Pass authentication spec in auth config

kartverket · Feb 11, 2025 · 28fc206 · 28fc206
1 parent c16c91c
commit 28fc206
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 23 deletions.
diff --git a/api/v1alpha1/digdirator/digdirator.go b/api/v1alpha1/digdirator/digdirator.go
@@ -1,6 +1,7 @@
 package digdirator
 
 import (
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -20,6 +21,7 @@ type DigdiratorClients struct {
 
 type DigdiratorProvider interface {
 	IsEnabled() bool
+	GetAuthSpec() istiotypes.Authentication
 	GetDigdiratorName() DigdiratorName
 	GetProvidedSecretName() *string
 	GetIgnoredPaths() []string

diff --git a/api/v1alpha1/digdirator/idporten.go b/api/v1alpha1/digdirator/idporten.go
@@ -97,6 +97,10 @@ func (i *IDPorten) IsEnabled() bool {
 	return i != nil && i.Enabled && i.Authentication != nil && i.Authentication.Enabled
 }
 
+func (i *IDPorten) GetAuthSpec() istiotypes.Authentication {
+	return *i.Authentication
+}
+
 func (i *IDPorten) GetDigdiratorName() DigdiratorName {
 	return IDPortenName
 }

diff --git a/api/v1alpha1/digdirator/maskinporten.go b/api/v1alpha1/digdirator/maskinporten.go
@@ -35,7 +35,10 @@ const MaskinPortenName = "maskinporten"
 
 func (i *Maskinporten) IsEnabled() bool {
 	return i != nil && i.Enabled && i.Authentication != nil && i.Authentication.Enabled
-
+}
+
+func (i *Maskinporten) GetAuthSpec() istiotypes.Authentication {
+	return *i.Authentication
 }
 
 func (i *Maskinporten) GetDigdiratorName() DigdiratorName {

diff --git a/internal/controllers/application.go b/internal/controllers/application.go
@@ -192,7 +192,7 @@ func (r *ApplicationReconciler) Reconcile(ctx context.Context, req reconcile.Req
 	if err != nil {
 		rLog.Error(err, "cant find identity config map")
 	} //TODO Error state?
-	authConfigs, err := r.GetAuthConfigsForApplication(ctx, application)
+	authConfigs, err := r.getAuthConfigsForApplication(ctx, application)
 	if err != nil {
 		rLog.Error(err, "can't resolve auth config")
 	}
@@ -421,7 +421,7 @@ func validateIngresses(application *skiperatorv1alpha1.Application) error {
 	return nil
 }
 
-func (r *ApplicationReconciler) GetAuthConfigsForApplication(ctx context.Context, application *skiperatorv1alpha1.Application) (*AuthConfigs, error) {
+func (r *ApplicationReconciler) getAuthConfigsForApplication(ctx context.Context, application *skiperatorv1alpha1.Application) (*AuthConfigs, error) {
 	if application == nil {
 		return nil, fmt.Errorf("cannot retrieve AuthConfigs for nil application")
 	}
@@ -457,6 +457,7 @@ func (r *ApplicationReconciler) getAuthConfig(ctx context.Context, application s
 		return nil, fmt.Errorf("failed to get auth config secret for %s: %w", digdiratorProvider.GetDigdiratorName(), err)
 	}
 	return &AuthConfig{
+		Spec:     digdiratorProvider.GetAuthSpec(),
 		NotPaths: digdiratorProvider.GetIgnoredPaths(),
 		ProviderURIs: digdirator.DigdiratorURIs{
 			Name:      digdiratorProvider.GetDigdiratorName(),

diff --git a/pkg/reconciliation/reconciliation.go b/pkg/reconciliation/reconciliation.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	"github.com/kartverket/skiperator/pkg/log"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/rest"
@@ -22,6 +23,7 @@ const (
 type AuthConfigs []AuthConfig
 
 type AuthConfig struct {
+	Spec         istiotypes.Authentication
 	NotPaths     []string
 	ProviderURIs digdirator.DigdiratorURIs
 }

diff --git a/pkg/resourcegenerator/istio/authorizationpolicy/jwt_auth/authorization_policy.go b/pkg/resourcegenerator/istio/authorizationpolicy/jwt_auth/authorization_policy.go
@@ -46,19 +46,19 @@ func Generate(r reconciliation.Reconciliation) error {
 				application.Name,
 				*authConfigs,
 				allowedPaths,
-				[]string{authorizationpolicy.DefaultDenyPath},
+				authorizationpolicy.DefaultDenyPath,
 			),
 		)
 	}
 	ctxLog.Debug("Finished generating JWT-auth AuthorizationPolicy for application", "application", application.Name)
 	return nil
 }
 
