MCS service account authentication with Mkube

`MCS` will authenticate against `Mkube`using bearer tokens via HTTP `Authorization` header.

Kubernetes

By default, if you don't provide `MCS_K8S_SA_JWT` mcs will assume is running inside a `kubernetes` pod and will try to read
the jwt from `/var/run/secrets/kubernetes.io/serviceaccount/token` and use it.

The provided `JWT token` corresponds to the `Kubernetes service account` that `Mkube` will use to run tasks on behalf of `MCS`
ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use `"http://m3:8787"`

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa` service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_K8S_SA_JWT=eyJh... ./mcs server
```

Author: Alevsk

docs/mcs_service_account_mkube.md

@@ -0,0 +1,31 @@
+# MCS service account authentication with Mkube
+
+`MCS` will authenticate against `Mkube`using bearer tokens via HTTP `Authorization` header.
+
+# Kubernetes
+
+By default, if you don't provide `MCS_K8S_SA_JWT` mcs will assume is running inside a `kubernetes` pod and will try to read
+the jwt from `/var/run/secrets/kubernetes.io/serviceaccount/token` and use it.
+
+The provided `JWT token` corresponds to the `Kubernetes service account` that `Mkube` will use to run tasks on behalf of `MCS`
+ie: list, create, edit, delete tenants, storage class, etc.
+
+# Development
+
+If you are running mcs in your local environment and wish to make request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
+the environment variable is not present by default `MCS` will use `"http://m3:8787"`
+
+## Extract the Service account token and use it with MCS
+
+For local development you can use the jwt associated to the `m3-sa` service account, you can get the token running
+the following command in your terminal:
+
+```
+kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
+```
+
+Then run the mcs server
+
+```
+MCS_M3_HOSTNAME=http://localhost:8787 MCS_K8S_SA_JWT=eyJh... ./mcs server
+```

go.mod

@@ -18,8 +18,8 @@ require (
 	github.com/json-iterator/go v1.1.9
 	github.com/minio/cli v1.22.0
 	github.com/minio/mc v0.0.0-20200515235434-3b479cf92ed6
-	github.com/minio/minio v0.0.0-20200516011754-9cac385aecdb
-	github.com/minio/minio-go/v6 v6.0.56-0.20200502013257-a81c8c13cc3f
+	github.com/minio/minio v0.0.0-20200603201854-5686a7e27319
+	github.com/minio/minio-go/v6 v6.0.56
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/testify v1.5.1

go.sum

@@ -26,9 +26,11 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"strings"
 
 	jwtgo "github.com/dgrijalva/jwt-go"
+	"github.com/go-openapi/swag"
 	xjwt "github.com/minio/mcs/pkg/auth/jwt"
 	"github.com/minio/minio-go/v6/pkg/credentials"
 	"github.com/minio/minio/cmd"
@@ -182,3 +184,42 @@ func decrypt(data []byte) ([]byte, error) {
 	}
 	return plaintext, nil
 }
+
+// GetTokenFromRequest returns a token from a http Request
+// either defined on a cookie `token` or on Authorization header.
+//
+// Authorization Header needs to be like "Authorization Bearer <jwt_token>"
+func GetTokenFromRequest(r *http.Request) (*string, error) {
+	// Get Auth token
+	var reqToken string
+
+	// Token might come either as a Cookie or as a Header
+	// if not set in cookie, check if it is set on Header.
+	tokenCookie, err := r.Cookie("token")
+	if err != nil {
+		headerToken := r.Header.Get("Authorization")
+		// reqToken should come as "Bearer <token>"
+		splitHeaderToken := strings.Split(headerToken, "Bearer")
+		if len(splitHeaderToken) <= 1 {
+			return nil, errNoAuthToken
+		}
+		reqToken = strings.TrimSpace(splitHeaderToken[1])
+	} else {
+		reqToken = strings.TrimSpace(tokenCookie.Value)
+	}
+	return swag.String(reqToken), nil
+}
+
+func GetClaimsFromTokenInRequest(req *http.Request) (*DecryptedClaims, error) {
+	sessionID, err := GetTokenFromRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// Perform decryption of the JWT, if MCS is able to decrypt the JWT that means a valid session
+	// was used in the first place to get it
+	claims, err := JWTAuthenticate(*sessionID)
