RBAC Foundations (#12)

Enable the encode of group and role information into the oauth2 access
token.

charts/identity/crds/identity.unikorn-cloud.org_organizations.yaml

@@ -61,25 +61,42 @@ spec:
                   are specified then it is assumed all users have access to everything.
                 items:
                   properties:
-                    displayName:
-                      description: DisplayName is the name to display the group as
-                        in UIs and other UX interfaces.  This should again be unique
-                        within the organization to avoid ambiguity, but may be changed.
-                      type: string
                     id:
                       description: ID is the a unique, and immutable identifier for
                         the group, the intent being that resources will belong to
                         a group irrespective of display name changes.
                       type: string
-                    providerName:
+                    name:
+                      description: Name is the name to display the group as in UIs
+                        and other UX interfaces.  This should again be unique within
+                        the organization to avoid ambiguity, but may be changed.
+                      type: string
+                    providerGroupName:
                       description: ProviderName is the name of the group as returned
                         by the provider. For example a query of https://cloudidentity.googleapis.com/v1/groups/
                         will return something like groups/01664s551ax43ok.
                       type: string
+                    roles:
+                      description: Roles are a list of roles users of the group inherit.
+                      items:
+                        description: Role defines the role a user has within the scope
+                          of a group.
+                        enum:
+                        - superAdmin
+                        - admin
+                        - user
+                        - reader
+                        type: string
+                      type: array
+                    users:
+                      description: Users are a list of user names that are members
+                        of the group.
+                      items:
+                        type: string
+                      type: array
                   required:
-                  - displayName
                   - id
-                  - providerName
+                  - name
                   type: object
                 type: array
               owner:

charts/identity/templates/organization.yaml

@@ -17,4 +17,23 @@ spec:
       customerId: {{ $google.customerId }}
     {{- end }}
   {{- end }}
+{{- with $groups := $org.groups }}
+  groups:
+{{- range $group := $groups }}
+  - id: {{ $group.id }}
+    name: {{ $group.name }}
+  {{- with $roles := $group.roles }}
+    roles:
+  {{- range $role := $roles }}
+    - {{ $role }}
+  {{- end }}
+  {{- end }}
+  {{- with $users := $group.users }}
+    users:
+  {{- range $user := $users }}
+    - {{ $user }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}

charts/identity/values.yaml

@@ -68,9 +68,15 @@ host: identity.acme.org
 #   - # A unique and immutable ID.
 #     id: 5f7033e8-17fc-41a1-a8f6-f3085115b611
 #     # The name to be displayed by UIs.
-#     displayName: My Group
+#     name: My Group
 #     # The unique name the provider refers to the group.
 #     providerName: groups/38ru24810eck10
+#     # Explicit list of users
+#     users:
+#     - foo@gmail.com
+#     # Roles for the group e.g. superAdmin, admin, user, reader.
+#     roles:
+#     - user
 
 ingress:
   # Sets the ingress class to use.

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.8
+	github.com/unikorn-cloud/core v0.1.10
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0
 	go.opentelemetry.io/otel/sdk v1.22.0

go.sum

@@ -265,6 +265,12 @@ github.com/unikorn-cloud/core v0.1.7 h1:I2Xu9gYlRnkG0TjY+qbTIWY+kHCv76mCOVFkLL1d
 github.com/unikorn-cloud/core v0.1.7/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/unikorn-cloud/core v0.1.8 h1:JJAfUgCP2hAAAMcfWjE0hmyDOmlg9fxNlWSyJs7gT3k=
 github.com/unikorn-cloud/core v0.1.8/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.10-0.20240314110053-42e6a0300b53 h1:vQYiOBQoUBpuu8XnHskUe8ypnK4M9TnwlrvoO84f4F0=
+github.com/unikorn-cloud/core v0.1.10-0.20240314110053-42e6a0300b53/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.10-0.20240314111057-273eb5d18310 h1:xKFgb2hVz7sLzFk+KI7POiaaniibvkuiclR3pMlUOSs=
+github.com/unikorn-cloud/core v0.1.10-0.20240314111057-273eb5d18310/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.10 h1:8D5+CSbBi0ziutAoaWnQq/t1mtfV0IQ1uD6Dg7HfAqY=
+github.com/unikorn-cloud/core v0.1.10/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=

pkg/apis/unikorn/v1alpha1/types.go

@@ -18,6 +18,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"github.com/unikorn-cloud/core/pkg/authorization/oauth2/claims"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -174,14 +176,18 @@ type OrganizationGroup struct {
 	// being that resources will belong to a group irrespective of display name
 	// changes.
 	ID string `json:"id"`
-	// DisplayName is the name to display the group as in UIs and other UX
+	// Name is the name to display the group as in UIs and other UX
 	// interfaces.  This should again be unique within the organization to
 	// avoid ambiguity, but may be changed.
-	DisplayName string `json:"displayName"`
+	Name string `json:"name"`
 	// ProviderName is the name of the group as returned by the provider.
 	// For example a query of https://cloudidentity.googleapis.com/v1/groups/
 	// will return something like groups/01664s551ax43ok.
-	ProviderName string `json:"providerName"`
+	ProviderGroupName *string `json:"providerGroupName,omitempty"`
+	// Users are a list of user names that are members of the group.
+	Users []string `json:"users,omitempty"`
+	// Roles are a list of roles users of the group inherit.
+	Roles []claims.Role `json:"roles,omitempty"`
 }
 
