Add comprehensive mTLS and OAuth authentication to REST API v2

This commit introduces comprehensive authentication support for the cloud event
notifications REST API v2, enabling secure communication in production environments.

**Authentication Methods:**
- mTLS (Mutual TLS) authentication with client certificate validation
- OAuth JWT token authentication with strict issuer validation
- Support for both OpenShift OAuth server and Kubernetes ServiceAccount tokens
- Flexible authentication configuration via JSON config files

**OpenShift Integration:**
- Native OpenShift Service CA integration for automatic certificate management
- OpenShift OAuth server integration for JWT token validation
- ServiceAccount-based authentication for pod-to-pod communication
- Dynamic cluster name configuration for multi-cluster deployments

**Security Features:**
- Strict OAuth validation with issuer verification
- Comprehensive token validation (expiration, audience, signature)
- Client certificate validation with configurable CA trust
- Path-based authentication middleware (health endpoints bypass auth)
- Localhost connection support for internal health checks

**Configuration Options:**
- JSON-based authentication configuration
- Support for OpenShift Service CA and cert-manager
- Configurable OAuth scopes and audience validation
- Environment-based cluster name configuration

**Core Implementation:**
- `v2/auth.go`: OAuth and mTLS authentication middleware and validation logic
- `v2/server.go`: Enhanced server with authentication support and TLS configuration
- `go.mod`/`go.sum`: Added golang-jwt/jwt/v5 dependency for JWT validation

**Documentation:**
- `AUTHENTICATION.md`: Comprehensive authentication configuration guide
- `OPENSHIFT_AUTHENTICATION.md`: OpenShift-specific deployment and configuration
- `README.md`: Updated with authentication feature overview and links

**Examples and Templates:**
- `auth-config-example.json`: Example authentication configuration
- `examples/openshift-auth-config.json`: OpenShift-specific configuration template
- `examples/openshift-manifests.yaml`: Complete OpenShift deployment manifests
- `examples/README.md`: Documentation for example configurations

- **Multi-Issuer Support**: Accepts both OpenShift OAuth tokens and Kubernetes ServiceAccount tokens
- **Strict Validation**: No authentication bypass mechanisms, exact issuer matching required
- **Comprehensive Error Handling**: Clear error messages without exposing sensitive information
- **Production Ready**: Designed for secure production deployments in OpenShift clusters

- Authentication is optional and configurable
- Existing deployments continue to work without authentication
- Health check endpoints remain accessible for monitoring
- Graceful fallback for non-authenticated deployments

This implementation provides enterprise-grade security for cloud event notifications
while maintaining compatibility with existing deployments and supporting flexible
authentication scenarios across different Kubernetes environments.

Resolves authentication requirements for secure cloud event communication in
production OpenShift environments.

Signed-off-by: Jack Ding <jackding@gmail.com>

Author: jzding

AUTHENTICATION.md

@@ -7,6 +7,27 @@
 
 The REST-API specification below is generated by Swagger tools. Please refer to the [Developers Guide](docs/dev-readme.md) on how to use Swagger to generate specs and documentations.
 
+## Authentication
+
+This REST API supports enterprise-grade authentication using mTLS and OAuth with **strict security validation**. For detailed configuration instructions, see:
+
+- **[Authentication Configuration](AUTHENTICATION.md)** - Complete guide for configuring mTLS and OAuth authentication
+- **[OpenShift Authentication](OPENSHIFT_AUTHENTICATION.md)** - OpenShift-specific deployment guide with native Service CA and OAuth server integration
+
+### Security Features
+
+- **Strict OAuth Validation**: JWT tokens are validated against the configured issuer with no bypass mechanisms
+- **Issuer Verification**: Token issuer must exactly match the configured OAuth issuer
+- **Expiration Checking**: Expired tokens are rejected with clear error messages
+- **Audience Validation**: Tokens must contain the required audience claim
+- **mTLS Certificate Validation**: Client certificates are verified against the configured CA
+
+### Recent Security Improvements
+
+- **Fixed OAuth Security Vulnerability** (v2.1.0): Implemented proper OAuth token validation to prevent unauthorized access
+- **Added JWT Library Support**: Uses `golang-jwt/jwt/v5` for secure token parsing and validation
+- **Enhanced Error Handling**: Clear error messages for authentication failures without exposing sensitive information
+
 ## O-RAN Compliant REST API Specification
 
