Authentication for metrics and version endpoint

Signed-off-by: naveenpaul1 <[email protected]>

Author: naveenpaul1

docs/NooBaaNonContainerized/ConfigFileCustomizations.md

@@ -449,7 +449,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "LOG_TO_STDERR_ENABLED": false
     3. systemctl restart noobaa
     ```
-### 30. Notification log directory
+### 31. Notification log directory
 * <u>Key</u> `NOTIFICATION_LOG_DIR`
 * <u>Type</u> String
 * <u>Default</u> empty
@@ -462,7 +462,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     "NOTIFICATION_LOG_DIR": "/etc/notif"
     3. systemctl restart noobaa
 
-### 31. Prometheus HTTP enable flag -
+### 32. Prometheus HTTP enable flag -
 * <u>Key</u>: `ALLOW_HTTP_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -476,7 +476,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 32. Prometheus HTTPS enable flag -
+### 33. Prometheus HTTPS enable flag -
 * <u>Key</u>: `ALLOW_HTTPS_METRICS`  
 * <u>Type</u>: Boolean  
 * <u>Default</u>: true  
@@ -490,7 +490,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 33. Notification space monitor frequency flag -
+### 34. Notification space monitor frequency flag -
 * <u>Key</u>: `NOTIFICATION_REQ_PER_SPACE_CHECK`
 * <u>Type</u>: Positive integer
 * <u>Default</u>: 0
@@ -504,7 +504,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Notification space monitor threshold flag -
+### 35. Notification space monitor threshold flag -
 * <u>Key</u>: `NOTIFICATION_SPACE_CHECK_THRESHOLD`
 * <u>Type</u>: Number
 * <u>Default</u>: 0.1
@@ -518,7 +518,7 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
-### 34. Dynamic supplemental groups allocation flag -
+### 36. Dynamic supplemental groups allocation flag -
 * <u>Key</u>: `NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS`
 * <u>Type</u>: boolean
 * <u>Default</u>: true

src/server/analytic_services/prometheus_reporting.js

@@ -13,6 +13,7 @@ const stats_aggregator = require('../system_services/stats_aggregator');
 const AggregatorRegistry = require('prom-client').AggregatorRegistry;
 const aggregatorRegistry = new AggregatorRegistry();
 const http_utils = require('../../util/http_utils');
+const jwt_utils = require('../../util/jwt_utils');
 
 // Currenty supported reprots
 const reports = Object.seal({
@@ -69,6 +70,21 @@ async function start_server(
         return;
     }
     const metrics_request_handler = async (req, res) => {
+        // TODO: This is a temporary condition to avoid the token authentication for metrics, 
+        // Need to add authentication for NSFS NC also after confirming flow with the Scale team
+        if (!process.env.NC_NSFS_NO_DB_ENV) {
+            try {
+                jwt_utils.authenticate_jwt_token(req);
+            } catch (err) {
+                res.writeHead(403, { 'Content-Type': 'text/plain' });
+                const reply = JSON.stringify({
+                    error: 'AccessDenied',
+                    message: 'Access Denied',
+                }, null, 2) + '\n';
+                res.end(reply);
+                return;
+            }
+        }
         // Serve all metrics on the root path for system that do have one or more fork running.
         if (fork_enabled) {
             // we would like this part to be first as clusterMetrics might fail.

src/server/web_server.js

@@ -34,6 +34,7 @@ const addr_utils = require('../util/addr_utils');
 const kube_utils = require('../util/kube_utils');
 const http_utils = require('../util/http_utils');
 const server_rpc = require('./server_rpc');
+const jwt_utils = require('../util/jwt_utils');
 
 const rootdir = path.join(__dirname, '..', '..');
 const dev_mode = (process.env.DEV_MODE === 'true');
@@ -218,6 +219,17 @@ async function get_log_level_handler(req, res) {
 }
 
 async function get_version_handler(req, res) {
+    try {
+        jwt_utils.authenticate_jwt_token(req);
+    } catch (err) {
+        res.writeHead(403, { 'Content-Type': 'text/plain' });
+        const reply = JSON.stringify({
+            error: 'AccessDenied',
+            message: 'Access Denied',
+        }, null, 2) + '\n';
+        res.end(reply);
+        return;
+    }
     const { status, version } = await getVersion(req.url);
     if (version) res.send(version);
     if (status !== 200) res.status(status);

src/util/jwt_utils.js

@@ -27,11 +27,38 @@ function make_internal_auth_token(object = {}, jwt_options = {}) {
     return make_auth_token(object, jwt_options);
 }
 
-function authorize_jwt_token(token) {
+/**
+ * authorize jwt token. Validate the jwt token inside passed validate_jwt method
+ * @param {string} token
+ * @param {Function} validate_jwt_func
+ */
+function authorize_jwt_token(token, validate_jwt_func = undefined) {
+    if (token && token.includes('Bearer ')) {
+        token = token.split(' ')[1];
+    }
+    return jwt.verify(token, get_jwt_secret(), validate_jwt_func);
+}
+
+/**
+ * autheticate jwt token for prometheus metrics and version request
+ * @param {nb.S3Request} req
+ */
+function authenticate_jwt_token(req) {
+    const token = req.headers.authorization;
     try {
-        return jwt.verify(token, get_jwt_secret());
+        if (!token) {
+            throw new Error('Missing authorization header');
+        }
+        authorize_jwt_token(token, function(err, decoded) {
+            if (err) {
+                throw err;
+            }
+            if (decoded.role !== "metrics-auth") {
+                throw new Error("Role based authorization failed");
+            }
+          });
     } catch (err) {
-        dbg.error('JWT VERIFY FAILED', token, err);
+        dbg.error('JWT verification failed for token : ', token, err);
         throw err;
     }
 }
@@ -40,3 +67,4 @@ exports.get_jwt_secret = get_jwt_secret;
 exports.make_auth_token = make_auth_token;
 exports.make_internal_auth_token = make_internal_auth_token;
 exports.authorize_jwt_token = authorize_jwt_token;
+exports.authenticate_jwt_token = authenticate_jwt_token;