Add tool enabling static users generation for Dex (#1235)

* Add static-users-generator tool
* Make dex acceptance test use user credentials from env variables instead of hardcoded values
* Remove default user credentials from ui-api-layer-acceptance-tests
* Add static-users-generator tool to CODEOWNERS
* Fix base64 padding related problems in reading JWT token payload in dex acceptance test
* Add kubadz and sjanota to service mesh & security related components in CODEOWNERS

Author: kubadz

CODEOWNERS

@@ -38,10 +38,10 @@
 /resources/core/charts/azure-broker/ @Tomasz-Smelcerz-SAP @strekm @jakkab @crabtree
 
 # The `cluster-users` subchart
-/resources/core/charts/cluster-users/ @piotrmsc
+/resources/core/charts/cluster-users/ @piotrmsc @kubadz @sjanota
 
 # The `configurations-generator` subchart
-/resources/core/charts/configurations-generator @piotrmsc @kubadz
+/resources/core/charts/configurations-generator @piotrmsc @kubadz @sjanota
 
 # The `connector-service` subchart
 /resources/application-connector/charts/connector-service/ @lszymik @akgalwas @janmedrek @Szymongib @franpog859 @Maladie @crabtree
@@ -59,7 +59,7 @@
 /resources/core/charts/console/ @pekura @maxmarkus @jesusreal @kwiatekus @dariadomagala @hardl @y-kkamil @antiheld
 
 # The `dex` subchart
-/resources/core/charts/dex/ @piotrmsc @kubadz
+/resources/core/charts/dex/ @piotrmsc @kubadz @sjanota
 
 # The `istio-rbac` subchart
 /resources/core/charts/istio-rbac/ @piotrmsc @kubadz @sjanota
@@ -147,7 +147,7 @@
 /components/apiserver-proxy/ @piotrmsc @kubadz @sjanota
 
 # Api controller Component
-/components/api-controller/ @piotrmsc @kubadz
+/components/api-controller/ @piotrmsc @kubadz @sjanota
 
 # Binding usage controller Component
 /components/binding-usage-controller/ @aszecowka @PK85 @mszostok @piotrmiskiewicz @polskikiel @jasiu001
@@ -162,7 +162,7 @@
 /components/environments/ @Tomasz-Smelcerz-SAP @strekm @jakkab @crabtree
 
 # Istio Extensions Component
-/components/istio-webhook/ @piotrmsc
+/components/istio-webhook/ @piotrmsc @sjanota @kubadz
 
 # Istio Extensions Component
 /components/istio-kyma-patch/ @piotrmsc @sjanota @kubadz
@@ -200,7 +200,7 @@
 # Tests
 # acceptance tests
 /tests/acceptance/ @mszostok @polskikiel @piotrmiskiewicz @aszecowka @PK85 @jasiu001
-/tests/acceptance/dex @pssap @piotrmsc
+/tests/acceptance/dex @sjanota @piotrmsc @kubadz
 
 # test-environments
 /tests/test-environemnts/ @Tomasz-Smelcerz-SAP @strekm @jakkab @crabtree
@@ -212,7 +212,7 @@
 /tests/logging/ @rakesh-garimella @joek @sayanh @venturasr @lilitgh
 
 # api-controller acceptance tests
-/tests/api-controller-acceptance-tests/ @piotrmsc
+/tests/api-controller-acceptance-tests/ @piotrmsc @kubadz @sjanota
 
 # UI API Layer acceptance tests
 /tests/ui-api-layer-acceptance-tests/ @akucharska @michal-hudy @pkosiec @mjasinski5 @aerfio @magicmatatjahu @aszecowka @PK85 @mszostok @piotrmiskiewicz @polskikiel @jasiu001
@@ -245,6 +245,9 @@
 # The changelog-generator directory
 /tools/changelog-generator/ @akucharska @michal-hudy @pkosiec @mjasinski5 @aerfio @magicmatatjahu
 
+# The static-users-generator directory
+/tools/static-users-generator/ @piotrmsc @sjanota @kubadz 
+
 # kubeless-test-client tests
 /tests/kubeless-test-client/ @rakesh-garimella @joek @sayanh @venturasr @lilitgh
 

orchestrator.Jenkinsfile

@@ -52,6 +52,7 @@ projects = [
     "tools/stability-checker": "stability-checker",
     "tools/etcd-backup": "etcd-backup",
     "tools/etcd-tls-setup": "etcd-tls-setup",
+    "tools/static-users-generator": "static-users-generator",
     "tests/test-logging-monitoring": "test-logging-monitoring",
     "tests/logging": "test-logging",
     "tests/acceptance": "acceptance-tests",

