[v1.7 release] merge v1.7 to main (#439)

.github/compute-version/action.yaml

@@ -0,0 +1,16 @@
+name: Compute Version
+description: computes version of tornjak
+outputs:
+  version:
+    description: "tornjak version"
+    value: ${{ steps.version.outputs.version }}
+runs:
+  using: composite
+  steps:
+    - name: Generate Version
+      id: version
+      shell: bash
+      run: |
+        version="$(cat version.txt | cut -d '.' -f -2)"
+        echo VERSION=$version
+        echo "version=$version" >> $GITHUB_OUTPUT

.github/workflows/ci.yaml

@@ -15,10 +15,10 @@ jobs:
           EOF
 
       - name: Check out repository code
-        uses: actions/checkout@v4.1.2
+        uses: actions/checkout@v4.1.6
 
       - name: Install Golang
-        uses: actions/setup-go@v5.0.0
+        uses: actions/setup-go@v5.0.1
         with:
           go-version-file: go.mod
           check-latest: true
@@ -39,7 +39,7 @@ jobs:
         run: go mod download
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4.0.0
+        uses: golangci/golangci-lint-action@v6.0.1
         with:
           version: v1.57.2
           args: --timeout 7m

.github/workflows/master-build.yaml

@@ -19,9 +19,10 @@ jobs:
           EOF
 
       - name: Check out repository code
-        uses: actions/checkout@v4.1.2
+        uses: actions/checkout@v4.1.6
+
       - name: Log in to GHCR.io
-        uses: docker/login-action@v3.1.0
+        uses: docker/login-action@v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -30,11 +31,15 @@ jobs:
       - name: Get branch name
         id: branch_name
         run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+
+      - name: Compute Tornjak version
+        uses: ./.github/compute-version
+        id: version
 
       - name: Run build
         uses: ./.github/actions/build
         with:
-          tag-version: ${{ contains(fromJSON('["main", "v1.6"]'), steps.branch_name.outputs.branch) && true || false }}
+          tag-version: ${{ contains(fromJSON('["main", "${{ steps.version.outputs.version }}"]'), steps.branch_name.outputs.branch) && true || false }}
 
       - name: Print job result
         run: |
@@ -55,9 +60,9 @@ jobs:
           EOF
 
       - name: Check out repository code
-        uses: actions/checkout@v4.1.2
+        uses: actions/checkout@v4.1.6
       - name: Log in to GHCR.io
-        uses: docker/login-action@v3.1.0
+        uses: docker/login-action@v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -67,13 +72,17 @@ jobs:
         id: branch_name
         run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
 
+      - name: Compute Tornjak version
+        uses: ./.github/compute-version
+        id: version
+
       - name: Run build
         uses: ./.github/actions/build
         with:
           image-tag-prefix: ubi-
           backend-dockerfile: Dockerfile.backend-container.ubi
           frontend-dockerfile: frontend/Dockerfile.frontend-container.ubi
-          tag-version: ${{ contains(fromJSON('["main", "v1.6"]'), steps.branch_name.outputs.branch) && true || false }}
+          tag-version: ${{ contains(fromJSON('["main", "${{ steps.version.outputs.version }}"]'), steps.branch_name.outputs.branch) && true || false }}
 
       - name: Print job result
         run: |

api/agent/server.go

@@ -20,8 +20,9 @@ import (
 	"github.com/hashicorp/hcl/hcl/token"
 	"github.com/pkg/errors"
 
-	auth "github.com/spiffe/tornjak/pkg/agent/auth"
 	agentdb "github.com/spiffe/tornjak/pkg/agent/db"
+	"github.com/spiffe/tornjak/pkg/agent/authentication/authenticator"
+	"github.com/spiffe/tornjak/pkg/agent/authorization"
 )
 
 type Server struct {
@@ -36,7 +37,8 @@ type Server struct {
 
 	// Plugins
 	Db   agentdb.AgentDB
-	Auth auth.Auth
+	Authenticator authenticator.Authenticator
+	Authorizer authorization.Authorizer
 }
 
