Merge branch 'jkralik/feature/m2m-oauth-server-blacklist' into pm/api…

…-tokens-ui

Makefile

@@ -47,7 +47,7 @@ CERT_TOOL_SIGN_ALG ?= ECDSA-SHA256
 CERT_TOOL_ELLIPTIC_CURVE ?= P256
 CERT_TOOL_IMAGE = ghcr.io/plgd-dev/hub/cert-tool:vnext
 
-SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service test/oauth-server tools/cert-tool
+SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service m2m-oauth-server test/oauth-server tools/cert-tool
 .PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates hub-build http-gateway-www simulators
 
 default: build

certificate-authority/config.yaml

@@ -44,6 +44,9 @@ apis:
           keyFile: "/secrets/private/cert.key"
           certFile: "/secrets/public/cert.crt"
           useSystemCAPool: false
+      tokenTrustVerification:
+        enabled: true
+        cacheExpiration: 30s
   http:
     address: "0.0.0.0:9101"
     readTimeout: 8s
@@ -112,5 +115,3 @@ signer:
   certFile: "/secrets/public/intermediateca.crt"
   validFrom: "now-1h"
   expiresIn: "87600h"
-
-

certificate-authority/service/cleanDatabase_test.go

@@ -29,7 +29,7 @@ func TestCertificateAuthorityServerCleanUpSigningRecords(t *testing.T) {
 	cfg.Clients.Storage.CleanUpRecords = "*/1 * * * * *"
 	fmt.Printf("%v\n\n", test.MakeConfig(t))
 
-	shutDown := testService.SetUpServices(context.Background(), t, testService.SetUpServicesCertificateAuthority|testService.SetUpServicesOAuth, testService.WithCAConfig(cfg))
+	shutDown := testService.SetUpServices(context.Background(), t, testService.SetUpServicesCertificateAuthority|testService.SetUpServicesOAuth|testService.SetUpServicesMachine2MachineOAuth, testService.WithCAConfig(cfg))
 	defer shutDown()
 
 	storeDB, closeStore := test.NewStore(t)

charts/plgd-hub/templates/_helpers.tpl

@@ -220,6 +220,15 @@ tls:
         {{- include "plgd-hub.httpConfig" (list $ .http $certPath ) | indent 8 }}
     {{- end }}
     {{- end }}
+  tokenTrustVerification:
+    {{- $tokenTrustVerification := $authorization.tokenTrustVerification }}
+    {{- if not $tokenTrustVerification }}
+    {{- $tokenTrustVerification = $.Values.global.authorization.tokenTrustVerification }}
+    {{- end }}
+    enabled: {{ $tokenTrustVerification.enabled | default false }}
+    {{- if $tokenTrustVerification.enabled }}
+    cacheExpiration: {{ $tokenTrustVerification.cacheExpiration }}
+    {{- end }}
 {{- end }}
 
 {{- define "plgd-hub.authorizationConfig" }}

charts/plgd-hub/templates/certificate-authority/config.yaml

@@ -30,11 +30,11 @@ data:
           # 0s - means infinity
           maxConnectionIdle: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
           # 0s - means infinity
-          maxConnectionAge: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          maxConnectionAge: {{ .apis.grpc.keepAlive.maxConnectionAge }}
           # 0s - means infinity
           maxConnectionAgeGrace: {{ .apis.grpc.keepAlive.maxConnectionAgeGrace }}
-          time: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
-          timeout: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          time: {{ .apis.grpc.keepAlive.time }}
+          timeout: {{ .apis.grpc.keepAlive.timeout }}
         tls:
           {{- $tls := .apis.grpc.tls }}
           {{- include "plgd-hub.internalCertificateConfig" (list $ $tls $cert ) | indent 8 }}

charts/plgd-hub/templates/m2m-oauth-server/_helpers.tpl

@@ -17,7 +17,7 @@
 {{- end -}}
 
 {{- define "plgd-hub.m2moauthserver.createServiceCertByCm" }}
-    {{- $serviceTls := .Values.m2moauthserver.apis.http.tls.certFile }}
+    {{- $serviceTls := .Values.m2moauthserver.apis.grpc.tls.certFile }}
     {{- if $serviceTls }}
     {{- printf "" -}}
     {{- else }}
@@ -78,14 +78,6 @@ true
 {{- end }}
 {{- end }}
 
