Skip to content

Commit 580e58b

Browse files
committed
fix(gateway): gate unsafe auth deployment modes
Require explicit opt-in for OIDC authentication-only mode on shared gateway deployments and fail closed when gRPC user requests have no auth path. Align Helm validation, tests, and docs so weak auth modes are intentional and visible. Signed-off-by: Adrien Langou <alangou@nvidia.com>
1 parent 7bce122 commit 580e58b

17 files changed

Lines changed: 271 additions & 30 deletions

File tree

architecture/gateway.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,11 @@ gateway maps the verified certificate subject to a user principal. Kubernetes
2929
deployments use mTLS for transport only and require OIDC or a trusted access
3030
proxy for user authentication unless the explicit unsafe local-development
3131
`allow_unauthenticated_users` switch is enabled.
32+
OIDC deployments normally enforce RBAC roles for user and admin APIs. Shared
33+
gateways reject OIDC authentication-only mode unless
34+
`allow_oidc_auth_only` is set explicitly, and authenticated gRPC methods fail
35+
closed when no user, sandbox, mTLS, or explicit local-dev principal can be
36+
derived.
3237
When that service port is bound to loopback, the listener can also accept
3338
plaintext HTTP on the same port for sandbox service subdomains only. That local
3439
browser path is enabled by default and disabled with

crates/openshell-core/src/config.rs

Lines changed: 132 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -521,6 +521,12 @@ pub struct GatewayAuthConfig {
521521
/// gateway-minted sandbox JWTs.
522522
#[serde(default)]
523523
pub allow_unauthenticated_users: bool,
524+
525+
/// When true, an OIDC issuer may authenticate users without requiring
526+
/// configured RBAC roles. In that mode any valid token from the issuer can
527+
/// call user and admin APIs, so shared deployments must opt in explicitly.
528+
#[serde(default)]
529+
pub allow_oidc_auth_only: bool,
524530
}
525531

526532
const fn default_jwks_ttl_secs() -> u64 {
@@ -727,6 +733,66 @@ impl Config {
727733
self.service_routing.enable_loopback_service_http = enabled;
728734
self
729735
}
736+
737+
/// Validate auth settings that depend on the deployment posture.
738+
///
739+
/// Local loopback gateways can rely on developer-oriented auth shortcuts,
740+
/// but Kubernetes and externally-bound gateways must fail closed unless
741+
/// the operator chose an explicit weak mode.
742+
pub fn validate_gateway_auth_posture(&self) -> Result<(), String> {
743+
let shared = self.is_shared_gateway_deployment();
744+
745+
if let Some(oidc) = &self.oidc {
746+
let admin_set = !oidc.admin_role.is_empty();
747+
let user_set = !oidc.user_role.is_empty();
748+
749+
if admin_set != user_set {
750+
return Err(format!(
751+
"OIDC RBAC misconfiguration: admin_role={:?}, user_role={:?}. \
752+
Either set both roles (RBAC mode) or leave both empty (authentication-only mode).",
753+
oidc.admin_role, oidc.user_role,
754+
));
755+
}
756+
757+
if shared && !admin_set && !self.auth.allow_oidc_auth_only {
758+
return Err(
759+
"OIDC authentication-only mode is disabled for shared gateway deployments; \
760+
configure admin_role and user_role for RBAC, or set \
761+
auth.allow_oidc_auth_only=true to explicitly accept that any valid issuer token is authorized"
762+
.to_string(),
763+
);
764+
}
765+
}
766+
767+
let has_authenticator = self.oidc.is_some() || self.gateway_jwt.is_some();
768+
if shared
769+
&& !has_authenticator
770+
&& !self.mtls_auth.enabled
771+
&& !self.auth.allow_unauthenticated_users
772+
{
773+
return Err(
774+
"shared gateway deployments require an explicit auth path; configure OIDC, \
775+
mTLS user auth, gateway_jwt sandbox auth, or set auth.allow_unauthenticated_users=true \
776+
only behind a trusted local-dev/fronting-proxy boundary"
777+
.to_string(),
778+
);
779+
}
780+
781+
Ok(())
782+
}
783+
784+
/// Whether this gateway serves a shared or remotely reachable gRPC API.
785+
#[must_use]
786+
pub fn is_shared_gateway_deployment(&self) -> bool {
787+
self.compute_drivers
788+
.iter()
789+
.any(|driver| driver == ComputeDriverKind::Kubernetes.as_str())
790+
|| !self.bind_address.ip().is_loopback()
791+
|| self
792+
.extra_bind_addresses
793+
.iter()
794+
.any(|addr| !addr.ip().is_loopback())
795+
}
730796
}
731797

