Add compute_ctl:external_api JWT scope

It allows access to the compute_ctl external HTTP server.

Signed-off-by: Tristan Partin <tristan@neon.tech>

compute_tools/src/http/middleware/authorize.rs

@@ -64,45 +64,57 @@ impl AsyncAuthorizeRequest<Body> for Authorize {
             };
 
             match data.claims.scope {
-                // TODO: We should validate audience for every token, but
-                // instead of this ad-hoc validation, we should turn
-                // [`Validation::validate_aud`] on. This is merely a stopgap
-                // while we roll out `aud` deployment. We return a 401
-                // Unauthorized because when we eventually do use
-                // [`Validation`], we will hit the above `Err` match arm which
-                // returns 401 Unauthorized.
-                Some(ComputeClaimsScope::Admin) => {
-                    let Some(ref audience) = data.claims.audience else {
-                        return Err(JsonResponse::error(
-                            StatusCode::UNAUTHORIZED,
-                            "missing audience in authorization token claims",
-                        ));
-                    };
+                // If the scope is not [`ComputeClaimsScope::Admin`], then we
+                // must validate the compute_id
+                Some(ref scope) => {
+                    // TODO: We should validate audience for every token, but
+                    // instead of this ad-hoc validation, we should turn
+                    // [`Validation::validate_aud`] on. This is merely a stopgap
+                    // while we roll out `aud` deployment. We return a 401
+                    // Unauthorized because when we eventually do use
+                    // [`Validation`], we will hit the above `Err` match arm which
+                    // returns 401 Unauthorized.
+                    if scope.contains(&ComputeClaimsScope::Admin) {
+                        let Some(ref audience) = data.claims.audience else {
+                            return Err(JsonResponse::error(
+                                StatusCode::UNAUTHORIZED,
+                                "missing audience in authorization token claims",
+                            ));
+                        };
 
-                    if !audience.iter().any(|a| a == COMPUTE_AUDIENCE) {
+                        if !audience.iter().any(|a| a == COMPUTE_AUDIENCE) {
+                            return Err(JsonResponse::error(
+                                StatusCode::UNAUTHORIZED,
+                                "invalid audience in authorization token claims",
+                            ));
+                        }
+                    } else if scope.contains(&ComputeClaimsScope::ComputeCtlExternalApi) {
+                        let Some(ref claimed_compute_id) = data.claims.compute_id else {
+                            return Err(JsonResponse::error(
+                                StatusCode::FORBIDDEN,
+                                "missing compute_id in authorization token claims",
+                            ));
+                        };
+
+                        if *claimed_compute_id != compute_id {
+                            return Err(JsonResponse::error(
+                                StatusCode::FORBIDDEN,
+                                "invalid compute ID in authorization token claims",
+                            ));
+                        }
+                    } else {
                         return Err(JsonResponse::error(
                             StatusCode::UNAUTHORIZED,
-                            "invalid audience in authorization token claims",
+                            "compute_ctl:external_api scope not included",
                         ));
                     }
                 }
 
-                // If the scope is not [`ComputeClaimsScope::Admin`], then we
-                // must validate the compute_id
-                _ => {
-                    let Some(ref claimed_compute_id) = data.claims.compute_id else {
-                        return Err(JsonResponse::error(
-                            StatusCode::FORBIDDEN,
-                            "missing compute_id in authorization token claims",
-                        ));
-                    };
-
-                    if *claimed_compute_id != compute_id {
-                        return Err(JsonResponse::error(
-                            StatusCode::FORBIDDEN,
-                            "invalid compute ID in authorization token claims",
-                        ));
-                    }
+                None => {
+                    return Err(JsonResponse::error(
+                        StatusCode::UNAUTHORIZED,
+                        "compute_ctl:external_api scope not included",
+                    ));
                 }
             }
 

control_plane/src/bin/neon_local.rs

@@ -709,7 +709,7 @@ struct EndpointGenerateJwtCmdArgs {
     endpoint_id: String,
 
     #[clap(short = 's', long, help = "Scope to generate the JWT with", value_parser = ComputeClaimsScope::from_str)]
-    scope: Option<ComputeClaimsScope>,
+    scope: Vec<ComputeClaimsScope>,
 }
 
 #[derive(clap::Subcommand)]
@@ -1580,7 +1580,7 @@ async fn handle_endpoint(subcmd: &EndpointCmd, env: &local_env::LocalEnv) -> Res
                     .with_context(|| format!("postgres endpoint {endpoint_id} is not found"))?
             };
 
