finleap-connect
diff --git a/‎api/gateway/messages.proto‎
Lines changed: 147 additions & 0 deletions b/‎api/gateway/messages.proto‎
Lines changed: 147 additions & 0 deletions
diff --git a/‎api/gateway/service.proto‎
Lines changed: 19 additions & 37 deletions b/‎api/gateway/service.proto‎
Lines changed: 19 additions & 37 deletions
diff --git a/‎build/package/helm/gateway/README.md‎
Lines changed: 2 additions & 4 deletions b/‎build/package/helm/gateway/README.md‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎build/package/helm/gateway/templates/deployment.yaml‎
Lines changed: 0 additions & 2 deletions b/‎build/package/helm/gateway/templates/deployment.yaml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎build/package/helm/gateway/values.yaml‎
Lines changed: 1 addition & 5 deletions b/‎build/package/helm/gateway/values.yaml‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎build/package/helm/monoskope/README.md‎
Lines changed: 1 addition & 3 deletions b/‎build/package/helm/monoskope/README.md‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml‎
Lines changed: 16 additions & 0 deletions b/‎build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎build/package/helm/monoskope/templates/gateway/cert-auth.yaml‎
Lines changed: 1 addition & 2 deletions b/‎build/package/helm/monoskope/templates/gateway/cert-auth.yaml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎build/package/helm/monoskope/values.yaml‎
Lines changed: 0 additions & 2 deletions b/‎build/package/helm/monoskope/values.yaml‎
Lines changed: 0 additions & 2 deletions
@@ -0,0 +1,147 @@
+// Copyright 2021 Monoskope Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+// This file follows google's gRPC naming conventions:
+// https://cloud.google.com/apis/design/naming_convention
+
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/duration.proto";
+import "validate/validate.proto";
+
+option go_package = "github.com/finleap-connect/monoskope/pkg/api/gateway";
+
+package gateway;
+
+message UpstreamAuthenticationRequest {
+  // callback_url is the URL where the authorization code
+  // will be redirected to by the upstream IDP
+  string callback_url = 1 [ (validate.rules).string.uri = true ];
+}
+
+message UpstreamAuthenticationResponse {
+  // upstream_idp_redirect is the URL of the IDP to authenticate against
+  string upstream_idp_redirect = 1 [ (validate.rules).string.uri = true ];
+  // state is the encoded, server-side nonced state containing the callback.
+  // This has to be presented to the server along with the actual m8
+  // AuthenticationRequest.
+  string state = 2;
+}
+
+message AuthenticationRequest {
+  // code is the auth code received by the IDP
+  string code = 1;
+  // state is the encoded, nonced AuthState
+  string state = 2;
+}
+
+message AuthenticationResponse {
+  // access_token is a JWT to authenticate against the m8 API
+  string access_token = 1;
+  // expiry is the timestamp when the token expires
+  google.protobuf.Timestamp expiry = 2;
+  // username is the username known the m8 control plane
+  string username = 3;
+}
+
+message AuthState {
+  // callback_url is the url to send the auth token response too
+  string callback_url = 1 [ (validate.rules).string.uri = true ];
+}
+
+// AuthInformation is the response to an AuthState message.
+// It contains the URL
+message AuthInformation {
+  // auth_code_url is the URL of the IDP to authenticate against
+  string auth_code_url = 1 [ (validate.rules).string.uri = true ];
+  // state is the encoded, nonced AuthState
+  string state = 2;
+}
+
+// AuthCode is the request to exchange the auth code received from
+// an upstream identity provider against a token issued by m8 for
+// authentication.
+message AuthCode {
+  // code is the auth code received by the IDP
+  string code = 1;
+  // state is the encoded, nonced AuthState
+  string state = 2;
+  // callback_url is the url to send the auth token response too
+  string callback_url = 3 [ (validate.rules).string.uri = true ];
+}
+
+// AuthResponse is the response to an AuthCode message.
+// It contains a JWT to authenticate against the m8 API.
+message AuthResponse {
+  // access_token is a JWT to authenticate against the m8 API
+  string access_token = 1;
+  // expiry is the timestamp when the token expires
+  google.protobuf.Timestamp expiry = 2;
+  // username is the username known the m8 control plane
+  string username = 3;
+}
+
+// ClusterAuthTokenRequest is send in order to retrieve an auth token valid to
+// authenticate against a certain cluster with a specific role.
+message ClusterAuthTokenRequest {
+  // Unique identifier of the cluster (UUID 128-bit number)
+  string cluster_id = 1 [ (validate.rules).string.uuid = true ];
+  // Kubernetes role name
+  string role = 2
+      [ (validate.rules).string = {pattern : "^[a-z0-9-]+$", max_bytes : 60} ];
+}
+
+// ClusterAuthTokenResponse contains an auth token valid to
+// authenticate against a certain cluster with a specific role.
+message ClusterAuthTokenResponse {
+  // JWT to authenticate against a K8s cluster
+  string access_token = 1;
+  // Timestamp when the token expires
+  google.protobuf.Timestamp expiry = 2;
+}
+
+// APITokenRequest is send in order to retrieve an API token valid to
+// authenticate against Monoskope and authorize specific scopes.
+message APITokenRequest {
+  // Scope the resulting token is issued for
+  repeated AuthorizationScope authorization_scopes = 1;
+
+  // Duration for which the issued token will be valid
+  google.protobuf.Duration validity = 2;
+
+  oneof user {
+    // Unique identifier of an existing user (UUID 128-bit number)
+    string user_id = 3 [ (validate.rules).string.uuid = true ];
+    // Name of the user the token is valid for (not necessarily a real user)
+    string username = 4;
+  }
+}
+
+// APITokenResponse is the answer to an APITokenRequest
+// containing a JWT to authenticate against the m8 API.
+message APITokenResponse {
+  // JWT to authenticate against the m8 API
+  string access_token = 1;
+  // Timestamp when the token expires
+  google.protobuf.Timestamp expiry = 2;
+}
+
+// AuthorizationScope is an enum defining the available API scopes.
+enum AuthorizationScope {
+  NONE = 0;              // Dummy to prevent accidents
+  API = 1;               // Read-write for the complete API
+  WRITE_SCIM = 2;        // Read-write for endpoints under "/scim"
+  WRITE_K8SOPERATOR = 3; // Read-write for K8sOperator endpoints
+}
@@ -17,55 +17,37 @@ syntax = "proto3";
 // This file follows google's gRPC naming conventions:
 // https://cloud.google.com/apis/design/naming_convention
 
