Put prometheus metrics behind federation/origin token

config/config.go

@@ -204,6 +204,8 @@ func DiscoverFederation() error {
 		viper.Set("NamespaceURL", metadata.NamespaceRegistrationEndpoint)
 	}
 
+	viper.Set("FederationURI", metadata.JwksUri)
+
 	return nil
 }
 

director/redirect_test.go

@@ -183,7 +183,7 @@ func TestDirectorRegistration(t *testing.T) {
 	rInv.POST("/", RegisterOrigin)
 	cInv.Request, _ = http.NewRequest(http.MethodPost, "/", bytes.NewBuffer([]byte(`{"Namespaces": [{"Path": "/foo/bar", "URL": "https://get-your-tokens.org"}]}`)))
 
-	cInv.Request.Header.Set("Authorization", string(signedInv))
+	cInv.Request.Header.Set("Authorization", "Bearer "+string(signedInv))
 	cInv.Request.Header.Set("Content-Type", "application/json")
 
 	rInv.ServeHTTP(wInv, cInv.Request)

web_ui/prometheus.go

@@ -17,8 +17,10 @@ package web_ui
 
 import (
 	"context"
+	"crypto/ecdsa"
 	"errors"
 	"fmt"
+	"io"
 	"math"
 	"net/http"
 	"net/url"
@@ -35,6 +37,9 @@ import (
 	"github.com/go-kit/log"
 	"github.com/go-kit/log/level"
 	"github.com/grafana/regexp"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/mwitkow/go-conntrack"
 	"github.com/oklog/run"
 	pelican_config "github.com/pelicanplatform/pelican/config"
@@ -138,6 +143,117 @@ func runtimeInfo() (api_v1.RuntimeInfo, error) {
 	return api_v1.RuntimeInfo{}, nil
 }
 
+func checkPromToken(av1 *route.Router) gin.HandlerFunc {
+	/* A function which wraps around the av1 router to force a jwk token check using
+	 * the origin's private key. It will check the request's URL and Header for a token
+	 * and if found it will then attempt to validate the token. If valid, it will continue
+	 * the routing as normal, otherwise it will return an error"
+	 */
+	return func(c *gin.Context) {
+		req := c.Request
+
+		var strToken string
+		var token jwt.Token
+		var err error
+		if authzQuery := req.URL.Query()["authz"]; len(authzQuery) > 0 {
+			strToken = authzQuery[0]
+		} else if authzHeader := req.Header["Authorization"]; len(authzHeader) > 0 {
+			strToken = strings.TrimPrefix(authzHeader[0], "Bearer ")
+		} else {
+			c.JSON(403, gin.H{"error": "Permission Denied: Missing token"})
+			return
+		}
+
+		// Parsing the token (unverified) in order to get its issuer without having the jwks
+		token, err = jwt.Parse([]byte(strToken), jwt.WithVerify(false))
+
+		if err != nil {
+			c.JSON(400, gin.H{"error": "Failed to parse token"})
+		}
+
+		fedURL := viper.GetString("FederationURL")
+
+		var bKey *jwk.Key
+		if fedURL == token.Issuer() {
+			err := pelican_config.DiscoverFederation()
+			if err != nil {
+				c.JSON(400, gin.H{"error": "Failed to discover the federation information"})
+			}
+			fedURIFile := viper.GetString("FederationURI")
+			response, err := http.Get(fedURIFile)
+			if err != nil {
+				c.JSON(400, gin.H{"error": "Failed to get federation key file"})
+			}
+			defer response.Body.Close()
+			contents, err := io.ReadAll(response.Body)
+			if err != nil {
+				c.JSON(400, gin.H{"error": "Failed to read federation key file"})
+				return
+			}
+			keys, err := jwk.Parse(contents)
+			//key, err := jwk.ParseKey(contents, jwk.WithPEM(true))
+			if err != nil {
+				c.JSON(400, gin.H{"error": "Failed to parse Federation key file"})
+				return
+			}
+			key, ok := keys.Key(0)
+			if !ok {
+				c.JSON(400, gin.H{"error": "No key in keyset"})
+			}
+			bKey = &key
+		} else {
+			bKey, err = pelican_config.GetOriginJWK()
+			if err != nil {
+				c.JSON(400, gin.H{"error": "Failed to retrieve private key"})
+				return
+			}
+		}
+
+		var raw ecdsa.PrivateKey
+		if err = (*bKey).Raw(&raw); err != nil {
+			c.JSON(400, gin.H{"error": "Failed to extract signing key"})
+			return
+		}
+
+		parsed, err := jwt.Parse([]byte(strToken), jwt.WithKey(jwa.ES256, raw.PublicKey))
+
+		if err != nil {
+			c.JSON(403, gin.H{"error": "Permission Denied: Invalid token"})
+			return
+		}
+
+		/*
+		* The signature is verified, now we need to make sure this token actually gives us
+		* permission to access prometheus metrics
+		* NOTE: The validate function also handles checking `iat` and `exp` to make sure the token
+		*       remains valid.
+		 */
+		scopeValidator := jwt.ValidatorFunc(func(_ context.Context, tok jwt.Token) jwt.ValidationError {
+			scope_any, present := tok.Get("scope")
+			if !present {
+				return jwt.NewValidationError(errors.New("No scope is present; required for authorization"))
+			}
+			scope, ok := scope_any.(string)
+			if !ok {
+				return jwt.NewValidationError(errors.New("scope claim in token is not string-valued"))
+			}
+
+			for _, scope := range strings.Split(scope, " ") {
+				if scope == "prometheus.read" {
+					return nil
+				}
+			}
+			return jwt.NewValidationError(errors.New("Token does not contain prometheus access authorization"))
+		})
+		if err = jwt.Validate(parsed, jwt.WithValidator(scopeValidator)); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "server could not validate the provided access token"})
+			return
+		}
+
+		av1.ServeHTTP(c.Writer, c.Request)
+	}
+}
+
 func ConfigureEmbeddedPrometheus(engine *gin.Engine) error {
 
 	cfg := flagConfig{}
@@ -341,7 +457,7 @@ func ConfigureEmbeddedPrometheus(engine *gin.Engine) error {
 	//WithInstrumentation(setPathWithPrefix("/api/v1"))
 	apiV1.Register(av1)
 
-	engine.GET("/api/v1.0/prometheus/*any", gin.WrapH(av1))
+	engine.GET("/api/v1.0/prometheus/*any", checkPromToken(av1))
 
 	reloaders := []reloader{
 		{