MCS service account authentication with Mkube (#166)

`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)

Kubernetes

The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable

````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````

Author: Alevsk

docs/mcs_service_account_mkube.md

@@ -0,0 +1,40 @@
+# MCS service account authentication with Mkube
+
+`MCS` will authenticate against `Mkube`using bearer tokens via HTTP `Authorization` header. The user will provide this token once
+in the login form, MCS will validate it against Mkube (list tenants) and if valid will generate and return a new MCS sessions 
+with encrypted claims (the user Service account token will be inside the JWT in the data field)
+
+# Kubernetes
+
+The provided `JWT token` corresponds to the `Kubernetes service account` that `Mkube` will use to run tasks on behalf of the
+user, ie: list, create, edit, delete tenants, storage class, etc.
+
+# Development
+
+If you are running mcs in your local environment and wish to make request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
+the environment variable is not present by default `MCS` will use `"http://m3:8787"`, additionally you will need to set the
+`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI 
+
+## Extract the Service account token and use it with MCS
+
+For local development you can use the jwt associated to the `m3-sa` service account, you can get the token running
+the following command in your terminal:
+
+```
+kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
+```
+
+Then run the mcs server
+
+```
+MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs server
+```
+
+# Self-signed certificates and Custom certificate authority for Mkube
+
+If Mkube uses TLS with a self-signed certificate, or a certificate issued by a custom certificate authority you can add those
+certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable
+
+````
+MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs server
+````

go.mod

@@ -18,8 +18,8 @@ require (
 	github.com/json-iterator/go v1.1.9
 	github.com/minio/cli v1.22.0
 	github.com/minio/mc v0.0.0-20200515235434-3b479cf92ed6
-	github.com/minio/minio v0.0.0-20200516011754-9cac385aecdb
-	github.com/minio/minio-go/v6 v6.0.56-0.20200502013257-a81c8c13cc3f
+	github.com/minio/minio v0.0.0-20200603201854-5686a7e27319
+	github.com/minio/minio-go/v6 v6.0.56
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/testify v1.5.1

go.sum

@@ -22,8 +22,8 @@ import (
 	"github.com/minio/minio/pkg/env"
 )
 
-// GetOperatorOnly gets mcs operator mode status set on env variable
-//or default one
-func GetOperatorOnly() string {
-	return strings.ToLower(env.Get(McsOperatorOnly, "off"))
+// GetOperatorOnly gets MCS mkube admin mode status set on env variable
+// or default one
+func GetOperatorOnly() bool {
+	return strings.ToLower(env.Get(McsmKubeAdminOnly, "off")) == "on"
 }

models/login_details.go

@@ -17,5 +17,5 @@
 package acl
 
 const (
-	McsOperatorOnly = "MCS_OPERATOR_ONLY"
+	McsmKubeAdminOnly = "MCS_MKUBE_ADMIN_ONLY"
 )

models/login_mkube_request.go

@@ -286,7 +286,7 @@ func actionsStringToActionSet(actions []string) iampolicy.ActionSet {
 func GetAuthorizedEndpoints(actions []string) []string {
 	rangeTake := endpointRules
 
-	if operatorOnly == "on" {
+	if operatorOnly {
 		rangeTake = operatorRules
 	}
 

pkg/acl/config.go

@@ -106,7 +106,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 }
 
 func TestOperatorOnlyEndpoints(t *testing.T) {
-	operatorOnly = "on"
+	operatorOnly = true
 
 	tests := []endpoint{
 		{

pkg/acl/const.go

@@ -26,9 +26,11 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"strings"
 
 	jwtgo "github.com/dgrijalva/jwt-go"
+	"github.com/go-openapi/swag"
 	xjwt "github.com/minio/mcs/pkg/auth/jwt"
 	"github.com/minio/minio-go/v6/pkg/credentials"
 	"github.com/minio/minio/cmd"
@@ -182,3 +184,42 @@ func decrypt(data []byte) ([]byte, error) {
 	}
 	return plaintext, nil
 }
+
+// GetTokenFromRequest returns a token from a http Request
+// either defined on a cookie `token` or on Authorization header.
+//
+// Authorization Header needs to be like "Authorization Bearer <jwt_token>"
+func GetTokenFromRequest(r *http.Request) (*string, error) {
+	// Get Auth token
+	var reqToken string
+
+	// Token might come either as a Cookie or as a Header
+	// if not set in cookie, check if it is set on Header.
+	tokenCookie, err := r.Cookie("token")
+	if err != nil {
+		headerToken := r.Header.Get("Authorization")
+		// reqToken should come as "Bearer <token>"
+		splitHeaderToken := strings.Split(headerToken, "Bearer")
+		if len(splitHeaderToken) <= 1 {
+			return nil, errNoAuthToken
+		}
+		reqToken = strings.TrimSpace(splitHeaderToken[1])
+	} else {
+		reqToken = strings.TrimSpace(tokenCookie.Value)
+	}
+	return swag.String(reqToken), nil
+}
+
+func GetClaimsFromTokenInRequest(req *http.Request) (*DecryptedClaims, error) {
+	sessionID, err := GetTokenFromRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// Perform decryption of the JWT, if MCS is able to decrypt the JWT that means a valid session
+	// was used in the first place to get it
+	claims, err := JWTAuthenticate(*sessionID)
+	if err != nil {
+		return nil, err
+	}
+	return claims, nil
+}