[#16] Implementing security for api-server

.env

@@ -9,9 +9,13 @@ SERVER_KEY=/var/serving-cert/tls.key
 # replace the token in production deployment
 SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91
 
-# to trust jolokia certs
-NODE_TLS_REJECT_UNAUTHORIZED='0'
-
 # logging
 LOG_LEVEL='info'
 ENABLE_REQUEST_LOG='false'
+
+# security
+API_SERVER_SECURITY_ENABLED=false
+USERS_FILE_URL=.users.json
+ROLES_FILE_URL=.roles.json
+ENDPOINTS_FILE_URL=.endpoints.json
+ACCESS_CONTROL_FILE_URL=.access.json

.gitignore

@@ -121,3 +121,13 @@ dist
 .yarn/build-state.yml
 .yarn/install-state.gz
 .pnp.*
+
+# vs code config
+.vscode
+
+# security files
+.users.json
+.roles.json
+.endpoints.json
+.access.json
+

.test.access.json

@@ -0,0 +1,19 @@
+{
+  "endpoints": [
+    {
+      "name": "broker1",
+      "roles": ["role1", "manager"]
+    },
+    {
+      "name": "broker2",
+      "roles": ["role2", "manager"]
+    },
+    {
+      "name": "broker3",
+      "roles": ["manager"]
+    }
+  ],
+  "admin": {
+    "roles": ["manager"]
+  }
+}

.test.endpoints.json

@@ -0,0 +1,57 @@
+{
+  "endpoints": [
+    {
+      "name": "broker1",
+      "url": "http://127.0.0.1:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker2",
+      "url": "http://127.0.0.2:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker3",
+      "url": "http://127.0.0.3:8161",
+      "auth": [
+        {
+          "scheme": "basic",
+          "data": {
+            "username": "guest",
+            "password": "guest"
+          }
+        }
+      ]
+    },
+    {
+      "name": "broker4",
+      "url": "https://artemis-broker-jolokia-0-svc-ing-default.artemiscloud.io:443",
+      "jolokiaPrefix": "/jolokia/",
+      "auth": [
+        {
+          "scheme": "cert",
+          "data": {
+            "certpath": "test-api-server.crt",
+            "keypath": "test-api-server.key"
+          }
+        }
+      ]
+    }
+  ]
+}

.test.env

@@ -0,0 +1,24 @@
+
+PLUGIN_VERSION=1.0.0
+PLUGIN_NAME='ActiveMQ Artemis Jolokia api-server'
+
+# dev cert
+SERVER_CERT=/var/serving-cert/tls.crt
+SERVER_KEY=/var/serving-cert/tls.key
+
+# replace the token in production deployment
+SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91
+
+# to trust jolokia certs
+NODE_TLS_REJECT_UNAUTHORIZED='0'
+
+# logging
+LOG_LEVEL='debug'
+ENABLE_REQUEST_LOG='false'
+
+# security
+API_SERVER_SECURITY_ENABLED=true
+USERS_FILE_URL=.test.users.json
+ROLES_FILE_URL=.test.roles.json
+ENDPOINTS_FILE_URL=.test.endpoints.json
+ACCESS_CONTROL_FILE_URL=.test.access.json

.test.roles.json

@@ -0,0 +1,16 @@
+{
+  "roles": [
+    {
+      "name": "role1",
+      "uids": ["user1"]
+    },
+    {
+      "name": "role2",
+      "uids": ["user1", "user2"]
+    },
+    {
+      "name": "manager",
+      "uids": ["root"]
+    }
+  ]
+}

.test.users.json

@@ -0,0 +1,18 @@
+{
+  "users": [
+    {
+      "id": "user1",
+      "email": "[email protected]",
+      "hash": "$2a$12$nv9iV5/UNuV4Mdj1Jf8zfuUraqboSRtSQqCmtOc4F7rdwmOb9IzNu"
+    },
+    {
+      "id": "user2",
+      "hash": "$2a$12$VHZ9aJ5A87YeFop4xVW.aOMm95ClU.EviyT9o0i8HYLdG6w6ctMfW"
+    },
+    {
+      "id": "root",
+      "email": "[email protected]",
+      "hash": "$2a$12$VHZ9aJ5A87YeFop4xVW.aOMm95ClU.EviyT9o0i8HYLdG6w6ctMfW"
+    }
+  ]
+}

Dockerfile

@@ -40,17 +40,19 @@ WORKDIR /usr/share/amq-spp
 RUN npm install connect \
 cors \
 express \
-express-openapi-validator \
-swagger-routes-express \
-typescript \
-validator \
-yaml \
 base-64 \
+js-yaml \
 jsonwebtoken \
 dotenv \
+swagger-routes-express \
+express-openapi-validator \
 express-rate-limit \
-node-fetch@2 \
-@peculiar/x509
+express-pino-logger \
+pino \
+bcrypt \
+fs-json-store \
+passport \
+passport-jwt
 
 RUN echo "node /usr/share/amq-spp/dist/app.js" > run.sh
 RUN chmod +x run.sh

README.md

@@ -59,3 +59,56 @@ To undeploy, run
 ```sh
 ./undeploy.sh
 ```
+
+## Security Model of the API Server
+
+The API Server provides a security model that provides authentication and authorization of incoming clients.
+The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)
+
+### Authentication
+
+The authentication provides api to support:
+
+1. Bearer token authentication default
+
+A clients logs in with its credentials and gets a bearer token (jwt token).
+
+The Authentication is configured via `API_SERVER_AUTH_METHOD` (currently bearer).
+
+#### The login api
+
+The login api is defined in openapi.yml
+
+```yaml
+/server/login
+```
+
+A client logs in to an api server by sending a POST request to the login path. The request body contains login information.
+The request body is a json object which must contain a 'authen-type' property.
+
+```yaml
+authen-type: 'basic' (currently supported)
+```
+
+Depending on the `authen-type` other properties may be provided. For `basic` type, the `username` and `password` may be provided.
+
+### Authorization
+
+The server uses RBAC (Role Based Access Control). The user/role mapping can be managed by the server locally or on a
+remote service (for example a ldap server). It maintains a ACL that defines which roles can access an broker jolokia endpoint.
+
+role-name -> list of permission items (endpoint-list permissions, etc)
+
+for example:
+
+role1 -> endpoint-list: endpoint1 (maybe with some constraints? but it can be restricted on the broker's edit/view constraints), endpoint2 ...
+... (more permission types may be added, for example, whether or not allow to configure/modify the endpoint list)
+
+The endpoint list can be configured as such:
+
+endpoint name (e.g. broker0, or endpoint1) -> connection info (e.g. http://localhost:8161, user, password)
+
+### Direct Proxy
+
+Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
+Some clients (like spp) run inside a browser that cannot directly call the broker's jolokia's API due to browser restrictions (cors, or http->https constraints, or cert issues if mTLS, that can be overcomed by api-server who run as a node js process), but they know all the access info of an jolokia broker.