feat(auth): server side changes for new worker auth flow

api/admin/worker.go

@@ -0,0 +1,69 @@
+// Copyright (c) 2023 Target Brands, Inc. All rights reserved.
+//
+// Use of this source code is governed by the LICENSE file in this repository.
+
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/go-vela/server/internal/token"
+	"github.com/go-vela/server/util"
+	"github.com/go-vela/types/constants"
+	"github.com/go-vela/types/library"
+
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+)
+
+// swagger:operation POST /api/v1/admin/workers/{worker}/register-token admin RegisterToken
+//
+// Get a worker registration token
+//
+// ---
+// produces:
+// - application/json
+// parameters:
+// - in: path
+//   name: worker
+//   description: Hostname of the worker
+//   required: true
+//   type: string
+// security:
+//   - ApiKeyAuth: []
+// responses:
+//   '200':
+//     description: Successfully generated registration token
+//     schema:
+//       "$ref": "#/definitions/Token"
+//   '401':
+//     description: Unauthorized
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// RegisterToken represents the API handler to
+// generate a registration token for onboarding a worker.
+func RegisterToken(c *gin.Context) {
+	logrus.Info("Admin: generating registration token")
+
+	host := util.PathParameter(c, "worker")
+
+	tm := c.MustGet("token-manager").(*token.Manager)
+	rmto := &token.MintTokenOpts{
+		Hostname:      host,
+		TokenType:     constants.WorkerRegisterTokenType,
+		TokenDuration: tm.WorkerRegisterTokenDuration,
+	}
+
+	rt, err := tm.MintToken(rmto)
+	if err != nil {
+		retErr := fmt.Errorf("unable to generate registration token: %w", err)
+
+		util.HandleError(c, http.StatusInternalServerError, retErr)
+
+		return
+	}
+
+	c.JSON(http.StatusOK, library.Token{Token: &rt})
+}

api/build.go

@@ -1764,8 +1764,26 @@ func CancelBuild(c *gin.Context) {
 				return
 			}
 
+			tm := c.MustGet("token-manager").(*token.Manager)
+
+			// set mint token options
+			mto := &token.MintTokenOpts{
+				Hostname:      "vela-server",
+				TokenType:     constants.WorkerAuthTokenType,
+				TokenDuration: time.Minute * 1,
+			}
+
+			// mint token
+			tkn, err := tm.MintToken(mto)
+			if err != nil {
+				retErr := fmt.Errorf("unable to generate auth token: %w", err)
+				util.HandleError(c, http.StatusInternalServerError, retErr)
+
+				return
+			}
+
 			// add the token to authenticate to the worker
-			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.MustGet("secret").(string)))
+			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", tkn))
 
 			// perform the request to the worker
 			resp, err := client.Do(req)

api/token.go

@@ -7,9 +7,11 @@ package api
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/go-vela/server/internal/token"
 	"github.com/go-vela/server/router/middleware/auth"
+	"github.com/go-vela/server/router/middleware/claims"
 	"github.com/go-vela/server/util"
 
 	"github.com/go-vela/types/library"
@@ -65,3 +67,38 @@ func RefreshAccessToken(c *gin.Context) {
 
 	c.JSON(http.StatusOK, library.Token{Token: &newAccessToken})
 }
+
+// swagger:operation GET /validate-token authenticate ValidateServerToken
+//
+// Validate a server token
+//
+// ---
+// produces:
+// - application/json
+// security:
+//   - CookieAuth: []
+// responses:
+//   '200':
+//     description: Successfully validated a token
+//     schema:
+//       type: string
+//   '401':
+//     description: Unauthorized
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// ValidateServerToken will return the claims of a valid server token
+// if it is provided in the auth header.
+func ValidateServerToken(c *gin.Context) {
+	cl := claims.Retrieve(c)
+
+	if !strings.EqualFold(cl.Subject, "vela-server") {
+		retErr := fmt.Errorf("token is not a valid server token")
+
+		util.HandleError(c, http.StatusUnauthorized, retErr)
+
+		return
+	}
+
+	c.JSON(http.StatusOK, cl)
+}

api/worker.go

@@ -8,7 +8,10 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/go-vela/server/internal/token"
+	"github.com/go-vela/server/router/middleware/claims"
 	"github.com/go-vela/server/router/middleware/user"
+	"github.com/go-vela/types/constants"
 
 	"github.com/go-vela/server/database"
 	"github.com/go-vela/server/router/middleware/worker"
@@ -55,6 +58,7 @@ import (
 func CreateWorker(c *gin.Context) {
 	// capture middleware values
 	u := user.Retrieve(c)
+	cl := claims.Retrieve(c)
 
 	// capture body from API request
 	input := new(library.Worker)
@@ -85,7 +89,42 @@ func CreateWorker(c *gin.Context) {
 		return
 	}
 
