feat: setup-gap-authz

Author: erikburt

actions/setup-gap-authz/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.21-alpine AS builder
+
+WORKDIR /app
+COPY main.go .
+RUN go mod init github.com/auth-service && \
+    go build -o auth-service .
+
+FROM alpine:3.18
+
+RUN apk --no-cache add ca-certificates
+WORKDIR /app
+COPY --from=builder /app/auth-service .
+
+ENV AUTH_SERVICE_PORT=9001
+EXPOSE ${AUTH_SERVICE_PORT}
+
+CMD ["/app/auth-service"]

actions/setup-gap-authz/README.md

@@ -0,0 +1,5 @@
+# setup-gap-authz
+
+Used by the [setup-gap](../setup-gap/) action.
+
+This creates a local service which handles the fetching and refreshing of JWT.

actions/setup-gap-authz/action.yml

@@ -0,0 +1,70 @@
+name: setup-gap-authz
+description: "An ext_authz service used by setup-gap to handle authorization"
+
+inputs:
+  gap-name:
+    description: "See setup-gap for more details."
+    required: true
+
+  github-oidc-token-header-name:
+    description: "See setup-gap for more details."
+    required: true
+
+  port:
+    description: "The port the auth service will listen on."
+    required: false
+    default: "9001"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Build and run auth service
+      shell: bash
+      env:
+        AUTH_SERVICE_PORT: ${{ inputs.port }}
+        GITHUB_OIDC_TOKEN_HEADER_NAME:
+          ${{ inputs.github-oidc-token-header-name }}
+        GAP_NAME: ${{ inputs.gap-name }}
+      run: |
+        # Get the Github OIDC hostname
+        export GITHUB_OIDC_HOSTNAME=$(echo "${ACTIONS_ID_TOKEN_REQUEST_URL}" | awk -F[/:] '{print $4}')
+
+        echo "Building auth service container..."
+        # Pass the port at build time
+        docker build -t "gap-auth-service-${{ inputs.gap-name }}" \
+          --build-arg AUTH_SERVICE_PORT="${AUTH_SERVICE_PORT}" \
+          "${{ github.action_path }}"
+
+        echo "Starting auth service on port ${AUTH_SERVICE_PORT}..."
+        docker run -d \
+          --name "gap-auth-service-${{ inputs.gap-name }}" \
+          -p "${AUTH_SERVICE_PORT}:${AUTH_SERVICE_PORT}" \
+          -e AUTH_SERVICE_PORT="${AUTH_SERVICE_PORT}" \
+          -e GITHUB_OIDC_TOKEN_HEADER_NAME="${GITHUB_OIDC_TOKEN_HEADER_NAME}" \
+          -e GITHUB_OIDC_HOSTNAME="${GITHUB_OIDC_HOSTNAME}" \
+          -e ACTIONS_ID_TOKEN_REQUEST_URL="${ACTIONS_ID_TOKEN_REQUEST_URL}" \
+          -e ACTIONS_ID_TOKEN_REQUEST_TOKEN="${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+          -e GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
+          "gap-auth-service-${{ inputs.gap-name }}"
+
+    - name: Wait for auth service to be ready
+      shell: bash
+      env:
+        AUTH_SERVICE_PORT: ${{ inputs.port }}
+      run: |
+        echo "Waiting for auth service to be ready..."
+        echo "Sending requests to http://localhost:${AUTH_SERVICE_PORT}/healthz"
+        for i in {1..25}; do
+          if curl -s http://localhost:${AUTH_SERVICE_PORT}/healthz | grep -q "OK"; then
+            echo "Auth service is ready."
+            break
+          fi
+
+          if [ $i -eq 25 ]; then
+            echo "::error::Auth service failed to start."
+            exit 1
+          fi
+
+          echo "Waiting for auth service... (attempt $i/25)"
+          sleep 1
+        done

