Authentication for metrics and version endpoint

Signed-off-by: naveenpaul1 <[email protected]>

Author: naveenpaul1

docs/NooBaaNonContainerized/ConfigFileCustomizations.md

@@ -449,7 +449,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "LOG_TO_STDERR_ENABLED": false
     3. systemctl restart noobaa
     ```
-### 30. Notification log directory
+### 31. Notification log directory
 * <u>Key</u> `NOTIFICATION_LOG_DIR`
 * <u>Type</u> String
 * <u>Default</u> empty
@@ -462,7 +462,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "NOTIFICATION_LOG_DIR": "/etc/notif"
     3. systemctl restart noobaa
 
-### 31. Prometheus HTTP enable flag -
+### 32. Prometheus HTTP enable flag -
 * <u>Key</u>: `ALLOW_HTTP_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -476,7 +476,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 32. Prometheus HTTPS enable flag -
+### 33. Prometheus HTTPS enable flag -
 * <u>Key</u>: `ALLOW_HTTPS_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -490,7 +490,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 33. Notification space monitor frequency flag -
+### 34. Notification space monitor frequency flag -
 * <u>Key</u>: `NOTIFICATION_REQ_PER_SPACE_CHECK`
 * <u>Type</u>: Positive integer
 * <u>Default</u>: 0
@@ -504,7 +504,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Notification space monitor threshold flag -
+### 35. Notification space monitor threshold flag -
 * <u>Key</u>: `NOTIFICATION_SPACE_CHECK_THRESHOLD`
 * <u>Type</u>: Number
 * <u>Default</u>: 0.1
@@ -518,7 +518,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Dynamic supplemental groups allocation flag -
+### 36. Dynamic supplemental groups allocation flag -
 * <u>Key</u>: `NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS`
 * <u>Type</u>: boolean
 * <u>Default</u>: true

src/server/analytic_services/prometheus_reporting.js

@@ -69,6 +69,12 @@ async function start_server(
         return;
     }
     const metrics_request_handler = async (req, res) => {
+        // TODO: This is a temporary condition to avoid the token authentication for metrics, 
+        // Need to add authentication for NSFS NC also after confirming flow with the Scale team
+        if (!process.env.NC_NSFS_NO_DB_ENV) {
+            // Authorize bearer token metrics endpoint
+            http_utils.authorize_bearer(req, res, [ "metrics-auth", "admin" ]);
+        }
         // Serve all metrics on the root path for system that do have one or more fork running.
         if (fork_enabled) {
             // we would like this part to be first as clusterMetrics might fail.

src/server/web_server.js

@@ -218,6 +218,8 @@ async function get_log_level_handler(req, res) {
 }
 
 async function get_version_handler(req, res) {
+    // Authorize bearer token version endpoint
+    http_utils.authorize_bearer(req, res, [ "metrics-auth", "admin" ]);
     const { status, version } = await getVersion(req.url);
     if (version) res.send(version);
     if (status !== 200) res.status(status);

src/util/http_utils.js

@@ -946,6 +946,43 @@ function set_response_headers_from_request(req, res) {
     if (req.query['response-expires']) res.setHeader('Expires', req.query['response-expires']);
 }
 
+/**
+ * autheticate jwt token for prometheus metrics and version request
+ * @param {nb.S3Request} req
+ * @param {nb.S3Response} res
+ * @param {string[]} roles
+ */
+function authorize_bearer(req, res, roles) {
+    let token = req.headers.authorization;
+    try {
+        if (!token) {
+            dbg.error('Missing authorization header : ', token);
+            throw new S3Error(S3Error.AccessDenied);
+        }
+        if (!token.includes('Bearer ')) {
+            dbg.error('JWT token is missing the Bearer prefix, ', token);
+            throw new S3Error(S3Error.AccessDenied);
+        }
+        token = token.split(' ')[1];
+        const decoded = jwt_utils.authorize_jwt_token(token);
+        // Role 'metrics-auth' is used in operator RPC call, 
+        // If needs to change update operator RPC call first
+        if (!roles.includes(decoded.role)) {
+            dbg.error('Bearer token authorization failed : ', token);
+            throw new S3Error(S3Error.AccessDenied);
+        }
+    } catch (err) {
+        dbg.error('JWT verification failed for token : ', token, err);
+        res.writeHead(403, { 'Content-Type': 'application/json' });
+        const reply = JSON.stringify({
+            error: 'AccessDenied',
+            message: err.message,
+        }, null, 2);
+        res.end(reply);
+        return false;
+    }
+}
+
 exports.parse_url_query = parse_url_query;
 exports.parse_client_ip = parse_client_ip;
 exports.get_md_conditions = get_md_conditions;
@@ -984,3 +1021,4 @@ exports.CONTENT_TYPE_APP_JSON = CONTENT_TYPE_APP_JSON;
 exports.CONTENT_TYPE_APP_XML = CONTENT_TYPE_APP_XML;
 exports.CONTENT_TYPE_APP_FORM_URLENCODED = CONTENT_TYPE_APP_FORM_URLENCODED;
 exports.set_response_headers_from_request = set_response_headers_from_request;
+exports.authorize_bearer = authorize_bearer;

src/util/jwt_utils.js

@@ -27,6 +27,10 @@ function make_internal_auth_token(object = {}, jwt_options = {}) {
     return make_auth_token(object, jwt_options);
 }
 
+/**
+ * authorize jwt token by verifying it against the jwt secret
+ * @param {string} token
+ */
 function authorize_jwt_token(token) {
     try {
         return jwt.verify(token, get_jwt_secret());