 // config type, as defined by SPIRE
@@ -429,15 +431,18 @@ func (s *Server) verificationMiddleware(next http.Handler) http.Handler {
 			cors(w, r)
 			return
 		}
-		err := s.Auth.Verify(r)
+
+		userInfo := s.Authenticator.AuthenticateRequest(r)
+
+		err := s.Authorizer.AuthorizeRequest(r, userInfo)
 		if err != nil {
 			emsg := fmt.Sprintf("Error authorizing request: %v", err.Error())
 			// error should be written already
 			retError(w, emsg, http.StatusUnauthorized)
 			return
-		} else {
-			next.ServeHTTP(w, r)
 		}
+
+		next.ServeHTTP(w, r)
 	}
 	return http.HandlerFunc(f)
 }
@@ -540,41 +545,61 @@ func (s *Server) home(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func (s *Server) health(w http.ResponseWriter, r *http.Request) {
+	var ret = "Endpoint is healthy."
+
+	cors(w, r)
+	je := json.NewEncoder(w)
+
+	var err = je.Encode(ret)
+	if err != nil {
+		emsg := fmt.Sprintf("Error: %v", err.Error())
+		retError(w, emsg, http.StatusBadRequest)
+	}
+}
+
+
 func (s *Server) GetRouter() http.Handler {
 	rtr := mux.NewRouter()
 
+	apiRtr := rtr.PathPrefix("/").Subrouter()
+	healthRtr := rtr.PathPrefix("/healthz").Subrouter()
+
+	// Healthcheck (never goes through authn/authz layers)
+	healthRtr.HandleFunc("", s.health)
+
 	// Home
-	rtr.HandleFunc("/", s.home)
+	apiRtr.HandleFunc("/", s.home)
 
 	// SPIRE server healthcheck
-	rtr.HandleFunc("/api/debugserver", s.debugServer)
-	rtr.HandleFunc("/api/healthcheck", s.healthcheck)
+	apiRtr.HandleFunc("/api/debugserver", s.debugServer)
+	apiRtr.HandleFunc("/api/healthcheck", s.healthcheck)
 
 	// Agents
-	rtr.HandleFunc("/api/agent/list", s.agentList)
-	rtr.HandleFunc("/api/agent/ban", s.agentBan)
-	rtr.HandleFunc("/api/agent/delete", s.agentDelete)
-	rtr.HandleFunc("/api/agent/createjointoken", s.agentCreateJoinToken)
+	apiRtr.HandleFunc("/api/agent/list", s.agentList)
+	apiRtr.HandleFunc("/api/agent/ban", s.agentBan)
+	apiRtr.HandleFunc("/api/agent/delete", s.agentDelete)
+	apiRtr.HandleFunc("/api/agent/createjointoken", s.agentCreateJoinToken)
 
 	// Entries
-	rtr.HandleFunc("/api/entry/list", s.entryList)
-	rtr.HandleFunc("/api/entry/create", s.entryCreate)
-	rtr.HandleFunc("/api/entry/delete", s.entryDelete)
+	apiRtr.HandleFunc("/api/entry/list", s.entryList)
+	apiRtr.HandleFunc("/api/entry/create", s.entryCreate)
+	apiRtr.HandleFunc("/api/entry/delete", s.entryDelete)
 
