saveourtool · petertrr · Sep 15, 2022 · Sep 16, 2022 · Sep 16, 2022 · Sep 29, 2022
diff --git a/authentication-service/build.gradle.kts b/authentication-service/build.gradle.kts
@@ -23,8 +23,15 @@ kotlin {
 dependencies {
     implementation(projects.saveCloudCommon)
     implementation(libs.spring.boot.starter.security)
+    implementation("org.springframework:spring-jdbc")
     implementation(libs.spring.security.core)
     implementation("org.springframework:spring-jdbc")
+    implementation(libs.spring.security.config)
+    implementation(libs.spring.security.web)
+    implementation(libs.spring.boot.autoconfigure) {
+        because("This dependency contains `ConditionalOnCloudPlatform`")
+    }
+    implementation(libs.fabric8.kubernetes.client)
     testImplementation(libs.spring.security.test)
     testImplementation(libs.junit.jupiter.api)
 }

diff --git a/...e/src/main/kotlin/com/saveourtool/save/authservice/config/SecurityWebClientCustomizers.kt b/...e/src/main/kotlin/com/saveourtool/save/authservice/config/SecurityWebClientCustomizers.kt
@@ -0,0 +1,93 @@
+/**
+ * Customization for spring `WebClient`
+ */
+
+package com.saveourtool.save.authservice.config
+
+import com.saveourtool.save.authservice.utils.SA_HEADER_NAME
+import com.saveourtool.save.utils.debug
+import com.saveourtool.save.utils.getLogger
+import org.springframework.beans.factory.annotation.Value
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnCloudPlatform
+import org.springframework.boot.cloud.CloudPlatform
+import org.springframework.boot.web.reactive.function.client.WebClientCustomizer
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.web.reactive.function.client.ClientRequest
+import org.springframework.web.reactive.function.client.WebClient
+
+import java.nio.file.Path
+import java.time.Duration
+import java.util.concurrent.atomic.AtomicLong
+import java.util.concurrent.atomic.AtomicReference
+
+import kotlin.io.path.readText
+
+/**
+ * A configuration class that can be used to import all related [WebClientCustomizer] beans.
+ */
+@Configuration
+open class SecurityWebClientCustomizers {
+    @Bean
+    @ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+    @Suppress("MISSING_KDOC_ON_FUNCTION", "MISSING_KDOC_CLASS_ELEMENTS")
+    open fun serviceAccountTokenHeaderWebClientCustomizer(
+        @Value("\${com.saveourtool.cloud.kubernetes.sa-token.expiration.minutes:5}") expirationTimeMinutes: Long
+    ) = ServiceAccountTokenHeaderWebClientCustomizer(expirationTimeMinutes)
+}
+
+/**
+ * A [WebClientCustomizer] that appends Kubernetes' ServiceAccount token as a custom header.
+ *
+ * @param expirationTimeMinutes for how long token should be reused from memory before reading it from the file again.
+ */
+class ServiceAccountTokenHeaderWebClientCustomizer(
+    expirationTimeMinutes: Long,
+) : WebClientCustomizer {
+    @Suppress("GENERIC_VARIABLE_WRONG_DECLARATION")
+    private val logger = getLogger<ServiceAccountTokenHeaderWebClientCustomizer>()
+    private val wrapper = ExpiringValueWrapper(Duration.ofMinutes(expirationTimeMinutes)) {
+        val token = Path.of("/var/run/secrets/tokens/service-account-projected-token").readText()
+        token
+    }
+
+    override fun customize(builder: WebClient.Builder) {
+        builder.filter { request, next ->
+            val token = wrapper.getValue()
+            logger.debug { "Appending `$SA_HEADER_NAME` header to the request ${request.method()} to ${request.url()}" }
+            ClientRequest.from(request)
+                .header(SA_HEADER_NAME, token)
+                .build()
+                .let(next::exchange)
+        }
+    }
+}
+
+/**
+ * A wrapper around a value of type [T] that caches it for [expirationTimeMillis] and then recalculates
+ * using [valueGetter]
+ *
+ * @param expirationTime value expiration time
+ * @property valueGetter a function to calculate the value of type [T]
+ */
+class ExpiringValueWrapper<T : Any>(
+    expirationTime: Duration,
+    private val valueGetter: () -> T,
+) {
+    private val expirationTimeMillis = expirationTime.toMillis()
+    private val lastUpdateTimeMillis = AtomicLong(0)
+    private val value: AtomicReference<T> = AtomicReference()
+
+    /**