732798
impl Default for ServiceRoutingConfig {
@@ -811,8 +877,8 @@ mod tests {
811877
#[cfg(unix)]
812878
use super::is_reachable_unix_socket;
813879
use super::{
814-
ComputeDriverKind, Config, DEFAULT_SERVICE_ROUTING_DOMAIN, GatewayJwtConfig, detect_driver,
815-
docker_host_unix_socket_path, is_unix_socket, normalize_compute_driver_name,
880+
ComputeDriverKind, Config, DEFAULT_SERVICE_ROUTING_DOMAIN, GatewayJwtConfig, OidcConfig,
881+
detect_driver, docker_host_unix_socket_path, is_unix_socket, normalize_compute_driver_name,
816882
podman_socket_candidates_from_env, podman_socket_responds,
817883
};
818884
#[cfg(unix)]
@@ -879,6 +945,70 @@ mod tests {
879945
assert!(!cfg.auth.allow_unauthenticated_users);
880946
}
881947

948+
fn oidc_config(admin_role: &str, user_role: &str) -> OidcConfig {
949+
OidcConfig {
950+
issuer: "https://issuer.example.com".to_string(),
951+
audience: "openshell-cli".to_string(),
952+
jwks_ttl_secs: 3600,
953+
roles_claim: "realm_access.roles".to_string(),
954+
admin_role: admin_role.to_string(),
955+
user_role: user_role.to_string(),
956+
scopes_claim: String::new(),
957+
}
958+
}
959+
960+
#[test]
961+
fn gateway_auth_posture_allows_loopback_oidc_auth_only_without_override() {
962+
let cfg = Config::new(None).with_oidc(oidc_config("", ""));
963+
964+
assert!(cfg.validate_gateway_auth_posture().is_ok());
965+
}
966+
967+
#[test]
968+
fn gateway_auth_posture_rejects_shared_oidc_auth_only_without_override() {
969+
let cfg = Config::new(None)
970+
.with_compute_drivers([ComputeDriverKind::Kubernetes])
971+
.with_oidc(oidc_config("", ""));
972+
973+
let err = cfg.validate_gateway_auth_posture().unwrap_err();
974+
assert!(err.contains("OIDC authentication-only mode"));
975+
}
976+
977+
#[test]
978+
fn gateway_auth_posture_allows_shared_oidc_auth_only_with_override() {
979+
let mut cfg = Config::new(None)
980+
.with_compute_drivers([ComputeDriverKind::Kubernetes])
981+
.with_oidc(oidc_config("", ""));
982+
cfg.auth.allow_oidc_auth_only = true;
983+
984+
assert!(cfg.validate_gateway_auth_posture().is_ok());
985+
}
986+
987+
#[test]
988+
fn gateway_auth_posture_allows_shared_oidc_rbac() {
989+
let cfg = Config::new(None)
990+
.with_compute_drivers([ComputeDriverKind::Kubernetes])
991+
.with_oidc(oidc_config("openshell-admin", "openshell-user"));
992+
993+
assert!(cfg.validate_gateway_auth_posture().is_ok());
994+
}
995+
996+
#[test]
997+
fn gateway_auth_posture_rejects_partial_oidc_roles() {
998+
let cfg = Config::new(None).with_oidc(oidc_config("openshell-admin", ""));
999+
1000+
let err = cfg.validate_gateway_auth_posture().unwrap_err();
1001+
assert!(err.contains("OIDC RBAC misconfiguration"));
1002+
}
1003+
1004+
#[test]
1005+
fn gateway_auth_posture_rejects_shared_gateway_without_auth_path() {
1006+
let cfg = Config::new(None).with_compute_drivers([ComputeDriverKind::Kubernetes]);
1007+
1008+
let err = cfg.validate_gateway_auth_posture().unwrap_err();
1009+
assert!(err.contains("require an explicit auth path"));
1010+
}
1011+
8821012
#[test]
8831013
fn gateway_jwt_ttl_defaults_to_non_expiring() {
8841014
let cfg: GatewayJwtConfig = serde_json::from_value(serde_json::json!({

crates/openshell-server/src/cli.rs

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -457,8 +457,7 @@ async fn run_from_args(mut args: RunArgs, matches: ArgMatches) -> Result<()> {
457457
&& config.gateway_jwt.is_none()
458458
{
459459
warn!(
460-
"Neither mTLS user auth nor OIDC nor sandbox JWT auth is configured — \
461-
the gateway has no authentication mechanism"
460+
"No gateway authentication path is configured; non-loopback or shared deployments will fail startup"
462461
);
463462
}
464463

