Support built-in function authentication with OpenFaaS IAM. #29

Merged
merged 14 commits into from
Jun 14, 2024

@welteki welteki commented May 28, 2024

Description

Add support for built-in function authentication with OpenFaaS IAM to the go-sdk.

To prevent a breaking change by changing the client constructor function signature, a new constructor function NewClientWithOpts was added.

gatewayURL, _ := url.Parse("http://127.0.0.1:8080")
auth := &sdk.BasicAuth{
    Username: username,
    Password: password,
}

client := sdk.NewClientWithOpts(gatewayURL, http.DefaultClient, sdk.WithAuthentication(auth))

The client has a new method InvokeFunction that can be used to invoke OpenFaaS functions.

When the auth argument is true, the function invocation will be authenticated with an OpenFaaS function access token. The InvokeFunction method handles exchanging an ID token obtained from the FunctionTokenSource for an OpenFaaS function access token with a single function as audience.

Function access tokens are cached to prevent going through the token exchange each time a function is called.

By default the authentication provider set in ClientAuth is used as the function token source if it implements the TokenSource interface. Alternatively a function token source can be explicitly set with the WithFunctionTokenSource option during client construction.

The ExchangeIDToken token function accepts an extra list of exchange options to configure the token exchange. Supported options are WithAudience and WithScope.

Motivation and Context

  • I have raised an issue to propose this change (required)
  • My issue has received approval from the maintainers or lead with the design/approved label

Support built-in function authentication with OpenFaaS IAM.

How Has This Been Tested?

These changes have been used and tested E2E in the OpenFaaS CLI, pro connector sdk and dashboard.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
@derek derek bot added the no-dco label May 30, 2024

derek bot commented May 30, 2024

Thank you for your contribution. Unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.

Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.

💡 Shall we fix this?

This will only take a few moments.

First, clone your fork and checkout this branch using the git CLI.

Next, set up your real name and email address:

git config --global user.name "Your Full Name"
git config --global user.email "[email protected]"

Finally, run one of these commands to add the "Signed-off-by" line to your commits.

If you only have one commit so far then run: git commit --amend --signoff and then git push --force.
If you have multiple commits, watch this video.

Check that the message has been added properly by running "git log".

@@ -41,3 +50,33 @@ func (c *MemoryTokenCache) Get(key string) (*Token, bool) {

return token, ok
}

// StartGC starts garbage collection of expired tokens.
func (c *MemoryTokenCache) StartGC(ctx context.Context, gcInterval time.Duration) {
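
Review bot: The doc comment on StartGC says only that it starts garbage collection; it does not say whether the call blocks, how collection is stopped, or what a zero or negative gcInterval does. The signature takes a ctx and returns nothing, so if the loop runs until ctx is done and is meant to be launched with go, the comment should say so, along with the accepted range for gcInterval.
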
Member

How would a user access this when they've constructed a Client and have started using it?

Member

Likewise, how do you stop this?

Member Author

@welteki welteki May 30, 2024

You would have to start it when instantiating the cache. The context can be used to stop it.

The cache can be passed in as an option when the client is constructed.

fnTokenCache := sdk.NewMemoryTokenCache()
go fnTokenCache.StartGC(context.Background(), time.Second*10)

client := sdk.NewClientWithOpts(
    gatewayUrl,
    httpClient,
    sdk.WithAuthentication(auth),
    sdk.WithFunctionTokenCache(fnTokenCache),
)

Member

Is that example in the examples in the README?

How would you change the example so someone could stop the StartGC?

Member Author

@welteki welteki Jun 3, 2024

Yes this example is also in the README.

Instead of passing the background context in the example it can be changed to use a context that can be cancelled.
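
The stop mechanism discussed in this thread, as an added example that is not part of the PR or the go-sdk: a stand-in cache (the names tokenCache, valid, startGC and runDemo are hypothetical) whose GC loop ends when its context is cancelled and whose lookup treats an expired entry as a miss even before GC has removed it. It assumes Go 1.21 or later for maps.DeleteFunc.

```go
package main

import (
	"context"
	"fmt"
	"maps"
	"sync"
	"time"
)

// tokenCache is a constructed stand-in for the SDK's in-memory token cache.
type tokenCache struct {
	mu     sync.Mutex
	expiry map[string]time.Time // function name (audience) -> token expiry
}

// valid reports a hit only for unexpired entries, even before GC removes them.
func (c *tokenCache) valid(key string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	return time.Now().Before(c.expiry[key]) // missing key: zero time, so a miss
}

// startGC blocks, deleting expired entries every interval until ctx is done.
func (c *tokenCache) startGC(ctx context.Context, interval time.Duration) {
	tick := time.NewTicker(interval)
	defer tick.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case now := <-tick.C:
			c.mu.Lock()
			maps.DeleteFunc(c.expiry, func(_ string, exp time.Time) bool { return !now.Before(exp) })
			c.mu.Unlock()
		}
	}
}

// runDemo returns the pre-GC lookup of an expired entry and the post-GC size.
func runDemo() (staleHit bool, left int) {
	c := &tokenCache{expiry: map[string]time.Time{"fn-a": time.Unix(0, 0), "fn-b": time.Now().Add(time.Hour)}}
	staleHit = c.valid("fn-a") // fn-a expired long ago: a miss although GC has not run yet
	ctx, cancel := context.WithCancel(context.Background())
	time.AfterFunc(200*time.Millisecond, cancel) // stands in for a shutdown signal
	c.startGC(ctx, 10*time.Millisecond)          // returns once cancel fires
	return staleHit, len(c.expiry)
}

func main() { fmt.Println(runDemo()) }
```

In a long-running client the startGC call would sit behind go, as in the snippet above, with cancel called on shutdown; it runs synchronously here only so that the result is deterministic.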

Allow the caller to construct and configure requests as required without
limitations imposed by the signature of InvokeFunction.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
Member

@alexellis alexellis left a comment

Approved

@alexellis alexellis merged commit 091053e into openfaas:master Jun 14, 2024
1 check passed
@welteki welteki deleted the function-auth branch June 14, 2024 08:30