fix: correct Heimdall principal claims pattern for client IDs

emsearcy · emsearcy · commit 61babc433963 · 2025-12-18T14:52:39.000-08:00
Change the client ID pattern from 'clients@{client_id}' to '{client_id}@Clients' to match the Auth0 convention used in the platform. - Updated JWT generation script to use correct suffix removal - Fixed Python JWT generator to handle @Clients suffix - Updated all YAML playbooks with corrected principal patterns Related: LFXV2-922 🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via Zed) Signed-off-by: Eric Searcy <eric@linuxfoundation.org>
diff --git a/playbooks/committees/base_committees/buf_committees.yaml b/playbooks/committees/base_committees/buf_committees.yaml
@@ -14,7 +14,7 @@ buf_committees:
     url: {{ environ.COMMITTEES_URL | default("http://lfx-v2-committee-service.lfx.svc.cluster.local:8080/committees") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=m2m_helper@clients
   steps:
     - json:
         name: Governing Board
@@ -60,7 +60,7 @@ buf_board_members:
     url: !sub "{{ environ.COMMITTEES_URL | default('http://lfx-v2-committee-service.lfx.svc.cluster.local:8080/committees') }}/${ buf_committees.steps[?json.name == 'Governing Board']._response.uid | [0] }/members?v=1"
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=m2m_helper@clients
   steps:
     {% for i in range(8) %}
     - json:
diff --git a/playbooks/projects/base_projects/1_tlf.yaml b/playbooks/projects/base_projects/1_tlf.yaml
@@ -7,7 +7,7 @@ base_projects:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
   steps:
     - json:
         slug: tlf
diff --git a/playbooks/projects/base_projects/2_incorporated.yaml b/playbooks/projects/base_projects/2_incorporated.yaml
@@ -10,7 +10,7 @@ extra_incorporated:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
   steps:
     {% for outer in range(12) %}
     {% set project_name = fake.catch_phrase().title() %}
diff --git a/playbooks/projects/base_projects/3_umbrellas.yaml b/playbooks/projects/base_projects/3_umbrellas.yaml
@@ -7,7 +7,7 @@ sample_umbrella_buf:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
   steps:
     - json:
         slug: buf
@@ -49,7 +49,7 @@ sample_umbrella_iubp:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
   steps:
     - json:
         slug: industry-umbrella-branded-projects-iubp
diff --git a/playbooks/projects/extra_projects/n_depth.yaml b/playbooks/projects/extra_projects/n_depth.yaml
@@ -15,7 +15,7 @@ n_depth:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
   steps:
     {% set project_name = fake.catch_phrase().title() %}
     - json:
diff --git a/playbooks/projects/root_project_access/global_groups.yaml b/playbooks/projects/root_project_access/global_groups.yaml
@@ -29,7 +29,7 @@ global_groups:
               object: "team:project_super_admins"
             # A M2M principal from lfx-v2-helm's values.yaml
             # (authelia.authelia_client_generation.clients).
-            - user: "user:clients@lfx_m2m"
+            - user: "user:lfx_m2m@clients"
               relation: member
               object: "team:project_super_admins"
             # Attach the global group with the above members to the ROOT
diff --git a/playbooks/v1_meetings/umbrella_board_meeting/board_meeting.yaml b/playbooks/v1_meetings/umbrella_board_meeting/board_meeting.yaml
@@ -36,7 +36,7 @@ buf_board_meeting_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           {% set meeting_id = fake.pyint(min_value=10000000000, max_value=99999999999) %}
           {# Calculate initial meeting time based on `total_past_meetings`. #}
@@ -162,7 +162,7 @@ buf_board_meeting_committee_participants_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # Renamed from `registrant_id` in v1.
           id: "{{ fake.uuid4() }}"
@@ -256,7 +256,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # Renamed from `meeting_and_occurrence_id` in v1.
           id: "{{ meeting_id }}-{{ occurrence_id }}"
@@ -354,7 +354,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_recording_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # Renamed from `meeting_and_occurrence_id` in v1.
           id: "{{ meeting_id }}-{{ occurrence_id }}"
@@ -454,7 +454,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_transcript_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # Renamed from `meeting_and_occurrence_id` in v1.
           id: "{{ meeting_id }}-{{ occurrence_id }}"
@@ -547,7 +547,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_summary_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           summary_details:
             {% for i in range(fake.pyint(min_value=8, max_value=12)) %}
@@ -639,7 +639,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_participants_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # v2 attributes for convenience.
           is_invited: true
@@ -728,7 +728,7 @@ buf_board_past_meeting_{{ past_meeting_index }}_participant_guests_create:
         action: created
         headers:
           authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal={{ fake.user_name() }},email={{ fake.email() }}
-          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
+          x-on-behalf-of: !jwt bearer=true,aud=lfx-v2-project-service,principal=m2m_helper@clients
         data:
           # v2 attributes for convenience.
           is_invited: false
diff --git a/scripts/mock-heimdall-jwt.sh b/scripts/mock-heimdall-jwt.sh
@@ -40,7 +40,7 @@ jwt encode \
 	--jti "$(uuidgen)" \
 	--payload "aud=$aud" \
 	--payload "iss=heimdall" \
-	--payload "sub=${principal#clients@}" \
+	--payload "sub=${principal%@clients}" \
 	--payload "principal=$principal" \
 	--secret "@${pem_temp_dir}/signer.pem" \
 	"${payload}"
diff --git a/src/lfx_v2_mockdata/__init__.py b/src/lfx_v2_mockdata/__init__.py
@@ -81,9 +81,7 @@ class UploadMockDataArgs(BaseModel):
 )
 jinja_env: contextvars.ContextVar[Environment] = contextvars.ContextVar("jinja_env")
 args: contextvars.ContextVar[UploadMockDataArgs] = contextvars.ContextVar("args")
-retries_remaining: contextvars.ContextVar[int] = contextvars.ContextVar(
-    "retries_remaining"
-)
+retries_remaining: contextvars.ContextVar[int] = contextvars.ContextVar("retries_remaining")
 
