[WIP] authenticated microservices

gradle/libs.versions.toml

@@ -30,6 +30,7 @@ testcontainers = "1.17.5"
 okhttp3 = "4.10.0"
 reckon = "0.16.1"
 commons-compress = "1.21"
+commons-io = "2.11.0"
 picocli = "4.6.3"
 zip4j = "2.11.2"
 ktoml = "0.2.13"
@@ -93,12 +94,14 @@ spring-security-test = { module = "org.springframework.security:spring-security-
 spring-boot-gradle-plugin = { module = "org.springframework.boot:spring-boot-gradle-plugin", version.ref = "spring-boot" }
 spring-cloud-starter-gateway = { module = "org.springframework.cloud:spring-cloud-starter-gateway", version.ref = "spring-cloud" }
 spring-cloud-starter-kubernetes-client-config = { module = "org.springframework.cloud:spring-cloud-starter-kubernetes-client-config", version.ref = "spring-cloud-kubernetes" }
+spring-cloud-starter-kubernetes-fabric8-config = { module = "org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config", version.ref = "spring-cloud-kubernetes" }
 spring-boot-starter-oauth2-client = { module = "org.springframework.boot:spring-boot-starter-oauth2-client" }
 spring-context-indexer = { module = "org.springframework:spring-context-indexer", version.ref = "spring" }
 spring-data-jpa = { module = "org.springframework.data:spring-data-jpa" }
 spring-kafka = { module = "org.springframework.kafka:spring-kafka" }
 spring-kafka-test = { module = "org.springframework.kafka:spring-kafka-test" }
 spring-web = { module = "org.springframework:spring-web", version.ref = "spring" }
+spring-webflux = { module = "org.springframework:spring-webflux", version.ref = "spring" }
 jackson-module-kotlin = { module = "com.fasterxml.jackson.module:jackson-module-kotlin" }
 
 kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafka-client" }
@@ -158,6 +161,7 @@ diktat-gradle-plugin = { module = "org.cqfn.diktat:diktat-gradle-plugin", versio
 detekt-gradle-plugin = { module = "io.gitlab.arturbosch.detekt:detekt-gradle-plugin", version.ref = "detekt" }
 reckon-gradle-plugin = { module = "org.ajoberstar.reckon:reckon-gradle", version.ref = "reckon" }
 commons-compress = { module = "org.apache.commons:commons-compress", version.ref = "commons-compress" }
+commons-io = { module = "commons-io:commons-io", version.ref = "commons-io" }
 picocli = { module = "info.picocli:picocli", version.ref = "picocli" }
 zip4j = { module = "net.lingala.zip4j:zip4j", version.ref = "zip4j" }
 kotlinx-cli = { module = "org.jetbrains.kotlinx:kotlinx-cli", version.ref = "kotlinx-cli" }

save-backend/build.gradle.kts

@@ -118,8 +118,9 @@ dependencies {
     implementation(libs.spring.boot.starter.security)
     implementation(libs.spring.security.core)
     implementation(libs.hibernate.micrometer)
-    implementation(libs.spring.cloud.starter.kubernetes.client.config)
+    implementation(libs.spring.cloud.starter.kubernetes.fabric8.config)
     implementation(libs.reactor.extra)
+    implementation(libs.commons.io)
     testImplementation(libs.spring.security.test)
     testImplementation(projects.testUtils)
 }

save-backend/src/main/kotlin/com/saveourtool/save/backend/configs/WebSecurityConfig.kt

@@ -6,11 +6,14 @@ package com.saveourtool.save.backend.configs
 
 import com.saveourtool.save.backend.utils.ConvertingAuthenticationManager
 import com.saveourtool.save.backend.utils.CustomAuthenticationBasicConverter
+import com.saveourtool.save.backend.utils.ServiceAccountAuthenticatingManager
+import com.saveourtool.save.backend.utils.ServiceAccountTokenExtractorConverter
 import com.saveourtool.save.domain.Role
 import com.saveourtool.save.v1
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Profile
+import org.springframework.core.annotation.Order
 import org.springframework.http.HttpStatus
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy
@@ -25,6 +28,9 @@ import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.web.server.SecurityWebFilterChain
 import org.springframework.security.web.server.authentication.AuthenticationWebFilter
 import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint
+import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher
+import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
 import javax.annotation.PostConstruct
 
