feat: setup-gap-authz

Author: erikburt

actions/setup-gap-authz/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.21-alpine AS builder
+
+WORKDIR /app
+COPY main.go .
+RUN go mod init github.com/auth-service && \
+    go build -o auth-service .
+
+FROM alpine:3.18
+
+RUN apk --no-cache add ca-certificates
+WORKDIR /app
+COPY --from=builder /app/auth-service .
+
+ENV AUTH_SERVICE_PORT=9001
+EXPOSE ${AUTH_SERVICE_PORT}
+
+CMD ["/app/auth-service"]

actions/setup-gap-authz/README.md

@@ -0,0 +1,5 @@
+# setup-gap-authz
+
+Used by the [setup-gap](../setup-gap/) action.
+
+This creates a local service which handles the fetching and refreshing of JWT.

actions/setup-gap-authz/action.yml

@@ -0,0 +1,82 @@
+name: setup-gap-authz
+description: "An ext_authz service used by setup-gap to handle authorization"
+
+inputs:
+  gap-name:
+    description: "See setup-gap for more details."
+    required: true
+
+  github-oidc-token-header-name:
+    description: "See setup-gap for more details."
+    required: true
+
+  port:
+    description: "The port the auth service will listen on."
+    required: false
+    default: "9001"
+
+outputs:
+  container-ip:
+    description: "The IP address of the auth service container."
+    value: ${{ steps.run-auth-service.outputs.container-ip }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Build and run auth service
+      id: run-auth-service
+      shell: bash
+      env:
+        AUTH_SERVICE_PORT: ${{ inputs.port }}
+        GITHUB_OIDC_TOKEN_HEADER_NAME:
+          ${{ inputs.github-oidc-token-header-name }}
+        GAP_NAME: ${{ inputs.gap-name }}
+      run: |
+        # Get the Github OIDC hostname
+        export GITHUB_OIDC_HOSTNAME=$(echo "${ACTIONS_ID_TOKEN_REQUEST_URL}" | awk -F[/:] '{print $4}')
+
+        IMAGE_NAME="gap-auth-service-${GAP_NAME}"
+        CONTAINER_NAME="gap-auth-service-${GAP_NAME}-$(uuidgen | cut -d'-' -f1)"
+
+        echo "Building auth service container..."
+        # Pass the port at build time
+        docker build -t "${IMAGE_NAME}" \
+          --build-arg AUTH_SERVICE_PORT="${AUTH_SERVICE_PORT}" \
+          "${GITHUB_ACTION_PATH}"
+
+        echo "Starting auth service on port ${AUTH_SERVICE_PORT}..."
+        docker run -d \
+          --name "${CONTAINER_NAME}" \
+          -p "${AUTH_SERVICE_PORT}:${AUTH_SERVICE_PORT}" \
+          -e AUTH_SERVICE_PORT="${AUTH_SERVICE_PORT}" \
+          -e GITHUB_OIDC_TOKEN_HEADER_NAME="${GITHUB_OIDC_TOKEN_HEADER_NAME}" \
+          -e GITHUB_OIDC_HOSTNAME="${GITHUB_OIDC_HOSTNAME}" \
+          -e ACTIONS_ID_TOKEN_REQUEST_URL="${ACTIONS_ID_TOKEN_REQUEST_URL}" \
+          -e ACTIONS_ID_TOKEN_REQUEST_TOKEN="${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+          -e GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
+          "${IMAGE_NAME}"
+
+        CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "${CONTAINER_NAME}")
+        echo "container-ip=${CONTAINER_IP}" | tee -a $GITHUB_OUTPUT
+
+    - name: Wait for auth service to be ready
+      shell: bash
+      env:
+        AUTH_SERVICE_PORT: ${{ inputs.port }}
+      run: |
+        echo "Waiting for auth service to be ready..."
+        echo "Sending requests to http://localhost:${AUTH_SERVICE_PORT}/healthz"
+        for i in {1..25}; do
+          if curl -s http://localhost:${AUTH_SERVICE_PORT}/healthz | grep -q "OK"; then
+            echo "Auth service is ready."
+            break
+          fi
+
+          if [ $i -eq 25 ]; then
+            echo "::error::Auth service failed to start."
+            exit 1
+          fi
+
+          echo "Waiting for auth service... (attempt $i/25)"
+          sleep 1
+        done

