Add support for authenticated iframe (with JWT) (#51)

* Add support for authenticated iframe (with JWT)

The image renderer from Grafana is very slow and cpu heavy. iframe is
not an option for most cases because it needs anonymous access to
Grafana. This commit adds JWT support to secure the Grafana access
when using iframe.
When a graph is loaded in Icinga web interface, the signed JWT token is
sent to Grafana in the request, if JWT is validated graph is displayed,
if anything goes wrong with the token validation, Grafana will refuse the
access.

The JWT token uses RSA keys, these keys are generated automatically in
/etc when the user saves the configuration with jwt enabled.

Co-authored-by: Jorge Boncompte <[email protected]>
Co-authored-by: Emerson Pinter <[email protected]>
Co-authored-by: Markus Opolka <[email protected]>

Author: 3 people

application/forms/Config/GeneralConfigForm.php

@@ -331,5 +331,53 @@ public function createElements(array $formData)
                 ]
             );
         }
+
+        if (isset($formData['grafana_accessmode']) && ( $formData['grafana_accessmode'] === 'iframe' )) {
+            $this->addElement(
+                'checkbox',
+                'grafana_jwtEnable',
+                array(
+                    'label' => $this->translate('Enable JWT'),
+                    'value' => false,
+                    'description' => $this->translate('Enable JWT. Grafana host will receive the JWT token to authorize the user.'),
+                    'class' => 'autosubmit',
+                )
+            );
+            if (isset($formData['grafana_jwtEnable'])) {
+                $this->addElement(
+                    'number',
+                    'grafana_jwtExpires',
+                    array(
+                        'label'         => $this->translate('JWT Expiration'),
+                        'placeholder'   => 30,
+                        'description'   => $this->translate('JWT Token expiration in seconds. A very short time is recommended. Default 30 seconds.'),
+                        'required'      => false,
+                        'class' => 'autosubmit',
+                    )
+                );
+                $this->addElement(
+                    'text',
+                    'grafana_jwtIssuer',
+                    array(
+                        'placeholder'   => 'https://localhost',
+                        'label'         => $this->translate('JWT Issuer'),
+                        'description'   => $this->translate('The issuer of the token (e.g. URL of this system). Can be used as a validation when other systems receive the token. Default is empty, no issuer.'),
+                        'required'      => false,
+                        'class' => 'autosubmit',
+                    )
+                );
+                $this->addElement(
+                    'text',
+                    'grafana_jwtUser',
+                    array(
+                        'placeholder'   => 'username',
+                        'label'         => $this->translate('JWT Subject (login)'),
+                        'description'   => $this->translate('The username or email to be used as login. Leave empty to use the Icinga Web username.'),
+                        'required'      => false,
+                        'class' => 'autosubmit',
+                    )
+                );
+            }
+        }
     }
 }

