Feature/k8s token authentication

maas-integration-tests/pom.xml

@@ -163,6 +163,12 @@
             <version>3.17.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>wf.garnier</groupId>
+            <artifactId>testcontainers-dex</artifactId>
+            <version>3.2.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

maas-integration-tests/src/test/java/org/qubership/it/maas/AbstractMaasWithInitsIT.java

@@ -8,11 +8,17 @@
 import org.testcontainers.containers.*;
 import org.testcontainers.images.builder.ImageFromDockerfile;
 import org.testcontainers.utility.DockerImageName;
+import org.testcontainers.utility.MountableFile;
+import wf.garnier.testcontainers.dexidp.DexContainer;
 
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.Base64;
 import java.util.Map;
+import java.util.Set;
 
 import static org.qubership.it.maas.MaasITHelper.TEST_NAMESPACE;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -30,6 +36,39 @@ public abstract class AbstractMaasWithInitsIT extends AbstractMaasIT {
 
     protected static final PostgreSQLContainer<?> POSTGRES_CONTAINER = new PostgreSQLContainer<>(DockerImageName.parse("postgres:16.2")).withNetwork(TEST_NETWORK);
 
+    protected static final DexContainer OIDC_SERVER_CONTAINER = new DexContainer(DexContainer.DEFAULT_IMAGE_NAME.withTag(DexContainer.DEFAULT_TAG))
+            .withNetwork(TEST_NETWORK)
+            .withNetworkAliases("oidc-server")
+            .withExposedPorts(5556, 5557)
+            .withCopyFileToContainer(
+                    MountableFile.forClasspathResource("dex-config.yaml"),
+                    "/etc/dex/config.yaml")
+            .withCommand("dex", "serve", "/etc/dex/config.yaml");
+
+    private static final Path oidcTokenTempFile;
+
+    static {
+        try {
+            oidcTokenTempFile = Files.createTempFile("", "");
+            Files.writeString(oidcTokenTempFile, Utils.getNewJwt("http://%s:%d/dex".formatted(OIDC_SERVER_CONTAINER.getNetworkAliases().getLast(), 5556)));
+            try {
+                Set<PosixFilePermission> permissions = Set.of(
+                        PosixFilePermission.OWNER_READ,
+                        PosixFilePermission.OWNER_WRITE,
+                        PosixFilePermission.GROUP_READ,
+                        PosixFilePermission.OTHERS_READ
+                );
+                Files.setPosixFilePermissions(oidcTokenTempFile, permissions);
+            } catch (UnsupportedOperationException e) {
+                oidcTokenTempFile.toFile().setReadable(true, true);
+                oidcTokenTempFile.toFile().setWritable(true, true);
+                oidcTokenTempFile.toFile().setReadable(true, false);
+            }
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     protected static final GenericContainer<?> MAAS_CONTAINER = new GenericContainer<>(
             new ImageFromDockerfile()
                     .withFileFromPath(".", Paths.get("../maas"))
@@ -44,6 +83,8 @@ public abstract class AbstractMaasWithInitsIT extends AbstractMaasIT {
             )
             .withNetwork(TEST_NETWORK)
             .withExposedPorts(8080)
+            .withCopyFileToContainer(MountableFile.forHostPath(oidcTokenTempFile.toAbsolutePath()), "/var/run/secrets/kubernetes.io/serviceaccount/token")
+            .dependsOn(OIDC_SERVER_CONTAINER)
             .dependsOn(POSTGRES_CONTAINER);
 
     static {
@@ -55,6 +96,8 @@ public abstract class AbstractMaasWithInitsIT extends AbstractMaasIT {
         RABBITMQ_CONTAINER_1.start();
         RABBITMQ_CONTAINER_2.start();
 
+        OIDC_SERVER_CONTAINER.start();
+
         MAAS_CONTAINER.start();
 
         assertTrue(createManagersAccount());

maas-integration-tests/src/test/java/org/qubership/it/maas/Utils.java

@@ -2,6 +2,8 @@
 
 import lombok.extern.slf4j.Slf4j;
 
