Merge pull request #660 from Vafilor/feat/revert.jwt

feat: revert jwt changes as it creates issues with workflow authentication logic
revert: remove util/tokens/jwt as it is no longer used.
2025-10-04 21:32:39 +08:00 · 2020-10-14 12:15:27 -07:00 · 2020-10-14 11:54:23 -07:00 · 2020-10-14 11:53:05 -07:00 · 2020-10-13 16:15:28 -07:00 · 2020-10-13 16:09:22 -07:00
8 changed files with 52 additions and 112 deletions
--- a/api/api.swagger.json
+++ b/api/api.swagger.json
@@ -2984,7 +2984,7 @@
        "domain": {
          "type": "string"
        },
-        "jwtToken": {
+        "token": {
          "type": "string"
        },
        "username": {
--- a/api/auth.pb.go
+++ b/api/auth.pb.go
@@ -265,7 +265,7 @@ type IsValidTokenResponse struct {
 	unknownFields protoimpl.UnknownFields

 	Domain   string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
-	JwtToken string `protobuf:"bytes,2,opt,name=jwtToken,proto3" json:"jwtToken,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
 	Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"`
 }

@@ -308,9 +308,9 @@ func (x *IsValidTokenResponse) GetDomain() string {
 	return ""
 }

-func (x *IsValidTokenResponse) GetJwtToken() string {
+func (x *IsValidTokenResponse) GetToken() string {
 	if x != nil {
-		return x.JwtToken
+		return x.Token
 	}
 	return ""
 }
@@ -352,28 +352,28 @@ var file_auth_proto_rawDesc = []byte{
 	0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14,
 	0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74,
-	0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x66, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x60, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
 	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
 	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f,
-	0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x6a, 0x77, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6a, 0x77, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
-	0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xe6, 0x01, 0x0a,
-	0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x68, 0x0a, 0x0c,
-	0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x18, 0x2e, 0x61,
-	0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56,
-	0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x73,
-	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x74, 0x6f,
-	0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a, 0x12, 0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4,
-	0x93, 0x02, 0x22, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f,
-	0x72, 0x69, 0x7a, 0x65, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6d, 0x61, 0x69, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xe6, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x68, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69,
+	0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56,
+	0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x1d, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
+	0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a,
+	0x12, 0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+	0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f,
+	0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74,
+	0x68, 0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/api/auth.proto
+++ b/api/auth.proto
@@ -44,6 +44,6 @@ message IsValidTokenRequest {

 message IsValidTokenResponse {
    string domain = 1;
-    string jwtToken = 2;
+    string token = 2;
    string username = 3;
 }
--- a/pkg/util/tokens/jwt.go
+++ b/pkg/util/tokens/jwt.go
@@ -1,48 +0,0 @@
-package tokens
-
-import (
-	"fmt"
-	"github.com/dgrijalva/jwt-go"
-)
-
-// TokenContent represents the content we store in a JWT token - the username and k8s token
-type TokenContent struct {
-	Username string
-	Token    string
-}
-
-// CreateJWTToken creates a jwt token containing a username and another token using the input secret
-func CreateJWTToken(username string, token string, secret []byte) (string, error) {
-	result := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
-		"username": username,
-		"token":    token,
-	})
-
-	// Sign and get the complete encoded token as a string using the secret
-	return result.SignedString(secret)
-}
-
-// ParseJWTToken parses the token string into a TokenContent
-func ParseJWTToken(tokenString string, secret []byte) (content *TokenContent, err error) {
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
-		}
-
-		return secret, nil
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
-		return &TokenContent{
-			Username: claims["username"].(string),
-			Token:    claims["token"].(string),
-		}, nil
-	}
-
-	return nil, fmt.Errorf("Unknown error getting token, claim or token is not ok")
-}
--- a/pkg/workflow_execution.go
+++ b/pkg/workflow_execution.go
@@ -1851,14 +1851,14 @@ func workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, wo

 func workflowExecutionsSelectBuilder(namespace, workflowTemplateUID, workflowTemplateVersion string, includeSystem bool) sq.SelectBuilder {
 	sb := workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, workflowTemplateVersion, includeSystem)
-	sb = sb.Columns(getWorkflowExecutionColumns("we", "")...).
+	sb = sb.Columns(getWorkflowExecutionColumns("we")...).
 		Columns(`wtv.version "workflow_template.version"`, `wtv.created_at "workflow_template.created_at"`, `wt.name "workflow_template.name"`, `wt.uid "workflow_template.uid"`)

 	return sb
 }

 func (c *Client) getWorkflowExecutionAndTemplate(namespace string, uid string) (workflow *WorkflowExecution, err error) {
-	sb := sb.Select(getWorkflowExecutionColumns("we", "")...).
+	sb := sb.Select(getWorkflowExecutionColumns("we")...).
 		Columns(getWorkflowTemplateColumns("wt", "workflow_template")...).
 		Columns(`wtv.manifest "workflow_template.manifest"`, `wtv.version "workflow_template.version"`).
 		From("workflow_executions we").
--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"github.com/onepanelio/core/api"
 	"github.com/onepanelio/core/pkg/util"
-	"github.com/onepanelio/core/pkg/util/tokens"
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
 	"strings"
@@ -41,6 +40,9 @@ func getBearerToken(ctx context.Context) (*string, bool) {
 			return nil, false
 		}
 		t = strings.ReplaceAll(t, prefix, "")
+		if t == "null" {
+			return nil, false
+		}
 		return &t, true
 	}

