go-vela · ecrupper · Mar 23, 2023 · Feb 28, 2023 · Mar 9, 2023 · Mar 14, 2023
@@ -0,0 +1,69 @@
+// Copyright (c) 2023 Target Brands, Inc. All rights reserved.
+//
+// Use of this source code is governed by the LICENSE file in this repository.
+
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/go-vela/server/internal/token"
+	"github.com/go-vela/server/util"
+	"github.com/go-vela/types/constants"
+	"github.com/go-vela/types/library"
+
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+)
+
+// swagger:operation POST /api/v1/admin/workers/{worker}/register-token admin RegisterToken
+//
+// Get a worker registration token
+//
+// ---
+// produces:
+// - application/json
+// parameters:
+// - in: path
+//   name: worker
+//   description: Hostname of the worker
+//   required: true
+//   type: string
+// security:
+//   - ApiKeyAuth: []
+// responses:
+//   '200':
+//     description: Successfully generated registration token
+//     schema:
+//       "$ref": "#/definitions/Token"
+//   '401':
+//     description: Unauthorized
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// RegisterToken represents the API handler to
+// generate a registration token for onboarding a worker.
+func RegisterToken(c *gin.Context) {
+	logrus.Info("Admin: generating registration token")
+
+	host := util.PathParameter(c, "worker")
+
+	tm := c.MustGet("token-manager").(*token.Manager)
+	rmto := &token.MintTokenOpts{
+		Hostname:      host,
+		TokenType:     constants.WorkerRegisterTokenType,
+		TokenDuration: tm.WorkerRegisterTokenDuration,
+	}
+
+	rt, err := tm.MintToken(rmto)
+	if err != nil {
+		retErr := fmt.Errorf("unable to generate registration token: %w", err)
+
+		util.HandleError(c, http.StatusInternalServerError, retErr)
+
+		return
+	}
+
+	c.JSON(http.StatusOK, library.Token{Token: &rt})
+}
@@ -1764,8 +1764,26 @@ func CancelBuild(c *gin.Context) {
 				return
 			}
 
+			tm := c.MustGet("token-manager").(*token.Manager)
+
+			// set mint token options
+			mto := &token.MintTokenOpts{
+				Hostname:      "vela-server",
+				TokenType:     constants.WorkerAuthTokenType,
+				TokenDuration: time.Minute * 1,
+			}
+
+			// mint token
+			tkn, err := tm.MintToken(mto)
+			if err != nil {
+				retErr := fmt.Errorf("unable to generate auth token: %w", err)
+				util.HandleError(c, http.StatusInternalServerError, retErr)
+
+				return
+			}
+
 			// add the token to authenticate to the worker
-			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.MustGet("secret").(string)))
+			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", tkn))
 
 			// perform the request to the worker
 			resp, err := client.Do(req)

@@ -7,9 +7,11 @@ package api
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/go-vela/server/internal/token"
 	"github.com/go-vela/server/router/middleware/auth"
+	"github.com/go-vela/server/router/middleware/claims"
 	"github.com/go-vela/server/util"
 
 	"github.com/go-vela/types/library"
@@ -65,3 +67,38 @@ func RefreshAccessToken(c *gin.Context) {
 
 	c.JSON(http.StatusOK, library.Token{Token: &newAccessToken})
 }
+
+// swagger:operation GET /validate-token authenticate ValidateServerToken
+//
+// Validate a server token
+//
+// ---
+// produces:
+// - application/json
+// security:
+//   - CookieAuth: []
+// responses:
+//   '200':
+//     description: Successfully validated a token
+//     schema:
+//       type: string
+//   '401':
+//     description: Unauthorized
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// ValidateServerToken will return the claims of a valid server token
+// if it is provided in the auth header.
+func ValidateServerToken(c *gin.Context) {
+	cl := claims.Retrieve(c)
+
+	if !strings.EqualFold(cl.Subject, "vela-server") {
+		retErr := fmt.Errorf("token is not a valid server token")
+
+		util.HandleError(c, http.StatusUnauthorized, retErr)
+
+		return
+	}
+
+	c.JSON(http.StatusOK, cl)
+}
@@ -8,7 +8,10 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/go-vela/server/internal/token"
+	"github.com/go-vela/server/router/middleware/claims"
 	"github.com/go-vela/server/router/middleware/user"
+	"github.com/go-vela/types/constants"
 
