Kuadrant / kuadrantctl

Kuadrant configuration command line utility
Apache License 2.0

Incorrect parsing of openIdConnectUrl for AuthPolicy #94

Open pehala opened 1 week ago

pehala commented 1 week ago

Both the Swagger docs and our own docs state that you should supply the openid-configuration endpoint in the OAS like this:

components:
  securitySchemes:
    securedDog:
      type: openIdConnect
      openIdConnectUrl: https://example.com/.well-known/openid-configuration

kuadrantctl passes this value directly to the AuthPolicy issuerUrl field, which requires the issuer URL and not the openid-configuration endpoint.

Tested version: 0.2.3

Reproducer:

Input:

components:
  securitySchemes:
    oidc:
      openIdConnectUrl: http://172.18.0.19:8080/realms/realm-phala--k0gf/.well-known/openid-configuration
      type: openIdConnect
info:
  title: Httpbin
  version: 0.0.51
  x-kuadrant:
    route:
      hostnames:
      - hostname-phala--usm5.test.com
      name: route-phala--5nxb
      parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: gw-phala--nphc
        namespace: kuadrant
openapi: 3.1.0
paths:
  /anything:
    get:
      operationId: get_anything
      responses:
        '200':
          content:
            application/json:
              schema:
                type: string
          description: Successful Response
      security:
      - oidc: []
    put:
      operationId: put_anything
      responses:
        '200':
          content:
            application/json:
              schema:
                type: string
          description: Successful Response
    x-kuadrant:
      backendRefs:
      - group: ''
        kind: Service
        name: httpbin-phala--6stb
        namespace: kuadrant
        port: 8080
  /get:
    get:
      operationId: get_get
      responses:
        '200':
          content:
            application/json:
              schema:
                type: string
          description: Successful Response

Output:

apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  creationTimestamp: null
  name: route-phala--5nxb
spec:
  routeSelectors:
  - matches:
    - method: GET
      path:
        type: Exact
        value: /anything
  rules:
    authentication:
      get_anything_oidc:
        credentials: {}
        jwt:
          issuerUrl: http://172.18.0.19:8080/realms/realm-phala--k0gf/.well-known/openid-configuration
        routeSelectors:
        - matches:
          - method: GET
            path:
              type: Exact
              value: /anything
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-phala--5nxb
status: {}
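
As an added example (not kuadrantctl's own code), the conversion this issue asks for, written in Go: derive the AuthPolicy issuerUrl from an OAS openIdConnectUrl by stripping the discovery suffix, and then check that the issuer field of the fetched discovery document matches the derived value, as OpenID Connect Discovery requires. Function names are my own, and the sample discovery JSON in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// DiscoverySuffix is the well-known path appended to an issuer URL
// (OpenID Connect Discovery 1.0, section 4).
const DiscoverySuffix = "/.well-known/openid-configuration"

// IssuerFromOpenIDConnectURL derives the AuthPolicy issuerUrl from an OAS
// openIdConnectUrl. It rejects relative or non-http(s) values and values
// without the discovery suffix instead of copying them through unchanged,
// which is the behaviour reported above.
func IssuerFromOpenIDConnectURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("openIdConnectUrl %q is not an absolute http(s) URL", raw)
	}
	if !strings.HasSuffix(u.Path, DiscoverySuffix) {
		return "", fmt.Errorf("openIdConnectUrl %q does not end with %s", raw, DiscoverySuffix)
	}
	u.Path = strings.TrimSuffix(u.Path, DiscoverySuffix)
	u.RawQuery, u.Fragment = "", ""
	return u.String(), nil
}

// VerifyDiscoveryIssuer checks that the "issuer" field of a discovery document
// equals the derived issuer, so a mismatched document is rejected before the
// value is written into an AuthPolicy.
func VerifyDiscoveryIssuer(issuer string, discoveryDoc []byte) error {
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.Unmarshal(discoveryDoc, &doc); err != nil {
		return err
	}
	if doc.Issuer != issuer {
		return fmt.Errorf("discovery issuer %q does not match derived issuer %q", doc.Issuer, issuer)
	}
	return nil
}

func main() {
	// The openIdConnectUrl from the reproducer, and a constructed discovery document.
	issuer, err := IssuerFromOpenIDConnectURL("http://172.18.0.19:8080/realms/realm-phala--k0gf/.well-known/openid-configuration")
	doc := []byte(`{"issuer":"http://172.18.0.19:8080/realms/realm-phala--k0gf"}`)
	fmt.Println(issuer, err, VerifyDiscoveryIssuer(issuer, doc))
}
```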

azgabur commented 1 week ago

The documentation is yet to be updated in my PR #76 to remove the mention of the /.well-known/openid-configuration path. But I agree with you that the OAS that is parsed by kuadrantctl should be compatible with the OAS that is used elsewhere. As you mention, the well-known path is used in the Swagger docs. I would expect kuadrantctl to be able to parse it without an issue.

Link to relevant discussion with @guicassolato https://github.com/Kuadrant/kuadrantctl/pull/76#discussion_r1592769112