AWS IAM: lakefs IDP interface

[ItamarYuran]

Closes #8992

To make further IAM auth implementations easier, I moved JWT retrieval logic into lakeFS and put it behind a small interface.

Edit by isan for CHANGELOG:

This PR introduces new configuration for IAM Login support for lakectl, the feature itself is not implemented yet.
Using the new configuration with older version of lakectl will cause it to fail.

• Not using the new configuration has no affect regardless of the version.

[github-actions]

E2E Test Results - DynamoDB Local - Local Block Adapter

[github-actions]

E2E Test Results - Quickstart

[Isan-Rivkin]

The package structure should allow extending it without refactor.
In the current form it's a mix of generic and AWS primitives.

For example:
The type IdentityTokenInfo is AWS specific but it's under the generic package externalidp.
The problem is that when we add azure token info, how would you call it? IdentityTokenInfoAzure? Then you'd refactor this one to IdentityTokenInfoAWS?

We should have a clear separation between external principal login VS AWS specific.

What do I actually suggest is 1 of 2 options, Im fine with either (The first one probably easier):

1. Add AWS to everything that is related to AWS, i.e IdentityTokenInfo -> AWSIdentityTokenInfo
2. Create a sub package to contain all AWS specific code under i.e externalidp/awsidp

[Isan-Rivkin]

There's no point in another function getJWT if it's only used in Login put the code there, otherwise it's bloating the code

[Isan-Rivkin]

*http.Client is (a) confusing name (b) too low level.

I suggest the following refactor:

1. Create a minimal interface (easier to test, less dependencies) with a single function ExternalPrincipalLoginWithResponse.

Note: that's already a part of the generated lakeFS client ClientWithResponsesInterface, but just this func.

type ExternalPrincipalLoginClient interface {
  ExternalPrincipalLoginWithResponse(ctx context.Context, body ExternalPrincipalLoginJSONRequestBody, reqEditors ...RequestEditorFn) (*ExternalPrincipalLoginResponse, error)
}

2. Refactor the existing NewAWSProvider function (help with testing and mock):

NewAWSProviderWithClient(params AWSIAMParams, client ExternalPrincipalLoginClient) *AWSProvider { 
   ...
}

3. Add additional New func: NewAWSProvider that will be used in everest:

func NewAWSProvider(params AWSIAMParams, lakeFSHost string) (*AWSProvider, error) {
	client, err := apigen.NewClientWithResponses(
		serverEndpoint,
		apigen.WithHTTPClient(httpClient),
	)
	if err != nil {
		return nil, err
	}
        return NewAWSProviderWithClient(params, client), nil
}

[Isan-Rivkin]

IDP == Identity Provider -> IDPProvider == IdentityProviderProvider 😋

Suggested change

	type IDPProvider interface {
	type Provider interface {

Since the package name contains the name idp and external, in go you don't need to duplicate the name, i.e this is enough:

import (
    ".../externalidp"
)

// usage is clear
externalidp.Provider

[Isan-Rivkin]

Please avoid making this func private, so we can easily go-get and test.
Also it should be part of the AWSProvider struct, e.g struct method.

[Isan-Rivkin]

This section is a good candidate to a separate function, it'll be easier to test it, i.e:

func NewIdentityTokenInfoFromURL(presignedURL string) (*IdentityTokenInfo, string, error)

Note: returning both the encoded string output of the identityTokenInfo and the struct itself - it allows to test it properly, writing a test for encoded string is harder if you want to verify specific fields.

[Isan-Rivkin]

1. Check http issue after regular error with ResponseAsError
2. Return struct AuthenticationToken not just the token, it contains more info and allows extending
3. No need for those nil checks below

import "github.com/treeverse/lakefs/pkg/api/helpers"

/// 
if err != nil {
    ... 
}
err = helpers.ResponseAsError(res)
if err != nil {
	return nil, err
}
return res.JSON200

[Jonathan-Rosenberg]

pkg/authentication/external_idp/aws_client.go

[Jonathan-Rosenberg]

either rename the file, or extract these to a general idp.go file

[Isan-Rivkin]

re-request when ready

[Isan-Rivkin]

say when ok

[Isan-Rivkin]

remove, shouldn't be used

[Isan-Rivkin]

No reason to define an explicit default here, the default of this type is already 0.
The struct instance will contain the default of time.Duration if it's not defined here, and it's 0.

