Added support for authentication processor

config/configauth/configauth.go

@@ -0,0 +1,49 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configauth
+
+// Authentication defines the auth settings for the receiver
+type Authentication struct {
+ // The attribute (header name) to look for auth data. Optional, default value: "authentication".
+ Attribute string `mapstructure:"attribute"`
+
+ // OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
+ // Required.
+ OIDC *OIDC `mapstructure:"oidc"`
+}
+
+// OIDC defines the OpenID Connect properties for this processor
+type OIDC struct {
+ // IssuerURL is the base URL for the OIDC provider.
+ // Required.
+ IssuerURL string `mapstructure:"issuer_url"`
+
+ // Audience of the token, used during the verification.
+ // For example: "https://accounts.google.com" or "https://login.salesforce.com".
+ // Required.
+ Audience string `mapstructure:"audience"`
+
+ // The local path for the issuer CA's TLS server cert.
+ // Optional.
+ IssuerCAPath string `mapstructure:"issuer_ca_path"`
+
+ // The claim to use as the username, in case the token's 'sub' isn't the suitable source.
+ // Optional.
+ UsernameClaim string `mapstructure:"username_claim"`
+
+ // The claim that holds the subject's group membership information.
+ // Optional.
+ GroupsClaim string `mapstructure:"groups_claim"`
+}

config/configauth/empty_test.go

@@ -0,0 +1,15 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configauth

config/configgrpc/configgrpc.go

@@ -16,6 +16,7 @@
 package configgrpc
 
 import (
+ "context"
  "fmt"
  "net"
  "strings"
@@ -27,8 +28,10 @@ import (
  "google.golang.org/grpc/encoding/gzip"
  "google.golang.org/grpc/keepalive"
 
+ "go.opentelemetry.io/collector/config/configauth"
  "go.opentelemetry.io/collector/config/confignet"
  "go.opentelemetry.io/collector/config/configtls"
+ "go.opentelemetry.io/collector/internal/auth"
 )
 
 // Compression gRPC keys for supported compression types within collector
@@ -157,9 +160,12 @@ type GRPCServerSettings struct {
 
  // Keepalive anchor for all the settings related to keepalive.
  Keepalive *KeepaliveServerConfig `mapstructure:"keepalive,omitempty"`
+
+ // Auth for this receiver
+ Auth *configauth.Authentication `mapstructure:"auth,omitempty"`
 }
 
-// ToServerOption maps configgrpc.GRPCClientSettings to a slice of dial options for gRPC
+// ToDialOptions maps configgrpc.GRPCClientSettings to a slice of dial options for gRPC
 func (gcs *GRPCClientSettings) ToDialOptions() ([]grpc.DialOption, error) {
  var opts []grpc.DialOption
  if gcs.Compression != "" {
@@ -287,6 +293,22 @@ func (gss *GRPCServerSettings) ToServerOption() ([]grpc.ServerOption, error) {
  }
  }
 
+ if gss.Auth != nil {
+ auth, err := auth.New(*gss.Auth)
+ if err != nil {
+ return nil, err
+ }
+
+ // perhaps we should use a timeout here?
+ if err := auth.Start(context.Background()); err != nil {
+ return nil, err
+ }
+
+ // TODO: we need a hook to call auth.Close()
+
+ opts = append(opts, grpc.UnaryInterceptor(auth.UnaryInterceptor), grpc.StreamInterceptor(auth.StreamInterceptor))
+ }
+
  return opts, nil
 }
 

config/configgrpc/configgrpc_test.go

@@ -22,8 +22,10 @@ import (
  "time"
 
  "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
  "google.golang.org/grpc"
 
+ "go.opentelemetry.io/collector/config/configauth"
  "go.opentelemetry.io/collector/config/confignet"
  "go.opentelemetry.io/collector/config/configtls"
  otelcol "go.opentelemetry.io/collector/internal/data/opentelemetry-proto-gen/collector/trace/v1"
@@ -74,7 +76,7 @@ func TestDefaultGrpcServerSettings(t *testing.T) {
  assert.Len(t, opts, 0)
 }
 
-func TestAllGrpcServerSettings(t *testing.T) {
+func TestAllGrpcServerSettingsExceptAuth(t *testing.T) {
  gss := &GRPCServerSettings{
  NetAddr: confignet.NetAddr{
  Endpoint: "localhost:1234",
@@ -107,6 +109,25 @@ func TestAllGrpcServerSettings(t *testing.T) {
  assert.Len(t, opts, 7)
 }
 
+func TestGrpcServerAuthSettings(t *testing.T) {
+ gss := &GRPCServerSettings{}
+
+ // sanity check
+ _, err := gss.ToServerOption()
+ require.NoError(t, err)
+
+ // test
+ gss.Auth = &configauth.Authentication{
+ OIDC: &configauth.OIDC{},
+ }
+ opts, err := gss.ToServerOption()
+
+ // verify
+ // an error here is a positive confirmation that Auth kicked in
+ assert.Error(t, err)
+ assert.Nil(t, opts)
+}
+
 func TestGRPCClientSettingsError(t *testing.T) {
  tests := []struct {
  settings GRPCClientSettings

go.mod

@@ -10,6 +10,7 @@ require (
  github.com/cenkalti/backoff v2.2.1+incompatible
  github.com/census-instrumentation/opencensus-proto v0.3.0
  github.com/client9/misspell v0.3.4
+ github.com/coreos/go-oidc v2.2.1+incompatible
  github.com/davecgh/go-spew v1.1.1
  github.com/evanphx/json-patch v4.5.0+incompatible // indirect
  github.com/go-kit/kit v0.10.0
@@ -37,6 +38,7 @@ require (
  github.com/orijtech/prometheus-go-metrics-exporter v0.0.5
  github.com/ory/go-acc v0.2.6
  github.com/pavius/impi v0.0.3
+ github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
  github.com/prometheus/client_golang v1.7.1
  github.com/prometheus/common v0.11.1
  github.com/prometheus/prometheus v1.8.2-0.20200626085723-c448ada63d83
@@ -63,6 +65,7 @@ require (
  google.golang.org/grpc v1.32.0
  google.golang.org/grpc/examples v0.0.0-20200728065043-dfc0c05b2da9 // indirect
  google.golang.org/protobuf v1.25.0
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
  gopkg.in/yaml.v2 v2.3.0
  honnef.co/go/tools v0.0.1-2020.1.5
 )