
JWT API #103

Merged
merged 17 commits into from
May 20, 2021

Conversation


@atye atye commented May 19, 2021

Description

This PR resolves a security vulnerability with the https://github.com/dgrijalva/jwt-go library, https://access.redhat.com/security/cve/cve-2020-26160, by using a different library for JWT operations: https://github.com/lestrrat-go/jwx.

JWT operations are now abstracted to allow for various implementations without the need to refactor the services and handlers. To update the proxy-server and the tenantsvc with a TokenManager implementation, you only need to update the associated main.go files.

The JWT interface defines a Token and a TokenManager:

type Token interface {
	// Claims returns the Claims of the Token
	Claims() (Claims, error)
	// SignedString returns a token string signed with the secret
	SignedString(secret string) (string, error)
}

The JWT interface defines a TokenManager with these operations:

type Manager interface {
	// NewPair returns an access/refresh pair from a Config
	NewPair(Config) (Pair, error)
	// NewWithClaims returns a Token built from the claims
	NewWithClaims(claims Claims) Token
	// ParseWithClaims unmarshals a token string into claims and returns the Token
	ParseWithClaims(token string, secret string, claims *Claims) (Token, error)
}

Issues

List the issues impacted by this PR:

Issue ID
#102

Checklist:

  • I have performed a self-review of my own changes.
# make test
docker run --rm -it -v /git/karavi-authorization/policies:/policies/ openpolicyagent/opa test -v /policies/
data.karavi.authz.url.test_get_api_login_allowed: PASS (3.167891ms)
data.karavi.authz.url.test_post_proxy_refresh_token_allowed: PASS (757.861µs)
data.karavi.authz.url.test_get_api_version_allowed: PASS (890.317µs)
data.karavi.authz.url.test_get_system_instances_allowed: PASS (685.175µs)
data.karavi.authz.url.test_get_storagpool_instances_allowed: PASS (798.993µs)
data.karavi.authz.url.test_post_volume_instances_allowed: PASS (867.068µs)
data.karavi.authz.url.test_get_volume_instance_allowed: PASS (1.507001ms)
data.karavi.authz.url.test_post_volume_instances_queryIdByKey_allowed: PASS (644.113µs)
data.karavi.authz.url.test_get_system_sdc_allowed: PASS (876.608µs)
data.karavi.authz.url.test_post_volume_add_sdc_allowed: PASS (562.731µs)
data.karavi.authz.url.test_post_volume_remove_sdc_allowed: PASS (553.453µs)
data.karavi.authz.url.test_post_volume_remove_allowed: PASS (515.782µs)
data.karavi.volumes.create.test_small_request_allowed: PASS (1.633019ms)
data.karavi.volumes.create.test_large_request_not_allowed: PASS (383.914µs)
--------------------------------------------------------------------------------
PASS: 14/14
go test -count=1 -cover -race -timeout 30s -short ./...
?       karavi-authorization/cmd/karavictl      [no test files]
ok      karavi-authorization/cmd/karavictl/cmd  1.988s  coverage: 65.1% of statements
ok      karavi-authorization/cmd/proxy-server   0.057s  coverage: 0.7% of statements
?       karavi-authorization/cmd/sidecar-proxy  [no test files]
?       karavi-authorization/cmd/tenant-service [no test files]
ok      karavi-authorization/deploy     0.035s  coverage: 84.6% of statements
?       karavi-authorization/internal/decision  [no test files]
ok      karavi-authorization/internal/powerflex 9.019s  coverage: 88.9% of statements
ok      karavi-authorization/internal/proxy     6.083s  coverage: 69.4% of statements
ok      karavi-authorization/internal/quota     0.093s  coverage: 90.1% of statements
ok      karavi-authorization/internal/roles     0.004s  coverage: 93.2% of statements
ok      karavi-authorization/internal/tenantsvc 1.336s  coverage: 82.3% of statements
ok      karavi-authorization/internal/token     0.011s  coverage: 90.9% of statements
ok      karavi-authorization/internal/token/jwx 0.006s  coverage: 72.2% of statements
ok      karavi-authorization/internal/web       0.007s  coverage: 28.4% of statements
?       karavi-authorization/pb [no test files]

PowerFlex e2e:

=== RUN   TestAuthInstall
2021/05/19 13:21:39 Starting installing one-binary authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations

  Scenario: Check that I can install karavi authorization                              # features/setup.feature:7
    Given an environment where kubernetes, storage system, and CSI driver are deployed # auth_steps_test.go:808 -> *feature
=== Installing Authorization ===
=== copying single binary to 10.247.66.155 ===
=== installing single binary in 10.247.66.155 ===
=== copy karavictl to current directory
=== installing karavictl on CSI driver host
    When I install karavi authorization                                                # auth_steps_test.go:814 -> *feature
=== Checking if Authorization is ready ===
    Then karavi authorization is installed                                             # auth_steps_test.go:141 -> *feature

1 scenarios (1 passed)
3 steps (3 passed)
1m27.001986717s
2021/05/19 13:23:06 Validation test finished
--- PASS: TestAuthInstall (87.01s)
=== RUN   TestAuthConfig
2021/05/19 13:23:06 Starting configuring authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations
=== Checking if Authorization is ready ===

  Scenario: Check that I have a valid karavi authorization setup for e2e tests           # features/setup.feature:13
=== Configuring Authorization ===
=== Creating Storage ===
=== Creating Tenant ===
=== Creating Role for CSIGold ===
=== Binding Role for CSIGold ===
=== Creating Role for CSISilver ===
=== Binding Role for CSISilver ===
=== Generating token ===
=== Applying token ===
=== injecting sidecar in vxflexos ===
    Given karavi authorization is installed                                              # auth_steps_test.go:141 -> *feature
    When I can configure karavi authorization with <storageType>, <tenant>,  and <roles> # auth_steps_test.go:145 -> *feature
    Then there is a storage system of <storageType> created                              # auth_steps_test.go:161 -> *feature
    And a tenant <tenant> is created                                                     # auth_steps_test.go:210 -> *feature
    And some <roles> for <storageType> are created                                       # auth_steps_test.go:235 -> *feature
    And the <roles> are bound to <tenant>                                                # auth_steps_test.go:280 -> *feature
    And a token for <tenant> is generated and applied to CSI <storageType> driver host   # auth_steps_test.go:313 -> *feature
    And sidecar is injected in the CSI <storageType> driver host                         # auth_steps_test.go:328 -> *feature

    Examples:
      | storageType | tenant         | roles                                 |
      | "powerflex" | "PancakeGroup" | "CSIGold:30000000,CSISilver:25000000" |

1 scenarios (1 passed)
8 steps (8 passed)
2m47.797275027s
2021/05/19 13:25:54 Validation test finished
--- PASS: TestAuthConfig (167.81s)
=== RUN   TestVolume
2021/05/19 13:25:54 Starting volume test
Feature: Karavi Authorization
  As a consumer of the Karavi Authorization
  I want to test karavi authorization
  So that they are known to work

  Scenario: Create and Delete Volume                                                # features/volume.feature:7
    Given Karavi Authorization is available and configured                          # auth_steps_test.go:431 -> *feature
    And I have <storageclass>                                                       # auth_steps_test.go:344 -> *feature
    When I create a  <pvc> request from <storageclass> with storage capacity <size> # auth_steps_test.go:354 -> *feature
    Then I can request a pod to consume <pvc>                                       # auth_steps_test.go:379 -> *feature
    And <pvc> is bound to storage                                                   # auth_steps_test.go:408 -> *feature
    And volume is created in backend storage                                        # auth_steps_test.go:684 -> *feature
    And I delete the pod and <pvc>                                                  # auth_steps_test.go:438 -> *feature
    And <pvc> is deleted from kubernetes                                            # auth_steps_test.go:451 -> *feature
    And volume is deleted from backend storage                                      # auth_steps_test.go:736 -> *feature

    Examples:
      | storageclass   | size  | pvc        |
      | "vxflexos-xfs" | "2Mi" | "lemonade" |
      | "vxflexos-xfs" | "3Mi" | "tea"      |
      | "vxflexos-xfs" | "1Mi" | "water"    |

  Scenario: Create volume with quota that exceeds the assigned quota limit for the authorized pool # features/volume.feature:32
    Given Karavi Authorization is available and configured                                         # auth_steps_test.go:431 -> *feature
    And I have <storageclass>                                                                      # auth_steps_test.go:344 -> *feature
    When I create a  <pvc> request from <storageclass> with storage capacity <size>                # auth_steps_test.go:354 -> *feature
    Then I can request a pod to consume <pvc>                                                      # auth_steps_test.go:379 -> *feature
    And request is denied as <pvc> exceeds capacity                                                # auth_steps_test.go:468 -> *feature
    And <pvc> is pending                                                                           # auth_steps_test.go:668 -> *feature
    And I delete the pod and <pvc>                                                                 # auth_steps_test.go:438 -> *feature
    And <pvc> is deleted from kubernetes                                                           # auth_steps_test.go:451 -> *feature

    Examples:
      | storageclass   | size    | pvc      |
      | "vxflexos-xfs" | "999Gi" | "coffee" |
      | "vxflexos-xfs" | "40Ti"  | "soda"   |

  Scenario: Create volume with an unauthorized pool                                 # features/volume.feature:54
    Given Karavi Authorization is available and configured                          # auth_steps_test.go:431 -> *feature
    And I create a <pool> in backend storage                                        # auth_steps_test.go:516 -> *feature
    And I create new <storageclass> to point to <pool>                              # auth_steps_test.go:552 -> *feature
    When I create a  <pvc> request from <storageclass> with storage capacity <size> # auth_steps_test.go:354 -> *feature
    Then I can request a pod to consume <pvc>                                       # auth_steps_test.go:379 -> *feature
    And request is denied for not having access to <pool>                           # auth_steps_test.go:596 -> *feature
    And <pvc> is pending                                                            # auth_steps_test.go:668 -> *feature
    And I delete the pod and <pvc>                                                  # auth_steps_test.go:438 -> *feature
    And <pvc> is deleted from kubernetes                                            # auth_steps_test.go:451 -> *feature
    And delete <storageclass> from kubernetes                                       # auth_steps_test.go:571 -> *feature
    And delete <pool> from backend storage                                          # auth_steps_test.go:580 -> *feature

    Examples:
      | storageclass       | size  | pvc      | pool         |
      | "vxflexos-rock"    | "3Mi" | "lipton" | "CSIRock"    |
      | "vxflexos-diamond" | "1Mi" | "milk"   | "CSIDiamond" |

7 scenarios (7 passed)
65 steps (65 passed)
3m44.612958063s
2021/05/19 13:29:38 Volume test finished
--- PASS: TestVolume (224.62s)
=== RUN   TestTenant
2021/05/19 13:29:38 Starting tenant test

No scenarios
No steps
26.562µs
2021/05/19 13:29:38 tenant test finished
--- PASS: TestTenant (0.01s)
=== RUN   TestAuthCleanUP
2021/05/19 13:29:38 Starting authorization cleanup test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations

  Scenario: Clean up karavi authorization setup for e2e tests                      # features/setup.feature:33
=== Cleaning Authorization config ===
=== Revoke tenant token ===
=== Delete secret token from CSI driver host ===
=== Delete Tenant ===
=== Delete Role for CSISilver=powerflex=7daac1901d31400f=mypool=25000000 ===
=== Delete Role for CSIGold=powerflex=7daac1901d31400f=mypool=30000000 ===
=== Delete Storage ===
    Given Karavi Authorization is available and configured                         # auth_steps_test.go:431 -> *feature
    And I clean up karavi authorization with <storageType>, <tenant>,  and <roles> # auth_steps_test.go:800 -> *feature

    Examples: # Example MUST match `init-setup-check`
      | storageType | tenant         | roles                                 |
      | "powerflex" | "PancakeGroup" | "CSIGold:30000000,CSISilver:25000000" |

1 scenarios (1 passed)
2 steps (2 passed)
5.381538087s
2021/05/19 13:29:44 Validation test finished
--- PASS: TestAuthCleanUP (5.39s)
=== RUN   TestAuthUninstall
2021/05/19 13:29:44 Starting uninstalling authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations
=== Checking if Authorization is ready ===

  Scenario: Check that I can uninstall karavi authorization # features/setup.feature:47
    Given karavi authorization is installed                 # auth_steps_test.go:141 -> *feature
=== Uninstalling Authorization ===
=== Uninstall Authorization ===
=== Clean Up config files ===
    And I can Uninstall karavi authorization                # auth_steps_test.go:811 -> *feature

1 scenarios (1 passed)
2 steps (2 passed)
18.420025483s
2021/05/19 13:30:02 Validation test finished
--- PASS: TestAuthUninstall (18.43s)
PASS
status 0
ok      karavi-testing/karavi-authorization/auth-test   503.329s

PowerMax e2e:

=== RUN   TestAuthInstall
2021/05/19 13:34:40 Starting installing one-binary authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations

  Scenario: Check that I can install karavi authorization                              # features/setup.feature:7
    Given an environment where kubernetes, storage system, and CSI driver are deployed # auth_steps_test.go:808 -> *feature
=== Installing Authorization ===
=== copying single binary to 10.247.66.155 ===
=== installing single binary in 10.247.66.155 ===
=== copy karavictl to current directory
=== installing karavictl on CSI driver host
    When I install karavi authorization                                                # auth_steps_test.go:814 -> *feature
=== Checking if Authorization is ready ===
    Then karavi authorization is installed                                             # auth_steps_test.go:141 -> *feature

1 scenarios (1 passed)
3 steps (3 passed)
1m25.548548596s
2021/05/19 13:36:05 Validation test finished
--- PASS: TestAuthInstall (85.56s)
=== RUN   TestAuthConfig
2021/05/19 13:36:05 Starting configuring authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations
=== Checking if Authorization is ready ===
=== Configuring Authorization ===
=== Creating Storage ===
=== Creating Tenant ===
=== Creating Role for CSISilver ===
=== Binding Role for CSISilver ===
=== Creating Role for CSIGold ===
=== Binding Role for CSIGold ===
=== Generating token ===
=== Applying token ===
=== injecting sidecar in powermax ===
    Examples:
      | storageType | tenant         | roles                                 |
      | "powermax"  | "PancakeGroup" | "CSIGold:30000000,CSISilver:25000000" |

1 scenarios (1 passed)
8 steps (8 passed)
3m18.00788523s
2021/05/19 13:39:23 Validation test finished
--- PASS: TestAuthConfig (198.02s)
=== RUN   TestVolume
2021/05/19 13:39:23 Starting volume test
Feature: Karavi Authorization
  As a consumer of the Karavi Authorization
  I want to test karavi authorization
  So that they are known to work

    Examples:
      | storageclass     | size   | pvc        |
      | "powermax-iscsi" | "50Mi" | "lemonade" |
      | "powermax-iscsi" | "51Mi" | "tea"      |
      | "powermax-iscsi" | "49Mi" | "water"    |

    Examples:
      | storageclass     | size    | pvc      |
      | "powermax-iscsi" | "999Gi" | "coffee" |
      | "powermax-iscsi" | "40Ti"  | "soda"   |

5 scenarios (5 passed)
43 steps (43 passed)
3m0.76961087s
2021/05/19 13:42:24 Volume test finished
--- PASS: TestVolume (180.78s)
=== RUN   TestTenant
2021/05/19 13:42:24 Starting tenant test

No scenarios
No steps
78.333µs
2021/05/19 13:42:24 tenant test finished
--- PASS: TestTenant (0.01s)
=== RUN   TestAuthCleanUP
2021/05/19 13:42:24 Starting authorization cleanup test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations
=== Cleaning Authorization config ===
=== Revoke tenant token ===
=== Delete secret token from CSI driver host ===
=== Delete Tenant ===
=== Delete Storage ===

    Examples: # Example MUST match `init-setup-check`
      | storageType | tenant         | roles                                 |
      | "powermax"  | "PancakeGroup" | "CSIGold:30000000,CSISilver:25000000" |

1 scenarios (1 passed)
2 steps (2 passed)
2.884635266s
2021/05/19 13:42:27 Validation test finished
--- PASS: TestAuthCleanUP (2.89s)
=== RUN   TestAuthUninstall
2021/05/19 13:42:27 Starting uninstalling authorization test
Feature: Setup Test
  As a consumer of the Karavi Authorization
  I want to test karavi authorization setup
  So that it is known that I can perform all authorization operations
=== Checking if Authorization is ready ===

  Scenario: Check that I can uninstall karavi authorization # features/setup.feature:47
    Given karavi authorization is installed                 # auth_steps_test.go:141 -> *feature
=== Uninstalling Authorization ===
=== Uninstall Authorization ===
=== Clean Up config files ===
    And I can Uninstall karavi authorization                # auth_steps_test.go:811 -> *feature

1 scenarios (1 passed)
2 steps (2 passed)
17.992486698s
2021/05/19 13:42:45 Validation test finished
--- PASS: TestAuthUninstall (18.00s)
PASS
status 0
ok      karavi-testing/karavi-authorization/auth-test   485.324s
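The description above swaps jwt-go for lestrrat-go/jwx behind a Token/Manager abstraction, but it does not show what a conforming implementation has to get right. The following is an added example, not code from this PR or from the karavi-authorization project: it implements the Token interface and the NewWithClaims/ParseWithClaims half of the Manager interface with only the Go standard library (HMAC-SHA256), so the checks are visible in one place. The type names Audience, hs256Token and Manager, the claim set (sub, aud, exp), the ExpectedAudience field and the "constructed-secret" value are assumptions made for the example. The point it demonstrates is the one behind CVE-2020-26160: "aud" may be a JSON string or a JSON array, and a verifier that only handles the string form silently accepts tokens minted for another audience. A hand-rolled JWS like this is for illustration; a service should keep using a maintained library such as the jwx dependency this PR adopts, and use this only as a checklist of what that library must be configured to enforce.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims follows the shape implied by the PR description (subject, audience, expiry); the field set is
// an assumption for this example. Audience accepts both the JSON string and the JSON array form of
// "aud" allowed by RFC 7519; the array form is the one jwt-go failed to verify (CVE-2020-26160).
type Claims struct {
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud,omitempty"`
	Expires  int64    `json:"exp"`
}
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return errors.New("aud must be a string or an array of strings")
	}
	*a = Audience(many)
	return nil
}

// Token is the interface from the PR description; hs256Token is a hypothetical implementation of it.
type Token interface {
	Claims() (Claims, error)
	SignedString(secret string) (string, error)
}

type hs256Token struct{ claims Claims }

func (t hs256Token) Claims() (Claims, error) { return t.claims, nil }

// SignedString emits header.payload.signature with an HMAC-SHA256 tag over the first two parts.
func (t hs256Token) SignedString(secret string) (string, error) {
	payload, err := json.Marshal(t.claims)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(sign(secret, input)), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(secret, input string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Manager is a hypothetical TokenManager (NewPair omitted). ExpectedAudience is the value the
// verifying service, for instance the proxy-server, requires in every token it accepts.
type Manager struct{ ExpectedAudience string }

func (m Manager) NewWithClaims(c Claims) Token { return hs256Token{claims: c} }

// ParseWithClaims pins alg to HS256 (so "none" and key-confusion headers fail), verifies the HMAC in
// constant time, and only then trusts the payload for the expiry and audience checks.
func (m Manager) ParseWithClaims(token, secret string, claims *Claims) (Token, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature mismatch")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, claims) != nil {
		return nil, errors.New("malformed payload")
	}
	if time.Now().Unix() >= claims.Expires {
		return nil, errors.New("token expired")
	}
	// Walk every audience entry: a token for ["tenant-service"] must not pass at the proxy-server.
	for _, aud := range claims.Audience {
		if aud == m.ExpectedAudience {
			return hs256Token{claims: *claims}, nil
		}
	}
	return nil, errors.New("audience mismatch")
}
```

The order inside ParseWithClaims is deliberate: the header and payload are attacker-controlled bytes until the HMAC check passes, so the algorithm is pinned and the signature compared (with hmac.Equal, not ==) before any claim is read. Swapping the secret for a wrong one, signing with alg=none, presenting an expired token, or presenting a token whose aud array lacks the expected value all fail on distinct branches, which is what a TokenManager implementation built on jwx should be configured and tested to do as well.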

@ioeicicdsvc
Collaborator

@atye: Thank you for submitting your pull request!

Please make sure you have followed our contributing guidelines. We will review it as soon as possible.


We want your feedback! If you have any questions or suggestions regarding our contributing process/workflow, please reach out to us at karavi@dell.com.

@hoppea2 hoppea2 left a comment

Other than the IP and the typo LGTM

alikdell
alikdell previously approved these changes May 20, 2021
gallacher
gallacher previously approved these changes May 20, 2021
@gallacher gallacher dismissed their stale review May 20, 2021 16:29

We need to add the readme changes to the diagram to be more generically applicable to every Dell EMC storage system/starting guide changes for OpenShift version support


atye commented May 20, 2021

@gallacher

Doc updates handled in #104.

@atye atye merged commit eb5e420 into main May 20, 2021
@atye atye deleted the jwt-api branch May 20, 2021 18:02
@hoppea2 hoppea2 linked an issue May 21, 2021 that may be closed by this pull request
@hoppea2 hoppea2 mentioned this pull request Jul 27, 2021
Successfully merging this pull request may close these issues.

[BUG]: Security vulnerability with jwt-go
5 participants