 	"github.com/go-vela/server/database"
 	"github.com/go-vela/server/router/middleware/worker"
@@ -38,9 +41,9 @@ import (
 //   - ApiKeyAuth: []
 // responses:
 //   '201':
-//     description: Successfully created the worker
+//     description: Successfully created the worker and retrieved auth token
 //     schema:
-//       type: string
+//       "$ref": "#definitions/Token"
 //   '400':
 //     description: Unable to create the worker
 //     schema:
@@ -55,6 +58,7 @@ import (
 func CreateWorker(c *gin.Context) {
 	// capture middleware values
 	u := user.Retrieve(c)
+	cl := claims.Retrieve(c)
 
 	// capture body from API request
 	input := new(library.Worker)
@@ -85,7 +89,46 @@ func CreateWorker(c *gin.Context) {
 		return
 	}
 
-	c.JSON(http.StatusCreated, fmt.Sprintf("worker %s created", input.GetHostname()))
+	switch cl.TokenType {
+	// if symmetric token configured, send back symmetric token
+	case constants.ServerWorkerTokenType:
+		if secret, ok := c.Value("secret").(string); ok {
+			tkn := new(library.Token)
+			tkn.SetToken(secret)
+			c.JSON(http.StatusOK, tkn)
+
+			return
+		}
+
+		retErr := fmt.Errorf("symmetric token provided but not configured in server")
+		util.HandleError(c, http.StatusBadRequest, retErr)
+
+		return
+	// if worker register token, send back auth token
+	default:
+		tm := c.MustGet("token-manager").(*token.Manager)
+
+		wmto := &token.MintTokenOpts{
+			TokenType:     constants.WorkerAuthTokenType,
+			TokenDuration: tm.WorkerAuthTokenDuration,
+			Hostname:      cl.Subject,
+		}
+
+		tkn := new(library.Token)
+
+		wt, err := tm.MintToken(wmto)
+		if err != nil {
+			retErr := fmt.Errorf("unable to generate auth token for worker %s: %w", input.GetHostname(), err)
+
+			util.HandleError(c, http.StatusInternalServerError, retErr)
+
+			return
+		}
+
+		tkn.SetToken(wt)
+
+		c.JSON(http.StatusCreated, tkn)
+	}
 }
 
 // swagger:operation GET /api/v1/workers workers GetWorkers
@@ -226,7 +269,7 @@ func GetWorker(c *gin.Context) {
 //       "$ref": "#/definitions/Error"
 
 // UpdateWorker represents the API handler to
-// create a worker in the configured backend.
+// update a worker in the configured backend.
 func UpdateWorker(c *gin.Context) {
 	// capture middleware values
 	u := user.Retrieve(c)
@@ -288,6 +331,95 @@ func UpdateWorker(c *gin.Context) {
 	c.JSON(http.StatusOK, w)
 }
 
+// swagger:operation POST /api/v1/workers/{worker}/refresh workers RefreshWorkerAuth
+//
+// Refresh authorization token for worker
+//
+// ---
+// produces:
+// - application/json
+// parameters:
+// - in: path
+//   name: worker
+//   description: Name of the worker
+//   required: true
+//   type: string
+// security:
+//   - ApiKeyAuth: []
+// responses:
+//   '200':
+//     description: Successfully refreshed auth
+//     schema:
+//       "$ref": "#/definitions/Token"
+//   '400':
+//     description: Unable to refresh worker auth
+//     schema:
+//       "$ref": "#/definitions/Error"
+//   '404':
+//     description: Unable to refresh worker auth
+//     schema:
+//       "$ref": "#/definitions/Error"
+//   '500':
+//     description: Unable to refresh worker auth
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// RefreshWorkerAuth represents the API handler to
+// refresh the auth token for a worker.
+func RefreshWorkerAuth(c *gin.Context) {
+	// capture middleware values
+	w := worker.Retrieve(c)
+	cl := claims.Retrieve(c)
+
+	// update engine logger with API metadata
+	//
+	// https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Entry.WithFields
+	logrus.WithFields(logrus.Fields{
+		"worker": w.GetHostname(),
+	}).Infof("refreshing worker %s authentication", w.GetHostname())
+
+	switch cl.TokenType {
+	// if symmetric token configured, send back symmetric token
+	case constants.ServerWorkerTokenType:
+		if secret, ok := c.Value("secret").(string); ok {
+			tkn := new(library.Token)
+			tkn.SetToken(secret)
+			c.JSON(http.StatusOK, tkn)
+
+			return
+		}
+
+		retErr := fmt.Errorf("symmetric token provided but not configured in server")
+		util.HandleError(c, http.StatusBadRequest, retErr)
+
+		return
+	// if worker auth / register token, send back auth token
+	case constants.WorkerAuthTokenType, constants.WorkerRegisterTokenType:
+		tm := c.MustGet("token-manager").(*token.Manager)
+
+		wmto := &token.MintTokenOpts{
+			TokenType:     constants.WorkerAuthTokenType,
+			TokenDuration: tm.WorkerAuthTokenDuration,
+			Hostname:      cl.Subject,
+		}
+
+		tkn := new(library.Token)
+
+		wt, err := tm.MintToken(wmto)
+		if err != nil {
+			retErr := fmt.Errorf("unable to generate auth token for worker %s: %w", w.GetHostname(), err)
+
+			util.HandleError(c, http.StatusInternalServerError, retErr)
+
+			return
+		}
+
+		tkn.SetToken(wt)
+
+		c.JSON(http.StatusCreated, tkn)
+	}
+}
+
 // swagger:operation DELETE /api/v1/workers/{worker} workers DeleteWorker
 //
 // Delete a worker for the configured backend

