[extension/externalauth] Add external proxy auth extension

Signed-off-by: Bogdan Stancu <[email protected]>

Author: bogdan-at-adobe

.codecov.yml

@@ -324,6 +324,10 @@ component_management:
     name: extension_datadog
     paths:
     - extension/datadogextension/**
+  - component_id: extension_externalauth
+    name: extension_externalauth
+    paths:
+    - extension/externalauthextension/**
   - component_id: extension_googleclientauth
     name: extension_googleclientauth
     paths:

.github/CODEOWNERS

@@ -106,6 +106,7 @@ extension/encoding/skywalkingencodingextension/                  @open-telemetry
 extension/encoding/textencodingextension/                        @open-telemetry/collector-contrib-approvers @MovieStoreGuy @atoulme
 extension/encoding/zipkinencodingextension/                      @open-telemetry/collector-contrib-approvers @MovieStoreGuy @dao-jun
 extension/googleclientauthextension/                             @open-telemetry/collector-contrib-approvers @dashpole @aabmass @braydonk @jsuereth @psx95 @ridwanmsharif
+extension/externalauthextension/                                 @open-telemetry/collector-contrib-approvers @bogdan-at-adobe
 extension/headerssetterextension/                                @open-telemetry/collector-contrib-approvers @VihasMakwana
 extension/healthcheckextension/                                  @open-telemetry/collector-contrib-approvers
 extension/healthcheckv2extension/                                @open-telemetry/collector-contrib-approvers @mwear

.github/component_labels.txt

@@ -86,6 +86,7 @@ extension/encoding/otlpencodingextension extension/encoding/otlpencoding
 extension/encoding/skywalkingencodingextension extension/encoding/skywalkingencoding
 extension/encoding/textencodingextension extension/encoding/textencoding
 extension/encoding/zipkinencodingextension extension/encoding/zipkinencoding
+extension/externalauthextension extension/externalauth
 extension/googleclientauthextension extension/googleclientauth
 extension/headerssetterextension extension/headerssetter
 extension/healthcheckextension extension/healthcheck

cmd/otelcontribcol/builder-config.yaml

@@ -22,6 +22,7 @@ extensions:
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/basicauthextension v0.128.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension v0.128.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/datadogextension v0.128.0
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/externalauthextension v0.128.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/googleclientauthextension v0.128.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/headerssetterextension v0.128.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.128.0

extension/externalauthextension/Makefile

@@ -0,0 +1 @@
+include ../../Makefile.Common 

extension/externalauthextension/README.md

@@ -0,0 +1,115 @@
+# External Auth Extension
+
+<!-- status autogenerated section -->
+| Status        |           |
+| ------------- |-----------|
+| Stability     | [alpha]  |
+| Distributions | [contrib] |
+| Issues        | [![Open issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aopen%20label%3Aextension%2Fexternalauth%20&label=open&color=orange&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aopen+is%3Aissue+label%3Aextension%2Fexternalauth) [![Closed issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aclosed%20label%3Aextension%2Fexternalauth%20&label=closed&color=blue&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aclosed+is%3Aissue+label%3Aextension%2Fexternalauth) |
+| Code coverage | [![codecov](https://codecov.io/github/open-telemetry/opentelemetry-collector-contrib/graph/main/badge.svg?component=extension_externalauth)](https://app.codecov.io/gh/open-telemetry/opentelemetry-collector-contrib/tree/main/?components%5B0%5D=extension_externalauth&displayType=list) |
+| [Code Owners](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/CONTRIBUTING.md#becoming-a-code-owner)    | [@bogdan-at-adobe](https://www.github.com/bogdan-at-adobe) \| Seeking more code owners! |
+| Emeritus      |  |
+
+[alpha]: https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/component-stability.md#alpha
+[contrib]: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
+<!-- end autogenerated section -->
+
+This extension implements `configauth.ServerAuthenticator` to authenticate incoming requests using an external authentication service. The authenticator type has to be set to `externalauth`.
+
+The `externalauthextension` is an extension for the OpenTelemetry Collector that allows for external authentication of incoming requests. This extension can be used to integrate with external authentication services to validate credentials and enforce access control policies.
+
+## Problem Statement
+
+In distributed collector architectures where multiple collectors are chained together, authentication failures often go unnoticed until they reach the final collector in the chain. This creates several issues:
+
+- **Silent failures**: Intermediate collectors show successful processing logs while authentication actually fails
+- **Debugging complexity**: Authentication issues are only visible at the last collector, making troubleshooting difficult
+- **Misleading metrics**: Success metrics from intermediate collectors don't reflect actual authentication status
+- **Delayed error detection**: Authentication problems are discovered late in the pipeline
+
+The externalauth extension solves this by performing authentication validation at each collector in the chain, ensuring that authentication failures are detected and logged immediately where they occur.
+
+## Features
+
+- Supports integration with external authentication services
+- Validates incoming requests based on external authentication responses
+- Enforces access control policies
+- Token caching for performance optimization
+
+## Configuration
+
+The following settings are available:
+
+- `endpoint` (required): The URL of the external authentication service
+- `refresh_interval` (default = "1h"): Specifies the time that a newly checked token will be valid for
+- `header` (default = "Authorization"): Specifies the header to use for the token
+- `scheme` (default = "Bearer"): Specifies the authentication scheme used for the request
+- `expected_codes` (default = [200]): Specifies the list of expected HTTP codes
+- `method` (default = "POST"): Specifies the HTTP method to use for the authentication request
+- `http_client_timeout` (default = "10s"): Specifies the timeout for the HTTP client when making requests to the external authentication service
+- `telemetry_type` (default = "traces"): Specifies the telemetry type for this endpoint. Options: `traces`, `metrics`, `logs`. Only used to be added as a label to metrics
+
+### Example Configuration
+
+```yaml
+extensions:
+  externalauth:
+    endpoint: "https://auth-endpoint"
+    telemetry_type: "metrics"  # This endpoint handles metrics
+
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: "localhost:4317"
+        auth:
+          authenticator: externalauth
+
+service:
+  extensions: [externalauth]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [otlp]
+```
+
+### Advanced Configuration
+
+```yaml
+extensions:
+  externalauth/custom:
+    endpoint: "https://custom-auth.example.com"
+    refresh_interval: "30m"
+    header: "X-Custom-Auth"
+    expected_codes: [200, 201]
+    scheme: "Custom"
+    method: "GET"
+    http_client_timeout: "5s"
+    telemetry_type: "traces"
+
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: "localhost:4317"
+        auth:
+          authenticator: externalauth/custom
+
+service:
+  extensions: [externalauth/custom]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [otlp]
+```
+
+## Usage
+
+1. Configure the `externalauthextension` in your OpenTelemetry Collector configuration file
+2. Start the OpenTelemetry Collector
+3. The extension will intercept incoming requests and validate them using the configured external authentication service
+
+The full list of settings exposed for this extension is documented in [config.go](./config.go)
+with detailed sample configurations in [testdata/config.yaml](./testdata/config.yaml).