-func getJwtValidationAuthPolicy(namespacedName types.NamespacedName, applicationName string, authConfigs []reconciliation.AuthConfig, allowPaths []string, denyPaths []string) *securityv1.AuthorizationPolicy {
+func getJwtValidationAuthPolicy(namespacedName types.NamespacedName, applicationName string, authConfigs []reconciliation.AuthConfig, allowPaths []string, denyPath string) *securityv1.AuthorizationPolicy {
 	var authPolicyRules []*securityv1api.Rule
 
 	notPaths := allowPaths
-	notPaths = append(allowPaths, denyPaths...)
+	notPaths = append(allowPaths, denyPath)
 	for _, authConfig := range authConfigs {
 		authPolicyRules = append(authPolicyRules, &securityv1api.Rule{
 			To: []*securityv1api.Rule_To{

diff --git a/pkg/resourcegenerator/istio/requestauthentication/request_authentication.go b/pkg/resourcegenerator/istio/requestauthentication/request_authentication.go
@@ -3,8 +3,6 @@ package requestauthentication
 import (
 	"fmt"
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
-	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
-	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
 	securityv1api "istio.io/api/security/v1"
@@ -43,12 +41,7 @@ func Generate(r reconciliation.Reconciliation) error {
 func getRequestAuthentication(application *skiperatorv1alpha1.Application, authConfigs []reconciliation.AuthConfig) securityv1.RequestAuthentication {
 	jwtRules := make([]*v1beta1.JWTRule, len(authConfigs))
 	for i, config := range authConfigs {
-		switch config.ProviderURIs.Name {
-		case digdirator.IDPortenName:
-			jwtRules[i] = getJWTRule(application.Spec.IDPorten.Authentication, config.ProviderURIs)
-		case digdirator.MaskinPortenName:
-			jwtRules[i] = getJWTRule(application.Spec.Maskinporten.Authentication, config.ProviderURIs)
-		}
+		jwtRules[i] = getJWTRule(config)
 	}
 	return securityv1.RequestAuthentication{
 		ObjectMeta: metav1.ObjectMeta{
@@ -64,16 +57,16 @@ func getRequestAuthentication(application *skiperatorv1alpha1.Application, authC
 	}
 }
 
-func getJWTRule(authentication *istiotypes.Authentication, providerURIs digdirator.DigdiratorURIs) *v1beta1.JWTRule {
+func getJWTRule(authConfig reconciliation.AuthConfig) *v1beta1.JWTRule {
 	var jwtRule = v1beta1.JWTRule{
-		ForwardOriginalToken: authentication.ForwardOriginalToken,
+		ForwardOriginalToken: authConfig.Spec.ForwardOriginalToken,
 	}
-	if authentication.TokenLocation == "cookie" {
+	if authConfig.Spec.TokenLocation == "cookie" {
 		jwtRule.FromCookies = []string{"BearerToken"}
 	}
-	if authentication.OutputClaimToHeaders != nil {
-		claimsToHeaders := make([]*v1beta1.ClaimToHeader, len(*authentication.OutputClaimToHeaders))
-		for i, claimToHeader := range *authentication.OutputClaimToHeaders {
+	if authConfig.Spec.OutputClaimToHeaders != nil {
+		claimsToHeaders := make([]*v1beta1.ClaimToHeader, len(*authConfig.Spec.OutputClaimToHeaders))
+		for i, claimToHeader := range *authConfig.Spec.OutputClaimToHeaders {
 			claimsToHeaders[i] = &v1beta1.ClaimToHeader{
 				Header: claimToHeader.Header,
 				Claim:  claimToHeader.Claim,
@@ -82,9 +75,9 @@ func getJWTRule(authentication *istiotypes.Authentication, providerURIs digdirat
 		jwtRule.OutputClaimToHeaders = claimsToHeaders
 	}
 
-	jwtRule.Issuer = providerURIs.IssuerURI
-	jwtRule.JwksUri = providerURIs.JwksURI
-	jwtRule.Audiences = []string{providerURIs.ClientID}
+	jwtRule.Issuer = authConfig.ProviderURIs.IssuerURI
+	jwtRule.JwksUri = authConfig.ProviderURIs.JwksURI
+	jwtRule.Audiences = []string{authConfig.ProviderURIs.ClientID}
 
 	return &jwtRule
 }