8000 Require email_verified to be used when email is set as username via CEL by enj · Pull Request #123737 · kubernetes/kubernetes · GitHub
[go: up one dir, main page]
Skip to content

Require email_verified to be used when email is set as username via CEL #123737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 8, 2024
Merged

Require email_verified to be used when email is set as username via CEL #123737

merged 1 commit into from
Mar 8, 2024
+628 −32

Conversation

enj
Copy link
Member
@enj enj commented Mar 5, 2024
edited
Loading

/kind feature
/kind api-change
/assign liggitt aramase
/triage accepted
/milestone v1.30
/sig auth

Fixes #123675

When configuring a JWT authenticator:

If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
An example claim validation rule expression that matches the validation automatically
applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.

xref: #130875

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Mar 5, 2024
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Mar 5, 2024
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API triage/accepted Indicates an issue or PR is ready to be actively worked on. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Mar 5, 2024
@k8s-ci-robot k8s-ci-robot requested review from sttts and yujuhong March 5, 2024 23:31
@k8s-ci-robot k8s-ci-robot added area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 5, 2024
@k8s-triage-robot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

liggitt
liggitt reviewed Mar 6, 2024
View reviewed changes
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 7, 2024
aramase
aramase reviewed Mar 7, 2024
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
// Same as the --oidc-username-claim and --oidc-username-prefix flags.
// If username.expression is set, the expression must produce a string value.
// If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
// username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
Copy link
Member
@aramase aramase Mar 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add integrations tests using claims.email_verified in

  1. username.expression
  2. extra[*].valueExpression
  3. claimValidationRules[*].expression

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can though we can only cover the positive cases since the API server won't start on the negative cases.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel strongly about unit or integration tests as long as the unit tests actually exercise the functional evaluator

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #123825, will handle this in a follow-up due to limited time left in the release.

liggitt
liggitt reviewed Mar 8, 2024
View reviewed changes
Copy link
Member
@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one question on nil checks in the visitor, needs the doc update for v1beta1 @aramase noticed, lgtm otherwise

staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
return false
}

func usesEmailVerifiedClaim(ast *celgo.Ast) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll trust the unit tests and @jpbetz's review of the traversal logic / comparison with the CEL visitor for correctness.

My only comment all the way down the chain is that it's not obvious which of the fields can be nil, and where the visitor currently works but would panic if it got an AST that was valid but unexpected.

Two ways to resolve that:

  1. know for sure what can / can't be nil (now or in the future with any possible future AST changes)
  2. check everything that can be nil for nil explicitly

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added nil checks for everything.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
// Same as the --oidc-username-claim and --oidc-username-prefix flags.
// If username.expression is set, the expression must produce a string value.
// If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
// username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel strongly about unit or integration tests as long as the unit tests actually exercise the functional evaluator

@liggitt liggitt mentioned this pull request Mar 8, 2024
Merged
5 tasks
@enj enj mentioned this pull request Mar 8, 2024
Open
@enj enj force-pushed the enj/i/cel_email_verified branch from f6a102f to 121607e Compare March 8, 2024 17:59
aramase
aramase reviewed Mar 8, 2024
View reviewed changes
Copy link
Member
@aramase aramase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 5d10fb759700fcf75c98372c30ff0ea165a3c44d

@liggitt
Copy link
Member
liggitt commented Mar 8, 2024

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2024
@k8s-ci-robot k8s-ci-robot merged commit 9a160fa into kubernetes:master Mar 8, 2024
@enj enj mentioned this pull request Mar 11, 2024
Open
56 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@sttts sttts Awaiting requested review from sttts

@yujuhong yujuhong Awaiting requested review from yujuhong

+3 more reviewers

@TristonianJones TristonianJones TristonianJones left review comments

@jpbetz jpbetz jpbetz left review comments

@aramase aramase aramase left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@liggitt liggitt

@aramase aramase

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
[sig-release] Bug Triage
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.

Document email_verified check when CEL expression is used in authentication configuration
7 participants
@enj @k8s-triage-robot @k8s-ci-robot @liggitt @TristonianJones @jpbetz @aramase
0