Add JWT flow

[tzheleznyak]

Desired Outcome

Added JWT flow to the authenticator

Connected Issue/Story

ONYX-14722

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[doodlesbykumbi]

Some comments

[sashaCher]

Do we want to add support for accept-encoding header?
Conjur is able to return access token already encoded base64 instead of plain json (1, 2)

[tzheleznyak]

Currently the components that use authn-k8s-client do the encode themselves . I think this is good idea but not in scope. I wanted to be aligned with the auhtn-k8s flow

[tzheleznyak]

@szamir1 @shulifink
May you review my code

[nessiLahav]

i think we should align the context handling with this code

[tzheleznyak]

This what we talked about and i fixed

[tzheleznyak]

Oh i see i done it in all error handling in the function

[nessiLahav]

Small comments, great job

[szh]

Looking good, left a few comments

[szh]

LGTM! 👍

[diverdane]

Looks good!!!
Some editorial comments and a possible missing strconv.Itoa().

[diverdane]

Instead of looping through the range of settings, couldn't we see if the "JWT_TOKEN_PATH" entry exists and then use it? Something like this?:

    if path, exists := settings["JWT_TOKEN_PATH"]; exists {
        config.JWTTokenFilePath = path
    }

[tzheleznyak]

Good point thanks

[diverdane]

When an int is typecast using string(), the int value is interpreted as Unicode. I believe that what we need here is:

    req.Header.Set("Content-Length", strconv.Itoa(len(formattedJwt)))

[diverdane]

The if block ends with a return, so the } else { isn't needed. That is, this should be:

	if len(username) > 0 {
		return fmt.Sprintf("%s/%s/%s/authenticate", authnURL, account, url.QueryEscape(username))
	}
	return fmt.Sprintf("%s/%s/authenticate", authnURL, account)

[diverdane]

Instead of using an if/else block here, you could optionally use switch without a statement (i.e. evaluating expressions in the case statements). I think this makes it a little more obvious that there are 3 possible results for which we're looking. For example:

	switch {
	case strings.Contains(url, k8sAuthenticator.AuthnType):
		return &k8sAuthenticator.Config{}, nil
	case strings.Contains(url, jwtAuthenticator.AuthnType):
		return &jwtAuthenticator.Config{}, nil
	default:
		return nil, fmt.Errorf(log.CAKC063, url)
	}

[diverdane]

You could also use a switch statement here. I think this makes it a little more obvious that there are three possible outcomes (2 good, 1 bad):

	switch level {
	case validVal:
		log.EnableDebugMode()
	case "":
		// Log level not configured
		break
	default:
		// Log level is configured but it's invalid
		log.Warn(log.CAKC034, level, validVal)
	}

[tzheleznyak]

Good point. Moved it to ConfigFactory to be in one place

[nessiLahav]

LGTM

I fixed your comments so i will merge. If there anything else let me know and i will open separate PR :)