Fix bug determining jwt validity due to incorrect computation of system timestamp and provide configuration option to allow for timely slack in token validity

[fscz]

Please see the following issue in istio:

istio/istio#22750

[qiwzhang]

I am fine with change to use absl::ToUnixSeconds(absl::Now()).

But I don't like "- 5" part, it seems like a hack to solve your particular problem

BTW, even you passed this check, there is another check in verifyJwt which is calling this code here
https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L163

[fscz]

The specific amount of slack is debatable. However, I don't think there is any doubt that there is a general need for some slack. Whatever part of an authn system (be it AWS ALB or https://istio.io/blog/2019/app-identity-and-access-adapter/) that refreshes access tokens has to check if the current token is still valid. Finally, istio-proxy validates the token again and the time between these two validation events is the time needed as slack.

[fscz]

Could we make the amount configurable?

[qiwzhang]

Yes, I like this idea. Let us make it configurable from filter config. Please see my other comments.

[qiwzhang]

It is better to config this slack time from filter config. If default is 0, it will not change existing behaviors.

We can add two fields:

exp_slack: // now <= exp + exp_slack
bnf_slack: // now >= bnf - bnf_slack

[fscz]

How do I use filter config?

[qiwzhang]

1. add new fields in Provider

2. you can get provider() as

jwks_data_->getJwtProvider()

as in line

[fscz]

Working on it. Think I need a proper build environment. Is there some documentation to set it up?
Can't find it in https://github.com/envoyproxy/envoy/

[qiwzhang]

You can check out this developer doc

The easiest way is to use docker

[fscz]

Ah. Good. Will do the docker thingy.

[qiwzhang]

not need to add anything to class members.

[qiwzhang]

We don't need to double check the exp an bnf here. My suggestion is:

• change code in https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc
• add a new function called verifyJwtWithoutTimeChecking(), this function will not check nbf_ and exp_

[fscz]

Err. Are you sure? jwt_verify_lib isn't an Istio thing, is it?

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #10753 was synchronize by fscz.

see: more, trace.

[qiwzhang]

we can use int32. Please check out this protobuf guide

default value for int32 is 0 in protobuf, not need to specify it

[htuch]

Actually, in Envoy we override Google style and prefer uint32 :)

[fscz]

Unless there are absolute high-performance needs (which we don't have here) you should always make values explicit. This is clear to anyone without further poking any documentation.

[qiwzhang]

jwks_data_ is only assigned in line 186, you have to move this code after that.

[qiwzhang]

be careful about signed and unsigned comparison here. Normally, nbf_ is 0.
change it to

if (nbf_ > now + nbf_clack) will avoid the sign integer issue

[qiwzhang]

change it to .... && exp_ < now - exp_slack
is easier to read

[fscz]

ok

[fscz]

How do I get exp_slack and nbf_slack from the 'jwks_data_' that I have?

[htuch]

Thanks for the contribution. This change looks pretty gnarly from a security perspective, glad to have @qiwzhang doing first pass (appreciated). Can you also update to a more meaningful title?

[htuch]

Actually, in Envoy we override Google style and prefer uint32 :)

[htuch]

Where does this formula come from? RFC?

[fscz]

This formula is about token validity and it is not mentioned in https://tools.ietf.org/html/rfc6749. But let me make my case:
///////////////////////////////////////////////////
Some load balancer performinc OIDC authentication receives a request and determines that the existing access token is valid (for another 1 second). It forwards the request to Istio Ingressgateway and subsequently to some pod with an envoy sidecar. Meanwhile,
1 second has passed and when envoy checks the token it finds that it has expired.
///////////////////////////////////////////////////

[fscz]

About int32/uint32: I think we should use int32 since what we are trying to do here is provide a configuration option to users. If someone f.e. wants to use nbf_slack = -60 in order to ensure that tokens are valid, starting one minute into the future after their time of issue - why not?

[htuch]

Do we have any regression or unit/integration tests for this?

[fscz]

Tests? Jeeze. What roughnecked thinking. No, seriously. This is my first contribution here and I wasn't actually planning on going through by myself. Anyways, I don't mind at all doing it but need to get set up with a proper build environment to do real work. The coming weekend seems a good time to do so.

[fscz]

Ah heck, here I am working already.

[qiwzhang]

This header is not needed any more. please remove it

[qiwzhang]

In protobuf: it is

type field_name = field_index;

field_index has to be unique for all fields in a message.