extension/externalauthextension/config.go

@@ -0,0 +1,102 @@
+package externalauthextension
+
+import (
+	"errors"
+	"net/http"
+	"net/url"
+	"time"
+
+	"go.opentelemetry.io/collector/component"
+)
+
+const (
+	defaultRefreshInterval   = "1h"
+	defaultHeader            = "Authorization"
+	defaultExpectedCode      = 200
+	defaultScheme            = "Bearer"
+	defaultMethod            = "POST"
+	defaultHttpClientTimeout = 10 * time.Second
+	defaultTelemetryType     = "traces"
+)
+
+type Config struct {
+	// Endpoint specifies the endpoint to authenticate against. Required
+	Endpoint string `mapstructure:"endpoint"`
+	//RefreshInterval specifies the time that a newly checked token will be valid for. Defaults to "1h"
+	RefreshInterval string `mapstructure:"refresh_interval,omitempty"`
+	// Header specifies the header used in the request. Defaults to "Authorization"
+	Header string `mapstructure:"header,omitempty"`
+	// ExpectedCodes is a list of expected HTTP codes. Defaults to [200]
+	ExpectedCodes []int `mapstructure:"expected_codes,omitempty"`
+	// Scheme specifies the auth-scheme for the token. Defaults to "Bearer"
+	Scheme string `mapstructure:"scheme,omitempty"`
+	// Method specifies the HTTP method used in the request. Defaults to "POST"
+	Method string `mapstructure:"method,omitempty"`
+	// HTTPClientTimeout specifies the timeout for the HTTP client. Defaults to "10s"
+	HTTPClientTimeout time.Duration `mapstructure:"http_client_timeout,omitempty"`
+	// TelemetryType specifies the telemetry type for this endpoint. Options: "traces", "metrics", "logs". Defaults to "traces"
+	TelemetryType string `mapstructure:"telemetry_type,omitempty"`
+}
+
+var (
+	_                       component.Config = (*Config)(nil)
+	errNoEndpointProvided                    = errors.New("no endpoint to authenticate against provided")
+	errInvalidInterval                       = errors.New("invalid refresh interval")
+	errInvalidEndpoint                       = errors.New("invalid remote endpoint")
+	errInvalidHttpCode                       = errors.New("code provided is not a valid HTTP code")
+	errInvalidTelemetryType                  = errors.New("telemetry_type must be one of: traces, metrics, logs")
+)
+
+// Validate checks if the extension configuration is valid
+func (cfg *Config) Validate() error {
+	if cfg.Endpoint == "" {
+		return errNoEndpointProvided
+	} else {
+		_, err := url.ParseRequestURI(cfg.Endpoint)
+		if err != nil {
+			return errInvalidEndpoint
+		}
+	}
+	if cfg.RefreshInterval == "" {
+		cfg.RefreshInterval = defaultRefreshInterval
+	} else {
+		_, err := time.ParseDuration(cfg.RefreshInterval)
+		if err != nil {
+			return errInvalidInterval
+		}
+	}
+	if cfg.Header == "" {
+		cfg.Header = defaultHeader
+	}
+	if cfg.HTTPClientTimeout == 0 {
+		cfg.HTTPClientTimeout = defaultHttpClientTimeout
+	}
+	if cfg.ExpectedCodes == nil {
+		cfg.ExpectedCodes = []int{defaultExpectedCode}
+	} else {
+		for _, code := range cfg.ExpectedCodes {
+			if http.StatusText(code) == "" {
+				return errInvalidHttpCode
+			}
+		}
+	}
+	if cfg.Scheme == "" {
+		cfg.Scheme = defaultScheme
+	}
+	if cfg.Method == "" {
+		cfg.Method = defaultMethod
+	}
+	if cfg.TelemetryType == "" {
+		cfg.TelemetryType = defaultTelemetryType
+	} else {
+		validTypes := map[string]bool{
+			"traces":  true,
+			"metrics": true,
+			"logs":    true,
+		}
+		if !validTypes[cfg.TelemetryType] {
+			return errInvalidTelemetryType
+		}
+	}
+	return nil
+}

