Fix Session validation for MCS Operator Mode

Author: dvaldivia

pkg/acl/config.go

@@ -22,8 +22,8 @@ import (
 	"github.com/minio/minio/pkg/env"
 )
 
-// GetOperatorOnly gets MCS mkube admin mode status set on env variable
+// GetOperatorMode gets MCS mkube admin mode status set on env variable
 // or default one
-func GetOperatorOnly() bool {
-	return strings.ToLower(env.Get(McsmKubeAdminOnly, "off")) == "on"
+func GetOperatorMode() bool {
+	return strings.ToLower(env.Get(mcsOperatorMode, "off")) == "on"
 }

pkg/acl/const.go

@@ -17,5 +17,5 @@
 package acl
 
 const (
-	McsmKubeAdminOnly = "MCS_MKUBE_ADMIN_ONLY"
+	mcsOperatorMode = "MCS_OPERATOR_MODE"
 )

pkg/acl/endpoints.go

@@ -233,7 +233,7 @@ var operatorRules = map[string]ConfigurationActionSet{
 }
 
 // operatorOnly ENV variable
-var operatorOnly = GetOperatorOnly()
+var operatorOnly = GetOperatorMode()
 
 // GetActionsStringFromPolicy extract the admin/s3 actions from a given policy and return them in []string format
 //

restapi/client.go

@@ -168,7 +168,7 @@ func newMcsCredentials(accessKey, secretKey, location string) (*credentials.Cred
 	// Future authentication methods can be added under this switch statement
 	switch {
 	// MKUBE authentication for MCS
-	case acl.GetOperatorOnly():
+	case acl.GetOperatorMode():
 		{
 			if MkubeEndpoint == "" {
 				return nil, errors.New("endpoint cannot be empty for Mkube")

restapi/configure_mcs.go

@@ -24,6 +24,8 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/minio/mcs/pkg/acl"
+
 	"github.com/minio/mcs/models"
 	"github.com/minio/mcs/pkg"
 	"github.com/minio/mcs/pkg/auth"
@@ -60,9 +62,18 @@ func configureAPI(api *operations.McsAPI) http.Handler {
 	// Applies when the "x-token" header is set
 
 	api.KeyAuth = func(token string, scopes []string) (*models.Principal, error) {
-		if auth.IsJWTValid(token) {
-			prin := models.Principal(token)
-			return &prin, nil
+		if acl.GetOperatorMode() {
+			// here we just check the token is present on the request, authentication will be done
+			// by kubernetes api server
+			if token != "" {
+				prin := models.Principal(token)
+				return &prin, nil
+			}
+		} else {
+			if auth.IsJWTValid(token) {
+				prin := models.Principal(token)
+				return &prin, nil
+			}
 		}
 		log.Printf("Access attempt with incorrect api key auth: %s", token)
 		return nil, errors.New(401, "incorrect api key auth")

restapi/user_login.go

@@ -155,7 +155,7 @@ func getLoginDetailsResponse() (*models.LoginDetails, error) {
 	ctx := context.Background()
 	loginStrategy := models.LoginDetailsLoginStrategyForm
 	redirectURL := ""
-	if acl.GetOperatorOnly() {
+	if acl.GetOperatorMode() {
 		loginStrategy = models.LoginDetailsLoginStrategyServiceAccount
 	} else if oauth2.IsIdpEnabled() {
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect