[#16] Implementing security for api-server

.access.json

@@ -0,0 +1,6 @@
+{
+  "endpoints": [
+  ],
+  "admin": {
+  }
+}

.endpoints.json

@@ -0,0 +1,4 @@
+{
+  "endpoints": [
+  ]
+}

.env

@@ -6,12 +6,20 @@ PLUGIN_NAME='ActiveMQ Artemis Jolokia api-server'
 SERVER_CERT=/var/serving-cert/tls.crt
 SERVER_KEY=/var/serving-cert/tls.key
 
+# logging
+LOG_LEVEL='info'
+ENABLE_REQUEST_LOG='false'
+
+# security
+
 # replace the token in production deployment
 SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91
 
-# to trust jolokia certs
-NODE_TLS_REJECT_UNAUTHORIZED='0'
+API_SERVER_SECURITY_ENABLED=true
+API_SERVER_SECURITY_AUTH_TYPE=jwt
+USERS_FILE_URL=.users.json
+ROLES_FILE_URL=.roles.json
+ENDPOINTS_FILE_URL=.endpoints.json
+ACCESS_CONTROL_FILE_URL=.access.json
 
-# logging
-LOG_LEVEL='info'
-ENABLE_REQUEST_LOG='false'
+API_SERVER_ADMIN_USER=admin

.gitignore

@@ -121,3 +121,8 @@ dist
 .yarn/build-state.yml
 .yarn/install-state.gz
 .pnp.*
+
+# vs code config
+.vscode
+
+

.roles.json

@@ -0,0 +1,4 @@
+{
+  "roles": [
+  ]
+}

.test.access.json

@@ -0,0 +1,23 @@
+{
+  "endpoints": [
+    {
+      "name": "broker1",
+      "roles": ["role1", "manager"]
+    },
+    {
+      "name": "broker2",
+      "roles": ["role2", "manager"]
+    },
+    {
+      "name": "broker3",
+      "roles": ["manager"]
+    },
+    {
+      "name": "broker4",
+      "roles": ["manager"]
+    }
+  ],
+  "admin": {
+    "roles": ["manager"]
+  }
+}

.test.endpoints.json

@@ -0,0 +1,57 @@
+{
+  "endpoints": [
+    {
+      "name": "broker1",
+      "url": "http://127.0.0.1:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker2",
+      "url": "http://127.0.0.2:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker3",
+      "url": "http://127.0.0.3:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker4",
+      "url": "https://artemis-broker-jolokia-0-svc-ing-default.artemiscloud.io:443",
+      "jolokiaPrefix": "/jolokia/",
+      "auth": [
+        {
+          "scheme": "cert",
+          "data": {
+            "certpath": "test-api-server.crt",
+            "keypath": "test-api-server.key"
+          }
+        }
+      ]
+    }
+  ]
+}

.test.env

@@ -0,0 +1,26 @@
+
+PLUGIN_VERSION=1.0.0
+PLUGIN_NAME='ActiveMQ Artemis Jolokia api-server'
+
+# dev cert
+SERVER_CERT=/var/serving-cert/tls.crt
+SERVER_KEY=/var/serving-cert/tls.key
+
+# replace the token in production deployment
+SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91
+
+# to trust jolokia certs
+NODE_TLS_REJECT_UNAUTHORIZED='0'
+
+# logging
+LOG_LEVEL='debug'
+ENABLE_REQUEST_LOG=false
+
+# security
+API_SERVER_SECURITY_ENABLED=true
+USERS_FILE_URL=.test.users.json
+ROLES_FILE_URL=.test.roles.json
+ENDPOINTS_FILE_URL=.test.endpoints.json
+ACCESS_CONTROL_FILE_URL=.test.access.json
+
+API_SERVER_ADMIN_USER=admin

.test.roles.json

@@ -0,0 +1,16 @@
+{
+  "roles": [
+    {
+      "name": "role1",
+      "uids": ["user1"]
+    },
+    {
+      "name": "role2",
+      "uids": ["user1", "user2"]
+    },
+    {
+      "name": "manager",
+      "uids": ["root"]
+    }
+  ]
+}

