Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Translate access token instead of id token to gRPC backend in Flyte Admin HTTP middleware #5979

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 14 additions & 5 deletions flyteadmin/auth/handlers.go
Original file line number Diff line number Diff line change
Expand Up @@ -353,8 +353,8 @@
func GetHTTPRequestCookieToMetadataHandler(authCtx interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator {
return func(ctx context.Context, request *http.Request) metadata.MD {
// TODO: Improve error handling
idToken, _, _, _ := authCtx.CookieManager().RetrieveTokenValues(ctx, request)
if len(idToken) == 0 {
idToken, accessToken, _, _ := authCtx.CookieManager().RetrieveTokenValues(ctx, request)
if len(idToken) == 0 && len(accessToken) == 0 {
// If no token was found in the cookies, look for an authorization header, starting with a potentially
// custom header set in the Config object
if len(authCtx.Options().HTTPAuthorizationHeader) > 0 {
Expand All @@ -372,9 +372,18 @@
return nil
}

// IDtoken is injected into grpc authorization metadata
meta := metadata.MD{
DefaultAuthorizationHeader: []string{fmt.Sprintf("%s %s", IDTokenScheme, idToken)},
var meta metadata.MD

if len(accessToken) > 0 {
// Access token is injected into grpc authorization metadata
meta = metadata.MD{
DefaultAuthorizationHeader: []string{fmt.Sprintf("%s %s", BearerScheme, accessToken)},
}
} else {
// IDtoken is injected into grpc authorization metadata
meta = metadata.MD{
DefaultAuthorizationHeader: []string{fmt.Sprintf("%s %s", IDTokenScheme, idToken)},
}

Check warning on line 386 in flyteadmin/auth/handlers.go

View check run for this annotation

Codecov / codecov/patch

flyteadmin/auth/handlers.go#L383-L386

Added lines #L383 - L386 were not covered by tests
}

userInfo, err := authCtx.CookieManager().RetrieveUserInfo(ctx, request)
Expand Down
22 changes: 13 additions & 9 deletions flyteadmin/auth/handlers_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -396,22 +396,26 @@ func TestGetHTTPRequestCookieToMetadataHandler(t *testing.T) {
mockAuthCtx.OnCookieManager().Return(&cookieManager)
mockAuthCtx.OnOptions().Return(&config.Config{})
handler := GetHTTPRequestCookieToMetadataHandler(&mockAuthCtx)
req, err := http.NewRequest("GET", "/api/v1/projects", nil)
assert.NoError(t, err)

accessTokenCookie, err := NewSecureCookie(accessTokenCookieNameSplitFirst, "a.b.c", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
accessTokenCookie1, err := NewSecureCookie(accessTokenCookieNameSplitFirst, "a.b.c", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
assert.NoError(t, err)
req.AddCookie(&accessTokenCookie)

accessTokenCookieSplit, err := NewSecureCookie(accessTokenCookieNameSplitSecond, ".d.e.f", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
accessTokenCookie2, err := NewSecureCookie(accessTokenCookieNameSplitSecond, ".d.e.f", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
assert.NoError(t, err)
req.AddCookie(&accessTokenCookieSplit)

idCookie, err := NewSecureCookie(idTokenCookieName, "a.b.c.d.e.f", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
idCookie, err := NewSecureCookie(idTokenCookieName, "x.y.z", cookieManager.hashKey, cookieManager.blockKey, "localhost", http.SameSiteDefaultMode)
assert.NoError(t, err)
req.AddCookie(&idCookie)

assert.Equal(t, "IDToken a.b.c.d.e.f", handler(ctx, req)["authorization"][0])
t.Run("access token and ID token cookies present", func(t *testing.T) {
req, err := http.NewRequest("GET", "/api/v1/projects", nil)
assert.NoError(t, err)

req.AddCookie(&accessTokenCookie1)
req.AddCookie(&accessTokenCookie2)
req.AddCookie(&idCookie)

assert.Equal(t, "Bearer a.b.c.d.e.f", handler(ctx, req)["authorization"][0])
})
}

func TestGetHTTPMetadataTaggingHandler(t *testing.T) {
Expand Down
Loading