release.Jenkinsfile

@@ -55,6 +55,7 @@ projects = [
     "tools/stability-checker",
     "tools/etcd-backup",
     "tools/etcd-tls-setup",
+    "tools/static-users-generator",
     "tests/test-logging-monitoring",
     "tests/logging",
     "tests/acceptance",

tests/acceptance/dex/dex_test.go

@@ -24,8 +24,8 @@ const (
 	domainEnvName                         = "KYMA_DOMAIN"
 	isLocalEnvEnvName                     = "IS_LOCAL_ENV"
 	clientId                              = "kyma-client"
-	username                              = "[email protected]"
-	password                              = "nimda123"
+	usernameEnvName                       = "DEX_USER_EMAIL"
+	passwordEnvName                       = "DEX_USER_PASSWORD"
 )
 
 func TestSpec(t *testing.T) {
@@ -66,6 +66,16 @@ func TestSpec(t *testing.T) {
 		t.Fatal(domainEnvName + " env variable not set")
 	}
 
+	username, envFound := os.LookupEnv(usernameEnvName)
+	if !envFound {
+		t.Fatal(usernameEnvName + " env variable not set")
+	}
+
+	password, envFound := os.LookupEnv(passwordEnvName)
+	if !envFound {
+		t.Fatal(passwordEnvName + " env variable not set")
+	}
+
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
@@ -117,7 +127,10 @@ func TestSpec(t *testing.T) {
 
 		tokenParts := strings.Split(idToken, ".")
 
-		tokenPayloadEncoded := tokenParts[1] + "="
+		tokenPayloadEncoded := tokenParts[1]
+
+		missingTokenBytes := (3 - len(tokenPayloadEncoded)%3) % 3
+		tokenPayloadEncoded += strings.Repeat("=", missingTokenBytes)
 
 		tokenPayloadDecoded, err := base64.StdEncoding.DecodeString(tokenPayloadEncoded)
 		if err != nil {

tests/ui-api-layer-acceptance-tests/graphql/config.go

@@ -11,9 +11,9 @@ import (
 type envConfig struct {
 	Domain          string `envconfig:"default=kyma.local"`
 	GraphQLEndpoint string `envconfig:"optional,GRAPHQL_ENDPOINT"`
-	Username        string `envconfig:"[email protected]"`
-	Password        string `envconfig:"default=nimda123"`
-	IsLocalCluster  bool   `envconfig:"default=true"`
+	Username        string
+	Password        string
+	IsLocalCluster  bool `envconfig:"default=true"`
 }
 
 type config struct {

tools/static-users-generator/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:3.8
+
+ENV KUBE_VERSION="v1.11.3"
+
+RUN apk add --no-cache jq apache2-utils bash
+RUN wget -q https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl \
+	&& chmod +x /usr/local/bin/kubectl
+
+COPY ./scripts/config_replace.sh /
+
+LABEL [email protected]:kyma-project/kyma.git
+
+ENTRYPOINT ["/bin/bash", "/config_replace.sh"]

tools/static-users-generator/Jenkinsfile

@@ -0,0 +1,62 @@
+#!/usr/bin/env groovy
+def label = "kyma-${UUID.randomUUID().toString()}"
+def application = 'static-users-generator'
+def dockerPushRoot = "${env.DOCKER_REGISTRY}${params.PUSH_DIR}"
+def dockerImageTag = params.APP_VERSION
+
+echo """
+********************************
+Job started with the following parameters:
+DOCKER_REGISTRY=${env.DOCKER_REGISTRY}
+PUSH_DIR=${params.PUSH_DIR}
+DOCKER_CREDENTIALS=${env.DOCKER_CREDENTIALS}
+GIT_REVISION=${params.GIT_REVISION}
+GIT_BRANCH=${params.GIT_BRANCH}
+APP_VERSION=${params.APP_VERSION}
+APP_FOLDER=${env.APP_FOLDER}
+FULL_BUILD=${params.FULL_BUILD}
+********************************
+"""
+
+podTemplate(label: label) {
+    node(label) {
+        try {
+            timestamps {
+                timeout(time:20, unit:"MINUTES") {
+                    ansiColor('xterm') {
+                        stage("setup") {
+                            checkout scm
+
+                            if(dockerImageTag == ""){
+                               error("No version for docker tag defined, please set APP_VERSION parameter for master branch or GIT_BRANCH parameter for any branch")
+                            }
+
+                            withCredentials([usernamePassword(credentialsId: env.DOCKER_CREDENTIALS, passwordVariable: 'pwd', usernameVariable: 'uname')]) {
+                                sh "docker login -u $uname -p '$pwd' $env.DOCKER_REGISTRY"
+                            }
+                        }
+
+                        stage("build image $application") {
+                            dir(env.APP_FOLDER){
+                                sh "docker build -t ${dockerPushRoot}${application}:latest . --label version=${dockerImageTag} --label component=${application}"
+                            }
+                        }
+
+                        stage("push image $application") {
+                            sh "docker tag ${dockerPushRoot}${application}:latest ${dockerPushRoot}${application}:${dockerImageTag}"
+                            sh "docker push ${dockerPushRoot}${application}:${dockerImageTag}"
+                            if (params.GIT_BRANCH == 'master') {
+                                sh "docker push ${dockerPushRoot}${application}:latest"
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (ex) {
+            echo "Got exception: ${ex}"
+            currentBuild.result = "FAILURE"
+            def body = "${currentBuild.currentResult} ${env.JOB_NAME}${env.BUILD_DISPLAY_NAME}: on branch: ${params.GIT_BRANCH}. See details: ${env.BUILD_URL}"
+            emailext body: body, recipientProviders: [[$class: 'DevelopersRecipientProvider'], [$class: 'CulpritsRecipientProvider'], [$class: 'RequesterRecipientProvider']], subject: "${currentBuild.currentResult}: Job '${env.JOB_NAME} [${env.BUILD_NUMBER}]'"
+        }
+    }
+}

