MCS service account authentication with Mkube (#166)

`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)

Kubernetes

The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable

````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````

restapi/ws_handle.go

@@ -26,7 +26,6 @@ import (
 	"github.com/go-openapi/errors"
 	"github.com/gorilla/websocket"
 	"github.com/minio/mcs/pkg/auth"
-	"github.com/minio/mcs/pkg/ws"
 )
 
 var upgrader = websocket.Upgrader{
@@ -99,14 +98,9 @@ func (c wsConn) readMessage() (messageType int, p []byte, err error) {
 // on the path.
 // Request should come like ws://<host>:<port>/ws/<api>
 func serveWS(w http.ResponseWriter, req *http.Request) {
-	sessionID, err := ws.GetTokenFromRequest(req)
-	if err != nil {
-		errors.ServeError(w, req, err)
-		return
-	}
 	// Perform authentication before upgrading to a Websocket Connection
 	// authenticate WS connection with MCS
-	claims, err := auth.JWTAuthenticate(*sessionID)
+	claims, err := auth.GetClaimsFromTokenInRequest(req)
 	if err != nil {
 		log.Print("error on ws authentication: ", err)
 		errors.ServeError(w, req, errors.New(http.StatusUnauthorized, err.Error()))
@@ -152,7 +146,7 @@ func serveWS(w http.ResponseWriter, req *http.Request) {
 		go wsAdminClient.heal(hOptions)
 	case strings.HasPrefix(wsPath, `/watch`):
 		wOptions := getWatchOptionsFromReq(req)
-		wsS3Client, err := newWebSocketS3Client(conn, *sessionID, wOptions.BucketName)
+		wsS3Client, err := newWebSocketS3Client(conn, claims, wOptions.BucketName)
 		if err != nil {
 			closeWsConn(conn)
 			return
@@ -188,10 +182,10 @@ func newWebSocketAdminClient(conn *websocket.Conn, autClaims *auth.DecryptedClai
 }
 
 // newWebSocketS3Client returns a wsAdminClient authenticated as MCS admin
-func newWebSocketS3Client(conn *websocket.Conn, jwt, bucketName string) (*wsS3Client, error) {
+func newWebSocketS3Client(conn *websocket.Conn, claims *auth.DecryptedClaims, bucketName string) (*wsS3Client, error) {
 	// Only start Websocket Interaction after user has been
 	// authenticated with MinIO
-	s3Client, err := newS3BucketClient(jwt, bucketName)
+	s3Client, err := newS3BucketClient(claims, bucketName)
 	if err != nil {
 		log.Println("error creating S3Client:", err)
 		conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))