 Starting from release [v1.21.0](https://github.com/redhat-cne/rest-api/releases/tag/v1.21.0), the REST API implemented in this repo is compliant with [O-RAN O-Cloud Notification API Specification for Event Consumers 4.0](https://orandownloadsweb.azurewebsites.net/specifications).

OPENSHIFT_AUTHENTICATION.md

@@ -0,0 +1,12 @@
+{
+  "enableMTLS": true,
+  "caCertPath": "/etc/certs/ca.crt",
+  "serverCertPath": "/etc/certs/server.crt",
+  "serverKeyPath": "/etc/certs/server.key",
+
+  "enableOAuth": true,
+  "oauthIssuer": "https://your-oauth-provider.com",
+  "oauthJWKSURL": "https://your-oauth-provider.com/.well-known/jwks.json",
+  "requiredScopes": ["subscription:create", "events:read"],
+  "requiredAudience": "rest-api-service"
+}

README.md

@@ -0,0 +1,34 @@
+# Authentication Configuration Examples
+
+This directory contains example configuration files for setting up authentication with the REST API.
+
+## Files
+
+### Configuration Examples
+
+- **`openshift-auth-config.json`** - Example authentication configuration for OpenShift environments
+  - Uses OpenShift Service CA for mTLS certificate management
+  - Integrates with OpenShift's built-in OAuth server
+  - Template format with placeholder URLs that should be customized for your cluster
+
+### Deployment Examples
+
+- **`openshift-manifests.yaml`** - Complete Kubernetes manifests for OpenShift deployment
+  - Service definitions with Service CA annotations
+  - ConfigMaps for cluster information and authentication configuration
+  - ServiceAccount and RBAC resources
+  - Template format with `{{.NodeName}}` and `{{.ClusterName}}` placeholders
+
+## Usage
+
+1. **For OpenShift deployments**: Use the `openshift-*` files as templates
+2. **Replace placeholders**: Update `your-cluster.com` with your actual cluster domain
+3. **Deploy**: Apply the manifests to your OpenShift cluster
+
+## Template Variables
+
+- `{{.NodeName}}` - Replaced with the actual node name during deployment
+- `{{.ClusterName}}` - Should be replaced with your cluster's domain name
+- `your-cluster.com` - Placeholder that should be replaced with your actual cluster domain
+
+For detailed instructions, see the main [Authentication Configuration](../AUTHENTICATION.md) documentation.

auth-config-example.json

@@ -0,0 +1,15 @@
+{
+  "enableMTLS": true,
+  "useServiceCA": true,
+  "caCertPath": "/etc/cloud-event-proxy/ca-bundle/service-ca.crt",
+  "serverCertPath": "/etc/cloud-event-proxy/server-certs/tls.crt",
+  "serverKeyPath": "/etc/cloud-event-proxy/server-certs/tls.key",
+  "enableOAuth": true,
+  "useOpenShiftOAuth": true,
+  "oauthIssuer": "https://oauth-openshift.apps.your-cluster.com",
+  "oauthJWKSURL": "https://oauth-openshift.apps.your-cluster.com/oauth/jwks",
+  "requiredScopes": ["user:info"],
+  "requiredAudience": "openshift",
+  "serviceAccountName": "cloud-event-proxy-sa",
+  "serviceAccountToken": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+}

