ROX-32452: implement token generation service for the OCP plugin

[rhybrillou]

Description

PR stack:

• ROX-32452: create token generation service for the OCP plugin #18456
  • refactor: create common issuer source for token generation services #18543
    • refactor: use new issuer source for rox token services #18544
      • ROX-32452: implement token generation service for the OCP plugin #18545 👈

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

change me!

[rhacs-bot]

Images are ready for the commit at a432044.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-844-ga432044e39.

[codecov]

Codecov Report

❌ Patch coverage is 89.58333% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.14%. Comparing base (d16f7a5) to head (a432044).

Files with missing lines	Patch %	Lines
central/auth/ocpplugin/service/singleton.go	43.75%	9 Missing ⚠️
central/auth/ocpplugin/service/service_impl.go	85.36%	6 Missing ⚠️

Additional details and impacted files

@@                              Coverage Diff                              @@
##           master-yann/plug-common-tokenbased-source   #18545      +/-   ##
=============================================================================
+ Coverage                                      49.12%   49.14%   +0.02%     
=============================================================================
  Files                                           2649     2652       +3     
  Lines                                         198837   198981     +144     
=============================================================================
+ Hits                                           97669    97795     +126     
- Misses                                         93732    93750      +18     
  Partials                                        7436     7436              

Flag	Coverage Δ
go-unit-tests	49.14% <89.58%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parametalol]

Any particular reason to put this service under central/auth? Other services are under central.

[stehessel]

I would probably avoid mentioning the ocp plugin too explicitly here. Sure that is the end use case, but from Central's point of view, it is serving an internal token service. What Sensor then does with these tokens is out of scope for Central. For example, what if we expand the feature to plain k8s plugins? It would be awkward to have ocp everywhere just because it was the first end consumer of the api.

[stehessel]

Microservice?

[stehessel]

Suggested change

	roleNameFormat = "Generated role for PermissionSet %s and AccessScope %s"
	roleNameFormat = "Generated role for permission set %s and access scope %s"

Or change the formatting in the other strings to be consistent about the case.

[stehessel]

Why is this string not extracted like the others?

[stehessel]

Suggested change

// region helpers

Not helpful imo.

[stehessel]

Shouldn't this one be errox.InvalidArgs as well?

[stehessel]

We should certainly prune the dynamic resources, especially the access scopes and roles. Would the permission sets, access scopes and roles be visible in the UI similar to user created resources?

[rhybrillou]

From @parametalol - comment lines 58 to 73 on central/auth/ocpplugin/service/service_impl.go in the first commit (reference at time of writing: 3755769#diff-892fd289d36f704f4f0565732fe8df62e7726ca57d0f1afe2c367aca1b2cadfcR73 )

• The expiry could be assed via the WithExpiry option
• issuedAt should be taken from the tokenInfo
  I'm not even sure that Roles, IssuedAt and ExpiresAt are needed in the response

[rhybrillou]

The call to s.issuer.Issue now uses the WithExpiry option to set the expiration in the issued token.
The response message is now reduced to its minimal form: a single string containing the issued token.

[rhybrillou]

From @parametalol comment lines 96 and 97 on central/auth/ocpplugin/service/service_impl.go in the first commit (reference at time of writing: 3755769#diff-892fd289d36f704f4f0565732fe8df62e7726ca57d0f1afe2c367aca1b2cadfcR97)
If we need only IDs, maybe we could optimize the getters now and in the future: (change suggestion not ported over).

[rhybrillou]

The API was updated to return the identifier string for access scopes and permission sets (role name for roles).
The functions were renamed to reflect the fact that they are not simple getters on objects, but rather change the underlying database.

[rhybrillou]

From @parametalol comment line 105 on central/auth/ocpplugin/service/service_impl.go in the first commit (reference at time of writing: 3755769#diff-892fd289d36f704f4f0565732fe8df62e7726ca57d0f1afe2c367aca1b2cadfcR105)
Would it make sense to add Traits_DYNAMIC for visibility or other needs?

[rhybrillou]

That is a good idea. Not implemented in the current PR.
It would be a candidate for a follow-up PR, as it might touch multiple locations in the code, most likely

stackrox/pkg/declarativeconfig/context.go

Lines 38 to 47 in 387c138

	// CanModifyResource returns whether context holder is allowed to modify resource.
	func CanModifyResource(ctx context.Context, resource ResourceWithTraits) bool {
	if ctx.Value(originCheckerKey{}) == allowOnlyDeclarativeOperations {
	return IsDeclarativeOrigin(resource)
	}
	if ctx.Value(originCheckerKey{}) == allowModifyDeclarativeOrImperative {
	return IsDeclarativeOrigin(resource) || resource.GetTraits().GetOrigin() == storage.Traits_IMPERATIVE
	}
	return resource.GetTraits().GetOrigin() == storage.Traits_IMPERATIVE
	}

and maybe some others.
It would likely require to add primitives like IsImperativeOrigin and IsDynamicOrigin and use them in traits validation conditions.