 @EnableWebFluxSecurity
@@ -36,22 +42,28 @@ class WebSecurityConfig(
     @Autowired private var defaultMethodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler
 ) {
     @Bean
+    @Order(1)
     fun securityWebFilterChain(
         http: ServerHttpSecurity
     ): SecurityWebFilterChain = http.run {
-        // All `/internal/**` and `/actuator/**` requests should be sent only from internal network,
-        // they are not proxied from gateway.
-        authorizeExchange()
-            .pathMatchers("/", "/internal/**", "/actuator/**", *publicEndpoints.toTypedArray())
-            .permitAll()
-            // resources for frontend
-            .pathMatchers("/*.html", "/*.js*", "/*.css", "/img/**", "/*.ico", "/*.png", "/particles.json")
-            .permitAll()
+        securityMatcher(
+            AndServerWebExchangeMatcher(
+                ServerWebExchangeMatchers.anyExchange(),
+                NegatedServerWebExchangeMatcher(
+                    ServerWebExchangeMatchers.pathMatchers("/actuator", "/actuator/**", "/internal/**")
+                )
+            )
+        )
     }
+        .run {
+            authorizeExchange()
+                .pathMatchers(*publicEndpoints.toTypedArray())
+                .permitAll()
+        }
         .and()
         .run {
             authorizeExchange()
-                .pathMatchers("/**")
+                .pathMatchers("/api/**")
                 .authenticated()
         }
         .and()
@@ -118,10 +130,51 @@ class WebSecurityConfig(
             "/api/$v1/contests/*/*/best",
         )
     }
+
+    @Profile("kubernetes")
+    @Bean
+    @Order(2)
+    fun internalSecuredSecurityChain(
+        http: ServerHttpSecurity,
+        serviceAccountAuthenticatingManager: ServiceAccountAuthenticatingManager,
+        serviceAccountTokenExtractorConverter: ServiceAccountTokenExtractorConverter,
+    ): SecurityWebFilterChain = http.run {
+        authorizeExchange().pathMatchers("/actuator/**")
+            // all requests to `/actuator` should be sent only from inside the cluster
+            // access to this port should be controlled by a NetworkPolicy
+            .permitAll()
+            .and()
+            .authorizeExchange()
+            .pathMatchers("/internal/**")
+            .authenticated()
+            .and()
+            .addFilterBefore(
+                AuthenticationWebFilter(serviceAccountAuthenticatingManager).apply {
+                    setServerAuthenticationConverter(serviceAccountTokenExtractorConverter)
+                },
+                SecurityWebFiltersOrder.HTTP_BASIC
+            )
+            .build()
+    }
+
+    @Profile("!kubernetes")
+    @Bean
+    @Order(2)
+    fun internalInsecureSecurityChain(
+        http: ServerHttpSecurity
+    ): SecurityWebFilterChain = http.run {
+        // All `/internal/**` and `/actuator/**` requests should be sent only from internal network,
+        // they are not proxied from gateway.
+        authorizeExchange().pathMatchers("/internal/**", "/actuator/**")
+            .permitAll()
+            .and()
+            .build()
+    }
 }
 
 @EnableWebFluxSecurity
 @Profile("!secure")
+@Order(1)
 @Suppress("MISSING_KDOC_TOP_LEVEL", "MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
 class NoopWebSecurityConfig {
     @Bean

save-backend/src/main/kotlin/com/saveourtool/save/backend/utils/ConvertingAuthenticationManager.kt

@@ -4,6 +4,7 @@ import com.saveourtool.save.backend.service.UserDetailsService
 import com.saveourtool.save.utils.AuthenticationDetails
 import com.saveourtool.save.utils.IdentitySourceAwareUserDetails
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.context.annotation.Primary
 import org.springframework.security.authentication.BadCredentialsException
 import org.springframework.security.authentication.ReactiveAuthenticationManager
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
@@ -19,6 +20,7 @@ import reactor.kotlin.core.publisher.switchIfEmpty
  * where user identity is already guaranteed.
  */
 @Component
+@Primary
 class ConvertingAuthenticationManager(
     @Autowired private var userDetailsService: UserDetailsService
 ) : ReactiveAuthenticationManager {

save-backend/src/main/kotlin/com/saveourtool/save/backend/utils/KubernetesAuthenticationUtils.kt

@@ -0,0 +1,67 @@
+package com.saveourtool.save.backend.utils
+
+import com.saveourtool.save.utils.debug
+import com.saveourtool.save.utils.getLogger
+import io.fabric8.kubernetes.api.model.authentication.TokenReview
+import io.fabric8.kubernetes.client.KubernetesClient
+import io.fabric8.kubernetes.client.utils.Serialization
+import org.intellij.lang.annotations.Language
+import org.springframework.boot.autoconfigure.condition.ConditionalOnCloudPlatform
+import org.springframework.boot.cloud.CloudPlatform
+import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
+import org.springframework.stereotype.Component
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+import reactor.kotlin.core.publisher.toMono
+
+@Component
+@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+class ServiceAccountTokenExtractorConverter : ServerAuthenticationConverter {
+    override fun convert(exchange: ServerWebExchange): Mono<Authentication> {
+        return Mono.justOrEmpty(
+            exchange.request.headers["X-Service-Account-Token"]?.firstOrNull()
+        ).map { token ->
+            PreAuthenticatedAuthenticationToken("TokenSupplier", token)
+        }
+    }
+}
+
+@Component
+@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+class ServiceAccountAuthenticatingManager(
+    val kubernetesClient: KubernetesClient,
+) : ReactiveAuthenticationManager {
+    override fun authenticate(authentication: Authentication): Mono<Authentication> {
+        return (authentication as PreAuthenticatedAuthenticationToken).credentials.toMono().map { token ->
+            @Language("yaml")
+            val tokenReview = """
+            |apiVersion: authentication.k8s.io/v1
+            |kind: TokenReview
+            |metadata:
+            |  name: service-account-validity-check
+            |  namespace: ${kubernetesClient.namespace}
+            |spec:
+            |  token: $token
+        """.trimMargin()
+            logger.debug {
+                "Will create k8s resource from the following YAML:\n${tokenReview.prependIndent("    ")}"
+            }
+            val response = kubernetesClient.resource(tokenReview).createOrReplace() as TokenReview
+            logger.debug {
+                "Got the following response from the API server:\n${
+                    Serialization.yamlMapper().writeValueAsString(response).prependIndent("    ")
+                }"
+            }
+            response
+        }
+            .map { response ->
+                authentication.isAuthenticated = response.status.error == null && response.status.authenticated
+                authentication
+            }
+    }
+
+    private val logger = getLogger<ServiceAccountAuthenticatingManager>()
+}