-{{- define "plgd-hub.m2moauthserver.clientServiceSecretEnabled" -}}
-{{- if or .Values.global.m2mOAuthServer.clientServiceSecret .Values.m2moauthserver.clientServiceSecret.enabled }}
-true
-{{- else }}
-{{- printf "" }}
-{{- end }}
-{{- end }}
-
 {{- define "plgd-hub.m2moauthserver.getPrivateKeyFile" -}}
 {{- $privateKeyFile := .Values.m2moauthserver.oauthSigner.privateKeyFile }}
 {{- if and (not $privateKeyFile) (include "plgd-hub.m2moauthserver.privateKeySecretEnabled" $) }}
@@ -94,15 +86,6 @@ true
 {{- printf "%s" $privateKeyFile }}
 {{- end -}}
 
-{{- define "plgd-hub.m2moauthserver.getClientServiceSecretFile" -}}
-{{- $file := "" }}
-{{- if include "plgd-hub.m2moauthserver.clientServiceSecretEnabled" $ }}
-{{- $file = printf "%s/%s" .Values.m2moauthserver.clientServiceSecret.mountPath .Values.m2moauthserver.clientServiceSecret.fileName }}
-{{- end }}
-{{- printf "%s" $file }}
-{{- end -}}
-
-
 {{- define "plgd-hub.m2moauthserver.enabled" -}}
 {{- if and .Values.m2moauthserver.enabled (include "plgd-hub.m2moauthserver.privateKeySecretEnabled" .) }}
 true

