feat(listener): Parse Runtime ID from Request Header (#664)

* feat(listener): Parse Runtime ID from Request Header

* chore: Fix Lint

* fix: Adjust Other Unit Test to Contain XFCC Header

* fix: Lint

Author: LeelaChacha

listener/pkg/v2/certificate/parse_certificate.go

@@ -0,0 +1,84 @@
+package certificate
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+const (
+	XFCCHeader     = "X-Forwarded-Client-Cert"
+	CertificateKey = "Cert="
+	Limit32KiB     = 32 * 1024
+)
+
+var (
+	ErrPemDecode          = errors.New("failed to decode PEM block")
+	ErrEmptyCert          = errors.New("empty certificate")
+	ErrHeaderValueTooLong = errors.New(XFCCHeader + " header value too long (over 32KiB)")
+	ErrHeaderMissing      = fmt.Errorf("request does not contain '%s' header", XFCCHeader)
+)
+
+// GetCertificateFromHeader extracts the XFCC header and pareses it into a valid x509 certificate.
+func GetCertificateFromHeader(r *http.Request) (*x509.Certificate, error) {
+	// Fetch XFCC-Header data
+	xfccValues, ok := r.Header[XFCCHeader]
+	if !ok {
+		return nil, ErrHeaderMissing
+	}
+
+	xfccVal := xfccValues[0]
+
+	// Limit the length of the data (prevent resource exhaustion attack)
+	if len(xfccVal) > Limit32KiB {
+		return nil, ErrHeaderValueTooLong
+	}
+
+	// Extract raw certificate from the first header value
+	cert := getCertTokenFromXFCCHeader(xfccVal)
+	if cert == "" {
+		return nil, ErrEmptyCert
+	}
+
+	// Decode URL-format
+	decodedValue, err := url.QueryUnescape(cert)
+	if err != nil {
+		return nil, fmt.Errorf("could not decode certificate URL format: %w", err)
+	}
+	decodedValue = strings.Trim(decodedValue, "\"")
+
+	// Decode PEM block and parse certificate
+	block, _ := pem.Decode([]byte(decodedValue))
+	if block == nil {
+		return nil, ErrPemDecode
+	}
+	certificate, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse PEM block into x509 certificate: %w", err)
+	}
+
+	return certificate, nil
+}
+
+// getCertTokenFromXFCCHeader returns the first certificate embedded in the XFFC Header,
+// if exists. Otherwise an empty string is returned.
+func getCertTokenFromXFCCHeader(hVal string) string {
+	certStartIdx := strings.Index(hVal, CertificateKey)
+	if certStartIdx >= 0 {
+		tokenWithCert := hVal[(certStartIdx + len(CertificateKey)):]
+		// we shouldn't have "," here but it's safer to add it anyway
+		certEndIdx := strings.IndexAny(tokenWithCert, ";,")
+		if certEndIdx == -1 {
+			// no suffix, the entire token is the cert value
+			return tokenWithCert
+		}
+
+		// there's some data after the cert value, return just the cert part
+		return tokenWithCert[:certEndIdx]
+	}
+	return ""
+}