tools/static-users-generator/README.md

@@ -0,0 +1,17 @@
+# Static users generator
+
+## Overview
+
+The tool used to configure static users in Dex. Reads users from secrets labelled `"dex-user-config": "true"` and appends them into the Dex config-map.
+
+## Installation
+
+The tool is a Dex init-container used by default in a Kyma installation.
+
+## Development
+
+To build the image of static-users-generator execute:
+
+```bash
+docker build -t static-users-generator:latest .
+```

tools/static-users-generator/scripts/config_replace.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -e #terminate script immediately in case of errors
+
+TEMPDIR=$(mktemp -d)
+
+cp "/config/src/config.yaml" ${TEMPDIR}
+
+TEMP_FILE_PATH="${TEMPDIR}/config.yaml"
+DEST_FILE_PATH="/config/dst/config.yaml"
+PLACEHOLDER="#__STATIC_PASSWORDS__"
+
+NEWLINE="%"
+
+NUM=0
+for secret in $(kubectl get secrets -l dex-user-config=true --all-namespaces -o json | jq -r -c '.items | .[] | .data')
+do
+
+  EMAIL=$(echo -n ${secret} | jq -r '.email')
+  if [ "${EMAIL}" == "null" ]
+  then
+    continue
+  fi
+
+  EMAIL=$(echo -n ${EMAIL} | base64 -d)
+  
+  USERNAME=$(echo -n ${secret} | jq -r '.username')
+  if [ "${USERNAME}" == "null" ]
+  then
+    continue
+  fi
+
+  USERNAME=$(echo -n ${USERNAME} | base64 -d)
+
+  PASSWORD=$(echo -n ${secret} | jq -r '.password')
+
+  if [ "${PASSWORD}" == "null" ]
+  then
+    continue
+  fi
+
+  PASSWORD=$(echo -n ${PASSWORD} | base64 -d)
+
+  HASH=$(htpasswd -bnBC 12 "" ${PASSWORD} | tr -d ':\n')
+
+  echo "successfully created user: ${USERNAME}"
+
+  NUM=$(( NUM + 1 ))
+
+  # generate userID
+  USER_ID=$(cat /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
+  
+  # prepare config map to enable static users
+  if [ $NUM -eq 1 ]
+  then
+    sed -i "s;${PLACEHOLDER};staticPasswords:${NEWLINE}${PLACEHOLDER};g" "${TEMP_FILE_PATH}"
+  fi
+
+  VALUE="- email: ${EMAIL}${NEWLINE}  hash: ${HASH}${NEWLINE}  username: ${USERNAME}${NEWLINE}  userID: ${USER_ID}${NEWLINE}${PLACEHOLDER}"
+  sed -i "s;${PLACEHOLDER};${VALUE};g" "${TEMP_FILE_PATH}"
+done
+
+# remove placeholder
+sed -i "s;${PLACEHOLDER};"";g" "${TEMP_FILE_PATH}"
+
+# if there were static users created
+if [ $NUM -gt 0 ]
+then
+  # replace newline placeholders with the real newline and save the configuration file in directory which will be mounted to dex container
+  cat ${TEMP_FILE_PATH} | tr "${NEWLINE}" "\n" > ${DEST_FILE_PATH}
+else
+  # copy the configuration file to directory which will be mounted to dex container
+  cp ${TEMP_FILE_PATH} ${DEST_FILE_PATH}
+fi