Merge pull request #17 from Conjur-Enterprise/pr50

CNJR-0000: Add jwt authentication strategy

Author: szh

Diff for: CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [0.1.3] - 2025-02-24
+
+### Added
+- Add support for authn-jwt
+  [cyberark/conjur-api-python#50](https://github.com/cyberark/conjur-api-python/pull/50)
+
 ## [0.1.2] - 2024-08-01
 
 ### Security

Diff for: README.md

@@ -114,12 +114,14 @@ We provide the `AuthnAuthenticationStrategy` for the default Conjur authenticato
 authn_provider = AuthnAuthenticationStrategy(credentials_provider)
 ```
 
-We also provide the `LdapAuthenticationStrategy` for the ldap authenticator, and `OidcAuthenticationStrategy` for the OIDC authenticator.
+We also provide the `LdapAuthenticationStrategy`, `OidcAuthenticationStrategy`, and `JWTAuthenticationStrategy` for the
+ldap, oidc, and jwt authenticators respectively.
 Example use:
 
 ```python
 authn_provider = LdapAuthenticationStrategy(credentials_provider)
 authn_provider = OidcAuthenticationStrategy(credentials_provider)
+jwt_provider = JWTAuthenticationStrategy(token)
 ```
 
 When using these strategies, make sure `connection_info` has a `service_id` specified.

Diff for: ci/test/Dockerfile.test

@@ -1,4 +1,4 @@
-FROM ubuntu:23.04
+FROM ubuntu:24.04
 ENV INSTALL_DIR=/opt/conjur-api-python
 ENV DEBIAN_FRONTEND=noninteractive
 

Diff for: ci/test/conjur-deployment/configuration/initial_policy.yml

@@ -4,6 +4,11 @@
 - !user test-valid-user
 - !user test-invalid-user
 
+- !host
+  id: [email protected]
+  annotations:
+    authn-jwt/test-service/sub: test-workload
+
 - !policy
   id: conjur
   body: []
@@ -58,6 +63,26 @@
     privilege: [ read, authenticate ]
     resource: !webservice
 
+- !policy
+  id: conjur/authn-jwt/test-service
+  body:
+  - !webservice
+
+  - !webservice
+    id: status
+
+  - !variable jwks-uri
+  - !variable token-app-property
+  - !variable issuer
+  - !variable audience
+
+  - !group users
+
+  - !permit
+    role: !group users
+    privilege: [ read, authenticate ]
+    resource: !webservice
+
 - !grant
   role: !group conjur/authn-ldap/test-service/users
   member: !user alice
@@ -66,6 +91,10 @@
   role: !group conjur/authn-oidc/test-service/users
   member: !user john.williams
 
+- !grant
+  role: !group conjur/authn-jwt/test-service/users
+  member: !host [email protected]
+
 - !permit
   role: !user alice
   privileges: [ read ]

Diff for: ci/test/conjur-deployment/ubuntu_compose.yml

@@ -35,7 +35,7 @@ services:
       CONJUR_ACCOUNT: dev
       DATABASE_URL: postgres://postgres@pg/postgres
       RAILS_ENV: development
-      CONJUR_AUTHENTICATORS: authn-ldap/test-service,authn-oidc/test-service,authn
+      CONJUR_AUTHENTICATORS: authn-ldap/test-service,authn-oidc/test-service,authn-jwt/test-service,authn
       LDAP_URI: ldap://ldap-server:389
       LDAP_BASE: dc=conjur,dc=net
       LDAP_BINDDN: cn=admin,dc=conjur,dc=net
@@ -50,6 +50,7 @@ services:
       - pg
       - ldap-server
       - oidc-server
+      - jwt-server
 
   conjur-https:
     image: nginx:alpine
@@ -108,6 +109,19 @@ services:
       - "9443:443"
     volumes:
       - ${PWD}/ci/test/conjur-deployment/configuration/oidc:/oidc:ro
+  
+  jwt-server:
+    build:
+      context: ./mock-jwt-server
+      dockerfile: Dockerfile
+    ports:
+      - 8008:8080
+    environment:
+      ISSUER: "jwt-server"
+      AUDIENCE: "conjur"
+      SUBJECT: "test-workload"
+      EMAIL: "[email protected]"
+      EXTERNAL_PORT: "8008"
 
   test:
     privileged: true

Diff for: ci/test/test_integration

@@ -36,6 +36,12 @@ cleanup
 
 export REGISTRY_URL=${INFRAPOOL_REGISTRY_URL:-"docker.io"}
 
+# Ensure we are in repo root
+cd "$(git rev-parse --show-toplevel)"
+# Clone mock-jwt-server dependency
+rm -rf mock-jwt-server
+git clone https://github.com/gl-johnson/mock-jwt-server.git || true
+
 echo "Building API container..."
 docker_compose_command build test
 

Diff for: conjur_api/http/endpoints.py

@@ -19,6 +19,7 @@ class ConjurEndpoint(Enum):
     AUTHENTICATE = "{url}/authn/{account}/{login}/authenticate"
     AUTHENTICATE_LDAP = "{url}/authn-ldap/{service_id}/{account}/{login}/authenticate"
     AUTHENTICATE_OIDC = "{url}/authn-oidc/{service_id}/{account}/authenticate"
+    AUTHENTICATE_JWT = "{url}/authn-jwt/{service_id}/{account}/authenticate"
