8

我最近在 GKE 集群中启用了 IAP。

  • 集群版本:1.15.11-gke.11

我按照这里的说明操作:https ://cloud.google.com/iap/docs/enabling-kubernetes-howto

服务配置如下:

---
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: foo-bc-iap
  namespace: foo-test
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-client-secret
---
apiVersion: v1
kind: Service
metadata:
  name: foo-internal-service
  namespace: foo-test
  annotations:
    cloud.google.com/backend-config: '{"ports":{"80":"foo-bc-iap"}}'
spec:
  type: NodePort # To create Ingress using the service.
  selector:
    app: foo-test
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8081

我使用的凭据是 OAuth 2.0 客户端 ID(类型:Web 应用程序)。

在确保在 Kubernetes 服务上激活 IAP 时受 IAP 保护的 API 端点的工作方式不同后,我编写了以下测试程序以确保可以从 JSON 文件“account.json”中给出的服务帐户访问该端点。

在编写此示例应用程序时,我查阅了以下文档:https ://cloud.google.com/iap/docs/authentication-howto#iap_make_request-go

  • google.golang.org/api v0.23.0
  • 去 1.12
func (m *myApp) testAuthz(ctx *cli.Context) error {
    audience := "<The client ID of the credential mentioned above>"
    serviceAccountOption := idtoken.WithCredentialsFile("account.json")

    client, err := idtoken.NewClient(ctx.Context, audience, serviceAccountOption)
    if err != nil {
        return fmt.Errorf("idtoken.NewClient: %v", err)
    }

    requestBody := `{
        <some JSON payload>
    }`

    request, err := http.NewRequest("POST", "https://my.iap.protected/endpoint",
        bytes.NewBuffer([]byte(requestBody)))
    if err != nil {
        return fmt.Errorf("http.NewRequest: %v", err)
    }

    request.Header.Add("Content-Type", "application/json")

    response, err := client.Do(request)
    if err != nil {
        return fmt.Errorf("client.Do: %v", err)
    }
    defer response.Body.Close()

    fmt.Printf("request header = %#v\n", response.Request.Header)
    fmt.Printf("response header = %#v\n", response.Header)

    body, err := ioutil.ReadAll(response.Body)
    if err != nil {
        return fmt.Errorf("ioutil.ReadAll: %v", err)
    }

    fmt.Printf("%d: %s\n", response.StatusCode, string(body))

    return nil
}

但是当我运行它时,我只能看到以下响应。

request header = http.Header{"Authorization":[]string{"Bearer <jwt token>"}, "Content-Type":[]string{"application/json"}, "X-Cloud-Trace-Context":[]string{"c855757f20d155da1140fad1508ae3e5/17413578722158830486;o=0"}}

response header = http.Header{"Alt-Svc":[]string{"clear"}, "Content-Length":[]string{"49"}, "Content-Type":[]string{"text/html; charset=UTF-8"}, "Date":[]string{"Wed, 06 May 2020 22:17:43 GMT"}, "X-Goog-Iap-Generated-Response":[]string{"true"}}

401: Invalid IAP credentials: JWT signature is invalid

正如您在此处看到的,访问被拒绝

所以我认为用于对标头中的 JWT 令牌进行签名的签名可能是错误的。

但是我使用 jwt.io 确保了以下内容:

  • 标头中使用的 JWT 令牌由调用者服务帐户的私钥签名
  • 标头中使用的 JWT 令牌可以通过调用方服务帐户的公钥进行验证
  • JWT 令牌使用 RS256 算法签名

我还查看了令牌:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<the service account's private key ID>"
}

{
  "iss": "<email address of the service account>",
  "aud": "",
  "exp": 1588806087,
  "iat": 1588802487,
  "sub": "<email address of the service acocunt>"
}

没什么奇怪的。

所以我不确定这里发生了什么。如果我禁用 IAP,端点会返回正确的响应

谁能给我一些提示我做错了什么?