-	c.JSON(http.StatusCreated, fmt.Sprintf("worker %s created", input.GetHostname()))
+	switch cl.TokenType {
+	case constants.ServerWorkerTokenType:
+		if secret, ok := c.Value("secret").(string); ok {
+			tkn := new(library.Token)
+			tkn.SetToken(secret)
+			c.JSON(http.StatusOK, tkn)
+		}
+
+		retErr := fmt.Errorf("symmetric token provided but not configured in server")
+		util.HandleError(c, http.StatusBadRequest, retErr)
+
+		return
+	default:
+		tm := c.MustGet("token-manager").(*token.Manager)
+
+		wmto := &token.MintTokenOpts{
+			TokenType:     constants.WorkerAuthTokenType,
+			TokenDuration: tm.WorkerAuthTokenDuration,
+			Hostname:      cl.Subject,
+		}
+
+		tkn := new(library.Token)
+
+		wt, err := tm.MintToken(wmto)
+		if err != nil {
+			retErr := fmt.Errorf("unable to generate auth token for worker %s: %w", input.GetHostname(), err)
+
+			util.HandleError(c, http.StatusInternalServerError, retErr)
+
+			return
+		}
+
+		tkn.SetToken(wt)
+
+		c.JSON(http.StatusCreated, tkn)
+	}
 }
 
 // swagger:operation GET /api/v1/workers workers GetWorkers
@@ -231,6 +270,13 @@ func UpdateWorker(c *gin.Context) {
 	// capture middleware values
 	u := user.Retrieve(c)
 	w := worker.Retrieve(c)
+	cl := claims.Retrieve(c)
+
+	// establish check in type
+	type WorkerCheckIn struct {
+		Worker *library.Worker `json:"worker,omitempty"`
+		Token  *library.Token  `json:"token,omitempty"`
+	}
 
 	// update engine logger with API metadata
 	//
@@ -272,20 +318,47 @@ func UpdateWorker(c *gin.Context) {
 		w.SetLastCheckedIn(input.GetLastCheckedIn())
 	}
 
-	// send API call to update the worker
-	err = database.FromContext(c).UpdateWorker(w)
-	if err != nil {
-		retErr := fmt.Errorf("unable to update worker %s: %w", w.GetHostname(), err)
+	// send API call to capture the updated worker
+	w, _ = database.FromContext(c).GetWorkerForHostname(w.GetHostname())
 
-		util.HandleError(c, http.StatusInternalServerError, retErr)
+	switch cl.TokenType {
+	case constants.UserAccessTokenType:
+		c.JSON(http.StatusOK, w)
+	case constants.ServerWorkerTokenType:
+		if secret, ok := c.Value("secret").(string); ok {
+			tkn := new(library.Token)
+			tkn.SetToken(secret)
+			c.JSON(http.StatusOK, WorkerCheckIn{Worker: w, Token: tkn})
+		}
+
+		retErr := fmt.Errorf("symmetric token provided but not configured in server")
+		util.HandleError(c, http.StatusBadRequest, retErr)
 
 		return
-	}
+	default:
+		tm := c.MustGet("token-manager").(*token.Manager)
 
-	// send API call to capture the updated worker
-	w, _ = database.FromContext(c).GetWorkerForHostname(w.GetHostname())
+		wmto := &token.MintTokenOpts{
+			TokenType:     constants.WorkerAuthTokenType,
+			TokenDuration: tm.WorkerAuthTokenDuration,
+			Hostname:      cl.Subject,
+		}
 
-	c.JSON(http.StatusOK, w)
+		tkn := new(library.Token)
+
+		wt, err := tm.MintToken(wmto)
+		if err != nil {
+			retErr := fmt.Errorf("unable to generate auth token for worker %s: %w", w.GetHostname(), err)
+
+			util.HandleError(c, http.StatusInternalServerError, retErr)
+
+			return
+		}
+
+		tkn.SetToken(wt)
+
+		c.JSON(http.StatusOK, WorkerCheckIn{Worker: w, Token: tkn})
+	}
 }
 
 // swagger:operation DELETE /api/v1/workers/{worker} workers DeleteWorker

cmd/vela-server/main.go

@@ -147,6 +147,18 @@ func main() {
 			Usage:   "sets the duration of the buffer for build token expiration based on repo build timeout",
 			Value:   5 * time.Minute,
 		},
+		&cli.DurationFlag{
+			EnvVars: []string{"VELA_WORKER_AUTH_TOKEN_DURATION", "WORKER_AUTH_TOKEN_DURATION"},
+			Name:    "worker-auth-token-duration",
+			Usage:   "sets the duration of the worker auth token",
+			Value:   20 * time.Minute,
+		},
+		&cli.DurationFlag{
+			EnvVars: []string{"VELA_WORKER_REGISTER_TOKEN_DURATION", "WORKER_REGISTER_TOKEN_DURATION"},
+			Name:    "worker-register-token-duration",
+			Usage:   "sets the duration of the worker register token",
+			Value:   1 * time.Minute,
+		},
 		// Compiler Flags
 		&cli.BoolFlag{
 			EnvVars: []string{"VELA_COMPILER_GITHUB", "COMPILER_GITHUB"},

