Enable heimdall middleware and add a go program for automating the loading of mock project data via the POST project endpoint

Signed-off-by: Andres Tobon <andrest2455@gmail.com>

Author: andrest50

charts/lfx-v2-project-service/templates/heimdall.yaml

@@ -0,0 +1,13 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: lfx-v2-project-service
+  namespace: lfx
+spec:
+  forwardAuth:
+    address: "http://heimdall.lfx.svc.cluster.local:4456"
+    authResponseHeaders:
+      - Authorization

charts/lfx-v2-project-service/templates/ingressroute.yaml

@@ -13,11 +13,11 @@ spec:
   routes:
     - kind: Rule
       match: >-
-        Host(`{{.Values.ingress.hostname}}`)
+        Host(`{{.Values.ingress.hostname}}`) &&
+        (Path(`/projects`) || PathPrefix(`/projects/`) || Path(`/livez`) || Path(`/readyz`))
       priority: 10
-      # TODO: add heimdall middleware once it is working - currently it causes a 403
-      # middlewares:
-      #   - name: heimdall
+      middlewares:
+        - name: heimdall
       services:
         - kind: Service
           name: lfx-v2-project-service

charts/lfx-v2-project-service/templates/ruleset.yaml

@@ -8,7 +8,21 @@ metadata:
   namespace: lfx
 spec:
   rules:
-    - id: "rule:lfx:lfx-v2-project-service"
+    - id: "rule:lfx:lfx-v2-project-service:health"
+      match:
+        methods:
+          - GET
+        routes:
+          - path: /livez
+          - path: /readyz
+      execute:
+        - authenticator: anonymous_authenticator
+        - authorizer: allow_all
+        - finalizer: create_jwt
+          config:
+            values:
+              aud: lfx-v2-project-service
+    - id: "rule:lfx:lfx-v2-project-service:projects"
       match:
         methods:
           - GET
@@ -19,10 +33,15 @@ spec:
           - path: /projects
           - path: /projects/:id
       execute:
-        - authenticator: authelia
+        #- authenticator: authelia
         - authenticator: anonymous_authenticator
-        - contextualizer: authelia_userinfo
+        #- contextualizer: authelia_userinfo
         - authorizer: allow_all
+        # - authorizer: openfga_check
+        #   config:
+        #     values:
+        #       relation: manager
+        #       object: "project:111"
         - finalizer: create_jwt
           config:
             values:

charts/lfx-v2-project-service/values.yaml

@@ -10,3 +10,120 @@ nats:
   # url is the URL of the NATS server
   url: nats://nats.lfx.svc.cluster.local:4222
   projects_kv_bucket_name: projects
+
+# heimdall is the configuration for the heimdall middleware
+heimdall:
+  env:
+    CLIENT_SECRET:
+      secretKeyRef:
+        name: heimdall-secrets
+        key: heimdall_client_secret
+
+  mechanisms:
+    authenticators:
+      - id: anonymous_authenticator
+        type: anonymous
+        config:
+          subject: "_anonymous"
+      - id: authelia
+        type: oauth2_introspection
+        config:
+          metadata_endpoint:
+            url: http://auth.k8s.orb.local/.well-known/oauth-authorization-server
+            resolved_endpoints:
+              introspection_endpoint:
+                auth:
+                  type: basic_auth
+                  config:
+                    user: heimdall
+                    password: ${CLIENT_SECRET}
+          assertions:
+            audience:
+              - "http://lfx-api.k8s.orb.local/"
+          subject:
+            # Authelia doesn't provide a "sub" claim for client_credentials token
+            # introspection. Use a GJSON query to extract either the username or
+            # the client_id. Client IDs can collide with usernames (and GJSON
+            # doesn't let us do array concatenation to add a literal prefix), so
+            # the `sub` claim should NOT be used downstream.
+            id: '[username,client_id].0'
+    contextualizers:
+      - id: authelia_userinfo
+        type: generic
+        config:
+          endpoint:
+            url: http://auth.k8s.orb.local/api/oidc/userinfo
+            method: GET
+          forward_headers:
+            - Authorization
+          # Continuing on error is needed if this contextualizer is used in any
+          # rulesets that support anonymous access.
+          continue_pipeline_on_error: true
+    authorizers:
+      - id: allow_all
+        type: allow
+      - id: deny_all
+        type: deny
+      - id: openfga_check
+        type: remote
+        config:
+          endpoint: ${FGA_CHECK_ENDPOINT}
+          values:
+            # Most of the `values` are provided by the matching rule, but the
+            # `model_id` needs to be set by an environment variable.
+            model_id: ${FGA_MODEL_ID}
+          payload: |
+            {
+              "authorization_model_id": "{{ .Values.model_id }}",
+              "tuple_key": {
+                "user": {{
+                  list
+                    "user:"
+                    (
+                      eq .Subject.ID "_anonymous"
+                      | ternary
+                        "_anonymous"
+                        (or
+                          .Subject.Attributes.username
+                          (list "clients@" .Subject.Attributes.client_id | join ""))
+                    )
+                  | join "" | quote
+                }},
+                "relation": "{{ .Values.relation }}",
+                "object": "{{ .Values.object }}"
+              }
+            }
+          expressions:
+            - expression: |
+                Payload.allowed == true
+    finalizers:
+      - id: create_jwt
+        type: jwt
+        config:
+          signer:
+            key_store:
+              path: /secrets/signer.pem
+          claims: |
+            {
+              "principal": {{
+                eq .Subject.ID "_anonymous"
+                | ternary
+                  "_anonymous"
+                  (or
+                    .Subject.Attributes.username
+                    (list "clients@" .Subject.Attributes.client_id | join ""))
+                | quote
+              }}
+              {{ if .Outputs.authelia_userinfo.email -}},
+              "email": {{ quote .Outputs.authelia_userinfo.email }}
+              {{ end -}}
+              {{ if .Values.aud -}},
+              "aud": {{ quote .Values.aud }}
+              {{ end -}}
+            }
+
+  default_rule:
+    execute:
+      - authenticator: anonymous_authenticator
+      - authorizer: deny_all
+      - finalizer: create_jwt