actions/setup-gap-authz/main.go

@@ -0,0 +1,222 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+// JWT token management
+var (
+	jwtToken          string
+	jwtExpiration     int64
+	tokenRefreshMutex sync.Mutex
+)
+
+// JWT payload structure
+type JWTPayload struct {
+	Exp int64 `json:"exp"`
+}
+
+// OIDCResponse structure
+type OIDCResponse struct {
+	Value string `json:"value"`
+}
+
+// Auth Request from Envoy
+type AuthRequest struct {
+	Attributes struct {
+		Request struct {
+			Http struct {
+				Method   string            `json:"method"`
+				Path     string            `json:"path"`
+				Host     string            `json:"host"`
+				Headers  map[string]string `json:"headers"`
+				Protocol string            `json:"protocol"`
+			} `json:"http"`
+		} `json:"request"`
+	} `json:"attributes"`
+}
+
+// Auth Response to Envoy
+type AuthResponse struct {
+	Status struct {
+		Code int `json:"code"`
+	} `json:"status"`
+	HttpResponse struct {
+		Headers map[string]string `json:"headers"`
+	} `json:"httpResponse"`
+}
+
+// Decode the JWT payload
+func decodeJWTPayload(jwt string) (*JWTPayload, error) {
+	parts := strings.Split(jwt, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid JWT format")
+	}
+
+	// Add padding if needed
+	payload := parts[1]
+	if l := len(payload) % 4; l > 0 {
+		payload += strings.Repeat("=", 4-l)
+	}
+
+	// Decode the base64 encoded payload
+	decoded, err := base64.URLEncoding.DecodeString(payload)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode payload: %v", err)
+	}
+
+	// Parse the JSON payload
+	var payloadObj JWTPayload
+	if err := json.Unmarshal(decoded, &payloadObj); err != nil {
+		return nil, fmt.Errorf("failed to parse payload: %v", err)
+	}
+
+	return &payloadObj, nil
+}
+
+// Fetch a new JWT token from GitHub
+func fetchGitHubOIDCToken() (string, int64, error) {
+	tokenRefreshMutex.Lock()
+	defer tokenRefreshMutex.Unlock()
+
+	// Check if we already have a valid token
+	now := time.Now().Unix()
+	if jwtToken != "" && jwtExpiration > now+60 {
+		log.Printf("Using existing token, expires in %d seconds", jwtExpiration-now)
+		return jwtToken, jwtExpiration, nil
+	}
+
+	log.Println("Fetching new GitHub OIDC token")
+
+	// Prepare the URL and headers
+	audience := "gap"
+	requestURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") + "&audience=" + audience
+	hostname := os.Getenv("GITHUB_OIDC_HOSTNAME")
+	authToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+
+	// Create a new HTTP request
+	req, err := http.NewRequest("GET", requestURL, nil)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	// Set headers
+	req.Host = hostname
+	req.Header.Set("Authorization", "Bearer "+authToken)
+	req.Header.Set("Accept", "application/json")
+
+	// Send the request
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", 0, fmt.Errorf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Check the response status
+	if resp.StatusCode != http.StatusOK {
+		return "", 0, fmt.Errorf("request failed with status: %d", resp.StatusCode)
+	}
+
+	// Read the response body
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to read response: %v", err)
+	}
+
+	// Parse the JSON response
+	var oidcResp OIDCResponse
+	if err := json.Unmarshal(body, &oidcResp); err != nil {
+		return "", 0, fmt.Errorf("failed to parse response: %v", err)
+	}
+
+	// Extract the token
+	token := oidcResp.Value
+	if token == "" {
+		return "", 0, fmt.Errorf("empty token received")
+	}
+
+	// Parse the JWT to get expiration
+	payload, err := decodeJWTPayload(token)
+	if err != nil {
+		log.Printf("Failed to decode JWT payload: %v, using default expiration", err)
+		return token, now + 300, nil // 5 minute default
+	}
+
+	log.Printf("Token fetched successfully, expires at %s", time.Unix(payload.Exp, 0).Format(time.RFC3339))
+	return token, payload.Exp, nil
+}
+
+// handleCheck processes auth requests from Envoy
+func handleCheck(w http.ResponseWriter, r *http.Request) {
+	// Parse the request
+	var authReq AuthRequest
+	if err := json.NewDecoder(r.Body).Decode(&authReq); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	// Fetch or refresh the token
+	token, _, err := fetchGitHubOIDCToken()
+	if err != nil {
+		log.Printf("Error fetching token: %v", err)
+		http.Error(w, "Failed to fetch token", http.StatusInternalServerError)
+		return
+	}
+
+	// Prepare the response
+	authResp := AuthResponse{}
+	authResp.Status.Code = 200
+	authResp.HttpResponse.Headers = make(map[string]string)
+
+	// Add GitHub OIDC token header
+	headerName := os.Getenv("GITHUB_OIDC_TOKEN_HEADER_NAME")
+	authResp.HttpResponse.Headers[headerName] = "Bearer " + token
+
+	// Add repository header if not already present
+	repoHeader := "x-repository"
+	if _, exists := authReq.Attributes.Request.Http.Headers[repoHeader]; !exists {
+		authResp.HttpResponse.Headers[repoHeader] = os.Getenv("GITHUB_REPOSITORY")
+	}
+
+	// Send the response
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(authResp)
+}
+
+// handleHealthz is a simple health check endpoint
+func handleHealthz(w http.ResponseWriter, r *http.Request) {
+	fmt.Fprint(w, "OK")
+}
+
+func main() {
+	port := os.Getenv("AUTH_SERVICE_PORT")
+	if port == "" {
+		log.Fatal("AUTH_SERVICE_PORT environment variable is required.")
+		os.Exit(1)
+	}
+
+	// Initialize token
+	_, _, err := fetchGitHubOIDCToken()
+	if err != nil {
+		log.Printf("Initial token fetch failed: %v", err)
+	}
+
+	// Set up HTTP server
+	http.HandleFunc("/check", handleCheck)
+	http.HandleFunc("/healthz", handleHealthz)
+
+	log.Printf("Starting auth service on port %s", port)
+	if err := http.ListenAndServe(":"+port, nil); err != nil {
+		log.Fatalf("Failed to start server: %v", err)
+	}
+}