cmd/vela-server/token.go

@@ -19,11 +19,13 @@ func setupTokenManager(c *cli.Context) *token.Manager {
 	logrus.Debug("Creating token manager from CLI configuration")
 
 	tm := &token.Manager{
-		PrivateKey:               c.String("vela-server-private-key"),
-		SignMethod:               jwt.SigningMethodHS256,
-		UserAccessTokenDuration:  c.Duration("user-access-token-duration"),
-		UserRefreshTokenDuration: c.Duration("user-refresh-token-duration"),
-		BuildTokenBufferDuration: c.Duration("build-token-buffer-duration"),
+		PrivateKey:                  c.String("vela-server-private-key"),
+		SignMethod:                  jwt.SigningMethodHS256,
+		UserAccessTokenDuration:     c.Duration("user-access-token-duration"),
+		UserRefreshTokenDuration:    c.Duration("user-refresh-token-duration"),
+		BuildTokenBufferDuration:    c.Duration("build-token-buffer-duration"),
+		WorkerAuthTokenDuration:     c.Duration("worker-auth-token-duration"),
+		WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
 	}
 
 	return tm

cmd/vela-server/validate.go

@@ -52,10 +52,6 @@ func validateCore(c *cli.Context) error {
 		return fmt.Errorf("clone-image (VELA_CLONE_IMAGE) flag is not properly configured")
 	}
 
-	if len(c.String("vela-secret")) == 0 {
-		return fmt.Errorf("vela-secret (VELA_SECRET) flag is not properly configured")
-	}
-
 	if len(c.String("vela-server-private-key")) == 0 {
 		return fmt.Errorf("vela-server-private-key (VELA_SERVER_PRIVATE_KEY) flag is not properly configured")
 	}

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/drone/envsubst v1.0.3
 	github.com/gin-gonic/gin v1.9.0
 	github.com/go-playground/assert/v2 v2.2.0
-	github.com/go-vela/types v0.18.1
+	github.com/go-vela/types v0.18.2-0.20230321015315-6c723879639c
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-github/v50 v50.1.0

go.sum

@@ -148,8 +148,8 @@ github.com/go-playground/validator/v10 v10.11.2 h1:q3SHpufmypg+erIExEKUmsgmhDTyh
 github.com/go-playground/validator/v10 v10.11.2/go.mod h1:NieE624vt4SCTJtD87arVLvdmjPAeV8BQlHtMnw9D7s=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/go-vela/types v0.18.1 h1:V/luHLnCEaJhD1m9PZCZicIasg8Op6MCK+utkz+gQiU=
-github.com/go-vela/types v0.18.1/go.mod h1:6MzMhLaXKSZ9wiJveieqnBd2+4ZMS7yv7+POGSITyS8=
+github.com/go-vela/types v0.18.2-0.20230321015315-6c723879639c h1:lnCL1knUGvgZQG4YBHSs/CZnxNBfqFUBlGhyq9LO9uk=
+github.com/go-vela/types v0.18.2-0.20230321015315-6c723879639c/go.mod h1:6MzMhLaXKSZ9wiJveieqnBd2+4ZMS7yv7+POGSITyS8=
 github.com/goccy/go-json v0.10.0 h1:mXKd9Qw4NuzShiRlOXKews24ufknHO7gx30lsDyokKA=
 github.com/goccy/go-json v0.10.0/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=

internal/token/manager.go

@@ -25,4 +25,10 @@ type Manager struct {
 
 	// BuildTokenBufferDuration specifies the additional token duration of build tokens beyond repo timeout
 	BuildTokenBufferDuration time.Duration
+
+	// WorkerAuthTokenDuration specifies the token duration for worker auth (check in)
+	WorkerAuthTokenDuration time.Duration
+
+	// WorkerRegisterTokenDuration specifies the token duration for worker register
+	WorkerRegisterTokenDuration time.Duration
 }

internal/token/mint.go

@@ -69,6 +69,13 @@ func (tm *Manager) MintToken(mto *MintTokenOpts) (string, error) {
 		claims.Repo = mto.Repo
 		claims.Subject = mto.Hostname
 
+	case constants.WorkerAuthTokenType, constants.WorkerRegisterTokenType:
+		if len(mto.Hostname) == 0 {
+			return "", fmt.Errorf("missing host name for %s token", mto.TokenType)
+		}
+
+		claims.Subject = mto.Hostname
+
 	default:
 		return "", errors.New("invalid token type")
 	}

mock/server/authentication.go

@@ -73,3 +73,17 @@ func getAuthenticateFromToken(c *gin.Context) {
 
 	c.JSON(http.StatusOK, body)
 }
+
+// validateToken returns mock response for a http GET.
+//
+// Don't pass "Token" in header to receive an error message. Pass "0" in "Token" header to receive invalid token resp.
+func validateToken(c *gin.Context) {
+	err := "error"
+
+	token := c.Request.Header.Get("Token")
+	if len(token) == 0 {
+		c.AbortWithStatusJSON(http.StatusUnauthorized, types.Error{Message: &err})
+	}
+
+	c.JSON(http.StatusOK, "vela-server")
+}