Refactor for session management (#193)

Previously every Handler function was receiving the session token in the
form of a jwt string, in consequence every time we want to access the
encrypted claims of the jwt we needed to run a decryption process,
additionally we were decrypting the jwt twice, first at the session
validation then inside each handler function, this was also causing a
lot of using related to the merge between m3 and mcs

What changed:

Now we validate and decrypt the jwt once in `configure_mcs.go`, this
works for both, mcs (console) and operator sessions, and then pass the
decrypted claims to all the functions that need it, so no further token
validation or decryption is need it.

Author: Alevsk

Makefile

@@ -59,3 +59,6 @@ clean:
 	@find . -name '*.test' | xargs rm -fv
 	@find . -name '*~' | xargs rm -fv
 	@rm -vf mcs
+
+docker:
+	@docker build -t $(TAG) --build-arg build_version=$(BUILD_VERSION) --build-arg build_time='$(BUILD_TIME)' .

cluster/cluster.go

@@ -23,15 +23,28 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 )
 
-func GetK8sConfig(token string) *rest.Config {
-	// if console is running inside k8s by default he will have access to the ca cert from the k8s local authority
-	const (
-		rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-	)
-	tlsClientConfig := rest.TLSClientConfig{Insecure: getK8sAPIServerInsecure()}
-	if _, err := certutil.NewPool(rootCAFile); err == nil {
-		tlsClientConfig.CAFile = rootCAFile
+// getTLSClientConfig will return the right TLS configuration for the K8S client based on the configured TLS certificate
+func getTLSClientConfig() rest.TLSClientConfig {
+	var defaultRootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	var customRootCAFile = getK8sAPIServerTLSRootCA()
+	tlsClientConfig := rest.TLSClientConfig{}
+	// if console is running inside k8s by default he will have access to the CA Cert from the k8s local authority
+	if _, err := certutil.NewPool(defaultRootCAFile); err == nil {
+		tlsClientConfig.CAFile = defaultRootCAFile
+	}
+	// if the user explicitly define a custom CA certificate, instead, we will use that
+	if customRootCAFile != "" {
+		if _, err := certutil.NewPool(customRootCAFile); err == nil {
+			tlsClientConfig.CAFile = customRootCAFile
+		}
 	}
+	return tlsClientConfig
+}
+
+// This operation will run only once at console startup
+var tlsClientConfig = getTLSClientConfig()
+
+func GetK8sConfig(token string) *rest.Config {
 	config := &rest.Config{
 		Host:            GetK8sAPIServer(),
 		TLSClientConfig: tlsClientConfig,

cluster/config.go

@@ -48,10 +48,10 @@ func GetK8sAPIServer() string {
 	return env.Get(McsK8sAPIServer, apiServerAddress)
 }
 
-// getK8sAPIServerInsecure allow to tell the k8s client to skip TLS certificate verification, ie: when connecting to a k8s cluster
-// that uses certificate not trusted by your machine
-func getK8sAPIServerInsecure() bool {
-	return strings.ToLower(env.Get(McsK8SAPIServerInsecure, "off")) == "on"
+// If MCS_K8S_API_SERVER_TLS_ROOT_CA is true mcs will load the certificate into the
+// http.client rootCAs pool, this is useful for testing an k8s ApiServer or when working with self-signed certificates
+func getK8sAPIServerTLSRootCA() string {
+	return strings.TrimSpace(env.Get(McsK8SAPIServerTLSRootCA, ""))
 }
 
 // GetNsFromFile assumes console is running inside a k8s pod and extract the current namespace from the

cluster/const.go

@@ -17,9 +17,9 @@
 package cluster
 
 const (
-	McsK8sAPIServer         = "MCS_K8S_API_SERVER"
-	McsK8SAPIServerInsecure = "MCS_K8S_API_SERVER_INSECURE"
-	McsMinioImage           = "MCS_MINIO_IMAGE"
-	McsMCImage              = "MCS_MC_IMAGE"
-	McsNamespace            = "MCS_NAMESPACE"
+	McsK8sAPIServer          = "MCS_K8S_API_SERVER"
+	McsK8SAPIServerTLSRootCA = "MCS_K8S_API_SERVER_TLS_ROOT_CA"
+	McsMinioImage            = "MCS_MINIO_IMAGE"
+	McsMCImage               = "MCS_MC_IMAGE"
+	McsNamespace             = "MCS_NAMESPACE"
 )