@@ -69,15 +71,11 @@ func getClient(ctx context.Context, kubeConfig *v1.Config, db *v1.DB, sysConfig
 		return nil, status.Error(codes.Unauthenticated, `Missing or invalid "authorization" header.`)
 	}

-	tokenContent, err := tokens.ParseJWTToken(*bearerToken, sysConfig.HMACKey())
-	if err != nil {
-		return nil, err
+	if sysConfig["token"] != *bearerToken {
+		sysConfig["token"] = *bearerToken
 	}

-	sysConfig["jwtToken"] = *bearerToken
-	sysConfig["jwtUsername"] = tokenContent.Username
-
-	kubeConfig.BearerToken = tokenContent.Token
+	kubeConfig.BearerToken = *bearerToken

 	client, err := v1.NewClient(kubeConfig, db, sysConfig)
 	if err != nil {
@@ -182,17 +180,7 @@ func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfi
 				return nil, err
 			}

-			hmac := sysConfig.HMACKey()
-			if len(hmac) == 0 {
-				return nil, errors.New("HMAC key not found in secrets - this value is required")
-			}
-
-			jwtToken, err := tokens.CreateJWTToken(tokenRequest.Username, rawToken, hmac)
-			if err != nil {
-				return nil, err
-			}
-
-			md.Set("onepanel-auth-token", jwtToken)
+			md.Set("onepanel-auth-token", rawToken)

 			ctx, err = getClient(ctx, kubeConfig, db, sysConfig)
 			if err != nil {
--- a/server/auth_server.go
+++ b/server/auth_server.go
@@ -68,8 +68,7 @@ func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequ
 	}
 	res = &api.IsValidTokenResponse{
 		Domain: config["ONEPANEL_DOMAIN"],
-		JwtToken: config["jwtToken"],
-		Username: config["jwtUsername"],
+		Token:  config["token"],
 	}

 	return res, nil
--- a/server/label_server.go
+++ b/server/label_server.go
@@ -7,21 +7,22 @@ import (
 	"github.com/onepanelio/core/server/auth"
 )

-func resourceIdentifierToArgoResource(identifier string) string {
+func getGroupAndResourceByIdentifier(identifier string) (group, resource string) {
+	group = "argoproj.io"
 	switch identifier {
 	case v1.TypeWorkflowTemplate:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowTemplateVersion:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowExecution:
-		return "workflows"
+		return group, "workflows"
 	case v1.TypeCronWorkflow:
-		return "cronworkflows"
+		return group, "cronworkflows"
 	case v1.TypeWorkspace:
-		return "statefulset"
+		return "onepanel.io", "workspaces"
 	}

-	return ""
+	return "", ""
 }

 func mapLabelsToKeyValue(labels []*v1.Label) []*api.KeyValue {
@@ -54,10 +55,10 @@ func NewLabelServer() *LabelServer {
 }

 func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)

 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -73,10 +74,10 @@ func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest)
 }

 func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)

 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -97,10 +98,10 @@ func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest)
 }

 func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)

 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -121,11 +122,11 @@ func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsR
 }

 func (s *LabelServer) DeleteLabel(ctx context.Context, req *api.DeleteLabelRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)

 	client := getClient(ctx)
 	// update verb here since we are not deleting the resource, but labels
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
Author	SHA1	Message	Date
Andrey Melnikov	6c5b6c877e	Merge pull request #660 from Vafilor/feat/revert.jwt feat: revert jwt changes as it creates issues with workflow authentication logic	2020-10-14 12:15:27 -07:00
Andrey Melnikov	67e684a715	revert: remove util/tokens/jwt as it is no longer used.	2020-10-14 11:54:23 -07:00
Andrey Melnikov	20c4950b69	feat: revert jwt token from auth	2020-10-14 11:53:05 -07:00
Andrey Melnikov	5e5c3cca67	Merge pull request #657 from rushtehrani/fix/workspace-resource fix: Update label function to return group and resource	2020-10-13 16:15:28 -07:00
Andrey Melnikov	575a33c272	Merge pull request #658 from Vafilor/feat/onepanel.io.653-additional-fixes fix: issue with concurrent map access	2020-10-13 16:09:22 -07:00
rushtehrani	8e9b95aa12	update label function to return group and resource	2020-10-13 16:06:08 -07:00
Andrey Melnikov	38f1aafaec	fix: issue with concurrent map access	2020-10-13 16:02:40 -07:00
rushtehrani	30ebda4918	use workspaces instead of statefulset for resource	2020-10-13 15:47:20 -07:00
Andrey Melnikov	ce972f2988	Merge pull request #656 from Vafilor/feat/onepanel.io.653-additional-fixes fix: bad token issue	2020-10-13 15:27:45 -07:00
Andrey Melnikov	ede4c67c8f	fix: bad token issue	2020-10-13 15:17:56 -07:00