Allow to configure the IDP trusted CA from a file

Author: sergicastro

config/gen/go/v1/oidc/config.pb.go

@@ -109,7 +109,8 @@ message OIDCConfig {
     // self-signed certificate for testing purposes, but basically should not be set to
     // true in any other cases.
     // Optional.
-    bool skip_verify_peer_cert = 3;
+    // Deprecated: Use the one from the OIDCConfig instead.
+    bool skip_verify_peer_cert = 3 [deprecated = true];
   }
 
   oneof jwks_config {
@@ -189,9 +190,23 @@ message OIDCConfig {
   uint32 idle_session_timeout = 13;
 
   // When specified, the Authservice will trust the specified Certificate Authority when performing HTTPS calls to
-  // the Token Endpoint of the OIDC Identity Provider.
-  // Optional.
-  string trusted_certificate_authority = 14;
+  // the OIDC Identity Provider.
+  oneof trusted_ca_config {
+    // String PEM-encoded certificate authority to trust when performing HTTPS calls to the OIDC Identity Provider.
+    // Optional.
+    string trusted_certificate_authority = 14;
+
+    // The file path to the PEM-encoded certificate authority to trust when performing HTTPS calls to the OIDC Identity Provider.
+    // Optional.
+    string trusted_certificate_authority_file = 20;
+
+    // If set to true, the verification of the destination certificate will be skipped when
+    // making a request to the Token Endpoint. This option is useful when you want to use a
+    // self-signed certificate for testing purposes, but basically should not be set to true
+    // in any other cases.
+    // Optional.
+    bool skip_verify_peer_cert = 18;
+  }
 
   // The Authservice makes two kinds of direct network connections directly to the OIDC Provider.
   // Both are POST requests to the configured `token_uri` of the OIDC Provider.
@@ -213,10 +228,4 @@ message OIDCConfig {
   // Optional.
   RedisConfig redis_session_store_config = 16;
 
-  // If set to true, the verification of the destination certificate will be skipped when
-  // making a request to the Token Endpoint. This option is useful when you want to use a
-  // self-signed certificate for testing purposes, but basically should not be set to true
-  // in any other cases.
-  // Optional.
-  bool skip_verify_peer_cert = 18;
 }

config/gen/go/v1/oidc/config.pb.validate.go

@@ -9,9 +9,6 @@
         {
           "oidc": {
             "configuration_uri": "https://host.docker.internal:9443/realms/master/.well-known/openid-configuration",
-            "jwks_fetcher": {
-              "skip_verify_peer_cert": true
-            },
             "proxy_uri": "http://idp-proxy:9000",
             "callback_uri": "https://host.docker.internal:8443/callback",
             "client_id": "authservice",
@@ -28,7 +25,7 @@
             "redis_session_store_config": {
               "server_uri": "redis://redis:6379"
             },
-            "skip_verify_peer_cert": true
+            "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt"
           }
         }
       ]

config/v1/oidc/config.proto

@@ -63,6 +63,9 @@ services:
       - type: bind
         source: authz-config.json
         target: /etc/authservice/config.json
+      - type: bind
+        source: certs
+        target: /etc/authservice/certs
     extra_hosts:  # Required when running on Linux
       - "host.docker.internal:host-gateway"
 

e2e/keycloak/authz-config.json

@@ -16,10 +16,7 @@ package authz
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -90,18 +87,10 @@ func NewOIDCHandler(cfg *oidcv1.OIDCConfig, jwks oidc.JWKSProvider,
 
 func getHTTPClient(cfg *oidcv1.OIDCConfig) (*http.Client, error) {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
-	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: cfg.SkipVerifyPeerCert}
 
-	if cfg.GetTrustedCertificateAuthority() != "" {
-		certPool, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, fmt.Errorf("error creating system cert pool: %w", err)
-		}
-		transport.TLSClientConfig.RootCAs = certPool
-
-		if ok := certPool.AppendCertsFromPEM([]byte(cfg.GetTrustedCertificateAuthority())); !ok {
-			return nil, errors.New("could no load trusted certificate authority")
-		}
+	var err error
+	if transport.TLSClientConfig, err = internal.LoadTLSConfig(cfg); err != nil {
+		return nil, err
 	}
 
 	if cfg.ProxyUri != "" {

e2e/keycloak/docker-compose.yaml

@@ -1333,20 +1333,6 @@ func TestLoadWellKnownConfigError(t *testing.T) {
 	require.Error(t, err) // Fail to retrieve the dynamic config since the test server is not running
 }
 
