feat(agent): do not block execution of controllers on error

feat(auth): accept clock skew for token validation
2023-04-01 19:44:00 +02:00 · 2023-04-01 19:30:45 +02:00
5 changed files with 24 additions and 15 deletions
--- a/internal/agent/agent.go
+++ b/internal/agent/agent.go
@ -44,8 +44,6 @@ func (a *Agent) Run(ctx context.Context) error {

 		if err := a.registerAgent(ctx, client, state); err != nil {
 			logger.Error(ctx, "could not register agent", logger.E(errors.WithStack(err)))
-
-			return
 		}

 		logger.Debug(ctx, "state before reconciliation", logger.F("state", state))
@ -81,7 +79,7 @@ func (a *Agent) Reconcile(ctx context.Context, state *State) error {
 		)

 		if err := ctrl.Reconcile(ctrlCtx, state); err != nil {
-			return errors.WithStack(err)
+			logger.Error(ctx, "could not reconcile", logger.E(errors.WithStack(err)))
 		}
 	}

--- a/internal/auth/agent/authenticator.go
+++ b/internal/auth/agent/authenticator.go
@ -14,8 +14,11 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )

+const DefaultAcceptableSkew = 5 * time.Minute
+
 type Authenticator struct {
-	repo datastore.AgentRepository
+	repo           datastore.AgentRepository
+	acceptableSkew time.Duration
 }

 // Authenticate implements auth.Authenticator.
@ -72,6 +75,7 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		[]byte(rawToken),
 		jwt.WithKeySet(agent.KeySet.Set, jws.WithRequireKid(false)),
 		jwt.WithValidate(true),
+		jwt.WithAcceptableSkew(a.acceptableSkew),
 	)
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -91,9 +95,10 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	return user, nil
 }

-func NewAuthenticator(repo datastore.AgentRepository) *Authenticator {
+func NewAuthenticator(repo datastore.AgentRepository, acceptableSkew time.Duration) *Authenticator {
 	return &Authenticator{
-		repo: repo,
+		repo:           repo,
+		acceptableSkew: acceptableSkew,
 	}
 }

--- a/internal/auth/thirdparty/authenticator.go
+++ b/internal/auth/thirdparty/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"strings"
+	"time"

 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
@ -11,9 +12,12 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )

+const DefaultAcceptableSkew = 5 * time.Minute
+
 type Authenticator struct {
-	keys   jwk.Set
-	issuer string
+	keys           jwk.Set
+	issuer         string
+	acceptableSkew time.Duration
 }

 // Authenticate implements auth.Authenticator.
@ -30,7 +34,7 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

-	token, err := parseToken(ctx, a.keys, a.issuer, rawToken)
+	token, err := parseToken(ctx, a.keys, a.issuer, rawToken, a.acceptableSkew)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@ -57,10 +61,11 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	return user, nil
 }

-func NewAuthenticator(keys jwk.Set, issuer string) *Authenticator {
+func NewAuthenticator(keys jwk.Set, issuer string, acceptableSkew time.Duration) *Authenticator {
 	return &Authenticator{
-		keys:   keys,
-		issuer: issuer,
+		keys:           keys,
+		issuer:         issuer,
+		acceptableSkew: acceptableSkew,
 	}
 }

--- a/internal/auth/thirdparty/jwt.go
+++ b/internal/auth/thirdparty/jwt.go
@ -13,12 +13,13 @@ import (

 const keyRole = "role"

-func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string) (jwt.Token, error) {
+func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
 	token, err := jwt.Parse(
 		[]byte(rawToken),
 		jwt.WithKeySet(keys, jws.WithRequireKid(false)),
 		jwt.WithIssuer(issuer),
 		jwt.WithValidate(true),
+		jwt.WithAcceptableSkew(acceptableSkew),
 	)
 	if err != nil {
 		return nil, errors.WithStack(err)
--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -105,8 +105,8 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
-				thirdparty.NewAuthenticator(keys, string(s.conf.Issuer)),
-				agent.NewAuthenticator(s.agentRepo),
+				thirdparty.NewAuthenticator(keys, string(s.conf.Issuer), thirdparty.DefaultAcceptableSkew),
+				agent.NewAuthenticator(s.agentRepo, agent.DefaultAcceptableSkew),
 			))

 			r.Route("/agents", func(r chi.Router) {
Author	SHA1	Message	Date
William Petit	909549f056	feat(agent): do not block execution of controllers on error Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-04-01 19:44:00 +02:00
William Petit	7d551a8312	feat(auth): accept clock skew for token validation Some checks reported errors arcad/emissary/pipeline/head Something is wrong with the build of this commit Details	2023-04-01 19:30:45 +02:00