Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP - Add nonce validation in PoP token verifier #367

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

WIP - Add nonce validation in PoP token verifier #367

wants to merge 6 commits into from

Conversation

julienstroheker
Copy link
Contributor

@julienstroheker julienstroheker commented Jun 14, 2023
edited
Loading

Making sure nonce claim is not been re-used more than once on each requests.

  • Validating if nonce claim is present as string
  • Saving each nonce claim value into a map (cache)
  • Validating that each requests is having a difference nonce claims by checking the values in the cache.
  • Refactoring big cache library to be used on authn and authz side
  • Cleaning the cache after TTL pop token expiration + 1minutes by spawning a go routine for each calls

@julienstroheker julienstroheker requested a review from a team as a code owner June 14, 2023 00:06
@julienstroheker julienstroheker force-pushed the juliens/pop-nonce-check branch from d4a3aca to 19be0ef Compare June 14, 2023 00:31
AzureMarker
AzureMarker suggested changes Jun 15, 2023
View reviewed changes
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier_test.go Outdated Show resolved Hide resolved
AzureMarker
AzureMarker reviewed Jun 20, 2023
View reviewed changes
auth/providers/azure/pop_tokenverifier_test.go Outdated
time.Sleep(2 * time.Second)

_, err = verifierNonce.ValidatePopToken(validToken)
assert.NoError(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this have an error since the PoP token is only valid for 1 second according to the NewPoPVerifier call on line 313, and it's been 2 seconds since the token was created?

auth/providers/azure/pop_tokenverifier_test.go Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier_test.go Outdated Show resolved Hide resolved
@weinong
Copy link
Contributor

weinong commented Aug 9, 2023

@julienstroheker is this PR still open?

@julienstroheker
Copy link
Contributor Author

Yes. I was waiting the UT refactor pr to merge first.

AzureMarker
AzureMarker reviewed Oct 3, 2023
View reviewed changes
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier.go Outdated Show resolved Hide resolved
auth/providers/azure/pop_tokenverifier_test.go Outdated Show resolved Hide resolved
@julienstroheker julienstroheker force-pushed the juliens/pop-nonce-check branch from 7394192 to c4e6be9 Compare October 4, 2023 00:03
@julienstroheker julienstroheker requested a review from a team as a code owner October 4, 2023 00:03
@julienstroheker julienstroheker force-pushed the juliens/pop-nonce-check branch 3 times, most recently from e6b3b70 to 5aa0f6e Compare October 4, 2023 00:46
julienstroheker and others added 2 commits October 5, 2023 17:59
@julienstroheker
Juliens/pop nonce squash (#1)
852d1ac 
* add pop token nonce validation

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* add details on UT

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* Safe map lock + Uts update

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* review

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* gen fmt

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* Fixing ut race

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* using len

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* ut reusing nonce with different ts

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* Using same token different ts on UT

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* remove unused param

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* lint issue

Signed-off-by: Julien Stroheker <juliens@microsoft.com>

* save work

* update UTs

* review

---------

Signed-off-by: Julien Stroheker <juliens@microsoft.com>
@julienstroheker
add test description
c358321 
Signed-off-by: Julien Stroheker <juliens@microsoft.com>
@julienstroheker julienstroheker force-pushed the juliens/pop-nonce-check branch from b8e33bf to c358321 Compare October 5, 2023 21:59
@julienstroheker
Copy link
Contributor Author

Still holding this PR due to changes we do on RBAC. This requires more tests + to review PR comments.

PLEASE DO NOT MERGE

@julienstroheker julienstroheker changed the title Add nonce validation in PoP token verifier WIP - Add nonce validation in PoP token verifier Dec 11, 2023
@julienstroheker
Merge branch 'master' into juliens/pop-nonce-check
3e21fcb
@julienstroheker
Refactor cache
110fd13 
Signed-off-by: Julien Stroheker <juliens@microsoft.com>
@julienstroheker
fmt and lint
71d499e 
Signed-off-by: Julien Stroheker <juliens@microsoft.com>
@julienstroheker
bump time sleep on UT
d00740c 
Signed-off-by: Julien Stroheker <juliens@microsoft.com>
julienstroheker
julienstroheker commented Dec 22, 2023
View reviewed changes
auth/providers/azure/pop_tokenverifier.go
"github.com/pkg/errors"
"gopkg.in/square/go-jose.v2/jwt"
"k8s.io/klog/v2"
)

// // create a cache to save nonce claim to make sure the nonce is not reused
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be removed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weinong weinong weinong left review comments

@amanohar amanohar amanohar requested changes

@AzureMarker AzureMarker AzureMarker approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@julienstroheker @weinong @AzureMarker @amanohar