Passthrough OAuth bearer token supplied to Query service through to ES storage

[rubenvp8510]

Which problem is this PR solving?

• To provide fine grained visibility of tracing information stored in Elasticsearch, protected using tools like SearchGuard, it would be useful if the OAuth bearer token for the authenticated user could be passed through the Query service to the ES storage plugin and then propagated to the ES cluster.
  To enable users to disable the propagation, this PR includes the possibility of enable/disable this behavior using a flag.

Short description of the changes

• I injected the token in the context, and used it on ES plugin, also included a flag, but not sure if the flag should be at the query level, I put it the query level because this behavior only makes sense there. (IMHO). Also I did some changes to disable health check on plugin because the token is provided on each request, so I cannot check health of ES cluster when query service starts.

[yurishkuro]

+1

[yurishkuro]

What is the format of Authorization header?

[rubenvp8510]

According to https://tools.ietf.org/html/rfc6750#section-2.1
It should be in the form : Authorization: "Bearer <token>"

[yurishkuro]

The recommended way of storing values in Context is by using private keys:

type storageContextKeyType string
var storageContextKey = storageContextKeyType("Storage-Token")

[rubenvp8510]

Thanks for the recomendation, I'll change it

[yurishkuro]

avoid duplicating wrappers. There's no business meaning of calling CompressHandler twice in different context.

I suggest var h http.Hander = r and then keep overwriting h with every new decorator (including in L90)

[yurishkuro]

doesn't need to be public

[yurishkuro]

this will overwrite L281

[yurishkuro]

repeats L356-357, please DRY

[yurishkuro]

ctx should be in the first position

[codecov]

Codecov Report

Merging #1599 into master will increase coverage by <.01%.
The diff coverage is 95%.

@@            Coverage Diff             @@
##           master    #1599      +/-   ##
==========================================
+ Coverage   98.72%   98.72%   +<.01%     
==========================================
  Files         191      193       +2     
  Lines        9182     9211      +29     
==========================================
+ Hits         9065     9094      +29     
+ Misses         91       90       -1     
- Partials       26       27       +1

Impacted Files	Coverage Δ
cmd/query/app/flags.go	100% <100%> (ø)	⬆️
cmd/query/app/token_propagation_handler.go	100% <100%> (ø)
cmd/query/app/server.go	90.76% <100%> (+0.44%)	⬆️
plugin/storage/es/options.go	100% <100%> (ø)	⬆️
plugin/storage/es/spanstore/reader.go	100% <100%> (ø)	⬆️
plugin/storage/es/spanstore/writer.go	97.59% <100%> (ø)	⬆️
plugin/storage/es/spanstore/service_operation.go	100% <100%> (ø)	⬆️
storage/spanstore/token_propagation.go	71.42% <71.42%> (ø)
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5b52726...53aafca. Read the comment docs.

[jpkrohling]

Looks very good! I have only a couple of comments, especially about sanitizing the bearer value and about making sure that only the appropriate authorization types are propagated down.

[jpkrohling]

The way it is, you are probably propagating non-bearer authorization as well, such as Basic. If this is what you want, you should rename the functions from bearerTokenPropagation to authorizationHeaderPropagation.

If you didn't intend to propagate the basic auth as well, check explicitly for the authorization type ("Bearer" == headerValue[0]).

[objectiser]

I think we also need to be checking for X-Forwarded-Access-Token - as (for example) if using the OpenShift OAuthProxy - it will receive the bearer token from the UI, and if configured to do so, will pass it in the upstream request in the X-Forwarded-Access-Token header instead of Authorization.

@jpkrohling does this sound reasonable to you?

[jpkrohling]

Yes, it does. That's a common header set by reverse proxies.

[rubenvp8510]

I put support for X-Forwarded-Access-Token, I tried to get token from there if Authorization header is not defined.

[objectiser]

Should this check whether the token has a value? Currently, if Authorization is not Bearer the supplied string will be empty? If empty token, then could just return the ctx.

[objectiser]

Would be better to return the token into a local var, check a value has been found, before overwriting the token. That way - if a request is sent in without a bearer token, it will still revert to the supplied tr.token.

[rubenvp8510]

well, I wasn't sure if we wanted to do that, but ok I'll do the change

[objectiser]

@rubenvp8510 Once the changes have been applied, could you do a quick test using the operator with Oauth proxy cli parameter --pass-user-bearer-token and check that a token is passed to ES?

[rubenvp8510]

@objectiser sure!

[jpkrohling]

Look, I found another bear!