Merge pull request openshift#8717 from pawanpinjarkar/day2-auth

AGENT-919: Authenticate day2 operations

Author: openshift-merge-bot[bot]

data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template

@@ -19,4 +19,4 @@ OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR={{.ReleaseImageMirror}}
 STORAGE=filesystem
 INFRA_ENV_ID={{.InfraEnvID}}
 EC_PUBLIC_KEY_PEM={{.PublicKeyPEM}}
-AGENT_AUTH_TOKEN={{.Token}}
+AGENT_AUTH_TOKEN={{.Token}}

data/data/agent/systemd/units/agent-import-cluster.service.template

@@ -16,7 +16,7 @@ EnvironmentFile=/usr/local/share/assisted-service/assisted-service.env
 EnvironmentFile=/etc/assisted/add-nodes.env
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStartPre=/usr/local/bin/wait-for-assisted-service.sh
-ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-import-cluster -v /etc/assisted/clusterconfig:/clusterconfig -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR --env CLUSTER_ID --env CLUSTER_NAME --env CLUSTER_API_VIP_DNS_NAME $SERVICE_IMAGE /usr/local/bin/agent-installer-client importCluster
+ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-import-cluster -v /etc/assisted/clusterconfig:/clusterconfig -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR --env CLUSTER_ID --env CLUSTER_NAME --env CLUSTER_API_VIP_DNS_NAME --env AGENT_AUTH_TOKEN $SERVICE_IMAGE /usr/local/bin/agent-installer-client importCluster
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 

pkg/agent/cluster.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/openshift/assisted-service/client/installer"
 	"github.com/openshift/assisted-service/models"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/workflow"
 	"github.com/openshift/installer/pkg/gather/ssh"
 )
@@ -70,9 +71,22 @@ func NewCluster(ctx context.Context, assetDir, rendezvousIP, kubeconfigPath, ssh
 	czero := &Cluster{}
 	capi := &clientSet{}
 
-	authToken, err := FindAuthTokenFromAssetStore(assetDir)
-	if err != nil {
-		logrus.Fatal(err)
+	var authToken string
+	var err error
+
+	switch workflowType {
+	case workflow.AgentWorkflowTypeInstall:
+		authToken, err = FindAuthTokenFromAssetStore(assetDir)
+		if err != nil {
+			return nil, err
+		}
+	case workflow.AgentWorkflowTypeAddNodes:
+		authToken, err = gencrypto.GetAuthTokenFromCluster(ctx, kubeconfigPath)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("AgentWorkflowType value not supported: %s", workflowType)
 	}
 
 	restclient := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey, authToken)

pkg/agent/rest.go

@@ -119,7 +119,7 @@ func FindRendezvouIPAndSSHKeyFromAssetStore(assetDir string) (string, string, er
 	return rendezvousIP, sshKey, nil
 }
 
-// FindAuthTokenFromAssetStore returns the auth token.
+// FindAuthTokenFromAssetStore returns the auth token from asset store.
 func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
 	authConfigAsset := &gencrypto.AuthConfig{}
 
@@ -135,9 +135,12 @@ func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
 		return "", errors.New("failed to load AuthConfig")
 	}
 
-	token := authConfig.(*gencrypto.AuthConfig).Token
+	var authToken string
+	if authConfig != nil {
+		authToken = authConfig.(*gencrypto.AuthConfig).AgentAuthToken
+	}
 
-	return token, nil
+	return authToken, nil
 }
 
 // IsRestAPILive Determine if the Agent Rest API on node zero has initialized

pkg/asset/agent/gencrypto/auth_utils.go

@@ -1,8 +1,12 @@
 package gencrypto
 
 import (
+	"time"
+
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
 )
 
 // UserAuthHeaderWriter sets the JWT authorization token.
@@ -11,3 +15,24 @@ func UserAuthHeaderWriter(token string) runtime.ClientAuthInfoWriter {
 		return r.SetHeaderParam("Authorization", token)
 	})
 }
+
+// ParseExpirationFromToken checks if the token is expired or not.
+func ParseExpirationFromToken(tokenString string) (time.Time, error) {
+	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return time.Time{}, err
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return time.Time{}, errors.Errorf("malformed token claims in url")
+	}
+	exp, ok := claims["exp"].(float64)
+	if !ok {
+		return time.Time{}, errors.Errorf("token missing 'exp' claim")
+	}
+	expTime := time.Unix(int64(exp), 0)
+	expiresAt := strfmt.DateTime(expTime)
+	expiryTime := time.Time(expiresAt)
+
+	return expiryTime, nil
+}

pkg/asset/agent/gencrypto/auth_utils_test.go

@@ -0,0 +1,53 @@
+package gencrypto
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseExpirationFromToken(t *testing.T) {
+	publicKey, privateKey, err := keyPairPEM()
+	assert.NotEmpty(t, publicKey)
+	assert.NotEmpty(t, privateKey)
+	assert.NoError(t, err)
+
+	infraEnvID := uuid.New().String()
+
+	tokenNoExp, err := generateToken(infraEnvID, privateKey)
+	assert.NotEmpty(t, tokenNoExp)
+	assert.NoError(t, err)
+
+	expiry := time.Now().UTC().Add(30 * time.Second)
+	tokenWithExp, err := generateToken(infraEnvID, privateKey, expiry)
+	assert.NotEmpty(t, tokenWithExp)
+	assert.NoError(t, err)
+
+	cases := []struct {
+		name, token, errorMessage string
+		expectedErr               bool
+	}{
+		{
+			name:         "exp-claim-not-set",
+			token:        tokenNoExp,
+			expectedErr:  true,
+			errorMessage: "token missing 'exp' claim",
+		},
+		{
+			name:  "exp-claim-set",
+			token: tokenWithExp,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err = ParseExpirationFromToken(tc.token)
+			if tc.expectedErr {
+				assert.EqualError(t, err, tc.errorMessage)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}