 // OrganizationStatus defines the status of the server.

pkg/oauth2/accesstoken.go

@@ -21,13 +21,17 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/google/uuid"
 
 	"github.com/unikorn-cloud/core/pkg/authorization/oauth2/claims"
+	unikornv1 "github.com/unikorn-cloud/identity/pkg/apis/unikorn/v1alpha1"
 	"github.com/unikorn-cloud/identity/pkg/jose"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 var (
@@ -40,7 +44,28 @@ var (
 )
 
 // Issue issues a new JWT access token.
-func Issue(i *jose.JWTIssuer, r *http.Request, code *Code, expiresAt time.Time) (string, error) {
+func (a *Authenticator) Issue(i *jose.JWTIssuer, r *http.Request, code *Code, expiresAt time.Time) (string, error) {
+	var organization unikornv1.Organization
+
+	if err := a.client.Get(r.Context(), client.ObjectKey{Namespace: a.namespace, Name: code.Organization}, &organization); err != nil {
+		return "", err
+	}
+
+	//nolint:prealloc
+	var groups []claims.Group
+
+	for _, group := range organization.Spec.Groups {
+		// TODO: we should also check if the IdP has mapped the user to a group here.
+		if !slices.Contains(group.Users, code.Subject) {
+			continue
+		}
+
+		groups = append(groups, claims.Group{
+			ID:    group.ID,
+			Roles: group.Roles,
+		})
+	}
+
 	now := time.Now()
 
 	nowRFC7519 := jwt.NumericDate(now.Unix())
@@ -49,7 +74,7 @@ func Issue(i *jose.JWTIssuer, r *http.Request, code *Code, expiresAt time.Time)
 	claims := &claims.Claims{
 		Claims: jwt.Claims{
 			ID:      uuid.New().String(),
-			Subject: code.Email,
+			Subject: code.Subject,
 			Audience: jwt.Audience{
 				code.ClientID,
 			},
@@ -58,7 +83,10 @@ func Issue(i *jose.JWTIssuer, r *http.Request, code *Code, expiresAt time.Time)
 			NotBefore: &nowRFC7519,
 			Expiry:    &expiresAtRFC7519,
 		},
-		Organization: code.Organization,
+		Unikorn: &claims.UnikornClaims{
+			Organization: code.Organization,
+			Groups:       groups,
+		},
 	}
 
 	token, err := i.EncodeJWT(claims)

pkg/oauth2/federated.go

@@ -135,9 +135,8 @@ type Code struct {
 	ClientScope scope.Scope `json:"csc,omitempty"`
 	// ClientNonce is injected into a OIDC id_token.
 	ClientNonce string `json:"cno,omitempty"`
-	// TODO: we would be a lot more flexible by passing all the claims over...
-	// Email is exactly that.
-	Email string `json:"email"`
+	// Subject is the canonical subject name (not an alias).
+	Subject string `json:"sub"`
 	// Organization is the user's organization name.
 	Organization string `json:"org"`
 }
@@ -634,15 +633,15 @@ func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request) {
 
 	// TODO: map from IdP groups to ours and add into the code for later encoding
 	// into the access token.
-
+	// NOTE: the email
 	oauth2Code := &Code{
 		ClientID:            state.ClientID,
 		ClientRedirectURI:   state.ClientRedirectURI,
 		ClientCodeChallenge: state.ClientCodeChallenge,
 		ClientScope:         state.ClientScope,
 		ClientNonce:         state.ClientNonce,
 		Organization:        state.Organization,
-		Email:               claims.Email,
+		Subject:             claims.Email,
 	}
 
 	code, err := a.issuer.EncodeJWEToken(oauth2Code)
@@ -777,13 +776,13 @@ func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*generate
 	expiry := time.Now().Add(24 * time.Hour)
 
 	// TODO: add some scopes, these hould probably be derived from the organization.
-	accessToken, err := Issue(a.issuer, r, code, expiry)
+	accessToken, err := a.Issue(a.issuer, r, code, expiry)
 	if err != nil {
 		return nil, err
 	}
 
 	// Handle OIDC.
-	idToken, err := a.oidcIDToken(r, code.ClientScope, expiry, oidcHash(accessToken), r.Form.Get("client_id"), code.Email)
+	idToken, err := a.oidcIDToken(r, code.ClientScope, expiry, oidcHash(accessToken), r.Form.Get("client_id"), code.Subject)
 	if err != nil {
 		return nil, err
 	}