Fix Session validation for MCS Operator Mode (#191)

* Fix Session validation for MCS Operator Mode * Updated assets
2020-07-08 13:55:08 -07:00
parent 8a74b795c8
commit 328133d3ff
41 changed files with 608 additions and 398 deletions
--- a/pkg/acl/config.go
+++ b/pkg/acl/config.go
@@ -22,8 +22,7 @@ import (
 	"github.com/minio/minio/pkg/env"
 )

-// GetOperatorOnly gets MCS mkube admin mode status set on env variable
-// or default one
-func GetOperatorOnly() bool {
-	return strings.ToLower(env.Get(McsmKubeAdminOnly, "off")) == "on"
+// GetOperatorMode gets MCS Operator mode status set on env variable or default one
+func GetOperatorMode() bool {
+	return strings.ToLower(env.Get(mcsOperatorMode, "off")) == "on"
 }
--- a/pkg/acl/const.go
+++ b/pkg/acl/const.go
@@ -17,5 +17,5 @@
 package acl

 const (
-	McsmKubeAdminOnly = "MCS_MKUBE_ADMIN_ONLY"
+	mcsOperatorMode = "MCS_OPERATOR_MODE"
 )
--- a/pkg/acl/endpoints.go
+++ b/pkg/acl/endpoints.go
@@ -233,7 +233,7 @@ var operatorRules = map[string]ConfigurationActionSet{
 }

 // operatorOnly ENV variable
-var operatorOnly = GetOperatorOnly()
+var operatorOnly = GetOperatorMode()

 // GetActionsStringFromPolicy extract the admin/s3 actions from a given policy and return them in []string format
 //
--- a/pkg/auth/mkube.go
+++ b/pkg/auth/mkube.go
@@ -21,17 +21,17 @@ import (
 	"log"
 	"net/http"

-	"github.com/minio/mcs/pkg/auth/mkube"
+	"github.com/minio/mcs/cluster"
 	"github.com/minio/minio-go/v6/pkg/credentials"
 )

-// mkubeCredentialsProvider is an struct to hold the JWT (service account token)
-type mkubeCredentialsProvider struct {
+// operatorCredentialsProvider is an struct to hold the JWT (service account token)
+type operatorCredentialsProvider struct {
 	serviceAccountJWT string
 }

 // Implementing the interfaces of the minio Provider, we use this to leverage on the existing mcs Authentication flow
-func (s mkubeCredentialsProvider) Retrieve() (credentials.Value, error) {
+func (s operatorCredentialsProvider) Retrieve() (credentials.Value, error) {
 	return credentials.Value{
 		AccessKeyID:     "",
 		SecretAccessKey: "",
@@ -40,38 +40,32 @@ func (s mkubeCredentialsProvider) Retrieve() (credentials.Value, error) {
 }

 // IsExpired dummy function, must be implemented in order to work with the minio provider authentication
-func (s mkubeCredentialsProvider) IsExpired() bool {
+func (s operatorCredentialsProvider) IsExpired() bool {
 	return false
 }

-// isServiceAccountTokenValid will make an authenticated request (using bearer token) against Mkube hostname, if the
-// request success means the provided jwt its a valid service account token and the MCS user can use it for future requests
-// until it fails
+// isServiceAccountTokenValid will make an authenticated request (using bearer token) against kubernetes api, if the
+// request success means the provided jwt its a valid service account token and the MCS user can use it for future
+// requests until it fails
 func isServiceAccountTokenValid(client *http.Client, jwt string) bool {
-	url := fmt.Sprintf("%s/api/v1/tenants", mkube.GetMkubeEndpoint())
-	m3Req, err := http.NewRequest("GET", url, nil)
+	//# Explore the API with TOKEN
+	//curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
+	apiURL := fmt.Sprintf("%s/api", cluster.GetK8sAPIServer())
+	req, _ := http.NewRequest("GET", apiURL, nil)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwt))
+	_, err := client.Do(req)
 	if err != nil {
 		log.Println(err)
 		return false
 	}
-	token := fmt.Sprintf("Bearer %s", jwt)
-	m3Req.Header.Add("Authorization", token)
-	resp, err := client.Do(m3Req)
-	if err != nil {
-		log.Println(err)
-		return false
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
-		return true
-	}
-	return false
+	return true
 }