charts/plgd-hub/templates/m2m-oauth-server/config.yaml

@@ -1,5 +1,5 @@
 {{- if include "plgd-hub.m2moauthserver.enabled" . }}
-{{- $oauthServerCertPath := "/certs" }}
+{{- $cert := "/certs" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -17,16 +17,49 @@ data:
       encoderConfig:
         timeEncoder: {{ .log.encoderConfig.timeEncoder }}
     apis:
+      grpc:
+        address: {{  .apis.grpc.address | default (printf "0.0.0.0:%v" .port) | quote }}
+        sendMsgSize: {{ int64 .apis.grpc.sendMsgSize | default 4194304 }}
+        recvMsgSize: {{ int64 .apis.grpc.recvMsgSize | default 4194304 }}
+        enforcementPolicy:
+          minTime: {{ .apis.grpc.enforcementPolicy.minTime }}
+          permitWithoutStream: {{ .apis.grpc.enforcementPolicy.permitWithoutStream }}
+        keepAlive:
+          # 0s - means infinity
+          maxConnectionIdle: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          # 0s - means infinity
+          maxConnectionAge: {{ .apis.grpc.keepAlive.maxConnectionAge }}
+          # 0s - means infinity
+          maxConnectionAgeGrace: {{ .apis.grpc.keepAlive.maxConnectionAgeGrace }}
+          time: {{ .apis.grpc.keepAlive.time }}
+          timeout: {{ .apis.grpc.keepAlive.timeout }}
+        tls:
+          {{- $tls := .apis.grpc.tls }}
+          {{- include "plgd-hub.internalCertificateConfig" (list $ $tls $cert ) | indent 8 }}
+          clientCertificateRequired: {{ .apis.grpc.tls.clientCertificateRequired }}
+        authorization:
+          {{- $authorization := .apis.grpc.authorization }}
+          {{- include "plgd-hub.authorizationConfig" (list $ $authorization "m2moauthserver.apis.grpc.authorization" $cert ) | indent 8 }}
       http:
-        address: {{  .apis.http.address | default (printf "0.0.0.0:%v" .port) | quote }}
+        address: {{ .apis.http.address | default (printf "0.0.0.0:%v" .httpPort) | quote }}
         readTimeout: {{ .apis.http.readTimeout }}
         readHeaderTimeout: {{ .apis.http.readHeaderTimeout }}
         writeTimeout: {{ .apis.http.writeTimeout }}
         idleTimeout: {{ .apis.http.idleTimeout }}
-        tls:
-          {{- $tls := .apis.http.tls }}
-          {{- include "plgd-hub.internalCertificateConfig" (list $ $tls $oauthServerCertPath ) | indent 8 }}
-          clientCertificateRequired: {{ .apis.http.tls.clientCertificateRequired }}
+    clients:
+      storage:
+        cleanUpDeletedTokens: {{ .clients.storage.cleanUpDeletedTokens | quote }}
+        use: {{ include "plgd-hub.useDatabase" (list $ . .clients.storage.use)  | quote }}
+        mongoDB:
+          uri: {{ include "plgd-hub.mongoDBUri" (list $ .clients.storage.mongoDB.uri )  | quote }}
+          database: {{ .clients.storage.mongoDB.database }}
+          maxPoolSize: {{ .clients.storage.mongoDB.maxPoolSize }}
+          maxConnIdleTime: {{ .clients.storage.mongoDB.maxConnIdleTime }}
+          tls:
+            {{- $mongoDbTls := .clients.storage.mongoDB.tls }}
+            {{- include "plgd-hub.internalCertificateConfig" (list $ $mongoDbTls $cert ) | indent 10 }}
+            useSystemCAPool: {{ .clients.storage.mongoDB.tls.useSystemCAPool }}
+      {{- include "plgd-hub.openTelemetryExporterConfig" (list $ $cert ) | nindent 6 }}
     oauthSigner:
       privateKeyFile: {{ include "plgd-hub.m2moauthserver.getPrivateKeyFile" $ }}
       domain: {{ include "plgd-hub.m2moauthserver.ingressDomain" $ }}
@@ -69,7 +102,7 @@ data:
           jwtPrivateKey:
             enabled: {{ .jwtPrivateKey.enabled }}
             authorization:
-              {{- $authorization := include "plgd-hub.basicAuthorizationConfig" (list $ .jwtPrivateKey.authorization (printf "m2moauthserver.oauthSigner.clients[%v].jwtPrivateKey.authorization" $idx) $oauthServerCertPath) | fromYaml }}
+              {{- $authorization := include "plgd-hub.basicAuthorizationConfig" (list $ .jwtPrivateKey.authorization (printf "m2moauthserver.oauthSigner.clients[%v].jwtPrivateKey.authorization" $idx) $cert) | fromYaml }}
               {{- if $authorization.audience }}
               audience: {{ $authorization.audience | quote }}
               {{- end }}
@@ -80,11 +113,11 @@ data:
                   http: {{- .http | toYaml | nindent 20 }}
               {{- end }}
               {{- end }}
+              tokenTrustVerification:
+                enabled: false
           {{- end }}
           {{- end }}
         {{- end }}
         {{- end }}
-    clients:
-      {{- include "plgd-hub.openTelemetryExporterConfig" (list $ $oauthServerCertPath) | nindent 6 }}
 {{- end }}
 {{- end }}