actions/setup-gap-authz/main

@@ -0,0 +1,271 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+)
+
+// JWT token management
+var (
+	jwtToken          string
+	jwtExpiration     int64
+	tokenRefreshMutex sync.Mutex
+)
+
+// JWT payload structure
+type JWTPayload struct {
+	Exp int64 `json:"exp"`
+}
+
+// OIDCResponse structure
+type OIDCResponse struct {
+	Value string `json:"value"`
+}
+
+// Auth Response to Envoy
+type AuthResponse struct {
+	Status struct {
+		Code int `json:"code"`
+	} `json:"status"`
+	HttpResponse struct {
+		Headers map[string]string `json:"headers"`
+	} `json:"httpResponse"`
+}
+
+// Decode the JWT payload
+func decodeJWTPayload(jwt string) (*JWTPayload, error) {
+	parts := strings.Split(jwt, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid JWT format")
+	}
+
+	// Add padding if needed
+	payload := parts[1]
+	if l := len(payload) % 4; l > 0 {
+		payload += strings.Repeat("=", 4-l)
+	}
+
+	// Decode the base64 encoded payload
+	decoded, err := base64.URLEncoding.DecodeString(payload)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode payload: %v", err)
+	}
+
+	// Parse the JSON payload
+	var payloadObj JWTPayload
+	if err := json.Unmarshal(decoded, &payloadObj); err != nil {
+		return nil, fmt.Errorf("failed to parse payload: %v", err)
+	}
+
+	return &payloadObj, nil
+}
+
+// Fetch a new JWT token from GitHub
+func fetchGitHubOIDCToken() (string, int64, error) {
+	tokenRefreshMutex.Lock()
+	defer tokenRefreshMutex.Unlock()
+
+	// Check if we already have a valid token
+	now := time.Now().Unix()
+	if jwtToken != "" && jwtExpiration > now+60 {
+		log.Printf("Using existing token, expires in %d seconds", jwtExpiration-now)
+		return jwtToken, jwtExpiration, nil
+	}
+
+	log.Println("Fetching new GitHub OIDC token")
+
+	// Prepare the URL and headers
+	audience := "gap"
+	requestURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") + "&audience=" + audience
+	hostname := os.Getenv("GITHUB_OIDC_HOSTNAME")
+	authToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+
+	// Create a new HTTP request
+	req, err := http.NewRequest("GET", requestURL, nil)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	// Set headers
+	req.Host = hostname
+	req.Header.Set("Authorization", "Bearer "+authToken)
+	req.Header.Set("Accept", "application/json")
+
+	// Send the request
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", 0, fmt.Errorf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Check the response status
+	if resp.StatusCode != http.StatusOK {
+		return "", 0, fmt.Errorf("request failed with status: %d", resp.StatusCode)
+	}
+
+	// Read the response body
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to read response: %v", err)
+	}
+
+	// Parse the JSON response
+	var oidcResp OIDCResponse
+	if err := json.Unmarshal(body, &oidcResp); err != nil {
+		return "", 0, fmt.Errorf("failed to parse response: %v", err)
+	}
+
+	// Extract the token
+	token := oidcResp.Value
+	if token == "" {
+		return "", 0, fmt.Errorf("empty token received")
+	}
+
+	// Parse the JWT to get expiration
+	payload, err := decodeJWTPayload(token)
+	if err != nil {
+		log.Printf("Failed to decode JWT payload: %v", err)
+		// If we can't parse expiration, use a conservative default (5 minutes)
+		jwtToken = token
+		jwtExpiration = now + 300 // 5 minute default
+		log.Printf("Could not parse token expiration, using 5 min default. Expires at: %s",
+			time.Unix(jwtExpiration, 0).Format(time.RFC3339))
+		return jwtToken, jwtExpiration, nil
+	}
+
+	// Store the token and expiration in global variables
+	jwtToken = token
+	jwtExpiration = payload.Exp
+
+	log.Printf("Token fetched successfully, expires at %s", time.Unix(jwtExpiration, 0).Format(time.RFC3339))
+	return jwtToken, jwtExpiration, nil
+}
+
+// ensurePort443 modifies the authority header to use port 443
+func ensurePort443(authority string) string {
+	mainDNSZone := os.Getenv("MAIN_DNS_ZONE")
+	if mainDNSZone == "" {
+		log.Println("MAIN_DNS_ZONE environment variable not set")
+		return authority
+	}
+
