https://github.com/anderslauri/open-iap

Open Programmatic Identity Aware Proxy for Google Cloud
https://github.com/anderslauri/open-iap

gke google-service-account google-workspace iap identity-aware-proxy ingress ingress-nginx jwt jwt-authentication

Last synced: 2 months ago
JSON representation

Open Programmatic Identity Aware Proxy for Google Cloud

• Host: GitHub
• URL: https://github.com/anderslauri/open-iap
• Owner: anderslauri
• License: mit
• Created: 2024-02-18T09:47:46.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2024-04-01T11:15:36.000Z (9 months ago)
• Last Synced: 2024-04-02T12:20:54.874Z (9 months ago)
• Topics: gke, google-service-account, google-workspace, iap, identity-aware-proxy, ingress, ingress-nginx, jwt, jwt-authentication
• Language: Go
• Homepage:
• Size: 154 KB
• Stars: 0
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Open Programmatic Identity Aware Proxy for Google Cloud

Open implementation of Programmatic Identity Aware Proxy for Google Cloud workload to workload authentication using Google Service Account.

Performs validity and signature verification of Google Service Account JWT - while also verifying subject of claim `email` has role bidning

`roles/iap.httpsResourceAccess` inside project. Role `roles/iap.httpsResourceAccess` (as with Identity Aware Proxy) is required for authentication.

Conditional expressions are supported. A role binding can be restricted to only allow communication to a single specific `host` and `path`.

The following token types are supported for Google Service Account:

- **ID-Token**

- **Self-Signed JWTs**

Please reference [Google Cloud Token Types][Google Cloud Token Types] for more information. For **Self-Signed JWTs** please ensure to follow

[specification as required by Google][Self-Signed JWTs].

## Why?

- Identity Aware Proxy for Google Cloud is only available in BeyondCorp Enterprise.

- There is other solutions available on GitHub, however, none of are really suitable and made compatible with existing IAM on Google Cloud.

## Authentication of Google Cloud Service Account

1. Signature verification using `JWK`. Source of `JWK` is determined given type of JWT.

2. `iat` and `exp` claim verification. Leeway for `JWT` is configurable. Default is 1 minute.

3. `aud` claim must be equal to request url.

4. Role `roles/iap.httpsResourceAccessor` is verified given subject of claim email. Role binding can be granted directly on project,

   or indirectly, via membership in Google Workspace group.

:exclamation: Steps `{1..3}` follow [JWT-verification as described by Google Cloud][JWT-Verification]. Step `4` is custom step following

the ideas of `Identity Aware Proxy`.

:exclamation: After successful `{1..4}`. Value of claim `email` is cached. Key is hash, in `SHA256`, of `{JWT || Request URL}`. 

`ttl` for cache value is `exp - `. Once token is found in cache - only `exp` claim validity and step `4` is performed per each request.

:exclamation: The code strives to retain a performance aware profile. Caching is used aggressivly on multiple layers to ensure an overall

low 90th percentile response time. To benefit from cache locality, use a ring hash for routing.

## Role bindings

:warning: All role bindings are consumed asynchronously given a defined time interval (see configuration). This may or

may not be acceptable - depends on your choice. Bindings are kept in memory for performance reasons. Default interval is `5min`.

### Conditional expressions

`request.path`, `request.host` and `request.time` are supported with conditional expressions with role `roles/iap.httpsResourceAccessor`. 

If role binding has conditional expression, this conditional expression is compiled and evaluated in memory using `cel-go`. All conditional

expressions are only compiled once - after first compilation - the program (representing conditional expression) is cached for performance reasons.

## How to run

:exclamation: Use `Dockerfile` as example.

Configuration uses [pkl-lang][pkl-lang]. `pkl` must be available in `$PATH`. As well, `default_config.pkl` 

and `app_config.pkl` must be present in same directory as application executable when starting application.

### Required Prerequisites

* **Groups Reader** is required on Google Workspace. Reference [Google Workspace Administrator Roles][Google Workspace Administrator Roles].

* **resourcemanager.projects.getIamPolicy** is required to list all bindings for role `roles/iap.httpsResourceAccess` 

for Google Service Account inside project. Usage of custom role is recommended!

* **Admin API** and **Cloud Resource Manager API** is required on project.

## API 

### /auth (GET)

Authentication endpoint. Return code `200 OK` given successful authentication, else `401 Unauthorized`.

#### Zero Trust with NetworkPolicy and nginx

Use the following example (as inspiration), to enable secure, zero trust based communication of workload to workload communication to services on `GKE`.

##### Configuration NetworkPolicy

Enforce connectivity restrictions to service, traffic must only be permitted through `namespace` of `nginx`.

````

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

  name: my-service

spec:

  ingress:

    - from:

        - namespaceSelector:

            matchExpressions:

              - key: kubernetes.io/metadata.name

                operator: In

                values:

                - nginx

      ports:

      - port: 8080

        protocol: TCP

  podSelector:

    matchLabels:

      app: my-service

  policyTypes:

  - Ingress

`````

##### Global nginx configuration

Define following configuration on `controller` of `nginx`. Ensuring, requests (all `ingress` registered with `controller`), only are permitted given valid authentication.

```

global-auth-snippet: |

  proxy_set_header Proxy-Authorization $http_proxy_authorization;

global-auth-url: http://.:8080/auth

```

#### Required headers

:warning: `X-Original-URL`, i.e. from `nginx` has assumed trust.

1. `Authorization` or `Proxy-Authorization`.

2. `X-Original-URL` is configured to be present. This can be changed using `HeaderMapping` in configuration.

### /healthz (GET)

Kubernetes health endpoint for liveness and readiness. Return code `200 OK`.

## Future changes

In scope for `open-iap`.

1. Role `roles/iap.tunnelResourceAccessor` for `TUNNEL`-proxy.

2. Role bindings on project level are only used. Folders and organization must be implemented as optional feature.

3. Consume `IAM Role Audit Events`. Ensuring close to real time changes to policy bindings.

[Google Workspace Groups API]:  "Google Workspace Groups API"

[Google Workspace Administrator Roles]:  "Google Workspace Administrator Roles"

[Google Cloud Token Types]:  "Google Cloud Token Types"

[Programmatic Authentication]:  "Programmatic Authentication"

[JWT-verification]:  "JWT-verification"

[cel-go]:  "cel-go"

[pkl-lang]:  "pkl-lang"

[Self-Signed JWTs]:  "Self-Signed JWTs"