crates/openshell-server/src/config_file.rs

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -393,11 +393,13 @@ grpc_endpoint = "https://openshell-gateway.agents.svc:8080"
393393
let toml = r"
394394
[openshell.gateway.auth]
395395
allow_unauthenticated_users = true
396+
allow_oidc_auth_only = true
396397
";
397398
let tmp = write_tmp(toml);
398399
let file = load(tmp.path()).expect("valid auth config parses");
399400
let auth = file.openshell.gateway.auth.expect("auth config");
400401
assert!(auth.allow_unauthenticated_users);
402+
assert!(auth.allow_oidc_auth_only);
401403
}
402404

403405
#[test]

crates/openshell-server/src/lib.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -216,6 +216,9 @@ pub async fn run_server(
216216
if database_url.is_empty() {
217217
return Err(Error::config("database_url is required"));
218218
}
219+
config
220+
.validate_gateway_auth_posture()
221+
.map_err(Error::config)?;
219222

220223
let store = Arc::new(Store::connect(database_url).await?);
221224

crates/openshell-server/src/multiplex.rs

Lines changed: 23 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -442,9 +442,9 @@ where
442442
/// for local single-user gateways, or to an unsafe local developer user when
443443
/// `auth.allow_unauthenticated_users` is explicitly enabled.
444444
///
445-
/// When neither OIDC nor sandbox credentials are configured (a barebones
446-
/// dev gateway), the chain is left as `None` so the router short-circuits
447-
/// to pass-through unless mTLS or local unauthenticated users are enabled.
445+
/// When neither OIDC nor sandbox credentials are configured, the chain is left
446+
/// as `None`; authenticated methods still fail closed unless mTLS or local
447+
/// unauthenticated users are enabled explicitly.
448448
fn build_authenticator_chain(state: &ServerState) -> Option<AuthenticatorChain> {
449449
let mut authenticators: Vec<Arc<dyn crate::auth::authenticator::Authenticator>> = Vec::new();
450450
if let Some(k8s) = state.k8s_sa_authenticator.clone() {
@@ -469,8 +469,8 @@ fn build_authenticator_chain(state: &ServerState) -> Option<AuthenticatorChain>
469469
/// - Strip any external `x-openshell-auth-source` marker first (so callers
470470
/// cannot spoof a sandbox identity).
471471
/// - Health probes / reflection bypass the chain entirely.
472-
/// - When no chain is configured (OIDC not configured), forward without
473-
/// authentication — preserves today's pass-through behavior.
472+
/// - When no chain is configured, authenticated methods fail closed unless
473+
/// mTLS user auth or the explicit local unauthenticated user mode applies.
474474
/// - Otherwise, run the chain. The first match produces a `Principal`.
475475
/// `Principal::User` is gated by the RBAC `AuthzPolicy`.
476476
/// `Principal::Sandbox` is gated by a supervisor-method allowlist, then
@@ -588,9 +588,9 @@ where
588588
} else if allow_unauthenticated_users {
589589
unauthenticated_dev_user_principal()
590590
} else {
591-
// No auth configured — pass through for dev /
592-
// fronting-proxy deployments.
593-
return inner.ready().await?.call(req).await;
591+
return Ok(status_response(tonic::Status::unauthenticated(
592+
"gateway authentication is not configured",
593+
)));
594594
};
595595

596596
match principal {
@@ -1547,6 +1547,21 @@ mod tests {
15471547
));
15481548
}
15491549

1550+
#[tokio::test]
1551+
async fn missing_chain_without_explicit_auth_fails_closed() {
1552+
let (recorder, seen) = PrincipalRecorder::new();
1553+
let mut router =
1554+
AuthGrpcRouter::with_peer_identity(recorder, None, None, None, false, false);
1555+
1556+
let res = router
1557+
.call(empty_request("/openshell.v1.OpenShell/ListSandboxes"))
1558+
.await
1559+
.unwrap();
1560+
1561+
assert!(seen.lock().unwrap().is_none());
1562+
assert_eq!(grpc_status(&res).as_deref(), Some("16"));
1563+
}
1564+
15501565
#[tokio::test]
15511566
async fn user_principal_lands_in_request_extensions() {
15521567
let mock = Arc::new(MockAuthenticator::returning(Ok(Some(user_principal(