+import java.util.Base64;
+
 @Slf4j
 public class Utils {
     @FunctionalInterface
@@ -25,4 +27,21 @@ public static void retry(int maxAttempts, OmnivoreRunnable f) throws Exception {
             }
         }
     }
+
+    public static String getNewJwt(String issuer) {
+        String headerJson = "{\"alg\":\"none\",\"typ\":\"JWT\"}";
+        String encodedHeader = base64UrlEncode(headerJson);
+
+        String payloadJson = String.format("{\"iss\":\"%s\"}", issuer);
+        String encodedPayload = base64UrlEncode(payloadJson);
+
+        String signature = "";
+        return String.format("%s.%s.%s", encodedHeader, encodedPayload, signature);
+    }
+
+    private static String base64UrlEncode(String data) {
+        return Base64.getUrlEncoder()
+                .withoutPadding()
+                .encodeToString(data.getBytes());
+    }
 }

maas-integration-tests/src/test/resources/dex-config.yaml

@@ -0,0 +1,18 @@
+issuer: http://oidc-server:5556/dex
+
+storage:
+  type: sqlite3
+
+web:
+  http: 0.0.0.0:5556
+
+telemetry:
+  http: 0.0.0.0:5558
+
+grpc:
+  addr: 0.0.0.0:5557
+
+connectors:
+  - type: mockCallback
+    id: mock
+    name: Example

maas/maas-service/application.yaml

@@ -28,6 +28,10 @@ db:
   cipher:
     key: thisis32bitlongpassphraseimusing
 
+kubernetes:
+  oidc:
+    audience: maas
+
 
 # DR mode defaults
 execution.mode: active
@@ -40,4 +44,4 @@ kafka.client.timeout: 10s
 health.check.interval: 5s
 
 # Migrate cr
-fallback.cr.apiversion: ""
+fallback.cr.apiversion: ""

maas/maas-service/controller/account_controller.go

@@ -124,7 +124,7 @@ func (a *AccountController) SaveManagerAccount(fiberCtx *fiber.Ctx) error {
 	}
 
 	log.InfoC(ctx, "Received request on create one more manage account")
-	if _, err := a.service.IsAccessGranted(ctx, username, password, model.ManagerAccountNamespace, []model.RoleName{model.ManagerRole}); err != nil {
+	if _, err := a.service.IsAccessGrantedWithBasic(ctx, username, password, model.ManagerAccountNamespace, []model.RoleName{model.ManagerRole}); err != nil {
 		return utils.LogError(log, ctx, "password verification does not passed: %w", err)
 	}
 	if managerAccount, err := a.service.CreateNewManager(ctx, &accountRequest); err != nil {

maas/maas-service/controller/account_controller_test.go

@@ -63,7 +63,7 @@ func TestAccountController_UpdatePassword(t *testing.T) {
 		ctx, cancelContext := context.WithCancel(context.Background())
 		defer cancelContext()
 
-		authService := auth.NewAuthService(auth.NewAuthDao(baseDao), nil, nil)
+		authService := auth.NewAuthService(auth.NewAuthDao(baseDao), nil, nil, nil)
 		accountController := NewAccountController(authService)
 
 		_, err := authService.CreateNewManager(ctx, &model.ManagerAccountDto{
@@ -72,7 +72,7 @@ func TestAccountController_UpdatePassword(t *testing.T) {
 		})
 		assert.NoError(t, err)
 
-		app.Put("/auth/account/manager/:name/password", SecurityMiddleware([]model.RoleName{model.ManagerRole}, authService.IsAccessGranted), accountController.UpdatePassword)
+		app.Put("/auth/account/manager/:name/password", SecurityMiddleware([]model.RoleName{model.ManagerRole}, authService.IsAccessGrantedWithBasic, nil), accountController.UpdatePassword)
 		testUpdatePasswordPath := "/auth/account/manager/" + managerName + "/password"
 
 		req := httptest.NewRequest("PUT", testUpdatePasswordPath, nil)
@@ -125,7 +125,7 @@ func TestAccountController_DeleteClientAccount(t *testing.T) {
 		ctx, cancelContext := context.WithCancel(context.Background())
 		defer cancelContext()
 
-		authService := auth.NewAuthService(auth.NewAuthDao(baseDao), nil, nil)
+		authService := auth.NewAuthService(auth.NewAuthDao(baseDao), nil, nil, nil)
 		accountController := NewAccountController(authService)
 
 		_, err := authService.CreateNewManager(ctx, &model.ManagerAccountDto{
@@ -149,7 +149,7 @@ func TestAccountController_DeleteClientAccount(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, testClienetUsername, account.Username)
 
