Add support for path based auth

Author: philipgough

authentication/mtls.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"regexp"
 
 	"github.com/go-kit/log"
 	grpc_middleware_auth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
@@ -28,9 +29,11 @@ func init() {
 }
 
 type mTLSConfig struct {
-	RawCA  []byte `json:"ca"`
-	CAPath string `json:"caPath"`
-	CAs    []*x509.Certificate
+	RawCA        []byte   `json:"ca"`
+	CAPath       string   `json:"caPath"`
+	PathPatterns []string `json:"pathPatterns"`
+	CAs          []*x509.Certificate
+	pathMatchers []*regexp.Regexp
 }
 
 type MTLSAuthenticator struct {
@@ -83,6 +86,15 @@ func newMTLSAuthenticator(c map[string]interface{}, tenant string, registrationR
 		config.CAs = cas
 	}
 
+	// Compile path patterns
+	for _, pattern := range config.PathPatterns {
+		matcher, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compile mTLS path pattern %q: %v", pattern, err)
+		}
+		config.pathMatchers = append(config.pathMatchers, matcher)
+	}
+
 	return MTLSAuthenticator{
 		tenant: tenant,
 		logger: logger,
@@ -93,6 +105,29 @@ func newMTLSAuthenticator(c map[string]interface{}, tenant string, registrationR
 func (a MTLSAuthenticator) Middleware() Middleware {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Check if mTLS is required for this path
+			if len(a.config.pathMatchers) > 0 {
+				pathMatches := false
+				for _, matcher := range a.config.pathMatchers {
+					if matcher.MatchString(r.URL.Path) {
+						pathMatches = true
+						break
+					}
+				}
+
+				// If path doesn't match, skip mTLS enforcement
+				if !pathMatches {
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			// Path matches or no paths configured, enforce mTLS
+			if r.TLS == nil {
+				httperr.PrometheusAPIError(w, "mTLS required but no TLS connection", http.StatusBadRequest)
+				return
+			}
+
 			caPool := x509.NewCertPool()
 			for _, ca := range a.config.CAs {
 				caPool.AddCert(ca)
@@ -157,3 +192,83 @@ func (a MTLSAuthenticator) GRPCMiddleware() grpc.StreamServerInterceptor {
 func (a MTLSAuthenticator) Handler() (string, http.Handler) {
 	return "", nil
 }
+
+// PathAwareMiddleware creates a middleware that only enforces mTLS on matching paths
+func (a MTLSAuthenticator) PathAwareMiddleware(pathMatchers []*regexp.Regexp) Middleware {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Check if the request path matches any of the configured patterns
+			pathMatches := false
+			for _, matcher := range pathMatchers {
+				if matcher.MatchString(r.URL.Path) {
+					pathMatches = true
+					break
+				}
+			}
+
+			// If no path matches, skip mTLS enforcement
+			if !pathMatches {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Path matches, enforce mTLS
+			if r.TLS == nil {
+				httperr.PrometheusAPIError(w, "mTLS required but no TLS connection", http.StatusBadRequest)
+				return
+			}
+
+			caPool := x509.NewCertPool()
+			for _, ca := range a.config.CAs {
+				caPool.AddCert(ca)
+			}
+
+			if len(r.TLS.PeerCertificates) == 0 {
+				httperr.PrometheusAPIError(w, "client certificate required for this path", http.StatusUnauthorized)
+				return
+			}
+
+			opts := x509.VerifyOptions{
+				Roots:         caPool,
+				Intermediates: x509.NewCertPool(),
+				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+			}
+
+			if len(r.TLS.PeerCertificates) > 1 {
+				for _, cert := range r.TLS.PeerCertificates[1:] {
+					opts.Intermediates.AddCert(cert)
+				}
+			}
+
+			if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
+				if errors.Is(err, x509.CertificateInvalidError{}) {
+					httperr.PrometheusAPIError(w, err.Error(), http.StatusUnauthorized)
+					return
+				}
+				httperr.PrometheusAPIError(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			var sub string
+			switch {
+			case len(r.TLS.PeerCertificates[0].EmailAddresses) > 0:
+				sub = r.TLS.PeerCertificates[0].EmailAddresses[0]
+			case len(r.TLS.PeerCertificates[0].URIs) > 0:
+				sub = r.TLS.PeerCertificates[0].URIs[0].String()
+			case len(r.TLS.PeerCertificates[0].DNSNames) > 0:
+				sub = r.TLS.PeerCertificates[0].DNSNames[0]
+			case len(r.TLS.PeerCertificates[0].IPAddresses) > 0:
+				sub = r.TLS.PeerCertificates[0].IPAddresses[0].String()
+			default:
+				httperr.PrometheusAPIError(w, "could not determine subject", http.StatusBadRequest)
+				return
+			}
+			ctx := context.WithValue(r.Context(), subjectKey, sub)
+
+			// Add organizational units as groups.
+			ctx = context.WithValue(ctx, groupsKey, r.TLS.PeerCertificates[0].Subject.OrganizationalUnit)
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}

