databroker: require JWT for access (#1503)

2025-05-30 09:27:19 +02:00 · 2020-10-09 11:08:40 -06:00 · 2020-10-09 11:08:40 -06:00 · eb79cc0957
commit eb79cc0957
parent 27d0cf180a
11 changed files with 188 additions and 79 deletions
--- a/cmd/pomerium-cli/cli.go
+++ b/cmd/pomerium-cli/cli.go
@ -3,6 +3,7 @@ package main
 import (
 	"bufio"
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/url"
@ -91,23 +92,6 @@ var serviceAccountCmd = &cobra.Command{
 		l := zerolog.Nop()
 		log.SetLogger(&l)

-		dataBrokerURL, err := url.Parse(serviceAccountOptions.dataBrokerURL)
-		if err != nil {
-			return fmt.Errorf("invalid databroker url: %w", err)
-		}
-
-		cc, err := grpc.GetGRPCClientConn("databroker", &grpc.Options{
-			Addr:                    dataBrokerURL,
-			OverrideCertificateName: serviceAccountOptions.overrideCertificateName,
-			CA:                      serviceAccountOptions.ca,
-			CAFile:                  serviceAccountOptions.caFile,
-			WithInsecure:            !strings.HasSuffix(dataBrokerURL.Scheme, "s"),
-		})
-		if err != nil {
-			return fmt.Errorf("error creating databroker connection: %w", err)
-		}
-		defer cc.Close()
-
 		// hydrate our session
 		serviceAccountOptions.serviceAccount.Audience = jwt.Audience(serviceAccountOptions.aud)
 		serviceAccountOptions.serviceAccount.Groups = []string(serviceAccountOptions.groups)
@ -144,6 +128,26 @@ var serviceAccountCmd = &cobra.Command{
 			return errors.New("iss is required")
 		}

+		dataBrokerURL, err := url.Parse(serviceAccountOptions.dataBrokerURL)
+		if err != nil {
+			return fmt.Errorf("invalid databroker url: %w", err)
+		}
+
+		rawSharedKey, _ := base64.StdEncoding.DecodeString(sharedKey)
+
+		cc, err := grpc.GetGRPCClientConn("databroker", &grpc.Options{
+			Addr:                    dataBrokerURL,
+			OverrideCertificateName: serviceAccountOptions.overrideCertificateName,
+			CA:                      serviceAccountOptions.ca,
+			CAFile:                  serviceAccountOptions.caFile,
+			WithInsecure:            !strings.HasSuffix(dataBrokerURL.Scheme, "s"),
+			SignedJWTKey:            rawSharedKey,
+		})
+		if err != nil {
+			return fmt.Errorf("error creating databroker connection: %w", err)
+		}
+		defer cc.Close()
+
 		sa := &user.ServiceAccount{
 			Id:        uuid.New().String(),
 			UserId:    serviceAccountOptions.serviceAccount.User,