ECOPROJECT-4721 | fix: Validate JWT source_id in agent handlers

Signed-off-by: Aviel Segev <asegev@redhat.com>

Author: AvielSegev

internal/api_server/agentserver/server.go

@@ -72,15 +72,9 @@ func (s *AgentServer) Run(ctx context.Context) error {
 		metricMiddleware.Handler,
 		middleware.RequestID,
 		log.ConditionalLogger(s.cfg.Service.LogLevel, zap.L(), "router_agent"),
+		auth.NewAgentAuthenticator(s.cfg.Service.Auth.AgentAuthenticationEnabled, s.store).Authenticator,
 	)
 
-	zap.S().Infow("agent authentication", "enabled", s.cfg.Service.Auth.AgentAuthenticationEnabled)
-	if s.cfg.Service.Auth.AgentAuthenticationEnabled {
-		router.Use(
-			auth.NewAgentAuthenticator(s.store).Authenticator,
-		)
-	}
-
 	router.Use(
 		middleware.Recoverer,
 		oapimiddleware.OapiRequestValidatorWithOptions(swagger, &oapiOpts),

internal/auth/agent_authenticator.go

@@ -76,7 +76,17 @@ type AgentAuthenticator struct {
 	store store.Store
 }
 
-func NewAgentAuthenticator(store store.Store) *AgentAuthenticator {
+func NewAgentAuthenticator(enabled bool, store store.Store) Authenticator {
+	if enabled {
+		zap.S().Named("auth").Info("agent authentication enabled")
+		return newProductionAgentAuthenticator(store)
+	}
+
+	zap.S().Named("auth").Info("agent authentication disabled, using none authenticator")
+	return NewNoneAgentAuthenticator()
+}
+
+func newProductionAgentAuthenticator(store store.Store) *AgentAuthenticator {
 	return &AgentAuthenticator{store: store}
 }
 

internal/auth/agent_authenticator_test.go

@@ -1,9 +1,11 @@
 package auth_test
 
 import (
+	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"net/http"
@@ -60,7 +62,7 @@ var _ = Describe("agent authentication", Ordered, func() {
 
 			token := generateAgentToken("kid", "my_source", "GothamCity", privateKey)
 
-			agentAuthenticator := auth.NewAgentAuthenticator(s)
+			agentAuthenticator := auth.NewAgentAuthenticator(true, s).(*auth.AgentAuthenticator)
 
 			agentJwt, err := agentAuthenticator.Authenticate(token)
 			Expect(err).To(BeNil())
@@ -87,7 +89,7 @@ var _ = Describe("agent authentication", Ordered, func() {
 
 			token := generateAgentToken("missing-key-kid", "my_source", "GothamCity", privateKey)
 
-			agentAuthenticator := auth.NewAgentAuthenticator(s)
+			agentAuthenticator := auth.NewAgentAuthenticator(true, s).(*auth.AgentAuthenticator)
 
 			_, err = agentAuthenticator.Authenticate(token)
 			Expect(err).ToNot(BeNil())
@@ -112,7 +114,7 @@ var _ = Describe("agent authentication", Ordered, func() {
 
 			token := generateAgentToken("kid", "my_source", "GothamCity", signingKey)
 
-			agentAuthenticator := auth.NewAgentAuthenticator(s)
+			agentAuthenticator := auth.NewAgentAuthenticator(true, s).(*auth.AgentAuthenticator)
 
 			_, err = agentAuthenticator.Authenticate(token)
 			Expect(err).ToNot(BeNil())
@@ -140,7 +142,7 @@ var _ = Describe("agent authentication", Ordered, func() {
 
 			token := generateAgentToken("1234_kid", "my_source", "org_id", privateKey)
 
-			agentAuthenticator := auth.NewAgentAuthenticator(s)
+			agentAuthenticator := auth.NewAgentAuthenticator(true, s)
 			h := &handler{}
 			ts := httptest.NewServer(agentAuthenticator.Authenticator(h))
 			defer ts.Close()
@@ -159,6 +161,36 @@ var _ = Describe("agent authentication", Ordered, func() {
 		})
 	})
 