 	// Tornjak specific
-	rtr.HandleFunc("/api/tornjak/serverinfo", s.tornjakGetServerInfo)
+	apiRtr.HandleFunc("/api/tornjak/serverinfo", s.tornjakGetServerInfo)
 	// Agents Selectors
-	rtr.HandleFunc("/api/tornjak/selectors/register", s.tornjakPluginDefine)
-	rtr.HandleFunc("/api/tornjak/selectors/list", s.tornjakSelectorsList)
-	rtr.HandleFunc("/api/tornjak/agents/list", s.tornjakAgentsList)
+	apiRtr.HandleFunc("/api/tornjak/selectors/register", s.tornjakPluginDefine)
+	apiRtr.HandleFunc("/api/tornjak/selectors/list", s.tornjakSelectorsList)
+	apiRtr.HandleFunc("/api/tornjak/agents/list", s.tornjakAgentsList)
 	// Clusters
-	rtr.HandleFunc("/api/tornjak/clusters/list", s.clusterList)
-	rtr.HandleFunc("/api/tornjak/clusters/create", s.clusterCreate)
-	rtr.HandleFunc("/api/tornjak/clusters/edit", s.clusterEdit)
-	rtr.HandleFunc("/api/tornjak/clusters/delete", s.clusterDelete)
+	apiRtr.HandleFunc("/api/tornjak/clusters/list", s.clusterList)
+	apiRtr.HandleFunc("/api/tornjak/clusters/create", s.clusterCreate)
+	apiRtr.HandleFunc("/api/tornjak/clusters/edit", s.clusterEdit)
+	apiRtr.HandleFunc("/api/tornjak/clusters/delete", s.clusterDelete)
 
 	// Middleware
-	rtr.Use(s.verificationMiddleware)
+	apiRtr.Use(s.verificationMiddleware)
 
 	// UI
 	spa := spaHandler{staticPath: "ui-agent", indexPath: "index.html"}
@@ -755,40 +780,78 @@ func NewAgentsDB(dbPlugin *ast.ObjectItem) (agentdb.AgentDB, error) {
 	}
 }
 
-// NewAuth returns a new Auth
-func NewAuth(authPlugin *ast.ObjectItem) (auth.Auth, error) {
-	key, data, _ := getPluginConfig(authPlugin)
-	/*if err != nil { // default used, no error
-		verifier := auth.NewNullVerifier()
-		return verifier, nil
-	}*/
+// NewAuthenticator returns a new Authenticator
+func NewAuthenticator(authenticatorPlugin *ast.ObjectItem) (authenticator.Authenticator, error) {
+	key, data, _ := getPluginConfig(authenticatorPlugin)
 
 	switch key {
-	case "KeycloakAuth":
+	case "Keycloak":
 		// check if data is defined
 		if data == nil {
-			return nil, errors.New("KeycloakAuth UserManagement plugin ('config > plugins > UserManagement KeycloakAuth > plugin_data') no populated")
+			return nil, errors.New("Keycloak Authenticator plugin ('config > plugins > Authenticator Keycloak > plugin_data') not populated")
 		}
-		fmt.Printf("KeycloakAuth Usermanagement Data: %+v\n", data)
+		fmt.Printf("Authenticator Keycloak Plugin Data: %+v\n", data)
 		// decode config to struct
-		var config pluginAuthKeycloak
+		var config pluginAuthenticatorKeycloak
 		if err := hcl.DecodeObject(&config, data); err != nil {
-			return nil, errors.Errorf("Couldn't parse Auth config: %v", err)
+			return nil, errors.Errorf("Couldn't parse Authenticator config: %v", err)
 		}
 
 		// Log warning if audience is nil that aud claim is not checked
 		if config.Audience == "" {
-			fmt.Printf("WARNING: Auth plugin has no expected audience configured - `aud` claim will not be checked (please populate 'config > plugins > UserManagement KeycloakAuth > plugin_data > audience')")
+			fmt.Println("WARNING: Auth plugin has no expected audience configured - `aud` claim will not be checked (please populate 'config > plugins > UserManagement KeycloakAuth > plugin_data > audience')")
+		}
+
+		// create authenticator TODO make json an option?
+		authenticator, err := authenticator.NewKeycloakAuthenticator(true, config.IssuerURL, config.Audience)
+		if err != nil {
+			return nil, errors.Errorf("Couldn't configure Authenticator: %v", err)
+		}
+		return authenticator, nil
+	default:
+		return nil, errors.Errorf("Invalid option for Authenticator named %s", key)
+	}
+}
+
+// NewAuthorizer returns a new Authorizer
+func NewAuthorizer(authorizerPlugin *ast.ObjectItem) (authorization.Authorizer, error) {
+	key, data, _ := getPluginConfig(authorizerPlugin)
+
+	switch key {
+	case "RBAC":
+		// check if data is defined
+		if data == nil {
+			return nil, errors.New("RBAC Authorizer plugin ('config > plugins > Authorizer RBAC > plugin_data') not populated")
 		}
+		fmt.Printf("Authorizer RBAC Plugin Data: %+v\n", data)
 