-		app.Delete("/test", SecurityMiddleware([]model.RoleName{model.ManagerRole}, authService.IsAccessGranted), accountController.DeleteClientAccount)
+		app.Delete("/test", SecurityMiddleware([]model.RoleName{model.ManagerRole}, authService.IsAccessGrantedWithBasic, nil), accountController.DeleteClientAccount)
 
 		userAccountJson, err := json.Marshal(clientAccount)
 		assert.NoError(t, err)

maas/maas-service/controller/controller_common_funcs.go

@@ -6,6 +6,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
+	"regexp"
+	"strconv"
+	"strings"
+
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"github.com/google/uuid"
@@ -17,10 +22,6 @@ import (
 	v "github.com/netcracker/qubership-maas/validator"
 	"golang.org/x/exp/slices"
 	"gopkg.in/yaml.v3"
-	"net/http"
-	"regexp"
-	"strconv"
-	"strings"
 )
 
 const (
@@ -59,28 +60,57 @@ func init() {
 
 type RequestBodyHandler func(ctx context.Context) (interface{}, error)
 
-func SecurityMiddleware(roles []model.RoleName, authorize func(context.Context, string, utils.SecretString, string, []model.RoleName) (*model.Account, error)) fiber.Handler {
+type authorizeWithBasicFunc func(context.Context, string, utils.SecretString, string, []model.RoleName) (*model.Account, error)
+type authorizeWithTokenFunc func(context.Context, string, string, []model.RoleName) (*model.Account, error)
+
+func SecurityMiddleware(roles []model.RoleName, authorizeWithBasic authorizeWithBasicFunc, authorizeWithToken authorizeWithTokenFunc) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
 		userCtx := ctx.UserContext()
-		username, password, err := utils.GetBasicAuth(ctx)
-		if err != nil {
+		namespace := string(ctx.Request().Header.Peek(HeaderXNamespace))
+		authHeader := string(ctx.Request().Header.Peek(fiber.HeaderAuthorization))
+
+		var (
+			account *model.Account
+			// in kubernetes m2m auth composite isolation is always enabled
+			compositeIsolationDisabled = false
+		)
+
+		authScheme, creds, ok := utils.ParseAuthHeader(authHeader)
+		if !ok {
 			if slices.Contains(roles, model.AnonymousRole) {
 				log.WarnC(userCtx, "Anonymous access will be dropped in future releases for: %s", ctx.OriginalURL())
 				return ctx.Next()
 			}
-			return utils.LogError(log, userCtx, "security middleware error: %w", err)
+			return utils.LogError(log, userCtx, "request authorization failure: invalid auth header: %w", msg.AuthError)
 		}
 
-		namespace := string(ctx.Request().Header.Peek(HeaderXNamespace))
+		switch strings.ToLower(authScheme) {
+		case "basic":
+			username, password, err := utils.GetBasicAuth(ctx)
+			if err != nil {
+				return utils.LogError(log, userCtx, "security middleware error: %w", err)
+			}
 
-		acc, err := authorize(ctx.UserContext(), username, password, namespace, roles)
-		if err != nil {
-			return utils.LogError(log, userCtx, "request authorization failure: %w", err)
+			account, err = authorizeWithBasic(userCtx, username, password, namespace, roles)
+			if err != nil {
+				return utils.LogError(log, userCtx, "request authorization failure: %w", err)
+			}
+			compositeIsolationDisabled = strings.ToLower(string(ctx.Request().Header.Peek(HeaderXCompositeIsolationDisabled))) == "disabled"
+		case "bearer":
+			serviceAccount, err := authorizeWithToken(userCtx, creds, namespace, roles)
+			if err != nil {
+				return utils.LogError(log, userCtx, "request authorization failure: %w", err)
+			}
+			account = serviceAccount
+		default:
+			if slices.Contains(roles, model.AnonymousRole) {
+				log.WarnC(userCtx, "Anonymous access will be dropped in future releases for: %s", ctx.OriginalURL())
+				return ctx.Next()
+			}
+			return utils.LogError(log, userCtx, "security middleware error: %w", msg.AuthError)
 		}
 
-		compositeIsolationDisabled := strings.ToLower(string(ctx.Request().Header.Peek(HeaderXCompositeIsolationDisabled))) == "disabled"
-
-		secCtx := model.NewSecurityContext(acc, compositeIsolationDisabled)
+		secCtx := model.NewSecurityContext(account, compositeIsolationDisabled)
 		ctx.SetUserContext(model.WithSecurityContext(userCtx, secCtx))
 		return ctx.Next()
 	}