listener/pkg/v2/certificate/parse_certificate_test.go

@@ -0,0 +1,101 @@
+package certificate_test
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/certificate"
+	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/certificate/utils"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetCertificateFromHeader_Success(t *testing.T) {
+	pemCert, err := utils.NewPemCertificateBuilder().Build()
+	require.NoError(t, err)
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, certificate.CertificateKey+pemCert)
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.NoError(t, err)
+	require.NotNil(t, cert)
+}
+
+func TestGetCertificateFromHeader_MissingHeader(t *testing.T) {
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Equal(t, certificate.ErrHeaderMissing, err)
+}
+
+func TestGetCertificateFromHeader_TooLong(t *testing.T) {
+	longValue := make([]byte, certificate.Limit32KiB+1)
+	for i := range longValue {
+		longValue[i] = 'A'
+	}
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, certificate.CertificateKey+string(longValue))
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Equal(t, certificate.ErrHeaderValueTooLong, err)
+}
+
+func TestGetCertificateFromHeader_EmptyCert(t *testing.T) {
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, "Cert=;Other=foo")
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Equal(t, certificate.ErrEmptyCert, err)
+}
+
+func TestGetCertificateFromHeader_NoCertToken(t *testing.T) {
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, "Other=foo;Stuff=bar")
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Equal(t, certificate.ErrEmptyCert, err)
+}
+
+func TestGetCertificateFromHeader_InvalidURLFormat(t *testing.T) {
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, "Cert=%ZZ;Other=foo")
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Contains(t, err.Error(), "could not decode certificate URL format")
+}
+
+func TestGetCertificateFromHeader_PEMDecodeError(t *testing.T) {
+	invalid := url.QueryEscape("not a pem block")
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, certificate.CertificateKey+invalid)
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Equal(t, certificate.ErrPemDecode, err)
+}
+
+func TestGetCertificateFromHeader_CertificateParseError(t *testing.T) {
+	pemInvalid := "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"
+	escaped := url.QueryEscape(pemInvalid)
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header.Set(certificate.XFCCHeader, certificate.CertificateKey+escaped)
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.Error(t, err)
+	require.Nil(t, cert)
+	require.Contains(t, err.Error(), "failed to parse PEM block into x509 certificate")
+}
+
+func TestGetCertificateFromHeader_MultipleValuesFirstHasCert(t *testing.T) {
+	pemCert, err := utils.NewPemCertificateBuilder().Build()
+	require.NoError(t, err)
+	r, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://localhost", nil)
+	r.Header[certificate.XFCCHeader] = []string{certificate.CertificateKey + pemCert + ";Other=foo", "Cert=ignored"}
+	cert, err := certificate.GetCertificateFromHeader(r)
+	require.NoError(t, err)
+	require.NotNil(t, cert)
+}

listener/pkg/v2/certificate/utils/test_utils.go

@@ -0,0 +1,60 @@
+package utils
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net/url"
+	"time"
+)
+
+type CertificateBuilder struct {
+	commonName   string
+	serialNumber *big.Int
+	notBefore    time.Time
+	notAfter     time.Time
+	dnsNames     []string
+}
+
+func NewPemCertificateBuilder() *CertificateBuilder {
+	return &CertificateBuilder{
+		commonName:   "test-cert",
+		serialNumber: big.NewInt(1),
+		notBefore:    time.Now().Add(-time.Hour),
+		notAfter:     time.Now().Add(time.Hour),
+		dnsNames:     []string{"example.com"},
+	}
+}
+
+func (builder *CertificateBuilder) WithCommonName(commonName string) *CertificateBuilder {
+	builder.commonName = commonName
+	return builder
+}
+
+func (builder *CertificateBuilder) Build() (string, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return "", fmt.Errorf("unable to generate ecdsa key: %w", err)
+	}
+	tmpl := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: builder.commonName,
+		},
+		SerialNumber:          builder.serialNumber,
+		NotBefore:             builder.notBefore,
+		NotAfter:              builder.notAfter,
+		DNSNames:              builder.dnsNames,
+		BasicConstraintsValid: true,
+	}
+	certBytes, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		return "", fmt.Errorf("unable to create certificate: %w", err)
+	}
+	block := &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}
+	return url.QueryEscape(string(pem.EncodeToMemory(block))), nil
+}

listener/pkg/v2/event/http_test.go

@@ -12,7 +12,10 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/go-logr/zapr"
+	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/certificate"
+	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/certificate/utils"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,7 +38,11 @@ func setupLogger() logr.Logger {
 	return zapr.NewLogger(zapLog)
 }
 
-func newListenerRequest(t *testing.T, method, url string, watcherEvent *types.WatchEvent) *http.Request {
+func newListenerRequest(t *testing.T,
+	method, url string,
+	watcherEvent *types.WatchEvent,
+	encodedCertificate string,
+) *http.Request {
 	t.Helper()
 
 	var body io.Reader
@@ -47,11 +54,13 @@ func newListenerRequest(t *testing.T, method, url string, watcherEvent *types.Wa
 		body = bytes.NewBuffer(jsonBody)
 	}
 
