
JWT auth: Load public key on Trino coordinator

Open rohank07 opened this issue 3 years ago • 3 comments

https://trino.io/docs/current/security/jwt.html

Use the http-server.authentication.jwt.key-file property to specify either:

The URL to a JWKS endpoint service, where the URL begins with https://. The JWKS service must be reachable from the coordinator. If the coordinator is running in a secured or firewalled network, the administrator may have to open access to the JWKS server host.

The path to a local file in PEM or HMAC format that contains a single key. If the file path contains $KEYID, then Trino interpolates the keyid from the JWT into the file path before loading this key. This enables support for setups with multiple keys.

rohank07 avatar Aug 18 '22 19:08 rohank07

Attempted to check if the injected ca.crt was the one that can be used to validate the token:

import jwt
import base64
from cryptography.x509 import load_pem_x509_certificate

# Get injected cert (read as bytes, which is what the PEM loader expects)
with open('/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', 'rb') as file:
    cert = file.read()
print(cert)

# Extract the public key
cert_obj = load_pem_x509_certificate(cert)
public_key = cert_obj.public_key()
print(public_key)

# Extract injected namespace jwt token (strip a trailing newline, if any)
with open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') as file:
    token = file.read().strip()
print(token)

# Split token into the 3 components, check header for the signing algorithm.
# JWT segments are base64url without '=' padding, so restore the padding first.
parts = token.split('.')
header = base64.urlsafe_b64decode(parts[0] + '=' * (-len(parts[0]) % 4))
print(header)

# Print off payload for validation (second segment, not the header again)
payload = base64.urlsafe_b64decode(parts[1] + '=' * (-len(parts[1]) % 4))
print(payload)

# Decode with public key; `algorithms` must be a list, and PyJWT 2.x verifies
# the signature by default (the old verify= keyword is deprecated)
decoded = jwt.decode(token, public_key, algorithms=['RS256'])
print('[*] Decoded: ', decoded)

Result: InvalidSignatureError: Signature verification failed

I also tested the other certs that are injected into each pod: kube-root-ca, istio-ca-root, they didn't work either.

vexingly avatar Aug 19 '22 15:08 vexingly

When checking the header you can see the kid value: b'{"alg":"RS256","kid":"sWN5lb_wzeMiVAMuxo0hcho6cJ_7jNIfJalThkYY_hU"}'

This is a fingerprint of the signing key, which can be used to find the correct cert.

You can view the signing keys for the statcan azure tenant via: https://login.microsoftonline.com/258f1f99-ee3d-42c7-bfc5-7af1b2343e02/discovery/keys

None of these kids match though, so it doesn't seem these are the correct keys.

Can we hit the JWKS endpoint for the cluster from anywhere or find it in the azure portal?

vexingly avatar Aug 19 '22 15:08 vexingly
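As an added example (not code from this issue or from Trino), here is a stdlib-only sketch of what a JWT library does behind the `InvalidSignatureError` seen above: read `kid` from the header, select the JWKS entry with that exact `kid` (failing loudly when none matches, the situation described in the comment above), and verify the RS256 signature with the selected key. The key pair, the JWKS and the `kid` derivation (an RFC 7638 thumbprint) are constructed for the demo; a real issuer may compute `kid` differently, which is why the lookup compares the literal `kid` value instead of recomputing it.

```python
import base64, hashlib, json

# Toy RSA key built from two public Mersenne primes (2^521-1, 2^607-1): obviously not
# secret, used only so this block signs and verifies offline. Real keys: 2048+ bits.
P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):  # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def public_jwk():
    jwk = {"e": b64u(E.to_bytes(3, "big")), "kty": "RSA", "n": b64u(N.to_bytes((N.bit_length() + 7) // 8, "big"))}
    # kid as the RFC 7638 thumbprint of the key (assumption; issuers may derive kid differently)
    jwk["kid"] = b64u(hashlib.sha256(json.dumps(jwk, separators=(",", ":")).encode()).digest())
    return jwk

def pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding with SHA-256
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(claims, kid):
    k = (N.bit_length() + 7) // 8
    head = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(pkcs1_v15(f"{head}.{body}".encode(), k), "big"), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(k, 'big'))}"

def verify_rs256(token, jwks):
    head, body, sig = token.split(".")
    hdr = json.loads(b64u_dec(head))
    if hdr.get("alg") != "RS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == hdr.get("kid")), None)
    if key is None:  # the "none of these kids match" situation from the thread
        raise LookupError(f"no JWKS key with kid {hdr.get('kid')!r}")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(b64u_dec(sig), "big")
    if s >= n or pow(s, e, n).to_bytes(k, "big") != pkcs1_v15(f"{head}.{body}".encode(), k):
        return None  # bad signature: what the issue's InvalidSignatureError reports
    return json.loads(b64u_dec(body))
```

Verifying the cluster token against `ca.crt` fails in exactly the last branch: the certificate's key is not the JWKS entry whose `kid` the header names, so the recovered padding block never matches.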

We have not been able to locate the sa.pub key to validate the tokens against yet, seeing as azure doesn't allow access to the master kube api server where it is located and we can't access the jwks endpoint.

Working with CNS to see if they can help with this in https://jirab.statcan.ca/browse/CLOUD-14138

On a side note, we have determined that the ca.crt that is packaged with the token is there to be used to validate the sa.pub key and/or jwks endpoint, so that we know we're using the correct validation key!

vexingly avatar Aug 31 '22 14:08 vexingly

Closing. Use password-auth for initial deployment and then use jwt auth once cluster upgraded to v1.22

rohank07 avatar Sep 06 '22 20:09 rohank07