-const smallCAPem = `-----BEGIN CERTIFICATE-----
-MIIB8TCCAZugAwIBAgIJANZ3fvnlU+1IMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQKDAdUZXRyYXRlMRQw
-EgYDVQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MDIx
-NjE1MzExOFoXDTI0MDIxNzE1MzExOFowXjELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-CkNhbGlmb3JuaWExEDAOBgNVBAoMB1RldHJhdGUxFDASBgNVBAsMC0VuZ2luZWVy
-aW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
-17tRxNJNLZVu2ntW/ehw5BneJFV+o7UmpCipv0zBtMtgJw2Z04fYiipaXgwg/sVL
-wnyFgbhd0OgoIEg+ND38iQIDAQABozwwOjASBgNVHRMBAf8ECDAGAQH/AgEBMA4G
-A1UdDwEB/wQEAwIC5DAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEL
-BQADQQAnQuyYJ6FbTuwtduT1ZCDcXMqTKcLb4ex3iaowflGubQuCX41yIprFScN4
-2P5SpEcFlILZiK6vRzyPmuWEQVVr
------END CERTIFICATE-----`
-
 func TestNewOIDCHandler(t *testing.T) {
 
 	tests := []struct {
@@ -1356,8 +1342,6 @@ func TestNewOIDCHandler(t *testing.T) {
 	}{
 		{"empty", &oidcv1.OIDCConfig{}, false},
 		{"proxy uri", &oidcv1.OIDCConfig{ProxyUri: "http://proxy"}, false},
-		{"trusted CA-invalid", &oidcv1.OIDCConfig{TrustedCertificateAuthority: "<ca pem>"}, true},
-		{"trusted CA-valid", &oidcv1.OIDCConfig{TrustedCertificateAuthority: smallCAPem}, false},
 	}
 
 	for _, tt := range tests {

internal/authz/oidc.go

@@ -16,7 +16,6 @@ package oidc
 
 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/http"
@@ -94,37 +93,43 @@ func (j *DefaultJWKSProvider) GracefulStop() {
 // Get the JWKS for the given OIDC configuration
 func (j *DefaultJWKSProvider) Get(ctx context.Context, config *oidcv1.OIDCConfig) (jwk.Set, error) {
 	if config.GetJwksFetcher() != nil {
-		return j.fetchDynamic(ctx, config.GetJwksFetcher())
+		return j.fetchDynamic(ctx, config)
 	}
 	return j.fetchStatic(config.GetJwks())
 }
 
 // fetchDynamic fetches the JWKS from the given URI. If the JWKS URI is already know, the JWKS will be returned from
 // the cache. Otherwise, the JWKS will be fetched from the URI and the cache will be configured to periodically
 // refresh the JWKS.
-func (j *DefaultJWKSProvider) fetchDynamic(ctx context.Context, config *oidcv1.OIDCConfig_JwksFetcherConfig) (jwk.Set, error) {
+func (j *DefaultJWKSProvider) fetchDynamic(ctx context.Context, config *oidcv1.OIDCConfig) (jwk.Set, error) {
 	log := j.log.Context(ctx)
+	jwksConfig := config.GetJwksFetcher()
 
-	if !j.cache.IsRegistered(config.JwksUri) {
+	if !j.cache.IsRegistered(jwksConfig.JwksUri) {
 		transport := http.DefaultTransport.(*http.Transport).Clone()
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: config.SkipVerifyPeerCert}
+
+		var err error
+		if transport.TLSClientConfig, err = internal.LoadTLSConfig(config); err != nil {
+			return nil, fmt.Errorf("error loading TLS config: %w", err)
+		}
+
 		client := &http.Client{Transport: transport}
-		refreshInterval := time.Duration(config.PeriodicFetchIntervalSec) * time.Second
+		refreshInterval := time.Duration(jwksConfig.PeriodicFetchIntervalSec) * time.Second
 		if refreshInterval == 0 {
 			refreshInterval = DefaultFetchInterval
 		}
 