     # deepcode ignore NoHardcodedCredentials: False positive - this is a URL, not a credential
     LOGIN = "{url}/authn/{account}/login"
     LOGIN_LDAP = "{url}/authn-ldap/{service_id}/{account}/login"

Diff for: conjur_api/providers/__init__.py

@@ -7,3 +7,4 @@
 from conjur_api.providers.authn_authentication_strategy import AuthnAuthenticationStrategy
 from conjur_api.providers.ldap_authentication_strategy import LdapAuthenticationStrategy
 from conjur_api.providers.oidc_authentication_strategy import OidcAuthenticationStrategy
+from conjur_api.providers.jwt_authentication_strategy import JWTAuthenticationStrategy

Diff for: conjur_api/providers/jwt_authentication_strategy.py

@@ -0,0 +1,95 @@
+# -*- coding: utf-8 -*-
+"""
+JWTAuthenticationStrategy module
+
+This module holds the JWTAuthenticationStrategy class
+"""
+
+import base64
+import json
+import logging
+from datetime import datetime, timedelta
+from typing import Tuple
+
+from conjur_api.errors.errors import MissingRequiredParameterException
+from conjur_api.http.endpoints import ConjurEndpoint
+from conjur_api.interface import AuthenticationStrategyInterface
+from conjur_api.models.general.conjur_connection_info import \
+    ConjurConnectionInfo
+from conjur_api.models.ssl.ssl_verification_metadata import \
+    SslVerificationMetadata
+from conjur_api.wrappers.http_wrapper import HttpVerb, invoke_endpoint
+
+# Tokens should only be reused for 5 minutes (max lifetime is 8 minutes)
+DEFAULT_TOKEN_EXPIRATION = 8
+API_TOKEN_SAFETY_BUFFER = 3
+DEFAULT_API_TOKEN_DURATION = DEFAULT_TOKEN_EXPIRATION - API_TOKEN_SAFETY_BUFFER
+
+class JWTAuthenticationStrategy(AuthenticationStrategyInterface):
+    """
+    JWTAuthenticationStrategy
+
+    This class makes an HTTP POST request to authenticate and retrieve a token.
+    """
+
+    def __init__(self, jwt_token: str):
+        """
+        Initializes the JWTAuthenticationStrategy with a JWT token.
+
+        :param jwt_token: The JWT token to authenticate with
+        """
+        self.jwt_token = jwt_token  # Store JWT token in the class
+
+    async def authenticate(
+        self,
+        connection_info: ConjurConnectionInfo,
+        ssl_verification_data: SslVerificationMetadata,
+    ) -> Tuple[str, datetime]:
+        """
+        Authenticate method makes a POST request to the authentication endpoint,
+        retrieves a token, and calculates the token expiration.
+        """
+        logging.debug("Authenticating to %s...", connection_info.conjur_url)
+
+        api_token = await self._send_authenticate_request(ssl_verification_data, connection_info)
+
+        return api_token, self._calculate_token_expiration(api_token)
+
+    async def _send_authenticate_request(self, ssl_verification_data, connection_info):
+        self._validate_service_id_exists(connection_info)
+
+        params = {
+            'url': connection_info.conjur_url,
+            'service_id': connection_info.service_id,
+            'account': connection_info.conjur_account,
+        }
+        data = f"jwt={self.jwt_token}"
+
+        response = await invoke_endpoint(
+            HttpVerb.POST,
+            ConjurEndpoint.AUTHENTICATE_JWT,
+            params,
+            data,
+            ssl_verification_metadata=ssl_verification_data,
+            proxy_params=connection_info.proxy_params)
+        return response.text
+
+    def _validate_service_id_exists(self, connection_info: ConjurConnectionInfo):
+        if not connection_info.service_id:
+            raise MissingRequiredParameterException("service_id is required for authn-jwt")
+
+    @staticmethod
+    # pylint: disable=bare-except
+    def _calculate_token_expiration(api_token: str) -> datetime:
+        """
+        Calculate the expiration of the token by decoding the payload and extracting 'exp'.
+        """
+        try:
+            # The token is in JSON format. Each field in the token is base64 encoded.
+            # Decode the payload field and extract the expiration date.
+            decoded_token_payload = base64.b64decode(json.loads(api_token)['payload'].encode('ascii'))
+            token_expiration = json.loads(decoded_token_payload)['exp']
+            return datetime.fromtimestamp(token_expiration) - timedelta(minutes=API_TOKEN_SAFETY_BUFFER)
+        except:
+            # If we can't extract the expiration from the token, fall back to the default expiration
