buildbarn / bb-storage

Storage daemon, capable of storing data for the Remote Execution protocol
Apache License 2.0

Failed to create authorization header parser for JWT authentication policy: Unsupported public key type #171

Closed pkar closed 1 year ago

pkar commented 1 year ago

I'm trying to test out a simple JWT policy in a Kubernetes deployment; however, it's not clear what the issue is with the public key.

Generated the pub/priv keys with

$ openssl genrsa -out jwtRSA256-private.pem 4096
$ openssl rsa -in jwtRSA256-private.pem -pubout -outform PEM -out jwtRSA256-public.pem

The policy looks like

  frontend.jsonnet: |
    local common = import 'common.libsonnet';

    {
      grpcServers: [{
        listenAddresses: [':8980'],
        authenticationPolicy: { any: { policies: [
          { jwt: {
            publicKey: |||
              -----BEGIN PUBLIC KEY-----
              .........................==
              -----END PUBLIC KEY-----
            |||,
            maximumCacheSize: 10000,
            cacheReplacementPolicy: 'LEAST_RECENTLY_USED',
            claimsValidationJmespathExpression: '`true`',
            metadataExtractionJmespathExpression: '{ "private": { "mayWriteAC": `true` } }',
          } },
        ] } },
      }],
      schedulers: {

The frontend storage fails to start up with

frontend-5cfdfd6b68-7f4v7 storage 2023/04/17 22:34:33 gRPC server failure: rpc error: code = InvalidArgument desc = Failed to create authorization header parser for JWT authentication policy: Unsupported public key type

Ran a simple test locally and the keys parse ok

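package main

import (
    "crypto/ecdsa"
    "crypto/ed25519"
    "crypto/rsa"
    "crypto/x509"
    "encoding/pem"
    "fmt"
    "log"
    "os"
    "reflect"
)

func main() {
    // Read the public key generated with openssl above.
    pubKey, err := os.ReadFile("jwtRSA256-public.pem")
    if err != nil {
        log.Fatal(err)
    }
    block, _ := pem.Decode(pubKey)
    if block == nil {
        log.Fatal("invalid pubkey")
    }
    parsedKey, err := x509.ParsePKIXPublicKey(block.Bytes)
    if err != nil {
        log.Fatal(err)
    }
    fmt.Printf("%s\n", reflect.TypeOf(parsedKey))
    // Go cases do not fall through, so the accepted types share one case.
    switch convertedKey := parsedKey.(type) {
    case *ecdsa.PublicKey, ed25519.PublicKey, *rsa.PublicKey:
        fmt.Println("correct")
    default:
        fmt.Printf("unsupported public key type %+v\n", convertedKey)
    }
}

*rsa.PublicKey
correct

EdSchouten commented 1 year ago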

Support for RSA keys was only added relatively recently: 6458687f9de7251b0373c7e0858850007bb26fc2. Are you sure you're running a version of Buildbarn that is recent enough to include support for this?

pkar commented 1 year ago

That was it, thank you. I had 20230208T220714Z-fd356c8 and updating to 20230225T170654Z-99b5ad0 works as intended.

EdSchouten commented 1 year ago

Note that we recently moved away from Docker Hub. Newer images are stored on GitHub itself:

https://github.com/buildbarn/bb-storage/pkgs/container/bb-storage

So it is possible to use a version that is newer than February 25th.
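
The situation in this thread, a key that parses locally while the running build rejects its type, can be checked before deployment. The following is an added Go example, not part of the thread and not bb-storage's code: `preflight` and `sampleRSAPEM` are hypothetical names, the `supported` list is the caller's assumption about what the target build accepts, and the 2048-bit key is generated on the spot as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"slices"
)

// preflight (hypothetical helper) parses a PEM "PUBLIC KEY" block and checks its
// family against supported, the caller's assumption about what the build accepts.
func preflight(pemText []byte, supported ...string) (string, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("no PKIX \"PUBLIC KEY\" PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("key does not parse: %w", err)
	}
	family, detail := fmt.Sprintf("%T", key), "unrecognised type"
	switch k := key.(type) {
	case *rsa.PublicKey:
		family, detail = "RSA", fmt.Sprintf("%d-bit", k.N.BitLen())
	case *ecdsa.PublicKey:
		family, detail = "ECDSA", k.Curve.Params().Name
	case ed25519.PublicKey:
		family, detail = "Ed25519", "256-bit"
	}
	if !slices.Contains(supported, family) {
		return family, fmt.Errorf("%s (%s) key parses, but only %v are accepted", family, detail, supported)
	}
	return family, nil
}

// sampleRSAPEM returns a freshly generated, constructed RSA public key as PEM.
func sampleRSAPEM() []byte {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	fmt.Println(preflight(sampleRSAPEM(), "ECDSA", "Ed25519"))
	fmt.Println(preflight(sampleRSAPEM(), "ECDSA", "Ed25519", "RSA"))
}
```

The first call models a build without RSA support and returns an error that names the key family; the second passes. A PEM block of any other type, such as a private key pasted by mistake, is rejected before parsing.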