+	// Escape special characters in the DNS zone for regex
+	escapedDNSZone := regexp.QuoteMeta(mainDNSZone)
+
+	// Check if the authority matches the pattern and has a port
+	re := regexp.MustCompile(escapedDNSZone + ":\\d+$")
+	if re.MatchString(authority) {
+		// Replace the port with 443
+		newAuthority := regexp.MustCompile(":\\d+$").ReplaceAllString(authority, ":443")
+		log.Printf("Updated authority header from %s to %s", authority, newAuthority)
+		return newAuthority
+	}
+
+	return authority
+}
+
+func addHeader(w http.ResponseWriter, headerName, headerValue string) {
+	log.Printf("Adding header: %s", headerName)
+	w.Header().Set(headerName, headerValue)
+}
+
+// handleCheck processes auth requests from Envoy
+func handleCheck(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Check: %s %s %s", r.Method, r.URL.Path, r.UserAgent())
+
+	// Get the authority header from the request headers
+	// For HTTP-based ext_authz, Envoy forwards the original headers
+	authority := r.Header.Get(":authority")
+	if authority == "" {
+		// Try the Host header as fallback
+		authority = r.Host
+		log.Printf("No :authority header found, using Host header: %s", authority)
+	}
+	log.Printf("Received Authority header: %s", authority)
+
+	// Fetch or refresh the token
+	token, _, err := fetchGitHubOIDCToken()
+	if err != nil {
+		log.Printf("Error fetching token: %v", err)
+		http.Error(w, "Failed to fetch token", http.StatusInternalServerError)
+		return
+	}
+
+	// Prepare the response
+	authResp := AuthResponse{}
+	authResp.Status.Code = 200
+	authResp.HttpResponse.Headers = make(map[string]string)
+
+	// Add the JWT token header
+	headerName := os.Getenv("GITHUB_OIDC_TOKEN_HEADER_NAME")
+	addHeader(w, headerName, "Bearer "+token)
+
+	githubRepository := os.Getenv("GITHUB_REPOSITORY")
+	addHeader(w, "x-repository", githubRepository)
+
+	// Check and modify the authority header if needed
+	if authority != "" {
+		modifiedAuthority := ensurePort443(authority)
+		addHeader(w, ":authority", modifiedAuthority)
+	}
+
+	// Send the response
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(authResp)
+}
+
+// handleHealthz is a simple health check endpoint
+func handleHealthz(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Health check request: %s", r.URL.Path)
+	fmt.Fprint(w, "OK")
+}
+
+// handleNotFound handles all other paths, logs the request path, and returns a 404
+func handleNotFound(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Not found request: %s %s", r.Method, r.URL.Path)
+	http.Error(w, "Not Found", http.StatusNotFound)
+}
+
+func main() {
+	port := os.Getenv("AUTH_SERVICE_PORT")
+	if port == "" {
+		log.Fatal("AUTH_SERVICE_PORT environment variable is required.")
+		os.Exit(1)
+	}
+
+	// Initialize token
+	_, _, err := fetchGitHubOIDCToken()
+	if err != nil {
+		log.Printf("Initial token fetch failed: %v", err)
+		// Continue anyway, we'll retry on first request
+	}
+
+	// Set up HTTP server with custom mux
+	mux := http.NewServeMux()
+
+	// Register /check and /check/* endpoints
+	mux.HandleFunc("/check/", handleCheck)
+	mux.HandleFunc("/check", handleCheck)
+
+	mux.HandleFunc("/healthz", handleHealthz)
+
+	// Set up a catch-all handler for any other paths
+	mux.HandleFunc("/", handleNotFound)
+
+	// Start the server
+	address := fmt.Sprintf("0.0.0.0:%s", port)
+	log.Printf("Starting auth service on %s", address)
+	if err := http.ListenAndServe(address, mux); err != nil {
+		log.Fatalf("Failed to start server: %v", err)
+	}
+}

actions/setup-gap-authz/main.go

@@ -0,0 +1,11 @@
+{
+  "name": "setup-gap-authz",
+  "version": "0.0.0",
+  "description": "",
+  "private": true,
+  "scripts": {},
+  "author": "@smartcontractkit",
+  "license": "MIT",
+  "dependencies": {},
+  "repository": "https://github.com/smartcontractkit/.github"
+}

actions/setup-gap-authz/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "setup-gap-authz",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "projectType": "application",
+  "sourceRoot": "actions/setup-gap-authz",
+  "targets": {}
+}