-import "google/protobuf/timestamp.proto";
-import "validate/validate.proto";
+import "api/gateway/messages.proto";
 
 option go_package = "github.com/finleap-connect/monoskope/pkg/api/gateway";
 
 package gateway;
 
 // API of the Monoskope Gateway.
 service Gateway {
-  rpc GetAuthInformation(AuthState) returns (AuthInformation);
-  rpc ExchangeAuthCode(AuthCode) returns (AuthResponse);
+  rpc GetAuthInformation(AuthState) returns (AuthInformation) {
+    option deprecated = true;
+  };
+  rpc ExchangeAuthCode(AuthCode) returns (AuthResponse) {
+    option deprecated = true;
+  };
+
+  // PrepareAuthentication returns the URL to call to authenticate against the
+  // upstream IDP
+  rpc RequestUpstreamAuthentication(UpstreamAuthenticationRequest)
+      returns (UpstreamAuthenticationResponse);
+  // RequestAuthentication is called to exchange the authorization code with the
+  // upstream IDP and to authenticate with the m8 control plane
+  rpc RequestAuthentication(AuthenticationRequest)
+      returns (AuthenticationResponse);
 }
 
 // ClusterAuth is the API to request token for cluster authentication from
 service ClusterAuth {
   rpc GetAuthToken(ClusterAuthTokenRequest) returns (ClusterAuthTokenResponse);
 }
 