.test.users.json

@@ -0,0 +1,26 @@
+{
+  "users": [
+    {
+      "id": "user1",
+      "email": "user1@example.com",
+      "hash": "$2a$12$nv9iV5/UNuV4Mdj1Jf8zfuUraqboSRtSQqCmtOc4F7rdwmOb9IzNu"
+    },
+    {
+      "id": "user2",
+      "hash": "$2a$12$VHZ9aJ5A87YeFop4xVW.aOMm95ClU.EviyT9o0i8HYLdG6w6ctMfW"
+    },
+    {
+      "id": "root",
+      "email": "user3@example.com",
+      "hash": "$2a$12$VHZ9aJ5A87YeFop4xVW.aOMm95ClU.EviyT9o0i8HYLdG6w6ctMfW"
+    },
+    {
+      "id": "usernoroles",
+      "hash": "$2a$12$J.CGc062y9YhdvYEqqiqoetDronJwUFKR0f2fGARwgHuasAt/QKa2"
+    },
+    {
+      "id": "admin",
+      "hash": "$2a$15$deBI0sO4Cvn2gr/QA5pju.94Klh377Np.mcYteBgYlQuyeIwyK4UK"
+    }
+  ]
+}

.users.json

@@ -0,0 +1,8 @@
+{
+  "users": [
+    {
+      "id": "admin",
+      "hash": "$2a$15$deBI0sO4Cvn2gr/QA5pju.94Klh377Np.mcYteBgYlQuyeIwyK4UK"
+    }
+  ]
+}

README.md

@@ -67,6 +67,68 @@ jwt tokens. It has a default value in .env for dev purposes.
 
 In production you should override it with your own secret.
 
-The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile. 
+The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
 It makes sure when you build the api server image a new random key is used.
 
+## Security Model of the API Server
+
+The API Server provides a security model that provides authentication and authorization of incoming clients.
+The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)
+
+### Authentication
+
+Currently the api server support `jwt` token authentication.
+
+#### The login api
+
+The login api is defined in openapi.yml
+
+```yaml
+/server/login
+```
+
+A client logs in to an api server by sending a POST request to the login path. The request body contains login information (i.e. username and password for jwt authentication type)
+
+Please refer to [api.md](api.md) for details of the log api.
+
+Currently the security manager uses local file to store user's info. The default users file name is `.users.json`
+The users file name can be configured using `USERS_FILE_URL` env var. See `.test.users.json` for sample values.
+
+---
+
+**NOTE**
+
+The api server can be configured with a `super user` that has full access to the
+api server's APIs without authorization. The default super user name is `admin` and
+password is `admin`. You can use env var `API_SERVER_ADMIN_USER` to appoint a different
+super user.
+
+## Due to its all powerfulness, it is adviced to configure a `super user` to replace the default one.
+
+### Authorization
+
+The server uses RBAC (Role Based Access Control) authorization. User/role mappings are stored in a local file. By default the file
+name is `.roles.json` and can be configured using `ROLES_FILE_URL` env var. See `.test.roles.json` for sample values.
+
+The permissions are defined in a local file. By default the file name is `.access.json` and can be configured using
+`ACCESS_CONTROL_FILE_URL` env var. See `.test.access.json` for sample values.
+
+### Endpoints Management
+
+The server keeps a list of jolokia endpoints for clients to access. The endpoints are loaded from a local file named
+`.endpoints.json`. Each top leve entry represents a jolokia endpoint. An entry has a unique name and details to access the jolokia api. See `.test.endpoints.json` for sample values.
+
+### Accessing a jolokia endpoint
+
+When an authenticated client sends a request to the api-server, it should present its token in the request header
+
+    'Authorization: Bearer `token`'
+
+It also need to give the `targetEndpoint` in the query part of the request if the request is to access an jolokia endpoint.
+
+For example `/execBrokerOperation?targetEndpoint=broker1`.
+
+### Direct Proxy
+
+Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
+For example the [self-provisioning plugin](https://github.com/artemiscloud/activemq-artemis-self-provisioning-plugin) uses this api to access the jolokia of a broker's jolokia endpoint.