {
+			panic(err)
+		}
+		privKey, err := jwt.ParseRSAPrivateKeyFromPEM(rsaPrivBytes)
+		if err != nil {
+			panic(err)
+		}
+		tokenStr, err := token.SignedString(privKey)
+		if err != nil {
+			panic(err)
+		}
+
+		type response struct {
+			AccessToken string `json:"access_token"`
+		}
+
+		err = json.NewEncoder(w).Encode(response{
+			AccessToken: tokenStr,
+		})
+		if err != nil {
+			panic(err)
+		}
+		w.Header().Set("Content-Type", "application/json")
+	})
+
+	if tlsCert != "" && tlsKey != "" {
+		log.Fatal(http.ListenAndServeTLS(addr, tlsCert, tlsKey, mux))
+	} else {
+		log.Fatal(http.ListenAndServe(addr, mux))
+	}
+}

cmd/osbuild-worker/main.go

@@ -10,6 +10,7 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
+	"os/exec"
 	"path"
 	"strings"
 	"time"
@@ -148,32 +149,47 @@ func main() {
 	var client *worker.Client
 	if unix {
 		client = worker.NewClientUnix(address)
-	} else if config.Authentication != nil && config.Authentication.OfflineTokenPath != "" {
-		t, err := ioutil.ReadFile(config.Authentication.OfflineTokenPath)
-		if err != nil {
-			log.Fatalf("Could not read offline token: %v", err)
-		}
-		token := strings.TrimSpace(string(t))
-
-		if config.Authentication.OAuthURL == "" {
-			log.Fatal("OAuth URL should be specified together with the offline token")
-		}
-
-		client, err = worker.NewClient("https://"+address, nil, &token, &config.Authentication.OAuthURL)
-		if err != nil {
-			log.Fatalf("Error creating worker client: %v", err)
-		}
 	} else {
-		conf, err := createTLSConfig(&connectionConfig{
+		var token *string
+		var oAuthURL *string
+		if config.Authentication != nil && config.Authentication.OfflineTokenPath != "" {
+			t, err := ioutil.ReadFile(config.Authentication.OfflineTokenPath)
+			if err != nil {
+				log.Fatalf("Could not read offline token: %v", err)
+			}
+			t2 := strings.TrimSpace(string(t))
+			token = &t2
+
+			if config.Authentication.OAuthURL == "" {
+				log.Fatal("OAuth URL should be specified together with the offline token")
+			}
+			oAuthURL = &config.Authentication.OAuthURL
+
+			if strings.HasPrefix(address, "http") {
+				out, err := exec.Command("systemd-escape", "-u", address).Output()
+				if err != nil {
+					log.Fatalf("Could not escape remote worker address: %v", err)
+				}
+				address = strings.TrimSpace(string(out))
+			} else {
+				address = fmt.Sprintf("https://%s", address)
+			}
+		}
+
+		var conf *tls.Config
+		conConf := &connectionConfig{
 			CACertFile:     "/etc/osbuild-composer/ca-crt.pem",
 			ClientKeyFile:  "/etc/osbuild-composer/worker-key.pem",
 			ClientCertFile: "/etc/osbuild-composer/worker-crt.pem",
-		})
-		if err != nil {
-			log.Fatalf("Error creating TLS config: %v", err)
+		}
+		if _, err = os.Stat(conConf.CACertFile); err == nil {
+			conf, err = createTLSConfig(conConf)
+			if err != nil {
+				log.Fatalf("Error creating TLS config: %v", err)
+			}
 		}
 
-		client, err = worker.NewClient("https://"+address, conf, nil, nil)
+		client, err = worker.NewClient(address, conf, token, oAuthURL)
 		if err != nil {
 			log.Fatalf("Error creating worker client: %v", err)
 		}