charts/plgd-hub/templates/m2m-oauth-server/deployment.yaml

@@ -56,9 +56,12 @@ spec:
             - "--config"
             - {{  printf "%s/%s" .Values.m2moauthserver.config.mountPath .Values.m2moauthserver.config.fileName | quote }}
           ports:
-            - name: http
+            - name: grpc
               containerPort: {{ .Values.m2moauthserver.port }}
               protocol: TCP
+            - name: http
+              containerPort: {{ .Values.m2moauthserver.httpPort }}
+              protocol: TCP  
           {{- with .Values.m2moauthserver.livenessProbe }}
           livenessProbe:
           {{- toYaml . | nindent 12 }}
@@ -78,6 +81,7 @@ spec:
             - name: service-crt
               mountPath: {{ $rdServiceCert }}
             {{- end }}
+            {{- include "plgd-hub.extraCAPoolMount" (list . .Values.extraCAPool.authorization) | nindent 12 }}
             {{- include "plgd-hub.extraCAPoolMount" (list . .Values.extraCAPool.internal) | nindent 12 }}
             {{- with .Values.m2moauthserver.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
@@ -87,22 +91,12 @@ spec:
               mountPath: {{ .Values.m2moauthserver.privateKey.mountPath }}
               readOnly: true
             {{- end }}
-            {{- if include "plgd-hub.m2moauthserver.clientServiceSecretEnabled" $ }}
-            - name: {{ .Values.m2moauthserver.clientServiceSecret.volume }}
-              mountPath: {{ .Values.m2moauthserver.clientServiceSecret.mountPath }}
-              readOnly: true
-            {{- end }}
       volumes:
         {{- if include "plgd-hub.m2moauthserver.privateKeySecretEnabled" $ }}
         - name: {{ .Values.m2moauthserver.privateKey.volume }}
           secret:
             secretName: {{ .Values.m2moauthserver.privateKey.secretName }}
         {{- end }}
-        {{- if include "plgd-hub.m2moauthserver.clientServiceSecretEnabled" $ }}
-        - name: {{ .Values.m2moauthserver.clientServiceSecret.volume }}
-          secret:
-            secretName: {{ .Values.m2moauthserver.clientServiceSecret.secretName }}
-        {{- end }}
         - name: {{ .Values.m2moauthserver.config.volume }}
           configMap:
             name: {{ include "plgd-hub.m2moauthserver.configName" . }}
@@ -111,6 +105,7 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.m2moauthserver.serviceCertName" . }}
         {{- end }}
+        {{- include "plgd-hub.extraCAPoolVolume" (list . .Values.extraCAPool.authorization) | nindent 8 }}
         {{- include "plgd-hub.extraCAPoolVolume" (list . .Values.extraCAPool.internal) | nindent 8 }}
         {{- with .Values.m2moauthserver.extraVolumes }}
         {{- toYaml . | nindent 8 }}

charts/plgd-hub/templates/m2m-oauth-server/grpc-ingress.yaml

@@ -0,0 +1,40 @@
+{{- if and (include "plgd-hub.m2moauthserver.enabled" .) .Values.m2moauthserver.ingress.grpc.enabled }}
+{{- $fullname := include "plgd-hub.m2moauthserver.fullname" . }}
+{{- $port := .Values.m2moauthserver.port }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullname }}-grpc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "plgd-hub.labels" . | nindent 4 }}
+  annotations:
+    {{- if .Values.m2moauthserver.ingress.grpc.annotations }}
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.grpc.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.m2moauthserver.ingress.grpc.customAnnotations }}
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.grpc.customAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  tls:
+    - hosts:
+        - {{ include "plgd-hub.m2moauthserver.ingressDomain"  . | quote }}
+      {{- if $.Values.global.enableWildCartCert }}
+      secretName: {{ include "plgd-hub.wildCardCertName" . | quote }}
+      {{- else }}
+      secretName: {{ include "plgd-hub.m2moauthserver.domainCertName" . | quote }}
+      {{- end }}
+  rules:
+  - host: {{ include "plgd-hub.m2moauthserver.ingressDomain"  . | quote }}
+    http:
+      paths:
+      {{- range  .Values.m2moauthserver.ingress.grpc.paths }}
+        - path: {{ . }}
+          pathType: Prefix
+          backend:
+            service:
+              name: {{ $fullname }}-grpc
+              port:
+                number: {{ $port }}
+      {{- end }}
+{{- end }}

charts/plgd-hub/templates/m2m-oauth-server/grpc-service.yaml

@@ -0,0 +1,25 @@
+{{- if and (include "plgd-hub.m2moauthserver.enabled" .) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "plgd-hub.m2moauthserver.fullname" . }}-grpc
+  namespace: {{ .Release.Namespace }}  
+  labels:
+    {{- include "plgd-hub.labels" . | nindent 4 }}
+    {{- with .Values.m2moauthserver.service.grpc.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  {{- if .Values.m2moauthserver.service.grpc.annotations }}
+  annotations:
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.service.grpc.annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.m2moauthserver.service.grpc.type | default "ClusterIP" }}
+  ports:
+    - port: {{ .Values.m2moauthserver.port }}
+      targetPort: {{ .Values.m2moauthserver.service.grpc.targetPort }}
+      protocol: {{ .Values.m2moauthserver.service.grpc.protocol }}
+      name: {{ .Values.m2moauthserver.service.grpc.name }}
+  selector:
+  {{- include "plgd-hub.m2moauthserver.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/plgd-hub/templates/m2m-oauth-server/ingress.yaml → charts/plgd-hub/templates/m2m-oauth-server/http-ingress.yaml