doc/08-config-jwt.md

@@ -0,0 +1,70 @@
+# JWT Configuration
+
+JWT is used to send a signed token to Grafana, so the graphs only load if the JWT token is validated by Grafana. If the token is expired or not valid, Grafana will redirect the iframe to the login page.
+
+### Icinga configuration
+In the Icinga Web configuration:
+
+1. Change "Grafana access" to "iFrame" and "Enable JWT"
+
+2. Choose an expiration, issuer and user.
+    - A short expiration is recommended, because the token is being sent in the URL.
+    - Set an issuer, for a better validation. Must be set the same on both sides. The default is empty, no issuer.
+    - Use an existing Grafana username so the graphs are accessed using that user.
+
+3. When you save the configuration, the RSA keys will be created at /etc/icingaweb2/modules/grafana/ (jwt.key.priv and jwt.key.pub).
+    - For now, other directories are not supported, the filenames are hard coded in the file library/Grafana/Helpers/JwtToken.php.
+    - If any kind of errors happens while creating the keys (e.g. permission denied), you will have to create the keys and copy them to the directory /etc/icingaweb2/modules/grafana/, use the commands below.
+
+4. The private key (jwt.key.priv), should kept safe, Grafana server only needs the public key. If you have multiple Icinga Web servers, copy the keys to the other servers.
+
+```
+openssl genrsa -out /etc/icingaweb2/modules/grafana/jwt.key.priv 2048
+
+openssl rsa -in /etc/icingaweb2/modules/grafana/jwt.key.priv -pubout -outform PEM -out /etc/icingaweb2/modules/grafana/jwt.key.pub
+```
+
+### Grafana
+
+The configuration options for Grafana JWT Auth can be found here: [https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/jwt/](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/jwt/).
+
+Example `grafana.ini`:
+
+```
+[auth.jwt]
+# By default, auth.jwt is disabled.
+enabled = true
+
+# HTTP header to look into to get a JWT token.
+header_name = X-JWT-Assertion
+
+# Specify a claim to use as a username to sign in.
+username_claim = sub
+
+# Specify a claim to use as an email to sign in.
+email_claim = sub
+
+# enable JWT authentication in the URL
+url_login = true
+
+# PEM-encoded key file in PKIX, PKCS #1, PKCS #8 or SEC 1 format.
+key_file = /etc/grafana/icinga.pem
+
+# This can be seen as a required "subset" of a JWT Claims Set.
+# expect_claims = {"iss": "https://icinga.yourdomain"}
+
+# role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+
+# To skip the assignment of roles and permissions upon login via JWT and handle them via other mechanisms like the user interface, we can skip the organization role synchronization with the following configuration.
+skip_org_role_sync = true
+```
+
+1. Read the docs, and configure your grafana.ini
+
+2. Copy the **public key** from Icinga (/etc/icingaweb2/modules/grafana/jwt.key.pub) to the path configured in "key_file".
+
+3. Enable url_login, header_name and username_claim/email_claim these options are required.
+
+4. Enable allow_embedding in the security section.
+
+5. Restart Grafana

library/Grafana/Helpers/JwtToken.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace Icinga\Module\Grafana\Helpers;
+
+use OpenSSLAsymmetricKey;
+use InvalidArgumentException;
+use RuntimeException;
+
+class JwtToken
+{
+    const RSA_KEY_BITS = 2048;
+    const JWT_PRIVATEKEY_FILE = '/etc/icingaweb2/modules/grafana/jwt.key.priv';
+    const JWT_PUBLICKEY_FILE = '/etc/icingaweb2/modules/grafana/jwt.key.pub';
+
+    /**
+     * Create JWT Token
+     */
+    public static function create(string $sub, int $exp = 0, string $iss = null, array $claims = null): string
+    {
+        $privateKeyFile = JwtToken::JWT_PRIVATEKEY_FILE;
+
+        $privateKey = openssl_pkey_get_private(
+            file_get_contents($privateKeyFile),
+        );
+
+        $payload = [
+            'sub' => $sub,
+            'iat' => time(),
+            'nbf' => time(),
+        ];
+
+        if (isset($claims)) {
+            $payload = array_merge($payload, $claims);
+        }
+
+        if (!empty($iss)) {
+            $payload['iss'] = $iss;
+        }
+
+        return JwtToken::encode($payload, $privateKey, 'RS256', $exp);
+    }
+
+    /**
+     * Generate Private and Public RSA Keys
+     */
+    public static function generateRsaKeys()
+    {
+        $ret = file_exists(JwtToken::JWT_PRIVATEKEY_FILE);
+        if ($ret) {
+            return;
+        }
+
+        $config = array(
+            "private_key_bits" => JwtToken::RSA_KEY_BITS,
+            "private_key_type" => OPENSSL_KEYTYPE_RSA,
+        );
+
+        $res = openssl_pkey_new($config);
+        openssl_pkey_export($res, $privKey);
+        $pubKey = openssl_pkey_get_details($res);
+        $pubKey = $pubKey["key"];
+
+        file_put_contents(JwtToken::JWT_PRIVATEKEY_FILE, $privKey);
+        file_put_contents(JwtToken::JWT_PUBLICKEY_FILE, $pubKey);
+    }
+
+    private static function encode(array $payload, OpenSSLAsymmetricKey $privateKey, string $algorithm = 'RS256', int $expiration = 3600): string
+    {
+        //  Verify that the algorithm is compatible with asymmetric keys
+        if ($algorithm !== 'RS256' && $algorithm !== 'RS512') {
+            throw new InvalidArgumentException("Unsupported algorithm for assymmetric keys: $algorithm");
+        }
+
+        // Define the JWT header
+        $header = json_encode([
+            'alg' => $algorithm,
+            'typ' => 'JWT'
+        ]);
+
+        // Add expiration time to the payload
+        if ($expiration > 0) {
+            $payload['exp'] = time() + $expiration;
+        }
+
+        // Encode header and payload to base64 URL
+        $base64Header = JwtToken::base64UrlEncode($header);
+        $base64Payload = JwtToken::base64UrlEncode(json_encode($payload));
+
+        // Create the signature
+        $dataToSign = "$base64Header.$base64Payload";
+        $signature = '';
+        $success = openssl_sign($dataToSign, $signature, $privateKey, OPENSSL_ALGO_SHA256);
+        if (!$success) {
+            throw new RuntimeException("Failed to sign the JWT with the private key.");
+        }
+
+        // Encode signature to base64 URL
+        $base64Signature = JwtToken::base64UrlEncode($signature);
+
+        // Return the complete token
+        return "$base64Header.$base64Payload.$base64Signature";
+    }
+
+    private static function base64UrlEncode(string $data): string
+    {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+}