+            return datetime.now() + timedelta(minutes=DEFAULT_API_TOKEN_DURATION)

Diff for: tests/authentication_strategy/test_unit_jwt_authentication_provider.py

@@ -0,0 +1,20 @@
+from aiounittest import AsyncTestCase
+
+from conjur_api.errors.errors import MissingRequiredParameterException
+from conjur_api.models.general.conjur_connection_info import ConjurConnectionInfo
+from conjur_api.models.general.credentials_data import CredentialsData
+from conjur_api.providers import JWTAuthenticationStrategy
+
+class JWTAuthenticationStrategyTest(AsyncTestCase):
+
+    async def test_missing_serviceid(self):
+        conjur_url = "https://conjur.example.com"
+        connection_info = ConjurConnectionInfo(conjur_url, "some_account")
+
+        jwt_token = "eyJhb..."
+
+        provider = JWTAuthenticationStrategy(jwt_token)
+        with self.assertRaises(MissingRequiredParameterException) as context:
+            await provider.authenticate(connection_info, None)
+
+        self.assertRegex(context.exception.message, "service_id is required")

Diff for: tests/integration/integ_utils.py

@@ -6,6 +6,7 @@
 from conjur_api.models.general.conjur_connection_info import ConjurConnectionInfo
 from conjur_api.providers import SimpleCredentialsProvider, AuthnAuthenticationStrategy, LdapAuthenticationStrategy
 from conjur_api.providers.oidc_authentication_strategy import OidcAuthenticationStrategy
+from conjur_api.providers.jwt_authentication_strategy import JWTAuthenticationStrategy
 
 
 class ConjurUser:
@@ -18,6 +19,7 @@ class AuthenticationStrategyType(Enum):
     AUTHN = 'AUTHN'
     LDAP = 'LDAP'
     OIDC = 'OIDC'
+    JWT  = 'JWT'
 
 
 async def create_client(username: str, password: str,
@@ -37,6 +39,8 @@ async def create_client(username: str, password: str,
     authn_strategy: AuthenticationStrategyInterface
     if authn_strategy_type == AuthenticationStrategyType.OIDC:
         authn_strategy = OidcAuthenticationStrategy(credentials_provider)
+    elif authn_strategy_type == AuthenticationStrategyType.JWT:
+        authn_strategy = JWTAuthenticationStrategy(password) # password is the JWT token
     elif authn_strategy_type == AuthenticationStrategyType.LDAP:
         authn_strategy = LdapAuthenticationStrategy(credentials_provider)
     else:

Diff for: tests/integration/test_integration_jwt_authentication.py

@@ -0,0 +1,48 @@
+import asyncio
+import os
+
+import requests
+from aiounittest import AsyncTestCase
+from requests.auth import HTTPBasicAuth
+
+from conjur_api.errors.errors import HttpStatusError
+from tests.integration.integ_utils import (AuthenticationStrategyType,
+                                           ConjurUser, create_client)
+
+
+class TestJWTAuthentication(AsyncTestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        asyncio.run(cls._add_test_data())
+
+    async def test_jwt_authentication_success(self):
+        c = await create_client("", self.valid_jwt, AuthenticationStrategyType.JWT,
+                                service_id='test-service')
+
+        response = await c.whoami()
+        self.assertTrue(response['username'] == 'host/[email protected]')
+
+    async def test_jwt_authentication_failure_invalid_token(self):
+        c = await create_client("", self.invalid_jwt, AuthenticationStrategyType.JWT,
+                                service_id='test-service')
+
+        with self.assertRaises(HttpStatusError) as context:
+            response = await c.whoami()
+        self.assertEqual(context.exception.status, 401)
+
+    @classmethod
+    async def _add_test_data(cls):
+        c = await create_client("admin", os.environ['CONJUR_AUTHN_API_KEY'])
+        await c.set('conjur/authn-jwt/test-service/jwks-uri', 'http://jwt-server:8080/.well-known/jwks.json')
+        await c.set('conjur/authn-jwt/test-service/token-app-property', 'email')
+        await c.set('conjur/authn-jwt/test-service/audience', 'conjur')
+        await c.set('conjur/authn-jwt/test-service/issuer', 'jwt-server')
+
+        url = 'http://jwt-server:8080/token'
+
+        # file deepcode ignore SSLVerificationBypass/test: This is a test file and we are using a local server
+        x = requests.get(url, verify=False)
+
+        cls.valid_jwt = x.json()['token']
+        cls.invalid_jwt = 'invalid_token'