
Commit db82310

authored
fix(trace-shield): Allow oauth credentials in basic auth header (#695)
* feat(trace-shield): allow auth in basic auth header Signed-off-by: David van der Spek <[email protected]> * fix: enabled + add token endpoint Signed-off-by: David van der Spek <[email protected]> * fix: set correct service name for hydra public Signed-off-by: David van der Spek <[email protected]> * fix(trace-shield): oauth in grafana datasource Signed-off-by: David van der Spek <[email protected]> --------- Signed-off-by: David van der Spek <[email protected]>
1 parent 12b6660 commit db82310


3 files changed

+37
-16
lines changed


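--- a/trace-shield/helm/trace-shield/Chart.yaml
+++ b/trace-shield/helm/trace-shield/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: trace-shield
 description: helm chart for trace-shield
 type: application
-version: 0.1.8
+version: 0.1.12
 appVersion: "v0.2.0"
 dependencies:
 - name: kratos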

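--- a/trace-shield/helm/trace-shield/templates/oathkeeper-rules.yaml
+++ b/trace-shield/helm/trace-shield/templates/oathkeeper-rules.yaml
@@ -18,6 +18,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/prometheus/api/v1/<status|query|query_range|query_exemplars|series|label|metadata|read|cardinality><.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -28,7 +29,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_metrics",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -42,6 +43,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}</api/v1/push.*|/otlp/v1/metrics.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -52,7 +54,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_metrics",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -66,6 +68,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}</ruler/rule_groups.*|/prometheus/api/v1/rules.*|/prometheus/api/v1/alerts.*|/prometheus/config/v1/rules.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -76,7 +79,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_metrics_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -90,6 +93,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/prometheus/config/v1/rules/<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -100,7 +104,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_metrics_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -114,6 +118,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/prometheus/config/v1/rules/<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -124,7 +129,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "delete_metrics_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -138,6 +143,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}</multitenant_alertmanager/configs.*|/api/v1/alerts.*> #TODO: add /alertmanager
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -148,7 +154,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_metrics_alerts",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -162,6 +168,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/api/v1/alerts<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -172,7 +179,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_metrics_alerts",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -186,6 +193,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/api/v1/alerts<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -196,7 +204,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "delete_metrics_alerts",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -215,6 +223,7 @@ data:
 url: https://{{ .Values.config.mimir.publicURL }}/alertmanager<.*> # TODO: does this need to be separate
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 - handler: cookie_session
 authorizer:
 handler: allow
@@ -235,6 +244,7 @@ data:
 url: https://{{ .Values.config.loki.publicURL }}/loki/api/v1/<query|query_range|label|series|tail><.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -245,7 +255,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_logs",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -259,6 +269,7 @@ data:
 url: https://{{ .Values.config.loki.publicURL }}/loki/api/v1/push<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -269,7 +280,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_logs",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -283,6 +294,7 @@ data:
 url: https://{{ .Values.config.loki.publicURL }}</loki/api/v1/rules|/prometheus/api/v1/rules|/prometheus/config/v1/rules><.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -293,7 +305,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_logs_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -307,6 +319,7 @@ data:
 url: https://{{ .Values.config.loki.publicURL }}/loki/api/v1/rules<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -317,7 +330,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_logs_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -331,6 +344,7 @@ data:
 url: https://{{ .Values.config.loki.publicURL }}/loki/api/v1/rules<.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -341,7 +355,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "delete_logs_rules",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -357,6 +371,7 @@ data:
 url: https://{{ .Values.config.tempo.publicURL }}/api/<traces|search|v2/search><.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -367,7 +382,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "read_traces",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop
@@ -381,6 +396,7 @@ data:
 url: https://{{ .Values.config.tempo.publicURL }}</otlp/v1/traces|/jaeger/api/traces|/zipkin/spans><.*>
 authenticators:
 - handler: oauth2_introspection
+- handler: oauth2_client_credentials
 authorizer:
 handler: remote_json
 config:
@@ -391,7 +407,7 @@ data:
 {
 "subject": {{`"{{ print .Subject }}"`}},
 "requestedPermission": "write_traces",
-"isOAuth2Client": {{`{{ eq (print .Subject) (print .Extra.client_id) }}`}}
+"isOAuth2Client": {{`{{ or (eq (print .Subject) (print .Extra.client_id)) (eq (print .Subject) (regexReplaceAll ":.*" (.MatchContext.Header.Get "Authorization" | trimPrefix "Basic " | b64dec) "")) }}`}}
 }
 mutators:
 - handler: noop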
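Review bot: In the alertmanager rule (hunk `@@ -215,6 +223,7 @@`) the new `oauth2_client_credentials` authenticator sits in front of `authorizer: handler: allow`, so any client that can complete the client-credentials exchange against the configured token endpoint reaches `/alertmanager<.*>` with no permission check at all, while every other rule touched here routes the same decision through `remote_json`; if that is not intended, this rule needs the same `remote_json` authorizer and payload, and the existing TODO on its url line suggests it is worth settling now. Separately, the new `isOAuth2Client` expression is copied into fifteen payloads; defining it once as a named Helm template (`{{- define "trace-shield.isOAuth2Client" -}} … {{- end -}}`) and including it keeps the header-decoding logic in one place when it needs to change. As far as I can tell Sprig's `b64dec` returns an error string rather than aborting the template when the header is not valid base64 (for example a `Bearer` token left untouched by `trimPrefix "Basic "`), so the second `eq` silently evaluates to `false`; a comment above the payload such as `# Basic credentials are decoded only to compare the client_id part with .Subject; a non-Basic or malformed header yields false` would make that failure mode explicit.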

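--- a/trace-shield/helm/trace-shield/values.yaml
+++ b/trace-shield/helm/trace-shield/values.yaml
@@ -450,6 +450,11 @@ oathkeeper:
 config:
 introspection_url: http://trace-shield-hydra-admin:4445/admin/oauth2/introspect
 # scope_strategy: exact
+
+oauth2_client_credentials:
+enabled: true
+config:
+token_url: http://trace-shield-hydra-public:4444/oauth2/token
 
 noop:
 enabled: true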
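Review bot: `token_url` in the new `oauth2_client_credentials` block uses plain `http://trace-shield-hydra-public:4444`, so the client secret taken from each Basic header is forwarded in cleartext on the cluster network unless that hop is protected by a mesh or network policy not visible in this chart; `introspection_url` two lines up has the same property, so if this is an accepted in-cluster trade-off a comment stating it (`# in-cluster plaintext hop; relies on [NETWORK CONTROL — fill in]`) would spare the next reader the question. With no `cache` configured, the authenticator presumably has to exchange credentials with Hydra on every request that carries Basic auth, which adds a round-trip on the push paths; if the Oathkeeper version in use supports the authenticator's `cache` block, enabling it here is worth considering.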