+     * @return cached value or refreshes the value and returns it
+     */
+    fun getValue(): T {
+        val current = System.currentTimeMillis()
+        if (current - lastUpdateTimeMillis.get() > expirationTimeMillis) {
+            value.lazySet(valueGetter())
+            lastUpdateTimeMillis.lazySet(current)
+        }
+        return value.get()
+    }
+}
diff --git a/...tion-service/src/main/kotlin/com/saveourtool/save/authservice/config/WebSecurityConfig.kt b/...tion-service/src/main/kotlin/com/saveourtool/save/authservice/config/WebSecurityConfig.kt
@@ -12,6 +12,8 @@ import com.saveourtool.save.v1
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Profile
+import org.springframework.core.Ordered
+import org.springframework.core.annotation.Order
 import org.springframework.http.HttpStatus
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
 import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
@@ -23,22 +25,34 @@ import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.web.server.SecurityWebFilterChain
 import org.springframework.security.web.server.authentication.AuthenticationWebFilter
 import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
 
 import javax.annotation.PostConstruct
 
+/**
+ * Common configuration for web security which exposes [SecurityWebFilterChain] beans.
+ * Note: configuration of [ServerHttpSecurity] should start with [ServerHttpSecurity.securityMatcher] invocation
+ * to be able to use multiple [SecurityWebFilterChain]s. See [comments form this answer](https://stackoverflow.com/a/54792674)
+ * for details.
+ */
 @EnableWebFluxSecurity
 @EnableReactiveMethodSecurity
 @Profile("secure")
-@Suppress("MISSING_KDOC_TOP_LEVEL", "MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
+@Suppress("MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
 class WebSecurityConfig(
     private val authenticationManager: ConvertingAuthenticationManager,
     @Autowired private var defaultMethodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler
 ) {
     @Bean
+    @Order(Ordered.LOWEST_PRECEDENCE)
     fun securityWebFilterChain(
         http: ServerHttpSecurity
     ): SecurityWebFilterChain = http.run {
-        authorizeExchange()
+        securityMatcher(
+            // This `SecurityWebFilterChain` should be applicable to all requests not matched above
+            ServerWebExchangeMatchers.anyExchange()
+        )
+            .authorizeExchange()
             .pathMatchers(*publicEndpoints.toTypedArray())
             .permitAll()
             // resources for frontend
@@ -120,7 +134,9 @@ class NoopWebSecurityConfig {
     @Bean
     fun securityWebFilterChain(
         http: ServerHttpSecurity
-    ): SecurityWebFilterChain = http.authorizeExchange()
+    ): SecurityWebFilterChain = http
+        .securityMatcher(ServerWebExchangeMatchers.anyExchange())
+        .authorizeExchange()
         .anyExchange()
         .permitAll()
         .and()

diff --git a/.../main/kotlin/com/saveourtool/save/authservice/security/ConvertingAuthenticationManager.kt b/.../main/kotlin/com/saveourtool/save/authservice/security/ConvertingAuthenticationManager.kt
@@ -6,6 +6,7 @@ import com.saveourtool.save.authservice.utils.IdentitySourceAwareUserDetails
 import com.saveourtool.save.authservice.utils.extractUserNameAndIdentitySource
 
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.context.annotation.Primary
 import org.springframework.security.authentication.BadCredentialsException
 import org.springframework.security.authentication.ReactiveAuthenticationManager
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
@@ -21,6 +22,7 @@ import reactor.kotlin.core.publisher.switchIfEmpty
  * where user identity is already guaranteed.
  */
 @Component
+@Primary
 class ConvertingAuthenticationManager(
     @Autowired private var authenticationUserDetailsService: AuthenticationUserDetailsService
 ) : ReactiveAuthenticationManager {

diff --git a/...e/src/main/kotlin/com/saveourtool/save/authservice/utils/KubernetesAuthenticationUtils.kt b/...e/src/main/kotlin/com/saveourtool/save/authservice/utils/KubernetesAuthenticationUtils.kt
@@ -0,0 +1,208 @@
+/**
+ * Utilities to configure Kubernetes ServiceAccount token-based authentication in Spring Security.
