agent authenticator changes

openshift · May 10, 2024 · 3940b8e · 3940b8e
1 parent 3e0b43d
commit 3940b8e
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 38 deletions.
diff --git a/cmd/agentbasedinstaller/client/main.go b/cmd/agentbasedinstaller/client/main.go
@@ -102,7 +102,6 @@ func main() {
 	if len(os.Args) < 2 {
 		log.Fatal("No subcommand specified")
 	}
-
 	switch os.Args[1] {
 	case "register":
 		// registers both cluster and infraenv

diff --git a/cmd/main.go b/cmd/main.go
@@ -270,16 +270,16 @@ func main() {
 	usageManager := usage.NewManager(log, notificationStream)
 	ocmClient := getOCMClient(log)
 
-	// decode only for agent installer
-	// if Options.Auth.AuthType == auth.TypeAgentLocal {
-	decodedECPublicKeyPEM, err := base64.StdEncoding.DecodeString(Options.Auth.ECPublicKeyPEM)
-	Options.Auth.ECPublicKeyPEM = string(decodedECPublicKeyPEM)
-	failOnError(err, "Error decoding public key:")
-
-	decodedECPrivateKeyPEM, err := base64.StdEncoding.DecodeString(Options.Auth.ECPrivateKeyPEM)
-	Options.Auth.ECPrivateKeyPEM = string(decodedECPrivateKeyPEM)
-	failOnError(err, "Error decoding private key:")
-	// }
+	if Options.Auth.AuthType == auth.TypeAgentLocal {
+		decodedECPublicKeyPEM, err := base64.StdEncoding.DecodeString(Options.Auth.ECPublicKeyPEM)
+		Options.Auth.ECPublicKeyPEM = string(decodedECPublicKeyPEM)
+		failOnError(err, "Error decoding public key:")
+
+		decodedECPrivateKeyPEM, err := base64.StdEncoding.DecodeString(Options.Auth.ECPrivateKeyPEM)
+		Options.Auth.ECPrivateKeyPEM = string(decodedECPrivateKeyPEM)
+		os.Setenv("EC_PRIVATE_KEY_PEM", string(decodedECPrivateKeyPEM))
+		failOnError(err, "Error decoding private key:")
+	}
 
 	authHandler, err := auth.NewAuthenticator(&Options.Auth, ocmClient, log.WithField("pkg", "auth"), db)
 	failOnError(err, "failed to create authenticator")

diff --git a/internal/cluster/auth.go b/internal/cluster/auth.go
@@ -30,9 +30,7 @@ func AgentToken(resource interface{}, authType auth.AuthType) (token string, err
 	switch authType {
 	case auth.TypeRHSSO:
 		token, err = cloudPullSecretToken(pullSecret)
-	case auth.TypeLocal:
-		token, err = gencrypto.LocalJWT(resId, gencrypto.InfraEnvKey)
-	case auth.TypeAgentLocal:
+	case auth.TypeLocal, auth.TypeAgentLocal:
 		token, err = gencrypto.LocalJWT(resId, gencrypto.InfraEnvKey)
 	case auth.TypeNone:
 		token = ""

diff --git a/internal/gencrypto/token.go b/internal/gencrypto/token.go
@@ -1,7 +1,6 @@
 package gencrypto
 
 import (
-	"encoding/base64"
 	"net/url"
 	"os"
 	"time"
@@ -25,11 +24,6 @@ type CryptoPair struct {
 
 func LocalJWT(id string, keyType LocalJWTKeyType) (string, error) {
 	key, ok := os.LookupEnv("EC_PRIVATE_KEY_PEM")
-	// if authType == auth.TypeAgentLocal {
-	// decode only for agent installer
-	decodedECPrivateKeyPEM, _ := base64.StdEncoding.DecodeString(key)
-	key = string(decodedECPrivateKeyPEM)
-	// }
 	if !ok || key == "" {
 		return "", errors.Errorf("EC_PRIVATE_KEY_PEM not found")
 	}

diff --git a/internal/ignition/ignition.go b/internal/ignition/ignition.go
@@ -1768,7 +1768,6 @@ func (ib *ignitionBuilder) shouldAppendOKDFiles(ctx context.Context, infraEnv *c
 	return okdRpmsImage, true
 }
 
-// here assisted service calls pullSecretToken which for agent installer or otherwise as well is called as an auth token
 func (ib *ignitionBuilder) FormatDiscoveryIgnitionFile(ctx context.Context, infraEnv *common.InfraEnv, cfg IgnitionConfig, safeForLogs bool, authType auth.AuthType, overrideDiscoveryISOType string) (string, error) {
 	pullSecretToken, err := clusterPkg.AgentToken(infraEnv, authType)
 	if err != nil {

