Merge pull request #9029 from naveenpaul1/metrics-auth-token

Authentication for metrics and version endpoint

Author: naveenpaul1

config.js

@@ -1126,6 +1126,9 @@ config.DEFAULT_REGION = 'us-east-1';
 
 config.VACCUM_ANALYZER_INTERVAL = 86400000;
 
+config.NOOBAA_METRICS_AUTH_ENABLED = process.env.NOOBAA_METRICS_AUTH_ENABLED === 'true';
+config.NOOBAA_VERSION_AUTH_ENABLED = process.env.NOOBAA_VERSION_AUTH_ENABLED === 'true';
+
 /////////////////////
 //                 //
 //    OVERRIDES    //

docs/NooBaaNonContainerized/ConfigFileCustomizations.md

@@ -449,7 +449,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "LOG_TO_STDERR_ENABLED": false
     3. systemctl restart noobaa
     ```
-### 30. Notification log directory
+### 31. Notification log directory
 * <u>Key</u> `NOTIFICATION_LOG_DIR`
 * <u>Type</u> String
 * <u>Default</u> empty
@@ -462,7 +462,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "NOTIFICATION_LOG_DIR": "/etc/notif"
     3. systemctl restart noobaa
 
-### 31. Prometheus HTTP enable flag -
+### 32. Prometheus HTTP enable flag -
 * <u>Key</u>: `ALLOW_HTTP_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -476,7 +476,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 32. Prometheus HTTPS enable flag -
+### 33. Prometheus HTTPS enable flag -
 * <u>Key</u>: `ALLOW_HTTPS_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -490,7 +490,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 33. Notification space monitor frequency flag -
+### 34. Notification space monitor frequency flag -
 * <u>Key</u>: `NOTIFICATION_REQ_PER_SPACE_CHECK`
 * <u>Type</u>: Positive integer
 * <u>Default</u>: 0
@@ -504,7 +504,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Notification space monitor threshold flag -
+### 35. Notification space monitor threshold flag -
 * <u>Key</u>: `NOTIFICATION_SPACE_CHECK_THRESHOLD`
 * <u>Type</u>: Number
 * <u>Default</u>: 0.1
@@ -518,7 +518,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Dynamic supplemental groups allocation flag -
+### 36. Dynamic supplemental groups allocation flag -
 * <u>Key</u>: `NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS`
 * <u>Type</u>: boolean
 * <u>Default</u>: true

src/endpoint/endpoint.js

@@ -349,6 +349,7 @@ function create_endpoint_handler(server_type, init_request_sdk, { virtual_hosts,
  * @param {import('http').ServerResponse} res 
  */
 function version_handler(req, res) {
+    if (config.NOOBAA_VERSION_AUTH_ENABLED && !http_utils.authorize_bearer(req, res)) return;
     const noobaa_package_version = pkg.version;
     res.statusCode = 200;
     res.setHeader('Content-Type', 'text/plain');

src/endpoint/endpoint_utils.js

@@ -4,6 +4,7 @@
 const querystring = require('querystring');
 const http_utils = require('../util/http_utils');
 const pkg = require('../../package.json');
+const config = require('../../config');
 
 function prepare_rest_request(req) {
     // generate request id, this is lighter than uuid
@@ -40,7 +41,9 @@ function parse_source_url(source_url) {
 }
 
 function set_noobaa_server_header(res) {
-    res.setHeader('Server', `NooBaa/${pkg.version}`);
+    if (!config.NOOBAA_VERSION_AUTH_ENABLED) {
+        res.setHeader('Server', `NooBaa/${pkg.version}`);
+    }
 }
 
 exports.prepare_rest_request = prepare_rest_request;

src/server/analytic_services/prometheus_reporting.js

@@ -21,6 +21,9 @@ const reports = Object.seal({
     endpoint: null // optional
 });
 