@@ -147,6 +147,18 @@ func main() {
 			Usage:   "sets the duration of the buffer for build token expiration based on repo build timeout",
 			Value:   5 * time.Minute,
 		},
+		&cli.DurationFlag{
+			EnvVars: []string{"VELA_WORKER_AUTH_TOKEN_DURATION", "WORKER_AUTH_TOKEN_DURATION"},
+			Name:    "worker-auth-token-duration",
+			Usage:   "sets the duration of the worker auth token",
+			Value:   20 * time.Minute,
+		},
+		&cli.DurationFlag{
+			EnvVars: []string{"VELA_WORKER_REGISTER_TOKEN_DURATION", "WORKER_REGISTER_TOKEN_DURATION"},
+			Name:    "worker-register-token-duration",
+			Usage:   "sets the duration of the worker register token",
+			Value:   1 * time.Minute,
+		},
 		// Compiler Flags
 		&cli.BoolFlag{
 			EnvVars: []string{"VELA_COMPILER_GITHUB", "COMPILER_GITHUB"},

@@ -19,11 +19,13 @@ func setupTokenManager(c *cli.Context) *token.Manager {
 	logrus.Debug("Creating token manager from CLI configuration")
 
 	tm := &token.Manager{
-		PrivateKey:               c.String("vela-server-private-key"),
-		SignMethod:               jwt.SigningMethodHS256,
-		UserAccessTokenDuration:  c.Duration("user-access-token-duration"),
-		UserRefreshTokenDuration: c.Duration("user-refresh-token-duration"),
-		BuildTokenBufferDuration: c.Duration("build-token-buffer-duration"),
+		PrivateKey:                  c.String("vela-server-private-key"),
+		SignMethod:                  jwt.SigningMethodHS256,
+		UserAccessTokenDuration:     c.Duration("user-access-token-duration"),
+		UserRefreshTokenDuration:    c.Duration("user-refresh-token-duration"),
+		BuildTokenBufferDuration:    c.Duration("build-token-buffer-duration"),
+		WorkerAuthTokenDuration:     c.Duration("worker-auth-token-duration"),
+		WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
 	}
 
 	return tm

@@ -52,10 +52,6 @@ func validateCore(c *cli.Context) error {
 		return fmt.Errorf("clone-image (VELA_CLONE_IMAGE) flag is not properly configured")
 	}
 
-	if len(c.String("vela-secret")) == 0 {
-		return fmt.Errorf("vela-secret (VELA_SECRET) flag is not properly configured")
-	}
-
 	if len(c.String("vela-server-private-key")) == 0 {
 		return fmt.Errorf("vela-server-private-key (VELA_SERVER_PRIVATE_KEY) flag is not properly configured")
 	}

@@ -13,7 +13,7 @@ require (
 	github.com/drone/envsubst v1.0.3
 	github.com/gin-gonic/gin v1.9.0
 	github.com/go-playground/assert/v2 v2.2.0
-	github.com/go-vela/types v0.18.1
+	github.com/go-vela/types v0.18.2-0.20230321015315-6c723879639c
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-github/v50 v50.1.0