-	r, err := http.NewRequestWithContext(t.Context(), method, url, body)
+	httpRequest, err := http.NewRequestWithContext(t.Context(), method, url, body)
+	httpRequest.Header.Set(certificate.XFCCHeader, certificate.CertificateKey+encodedCertificate)
+
 	if err != nil {
 		t.Fatal(err)
 	}
-	return r
+	return httpRequest
 }
 
 type GenericTestEvt struct {
@@ -76,8 +85,12 @@ func TestHandler(t *testing.T) {
 		Owner:      types.ObjectKey{Name: "kyma", Namespace: v1.NamespaceDefault},
 		Watched:    types.ObjectKey{Name: "watched-resource", Namespace: v1.NamespaceDefault},
 		WatchedGvk: v1.GroupVersionKind{Kind: "kyma", Group: "operator.kyma-project.io", Version: "v1alpha1"},
+		SkrMeta:    types.SkrMeta{RuntimeId: "test-cert"},
 	}
-	httpRequest := newListenerRequest(t, http.MethodPost, "http://localhost:8082/v1/kyma/event", testWatcherEvt)
+	pemCert, err := utils.NewPemCertificateBuilder().Build()
+	require.NoError(t, err)
+	httpRequest := newListenerRequest(t, http.MethodPost, "http://localhost:8082/v1/kyma/event", testWatcherEvt,
+		pemCert)
 	testEvt := GenericTestEvt{}
 	go func() {
 		testEvt.mu.Lock()

listener/pkg/v2/event/watcher_event.go

@@ -10,11 +10,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
+	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/certificate"
 	"github.com/kyma-project/runtime-watcher/listener/pkg/v2/types"
 )
 
 const (
-	contentMapCapacity = 3
+	contentMapCapacity = 4
 )
 
 type UnmarshalError struct {
@@ -44,13 +45,43 @@ func UnmarshalSKREvent(req *http.Request) (*types.WatchEvent, *UnmarshalError) {
 	watcherEvent := &types.WatchEvent{}
 	err = json.Unmarshal(body, watcherEvent)
 	if err != nil {
-		return nil, &UnmarshalError{fmt.Sprintf("could not unmarshal watcher event: Body{%s}",
-			string(body)), http.StatusInternalServerError}
+		return nil, &UnmarshalError{
+			fmt.Sprintf("could not unmarshal watcher event: Body{%s}",
+				string(body)), http.StatusInternalServerError,
+		}
 	}
 
+	skrMetaFromRequest, unmarshalError := getSkrMetaFromRequest(req)
+	if unmarshalError != nil {
+		return nil, unmarshalError
+	}
+	watcherEvent.SkrMeta = skrMetaFromRequest
+
 	return watcherEvent, nil
 }
 
+func getSkrMetaFromRequest(req *http.Request) (types.SkrMeta, *UnmarshalError) {
+	clientCertificate, err := certificate.GetCertificateFromHeader(req)
+	if err != nil {
+		return types.SkrMeta{}, &UnmarshalError{
+			fmt.Sprintf("could not get client certificate from request: %v", err),
+			http.StatusUnauthorized,
+		}
+	}
+
+	if clientCertificate.Subject.CommonName == "" {
+		return types.SkrMeta{}, &UnmarshalError{
+			"client certificate common name is empty",
+			http.StatusBadRequest,
+		}
+	}
+
+	return types.SkrMeta{
+		RuntimeId: clientCertificate.Subject.CommonName,
+		SkrDomain: "", // this cannot be reliably extracted from the certificate.DNSNames slice
+	}, nil
+}
+
 func GenericEvent(watcherEvent *types.WatchEvent) *unstructured.Unstructured {
 	genericEvtObject := &unstructured.Unstructured{}
 	content := UnstructuredContent(watcherEvent)
@@ -65,5 +96,6 @@ func UnstructuredContent(watcherEvt *types.WatchEvent) map[string]interface{} {
 	content["owner"] = watcherEvt.Owner
 	content["watched"] = watcherEvt.Watched
 	content["watched-gvk"] = watcherEvt.WatchedGvk
+	content["runtime-id"] = watcherEvt.SkrMeta.RuntimeId
 	return content
 }