authentication/oidc.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"regexp"
 	"strings"
 	"time"
 
@@ -40,15 +41,16 @@ func init() {
 
 // oidcConfig represents the oidc authenticator config.
 type oidcConfig struct {
-	ClientID      string `json:"clientID"`
-	ClientSecret  string `json:"clientSecret"`
-	GroupClaim    string `json:"groupClaim"`
-	IssuerRawCA   []byte `json:"issuerCA"`
-	IssuerCAPath  string `json:"issuerCAPath"`
+	ClientID      string   `json:"clientID"`
+	ClientSecret  string   `json:"clientSecret"`
+	GroupClaim    string   `json:"groupClaim"`
+	IssuerRawCA   []byte   `json:"issuerCA"`
+	IssuerCAPath  string   `json:"issuerCAPath"`
 	issuerCA      *x509.Certificate
-	IssuerURL     string `json:"issuerURL"`
-	RedirectURL   string `json:"redirectURL"`
-	UsernameClaim string `json:"usernameClaim"`
+	IssuerURL     string   `json:"issuerURL"`
+	RedirectURL   string   `json:"redirectURL"`
+	UsernameClaim string   `json:"usernameClaim"`
+	PathPatterns  []string `json:"pathPatterns"`
 }
 
 type oidcAuthenticator struct {
@@ -62,6 +64,7 @@ type oidcAuthenticator struct {
 	redirectURL  string
 	oauth2Config oauth2.Config
 	handler      http.Handler
+	pathMatchers []*regexp.Regexp
 }
 
 func newOIDCAuthenticator(c map[string]interface{}, tenant string,
@@ -146,6 +149,16 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 
 	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID, SkipClientIDCheck: true})
 
+	// Compile path patterns
+	var pathMatchers []*regexp.Regexp
+	for _, pattern := range config.PathPatterns {
+		matcher, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compile OIDC path pattern %q: %v", pattern, err)
+		}
+		pathMatchers = append(pathMatchers, matcher)
+	}
+
 	oidcProvider := &oidcAuthenticator{
 		tenant:       tenant,
 		logger:       logger,
@@ -156,6 +169,7 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 		client:       client,
 		cookieName:   fmt.Sprintf("observatorium_%s", tenant),
 		redirectURL:  path.Join("/", tenant),
+		pathMatchers: pathMatchers,
 	}
 
 	r := chi.NewRouter()
@@ -275,6 +289,24 @@ func (a oidcAuthenticator) Handler() (string, http.Handler) {
 func (a oidcAuthenticator) Middleware() Middleware {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Check if OIDC is required for this path
+			if len(a.pathMatchers) > 0 {
+				pathMatches := false
+				for _, matcher := range a.pathMatchers {
+					if matcher.MatchString(r.URL.Path) {
+						pathMatches = true
+						break
+					}
+				}
+				
+				// If path doesn't match, skip OIDC enforcement
+				if !pathMatches {
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			// Path matches or no paths configured, enforce OIDC
 			var token string
 
 			authorizationHeader := r.Header.Get("Authorization")

main.go

@@ -237,9 +237,11 @@ type tenant struct {
 		IssuerRawCA   []byte `json:"issuerCA"`
 		IssuerCAPath  string `json:"issuerCAPath"`
 		issuerCA      *x509.Certificate
-		IssuerURL     string `json:"issuerURL"`
-		RedirectURL   string `json:"redirectURL"`
-		UsernameClaim string `json:"usernameClaim"`
+		IssuerURL     string   `json:"issuerURL"`
+		RedirectURL   string   `json:"redirectURL"`
+		UsernameClaim string   `json:"usernameClaim"`
+		Paths         []string `json:"paths"`
+		pathMatchers  []*regexp.Regexp
 		config        map[string]interface{}
 	} `json:"oidc"`
 	OpenShift *struct {
@@ -255,16 +257,19 @@ type tenant struct {
 	} `json:"authenticator"`
 