cmd/project-api/jwt.go

@@ -20,7 +20,7 @@ const (
 	// PS256 is the default for Heimdall's JWT finalizer.
 	signatureAlgorithm = validator.PS256
 	defaultIssuer      = "heimdall"
-	defaultAudience    = "query-svc"
+	defaultAudience    = "lfx-v2-project-service"
 )
 
 var (
@@ -107,7 +107,7 @@ func (j *jwtAuth) parsePrincipal(ctx context.Context, token string, logger *slog
 		// dropping the suffix of the 3rd error's String() method could be more
 		// accurate to error boundaries, but could also expose tertiary errors if
 		// errors are not wrapped with Go 1.13 `%w` semantics.
-		logger.With(errKey, err).WarnContext(ctx, "authorization failed")
+		logger.With("default_audience", defaultAudience).With("default_issuer", defaultIssuer).With(errKey, err).WarnContext(ctx, "authorization failed")
 		errString := err.Error()
 		firstColon := strings.Index(errString, ":")
 		if firstColon != -1 && firstColon+1 < len(errString) {

cmd/project-api/service_endpoint.go

@@ -528,8 +528,8 @@ func (s *ProjectsService) Livez(_ context.Context) ([]byte, error) {
 // JWTAuth implements Auther interface for the JWT security scheme.
 func (s *ProjectsService) JWTAuth(ctx context.Context, bearerToken string, _ *security.JWTScheme) (context.Context, error) {
 	// Parse the Heimdall-authorized principal from the token.
-	// TODO: handle error
 	principal, _ := s.auth.parsePrincipal(ctx, bearerToken, s.logger)
+	// TODO: handle error
 	// if err != nil {
 	// 	return ctx, err
 	// }

tools/load_mock_data/Makefile

@@ -0,0 +1,64 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+# Makefile for Project Mock Data Loader
+
+.PHONY: build run clean help test
+
+# Default target
+help:
+	@echo "Available targets:"
+	@echo "  build    - Build the mock data loader binary"
+	@echo "  run      - Run the mock data loader (requires -bearer-token)"
+	@echo "  clean    - Remove build artifacts"
+	@echo "  test     - Run tests (if any)"
+	@echo ""
+	@echo "Usage examples:"
+	@echo "  make build"
+	@echo "  make run ARGS='-bearer-token \"your-token\" -num-projects 5'"
+	@echo "  make run ARGS='-bearer-token \"your-token\" -api-url \"http://localhost:8080/projects\"'"
+
+# Build the binary
+build:
+	@echo "Building mock data loader..."
+	go build -o bin/load_mock_data main.go
+	@echo "Binary created: bin/load_mock_data"
+
+# Run the script
+run:
+	@if [ -z "$(ARGS)" ]; then \
+		echo "Error: ARGS variable is required for run target"; \
+		echo "Example: make run ARGS='-bearer-token \"your-token\" -num-projects 5'"; \
+		exit 1; \
+	fi
+	@if [ ! -f "./bin/load_mock_data" ]; then \
+		echo "Binary not found. Building first..."; \
+		make build; \
+	fi
+	@echo "Running mock data loader with args: $(ARGS)"
+	./bin/load_mock_data $(ARGS)
+
+# Clean build artifacts
+clean:
+	@echo "Cleaning build artifacts..."
+	rm -f bin/load_mock_data
+	@echo "Clean complete"
+
+# Run tests (placeholder for future tests)
+test:
+	@echo "Running tests..."
+	@echo "No tests implemented yet"
+	@echo "Tests complete"
+
+# Install dependencies (if needed)
+deps:
+	@echo "Installing dependencies..."
+	go mod tidy
+	@echo "Dependencies installed"
+
+# Development mode - build and run with common args
+dev:
+	@echo "Development mode - building and running with sample args..."
+	make build
+	@echo "To run with your token:"
+	@echo "  ./bin/load_mock_data -bearer-token \"your-jwt-token\" -num-projects 5"