[KIALI-670]Token

[aljesusg]

NEED #223

Changed to JWT Working in expired at

[xeviknal]

I think it is pretty simple but powerful implementation of the token management. LGTM!

[jotak]

Can you return an error here?

[jotak]

Isn't the classical username+password check missing here, before generating the token?

[aljesusg]

I decided to generate token from username + password. The check is u, p, ok := r.BasicAuth()

[jotak]

But r.BasicAuth doesn't actually check anything, does it? I mean, we still need to make sure it matches somehow the username and password we have in our config file, conf.Server.Credentials.Username and conf.Server.Credentials.Password

[jotak]

Higher default for convenience, like 10 hours?

[aljesusg]

ok

[jotak]

Trying to find a flaw, but it seems good :)
However I wonder if we could use an existing JWT-like implementation that would be more widely tested & trusted.

[aljesusg]

keycloak not support golang I didn't find any JWT implementation in golang only some methods of thirds....

[israel-hdez]

I'd also prefer an existing JWT implementation.
This page list several ones for golang: https://jwt.io/

[aljesusg]

This is while we add the authentication against openshift that will be this Sprint, I don't know if it's a good idea spent time in work in a full JWT implementation @israel-hdez

[aljesusg]

Mmm there are only libraries of thirds...I am gonna check them

[aljesusg]

@lucasponce @jotak @xeviknal review the token authentication please

[jotak]

@aljesusg overall looks good. I'd like others to review as well as security is critical.

[aljesusg]

I did changes @xeviknal @lucasponce @jotak I don't know if it's necessary to spent time implementing jwt token when this is going to change soon. But If you think different, I'll do it

[jotak]

Not sure why my previous comment went outdated, I was saying:

r.BasicAuth doesn't actually check anything. I mean, we still need to make sure it matches somehow the username and password we have in our config file, conf.Server.Credentials.Username and conf.Server.Credentials.Password . Else I bet you can login with any credential :)

[aljesusg]

I don't know If I am udnerstanding you.
In server.go L-87 is checking that the username and password are the same

else if h.credentials.Username != "" || h.credentials.Password != "" {
		u, p, ok := r.BasicAuth()
		if !ok || h.credentials.Username != u || h.credentials.Password != p {
			statusCode = http.StatusUnauthorized
		}

h is called in the handler where proxyHandler have the config file credentials

proxyHandler := serverAuthProxyHandler{
		credentials: security.Credentials{
			Username: conf.Server.Credentials.Username,
			Password: conf.Server.Credentials.Password,
		},
		trueHandler: router,
	}
	http.HandleFunc("/", proxyHandler.handler)

So if a try to access with another credentials fail

[jotak]

Ok my bad, I didn't see the whole picture. If the authorization handler is still called in addition to the new one then I suppose it's fine! 👍

[aljesusg]

Changed to JWT Working in expired at

[aljesusg]

Maybe we should add in another PR the Expired time because there is a JIRA for that https://issues.jboss.org/browse/KIALI-533 .

What do you think @israel-hdez @jotak @xeviknal @lucasponce ?

[josejulio]

JWT is usually used (not a requirement, but i have seen that most services do this way) in the header 'Authorization' and usually has the format "Bearer the_token"
See jwt.io [1] and jira docs, wikipedia, etc.

I think we should comply unless there is a reason we can't do that.

[1]

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <token>

[josejulio]

I think you are missing an step. Validate the "alg" claim. (taken from here)

// Don't forget to validate the alg is what you expect:
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
    }

If not validated, one could create a JWT with the "alg = none" and bypass your protection.
alg none means that the jwt is unsecured, but is still a valid JWT, and the RFC requires [1] that the libs implement that one.

See this post [2] for more info.

The none algorithm is a curious addition to JWT. It is intended to be used for situations where the integrity of the token has already been verified. Interestingly enough, it is one of only two algorithms that are mandatory to implement (the other being HS256).

[1] https://tools.ietf.org/html/rfc7519#section-8
[2]https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

[josejulio]

We could also configure validMethods

[josejulio]

Well, it seems that none is disabled by default https://github.com/dgrijalva/jwt-go/blob/master/none.go#L28
But anyway, we should only allow tokens signed with SigningMethodHS256

[josejulio]

The Expiration Time is a standard JWT claim [1], I don't think we should duplicate this value, but when parsing we could "unwrap" into a more friendly/verbose format if we want to use the contained data.

Besides, "Token" is signed and encoded, not encrypted, if consumers want to know their contents (claims) they could decode (using base64) the second segment or use a JWT lib, and for debugging purposes or quickly having a look at their values, you can use this site: https://jwt.io/ and paste the token there.

[1] https://tools.ietf.org/html/rfc7519#section-4.1.4

[aljesusg]

We wanna set a expiration time only @josejulio in the claim against the configuration file

[josejulio]

Not a blocker, but this field is duplicated, set once in the token (encoded) and once in the answer of GenerateToken (verbose).

[aljesusg]

If you see in the handlerRoot you can see that Token generated is the object returned to the user, in tokenclaim is the info to generate the token and the second one the output to the user where I inform him about when the token will be expired

[josejulio]

Yes, i see that, i only mean to say that the expiresAt is also self-contained in the token (the unix timestamp) and the consumer can use that too, we don't have to pull out every data from the claims.
Again, not a blocker, but would like to make that clear in case we want to add more data to the claims.

[aljesusg]

I did it by https://issues.jboss.org/browse/KIALI-533 for the sessions time out, but you are right about get the expired against the token

[josejulio]

Maybe we should add in another PR the Expired time because there is a JIRA for that https://issues.jboss.org/browse/KIALI-533 .

Is just matter of adding the proper claim to the JWT (check my other comments) and the validation is done by the JWT lib

[aljesusg]

Thanks @josejulio for comments, is still in WIP ^^

[aljesusg]

This is ready with ExpiredAt working too.

Can you review this @jotak @lucasponce @xeviknal ?

[lucasponce]

minor, but @jmazzitelli will be happy if we order the imports in
standard imports
LINE
third party imports
LINE
kiali imports

[aljesusg]

Changed, we should put this in the future style code guide ^^ Thanks @lucasponce

[lucasponce]

"Timing is everything" sounds like extracted from Thanos quotes. :-)

Not a blocker, it's funny.

[aljesusg]

Hahahaa Sorry ^^ I should put anothet kind of message xD

[aljesusg]

Maybe "Token expired ... Timing is everything"

[lucasponce]

LGTM but I would let @josejulio to take a look before to merge.

[lucasponce]

This print shouldn't be a log.info if it is intentional print not debug line ?

[aljesusg]

Removed

[lucasponce]

Same here

[aljesusg]

Removed

[lucasponce]

/api/token gets a token or status ?

[aljesusg]

Changed comment

[lucasponce]

wrong import order

[aljesusg]

Changed ^^ Jetbrains autoimport ^^

[lucasponce]

I would move this to Info/Warn.
I guess I would like to see in the log bad authentication entries.

[aljesusg]

Changed to Warning

[jotak]

In base 2? Is it intentional?

[aljesusg]

Nope ^^ mindblind

[aljesusg]

Changed^^

[israel-hdez]

Hmm... Probably we should add a warning in Readme regarding filesystem permissions now that the config file can have the secret.

[aljesusg]

Added the Documentation about the Secret

[aljesusg]

@israel-hdez @josejulio can we merge this now?

[aljesusg]

Thanks @josejulio

[jotak]

Thanks for the good work @aljesusg !