Merge pull request #8110 from pawanpinjarkar/generate-tokens

AGENT-872: Generate JWT token

Author: openshift-merge-bot[bot]

go.mod

@@ -44,6 +44,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.22.9
 	github.com/go-playground/validator/v10 v10.19.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/golang/mock v1.7.0-rc.1
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.6.0
@@ -183,7 +184,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.0.1 // indirect

pkg/asset/agent/common/infraenv.go

@@ -0,0 +1,30 @@
+package common
+
+import (
+	"github.com/google/uuid"
+
+	"github.com/openshift/installer/pkg/asset"
+)
+
+// InfraEnvID is an asset that generates infraEnvID.
+type InfraEnvID struct {
+	ID string
+}
+
+var _ asset.Asset = (*InfraEnvID)(nil)
+
+// Dependencies returns the assets on which the InfraEnv asset depends.
+func (a *InfraEnvID) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Generate generates the InfraEnvID for agent installer.
+func (a *InfraEnvID) Generate(dependencies asset.Parents) error {
+	a.ID = uuid.New().String()
+	return nil
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *InfraEnvID) Name() string {
+	return "Agent Installer InfraEnv ID"
+}

pkg/asset/agent/gencrypto/authconfig.go

@@ -8,30 +8,51 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 
+	"github.com/golang-jwt/jwt/v4"
+
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 )
 
-// AuthConfig is an asset that generates ECDSA public and private keys.
+// AuthConfig is an asset that generates ECDSA public/private keys, JWT token.
 type AuthConfig struct {
-	PublicKey, PrivateKey string
+	PublicKey, PrivateKey, Token string
 }
 
-var _ asset.WritableAsset = (*AuthConfig)(nil)
+// LocalJWTKeyType suggests the key type to be used for the token.
+type LocalJWTKeyType string
+
+const (
+	// InfraEnvKey is used to generate token using infra env id.
+	InfraEnvKey LocalJWTKeyType = "infra_env_id"
+)
+
+var _ asset.Asset = (*AuthConfig)(nil)
 
 // Dependencies returns the assets on which the AuthConfig asset depends.
 func (a *AuthConfig) Dependencies() []asset.Asset {
-	return []asset.Asset{}
+	return []asset.Asset{
+		&common.InfraEnvID{},
+	}
 }
 
 // Generate generates the auth config for agent installer APIs.
 func (a *AuthConfig) Generate(dependencies asset.Parents) error {
+	infraEnvID := &common.InfraEnvID{}
+	dependencies.Get(infraEnvID)
 	PublicKey, PrivateKey, err := keyPairPEM()
 	if err != nil {
 		return err
 	}
 	a.PublicKey = PublicKey
 	a.PrivateKey = PrivateKey
 
+	token, err := localJWTForKey(infraEnvID.ID, a.PrivateKey)
+	if err != nil {
+		return err
+	}
+	a.Token = token
+
 	return nil
 }
 
@@ -40,21 +61,6 @@ func (a *AuthConfig) Name() string {
 	return "Agent Installer API Auth Config"
 }
 
-// Load returns the auth config from disk.
-func (a *AuthConfig) Load(f asset.FileFetcher) (bool, error) {
-	// The AuthConfig will not be needed by another asset so load is noop.
-	// This is implemented because it is required by WritableAsset
-	return false, nil
-}
-
-// Files returns the files generated by the asset.
-func (a *AuthConfig) Files() []*asset.File {
-	// Return empty array because File will never be loaded.
-	return []*asset.File{}
-}
-
-// Reused from assisted-service.
-// https://github.com/openshift/assisted-service/blob/d3c0122452c74ad208055b8b6ee412812431a83f/internal/gencrypto/keys.go#L13-L54
 func keyPairPEM() (string, string, error) {
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
@@ -97,3 +103,21 @@ func keyPairPEM() (string, string, error) {
 
 	return pubKeyPEM.String(), privKeyPEM.String(), nil
 }
+
+func localJWTForKey(id string, privateKkeyPem string) (string, error) {
+	priv, err := jwt.ParseECPrivateKeyFromPEM([]byte(privateKkeyPem))
+	if err != nil {
+		return "", err
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
+		string(InfraEnvKey): id,
+	})
+
+	tokenString, err := token.SignedString(priv)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}

pkg/asset/agent/gencrypto/authconfig_test.go

@@ -4,6 +4,9 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 )
 
 func TestAuthConfig_Generate(t *testing.T) {
@@ -16,13 +19,17 @@ func TestAuthConfig_Generate(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
+			parents := asset.Parents{}
+			parents.Add(&common.InfraEnvID{})
+
 			authConfigAsset := &AuthConfig{}
-			err := authConfigAsset.Generate(nil)
+			err := authConfigAsset.Generate(parents)
 
 			assert.NoError(t, err)
 