extension/externalauthextension/config_test.go

@@ -0,0 +1,129 @@
+package externalauthextension
+
+import (
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/confmap/confmaptest"
+	"go.opentelemetry.io/collector/confmap/xconfmap"
+
+	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/externalauthextension/internal/metadata"
+)
+
+func TestLoadConfig(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		id          component.ID
+		expected    component.Config
+		expectedErr bool
+	}{
+		{
+			id: component.NewIDWithName(metadata.Type, "valid"),
+			expected: &Config{
+				Endpoint:          "https://auth.example.com/validate",
+				RefreshInterval:   "1h",
+				Header:            "Authorization",
+				ExpectedCodes:     []int{200},
+				Scheme:            "Bearer",
+				Method:            "POST",
+				HTTPClientTimeout: 10 * time.Second,
+				TelemetryType:     "traces",
+			},
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "metrics"),
+			expected: &Config{
+				Endpoint:          "https://auth.example.com/validate",
+				RefreshInterval:   "1h",
+				Header:            "Authorization",
+				ExpectedCodes:     []int{200},
+				Scheme:            "Bearer",
+				Method:            "POST",
+				HTTPClientTimeout: 10 * time.Second,
+				TelemetryType:     "metrics",
+			},
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "logs"),
+			expected: &Config{
+				Endpoint:          "https://auth.example.com/validate",
+				RefreshInterval:   "1h",
+				Header:            "Authorization",
+				ExpectedCodes:     []int{200},
+				Scheme:            "Bearer",
+				Method:            "POST",
+				HTTPClientTimeout: 10 * time.Second,
+				TelemetryType:     "logs",
+			},
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "custom_settings"),
+			expected: &Config{
+				Endpoint:          "https://custom-auth.example.com",
+				RefreshInterval:   "30m",
+				Header:            "X-Custom-Auth",
+				ExpectedCodes:     []int{200, 201},
+				Scheme:            "Custom",
+				Method:            "GET",
+				HTTPClientTimeout: 5 * time.Second,
+				TelemetryType:     "traces",
+			},
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "k8s_dns"),
+			expected: &Config{
+				Endpoint:          "dns:///auth-service.namespace.svc.cluster.local",
+				RefreshInterval:   "1h",
+				Header:            "Authorization",
+				ExpectedCodes:     []int{200},
+				Scheme:            "Bearer",
+				Method:            "POST",
+				HTTPClientTimeout: 10 * time.Second,
+				TelemetryType:     "traces",
+			},
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missing_endpoint"),
+			expectedErr: true,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_endpoint"),
+			expectedErr: true,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_interval"),
+			expectedErr: true,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_http_code"),
+			expectedErr: true,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_telemetry_type"),
+			expectedErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.id.String(), func(t *testing.T) {
+			cm, err := confmaptest.LoadConf(filepath.Join("testdata", "config.yaml"))
+			require.NoError(t, err)
+			factory := NewFactory()
+			cfg := factory.CreateDefaultConfig()
+			sub, err := cm.Sub(tt.id.String())
+			require.NoError(t, err)
+			require.NoError(t, sub.Unmarshal(cfg))
+			if tt.expectedErr {
+				assert.Error(t, xconfmap.Validate(cfg))
+				return
+			}
+			assert.NoError(t, xconfmap.Validate(cfg))
+			assert.Equal(t, tt.expected, cfg)
+		})
+	}
+}

extension/externalauthextension/doc.go

@@ -0,0 +1,7 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:generate mdatagen metadata.yaml
+
+// Package externalauthextension implements an extension offering external authentication for incoming requests.
+package externalauthextension // import "github.com/open-telemetry/opentelemetry-collector-contrib/extension/externalauthextension"