-		log.Info("configuring JWKS auto refresh", "jwks", config.JwksUri, "interval", refreshInterval, "skip_verify", config.SkipVerifyPeerCert)
+		log.Info("configuring JWKS auto refresh", "jwks", jwksConfig.JwksUri, "interval", refreshInterval, "skip_verify", config.GetSkipVerifyPeerCert())
 
-		j.cache.Configure(config.JwksUri,
+		j.cache.Configure(jwksConfig.JwksUri,
 			jwk.WithHTTPClient(client),
 			jwk.WithRefreshInterval(refreshInterval),
 		)
 	}
 
-	log.Debug("fetching JWKS", "jwks", config.JwksUri)
+	log.Debug("fetching JWKS", "jwks", jwksConfig.JwksUri)
 
-	jwks, err := j.cache.Fetch(ctx, config.JwksUri)
+	jwks, err := j.cache.Fetch(ctx, jwksConfig.JwksUri)
 	if err != nil {
 		return nil, fmt.Errorf("%w: %v", ErrJWKSFetch, err)
 	}

internal/authz/oidc_test.go

@@ -185,9 +185,11 @@ func TestDynamicJWKSProvider(t *testing.T) {
 				JwksFetcher: &oidcv1.OIDCConfig_JwksFetcherConfig{
 					JwksUri:                  server.URL,
 					PeriodicFetchIntervalSec: 1,
-					SkipVerifyPeerCert:       true,
 				},
 			},
+			TrustedCaConfig: &oidcv1.OIDCConfig_SkipVerifyPeerCert{
+				SkipVerifyPeerCert: true,
+			},
 		}
 
 		keys, err := cache.Get(context.Background(), config)

internal/oidc/jwks.go

@@ -0,0 +1,76 @@
+// Copyright 2024 Tetrate
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internal
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"os"
+)
+
+// AuthServiceTLSConfig is an interface for the TLS configuration of the AuthService.
+type AuthServiceTLSConfig interface {
+	// GetTrustedCertificateAuthority returns the trusted certificate authority PEM.
+	GetTrustedCertificateAuthority() string
+	// GetTrustedCertificateAuthorityFile returns the path to the trusted certificate authority file.
+	GetTrustedCertificateAuthorityFile() string
+	// GetSkipVerifyPeerCert returns whether to skip verification of the peer certificate.
+	GetSkipVerifyPeerCert() bool
+}
+
+// LoadTLSConfig loads a TLS configuration from the given AuthServiceTLSConfig.
+func LoadTLSConfig(config AuthServiceTLSConfig) (*tls.Config, error) {
+	tlsConfig := &tls.Config{}
+
+	// Load the trusted CA PEM from the config
+	var ca []byte
+	switch {
+
+	case config.GetTrustedCertificateAuthority() != "":
+		ca = []byte(config.GetTrustedCertificateAuthority())
+
+	case config.GetTrustedCertificateAuthorityFile() != "":
+		var err error
+		ca, err = os.ReadFile(config.GetTrustedCertificateAuthorityFile())
+		if err != nil {
+			return nil, fmt.Errorf("error reading trusted CA file: %w", err)
+		}
+
+	case config.GetSkipVerifyPeerCert():
+		tlsConfig.InsecureSkipVerify = true
+
+	default:
+		// No CA or skip verification, return nil TLS config
+		return nil, nil
+	}
+
+	// Add the loaded CA to the TLS config
+	if len(ca) != 0 {
+		certPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("error creating system cert pool: %w", err)
+		}
+
+		if ok := certPool.AppendCertsFromPEM(ca); !ok {
+			return nil, errors.New("could no load trusted certificate authority")
+		}
+
+		tlsConfig.RootCAs = certPool
+	}
+
+	return tlsConfig, nil
+}