+	if err != nil {
+		return nil, err
+	}
+	return claims, nil
+}

pkg/auth/jwt.go

@@ -239,19 +239,18 @@ func newMinioClient(jwt string) (*minio.Client, error) {
 }
 
 // newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
-func newS3BucketClient(jwt string, bucketName string) (*mc.S3Client, error) {
+func newS3BucketClient(claims *auth.DecryptedClaims, bucketName string) (*mc.S3Client, error) {
 	endpoint := getMinIOServer()
 	useSSL := getMinIOEndpointIsSecure()
 
-	claims, err := auth.JWTAuthenticate(jwt)
-	if err != nil {
-		return nil, err
-	}
-
 	if strings.TrimSpace(bucketName) != "" {
 		endpoint += fmt.Sprintf("/%s", bucketName)
 	}
 
+	if claims == nil {
+		return nil, fmt.Errorf("the provided credentials are invalid")
+	}
+
 	s3Config := newS3Config(endpoint, claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken, !useSSL)
 	client, pErr := mc.S3New(s3Config)
 	if pErr != nil {

pkg/ws/websocket.go

@@ -18,6 +18,7 @@ package restapi
 
 import (
 	"fmt"
+	"io/ioutil"
 	"strconv"
 	"strings"
 
@@ -233,3 +234,23 @@ func getSecureExpectCTHeader() string {
 func getM3Host() string {
 	return env.Get(McsM3Host, "http://m3:8787")
 }
+
+// getMcsK8sServiceAccountJWTFromFile if mcs is running inside k8s
+// we check and extract the jwt sa-token from /var/run/secrets/kubernetes.io/serviceaccount/token, otherwise returns
+// empty string
+func getMcsK8sServiceAccountJWTFromFile() string {
+	dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+	if err != nil {
+		return ""
+	}
+	return string(dat)
+}
+
+// This operation will run only once on mcs start-up
+var saToken = getMcsK8sServiceAccountJWTFromFile()
+
+// getMcsK8sServiceAccountJWT return the ServiceAccount JWT mcs will use to interact with mkube, by
+// default will return the jwt sa-token associated to the pod running mcs inside kubernetes
+func getMcsK8sServiceAccountJWT() string {
+	return env.Get(McsK8sServiceAccountJWT, saToken)
+}

restapi/client.go

@@ -168,7 +168,8 @@ func FileServerMiddleware(next http.Handler) http.Handler {
 			serveWS(w, r)
 		case strings.HasPrefix(r.URL.Path, "/api/v1/mkube"):
 			client := &http.Client{}
-			serverMkube(client, w, r)
+			m3SAToken := getMcsK8sServiceAccountJWT()
+			serverMkube(m3SAToken, client, w, r)
 		case strings.HasPrefix(r.URL.Path, "/api"):
 			next.ServeHTTP(w, r)
 		default:

restapi/config.go

@@ -50,4 +50,5 @@ const (
 	McsSecureFeaturePolicy                   = "MCS_SECURE_FEATURE_POLICY"
 	McsSecureExpectCTHeader                  = "MCS_SECURE_EXPECT_CT_HEADER"
 	McsM3Host                                = "MCS_M3_HOSTNAME"
+	McsK8sServiceAccountJWT                  = "MCS_K8S_SA_JWT"
 )

restapi/configure_mcs.go

@@ -25,10 +25,21 @@ import (
 	"strings"
 
 	apiErrors "github.com/go-openapi/errors"
+	"github.com/minio/mcs/pkg/auth"
 )
 
 // serverMkube handles calls for mkube
-func serverMkube(client *http.Client, w http.ResponseWriter, req *http.Request) {
+func serverMkube(m3SAToken string, client *http.Client, w http.ResponseWriter, req *http.Request) {
+	// check user session is valid by decrypting the claims inside the encrypted JWT
+	_, err := auth.GetClaimsFromTokenInRequest(req)
+	if err != nil {
+		apiErrors.ServeError(w, req, err)
+		return
+	}
+	if m3SAToken == "" {
+		apiErrors.ServeError(w, req, errors.New("service M3 is not available"))
+		return
+	}
 	// destination of the request, the mkube server
 	req.URL.Path = strings.Replace(req.URL.Path, "/mkube", "", 1)
 	targetURL := fmt.Sprintf("%s%s", getM3Host(), req.URL.String())
@@ -41,8 +52,10 @@ func serverMkube(client *http.Client, w http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	// set the m3Req headers
-	m3Req.Header = req.Header
+	// Set the m3Req authorization headers
+	// Authorization Header needs to be like "Authorization Bearer <jwt_token>"
+	token := fmt.Sprintf("Bearer %s", m3SAToken)
+	m3Req.Header.Add("Authorization", token)
 	resp, err := client.Do(m3Req)
 	if err != nil {
 		log.Println("error on m3 request:", err)