Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(jwt): implement JWT auth for asset downloads #719

Merged
merged 42 commits into from
Nov 22, 2021
Merged

feat(jwt): implement JWT auth for asset downloads #719

merged 42 commits into from
Nov 22, 2021

Conversation

andrewazores
Copy link
Member

@andrewazores andrewazores commented Oct 14, 2021
edited
Loading

Fixes #718
Depends on cryostatio/cryostat-web#319

This PR primarily adds a new POST /api/beta/auth/token API handler. This handler takes the usual Authorization and X-JMX-Authorization headers as well as the resource multipart form attribute and delegates off to the AssetJwtHelper. These three factors are encoded into a JWT, which is then symmetrically encrypted. The handler then responds back to the client with a resourceUrl like http://cryostat.example:1234/api/beta/reports/foo.jfr?token=thetoken. All the client needs to do is then issue a GET http://cryostat.example:1234/api/beta/reports/foo.jfr?token=thetoken and the requested resource will be sent - assuming that by the time this is done the token is still valid, since they expire somewhat quickly. The Authorization header encoded into the token is checked at the time of the GET request to ensure that the user bearing the token has the required permissions for the resource they are requesting, and the X-JMX-Authorization header content encoded into the token is used if needed when establishing any potential JMX connection opened by the request, and the request URL is checked against the original resource attribute to ensure the token was generated for this exact resource. If any of these checks fail then the client receives a 401 response. There are GET /api/beta/recordings/:recordingName, GET /api/beta/targets/:targetId/recordings/:recordingName, GET /api/beta/reports/:recordingName, GET /api/beta/targets/:targetId/reports/:recordingName, and GET /api/beta/targets/:targetId/templates/:templateName/type/:templateType handlers implemented which all accept the JWT rather than requiring Authorization/X-JMX-Authorization headers.

@andrewazores andrewazores added the feat New feature or request label Oct 14, 2021
@andrewazores andrewazores force-pushed the jwt branch 6 times, most recently from 0885942 to edf9455 Compare October 20, 2021 02:33
@andrewazores andrewazores force-pushed the jwt branch 3 times, most recently from 67861de to 727c77d Compare October 29, 2021 19:54
@andrewazores andrewazores force-pushed the jwt branch 2 times, most recently from f65d610 to 8c2f4b5 Compare November 5, 2021 17:27
@andrewazores andrewazores mentioned this pull request Nov 11, 2021
Merged
@andrewazores andrewazores marked this pull request as ready for review November 11, 2021 00:33
@andrewazores
Copy link
Member Author

This PR is rather large because there's a bunch of new API surface and tests added, but the core of it and the interesting bits are contained in the new AuthTokenPostHandler, AssetJwtHelper, and AbstractJwtConsumingHandler.

@ebaron @hareetd @jan-law any takers for review?

@andrewazores
Copy link
Member Author

Looks like I have some itest cleanup to check on or something.

@andrewazores
Copy link
Member Author

itests are fixed, turned out to be a small and silly issue.

@jan-law jan-law self-requested a review November 15, 2021 17:53
@github-actions
Copy link
Contributor

🎉 Great news! Looks like all the dependencies have been resolved:

💡 To add or remove a dependency please update this issue/PR description.

Brought to you by Dependent Issues (:robot: ). Happy coding!

jan-law
jan-law approved these changes Nov 22, 2021
View reviewed changes
Copy link
Contributor

@jan-law jan-law left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@andrewazores andrewazores merged commit 9b1b372 into cryostatio:main Nov 22, 2021
@andrewazores andrewazores deleted the jwt branch November 22, 2021 16:22
@andrewazores andrewazores mentioned this pull request May 30, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-law jan-law jan-law approved these changes

Assignees
No one assigned
Labels
feat New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement API handlers for downloading resources (reports, recordings, templates) using JWT
2 participants
@andrewazores @jan-law