examples/README.md

@@ -0,0 +1,159 @@
+# Unified OpenShift Authentication Configuration
+# Works for both single node and multi-node OpenShift clusters
+# Uses OpenShift's built-in Service CA and OAuth server
+
+---
+# Service with Service CA annotation for automatic certificate generation
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "false"
+    service.beta.openshift.io/serving-cert-secret-name: cloud-event-proxy-tls
+  labels:
+    app: linuxptp-daemon
+  name: ptp-event-publisher-service-{{.NodeName}}
+  namespace: openshift-ptp
+spec:
+  clusterIP: None
+  selector:
+    app: linuxptp-daemon
+    nodeName: {{.NodeName}}
+  ports:
+    - name: publisher-port
+      port: 9043
+  sessionAffinity: None
+  type: ClusterIP
+
+---
+# ConfigMap for cluster information
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-info
+  namespace: openshift-ptp
+data:
+  cluster-name: "{{.ClusterName}}"
+
+---
+# ConfigMap for authentication configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloud-event-proxy-auth-config
+  namespace: openshift-ptp
+data:
+  auth-config.json: |
+    {
+      "enableMTLS": true,
+      "useServiceCA": true,
+      "caCertPath": "/etc/cloud-event-proxy/ca-bundle/service-ca.crt",
+      "serverCertPath": "/etc/cloud-event-proxy/server-certs/tls.crt",
+      "serverKeyPath": "/etc/cloud-event-proxy/server-certs/tls.key",
+      "enableOAuth": true,
+      "useOpenShiftOAuth": true,
+      "oauthIssuer": "https://oauth-openshift.apps.{{.ClusterName}}",
+      "oauthJWKSURL": "https://oauth-openshift.apps.{{.ClusterName}}/oauth/jwks",
+      "requiredScopes": ["user:info"],
+      "requiredAudience": "openshift",
+      "serviceAccountName": "cloud-event-proxy-sa",
+      "serviceAccountToken": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    }
+
+---
+# ServiceAccount for the cloud-event-proxy
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-event-proxy-sa
+  namespace: openshift-ptp
+
+---
+# Role for cloud-event-proxy permissions
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cloud-event-proxy-role
+  namespace: openshift-ptp
+rules:
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+
+---
+# RoleBinding to bind ServiceAccount to Role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cloud-event-proxy-binding
+  namespace: openshift-ptp
+subjects:
+- kind: ServiceAccount
+  name: cloud-event-proxy-sa
+  namespace: openshift-ptp
+roleRef:
+  kind: Role
+  name: cloud-event-proxy-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# DaemonSet configuration for cloud-event-proxy
+# Works on both single node and multi-node clusters
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: linuxptp-daemon
+  namespace: openshift-ptp
+spec:
+  selector:
+    matchLabels:
+      app: linuxptp-daemon
+      nodeName: {{.NodeName}}
+  template:
+    metadata:
+      labels:
+        app: linuxptp-daemon
+        nodeName: {{.NodeName}}
+    spec:
+      serviceAccountName: cloud-event-proxy-sa
+      containers:
+      - name: cloud-event-proxy
+        image: quay.io/redhat-cne/cloud-event-proxy:latest
+        args:
+          - "--auth-config=/etc/cloud-event-proxy/auth/auth-config.json"
+        env:
+        - name: CLUSTER_NAME
+          valueFrom:
+            configMapKeyRef:
+              name: cluster-info
+              key: cluster-name
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        volumeMounts:
+        - name: server-certs
+          mountPath: /etc/cloud-event-proxy/server-certs
+          readOnly: true
+        - name: ca-bundle
+          mountPath: /etc/cloud-event-proxy/ca-bundle
+          readOnly: true
+        - name: auth-config
+          mountPath: /etc/cloud-event-proxy/auth
+          readOnly: true
+      volumes:
+      - name: server-certs
+        secret:
+          secretName: cloud-event-proxy-tls
+      - name: ca-bundle
+        secret:
+          secretName: cloud-event-proxy-tls
+      - name: auth-config
+        configMap:
+          name: cloud-event-proxy-auth-config

examples/openshift-auth-config.json

@@ -20,6 +20,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect

examples/openshift-manifests.yaml

@@ -9,6 +9,8 @@ github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=