+ */
+
+package com.saveourtool.save.authservice.utils
+
+import com.saveourtool.save.utils.debug
+import com.saveourtool.save.utils.getLogger
+
+import io.fabric8.kubernetes.api.model.authentication.TokenReview
+import io.fabric8.kubernetes.client.KubernetesClient
+import io.fabric8.kubernetes.client.utils.Serialization
+import org.intellij.lang.annotations.Language
+import org.springframework.boot.autoconfigure.condition.ConditionalOnCloudPlatform
+import org.springframework.boot.cloud.CloudPlatform
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Import
+import org.springframework.core.annotation.Order
+import org.springframework.http.HttpStatus
+import org.springframework.security.authentication.BadCredentialsException
+import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder
+import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import org.springframework.security.web.server.SecurityWebFilterChain
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter
+import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
+import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
+import org.springframework.stereotype.Component
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+import reactor.kotlin.core.publisher.switchIfEmpty
+import reactor.kotlin.core.publisher.toMono
+
+const val SA_HEADER_NAME = "X-Service-Account-Token"
+
+/**
+ * A Configuration class that can be used to import all related beans to set up Spring Security
+ * to work with Kubernetes ServiceAccount tokens.
+ */
+@Configuration
+@Import(
+    ServiceAccountTokenExtractorConverter::class,
+    ServiceAccountAuthenticatingManager::class,
+)
+@Suppress(
+    "AVOID_USING_UTILITY_CLASS",  // Spring beans need to be declared inside `@Configuration` class.
+)
+class KubernetesAuthenticationUtils {
+    @ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+    @Bean
+    @Order(2)
+    @Suppress(
+        "MISSING_KDOC_CLASS_ELEMENTS",
+        "MISSING_KDOC_ON_FUNCTION",
+    )
+    fun internalSecuredSecurityChain(
+        http: ServerHttpSecurity,
+        serviceAccountAuthenticatingManager: ServiceAccountAuthenticatingManager,
+        serviceAccountTokenExtractorConverter: ServiceAccountTokenExtractorConverter,
+    ): SecurityWebFilterChain = http.run {
+        securityMatcher(
+            NegatedServerWebExchangeMatcher(
+                ServerWebExchangeMatchers.pathMatchers("/api/**", "/sandbox/api/**")
+            )
+        )
+            .authorizeExchange()
+            .pathMatchers("/actuator/**")
+            // all requests to `/actuator` should be sent only from inside the cluster
+            // access to this port should be controlled by a NetworkPolicy
+            .permitAll()
+            .and()
+            .authorizeExchange()
+            .pathMatchers("/**")
+            .authenticated()
+            .and()
+            .serviceAccountTokenAuthentication(serviceAccountTokenExtractorConverter, serviceAccountAuthenticatingManager)
+            .csrf()
+            .disable()
+            .logout()
+            .disable()
+            .formLogin()
+            .disable()
+            .build()
+    }
+
+    /**
+     * No-op security config when not running in Kubernetes.
+     * FixMe: can be removed in favor of common `WebSecurityConfig` from authService?
+     */
+    @ConditionalOnCloudPlatform(CloudPlatform.NONE)
+    @Bean
+    @Order(2)
+    @Suppress(
+        "MISSING_KDOC_CLASS_ELEMENTS",
+        "MISSING_KDOC_ON_FUNCTION",
+        "KDOC_WITHOUT_PARAM_TAG",
+        "KDOC_WITHOUT_RETURN_TAG",
+    )
+    fun internalInsecureSecurityChain(
+        http: ServerHttpSecurity
+    ): SecurityWebFilterChain = http.run {
+        securityMatcher(
+            ServerWebExchangeMatchers.pathMatchers("/internal/**", "/actuator/**")
+        )
+            .authorizeExchange()
+            .pathMatchers("/internal/**", "/actuator/**")
+            .permitAll()
+            .and()
+            .csrf()
+            .disable()
+            .build()
+    }
+}
+
+/**
+ * A [ServerAuthenticationConverter] that attempts to convert a [ServerWebExchange] to an [Authentication]
+ * if it encounters a SA token in [SA_HEADER_NAME] header.