@@ -1,6 +1,6 @@
-{{- if and (include "plgd-hub.m2moauthserver.enabled" .) .Values.m2moauthserver.ingress.enabled }}
+{{- if and (include "plgd-hub.m2moauthserver.enabled" .) .Values.m2moauthserver.ingress.http.enabled }}
 {{- $fullname := include "plgd-hub.m2moauthserver.fullname" . }}
-{{- $port := .Values.m2moauthserver.port }}
+{{- $port := .Values.m2moauthserver.httpPort }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -9,11 +9,11 @@ metadata:
   labels:
     {{- include "plgd-hub.labels" . | nindent 4 }}
   annotations:
-    {{- if .Values.m2moauthserver.ingress.annotations }}
-    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.annotations "context" $ ) | nindent 4 }}
+    {{- if .Values.m2moauthserver.ingress.http.annotations }}
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.http.annotations "context" $ ) | nindent 4 }}
     {{- end }}
-    {{- if .Values.m2moauthserver.ingress.customAnnotations }}
-    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.customAnnotations "context" $ ) | nindent 4 }}
+    {{- if .Values.m2moauthserver.ingress.http.customAnnotations }}
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.ingress.http.customAnnotations "context" $ ) | nindent 4 }}
     {{- end }}
 spec:
   tls:
@@ -28,7 +28,7 @@ spec:
   - host: {{ include "plgd-hub.m2moauthserver.ingressDomain" . | quote }}
     http:
       paths:
-      {{- range  .Values.m2moauthserver.ingress.paths }}
+      {{- range  .Values.m2moauthserver.ingress.http.paths }}
       - path: {{ . }}
         pathType: Prefix
         backend:

charts/plgd-hub/templates/m2m-oauth-server/http-service.yaml

@@ -0,0 +1,25 @@
+{{- if include "plgd-hub.m2moauthserver.enabled" . -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "plgd-hub.m2moauthserver.fullname" . }}
+  namespace: {{ .Release.Namespace }}  
+  labels:
+    {{- include "plgd-hub.labels" . | nindent 4 }}
+    {{- with .Values.m2moauthserver.service.http.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  {{- if .Values.m2moauthserver.service.http.annotations }}
+  annotations:
+    {{- include "plgd-hub.tplvalues.render" ( dict "value" .Values.m2moauthserver.service.http.annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.m2moauthserver.service.http.type | default "ClusterIP" }}
+  ports:
+    - port: {{ .Values.m2moauthserver.httpPort }}
+      targetPort: {{ .Values.m2moauthserver.service.http.targetPort }}
+      protocol: {{ .Values.m2moauthserver.service.http.protocol }}
+      name: {{ .Values.m2moauthserver.service.http.name }}
+  selector:
+  {{- include "plgd-hub.m2moauthserver.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/plgd-hub/templates/m2m-oauth-server/service-crt.yaml

@@ -27,8 +27,11 @@ spec:
   dnsNames:
     - {{ printf "%s.%s.svc.%s" $serviceDns .Release.Namespace .Values.cluster.dns | quote }}
     - {{ $serviceDns | quote }}
-    {{- if .Values.m2moauthserver.service.crt.extraDnsNames }}
-    {{- toYaml .Values.m2moauthserver.service.crt.extraDnsNames | nindent 4 }}
+    {{- if .Values.m2moauthserver.service.grpc.crt.extraDnsNames }}
+    {{- toYaml .Values.m2moauthserver.service.grpc.crt.extraDnsNames | nindent 4 }}
+    {{- end }}
+    {{- if .Values.m2moauthserver.service.http.crt.extraDnsNames }}
+    {{- toYaml .Values.m2moauthserver.service.http.crt.extraDnsNames | nindent 4 }}
     {{- end }}
   duration: {{ .Values.certmanager.internal.cert.duration | default .Values.certmanager.default.cert.duration }}
   renewBefore: {{ .Values.certmanager.internal.cert.renewBefore | default .Values.certmanager.default.cert.renewBefore }}