There is not way to default default value in protobuf. default value is determined by the type

[qiwzhang]

should it be

now < nbf_ - nbf_slack

you want the jwt to be ready ahead of nbf time. Is that right?

[fscz]

Reflecting on that idea, I think that any use cases for this come down to machines running with incorrect system time and I don't see why we should account for that.

[qiwzhang]

ok, then

[qiwzhang]

why this change?

[fscz]

never mind. was accidental. has been changed back.

[qiwzhang]

remove trailing space

[qiwzhang]

You need to get the latest jwt_verify_lib here:

By change its SHA, and sha256.

the sha256 sum is by: downloading that .tar.gz file, and run sha256sum on the file.

[fscz]

How do I get the current .tar.gz file. As I understand, the file
https://github.com/google/jwt_verify_lib/archive/40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac.tar.gz

is outdated. But how do I get the new one?

[qiwzhang]

the new sha is: b5b3b4ed8611b1eea8764845381e60becc7b0b43

the file is https://github.com/google/jwt_verify_lib/archive/b5b3b4ed8611b1eea8764845381e60becc7b0b43.tar.gz

sha256 is: 21b9fd9fb8714cb199a823a4c01cf6665bdd42b62137348707dee51714797dfc

[qiwzhang]

please also update the date in the comment field

[fscz]

I am using
./ci/run_envoy_docker.sh 'ci/do_circle_ci.sh bazel.coverage'

to build/test locally but it takes ages. Is that correct? See log below

./ci/run_envoy_docker.sh 'ci/do_circle_ci.sh bazel.coverage'
disk space at beginning of build:
Filesystem Size Used Avail Use% Mounted on
overlay 59G 51G 5.3G 91% /
tmpfs 64M 0 64M 0% /dev
tmpfs 995M 0 995M 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
osxfs 1.6T 637G 883G 42% /source
osxfs 1.6T 637G 883G 42% /build
/dev/sda1 59G 51G 5.3G 91% /etc/hosts
overlay 995M 1012K 994M 1% /run/docker.sock
tmpfs 995M 0 995M 0% /proc/acpi
tmpfs 995M 0 995M 0% /sys/firmware
No remote cache bucket is set, skipping setup remote cache.
ENVOY_SRCDIR=/source
ENVOY_BUILD_TARGET=//source/exe:envoy-static
2020/04/16 21:48:07 Downloading https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64...
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Starting local Bazel server and connecting to it...
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
HEAD is now at c6c986c... http: fix types (#118)
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
building using 8 CPUs
clang toolchain with libc++ configured
bazel coverage build with tests //test/...
Starting run_envoy_bazel_coverage.sh...
PWD=/source
SRCDIR=/source
VALIDATE_COVERAGE=true
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 199 packages loaded
Loading: 199 packages loaded
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Loading: 0 packages loaded
Loading: 1 packages loaded
Loading: 2 packages loaded
Loading: 2 packages loaded
Generated coverage BUILD file at: /source/test/coverage/BUILD
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Analyzing: target //test/coverage:coverage_tests (1021 packages loaded, 26065 targets configured)
curren

[lizan]

?

[lizan]

Don't use absl::Now but use time from timeSource().systemTime(), this will make test easier by providing mock time.

[lizan]

coverage CI are a bit flaky now so don't worry for now, can you fix format to see if other CI is green?

[qiwzhang]

s/iat/nbf

[fscz]

Still seeing this:

source/extensions/filters/http/jwt_authn/authenticator.cc:172:59: error: no member named 'nbf_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t nbf_slack = jwks_data_->getJwtProvider().nbf_slack();
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
source/extensions/filters/http/jwt_authn/authenticator.cc:173:59: error: no member named 'exp_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t exp_slack = jwks_data_->getJwtProvider().exp_slack();

[qiwzhang]

Hmm, make sure this modified proto files are compiled. by

bazel build //api/...

for docker run: you need to run this command "bazel.api"

[fscz]

I am seeing the error as output from
https://circleci.com/gh/envoyproxy/envoy/338165?utm_campaign=workflow-failed&utm_medium=email&utm_source=notification

[qiwzhang]

This header is not needed any more. please remove it

[fscz]

Bump:
I get a compilation error

source/extensions/filters/http/jwt_authn/authenticator.cc:172:59: error: no member named 'nbf_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t nbf_slack = jwks_data_->getJwtProvider().nbf_slack();

source/extensions/filters/http/jwt_authn/authenticator.cc:173:59: error: no member named 'exp_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t exp_slack = jwks_data_->getJwtProvider().exp_slack();

as output from https://circleci.com/gh/envoyproxy/envoy/338165?utm_campaign=workflow-failed&utm_medium=email&utm_source=notification

[lizan]

Please fix the format, the format check including api_shadow generation, if api_shadow is not reflecting your change, it results the compilation error you see.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[fscz]

Please fix the format, the format check including api_shadow generation, if api_shadow is not reflecting your change, it results the compilation error you see.