+ */
+@Component
+@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+class ServiceAccountTokenExtractorConverter : ServerAuthenticationConverter {
+    @Suppress("GENERIC_VARIABLE_WRONG_DECLARATION")
+    private val logger = getLogger<ServiceAccountTokenExtractorConverter>()
+    override fun convert(exchange: ServerWebExchange): Mono<Authentication> = Mono.justOrEmpty(
+        exchange.request.headers[SA_HEADER_NAME]?.firstOrNull()
+    ).map { token ->
+        logger.debug { "Starting to process `$SA_HEADER_NAME` of an incoming request [${exchange.request.method} ${exchange.request.uri}]" }
+        PreAuthenticatedAuthenticationToken("TokenSupplier", token)
+    }
+}
+
+/**
+ * A [ReactiveAuthenticationManager] that is intended to be used together with [ServerAuthenticationConverter].
+ * Attempts to authenticate an [Authentication] validating ServiceAccount token using TokeReview API.
+ */
+@Component
+@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
+class ServiceAccountAuthenticatingManager(
+    private val kubernetesClient: KubernetesClient,
+) : ReactiveAuthenticationManager {
+    @Suppress("GENERIC_VARIABLE_WRONG_DECLARATION")
+    private val logger = getLogger<ServiceAccountAuthenticatingManager>()
+    override fun authenticate(authentication: Authentication): Mono<Authentication> = authentication.toMono()
+        .filter { it is PreAuthenticatedAuthenticationToken }
+        .map { preAuthenticatedAuthenticationToken ->
+            val tokenReview = tokenReviewSpec(preAuthenticatedAuthenticationToken.credentials as String)
+            logger.debug {
+                "Will create k8s resource from the following YAML:\n${tokenReview.prependIndent("    ")}"
+            }
+            val response = kubernetesClient.resource(tokenReview).createOrReplace() as TokenReview
+            logger.debug {
+                "Got the following response from the API server:\n${
+                    Serialization.yamlMapper().writeValueAsString(response).prependIndent("    ")
+                }"
+            }
+            response
+        }
+        .filter { response ->
+            val isAuthenticated = response.status.error.isNullOrEmpty() && response.status.authenticated
+            logger.debug { "After the response from TokenReview, request authentication is $isAuthenticated" }
+            isAuthenticated
+        }
+        .map<Authentication> {
+            with(authentication) {
+                UsernamePasswordAuthenticationToken.authenticated(principal, credentials, authorities)
+            }
+        }
+        .switchIfEmpty {
+            Mono.error { BadCredentialsException("Invalid token") }
+        }
+
+    @Language("YAML")
+    private fun tokenReviewSpec(token: String): String = """
+                |apiVersion: authentication.k8s.io/v1
+                |kind: TokenReview
+                |metadata:
+                |  name: service-account-validity-check
+                |  namespace: ${kubernetesClient.namespace}
+                |spec:
+                |  token: $token
+            """.trimMargin()
+}
+
+/**
+ * Configures authentication and authorization using Kubernetes ServiceAccount tokens.
+ * This method requires two beans which can be imported with [KubernetesAuthenticationUtils] configuration class.
+ */
+@Suppress("KDOC_WITHOUT_PARAM_TAG", "KDOC_WITHOUT_RETURN_TAG")
+fun ServerHttpSecurity.serviceAccountTokenAuthentication(
+    serviceAccountTokenExtractorConverter: ServiceAccountTokenExtractorConverter,
+    serviceAccountAuthenticatingManager: ServiceAccountAuthenticatingManager,
+): ServerHttpSecurity = addFilterBefore(
+    AuthenticationWebFilter(serviceAccountAuthenticatingManager).apply {
+        setServerAuthenticationConverter(serviceAccountTokenExtractorConverter)
+    },
+    SecurityWebFiltersOrder.HTTP_BASIC
+)
+    .exceptionHandling {
+        it.authenticationEntryPoint(
+            HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)
+        )
+    }