
@drernie (Member) commented Jan 16, 2026

Summary

This PR enables RAJEE authentication by default and completes the auth integration testing. Building on PR #18 which implemented the full JWT authentication system (Envoy jwt_authn + Lua authorization filters, JWKS endpoint, RAJEE token issuance), this PR flips the switch to enable auth by default, adds comprehensive integration test coverage, and fixes critical JWT validation issues discovered during testing.

What This PR Accomplishes

🔐 Authentication Enabled By Default

RAJEE Envoy now runs with authentication enabled by default. Every S3 request must include a valid JWT token with appropriate grants, enforced by:

  1. Envoy jwt_authn filter - Validates JWT signature against JWKS, checks issuer/audience
  2. Lua authorization filter - Checks grants for prefix/wildcard matching on S3 operations

✅ Complete Integration Test Coverage

Added comprehensive auth-enabled test coverage for all S3 operations:

  • Full roundtrip (PUT/GET/DELETE) with valid token
  • Negative authorization - 403 for unauthorized prefix access
  • ListBucket with prefix filtering
  • GetObjectAttributes operation
  • Versioning operations (GetObjectVersion, ListBucketVersions)
  • JWKS validation - Token signature validation against production JWKS

🐛 Critical Fixes

JWT Issuer Claim: Fixed issuer to use only scheme://netloc (no path component). This was causing JWT validation failures because Envoy expected https://7tp2ch1qoj.execute-api.us-east-1.amazonaws.com but tokens contained https://7tp2ch1qoj.execute-api.us-east-1.amazonaws.com/prod.

Test Token Issuance: Refactored integration tests to use the control plane /token endpoint instead of local JWT signing. The previous approach had a silent fallback to a test secret when AWS Secrets Manager was unavailable, causing all tokens to fail validation against production JWKS. Now all test tokens are issued by the control plane and properly signed.

Detailed Changes

Fixed

  • Token service issuer: Fixed issuer claim to use only scheme://netloc (no path) for proper JWT validation
  • CDK deployment: Fixed raja_issuer extraction in app.py to strip path from API URL
  • Integration tests: Refactored to use control plane /token endpoint instead of local JWT signing
    • Removed get_jwt_secret() helper and its silent fallback to test secrets
    • issue_rajee_token() now mints tokens via API, ensuring proper JWKS signature validation
    • All RAJEE Envoy tests now validate against production JWKS

Added

  • Integration tests: Complete auth-enabled coverage for S3 operations (6 tests covering all major operations)
  • Integration test: test_rajee_token_validates_against_jwks - Validates RAJEE tokens against the JWKS endpoint
  • Test helpers:
    • require_api_issuer() - Extract issuer (scheme+netloc) from API URL
    • Simplified issue_rajee_token() - Delegates to control plane
  • Test policy: policies/rajee_test_policy.cedar - Grants alice access to rajee-integration/ prefix
  • Documentation: specs/2-rajee/12-auth-failure-analysis.md - Root cause analysis of 401 vs 403 failure modes

Changed

  • RAJEE Envoy: Auth enabled by default (no longer requires explicit flag)
  • Deploy workflow: CDK deploy forces AUTH_DISABLED=false for RajeeEnvoyStack
  • Integration tests: All RAJEE tests now use production token service and JWKS validation
  • Test coverage: Auth-enabled tests cover positive and negative authorization scenarios

Testing Results

All integration tests pass with auth enabled:

./poe test-integration

tests/integration/test_rajee_envoy_bucket.py::test_rajee_envoy_s3_roundtrip_with_auth PASSED
tests/integration/test_rajee_envoy_bucket.py::test_rajee_envoy_auth_denies_unauthorized_prefix PASSED
tests/integration/test_rajee_envoy_bucket.py::test_rajee_envoy_list_bucket PASSED
tests/integration/test_rajee_envoy_bucket.py::test_rajee_envoy_get_object_attributes PASSED
tests/integration/test_rajee_envoy_bucket.py::test_rajee_envoy_versioning_operations PASSED
tests/integration/test_token_service.py::test_rajee_token_validates_against_jwks PASSED

Architecture

Auth Flow:

Client Request with JWT
        ↓
Envoy jwt_authn Filter (validates signature via JWKS)
        ↓
Lua Authorization Filter (checks grants)
        ↓
S3 Upstream (if authorized)

Grant Format: s3:{Action}/{Bucket}/{Prefix}

Examples:

  • s3:GetObject/my-bucket/rajee-integration/ - Read access to prefix
  • s3:PutObject/my-bucket/rajee-integration/ - Write access to prefix
  • s3:ListBucket/my-bucket/ - List bucket contents

Changelog

See CHANGELOG.md v0.4.2 for the complete release notes.

Related Issues

Deployment Impact

⚠️ Breaking Change: RAJEE Envoy now requires valid JWT tokens by default. All S3 requests must include:

  1. Valid JWT in Authorization: Bearer <token> header
  2. Token must be signed by RAJA control plane (validates against JWKS)
  3. Token must include grants for the requested S3 operation and prefix

Migration: Use the control plane /token endpoint with token_type=rajee to issue RAJEE tokens:

curl -X POST https://api.example.com/token \
  -H "Content-Type: application/json" \
  -d '{"principal": "alice", "token_type": "rajee"}'

🤖 Generated with Claude Code
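The following is an added example, not code from the RAJEE/RAJA project or from this PR. It models in Python the two checks the PR description lays out: the issuer comparison that failed until the `iss` claim was reduced to `scheme://netloc`, and the `s3:{Action}/{Bucket}/{Prefix}` grant matching described under Architecture. Signature verification against JWKS is assumed to have already passed and is left out. Every function name, the sample API URL and claims, and the wildcard rules (`*` as an action or a trailing `*` on a prefix) are assumptions for illustration; the project's Lua filter may differ.

```python
"""Added example (not RAJEE/RAJA project code): a model of the jwt_authn
issuer check and the grant-matching step described in the PR.
Names, sample data and wildcard semantics are assumptions."""
from urllib.parse import urlsplit, urlunsplit


def issuer_from_api_url(api_url: str) -> str:
    """Keep only scheme://netloc, dropping a stage path such as '/prod'.
    Hypothetical helper modelled on the fix the PR describes."""
    parts = urlsplit(api_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"expected an absolute URL, got {api_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def parse_grant(grant: str) -> tuple[str, str, str]:
    """'s3:GetObject/my-bucket/rajee-integration/' ->
    ('GetObject', 'my-bucket', 'rajee-integration/')."""
    if not grant.startswith("s3:"):
        raise ValueError(f"unsupported grant scheme: {grant!r}")
    action, _, rest = grant[len("s3:"):].partition("/")
    bucket, _, prefix = rest.partition("/")
    if not action or not bucket:
        raise ValueError(f"malformed grant: {grant!r}")
    return action, bucket, prefix


def grant_allows(grant: str, action: str, bucket: str, key: str) -> bool:
    """Prefix match: the object key (or, for ListBucket, the requested list
    prefix) must start with the granted prefix. Assumed wildcard rules: '*'
    as the action matches any action; a trailing '*' on the prefix is dropped."""
    g_action, g_bucket, g_prefix = parse_grant(grant)
    if g_action not in ("*", action) or g_bucket != bucket:
        return False
    if g_prefix.endswith("*"):
        g_prefix = g_prefix[:-1]
    # Match on the literal key: S3 keys are not filesystem paths, so '..'
    # is never collapsed and the grant prefix should end with '/' to avoid
    # matching sibling prefixes like 'rajee-integration-private/'.
    return key.startswith(g_prefix)


def authorize(grants, action: str, bucket: str, key: str) -> bool:
    return any(grant_allows(g, action, bucket, key) for g in grants)


def check_request(claims: dict, expected_issuer: str,
                  action: str, bucket: str, key: str) -> int:
    """HTTP status the two-filter chain would return for already-signed claims:
    401 when jwt_authn rejects the token (iss is compared as an exact string),
    403 when no grant covers the operation, 200 otherwise."""
    if claims.get("iss") != expected_issuer:
        return 401
    if not authorize(claims.get("grants", []), action, bucket, key):
        return 403
    return 200


# Constructed sample data (not a real endpoint or a real token).
API_URL = "https://abc123.execute-api.us-east-1.amazonaws.com/prod"
EXPECTED_ISS = issuer_from_api_url(API_URL)
GOOD_CLAIMS = {
    "iss": EXPECTED_ISS,
    "sub": "alice",
    "grants": [
        "s3:GetObject/my-bucket/rajee-integration/",
        "s3:PutObject/my-bucket/rajee-integration/",
        "s3:ListBucket/my-bucket/",
    ],
}
# The pre-fix situation: iss still carries the '/prod' path component.
STALE_CLAIMS = dict(GOOD_CLAIMS, iss=API_URL)

if __name__ == "__main__":
    print("expected iss:", EXPECTED_ISS)
    for claims, action, key in [
        (GOOD_CLAIMS, "GetObject", "rajee-integration/a.txt"),
        (STALE_CLAIMS, "GetObject", "rajee-integration/a.txt"),
        (GOOD_CLAIMS, "GetObject", "other/a.txt"),
        (GOOD_CLAIMS, "ListBucket", "rajee-integration/"),
    ]:
        print(action, key, "->", check_request(claims, EXPECTED_ISS, action, "my-bucket", key))
```

The exact-string comparison in `check_request` is the point of the issuer fix: a token carrying `.../prod` while the filter expects the bare authority is a 401 from jwt_authn, never a 403, which is why the two failure modes need to be told apart when tests fail. The trailing-slash caveat in `grant_allows` is worth checking in any real grant policy: `rajee-integration` without the slash would also cover `rajee-integration-private/`.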

drernie and others added 3 commits January 15, 2026 22:37
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@drernie drernie linked an issue Jan 16, 2026 that may be closed by this pull request
drernie and others added 4 commits January 16, 2026 05:27
This fixes the 401 auth failures in RAJEE integration tests by ensuring
tokens are properly signed and validated against JWKS.

Changes:
- Fixed issuer claim to use only scheme+netloc (no path)
- Refactored test helpers to use control plane /token endpoint
- Removed get_jwt_secret() helper and silent fallback
- All RAJEE tests now use production JWKS validation
- Added test_rajee_token_validates_against_jwks test
- Added specs/2-rajee/12-auth-failure-analysis.md

This resolves the JWT validation failures where tests were signing with
the wrong secret, causing Envoy jwt_authn to reject all requests with 401.

Co-Authored-By: Claude <noreply@anthropic.com>
@drernie drernie changed the title Enable RAJEE auth by default Fix RAJEE JWT validation and enable auth by default Jan 16, 2026
@drernie drernie changed the title Fix RAJEE JWT validation and enable auth by default Enable RAJEE authentication by default and fix integration tests Jan 16, 2026
Co-Authored-By: Claude <noreply@anthropic.com>
@drernie drernie merged commit 45aa77d into main Jan 16, 2026
6 checks passed
@drernie drernie deleted the 19-enable-auth branch January 16, 2026 19:20

Development

Successfully merging this pull request may close these issues.

enable auth

2 participants