-            let jwt = endpoint.generate_jwt(args.scope)?;
+            let jwt = endpoint.generate_jwt(Some(args.scope.clone()))?;
 
             print!("{jwt}");
         }

control_plane/src/endpoint.rs

@@ -632,14 +632,16 @@ impl Endpoint {
     }
 
     /// Generate a JWT with the correct claims.
-    pub fn generate_jwt(&self, scope: Option<ComputeClaimsScope>) -> Result<String> {
+    pub fn generate_jwt(&self, scope: Option<Vec<ComputeClaimsScope>>) -> Result<String> {
         self.env.generate_auth_token(&ComputeClaims {
             audience: match scope {
-                Some(ComputeClaimsScope::Admin) => Some(vec![COMPUTE_AUDIENCE.to_owned()]),
+                Some(ref scope) if scope.contains(&ComputeClaimsScope::Admin) => {
+                    Some(vec![COMPUTE_AUDIENCE.to_owned()])
+                }
                 _ => None,
             },
             compute_id: match scope {
-                Some(ComputeClaimsScope::Admin) => None,
+                Some(ref scope) if scope.contains(&ComputeClaimsScope::Admin) => None,
                 _ => Some(self.endpoint_id.clone()),
             },
             scope,
@@ -918,7 +920,7 @@ impl Endpoint {
                     self.external_http_address.port()
                 ),
             )
-            .bearer_auth(self.generate_jwt(None::<ComputeClaimsScope>)?)
+            .bearer_auth(self.generate_jwt(Some(vec![ComputeClaimsScope::ComputeCtlExternalApi]))?)
             .send()
             .await?;
 
@@ -995,7 +997,7 @@ impl Endpoint {
                 self.external_http_address.port()
             ))
             .header(CONTENT_TYPE.as_str(), "application/json")
-            .bearer_auth(self.generate_jwt(None::<ComputeClaimsScope>)?)
+            .bearer_auth(self.generate_jwt(Some(vec![ComputeClaimsScope::ComputeCtlExternalApi]))?)
             .body(
                 serde_json::to_string(&ConfigurationRequest {
                     spec,

libs/compute_api/src/requests.rs

@@ -17,6 +17,10 @@ pub enum ComputeClaimsScope {
     /// An admin-scoped token allows access to all of `compute_ctl`'s authorized
     /// facilities.
     Admin,
+
+    /// Scope providing access to the `compute_ctl` external API.
+    #[serde(rename = "compute_ctl:external_api")]
+    ComputeCtlExternalApi,
 }
 
 impl FromStr for ComputeClaimsScope {
@@ -25,6 +29,7 @@ impl FromStr for ComputeClaimsScope {
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         match s {
             "admin" => Ok(ComputeClaimsScope::Admin),
+            "compute_ctl:external_api" => Ok(ComputeClaimsScope::ComputeCtlExternalApi),
             _ => Err(anyhow::anyhow!("invalid compute claims scope \"{s}\"")),
         }
     }
@@ -41,8 +46,8 @@ pub struct ComputeClaims {
     /// [`ComputeClaimsScope::Admin`].
     pub compute_id: Option<String>,
 
-    /// The scope of what the token authorizes.
-    pub scope: Option<ComputeClaimsScope>,
+    /// The scopes of what the token is authorized for.
+    pub scope: Option<Vec<ComputeClaimsScope>>,
 
     /// The recipient the token is intended for.
     ///

test_runner/fixtures/endpoint/http.py

@@ -25,6 +25,7 @@ The value to place in the `aud` claim.
 @final
 class ComputeClaimsScope(StrEnum):
     ADMIN = "admin"
+    COMPUTE_CTL_EXTERNAL_API = "compute_ctl:external_api"
 
 
 @final

test_runner/fixtures/neon_cli.py

@@ -536,16 +536,14 @@ class NeonLocalCli(AbstractNeonCli):
         res.check_returncode()
         return res
 
-    def endpoint_generate_jwt(
-        self, endpoint_id: str, scope: ComputeClaimsScope | None = None
-    ) -> str:
+    def endpoint_generate_jwt(self, endpoint_id: str, scope: list[ComputeClaimsScope]) -> str:
         """
         Generate a JWT for making requests to the endpoint's external HTTP
         server.
         """
         args = ["endpoint", "generate-jwt", endpoint_id]
-        if scope:
-            args += ["--scope", str(scope)]
+        for s in scope:
+            args += ["--scope", str(s)]
 
         cmd = self.raw_cli(args)
         cmd.check_returncode()

test_runner/fixtures/neon_fixtures.py

@@ -4282,7 +4282,7 @@ class Endpoint(PgProtocol, LogUtils):
 
         self.config(config_lines)
 
-        self.__jwt = self.generate_jwt()
+        self.__jwt = self.generate_jwt([ComputeClaimsScope.COMPUTE_CTL_EXTERNAL_API])
 
         return self
 
@@ -4329,7 +4329,7 @@ class Endpoint(PgProtocol, LogUtils):
 
         return self
 
-    def generate_jwt(self, scope: ComputeClaimsScope | None = None) -> str:
+    def generate_jwt(self, scope: list[ComputeClaimsScope]) -> str:
         """
         Generate a JWT for making requests to the endpoint's external HTTP
         server.