[Isan-Rivkin]

Side note on those defaults
you know that other services re-using this configuration will need to define their own defaults, right?
Viper instantiation is specific to lakectl, not other binaries like everest that has their own viper instance initiating defaults.

I'm OK to keeping these if you'd like now because those are good defaults that we will want when we implement this logic in lakectl, but they will not be reflected in any other binary such as everest.

[Isan-Rivkin]

typo mim?

[Isan-Rivkin]

Part of go and out go styling, encapsulate consts in logical groups, all of the above are query params, and those are just random consts

Suggested change

	DefaultSTSLoginExpire = 15 * time.Minute
	mimLengthSplitCreds = 3
	const (
	DefaultSTSLoginExpire = 15 * time.Minute
	mimLengthSplitCreds = 3
	)

[Isan-Rivkin]

Suggested change

	var ErrInvalidCredentialsFormat = errors.New("missing required parts in credentials")
	var ErrInvalidCredentialsFormat = errors.New("missing required parts in query param X-Amz-Credential")

[Isan-Rivkin]

Suggested change

	return nil, fmt.Errorf("invalid credentials format: %w", ErrInvalidCredentialsFormat)
	return nil, fmt.Errorf("min length for query param not '%d' ('%s'): %w",mimLengthSplitCreds, splitedCreds, ErrInvalidCredentialsFormat)

[Isan-Rivkin]

I'd strongly consider removing this function.
After our ping-pong's it's been reduced to really 1 line of code creds, err := cfg.Credentials.Retrieve(ctx) , not used in lakeFS.
It has no extra logic so the tests are essentially just testing AWS sdk cfg.Credentials.Retrieve function that we don't need to test.

In other words, a whole lot of bloat to the code for a single func call that is not implemented by us anyway.

[Isan-Rivkin]

test func name should match PresignGetCallerIdentityFromAuthParams

[Isan-Rivkin]

function name should be TestPresignGetCallerIdentityFromAuthParams

[Isan-Rivkin]

unused remove

[Isan-Rivkin]

please export to global-const so that it can be re-used by everest and other tools as well as verified in tests.
i.e something like:

const (
   // Header that should contain the lakeFS host and will signed as part of the identity token request by default
    HostServerIDHeader ...
)

[Isan-Rivkin]

use AuthMethod

[Isan-Rivkin]

use AuthMethod

[Isan-Rivkin]

This is not a bug but a potential for one if the presignClient moves somewhere else and will be injected from the outside.
Should make the name constant, it'll make sure only single middleware of this type will be added to the presign client otherwise will error.

[Isan-Rivkin]

Suggested change

	return presign.URL, err
	return presign.URL, nil

[Isan-Rivkin]

remove

[Isan-Rivkin]

instead parse the url and check actual query params and Their values are correact

import "net/url" 

parsedURL, err := url.Parse(presignedURL)
	require.NoError(t, err)
	queryParams := parsedURL.Query()
	// nothing less, nothing more, assert all expected values and check existance for signature

[Isan-Rivkin]

remove this check, empty can only be if err returned and you already check for err.

[Isan-Rivkin]

please use variables for all those and re-use, easier to change and read:
13*time.Minute, 9*time.Minute,

[Isan-Rivkin]

This test actually exposes a bug, no?
we must have 3 parameters: secret key, access key AND session token
This will prolly reflect when u verify the presign url below.

[Isan-Rivkin]

use x-lakefs-server-id as variable exported from aws_client.go

[Isan-Rivkin]

use x-lakefs-server-id as variable exported from aws_client.go

[Isan-Rivkin]

also please verify X-Amz-Security-Token and X-Amz-SignedHeaders

[Isan-Rivkin]

function name should be TestPresignGetCallerIdentityFromAuthParams

[Isan-Rivkin]

Isn't require.Equal(t, "a-nice-header;host;x-custom-test", q.Get("X-Amz-SignedHeaders")) enough?

can be deleted, no?

signedHeaders := q.Get("X-Amz-SignedHeaders")
require.Contains(t, signedHeaders, "a-nice-header")
require.Contains(t, signedHeaders, "x-custom-test")

[Isan-Rivkin]

Very nice, LGTM!
please verify 2 things and merge:

1. remove extra lines testing signed headers
2. security token, is changing? if not check exact.

[Isan-Rivkin]

@ItamarYuran 🕺 🥳