+const ROLE_METRICS = 'metrics';
+const ROLE_ADMIN = 'admin';
+
 let io_stats_complete = {};
 let ops_stats_complete = {};
 let fs_worker_stats_complete = {};
@@ -69,6 +72,12 @@ async function start_server(
         return;
     }
     const metrics_request_handler = async (req, res) => {
+        if (config.NOOBAA_METRICS_AUTH_ENABLED && !http_utils.authorize_bearer(req, res, [ ROLE_METRICS, ROLE_ADMIN ])) {
+            // Authorize bearer token metrics endpoint
+            // Role 'metrics' is used in operator RPC call, 
+            // Update operator RPC call first before changing role
+            return;
+        }
         // Serve all metrics on the root path for system that do have one or more fork running.
         if (fork_enabled) {
             // we would like this part to be first as clusterMetrics might fail.

src/server/web_server.js

@@ -217,6 +217,8 @@ async function get_log_level_handler(req, res) {
 }
 
 async function get_version_handler(req, res) {
+    // Authorize bearer token version endpoint
+    if (config.NOOBAA_VERSION_AUTH_ENABLED && !http_utils.authorize_bearer(req, res)) return;
     const { status, version } = await getVersion(req.url);
     if (version) res.send(version);
     if (status !== 200) res.status(status);

src/util/http_utils.js

@@ -946,6 +946,57 @@ function set_response_headers_from_request(req, res) {
     if (req.query['response-expires']) res.setHeader('Expires', req.query['response-expires']);
 }
 
+/**
+ * Authenticate JWT bearer token for metrics / version endpoints.
+ * Returns `true` on success, `false` after the function already sent an HTTP
+ * response (401/403) and the caller should terminate the handler early.
+ * 
+ * @param {import('http').IncomingMessage} req
+ * @param {import('http').ServerResponse} res
+ * @param {string[]} [roles]
+ */
+function authorize_bearer(req, res, roles = undefined) {
+    const { authorization, ...rest_headers } = req.headers;
+
+    const populate_response = () => {
+        res.statusCode = 403;
+        res.setHeader('Content-Type', 'text/plain');
+        res.end('Forbidden');
+    };
+
+
+    if (!authorization) {
+        dbg.error('Authentication required:', req.method, req.url, rest_headers);
+        // request lacks authentication, let the client know it's required with 401 Unauthorized
+        res.statusCode = 401;
+        res.setHeader('WWW-Authenticate', 'Bearer');
+        res.setHeader('Content-Type', 'text/plain');
+        res.end('Unauthorized');
+        return false;
+    }
+    if (!authorization.startsWith('Bearer ')) {
+        dbg.error('Authentication scheme must be Bearer:', req.method, req.url, rest_headers);
+        // authentication was provided but is invalid, return 403 Forbidden.
+        populate_response();
+        return false;
+    }
+    const token = authorization.slice('Bearer '.length);
+    let auth;
+    try {
+        auth = jwt_utils.authorize_jwt_token(token);
+    } catch (err) {
+        dbg.error('Authentication failed to verify JWT token:', req.method, req.url, rest_headers, err);
+        populate_response();
+        return false;
+    }
+    if (roles && !roles.includes(auth.role)) {
+        dbg.error('Authentication role is not allowed:', auth, roles, req.method, req.url, rest_headers);
+        populate_response();
+        return false;
+    }
+    return true;
+}
+
 exports.parse_url_query = parse_url_query;
 exports.parse_client_ip = parse_client_ip;
 exports.get_md_conditions = get_md_conditions;
@@ -984,3 +1035,4 @@ exports.CONTENT_TYPE_APP_JSON = CONTENT_TYPE_APP_JSON;
 exports.CONTENT_TYPE_APP_XML = CONTENT_TYPE_APP_XML;
 exports.CONTENT_TYPE_APP_FORM_URLENCODED = CONTENT_TYPE_APP_FORM_URLENCODED;
 exports.set_response_headers_from_request = set_response_headers_from_request;
+exports.authorize_bearer = authorize_bearer;

src/util/jwt_utils.js

@@ -27,6 +27,10 @@ function make_internal_auth_token(object = {}, jwt_options = {}) {
     return make_auth_token(object, jwt_options);
 }
 
+/**
+ * authorize jwt token by verifying it against the jwt secret
+ * @param {string} token
+ */
 function authorize_jwt_token(token) {
     try {
         return jwt.verify(token, get_jwt_secret());