-		// create verifier TODO make json an option?
-		verifier, err := auth.NewKeycloakVerifier(true, config.IssuerURL, config.Audience)
+		// decode config to struct
+		var config pluginAuthorizerRBAC
+		if err := hcl.DecodeObject(&config, data); err != nil {
+			return nil, errors.Errorf("Couldn't parse Authorizer config: %v", err)
+		}
+
+		// decode into role list and apiMapping
+		roleList := make(map[string]string)
+		apiMapping := make(map[string][]string)
+		for _, role := range config.RoleList {
+			roleList[role.Name] = role.Desc
+			// print warning for empty string
+			if role.Name == "" {
+				fmt.Println("WARNING: using the empty string for an API enables access to all authenticated users")
+			}
+		}
+		for _, api := range config.APIRoleMappings {
+			apiMapping[api.Name] = api.AllowedRoles
+		}
+
+		authorizer, err := authorization.NewRBACAuthorizer(config.Name, roleList, apiMapping)
 		if err != nil {
-			return nil, errors.Errorf("Couldn't configure Auth: %v", err)
+			return nil, errors.Errorf("Couldn't configure Authorizer: %v", err)
 		}
-		return verifier, nil
+		return authorizer, nil
 	default:
-		return nil, errors.Errorf("Invalid option for UserManagement named %s", key)
+		return nil, errors.Errorf("Invalid option for Authorizer named %s", key)
 	}
 }
 
@@ -814,7 +877,8 @@ func (s *Server) VerifyConfiguration() error {
 
 func (s *Server) ConfigureDefaults() error {
 	// no authorization is a default
-	s.Auth = auth.NewNullVerifier()
+	s.Authenticator = authenticator.NewNullAuthenticator()
+	s.Authorizer = authorization.NewNullAuthorizer()
 	return nil
 }
 
@@ -864,11 +928,17 @@ func (s *Server) Configure() error {
 			if err != nil {
 				return errors.Errorf("Cannot configure datastore plugin: %v", err)
 			}
-		// configure auth
-		case "UserManagement":
-			s.Auth, err = NewAuth(pluginObject)
+		// configure Authenticator
+		case "Authenticator":
+			s.Authenticator, err = NewAuthenticator(pluginObject)
+			if err != nil {
+				return errors.Errorf("Cannot configure Authenticator plugin: %v", err)
+			}
+		// configure Authorizer
+		case "Authorizer":
+			s.Authorizer, err = NewAuthorizer(pluginObject)
 			if err != nil {
-				return errors.Errorf("Cannot configure auth plugin: %v", err)
+				return errors.Errorf("Cannot configure Authorizer plugin: %v", err)
 			}
 		}
 		// TODO Handle when multiple plugins configured

api/agent/types.go

@@ -108,7 +108,23 @@ type pluginDataStoreSQL struct {
 	Filename   string `hcl:"filename"`
 }
 
-type pluginAuthKeycloak struct {
+type pluginAuthenticatorKeycloak struct {
 	IssuerURL string `hcl:"issuer"`
 	Audience  string `hcl:"audience"`
 }
+
+type AuthRole struct {
+	Name string `hcl:",key"`
+	Desc string `hcl:"desc"`
+}
+
+type APIRoleMapping struct {
+	Name string `hcl:",key"`
+	AllowedRoles []string `hcl:"allowed_roles"`
+}
+
+type pluginAuthorizerRBAC struct {
+	Name string `hcl:"name"`
+	RoleList []*AuthRole `hcl:"role,block"`
+	APIRoleMappings []*APIRoleMapping `hcl:"API,block"`
+}