save-backend/src/main/resources/bootstrap.yml

@@ -18,7 +18,8 @@ spring:
     kubernetes:
       enabled: true
       config:
-        enabled: false
+        enabled: true
+        paths: /home/cnb/config/application.properties
       secrets:
         enabled: true
         paths: ${DATABASE_SECRETS_PATH}

save-cloud-charts/save-cloud/templates/_helpers.tpl

@@ -79,4 +79,18 @@ configMap:
   items:
     - key: application.properties
       path: application.properties
+{{- end}}
+
+{{- define "spring-boot.sa-token-mount" -}}
+name: service-account-projected-token
+mountPath: /var/run/secrets/tokens
+{{- end }}
+
+{{- define "spring-boot.sa-token-volume" -}}
+name: service-account-projected-token
+projected:
+  sources:
+    - serviceAccountToken:
+        path: service-account-projected-token
+        expirationSeconds: 7200
 {{- end}}

save-cloud-charts/save-cloud/templates/backend-configmap.yaml

@@ -8,3 +8,5 @@ data:
     backend.orchestrator-url=http://orchestrator
     server.shutdown=graceful
     management.endpoints.web.exposure.include=*
+    spring.datasource.url=${spring.datasource.backend-url}
+    logging.level.org.springframework.cloud=DEBUG

save-cloud-charts/save-cloud/templates/backend-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       annotations:
         {{- include "pod.common.annotations" (dict "service" .Values.backend ) | nindent 8 }}
     spec:
+      serviceAccountName: microservice-sa
       restartPolicy: Always
       {{- include "cnb.securityContext" . | nindent 6 }}
       containers:
@@ -35,6 +36,7 @@ spec:
               mountPath: /home/cnb/files
             - name: database-secret
               mountPath: {{ .Values.mysql.dbPasswordFile }}
+            - {{ include "spring-boot.sa-token-mount" . | indent 14 | trim }}
           {{- include "spring-boot.management" .Values.backend | nindent 10 }}
           resources:
             limits:
@@ -109,3 +111,4 @@ spec:
             secretName: db-secrets
         - name: migrations-data
           emptyDir: {}
+        - {{ include "spring-boot.sa-token-volume" (dict "service" .Values.backend) | indent 10 | trim }}

save-cloud-charts/save-cloud/templates/preprocessor-deployment.yaml

@@ -31,6 +31,7 @@ spec:
             - {{ include "spring-boot.config-volume-mount" . | indent 14 | trim }}
             - name: repos-storage
               mountPath: /home/cnb
+            - {{ include "spring-boot.sa-token-mount" . | indent 14 | trim }}
           {{- include "spring-boot.management" .Values.preprocessor | nindent 10 }}
           resources:
             limits:
@@ -44,3 +45,4 @@ spec:
           # and each pod of preprocessor can `git clone` on its own.
           hostPath:
             path: /tmp/save/repos
+        - {{ include "spring-boot.sa-token-volume" (dict "service" .Values.backend) | indent 10 | trim }}

save-cloud-charts/save-cloud/templates/service-accounts.yaml

@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: microservice-sa
+
+---
+
+# https://docs.spring.io/spring-cloud-kubernetes/docs/current/reference/html/#service-account
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: microservice
+rules:
+  - apiGroups: [""]  # "" indicates the core API group
+    resources: [configmaps, secrets]
+    verbs: [list, get, watch]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: microservice-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: microservice-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: microservice
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: microservice
+rules:
+  - apiGroups: ["authentication.k8s.io"]
+    resources: [tokenreviews]
+    verbs: ["create"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: microservice-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: microservice-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: microservice

save-cloud-common/build.gradle.kts

@@ -45,6 +45,7 @@ kotlin {
                 implementation(project.dependencies.platform(libs.spring.boot.dependencies))
                 implementation(libs.spring.security.core)
                 implementation(libs.spring.web)
+                implementation(libs.spring.webflux)
                 implementation(libs.spring.boot)
                 implementation(libs.spring.data.jpa)
                 implementation(libs.jackson.module.kotlin)