How do I fix the format? Is there some guide that I can follow?

[qiwzhang]

I think you can run "fix_format" command

[repokitteh-read-only]

CC @envoyproxy/api-watchers: FYI only for changes made to api/.

🐱

Caused by: #10753 was synchronize by fscz.

see: more, trace.

[fscz]

Ok. After fix format coverage tests still fail.
See https://circleci.com/gh/envoyproxy/envoy/343381?utm_campaign=workflow-failed&utm_medium=email&utm_source=notification

I think the most relevant part is:
`
[----------] 1 test from ExtractorTest
[ RUN ] ExtractorTest.TestPrefixHeaderNotMatch
#0 Envoy::SignalAction::sigHandler() [0x10ccb5b4]
#1 __restore_rt [0x7f7bfea51390]
#2 Envoy::Config::(anonymous namespace)::annotateWithOriginalType()::TypeAnnotatingProtoVisitor::onField() [0x1180e588]
#3 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69aad]
#4 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69be4]
#5 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69b6b]
#6 Envoy::Config::(anonymous namespace)::annotateWithOriginalType() [0x1180d883]
#7 Envoy::Config::VersionConverter::upgrade() [0x1180d6e6]
#8 Envoy::(anonymous namespace)::tryWithApiBoosting() [0x10cd0756]
#9 Envoy::MessageUtil::loadFromJson() [0x10cd05bb]
#10 Envoy::(anonymous namespace)::jsonConvertInternal() [0x10cd105e]
#11 Envoy::MessageUtil::loadFromYaml() [0x10cd09bc]
#12 Envoy::TestUtility::loadFromYaml() [0x62071bf]
#13 Envoy::Extensions::HttpFilters::JwtAuthn::(anonymous namespace)::ExtractorTest::SetUp() [0xa22fbc2]
#14 testing::internal::HandleSehExceptionsInMethodIfSupported<>() [0x12108f66]
#15 testing::internal::HandleExceptionsInMethodIfSupported<>() [0x120f5531]
#16 testing::Test::Run() [0x120dfd85]
#17 testing::TestInfo::Run() [0x120e0908]
#18 testing::TestSuite::Run() [0x120e1079]
#19 testing::internal::UnitTestImpl::RunAllTests() [0x120ee086]
#20 testing::internal::HandleSehExceptionsInMethodIfSupported<>() [0x1210de06]
#21 testing::internal::HandleExceptionsInMethodIfSupported<>() [0x120f8351]
#22 testing::UnitTest::Run() [0x120edad0]
#23 RUN_ALL_TESTS() [0x10671e45]
#24 Envoy::TestRunner::RunTests() [0x10671546]
#25 main [0x1066f877]
#26 __libc_start_main [0x7f7bfe696830]
external/bazel_tools/tools/test/collect_coverage.sh: line 131: 23945 Segmentation fault (core dumped) "$@"

• TEST_STATUS=139
• touch /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/testlogs/test/coverage/coverage_tests/shard_26_of_50/coverage.dat
• [[ 139 -ne 0 ]]
• echo --
  --
• echo Coverage runner: Not collecting coverage for failed test.
  Coverage runner: Not collecting coverage for failed test.
• echo The following commands failed with status 139
  The following commands failed with status 139
• echo /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/bin/test/coverage/coverage_tests.runfiles/envoy/test/coverage/coverage_tests --gmock_default_mock_behavior=2 '--log-path /dev/null' '-l trace'
  /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/bin/test/coverage/coverage_tests.runfiles/envoy/test/coverage/coverage_tests --gmock_default_mock_behavior=2 --log-path /dev/null -l trace
• exit 139
  ================================================================================
  FAIL: //test/coverage:coverage_tests (shard 25 of 50) (see /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/execroot/envoy/bazel-out/k8-fastbuild/testlogs/test/coverage/coverage_tests/shard_25_of_50/test.log)

FAILED: //test/coverage:coverage_tests (Summary)`

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[fscz]

Bump. Come on guys. Let's get this through. This should really be fixed.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[stale]

This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!