-message AuthState { string callback_url = 1; }
-
-message AuthInformation {
-  string auth_code_url = 1;
-  string state = 2;
-}
-
-message AuthCode {
-  string code = 1;
-  string state = 2;
-  string callback_url = 3;
-}
-
-message AuthResponse {
-  string access_token = 1;
-  google.protobuf.Timestamp expiry = 2;
-  string username = 3;
-}
-
-// ClusterAuthTokenRequest is send in order to retrieve an auth token valid to
-// authenticate against a certain cluster with a specific role
-message ClusterAuthTokenRequest {
-  // Unique identifier of the cluster (UUID 128-bit number)
-  string cluster_id = 1 [(validate.rules).string.uuid = true];
-  // Kubernetes role name
-  string role = 2 [(validate.rules).string = {pattern: "^[a-z]+$", max_bytes: 60}];
-}
-
-// ClusterAuthTokenResponse contains an auth token valid to
-// authenticate against a certain cluster with a specific role
-message ClusterAuthTokenResponse {
-  string access_token = 1;
-  google.protobuf.Timestamp expiry = 2;
+// APIToken is the API to request API tokens with
+service APIToken {
+  rpc RequestAPIToken(APITokenRequest) returns (APITokenResponse);
 }
@@ -9,7 +9,6 @@ Monoskope Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| auth.identityProviderName | string | `""` | The identifier of the issuer, e.g. DEX or whatever identifies your identities upstream |
 | auth.identityProviderURL | string | `""` | The URL of the issuer to use for OIDC |
 | auth.redirectUris | list | `["http://localhost:8000","http://localhost:18000"]` | The allowed redirect URIs for authentication flow |
 | auth.scopes | list | `["openid","profile","email"]` | Additional scopes to request from upstream IDP |
@@ -25,11 +24,10 @@ Monoskope Gateway
 | image.repository | string | `"ghcr.io/finleap-connect/monoskope/gateway"` |  |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
-| k8sTokenValidity | string | `"10s"` | Duration for which issued K8s auth tokens are valid |
+| k8sTokenValidity | string | `"360s"` | Duration for which issued K8s auth tokens are valid |
 | keepAlive | bool | `false` |  |
-| keySecret | object | `{"name":"","validity":"24h"}` | The secret containing private key for signing JWTs. Must contain tls.key containing the private key for signing and tls.crt containing public key for verification. |
+| keySecret | object | `{"name":""}` | The secret containing private key for signing JWTs. Must contain tls.key containing the private key for signing and tls.crt containing public key for verification. |
 | keySecret.name | string | `""` | Name of the secret to be used by the gateway, required |
-| keySecret.validity | string | `"24h"` | How long to cache public key's |
 | labels | object | `{}` |  |
 | livenessProbe.enabled | bool | `true` |  |
 | livenessProbe.failureThreshold | int | `10` |  |
 
@@ -96,11 +96,9 @@ spec:
             - --http-api-addr=:8081
             - --metrics-addr=:9102
             - {{ (printf "--query-handler-api-addr=%s-%s:%v" (.Values.queryHandler.prefix | default .Release.Name ) .Values.queryHandler.host .Values.queryHandler.port ) }}
-            - --identity-provider-name={{ required "A valid .Values.auth.identityProviderName entry is required!" .Values.auth.identityProviderName }}
             - --identity-provider-url={{ required "A valid .Values.auth.identityProviderURL entry is required!" .Values.auth.identityProviderURL }}
             - --scopes={{ join "," .Values.auth.scopes }}
             - --redirect-uris={{ join "," .Values.auth.redirectUris }}
-            - --key-cache-duration={{ .Values.keySecret.validity }}
             - --k8s-token-validity={{ .Values.k8sTokenValidity }}
             - --auth-token-validity={{ .Values.authTokenValidity }}
             - --gateway-url={{ required "A valid .Values.auth.selfURL entry is required!" .Values.auth.selfURL }}
 
@@ -87,8 +87,6 @@ keepAlive: false
 auth:
   # -- The URL of the issuer to Gateway itself
   selfURL: ""
-  # -- The identifier of the issuer, e.g. DEX or whatever identifies your identities upstream
-  identityProviderName: ""
   # -- The URL of the issuer to use for OIDC
   identityProviderURL: ""
   # -- Additional scopes to request from upstream IDP
@@ -112,11 +110,9 @@ oidcSecret:
 keySecret:
   # -- Name of the secret to be used by the gateway, required
   name: ""
-  # -- How long to cache public key's
-  validity: 24h
 