4

3 回答 3

3

我尝试了您的代码,发现它不适用于google.golang.org/api v0.23.0,但它确实适用google.golang.org/api v0.24.0(撰写本文时的最新版本)。

这确实是一个错误,发行说明中提到了以下内容:

When provided, use the TokenSource from options for NewTransport. This fixes a bug in idtoken.NewClient where the wrong TokenSource was being used for authentication.

有趣的是,0.23.0 正在发送一个使用服务帐户的私钥签名的令牌,其中包含以下声明:

{
  "iss":"xx@xx.iam.gserviceaccount.com",
  "aud":"",
  "exp":1589596554,
  "iat":1589592954,
  "sub":"xx@xx.iam.gserviceaccount.com"
}

和 0.24.0 发送一个用 google's private key签名的令牌。(在内部,以前的令牌交换为谷歌签名的令牌)

{
    "aud":"xxxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
    "azp":"xx@xx.iam.gserviceaccount.com",
    "email":"xx@xx.iam.gserviceaccount.com",
    "email_verified":true,
    "exp":1589596508,
    "iat":1589592908,
    "iss":"https://accounts.google.com",
    "sub":"11524xxxxxxxxxxxxxxxx"
}
于 2020-05-16T01:42:57.667 回答
0

JWT 令牌exp属性似乎有一个过期日期(5 月 7 日 1:01)并且您的帖子来自(5 月 7 日 3:53)您是否尝试过重新生成它?

[编辑:我知道这应该是评论。由于低代表发布为答案]

于 2020-05-15T09:33:45.990 回答
0

正如@Dirbaio 指出的那样,我认为这是 v0.23.0 特有的问题。因为我现在无法升级依赖项,所以我选择创建一个不使用idtoken.NewClient. 相反,它仅用于idtoken.NewTokenSource创建 OIDC 令牌。将令牌添加到 Authorization 标头很容易,因此我可以在由idtoken.NewClient.

package main

import (
    "context"
    "crypto/tls"
    "fmt"
    "io"
    "net/http"

    "golang.org/x/oauth2"
    "google.golang.org/api/idtoken"
    "google.golang.org/api/option"
)

// IAPClient is the default HTTPS client with Morse-Code KMS integration.
type IAPClient struct {
    client      *http.Client
    tokenSource oauth2.TokenSource
}

// NewIAPClient returns an HTTP client with TLS transport, but not doing the CA checks.
func NewIAPClient(audience string, opts ...option.ClientOption) *IAPClient {
    tokenSource, err := idtoken.NewTokenSource(context.Background(), audience, opts...)
    if err != nil {
        panic(fmt.Errorf("cannot create a new token source: %s", err.Error()))
    }

    return &IAPClient{
        client: &http.Client{
            Transport: &http.Transport{
                TLSClientConfig: &tls.Config{
                    InsecureSkipVerify: true,
                },
            },
        },
        tokenSource: tokenSource,
    }
}

// Do sends the http request to server with a morse-code JWT Authorization: Bearer header.
func (c *IAPClient) Do(request *http.Request) (*http.Response, error) {
    err := c.addAuthorizationHeader(request)
    if err != nil {
        return nil, fmt.Errorf("couldn't override the request with the new auth header: %s", err.Error())
    }

    return c.client.Do(request)
}

// Get sends the http GET request to server with a morse-code JWT Authorization: Bearer header.
func (c *IAPClient) Get(url string) (*http.Response, error) {
    request, err := http.NewRequest(http.MethodGet, url, nil)

    if err != nil {
        return nil, err
    }

    return c.Do(request)
}

// Post sends the http POST request to server with a morse-code JWT Authorization: Bearer header.
func (c *IAPClient) Post(url, contentType string, body io.Reader) (*http.Response, error) {
    request, err := http.NewRequest(http.MethodPost, url, body)
    if err != nil {
        return nil, err
    }

    request.Header.Add("Content-Type", contentType)

    return c.Do(request)
}

func (c *IAPClient) addAuthorizationHeader(request *http.Request) error {
    tkn, err := c.tokenSource.Token()
    if err != nil {
        return fmt.Errorf("cannot create a token: %s", err.Error())
    }

    tkn.SetAuthHeader(request)

    return nil
}
于 2020-05-28T02:52:29.197 回答