Skip to content

feat: add support for bearer tokens in websocket protocols #533

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
prometherion merged 4 commits into from
Nov 14, 2024
Merged

feat: add support for bearer tokens in websocket protocols #533

prometherion merged 4 commits into from
Nov 14, 2024

Conversation

@CrimsonFez
Copy link
Contributor

@CrimsonFez CrimsonFez commented Sep 30, 2024

This is a simple change that enables us to extract the JWT from the WebSocket protocols as defined here kubernetes/kubernetes#47740. This satisfies #499.

Let me know if any changes are needed.

Thank you!

@CrimsonFez CrimsonFez changed the title add support for bearer tokens in websocket protocols feat: add support for bearer tokens in websocket protocols Sep 30, 2024
@CrimsonFez CrimsonFez force-pushed the websocket-fix branch 2 times, most recently from bc8b63a to 117380b Compare September 30, 2024 03:56
@oliverbaehler oliverbaehler self-assigned this Oct 2, 2024
@oliverbaehler
Copy link
Collaborator

oliverbaehler commented Oct 7, 2024

HI! You need to sign off your commits and gpg sign them as well :)

@CrimsonFez
Copy link
Contributor Author

CrimsonFez commented Oct 7, 2024

Should now be correct

prometherion
prometherion requested changes Oct 8, 2024
View reviewed changes
Copy link
Member

@prometherion prometherion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the suggested code is incorrect, but we cannot return an empty token, otherwise the following calls would inherit the capsule-proxy one leading to a potential privilege escalation.

@CrimsonFez
Copy link
Contributor Author

CrimsonFez commented Oct 8, 2024

You have a good point.
However, I believe that later parts of the code check if the token string is empty and return an error stating that we cannot authenticate anonymous users.

@prometherion
Copy link
Member

prometherion commented Oct 10, 2024

@CrimsonFez you're right, touché!

Given the increased complexity it would be good if we could return an error and make it visible in the logs: we can achieve that with panic which is not ideal per se, or rather, by returning a second return such as the error.

prometherion
prometherion requested changes Nov 4, 2024
View reviewed changes
Copy link
Member

@prometherion prometherion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, happy to get this merged, just ensure the changes comply with the linters:

make golint

@prometherion prometherion linked an issue Nov 11, 2024 that may be closed by this pull request
add support for Websockets #499
Closed
prometherion
prometherion approved these changes Nov 11, 2024
View reviewed changes
Copy link
Member

@prometherion prometherion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Super happy getting this merged, thanks a lot! 🚀

@prometherion
Copy link
Member

prometherion commented Nov 11, 2024

Ah, golangci-lint complains about minor style stuff: this should be the latest round, please @CrimsonFez, may I ask you to amend it?

You can test with golangci-lint by issuing make golint

@CrimsonFez
Copy link
Contributor Author

CrimsonFez commented Nov 11, 2024

Sure thing. I thought I got it all ;(

CrimsonFez and others added 4 commits November 14, 2024 14:36
@prometherion prometherion merged commit 4ae014c into projectcapsule:main Nov 14, 2024
7 of 8 checks passed
@CrimsonFez
Copy link
Contributor Author

CrimsonFez commented Nov 14, 2024

Thanks for cleaning that up! I don't always have a lot of time to do stuff. Very much appreciated!

@prometherion
Copy link
Member

prometherion commented Nov 14, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prometherion prometherion prometherion approved these changes

Assignees

@oliverbaehler oliverbaehler

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

add support for Websockets

3 participants

@CrimsonFez @oliverbaehler @prometherion