[WIP] Inspector server authentication #12
Conversation
@enoodle the token must not be passed as a parameter. Secrets should be passed either as env variables or files. The single-token authentication implementation as in this PR is nice, but I would set it aside for now, because the most interesting one is to demand to kubernetes the authentication/authorization. E.g. similar to what hawkular-metrics does (but with different rules), here.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// KUBERNETES_MASTER_URL, logger, getVerb() and generateSubjectAccessReview()
// are defined elsewhere in the hawkular-metrics class this method is taken from.
private boolean isAuthorized(String method, String token, String projectId) {
    try {
        // Map the incoming HTTP method to a Kubernetes authorization verb
        String verb = getVerb(method);
        String path = "/oapi/v1/subjectaccessreviews";
        URL url = new URL(KUBERNETES_MASTER_URL + path);
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        // Configure the outgoing request
        connection.setRequestMethod("POST");
        connection.setDoOutput(true);
        // Set headers; the caller's token is forwarded as-is to the API server
        connection.setRequestProperty("Accept", "application/json");
        connection.setRequestProperty("Content-type", "application/json");
        connection.setRequestProperty("Authorization", token);
        // Add the body: a SubjectAccessReview for this project and verb
        try (OutputStream outputStream = connection.getOutputStream()) {
            for (byte b : generateSubjectAccessReview(projectId, verb).getBytes()) {
                outputStream.write(b);
            }
        }
        // Perform the operation
        connection.connect();
        int responseCode = connection.getResponseCode();
        if (responseCode == 201) {
            // The API server answers with the review object; "allowed" carries the decision
            ObjectMapper objectMapper = new ObjectMapper();
            JsonNode jsonNode = objectMapper.readTree(connection.getInputStream());
            if (jsonNode.get("allowed").asText().equals("true")) {
                return true;
            }
        } else {
            return false;
        }
    } catch (IOException e) {
        logger.error("Error trying to authenticate against the OpenShift server", e);
    }
    // Fail closed on any unexpected response
    return false;
}
```

And remember that here we have the advantage of being a Go application, which means that you can use the "official" kubernetes client library (no need for low-level http rest-api requests). cc @pweil- Note: We'll have to check how to pass headers through the kubernetes api-server proxy.
@simon3z I am not 100% sure that this is the correct use of that API. It is more a check of whether a user is authorized to access a certain resource in the system than authentication of the user. Here hawkular is changing the token to also authenticate, but I am not sure that this whole thing is working as you intend. Might be that I am wrong.
Please move this to https://github.com/openshift/image-inspector/
Currently I implemented only one type of authentication, with a token through Kubernetes. If we want, this can be changed to something more configurable, with other, more sophisticated authentication methods. I added a new argument to the image inspector, `--server-auth-type`; the current possible values are `None` (default) and `KubernetesToken`, based on #11 for convenience.