Allow to call getCurrentUser and oAuth API with machine token

[vinokurig]

What does this PR do?

Allow to get current user with machine token; Allow to call other oAuth service API with machine token. This is needed for github and openShift authentication to work in multi-user mode.

What issues does this PR fix or reference?

#15261

Release Notes

Docs PR

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:16383

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

[metlos]

Code looks fine, I'm just concerned about the security implications of this... Could you please address my comments below?

[metlos]

The token endpoint means that we're allowing any plugin or custom code in the workspace to impersonate the current user and talk to the Che API. This basically means that you can for example access other workspaces from the current workspace, create new workspaces, delete workspaces, etc...

I would call that a security issue, because it is conceivable to imagine that a user might import an "infected" devfile that would contain some code that could read the machine token from the env and wreck havoc in all the user workspaces - reading secret data, delete stuff, DDoS the cluster with hundreds of workspace start requests, etc.

[vinokurig]

The token method is already opened. Actually I don't understand how oAuth API can influence the che API. It allows to get the GitHub or OpenShift token, but that was discussed earlier.
cc @skabashnyuk

[metlos]

To be fair, I misunderstood the purpose of the API 🙄 But I still think this is a dangerous thing. If for example the user authenticated with OpenShift authenticator as himself and the workspace is able to get hold of the openshift token (which I think it would with this change?), then the workspace can also go to keycloak and use the openshift token to get access token for the Che API. From there we're at a place I described in the above comment.

Maybe I'm wrong (I'm fairly new to this auth business to be fair) but giving the whole of workspace (which can come from various sources) is a dangerous thing. If nothing else it opens up the door to phishing attacks (please import this devfile with a component with only a slightly misspelled image name, nothing wrong can happen...).

[skabashnyuk]

Do not merge it, please. Give us some time to think about it.

will wait for more responses

[skabashnyuk]

I agree with @metlos POV. We are making machine token too powerful. My concerns are similar to the single token method of OAuth service of resed here #15705 (comment)

I want to let @benoitf @l0rd @davidfestal decide is that acceptable.
Previous pr #15705 was approved by @benoitf

[l0rd]

@skabashnyuk @metlos do we have other options? The goal is to preconfigure oc, the OpenShift VS Code extension and any other k8s client with the current user OpenShift credentials (when Che is configured to use OpenShift OAuth). How can we achieve that without making machine tokens "more powerful"?

Anyway on VS Code, not Che, extensions have access to local filesystem and k8s tokens. I don't think it's considered as a VS Code vulnerability but it requires that users should install only extensions that they trust. For Che it should be the same.

[skabashnyuk]

do we have other options? The goal is to preconfigure oc, the OpenShift VS Code extension and any other k8s client with the current user OpenShift credentials (when Che is configured to use OpenShift OAuth). How can we achieve that without making machine tokens "more powerful"?

We understand the goal, it's understandable and logical. We just have concerns in the way how it is going to be implemented.
An alternative is to have something similar to the mechanism of how we obtain cookie for jwt-proxy. The main idea is to have a web application on che-server side that is located on the space in which users have no control. And this application can provide all necessary functionality authorizing users with machine tokens from one site and executing operation with keycloak token from the other side.

abandon review

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:16383

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[skabashnyuk]

.toInstance(new MachineAuthenticatedResource("oauth", "token")); this line can be removed too?

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:16383

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.