deploy/helm/openshell/README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -191,6 +191,7 @@ add `ci/values-spire.yaml` to the OpenShell release values files.
191191
| securityContext.runAsNonRoot | bool | `true` | Require the gateway container to run as a non-root user. |
192192
| securityContext.runAsUser | int | `1000` | UID assigned to the gateway container. |
193193
| server.appArmorProfile | string | `"Unconfined"` | Kubernetes AppArmor profile requested for sandbox agent containers. Default Unconfined avoids runtime/default AppArmor blocking the supervisor's network namespace mount setup on AppArmor-enabled nodes. Set to "" to omit the field, "RuntimeDefault" to force the runtime default profile, or "Localhost/profile-name" for an operator-managed localhost profile. |
194+
| server.auth.allowOidcAuthOnly | bool | `false` | UNSAFE: allow OIDC authentication-only mode when adminRole and userRole are both empty. In this mode any valid token from the issuer can call user and admin APIs. Leave false for shared or production clusters. |
194195
| server.auth.allowUnauthenticatedUsers | bool | `false` | UNSAFE: accept unauthenticated CLI/user requests as a local developer principal. Intended only for trusted local Skaffold/k3d development or a fully trusted fronting proxy. Leave false for shared or production clusters. |
195196
| server.dbUrl | string | `"sqlite:/var/openshell/openshell.db"` | Gateway database URL (used for the default SQLite backend). |
196197
| server.defaultRuntimeClassName | string | `""` | Default Kubernetes runtimeClassName for sandbox pods. Applied when a CreateSandbox request does not specify one. Empty (default) = omit the field, using the cluster's default RuntimeClass. Set to a RuntimeClass name (e.g. "kata-containers", "nvidia") to apply it to all sandboxes that don't explicitly override it. |
@@ -203,14 +204,14 @@ add `ci/values-spire.yaml` to the OpenShell release values files.
203204
| server.grpcRateLimit.windowSeconds | int | `0` | gRPC rate-limit window length in seconds. Must be positive (alongside requests) to enable rate limiting; 0 (default) disables it. |
204205
| server.hostGatewayIP | string | `""` | Host gateway IP for sandbox pod hostAliases. When set, sandbox pods get hostAliases entries mapping host.docker.internal and host.openshell.internal to this IP, allowing them to reach services running on the Docker host. Auto-detected by the cluster entrypoint script. |
205206
| server.logLevel | string | `"info"` | Gateway log level. |
206-
| server.oidc.adminRole | string | `""` | Role name for admin access. Leave empty (with userRole also empty) for authentication-only mode. Both must be set or both empty. |
207+
| server.oidc.adminRole | string | `""` | Role name for admin access. Set with userRole for RBAC mode. Leaving both empty enables authentication-only mode only when server.auth.allowOidcAuthOnly=true. |
207208
| server.oidc.audience | string | `"openshell-cli"` | Expected audience claim for the API resource server. This should match the server's --oidc-audience, NOT the CLI client ID. |
208209
| server.oidc.caConfigMapName | string | `""` | Name of a ConfigMap containing a CA certificate bundle (key: ca.crt) for verifying the OIDC issuer's TLS certificate. Required when the issuer uses a non-public CA (e.g. OpenShift ingress, private PKI). |
209210
| server.oidc.issuer | string | `""` | OIDC issuer URL (e.g. https://keycloak.example.com/realms/openshell). |
210211
| server.oidc.jwksTtl | int | `3600` | JWKS key cache TTL in seconds. |
211212
| server.oidc.rolesClaim | string | `""` | Dot-separated path to the roles array in the JWT claims. Keycloak: "realm_access.roles", Entra ID: "roles", Okta: "groups". |
212213
| server.oidc.scopesClaim | string | `""` | Dot-separated path to the scopes array in the JWT claims. |
213-
| server.oidc.userRole | string | `""` | Role name for standard user access. |
214+
| server.oidc.userRole | string | `""` | Role name for standard user access. Set with adminRole for RBAC mode. |
214215
| server.providerTokenGrants.spiffe.enabled | bool | `false` | Mount the SPIFFE Workload API socket into sandbox pods for dynamic provider token grants. |
215216
| server.providerTokenGrants.spiffe.workloadApiSocketPath | string | `"/spiffe-workload-api/spire-agent.sock"` | Path to the SPIFFE Workload API socket mounted into sandbox pods. |
216217
| server.sandboxImage | string | `"ghcr.io/nvidia/openshell-community/sandboxes/base:latest"` | Default sandbox image used when requests do not specify one. |