actions/setup-gap-authz/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "setup-gap-authz",
+  "version": "0.0.0",
+  "description": "",
+  "private": true,
+  "scripts": {},
+  "author": "@smartcontractkit",
+  "license": "MIT",
+  "dependencies": {},
+  "repository": "https://github.com/smartcontractkit/.github"
+}

actions/setup-gap-authz/project.json

@@ -0,0 +1,7 @@
+{
+  "name": "setup-gap-authz",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "projectType": "application",
+  "sourceRoot": "actions/setup-gap-authz",
+  "targets": {}
+}

actions/setup-gap/action.yml

@@ -117,6 +117,11 @@ inputs:
     default: ""
     required: false
 
+  auth-service-port:
+    description: "The port the auth service will listen on."
+    required: false
+    default: "9001"
+
 outputs:
   local-proxy-port:
     description: "The port the local proxy will listen on."
@@ -264,6 +269,14 @@ runs:
         # Verify the installation by checking version
         gomplate --version
 
+    - name: Build and run auth service
+      uses: smartcontractkit/.github/actions/setup-gap-authz@feat/setup-gap-authz
+      with:
+        gap-name: ${{ inputs.gap-name }}
+        github-oidc-token-header-name:
+          ${{ inputs.github-oidc-token-header-name }}
+        port: ${{ inputs.auth-service-port }}
+
     - name: Run local Envoy proxy
       shell: sh
       env:
@@ -279,6 +292,7 @@ runs:
         PROXY_PORT: ${{ inputs.proxy-port }}
         WEBSOCKETS_PROXY_PORT: ${{ inputs.websockets-proxy-port }}
         WEBSOCKETS_SERVICES: ${{ inputs.websockets-services }}
+        AUTH_SERVICE_PORT: ${{ inputs.auth-service-port }}
       run: |
         # Get the Github OIDC hostname
         export GITHUB_OIDC_HOSTNAME=$(echo $ACTIONS_ID_TOKEN_REQUEST_URL | awk -F[/:] '{print $4}')
@@ -295,7 +309,7 @@ runs:
         echo "Using log level: ${PROXY_LOG_LEVEL}"
 
         # List of required ENVs to check
-        required_env_vars="DYNAMIC_PROXY_PORT ENABLE_PROXY_DEBUG GITHUB_OIDC_TOKEN_HEADER_NAME ENVOY_PROXY_IMAGE GITHUB_OIDC_HOSTNAME K8S_API_ENDPOINT_PORT MAIN_DNS_ZONE PROXY_LOG_LEVEL PROXY_PORT GITHUB_REPOSITORY WEBSOCKETS_PROXY_PORT"
+        required_env_vars="DYNAMIC_PROXY_PORT ENABLE_PROXY_DEBUG GITHUB_OIDC_TOKEN_HEADER_NAME ENVOY_PROXY_IMAGE GITHUB_OIDC_HOSTNAME K8S_API_ENDPOINT_PORT MAIN_DNS_ZONE PROXY_LOG_LEVEL PROXY_PORT GITHUB_REPOSITORY WEBSOCKETS_PROXY_PORT AUTH_SERVICE_PORT"
 
         # Loop through each variable and check if it's empty
         for var in $required_env_vars; do