+	Context("none authenticator middleware", func() {
+		It("successfully extracts sourceId from request body", func() {
+			innerHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				// Verify AgentJWT is in context
+				agentJWT := auth.MustHaveAgent(r.Context())
+				Expect(agentJWT.SourceID).To(Equal("test-source-123"))
+
+				// Verify body is still readable for downstream
+				var body map[string]interface{}
+				err := json.NewDecoder(r.Body).Decode(&body)
+				Expect(err).To(BeNil(), "Body should be readable by downstream handler")
+				Expect(body["sourceId"]).To(Equal("test-source-123"))
+
+				w.WriteHeader(200)
+			})
+
+			noneAuthenticator := auth.NewNoneAgentAuthenticator()
+			ts := httptest.NewServer(noneAuthenticator.Authenticator(innerHandler))
+			defer ts.Close()
+
+			body := `{"sourceId":"test-source-123"}`
+			req, err := http.NewRequest(http.MethodPost, ts.URL, bytes.NewBufferString(body))
+			Expect(err).To(BeNil())
+
+			resp, rerr := http.DefaultClient.Do(req)
+			Expect(rerr).To(BeNil())
+			Expect(resp.StatusCode).To(Equal(200))
+		})
+	})
+
 })
 
 func generateAgentToken(kid, sourceID, orgID string, signingKey *rsa.PrivateKey) string {

internal/auth/none_agent_authenticator.go

@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+)
+
+type NoneAgentAuthenticator struct{}
+
+func NewNoneAgentAuthenticator() *NoneAgentAuthenticator {
+	return &NoneAgentAuthenticator{}
+}
+
+func (n *NoneAgentAuthenticator) Authenticator(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		bodyBytes, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("failed to read request body: %v", err), http.StatusBadRequest)
+			return
+		}
+		_ = r.Body.Close()
+
+		var req struct {
+			SourceID string `json:"sourceId"`
+		}
+
+		if err := json.Unmarshal(bodyBytes, &req); err != nil {
+			http.Error(w, fmt.Sprintf("missing source id from request body: %v", err), http.StatusBadRequest)
+			return
+		}
+
+		r.Body = io.NopCloser(bytes.NewReader(bodyBytes))
+
+		agentJWT := AgentJWT{
+			ExpireAt: time.Now().Add(defaultExpirationPeriod * time.Hour),
+			IssueAt:  time.Now(),
+			Issuer:   "none",
+			OrgID:    "internal",
+			SourceID: req.SourceID,
+		}
+		ctx := NewTokenContext(r.Context(), agentJWT)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}

internal/handlers/v1alpha1/agent.go

@@ -7,6 +7,7 @@ import (
 
 	v1alpha1 "github.com/kubev2v/migration-planner/api/v1alpha1/agent"
 	agentServer "github.com/kubev2v/migration-planner/internal/api/server/agent"
+	"github.com/kubev2v/migration-planner/internal/auth"
 	apiMappers "github.com/kubev2v/migration-planner/internal/handlers/v1alpha1/mappers"
 	"github.com/kubev2v/migration-planner/internal/handlers/validator"
 	"github.com/kubev2v/migration-planner/internal/service"
@@ -31,6 +32,13 @@ func (h *AgentHandler) UpdateSourceInventory(ctx context.Context, request agentS
 		return agentServer.UpdateSourceInventory400JSONResponse{Message: "empty body"}, nil
 	}
 
+	agentJWT := auth.MustHaveAgent(ctx)
+	if agentJWT.SourceID != request.Id.String() {
+		return agentServer.UpdateSourceInventory403JSONResponse{
+			Message: fmt.Sprintf("agent is not authorized to update source %s", request.Id),
+		}, nil
+	}
+
 	data, err := json.Marshal(request.Body.Inventory)
 	if err != nil {
 		return agentServer.UpdateSourceInventory500JSONResponse{Message: err.Error()}, nil
@@ -74,6 +82,13 @@ func (h *AgentHandler) UpdateAgentStatus(ctx context.Context, request agentServe
 		return agentServer.UpdateAgentStatus400JSONResponse{Message: err.Error()}, nil
 	}
 
+	agentJWT := auth.MustHaveAgent(ctx)
+	if agentJWT.SourceID != request.Body.SourceId.String() {
+		return agentServer.UpdateAgentStatus403JSONResponse{
+			Message: fmt.Sprintf("agent is not authorized to update source %s", request.Body.SourceId),
+		}, nil
+	}
+
 	_, created, err := h.srv.UpdateAgentStatus(ctx, mappers.AgentUpdateForm{
 		ID:         request.Id,
 		SourceID:   request.Body.SourceId,