library/Grafana/ProvidedHook/Icingadb/GeneralConfigFormHook.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Icinga\Module\Grafana\ProvidedHook\Icingadb;
+
+use Icinga\Application\Hook\ConfigFormEventsHook;
+use Icinga\Module\Grafana\Forms\Config\GeneralConfigForm;
+use Icinga\Web\Form;
+use Icinga\Module\Grafana\Helpers\JwtToken;
+
+class GeneralConfigFormHook extends ConfigFormEventsHook
+{
+
+    public function appliesTo(Form $form)
+    {
+        return $form instanceof GeneralConfigForm;
+    }
+
+    public function onSuccess(Form $form)
+    {
+        if ($form->getElement('grafana_jwtEnable')->getValue()) {
+            JwtToken::generateRsaKeys();
+        }
+    }
+}

library/Grafana/ProvidedHook/Icingadb/IcingaDbGrapher.php

@@ -26,6 +26,7 @@
 use ipl\Web\Url;
 use ipl\Web\Widget\Icon;
 use ipl\Web\Widget\Link;
+use Icinga\Module\Grafana\Helpers\JwtToken;
 
 /**
  * IcingaDbGrapher contains methods for retrieving and rendering the data from Grafana
@@ -81,6 +82,10 @@ trait IcingaDbGrapher
     protected $orgId;
     protected $customVars;
     protected $pngUrl;
+    protected $jwtIssuer = "https://localhost";
+    protected $jwtEnable = false;
+    protected $jwtUser;
+    protected $jwtExpires = 30;
 
     protected function init()
     {
@@ -163,6 +168,11 @@ protected function init()
                 $this->auth = "";
             }
         }
+
+        $this->jwtIssuer = $this->config->get('jwtIssuer');
+        $this->jwtEnable = $this->config->get('jwtEnable', $this->jwtEnable);
+        $this->jwtExpires = $this->config->get('jwtExpires', $this->jwtExpires);
+        $this->jwtUser = $this->config->get('jwtUser', $this->permission->getUser()->getUsername());
     }
 
     public function has(Model $object): bool
@@ -300,6 +310,11 @@ private function getMyPreviewHtml($serviceName, $hostName, HtmlDocument $preview
                 urlencode($this->timerangeto)
             );
 
+            if ($this->jwtEnable) {
+                $authToken = JwtToken::create($this->jwtUser, $this->jwtExpires, !empty($this->jwtIssuer) ? $this->jwtIssuer:null, [ 'roles' => [ 'Viewer' ] ]);
+                $iFramesrc .= sprintf("&auth_token=%s", urlencode($authToken));
+            }
+
             $iframeHtml = Html::tag(
                 'iframe',
                 [

run.php

@@ -1,8 +1,10 @@
 <?php
 
 use Icinga\Module\Grafana\ProvidedHook\Icingadb\IcingadbSupport;
+use Icinga\Module\Grafana\ProvidedHook\Icingadb\GeneralConfigFormHook;
 
 $this->provideHook('icingadb/HostActions');
 $this->provideHook('icingadb/IcingadbSupport');
 $this->provideHook('icingadb/HostDetailExtension');
 $this->provideHook('icingadb/ServiceDetailExtension');
+$this->provideHook('ConfigFormEvents', GeneralConfigFormHook::class);