 	MTLS *struct {
-		RawCA  []byte `json:"ca"`
-		CAPath string `json:"caPath"`
-		cas    []*x509.Certificate
-		config map[string]interface{}
+		RawCA        []byte   `json:"ca"`
+		CAPath       string   `json:"caPath"`
+		Paths        []string `json:"paths"`
+		cas          []*x509.Certificate
+		pathMatchers []*regexp.Regexp
+		config       map[string]interface{}
 	} `json:"mTLS"`
 	OPA *struct {
 		Query           string   `json:"query"`
 		Paths           []string `json:"paths"`
 		URL             string   `json:"url"`
 		WithAccessToken bool     `json:"withAccessToken"`
+		pathMatchers    []*regexp.Regexp
 		authorizer      rbac.Authorizer
 	} `json:"opa"`
 	RateLimits []*struct {
@@ -362,6 +367,23 @@ func main() {
 					continue
 				}
 
+				// Compile OIDC path matchers
+				for _, pathPattern := range t.OIDC.Paths {
+					matcher, err := regexp.Compile(pathPattern)
+					if err != nil {
+						skip.Log("msg", "failed to compile OIDC path pattern", "pattern", pathPattern, "err", err, "tenant", t.Name)
+						skippedTenants.WithLabelValues(t.Name).Inc()
+						tenantsCfg.Tenants[i] = nil
+						break
+					}
+					t.OIDC.pathMatchers = append(t.OIDC.pathMatchers, matcher)
+				}
+				if tenantsCfg.Tenants[i] == nil {
+					continue
+				}
+
+				// Add path patterns to the config that will be passed to the authenticator
+				oidcConfig["pathPatterns"] = t.OIDC.Paths
 				t.OIDC.config = oidcConfig
 			}
 
@@ -373,6 +395,24 @@ func main() {
 					tenantsCfg.Tenants[i] = nil
 					continue
 				}
+
+				// Compile mTLS path matchers
+				for _, pathPattern := range t.MTLS.Paths {
+					matcher, err := regexp.Compile(pathPattern)
+					if err != nil {
+						skip.Log("msg", "failed to compile mTLS path pattern", "pattern", pathPattern, "err", err, "tenant", t.Name)
+						skippedTenants.WithLabelValues(t.Name).Inc()
+						tenantsCfg.Tenants[i] = nil
+						break
+					}
+					t.MTLS.pathMatchers = append(t.MTLS.pathMatchers, matcher)
+				}
+				if tenantsCfg.Tenants[i] == nil {
+					continue
+				}
+
+				// Add path patterns to the config that will be passed to the authenticator
+				mTLSConfig["pathPatterns"] = t.MTLS.Paths
 				t.MTLS.config = mTLSConfig
 			}
 
@@ -397,6 +437,21 @@ func main() {
 			}
 
 			if t.OPA != nil {
+				// Compile OPA path matchers
+				for _, pathPattern := range t.OPA.Paths {
+					matcher, err := regexp.Compile(pathPattern)
+					if err != nil {
+						skip.Log("msg", "failed to compile OPA path pattern", "pattern", pathPattern, "err", err, "tenant", t.Name)
+						skippedTenants.WithLabelValues(t.Name).Inc()
+						tenantsCfg.Tenants[i] = nil
+						break
+					}
+					t.OPA.pathMatchers = append(t.OPA.pathMatchers, matcher)
+				}
+				if tenantsCfg.Tenants[i] == nil {
+					continue
+				}
+
 				if t.OPA.URL != "" {
 					u, err := url.Parse(t.OPA.URL)
 					if err != nil {
@@ -1546,6 +1601,7 @@ func tenantAuthenticatorConfig(t *tenant) (map[string]interface{}, string, error
 	}
 }
 
+
 type otelErrorHandler struct {
 	logger log.Logger
 }