feat: Token validity check

pkg/deploy/gateway/gateway.go

@@ -274,6 +274,12 @@ func getGatewayServerConfigSpec(deployContext *deploy.DeployContext) (corev1.Con
 
 	if util.IsNativeUserModeEnabled(deployContext.CheCluster) {
 		cfg.AddAuthHeaderRewrite(serverComponentName)
+		// native user mode is currently only available on OpenShift but let's be defensive here so that
+		// this doesn't break once we enable it on Kubernetes, too. Token check will have to work
+		// differently on Kuberentes.
+		if util.IsOpenShift {
+			cfg.AddOpenShiftTokenCheck(serverComponentName)
+		}
 	}
 
 	return GetConfigmapForGatewayConfig(deployContext, serverComponentName, cfg)

pkg/deploy/gateway/gateway_test.go

@@ -20,13 +20,15 @@ import (
 	orgv1 "github.com/eclipse-che/che-operator/api/v1"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	"github.com/eclipse-che/che-operator/pkg/util"
+	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/yaml"
 )
 
 func TestSyncAllToCluster(t *testing.T) {
@@ -241,3 +243,48 @@ func TestOauthProxyConfigUnauthorizedRegistries(t *testing.T) {
 		}
 	})
 }
+
+func TestTokenValidityCheckOnOpenShiftNativeUser(t *testing.T) {
+	onOpenShift4(func() {
+		orgv1.SchemeBuilder.AddToScheme(scheme.Scheme)
+		corev1.SchemeBuilder.AddToScheme(scheme.Scheme)
+
+		cm, err := getGatewayServerConfigSpec(&deploy.DeployContext{
+			CheCluster: &orgv1.CheCluster{
+				Spec: orgv1.CheClusterSpec{
+					Auth: orgv1.CheClusterSpecAuth{
+						NativeUserMode: util.NewBoolPointer(true),
+					},
+				},
+			},
+			ClusterAPI: deploy.ClusterAPI{
+				Scheme: scheme.Scheme,
+			},
+		})
+		assert.NoError(t, err)
+
+		cfg := &TraefikConfig{}
+
+		assert.NoError(t, yaml.Unmarshal([]byte(cm.Data["server.yml"]), cfg))
+
+		if assert.Contains(t, cfg.HTTP.Routers, "server") {
+			assert.Contains(t, cfg.HTTP.Routers["server"].Middlewares, "server-token-check")
+		}
+		if assert.Contains(t, cfg.HTTP.Middlewares, "server-token-check") && assert.NotNil(t, cfg.HTTP.Middlewares["server-token-check"].ForwardAuth) {
+			assert.Equal(t, "https://kubernetes.default.svc/apis/user.openshift.io/v1/users/~", cfg.HTTP.Middlewares["server-token-check"].ForwardAuth.Address)
+		}
+	})
+}
+
+func onOpenShift4(f func()) {
+	openshift := util.IsOpenShift
+	openshiftv4 := util.IsOpenShift4
+
+	util.IsOpenShift = true
+	util.IsOpenShift4 = true
+
+	f()
+
+	util.IsOpenShift = openshift
+	util.IsOpenShift4 = openshiftv4
+}

pkg/deploy/gateway/traefik_config.go

@@ -52,7 +52,9 @@ type TraefikConfigStripPrefix struct {
 }
 
 type TraefikConfigForwardAuth struct {
-	Address string `json:"address"`
+	Address            string            `json:"address"`
+	TrustForwardHeader bool              `json:"trustForwardHeader"`
+	TLS                *TraefikConfigTLS `json:"tls,omitempty"`
 }
 
 type TraefikPlugin struct {
@@ -64,3 +66,7 @@ type TraefikPluginHeaderRewrite struct {
 	To     string `json:"to"`
 	Prefix string `json:"prefix"`
 }
+
+type TraefikConfigTLS struct {
+	InsecureSkipVerify bool `json:"insecureSkipVerify"`
+}

pkg/deploy/gateway/traefik_config_util.go

@@ -61,3 +61,17 @@ func (cfg *TraefikConfig) AddAuthHeaderRewrite(componentName string) {
 		},
 	}
 }
+
+func (cfg *TraefikConfig) AddOpenShiftTokenCheck(componentName string) {
+	middlewareName := componentName + "-token-check"
+	cfg.HTTP.Routers[componentName].Middlewares = append(cfg.HTTP.Routers[componentName].Middlewares, middlewareName)
+	cfg.HTTP.Middlewares[middlewareName] = &TraefikConfigMiddleware{
+		ForwardAuth: &TraefikConfigForwardAuth{
+			Address:            "https://kubernetes.default.svc/apis/user.openshift.io/v1/users/~",
+			TrustForwardHeader: true,
+			TLS: &TraefikConfigTLS{
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+}

pkg/deploy/gateway/traefik_config_util_test.go

@@ -40,6 +40,18 @@ func TestAddAuthHeaderRewrite(t *testing.T) {
 	assert.Contains(t, cfg.HTTP.Middlewares, cfg.HTTP.Routers[testComponentName].Middlewares[0], *cfg)
 }
 
+func TestAddOpenShiftTokenCheck(t *testing.T) {
+	cfg := CreateCommonTraefikConfig(testComponentName, testRule, 1, "http://svc:8080")
+	cfg.AddOpenShiftTokenCheck(testComponentName)
+
+	assert.Len(t, cfg.HTTP.Routers[testComponentName].Middlewares, 1, *cfg)
+	assert.Len(t, cfg.HTTP.Middlewares, 1, *cfg)
+	middlewareName := cfg.HTTP.Routers[testComponentName].Middlewares[0]
+	if assert.Contains(t, cfg.HTTP.Middlewares, middlewareName, *cfg) && assert.NotNil(t, cfg.HTTP.Middlewares[middlewareName].ForwardAuth) {
+		assert.Equal(t, "https://kubernetes.default.svc/apis/user.openshift.io/v1/users/~", cfg.HTTP.Middlewares[middlewareName].ForwardAuth.Address)
+	}
+}
+
 func TestMiddlewaresPreserveOrder(t *testing.T) {
 	t.Run("strip-header", func(t *testing.T) {
 		cfg := CreateCommonTraefikConfig(testComponentName, testRule, 1, "http://svc:8080")