deploy/helm/openshell/ci/values-keycloak.yaml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@ server:
3131
jwksTtl: 60
3232
# Keycloak puts realm roles at realm_access.roles in the JWT.
3333
rolesClaim: "realm_access.roles"
34-
# Leave both empty for authentication-only mode (any valid token is accepted).
34+
# RBAC mode: both roles must be set. Leave both empty only with
35+
# server.auth.allowOidcAuthOnly=true for authentication-only mode.
3536
adminRole: "openshell-admin"
3637
userRole: "openshell-user"

deploy/helm/openshell/templates/_helpers.tpl

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -163,9 +163,20 @@ Validate chart values that Helm would otherwise accept silently.
163163
{{- $workloadKind := include "openshell.workloadKind" . -}}
164164
{{- $workload := .Values.workload | default dict -}}
165165
{{- $replicaCount := int (default 1 .Values.replicaCount) -}}
166+
{{- $oidcIssuer := default "" .Values.server.oidc.issuer -}}
167+
{{- $oidcAdminRole := default "" .Values.server.oidc.adminRole -}}
168+
{{- $oidcUserRole := default "" .Values.server.oidc.userRole -}}
169+
{{- $oidcAdminRoleSet := ne $oidcAdminRole "" -}}
170+
{{- $oidcUserRoleSet := ne $oidcUserRole "" -}}
166171
{{- if and (hasKey .Values "postgres") (kindIs "map" .Values.postgres) (hasKey .Values.postgres "enabled") -}}
167172
{{- fail "postgres.enabled was removed; the OpenShell chart no longer deploys PostgreSQL. Provision PostgreSQL separately and set server.externalDbSecret to a Secret containing a PostgreSQL URI." -}}
168173
{{- end -}}
174+
{{- if and $oidcIssuer (ne $oidcAdminRoleSet $oidcUserRoleSet) -}}
175+
{{- fail "server.oidc.adminRole and server.oidc.userRole must either both be set for OIDC RBAC or both be empty for authentication-only mode." -}}
176+
{{- end -}}
177+
{{- if and $oidcIssuer (not $oidcAdminRoleSet) (not .Values.server.auth.allowOidcAuthOnly) -}}
178+
{{- fail "OIDC authentication-only mode authorizes any valid issuer token. Set server.oidc.adminRole and server.oidc.userRole for RBAC, or set server.auth.allowOidcAuthOnly=true to opt in explicitly." -}}
179+
{{- end -}}
169180
{{- if not (or (eq $workloadKind "statefulset") (eq $workloadKind "deployment")) -}}
170181
{{- fail "workload.kind must be one of: statefulset, deployment." -}}
171182
{{- end -}}

deploy/helm/openshell/templates/gateway-config.yaml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -76,11 +76,16 @@ data:
7676
client_ca_path = "/etc/openshell-tls/client-ca/ca.crt"
7777
{{- end }}
7878
79-
{{- if .Values.server.auth.allowUnauthenticatedUsers }}
79+
{{- if or .Values.server.auth.allowUnauthenticatedUsers .Values.server.auth.allowOidcAuthOnly }}
8080
8181
[openshell.gateway.auth]
82+
{{- if .Values.server.auth.allowUnauthenticatedUsers }}
8283
allow_unauthenticated_users = true
8384
{{- end }}
85+
{{- if .Values.server.auth.allowOidcAuthOnly }}
86+
allow_oidc_auth_only = true
87+
{{- end }}
88+
{{- end }}
8489
8590
[openshell.gateway.gateway_jwt]
8691
signing_key_path = "/etc/openshell-jwt/signing.pem"
@@ -98,10 +103,10 @@ data:
98103
{{- if .Values.server.oidc.rolesClaim }}
99104
roles_claim = {{ .Values.server.oidc.rolesClaim | quote }}
100105
{{- end }}
101-
{{- if .Values.server.oidc.adminRole }}
106+
{{- if or .Values.server.oidc.adminRole .Values.server.auth.allowOidcAuthOnly }}
102107
admin_role = {{ .Values.server.oidc.adminRole | quote }}
103108
{{- end }}
104-
{{- if .Values.server.oidc.userRole }}
109+
{{- if or .Values.server.oidc.userRole .Values.server.auth.allowOidcAuthOnly }}
105110
user_role = {{ .Values.server.oidc.userRole | quote }}
106111
{{- end }}
107112
{{- if .Values.server.oidc.scopesClaim }}

0 commit comments

Comments
 (0)