 # NATS connection variables.
 nats_client: None | NatsClient = None
@@ -180,9 +178,7 @@ def evaluate(self):
         # Attempt to evaluate expression against data context.
         value = jmespath.search(self.expression, data_context)
         if value is None:
-            raise AttributeError(
-                f"JMESPath expression '{self.expression}' not found in data"
-            )
+            raise AttributeError(f"JMESPath expression '{self.expression}' not found in data")
         return value
 
 
@@ -246,9 +242,7 @@ def replace_placeholder(match):
             # Attempt to evaluate expression against data context.
             value = jmespath.search(expression, data_context)
             if value is None:
-                raise AttributeError(
-                    f"JMESPath expression '{expression}' not found in data"
-                )
+                raise AttributeError(f"JMESPath expression '{expression}' not found in data")
             return str(value)
 
         # Find and replace all ${...} patterns with their evaluated values.
@@ -263,7 +257,7 @@ class JWTGenerator(yaml.YAMLObject):
     Arguments are passed as key=value pairs separated by commas.
 
     Example:
-        !jwt aud=lfx-v2-project-service,principal=clients@m2m_helper,\\
+        !jwt aud=lfx-v2-project-service,principal=m2m_helper@clients,\
              email=test@example.com
     """
 
@@ -331,7 +325,7 @@ def generate_jwt(self) -> str:
         payload = {
             "aud": audience,
             "iss": "heimdall",
-            "sub": principal.replace("clients@", ""),  # Remove clients@ prefix.
+            "sub": principal.replace("@clients", ""),  # Remove @clients suffix.
             "principal": principal,
             "exp": now_int + 300,  # 5 minutes expiry.
             "nbf": now_int,  # Valid from now.
@@ -349,9 +343,7 @@ def generate_jwt(self) -> str:
             )
             # Ensure we have an RSA private key for PS256 algorithm.
             if not isinstance(loaded_key, rsa.RSAPrivateKey):
-                raise ValueError(
-                    "JWT signing requires an RSA private key for PS256 algorithm"
-                )
+                raise ValueError("JWT signing requires an RSA private key for PS256 algorithm")
             private_key = loaded_key
         except Exception as e:
             raise ValueError(f"Failed to load RSA private key: {e}") from e
@@ -385,9 +377,7 @@ def _get_key_id(self, cli_args) -> str:
             return _jwks_kid_cache
 