diff --git a/pkg/auth/agent_local_authenticator.go b/pkg/auth/agent_local_authenticator.go
@@ -30,7 +30,6 @@ func NewAgentLocalAuthenticator(cfg *Config, log logrus.FieldLogger, db *gorm.DB
 	if cfg.ECPublicKeyPEM == "" {
 		return nil, errors.Errorf("agent installer local authentication requires an ecdsa Public Key")
 	}
-	logrus.Infof("*** in NewAgentLocalAuthenticator, public key is %s", cfg.ECPublicKeyPEM)
 	key, err := jwt.ParseECPublicKeyFromPEM([]byte(cfg.ECPublicKeyPEM))
 	if err != nil {
 		return nil, err
@@ -61,7 +60,6 @@ func (a *AgentLocalAuthenticator) EnableOrgBasedFeatureGates() bool {
 }
 
 func (a *AgentLocalAuthenticator) AuthAgentAuth(token string) (interface{}, error) {
-	// Trim the "bearer" prefix if present. Check without removing
 	token = strings.TrimPrefix(token, "bearer ")
 	token = strings.TrimPrefix(token, "Bearer ")
 
@@ -89,12 +87,6 @@ func (a *AgentLocalAuthenticator) AuthAgentAuth(token string) (interface{}, erro
 			if infraEnvExists(a.db, infraEnvID) {
 				a.cache.Set(infraEnvID, "", cache.DefaultExpiration)
 			}
-			// not useful for agent. Always errors because infraenv needs to be registered?
-			// else {
-			// 	logrus.Infof("infraEnv %s does not exist", infraEnvID)
-			// 	err := errors.Errorf("infraEnv %s does not exist", infraEnvID)
-			// 	return nil, common.NewInfraError(http.StatusUnauthorized, err)
-			// }
 		}
 		a.log.Infof("Authenticating infraEnv %s JWT", infraEnvID)
 	}

diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
@@ -32,16 +32,16 @@ type Authenticator interface {
 }
 
 type Config struct {
-	AuthType        AuthType `envconfig:"AUTH_TYPE" default:""`
-	JwkCert         string   `envconfig:"JWKS_CERT"`
-	JwkCertURL      string   `envconfig:"JWKS_URL" default:"https://api.openshift.com/.well-known/jwks.json"`
-	ECPublicKeyPEM  string   `envconfig:"EC_PUBLIC_KEY_PEM"`
-	ECPrivateKeyPEM string   `envconfig:"EC_PRIVATE_KEY_PEM"`
+	AuthType       AuthType `envconfig:"AUTH_TYPE" default:""`
+	JwkCert        string   `envconfig:"JWKS_CERT"`
+	JwkCertURL     string   `envconfig:"JWKS_URL" default:"https://api.openshift.com/.well-known/jwks.json"`
+	ECPublicKeyPEM string   `envconfig:"EC_PUBLIC_KEY_PEM"`
 	// Will be split with "," as separator
 	AllowedDomains             string   `envconfig:"ALLOWED_DOMAINS" default:""`
 	AdminUsers                 []string `envconfig:"ADMIN_USERS" default:""`
 	EnableOrgTenancy           bool     `envconfig:"ENABLE_ORG_TENANCY" default:"false"`
 	EnableOrgBasedFeatureGates bool     `envconfig:"ENABLE_ORG_BASED_FEATURE_GATES" default:"false"`
+	ECPrivateKeyPEM            string   `envconfig:"EC_PRIVATE_KEY_PEM"`
 }
 
 func NewAuthenticator(cfg *Config, ocmClient *ocm.Client, log logrus.FieldLogger, db *gorm.DB) (a Authenticator, err error) {

diff --git a/pkg/auth/authenticator_test.go b/pkg/auth/authenticator_test.go
@@ -59,7 +59,7 @@ var _ = Describe("NewAuthenticator", func() {
 
 		a, err = NewAuthenticator(config, nil, logrus.New(), nil)
 		Expect(err).ToNot(HaveOccurred())
-		_, ok = a.(*LocalAuthenticator)
+		_, ok = a.(*AgentLocalAuthenticator)
 		Expect(ok).To(BeTrue())
 
 	})

diff --git a/pkg/auth/local_authenticator.go b/pkg/auth/local_authenticator.go
@@ -29,7 +29,6 @@ func NewLocalAuthenticator(cfg *Config, log logrus.FieldLogger, db *gorm.DB) (*L
 	if cfg.ECPublicKeyPEM == "" {
 		return nil, errors.Errorf("local authentication requires an ecdsa Public Key")
 	}
-	logrus.Infof("*** in local_authenticator cfg.ECPublicKeyPEM =%s", cfg.ECPublicKeyPEM)
 
 	key, err := jwt.ParseECPublicKeyFromPEM([]byte(cfg.ECPublicKeyPEM))
 	if err != nil {
@@ -124,8 +123,6 @@ func (a *LocalAuthenticator) CreateAuthenticator() func(_, _ string, _ security.
 }
 
 func validateToken(token string, pub crypto.PublicKey) (*jwt.Token, error) {
-	logrus.Infof("**** validateToken token=%s", token)
-	logrus.Infof("****  pub=%s", pub)
 	parser := &jwt.Parser{ValidMethods: []string{jwt.SigningMethodES256.Alg()}}
 	parsed, err := parser.Parse(token, func(t *jwt.Token) (interface{}, error) { return pub, nil })