-// GetMcsCredentialsFromMkube will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
-func GetMcsCredentialsFromMkube(jwt string) (*credentials.Credentials, error) {
-	if isServiceAccountTokenValid(mkube.HTTPClient, jwt) {
-		return credentials.New(mkubeCredentialsProvider{serviceAccountJWT: jwt}), nil
+// GetMcsCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
+func GetMcsCredentialsForOperator(jwt string) (*credentials.Credentials, error) {
+	client := http.Client{}
+	if isServiceAccountTokenValid(&client, jwt) {
+		return credentials.New(operatorCredentialsProvider{serviceAccountJWT: jwt}), nil
 	}
 	return nil, errInvalidCredentials
 }
--- a/pkg/auth/mkube/config.go
+++ b/pkg/auth/mkube/config.go
@@ -1,117 +0,0 @@
-// This file is part of MinIO Console Server
-// Copyright (c) 2020 MinIO, Inc.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package mkube
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/minio/minio/pkg/env"
-)
-
-var (
-	certDontExists = "File certificate doesn't exists: %s"
-)
-
-// getMkubeEndpoint returns the hostname of mkube
-func GetMkubeEndpoint() string {
-	return env.Get(McsMkubeHost, "http://m3:8787")
-}
-
-// getMkubeEndpointIsSecure returns true or false depending on the protocol in Mkube URL
-func getMkubeEndpointIsSecure() bool {
-	server := GetMkubeEndpoint()
-	if strings.Contains(server, "://") {
-		parts := strings.Split(server, "://")
-		if len(parts) > 1 {
-			if parts[0] == "https" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// If MCS_M3_SERVER_TLS_CA_CERTIFICATE is true mcs will load a list of certificates into the
-// http.client rootCAs store, this is useful for testing or when working with self-signed certificates
-func getMkubeServerTLSRootCAs() []string {
-	caCertFileNames := strings.TrimSpace(env.Get(McsMkubeTLSCACertificate, ""))
-	if caCertFileNames == "" {
-		return []string{}
-	}
-	return strings.Split(caCertFileNames, ",")
-}
-
-// FileExists verifies if a file exist on the desired location and its not a folder
-func FileExists(filename string) bool {
-	info, err := os.Stat(filename)
-	if os.IsNotExist(err) {
-		return false
-	}
-	return !info.IsDir()
-}
-
-// GetMkubeHTTPClient returns an http.Client with custom configurations used by MCS to talk to Mkube
-// custom configurations include the use of CA certificates
-func getMkubeHTTPClient() *http.Client {
-	httpTransport := &http.Transport{}
-	// If Mkube server is running with TLS enabled and it's using a self-signed certificate
-	// or a certificate issued by a custom certificate authority we prepare a new custom *http.Transport
-	if getMkubeEndpointIsSecure() {
-		caCertFileNames := getMkubeServerTLSRootCAs()
-		tlsConfig := &tls.Config{
-			// Can't use SSLv3 because of POODLE and BEAST
-			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion: tls.VersionTLS12,
-		}
-		// If CAs certificates are configured we save them to the http.Client RootCAs store
-		if len(caCertFileNames) > 0 {
-			certs := x509.NewCertPool()
-			for _, caCert := range caCertFileNames {
-				// Validate certificate exists
-				if FileExists(caCert) {
-					pemData, err := ioutil.ReadFile(caCert)
-					if err != nil {
-						// if there was an error reading pem file stop mcs
-						panic(err)
-					}
-					certs.AppendCertsFromPEM(pemData)
-				} else {
-					// if provided cert filename doesn't exists stop mcs
-					panic(fmt.Sprintf(certDontExists, caCert))
-				}
-			}
-			tlsConfig.RootCAs = certs
-		}
-		httpTransport.TLSClientConfig = tlsConfig
-	}
-
-	// Return http client with default configuration
-	return &http.Client{
-		Transport: httpTransport,
-	}
-}
-
-// HTTPClient it's a public variable that contains the HTTP configuration to be used by MCS to talk to Mkube
-// This function will run only once
-var HTTPClient = getMkubeHTTPClient()
--- a/pkg/auth/mkube/const.go
+++ b/pkg/auth/mkube/const.go
@@ -1,22 +0,0 @@
-// This file is part of MinIO Console Server
-// Copyright (c) 2020 MinIO, Inc.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package mkube
-
-const (
-	McsMkubeHost             = "MCS_M3_HOSTNAME"
-	McsMkubeTLSCACertificate = "MCS_M3_SERVER_TLS_CA_CERTIFICATE"
-)