         # Fetch from Heimdall JWKS endpoint.
-        jwks_url = (
-            "http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks"
-        )
+        jwks_url = "http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks"
         try:
             response = requests.get(jwks_url, timeout=10)
             response.raise_for_status()
@@ -542,9 +532,7 @@ def yaml_render(template_dir, yaml_file):
         env.globals["fake"] = fake
         env.globals["timedelta"] = datetime.timedelta
         env.globals["now_z"] = (
-            lambda: datetime.datetime.now(datetime.UTC)
-            .isoformat("T")
-            .replace("+00:00", "Z")
+            lambda: datetime.datetime.now(datetime.UTC).isoformat("T").replace("+00:00", "Z")
         )
         env.globals["slug_from_project_name"] = slug_from_project_name
         # Store the environment in the context for use by the !include
@@ -755,9 +743,7 @@ def run_http_request_playbook(name: str, playbook: dict) -> None:
             except AttributeError as e:
                 if cli_args.dry_run:
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         step_payload["_response"] = {}
                         continue
                     else:
@@ -766,9 +752,7 @@ def run_http_request_playbook(name: str, playbook: dict) -> None:
                     if retries_remaining.get() > 0:
                         continue
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         continue
                     raise
             if request_data is None and "raw" in step_payload:
@@ -808,9 +792,7 @@ def run_http_request_playbook(name: str, playbook: dict) -> None:
             step_payload["_response"] = r_dict
         except json.decoder.JSONDecodeError as e:
             if cli_args.force:
-                logger.error(
-                    "Failed to parse response as JSON", error=str(e), playbook=name
-                )
+                logger.error("Failed to parse response as JSON", error=str(e), playbook=name)
                 # Add a placeholder response to prevent re-running.
                 step_payload["_response"] = {}
                 continue
@@ -866,9 +848,7 @@ async def run_nats_publish_playbook(name: str, playbook: dict) -> None:
             except AttributeError as e:
                 if cli_args.dry_run:
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         step_payload["_response"] = {}
                         continue
                     else:
@@ -877,9 +857,7 @@ async def run_nats_publish_playbook(name: str, playbook: dict) -> None:
                     if retries_remaining.get() > 0:
                         continue
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         continue
                     raise
         elif "raw" in step_payload:
@@ -978,9 +956,7 @@ async def run_nats_kv_put_playbook(name: str, playbook: dict) -> None:
             except AttributeError as e:
                 if cli_args.dry_run:
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         step_payload["_response"] = {}
                         continue
                     else:
@@ -989,9 +965,7 @@ async def run_nats_kv_put_playbook(name: str, playbook: dict) -> None:
                     if retries_remaining.get() > 0:
                         continue
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         continue
                     raise
         elif "raw" in step_payload:
@@ -1076,9 +1050,7 @@ async def run_nats_request_playbook(name: str, playbook: dict) -> None:
             except AttributeError as e:
                 if cli_args.dry_run:
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         step_payload["_response"] = {}
                         continue
                     else:
@@ -1087,9 +1059,7 @@ async def run_nats_request_playbook(name: str, playbook: dict) -> None:
                     if retries_remaining.get() > 0:
                         continue
                     if cli_args.force:
-                        logger.error(
-                            "Error processing playbook", error=str(e), playbook=name
-                        )
+                        logger.error("Error processing playbook", error=str(e), playbook=name)
                         continue
                     raise
         elif "raw" in step_payload:
@@ -1115,9 +1085,7 @@ async def run_nats_request_playbook(name: str, playbook: dict) -> None:
         )
 
         try:
-            response = await nats_client.request(
-                params.subject, data, timeout=params.timeout
-            )
+            response = await nats_client.request(params.subject, data, timeout=params.timeout)
             # Parse the response data and store it.
             try:
                 response_data = json.loads(response.data.decode())