 # -- Duration for which issued K8s auth tokens are valid
-k8sTokenValidity: 10s
+k8sTokenValidity: 360s
 
 # -- Duration for which issued Monoskope auth tokens are valid
 authTokenValidity: 12h
@@ -13,7 +13,7 @@ Monoskope implements the management and operation of tenants, users and their ro
 | file://../eventstore | eventstore | 0.0.1-local |
 | file://../gateway | gateway | 0.0.1-local |
 | file://../queryhandler | queryhandler | 0.0.1-local |
-| https://charts.bitnami.com/bitnami | rabbitmq | 8.17.0 |
+| https://charts.bitnami.com/bitnami | rabbitmq | 8.24.3 |
 | https://charts.cockroachdb.com/ | cockroachdb | 6.1.2 |
 | https://getambassador.io | ambassador | 6.7.11 |
 
@@ -81,7 +81,6 @@ Monoskope implements the management and operation of tenants, users and their ro
 | eventstore.storeDatabase.configSecret | string | `"m8-db-client-config"` |  |
 | eventstore.storeDatabase.tlsSecret | string | `"m8-db-client-auth-cert"` |  |
 | fullnameOverride | string | `""` |  |
-| gateway.auth.identityProviderName | string | `""` | The identifier of the issuer, e.g. DEX or whatever identifies your identities upstream |
 | gateway.auth.identityProviderURL | string | `""` | The URL of the issuer to use for OIDC |
 | gateway.auth.selfURL | string | `""` | The URL of the issuer to Gateway itself |
 | gateway.enabled | bool | `true` |  |
@@ -123,7 +122,6 @@ Monoskope implements the management and operation of tenants, users and their ro
 | rabbitmq.extraConfiguration | string | `"load_definitions = /app/rabbitmq-definitions.json\nauth_mechanisms.1 = EXTERNAL\nssl_cert_login_from = common_name\nssl_options.depth = 2"` |  |
 | rabbitmq.extraPlugins | string | `"rabbitmq_auth_mechanism_ssl"` |  |
 | rabbitmq.image.pullPolicy | string | `"Always"` |  |
-| rabbitmq.image.tag | string | `"3.8.9"` |  |
 | rabbitmq.loadDefinition.enabled | bool | `true` |  |
 | rabbitmq.loadDefinition.existingSecret | string | `"m8-rabbitmq-load-definition"` |  |
 | rabbitmq.metrics.enabled | bool | `false` |  |
 
@@ -78,5 +78,21 @@ spec:
   rewrite: /keys
   service: {{.Release.Name}}-gateway:{{.Values.gateway.service.httpApiPort}}
 ---
+apiVersion: getambassador.io/v1
+kind: Mapping
+metadata:
+  name: {{ include "monoskope.fullname" . }}-gateway-apitoken-mapping
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "monoskope.labels" . | nindent 4 }}
+    {{- with (.Values.labels | default .Values.global.labels) }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  grpc: true
+  timeout_ms: 20000
+  prefix: /gateway.APIToken/
+  rewrite: /gateway.APIToken/
+  service: {{.Release.Name}}-gateway:{{.Values.gateway.service.grpcApiPort}}
 {{- end }}
 {{- end }}
@@ -10,8 +10,7 @@ metadata:
     {{- end }}
 spec:
   secretName: {{ .Values.pki.authentication.keySecretName }}
-  duration: {{ .Values.pki.certificates.duration }}
-  renewBefore: {{ .Values.pki.certificates.renewBefore }}
+  duration: 876000h # 100y cause this is to be rotated manually
   privateKey:
     rotationPolicy: Always
   issuerRef:
 
@@ -49,8 +49,6 @@ gateway:
   auth:
     # -- The URL of the issuer to Gateway itself
     selfURL: ""
-    # -- The identifier of the issuer, e.g. DEX or whatever identifies your identities upstream
-    identityProviderName: ""
     # -- The URL of the issuer to use for OIDC
     identityProviderURL: ""
   # -- The secret containing private key for signing JWTs.