Refactor authn-k8s-client to be authentication flow generic

[tzheleznyak]

Desired Outcome

As part of the authn-jwt side car in K8S this is first stage where we do refactor, that will allow adding more authentication methods.

Defining interface for Config And Authenticator and factories creating instances of them.

Folder structure change

Connected Issue/Story

ONYX-14719

CyberArk internal issue link: insert issue ID

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[nessiLahav]

LGTM

[shulifink]

@tzheleznyak - What is the use-case for this?

[tzheleznyak]

We are going to add support to authn-jwt to authn-k8s-client.
And this is the error message when the authn-client can't decide which authentication flow should run (authn-k8s or authn-jwt)

[shulifink]

How about "No authenticator configured. "

[shulifink]

or even better: "No authentication configured. "

[diverdane]

@tzheleznyak,

Thanks for taking on this challenge! I think the interfaces that you've defined are a good start at making this client more pluggable. I'd like to make some suggestions that might simplify things a little bit. This will take a bit of rearranging, so we can chat about this tomorrow, and maybe pull some other folks in to get some consensus (Kumbi and Johah might be good to include).

First, some high-level comments:

1. With the proposed directory structure, there seems to be a "mix of concerns" in the common
   and creators directory. For example, each of these directories contains code that does
   configuration work as well as code that does authentication work. Another way of looking at it,
   the configuration code is split out between the common and creators directories. (I'm
   thinking that this mix of concerns might have caused the cyclic dependency references???)
   I think it might be cleaner to organize things similar to the original directory structure:

   -pkg/
      - authenticator/     # Common authentication code
         - config/               # Common config code
         - k8s/                   # "Concrete" instantiations of config/authen interfaces for K8s
         - jwt/                     # "Concrete" instantiations of config/authen interfaces for JWT
   

2. I see that for each authenticator type (authn-k8s or authn-jwt), you're defining a config structure and an
   authenticator structure, with each structure satisfying the ConfigurationInterface and the
   AuthenticatorInterface interfaces respectively. I'm thinking that it might simplify things to have one combined
   "Authenticator" structure for each authenticator type. That structure can satisfy both
   ConfigurationInterface and AuthenticatorInterface interfaces. Going even further, we could
   potentially combine both interfaces into a single "Authenticator" interface, where each concrete
   realization of that interface knows e.g. what config variables are required, what defaults to use for
   config variables, and how to initialize and authenticate with Conjur. This would essentially combine
   everything we need to know about an authenticator. Once we create a structure that satisfies
   the single, "Authenticator" interface, then it's pretty easy and clean to pass it around to do
   configuration and authentication actions. We wouldn't have to do type switches/assertions like the following:

   var cfg = (*config).(*Config)
   

   I think there are some methods that can be dropped from the interface definitions, so that a
   combined interface might look like this:

   type Authenticator interface {                                         
     LoadConfig(settings map[string]string)                                                                                 
     GetEnvVariables() []string                                                  
     GetRequiredVariables() []string                                             
     GetDefaultValues() map[string]string                                        
     Init(config *ConfigurationInterface) (AuthenticatorInterface, error)                                                                                                                    
     Authenticate() error                                                                                          
   

}

[tzheleznyak]

@diverdane
Thanks for the detailed feedback

About 1:

During development i came across dependency loop when i tried putting interfaces and factories in the same package. It what made me split factories to one separate and the interfaces to the common package.

The common package is all code relevant to the main authenticator package that don't uses other packages inside authenticator and used by multiple packages inside authenticator.

The name creators can be discussed and i can remove this directory and move the factories one step back.

About 2:
I don't think we need to combine to one entity the ConfigInterface and AuthenticatorInterface. They have separate resnponsibilits . Config responsible for:

• Collecting Config Data - Currently from env but it future may be from future sources like DB/network and authenticator shouldn't care where it comes from
• Validating the config data
• Storing the config data

These are not responsibilits of the authenticator that should only support two things:

• Authenticate
• Providing access token

[doodlesbykumbi]

Some thoughts

[doodlesbykumbi]

In other repos we have been standardising on Unable. So these would all become Unable to ...

[doodlesbykumbi]

These methods are a bit strange because they don't make use of the struct at all, and so could be static.

[tzheleznyak]

But the usage inside Validate() and GatherSettings()
Is config.GetDefaultValues() so it will go to the config of the correct flow

[doodlesbykumbi]

I think it would be good for us to update this to NewAuthenticator to make it explicit what this method is creating.

[tzheleznyak]

Done

[doodlesbykumbi]

I'm not sure about the name of the method. I think we need something other than Init that better captures what this method is doing.

This should also probably be a free standing function (not a method) since it doesn't use the auth struct at all.

[tzheleznyak]

Lets discuss in the meeting

[diverdane]

This looks FANTASTIC!!! Thanks again for your patience on this! I really like how you broke out things into config and common.
I just have a few very minor editorial nits, otherwise this looks good-to-go.

[diverdane]

Looks like this moved? Should be pkg/authenticator/version.go?

[diverdane]

Oops. Typo, should be k8sAuthenticator.

[diverdane]

I don't want to hold up the merge on this, but Go style guides (e.g. https://go.dev/doc/effective_go#commentary) recommend that any exported names should have a preceding doc comment that begins with that name, e.g.

// NewAuthenticator creates an instance of the Authenticator interface based on configured authenticator type.

(My IDE is running golint automatically, so when I write a file I see warnings pop up. BTW golint is deprecated, but there are replacements, e.g. golangci-lint.)

[diverdane]

LGTM!!!

[nessiLahav]

LGTM

[alexkalish]

Internal issue: ONYX-14722.