Add access.TokenController for monitoring-aware token-based access control

[stephen-soltesz]

This change adds access.TokenController which is capable of admitting or rejecting clients based on an "access_token" HTTP parameter. This change explicitly allows monitoring to issue access_tokens, and assign a context value to the HTTP request context, so that subsequent access controllers can a) identify monitoring requests, b) allow the test even if it would ordinarily be rejected.

To provide the option of exempting monitoring clients, the TokenController should be applied first in a sequence of access controllers.

This controller is not yet enabled.

---

This change is 

[coveralls]

Pull Request Test Coverage Report for Build 1231

• 55 of 55 (100.0%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.5%) to 80.902%

---

Totals
Change from base Build 1225:	0.5%
Covered Lines:	1758
Relevant Lines:	2173

---

💛 - Coveralls

[gfr10598]

Reviewable status: complete! 1 of 1 approvals obtained (waiting on @gfr10598 and @stephen-soltesz)

---

access/control.go, line 1 at r1 (raw file):

package access

Nice!

---

access/token.go, line 19 at r1 (raw file):

	tokenAccessRequests = promauto.NewCounterVec(
		prometheus.CounterOpts{
			Name: "ndt_access_tokencontroller_requests_total",

Would you consider shortening this? ndt_token_requests_total? The other parts are implicit in the process, and I expect this will be unique across processes.

---

access/token.go, line 20 at r1 (raw file):

		prometheus.CounterOpts{
			Name: "ndt_access_tokencontroller_requests_total",
			Help: "Total number of requests handled by the access tokencontroller.",

Should help include "ndt"?

---

access/token.go, line 74 at r1 (raw file):

	if token == "" && !requireTokens {
		// The access token is missing and tokens are not requried, so accept the request.
		tokenAccessRequests.WithLabelValues("accepted").Inc()

Seems like this should have a different label, maybe "no-token"

[stephen-soltesz]

Reviewable status: complete! 1 of 1 approvals obtained (waiting on @gfr10598)

---

access/token.go, line 19 at r1 (raw file):

Previously, gfr10598 (Gregory Russell) wrote…

Would you consider shortening this? ndt_token_requests_total? The other parts are implicit in the process, and I expect this will be unique across processes.

I've made it a little shorter by removing "controller".

---

access/token.go, line 20 at r1 (raw file):

Previously, gfr10598 (Gregory Russell) wrote…

Should help include "ndt"?

Done.

---

access/token.go, line 74 at r1 (raw file):

Previously, gfr10598 (Gregory Russell) wrote…

Seems like this should have a different label, maybe "no-token"

I'm trying to keep the label request=accepted or request=rejected consistent across the controllers -- I expect this to be important for feedback to the locate service in the future.

I think you're right that it will be helpful to know why a token was accepted or not. So, I've added an additional label for reason= which may be "empty" (no access_token provided and not required), "invalid" (provided but not verified), and "" from a valid claim. Since we'll control the set of issuers, it would only ever be "monitoring" or the locate service issuer id.