Add Optional Token-Based Authentication with TLS Support#293
Draft
jblang wants to merge 1 commit into
Draft
Conversation
Add optional authentication to sbctl API server with both runtime (--enable-auth flag) and compile-time (-tags auth_required) enforcement. Features: - Bearer token authentication following OAuth 2.0 conventions - Auto-generated self-signed TLS certificates (24-hour validity) - 256-bit cryptographically secure tokens using crypto/rand - Constant-time token comparison to prevent timing attacks - Token and TLS cert automatically embedded in kubeconfig - HTTPS enforced when authentication is enabled - All API endpoints protected when auth is enabled - Backward compatible (auth disabled by default) Implementation: - Added token generation utility (pkg/api/token.go) - Added TLS certificate generation (pkg/api/tls.go) - Added authentication middleware with Bearer token validation - Added build tags for compile-time auth enforcement - Updated kubeconfig generation to include token and TLS cert - Added --enable-auth flag to serve and shell commands Security: - Uses crypto/rand for cryptographically secure token generation - Implements subtle.ConstantTimeCompare to prevent timing attacks - ECDSA P-256 for TLS certificates (modern, efficient) - Localhost-only binding (127.0.0.1) for additional security - Token not displayed in console output (embedded in kubeconfig) Testing: - Added 43 comprehensive tests (28 unit + 11 integration + 4 existing) - 100% test success rate - Tests cover token generation, TLS certs, auth middleware, and end-to-end flows - Verified all security features and edge cases Documentation: - Updated README with authentication usage examples - Added security features documentation - Fixed typo: "interractive" → "interactive" Breaking Changes: None (authentication is opt-in)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds optional token-based authentication to the sbctl API server, providing secure access control for kubectl commands when examining support bundles. Authentication can be enabled at runtime with the
--enable-authflag or enforced at compile-time with theauth_requiredbuild tag.Motivation
Features
Authentication
crypto/rand--enable-authflag onserveandshellcommands-tags auth_requiredbuild flagTLS Support
User Experience
Implementation Details
New Files
pkg/api/token.go- Cryptographically secure token generationpkg/api/tls.go- Self-signed TLS certificate generationpkg/api/auth_required.go- Build tag for compile-time enforcementpkg/api/auth_optional.go- Build tag for optional authentication (default)Modified Files
pkg/api/server.go- Added authentication middleware with Bearer token validationpkg/api/client.go- Updated kubeconfig generation to include token and TLS certcli/serve.go- Added--enable-authflag and token/TLS generationcli/shell.go- Added--enable-authflag and token/TLS generationREADME.md- Added authentication documentation and usage examplestests/suite_test.go- Fixed API signature to match updated functionTesting
Test Coverage
Test Categories
Test Files
pkg/api/token_test.go(82 lines)pkg/api/tls_test.go(218 lines)pkg/api/auth_test.go(283 lines)pkg/api/client_test.go(308 lines)tests/auth_test.go(283 lines)Usage Examples
Runtime Authentication (Serve Mode)
Runtime Authentication (Shell Mode)
Compile-Time Enforcement