docs/mcs_operator_mode.md

@@ -0,0 +1,39 @@
+# Running MCS in Operator mode
+
+`MCS` will authenticate against `Kubernetes`using bearer tokens via HTTP `Authorization` header. The user will provide this token once
+in the login form, MCS will validate it against Kubernetes (list apis) and if valid will generate and return a new MCS sessions 
+with encrypted claims (the user Service account token will be inside the JWT in the data field)
+
+# Kubernetes
+
+The provided `JWT token` corresponds to the `Kubernetes service account` that `MCS` will use to run tasks on behalf of the
+user, ie: list, create, edit, delete tenants, storage class, etc.
+
+
+# Development
+
+If console is running inside a k8s pod `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` will contain the k8s api server apiServerAddress
+if console is not running inside k8s by default will look for the k8s api server on `localhost:8001` (kubectl proxy)
+
+If you are running mcs in your local environment and wish to make request to `Kubernetes` you can set `MCS_K8S_API_SERVER`, if
+the environment variable is not present by default `MCS` will use `"http://localhost:8001"`, additionally you will need to set the
+`MCS_OPERATOR_MODE=on` variable to make MCS display the Operator UI.
+
+NOTE: using `kubectl` proxy is for local development only, since every request send to localhost:8001 will bypass service account authentication
+more info here: https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api
+you can override this using `MCS_K8S_API_SERVER`, ie use the k8s cluster from `kubectl config view`
+
+## Extract the Service account token and use it with MCS
+
+For local development you can use the jwt associated to the `m3-sa` service account, you can get the token running
+the following command in your terminal:
+
+```
+kubectl get secret $(kubectl get serviceaccount mcs-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
+```
+
+Then run the mcs server
+
+```
+MCS_OPERATOR_MODE=on ./mcs server
+```

docs/mcs_service_account_mkube.md

@@ -32,6 +32,7 @@ import (
 
 	jwtgo "github.com/dgrijalva/jwt-go"
 	"github.com/go-openapi/swag"
+	"github.com/minio/mcs/models"
 	xjwt "github.com/minio/mcs/pkg/auth/jwt"
 	"github.com/minio/minio-go/v6/pkg/credentials"
 	uuid "github.com/satori/go.uuid"
@@ -210,7 +211,7 @@ func GetTokenFromRequest(r *http.Request) (*string, error) {
 	return swag.String(reqToken), nil
 }
 
-func GetClaimsFromTokenInRequest(req *http.Request) (*DecryptedClaims, error) {
+func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
 	sessionID, err := GetTokenFromRequest(req)
 	if err != nil {
 		return nil, err
@@ -221,5 +222,10 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*DecryptedClaims, error) {
 	if err != nil {
 		return nil, err
 	}
-	return claims, nil
+	return &models.Principal{
+		AccessKeyID:     claims.AccessKeyID,
+		Actions:         claims.Actions,
+		SecretAccessKey: claims.SecretAccessKey,
+		SessionToken:    claims.SessionToken,
+	}, nil
 }

models/principal.go

@@ -17,12 +17,12 @@
 package auth
 
 import (
-	"fmt"
+	"context"
 	"log"
-	"net/http"
 
 	"github.com/minio/mcs/cluster"
 	"github.com/minio/minio-go/v6/pkg/credentials"
+	operatorClientset "github.com/minio/minio-operator/pkg/client/clientset/versioned"
 )
 
 // operatorCredentialsProvider is an struct to hold the JWT (service account token)
@@ -44,16 +44,31 @@ func (s operatorCredentialsProvider) IsExpired() bool {
 	return false
 }
 
-// isServiceAccountTokenValid will make an authenticated request (using bearer token) against kubernetes api, if the
+// OperatorClient interface with all functions to be implemented
+// by mock when testing, it should include all OperatorClient respective api calls
+// that are used within this project.
+type OperatorClient interface {
+	Authenticate(context.Context) ([]byte, error)
+}
+
+// Interface implementation
+//
+// Define the structure of a operator client and define the functions that are actually used
+// from the minio-operator.
+type operatorClient struct {
+	client *operatorClientset.Clientset
+}
+
+// Authenticate implements the operator authenticate function via REST /api
+func (c *operatorClient) Authenticate(ctx context.Context) ([]byte, error) {
+	return c.client.RESTClient().Verb("GET").RequestURI("/api").DoRaw(ctx)
+}
+
+// isServiceAccountTokenValid will make an authenticated request against kubernetes api, if the
 // request success means the provided jwt its a valid service account token and the MCS user can use it for future
-// requests until it fails
-func isServiceAccountTokenValid(client *http.Client, jwt string) bool {
-	//# Explore the API with TOKEN
-	//curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
-	apiURL := fmt.Sprintf("%s/api", cluster.GetK8sAPIServer())
-	req, _ := http.NewRequest("GET", apiURL, nil)
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwt))
-	_, err := client.Do(req)
+// requests until it expires
+func isServiceAccountTokenValid(ctx context.Context, operatorClient OperatorClient) bool {
+	_, err := operatorClient.Authenticate(ctx)
 	if err != nil {
 		log.Println(err)
 		return false
@@ -63,8 +78,15 @@ func isServiceAccountTokenValid(client *http.Client, jwt string) bool {
 
 // GetMcsCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
 func GetMcsCredentialsForOperator(jwt string) (*credentials.Credentials, error) {
-	client := http.Client{}
-	if isServiceAccountTokenValid(&client, jwt) {
+	ctx := context.Background()
+	opClientClientSet, err := cluster.OperatorClient(jwt)
+	if err != nil {
+		return nil, err
+	}
+	opClient := &operatorClient{
+		client: opClientClientSet,
+	}
+	if isServiceAccountTokenValid(ctx, opClient) {
 		return credentials.New(operatorCredentialsProvider{serviceAccountJWT: jwt}), nil
 	}
 	return nil, errInvalidCredentials