mantil-io / mantil

Build your AWS Lambda-based Go backends quicker than ever
https://www.mantil.com
MIT License
109 stars, 3 forks

Implement GitHub authentication #115

Open djelusic opened 2 years ago

djelusic commented 2 years ago

In order to have team features we need a way to authenticate and authorize users. The current idea is to use GitHub as an identity provider and perform authorization based on organization roles.

The GitHub oauth flow is described here. We will be using the web application flow which is a bit more user friendly since it doesn't require the user to manually enter a code. Instead, it requires us to host a small callback application on our side which will be used by GitHub to perform authentication.

An overview of the architecture can be seen here:

[image: github auth]

  1. The user runs a mantil CLI command which requires authentication. If a token is not already present, this triggers GitHub authentication by opening a browser window. The CLI opens a NATS channel and waits for a response.
  2. After successfully authenticating, GitHub invokes the callback URL of our oauth app. The lambda handler behind this URL uses the oauth app credentials to create a GitHub token.
  3. The callback handler invokes an auth function on the mantil node which knows the public/private key pair used to generate JWT tokens. It then performs authorization by checking organization access rights and allowed projects/users (stored somewhere on the node) and creates the corresponding JWT token.
  4. The auth function then sends the token back to the user's NATS channel.

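Steps 3 and 4 above are the security-critical part of the flow: only the node holds the private key, so a forged or tampered token cannot pass the node's check, and the role the node enforces is the one it put into the token itself. The following is an added example, not code from the mantil project, showing one way to do this with the Go standard library. It assumes an Ed25519 key pair on the node, an `EdDSA` JWT with the assumed claims `login`, `org`, `role` and `exp`, and the rule that organization admins become node admins while organization members need to be on the node's allowed-user list; those names and rules are assumptions, not mantil's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed layout for the token the node's auth function mints
// after checking the user's organization role; field names are illustrative.
type Claims struct {
	Login string `json:"login"` // GitHub login of the authenticated user
	Org   string `json:"org"`   // GitHub organization the node is tied to
	Role  string `json:"role"`  // node role: "admin" or "user"
	Exp   int64  `json:"exp"`   // expiry as unix seconds
}

// NewNodeKeyPair generates the node's signing key pair (Ed25519).
func NewNodeKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// RoleFor maps the GitHub organization role ("admin" or "member") and the
// node's allowed-user list to a node role; anyone else gets no token at all.
func RoleFor(orgRole, login string, allowed map[string]bool) (string, error) {
	switch {
	case orgRole == "admin":
		return "admin", nil
	case orgRole == "member" && allowed[login]:
		return "user", nil
	}
	return "", fmt.Errorf("%s is not allowed on this node", login)
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken produces header.payload.signature, signed with the private key
// that only the node holds (the callback lambda never sees it).
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + enc(sig), nil
}

// VerifyToken is what a node handler does with a presented token: pin the
// algorithm, verify the signature with the node's public key, then check
// expiry, and only then trust the role inside.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return Claims{}, errors.New("unexpected token algorithm")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	pub, priv, _ := NewNodeKeyPair()
	role, _ := RoleFor("member", "some-user", map[string]bool{"some-user": true})
	tok, _ := IssueToken(priv, Claims{Login: "some-user", Org: "mantil-team", Role: role, Exp: time.Now().Add(time.Hour).Unix()})
	c, err := VerifyToken(pub, tok, time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Two details matter for the architecture described in the comment: the verifier checks the `alg` header before the signature, so a token re-signed under another algorithm is rejected outright, and the signature covers the encoded payload, so editing the `role` claim invalidates the token even though the payload itself is not encrypted.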
djelusic commented 2 years ago

I implemented a first version of this. It can be enabled by setting the github-org flag when using mantil aws install to create a node, for example:

mantil aws install daniel --aws-profile daniel --github-org mantil-team

Now the node is tied to the mantil-team organization and will require authentication when executing project and node commands.

After successfully authenticating, the node will create a JWT token based on the user's role in the organization and the allowed projects/users for the node:

Admins can manage node users and projects using the mantil user add and mantil project add commands. For example:

mantil user add djelusic --node daniel

mantil project add --node daniel --name project --repo=https://www.github.com/mantil-team/project

To test this you will ideally need a GitHub organization with at least two members, one admin and one regular member. For convenience I added a logout command which will erase the stored token and allow you to log in with a different user:

mantil logout daniel

Here daniel is the name of the node.

djelusic commented 2 years ago

After some discussion we implemented a few changes to this flow:

So now an example flow might look like this:

Someone with admin access to the AWS account creates a node and ties it to their GitHub user.

mantil aws install daniel --aws-profile=daniel --github-user=djelusic

After creating the node they have admin rights to manage it. They can now add users using the user-add command:

mantil node user-add --node daniel --github-user some-user --role user

which will return

Successfully added user some-user. They can now login using the command "mantil node login https://8ilfp3l7yh.execute-api.eu-central-1.amazonaws.com"

Then the user can use this command to log in and start deploying projects to the node. However with the user role they won't have permissions to access node management functions. For that they need the admin role. To upgrade their role you can simply run:

mantil node user-add --node daniel --github-user some-user --role admin

After logging in again they will have admin permissions.

Users can also be removed using the user-remove command, for example:

mantil node user-remove some-user --node daniel
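The revised flow in this comment replaces organization roles with a per-node user registry: the installer's GitHub user starts as admin, user-add both creates a user and changes an existing user's role, the user role can deploy projects but not manage the node, and user-remove deletes a user. The following is an added example, not mantil's implementation, modelling that registry and the permission check a node handler would apply. The action names (`project deploy`, `node user-add`, `node user-remove`), the `Endpoint` placeholder and the refusal to remove the calling admin are assumptions of this example; the issue does not specify them.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role is the node-level role a GitHub user holds.
type Role string

const (
	RoleUser  Role = "user"  // may log in and deploy projects to the node
	RoleAdmin Role = "admin" // may additionally manage the node's users
)

// Node is the user registry for one node. Endpoint is a placeholder for the
// node's API URL that the real user-add command prints.
type Node struct {
	Name     string
	Endpoint string
	Users    map[string]Role // GitHub login -> role
}

// NewNode mirrors "mantil aws install <name> --github-user <creator>":
// the creator is the node's first admin.
func NewNode(name, endpoint, creator string) *Node {
	return &Node{Name: name, Endpoint: endpoint, Users: map[string]Role{creator: RoleAdmin}}
}

// required lists the role each action needs (assumed action names).
// Anything not listed is denied, so a new management command has to be
// registered here before any role can reach it.
var required = map[string]Role{
	"project deploy":   RoleUser,
	"node user-add":    RoleAdmin,
	"node user-remove": RoleAdmin,
}

// Allowed reports whether a role may perform an action; admin implies user.
func Allowed(r Role, action string) bool {
	need, ok := required[action]
	if !ok {
		return false
	}
	return r == RoleAdmin || r == need
}

// Login is the check behind "mantil node login": only registered users get
// in, and the role they receive is the one in the registry at that moment.
func (n *Node) Login(login string) (Role, error) {
	r, ok := n.Users[login]
	if !ok {
		return "", fmt.Errorf("%s is not a user of node %s", login, n.Name)
	}
	return r, nil
}

// UserAdd adds a user or changes an existing user's role, as user-add does
// when run again with --role admin. An unregistered caller has the empty
// role and is refused like any non-admin.
func (n *Node) UserAdd(caller, login string, role Role) (string, error) {
	if !Allowed(n.Users[caller], "node user-add") {
		return "", fmt.Errorf("%s may not manage users of node %s", caller, n.Name)
	}
	if role != RoleUser && role != RoleAdmin {
		return "", fmt.Errorf("unknown role %q", role)
	}
	n.Users[login] = role
	return fmt.Sprintf("Successfully added user %s. They can now login using the command \"mantil node login %s\"", login, n.Endpoint), nil
}

// UserRemove deletes a user. Refusing self-removal is an assumed safeguard
// so an admin cannot lock themselves out of their own node.
func (n *Node) UserRemove(caller, login string) error {
	if !Allowed(n.Users[caller], "node user-remove") {
		return fmt.Errorf("%s may not manage users of node %s", caller, n.Name)
	}
	if _, ok := n.Users[login]; !ok {
		return fmt.Errorf("%s is not a user of node %s", login, n.Name)
	}
	if login == caller {
		return errors.New("refusing to remove the calling admin")
	}
	delete(n.Users, login)
	return nil
}

// Logins returns the registered users in a stable order, for listing.
func (n *Node) Logins() []string {
	out := make([]string, 0, len(n.Users))
	for l := range n.Users {
		out = append(out, l)
	}
	sort.Strings(out)
	return out
}

func main() {
	n := NewNode("daniel", "https://<node-endpoint>", "djelusic")
	msg, err := n.UserAdd("djelusic", "some-user", RoleUser)
	fmt.Println(msg, err)
	r, _ := n.Login("some-user")
	fmt.Println("some-user:", r, "deploy:", Allowed(r, "project deploy"), "user-add:", Allowed(r, "node user-add"))
}
```

Because the role is read from the registry at login and carried in the token from then on, a role change made with user-add only takes effect once the user logs in again, which is exactly the behaviour the comment describes; a handler that wants revocation to apply immediately has to consult the registry on each request rather than trusting the role claim alone.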