Merge pull request #29000 from michael-redpanda/gbac/core-14893/initial-processing

[CORE-14893] Process group claims from OIDC tokens

Author: michael-redpanda

src/v/cluster/controller.cc

@@ -215,6 +215,12 @@ ss::future<> controller::wire_up() {
             ss::sharded_parameter([] {
                 return config::shard_local_cfg()
                   .oidc_keys_refresh_interval.bind();
+            }),
+            ss::sharded_parameter([] {
+                return config::shard_local_cfg().oidc_group_claim_path.bind();
+            }),
+            ss::sharded_parameter([] {
+                return config::shard_local_cfg().nested_group_behavior.bind();
             }));
       })
       .then([this] {

src/v/config/configuration.cc

@@ -3887,6 +3887,25 @@ configuration::configuration()
       "access tokens.",
       {.needs_restart = needs_restart::no, .visibility = visibility::user},
       1h)
+  , oidc_group_claim_path(
+      *this,
+      "oidc_group_claim_path",
+      "JSON path to extract groups from the JWT payload.",
+      {.needs_restart = needs_restart::no, .visibility = visibility::user},
+      "$.groups",
+      security::oidc::validate_group_claim_path)
+  , nested_group_behavior(
+      *this,
+      "nested_group_behavior",
+      "Behavior for handling nested groups when extracting groups from "
+      "authentication tokens.  Two options are available - none and suffix.  "
+      "With none, the group is left alone (e.g. '/group/child/grandchild').  "
+      "Suffix will extract the final component from the nested group (e.g. "
+      "'/group' -> 'group' and '/group/child/grandchild' -> 'grandchild').",
+      {.needs_restart = needs_restart::no, .visibility = visibility::user},
+      security::oidc::nested_group_behavior::none,
+      {security::oidc::nested_group_behavior::none,
+       security::oidc::nested_group_behavior::suffix})
   , http_authentication(
       *this,
       "OIDC",

src/v/config/configuration.h

@@ -28,6 +28,7 @@
 #include "model/metadata.h"
 #include "model/timestamp.h"
 #include "pandaproxy/schema_registry/schema_id_validation.h"
+#include "security/config.h"
 #include "utils/unresolved_address.h"
 
 #include <seastar/core/sstring.hh>
@@ -722,6 +723,9 @@ struct configuration final : public config_store {
     property<std::chrono::seconds> oidc_clock_skew_tolerance;
     property<ss::sstring> oidc_principal_mapping;
     property<std::chrono::seconds> oidc_keys_refresh_interval;
+    property<ss::sstring> oidc_group_claim_path;
+
+    enum_property<security::oidc::nested_group_behavior> nested_group_behavior;
 
     // HTTP Authentication
     enterprise<property<std::vector<ss::sstring>>> http_authentication;

src/v/config/convert.h

@@ -18,6 +18,7 @@
 #include "model/metadata.h"
 #include "model/timestamp.h"
 #include "pandaproxy/schema_registry/schema_id_validation.h"
+#include "security/config.h"
 #include "strings/string_switch.h"
 
 #include <boost/lexical_cast.hpp>
@@ -762,4 +763,24 @@ struct convert<model::kafka_batch_validation_mode> {
     }
 };
 
+template<>
+struct convert<security::oidc::nested_group_behavior> {
+    static Node encode(const security::oidc::nested_group_behavior& rhs) {
+        return Node(fmt::format("{}", rhs));
+    }
+
+    static bool
+    decode(const Node& node, security::oidc::nested_group_behavior& rhs) {
+        static constexpr auto acceptable_values
+          = security::oidc::acceptable_nested_group_behavior_values();
+        auto value = node.as<std::string>();
+        if (!std::ranges::contains(acceptable_values, value)) {
+            return false;
+        }
+        std::istringstream iss(value);
+        iss >> rhs;
+        return true;
+    }
+};
+
 } // namespace YAML

src/v/config/property.h

@@ -713,6 +713,10 @@ consteval std::string_view property_type_name() {
                            type,
                            model::kafka_batch_validation_mode>) {
         return "string";
+    } else if constexpr (std::is_same_v<
+                           type,
+                           security::oidc::nested_group_behavior>) {
+        return "string";
     } else {
         static_assert(
           base::unsupported_type<T>::value, "Type name not defined");

src/v/config/rjson_serialization.cc

@@ -315,4 +315,10 @@ void rjson_serialize(
     stringize(w, m);
 }
 
+void rjson_serialize(
+  json::Writer<json::StringBuffer>& w,
+  security::oidc::nested_group_behavior ngb) {
+    stringize(w, ngb);
+}
+
 } // namespace json

src/v/config/rjson_serialization.h

@@ -154,4 +154,7 @@ void rjson_serialize(
 void rjson_serialize(
   json::Writer<json::StringBuffer>&, const model::kafka_batch_validation_mode&);
 
+void rjson_serialize(
+  json::Writer<json::StringBuffer>&, security::oidc::nested_group_behavior);
+
 } // namespace json

src/v/config/types.h

@@ -256,5 +256,4 @@ static constexpr auto acceptable_audit_log_failure_policy_values() {
 
 std::ostream& operator<<(std::ostream&, audit_failure_policy);
 std::istream& operator>>(std::istream&, audit_failure_policy&);
-
 } // namespace config

src/v/security/BUILD

@@ -18,6 +18,9 @@ redpanda_cc_library(
         "oidc_principal_mapping.h",
         "oidc_url_parser.h",
     ],
+    implementation_deps = [
+        "//src/v/strings:string_switch",
+    ],
     visibility = ["//visibility:public"],
     deps = [
         "//src/v/base",

src/v/security/config.h

@@ -33,7 +33,39 @@ validate_rules(const std::optional<std::vector<ss::sstring>>& r) noexcept;
 
 namespace security::oidc {
 
+/// \brief Defines behavior for nested groups in group claim
+enum class nested_group_behavior : uint8_t {
+    /// No special handling for nested groups
+    none,
+    /// Uses suffix of group claim, so `/a/b/c` becomes `c`
+    suffix
+};
+
+constexpr std::string_view to_string_view(nested_group_behavior b) {
+    switch (b) {
+    case nested_group_behavior::none:
+        return "none";
+    case nested_group_behavior::suffix:
+        return "suffix";
+    }
+    return "unknown";
+}
+
+static constexpr auto acceptable_nested_group_behavior_values() {
+    return std::to_array(
+      {to_string_view(nested_group_behavior::none),
+       to_string_view(nested_group_behavior::suffix)});
+}
+
+std::ostream& operator<<(std::ostream& os, nested_group_behavior b);
+std::istream& operator>>(std::istream& is, nested_group_behavior& b);
+
 std::optional<ss::sstring>
 validate_principal_mapping_rule(const ss::sstring& rule);
 
-}
+/// \brief Validates the path to the group claim in the OIDC JWT.
+///
+/// \returns std::nullopt on no error, ss::sstring with error message
+std::optional<ss::sstring> validate_group_claim_path(const ss::sstring& path);
+
+} // namespace security::oidc