 			assert.Contains(t, authConfigAsset.PrivateKey, "BEGIN EC PRIVATE KEY")
 			assert.Contains(t, authConfigAsset.PublicKey, "BEGIN EC PUBLIC KEY")
+			assert.NotEmpty(t, authConfigAsset.Token)
 		})
 	}
 }

pkg/asset/agent/image/ignition.go

@@ -13,7 +13,6 @@ import (
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/coreos/stream-metadata-go/arch"
 	"github.com/coreos/stream-metadata-go/stream"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
@@ -24,6 +23,7 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	agentcommon "github.com/openshift/installer/pkg/asset/agent"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/joiner"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
@@ -100,6 +100,7 @@ func (a *Ignition) Dependencies() []asset.Asset {
 		&mirror.RegistriesConf{},
 		&mirror.CaBundle{},
 		&gencrypto.AuthConfig{},
+		&common.InfraEnvID{},
 	}
 }
 
@@ -113,7 +114,8 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 	agentHostsAsset := &agentconfig.AgentHosts{}
 	extraManifests := &manifests.ExtraManifests{}
 	keyPairAsset := &gencrypto.AuthConfig{}
-	dependencies.Get(agentManifests, agentConfigAsset, agentHostsAsset, extraManifests, keyPairAsset, agentWorkflow, clusterInfo, addNodesConfig)
+	infraEnvAsset := &common.InfraEnvID{}
+	dependencies.Get(agentManifests, agentConfigAsset, agentHostsAsset, extraManifests, keyPairAsset, agentWorkflow, clusterInfo, addNodesConfig, infraEnvAsset)
 
 	pwd := &password.KubeadminPassword{}
 	dependencies.Get(pwd)
@@ -229,7 +231,7 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 
 	releaseImageMirror := mirror.GetMirrorFromRelease(agentManifests.ClusterImageSet.Spec.ReleaseImage, registriesConfig)
 
-	infraEnvID := uuid.New().String()
+	infraEnvID := infraEnvAsset.ID
 	logrus.Debug("Generated random infra-env id ", infraEnvID)
 
 	osImage, err := getOSImagesInfo(archName, openshiftVersion, streamGetter)

pkg/asset/agent/image/ignition_test.go

@@ -21,6 +21,7 @@ import (
 	hivev1 "github.com/openshift/hive/apis/hive/v1"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/agent/agentconfig"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/joiner"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
@@ -670,6 +671,7 @@ func buildIgnitionAssetDefaultDependencies(t *testing.T) []asset.Asset {
 		&tls.AdminKubeConfigSignerCertKey{},
 		&tls.AdminKubeConfigClientCertKey{},
 		&gencrypto.AuthConfig{},
+		&common.InfraEnvID{},
 	}
 }
 

pkg/asset/agent/image/unconfigured_ignition.go

@@ -7,11 +7,11 @@ import (
 
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/coreos/stream-metadata-go/arch"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/ignition"
@@ -78,16 +78,18 @@ func (a *UnconfiguredIgnition) Dependencies() []asset.Asset {
 		&manifests.NMStateConfig{},
 		&mirror.RegistriesConf{},
 		&mirror.CaBundle{},
+		&common.InfraEnvID{},
 	}
 }
 
 // Generate generates the agent installer unconfigured ignition.
 func (a *UnconfiguredIgnition) Generate(dependencies asset.Parents) error {
 	infraEnvAsset := &manifests.InfraEnv{}
+	infraEnvIDAsset := &common.InfraEnvID{}
 	clusterImageSetAsset := &manifests.ClusterImageSet{}
 	pullSecretAsset := &manifests.AgentPullSecret{}
 	nmStateConfigs := &manifests.NMStateConfig{}
-	dependencies.Get(infraEnvAsset, clusterImageSetAsset, pullSecretAsset, nmStateConfigs)
+	dependencies.Get(infraEnvAsset, clusterImageSetAsset, pullSecretAsset, nmStateConfigs, infraEnvIDAsset)
 
 	infraEnv := infraEnvAsset.Config
 	clusterImageSet := clusterImageSetAsset.Config
@@ -122,7 +124,7 @@ func (a *UnconfiguredIgnition) Generate(dependencies asset.Parents) error {
 	registryCABundle := &mirror.CaBundle{}
 	dependencies.Get(registriesConfig, registryCABundle)
 
-	infraEnvID := uuid.New().String()
+	infraEnvID := infraEnvIDAsset.ID
 	logrus.Debug("Generated random infra-env id ", infraEnvID)
 
 	openshiftVersion, err := version.Version()

pkg/asset/agent/image/unconfigured_ignition_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/openshift/assisted-service/models"
 	hivev1 "github.com/openshift/hive/apis/hive/v1"
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/agent/common"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 )
@@ -115,6 +116,7 @@ func buildUnconfiguredIgnitionAssetDefaultDependencies(t *testing.T) []asset.Ass
 		&manifests.NMStateConfig{},
 		&mirror.RegistriesConf{},
 		&mirror.CaBundle{},
+		&common.InfraEnvID{},
 	}
 }