AGENT-919: Authenticate day2 operations

Creating a Nodes ISO:
- secret does not exist
   1. Generate a new public key and JWT token with an expiration time of 48 hours
   2. The public key and token gets saved into the asset store
   3. Create a secret named agent-auth-token in the openshift-config namespace with this token and public key from the asset store.

- secret already exists
   1. Retrieve the stored token and check if the secret with JWT token is older than 24 hours.

- secret already exists and the token is older than 24 Hours
   1. Generate a new public key and JWT token with a new expiration time of 48 hours
   2. Update the secret with a new public key and JWT token

- secret already exists and the token is not older than 24 Hours
   1. Retrieve the token and public key from the secret and update the asset store with the values from the secret.

Running monitor-add-nodes Command:
  1. Retrieve the token from the secret.
  2. Register the agent installer client with the retrieved token.
  3. Send the auth token to the assisted service API via HTTP headers

Author: pawanpinjarkar

data/data/agent/files/usr/local/share/assisted-service/assisted-service.env.template

@@ -19,4 +19,4 @@ OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR={{.ReleaseImageMirror}}
 STORAGE=filesystem
 INFRA_ENV_ID={{.InfraEnvID}}
 EC_PUBLIC_KEY_PEM={{.PublicKeyPEM}}
-AGENT_AUTH_TOKEN={{.Token}}
+AGENT_AUTH_TOKEN={{.Token}}

data/data/agent/systemd/units/agent-import-cluster.service.template

@@ -16,7 +16,7 @@ EnvironmentFile=/usr/local/share/assisted-service/assisted-service.env
 EnvironmentFile=/etc/assisted/add-nodes.env
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStartPre=/usr/local/bin/wait-for-assisted-service.sh
-ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-import-cluster -v /etc/assisted/clusterconfig:/clusterconfig -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR --env CLUSTER_ID --env CLUSTER_NAME --env CLUSTER_API_VIP_DNS_NAME $SERVICE_IMAGE /usr/local/bin/agent-installer-client importCluster
+ExecStart=podman run --net host --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --replace --name=agent-import-cluster -v /etc/assisted/clusterconfig:/clusterconfig -v /etc/assisted/manifests:/manifests -v /etc/assisted/extra-manifests:/extra-manifests {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} {{.CaBundleMount}} --env SERVICE_BASE_URL --env OPENSHIFT_INSTALL_RELEASE_IMAGE_MIRROR --env CLUSTER_ID --env CLUSTER_NAME --env CLUSTER_API_VIP_DNS_NAME --env AGENT_AUTH_TOKEN $SERVICE_IMAGE /usr/local/bin/agent-installer-client importCluster
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 

pkg/agent/cluster.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/openshift/assisted-service/client/installer"
 	"github.com/openshift/assisted-service/models"
+	"github.com/openshift/installer/pkg/asset/agent/gencrypto"
 	"github.com/openshift/installer/pkg/asset/agent/workflow"
 	"github.com/openshift/installer/pkg/gather/ssh"
 )
@@ -70,9 +71,22 @@ func NewCluster(ctx context.Context, assetDir, rendezvousIP, kubeconfigPath, ssh
 	czero := &Cluster{}
 	capi := &clientSet{}
 
-	authToken, err := FindAuthTokenFromAssetStore(assetDir)
-	if err != nil {
-		logrus.Fatal(err)
+	var authToken string
+	var err error
+
+	switch workflowType {
+	case workflow.AgentWorkflowTypeInstall:
+		authToken, err = FindAuthTokenFromAssetStore(assetDir)
+		if err != nil {
+			return nil, err
+		}
+	case workflow.AgentWorkflowTypeAddNodes:
+		authToken, err = gencrypto.GetAuthTokenFromCluster(ctx, kubeconfigPath)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("AgentWorkflowType value not supported: %s", workflowType)
 	}
 
 	restclient := NewNodeZeroRestClient(ctx, rendezvousIP, sshKey, authToken)

pkg/agent/rest.go

@@ -119,7 +119,7 @@ func FindRendezvouIPAndSSHKeyFromAssetStore(assetDir string) (string, string, er
 	return rendezvousIP, sshKey, nil
 }
 
-// FindAuthTokenFromAssetStore returns the auth token.
+// FindAuthTokenFromAssetStore returns the auth token from asset store.
 func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
 	authConfigAsset := &gencrypto.AuthConfig{}
 
@@ -135,9 +135,12 @@ func FindAuthTokenFromAssetStore(assetDir string) (string, error) {
 		return "", errors.New("failed to load AuthConfig")
 	}
 
-	token := authConfig.(*gencrypto.AuthConfig).Token
+	var authToken string
+	if authConfig != nil {
+		authToken = authConfig.(*gencrypto.AuthConfig).AgentAuthToken
+	}
 
-	return token, nil
+	return authToken, nil
 }
 
 // IsRestAPILive Determine if the Agent Rest API on node zero has initialized

pkg/asset/agent/gencrypto/auth_utils.go

@@ -1,8 +1,12 @@
 package gencrypto
 
 import (
+	"time"
+
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
 )
 
 // UserAuthHeaderWriter sets the JWT authorization token.
@@ -11,3 +15,24 @@ func UserAuthHeaderWriter(token string) runtime.ClientAuthInfoWriter {
 		return r.SetHeaderParam("Authorization", token)
 	})
 }
+
+// ParseExpirationFromToken checks if the token is expired or not.
+func ParseExpirationFromToken(tokenString string) (time.Time, error) {
+	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return time.Time{}, err
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return time.Time{}, errors.Errorf("malformed token claims in url")
+	}
+	exp, ok := claims["exp"].(float64)
+	if !ok {
+		return time.Time{}, errors.Errorf("token missing 'exp' claim")
+	}
+	expTime := time.Unix(int64(exp), 0)
+	expiresAt := strfmt.DateTime(expTime)
+	expiryTime := time.Time(expiresAt)
+
+	return expiryTime, nil
+}

pkg/asset/agent/gencrypto/auth_utils_test.go

@@ -0,0 +1,53 @@
+package gencrypto
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseExpirationFromToken(t *testing.T) {
+	publicKey, privateKey, err := keyPairPEM()
+	assert.NotEmpty(t, publicKey)
+	assert.NotEmpty(t, privateKey)
+	assert.NoError(t, err)
+
+	infraEnvID := uuid.New().String()
+
+	tokenNoExp, err := generateToken(infraEnvID, privateKey)
+	assert.NotEmpty(t, tokenNoExp)
+	assert.NoError(t, err)
+
+	expiry := time.Now().UTC().Add(30 * time.Second)
+	tokenWithExp, err := generateToken(infraEnvID, privateKey, expiry)
+	assert.NotEmpty(t, tokenWithExp)
+	assert.NoError(t, err)
+
+	cases := []struct {
+		name, token, errorMessage string
+		expectedErr               bool
+	}{
+		{
+			name:         "exp-claim-not-set",
+			token:        tokenNoExp,
+			expectedErr:  true,
+			errorMessage: "token missing 'exp' claim",
+		},
+		{
+			name:  "exp-claim-set",
+			token: tokenWithExp,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err = ParseExpirationFromToken(tc.token)
+			if tc.expectedErr {
+				assert.EqualError(t, err, tc.errorMessage)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}