feat: implement Service Account / Local Users

[alexmt]

Closes #3185
Closes #2108
Closes #3221

PR introduces local users support in Argo CD.

• API changes
• CLI changes
• Unit Tests
• UI
• E2E Tests
• Docs

CLI commands

• List existing accounts:

argocd account list                                                                                                                                                      NAME   ENABLED  CAPABILITIES
admin  true     apiKey, login
test   true     apiKey

• get account details:

Name:               admin
Enabled:            true
Capabilities:       apiKey, login

Tokens:
ID                                    ISSUED AT                  EXPIRING AT
2b8174fb-5e67-4f34-80d8-511f91422a6a  2020-03-09T14:31:25-07:00  never
c4f53804-0182-4021-b502-09a947f0488f  2020-03-09T14:26:34-07:00  2020-03-09T14:26:34-07:00 (expired)

• generate token for an account:

argocd account generate-token --account test
xxxxxxxxxxxxxxxxxxxxx

• delete existing account token:

argocd account delete-token 2b8174fb-5e67-4f34-80d8-511f91422a6a

• change local user password:

 argocd account update-password --account <name> --current-password <current-user-password> --new-password <new-password-for-localuser>

UI

[codecov]

Codecov Report

Merging #3215 into master will increase coverage by 0.17%.
The diff coverage is 41.39%.

@@            Coverage Diff             @@
##           master    #3215      +/-   ##
==========================================
+ Coverage   38.81%   38.99%   +0.17%     
==========================================
  Files         169      172       +3     
  Lines       18321    18764     +443     
  Branches      272      237      -35     
==========================================
+ Hits         7112     7317     +205     
- Misses      10333    10540     +207     
- Partials      876      907      +31     

Impacted Files	Coverage Δ
cmd/argocd/commands/account.go	0.00% <0.00%> (ø)
ui/src/app/shared/models.ts	100.00% <ø> (ø)
util/settings/settings.go	38.72% <11.11%> (+0.81%)	⬆️
util/session/sessionmanager.go	55.94% <55.55%> (-2.46%)	⬇️
ui/src/app/shared/services/accounts-service.ts	58.33% <58.33%> (ø)
server/account/account.go	63.02% <69.69%> (+19.27%)	⬆️
util/settings/accounts.go	73.33% <73.33%> (ø)
server/project/project.go	59.43% <100.00%> (ø)
server/rbacpolicy/rbacpolicy.go	80.30% <100.00%> (+0.61%)	⬆️
server/server.go	57.59% <100.00%> (ø)
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42d5723...0addefc. Read the comment docs.

[jannfis]

Wow, awesome work. Looks good to me so far, I have some minor comments see below.

[jannfis]

IMHO should provide information on the argument the command optional takes - i.e. the account name. Also should be made clear in the example that with no parameters, current account will be get, and if parameter given, information for named account will be retrieved.

[alexmt]

Agree. Updated example of all commands that defaults to the current account.

[jannfis]

Same as above, information about the arguments should be given.

[jannfis]

Here as well - more information about the parameters, please.

[alexmt]

done

[jannfis]

Hm, is this not used anywhere?

[alexmt]

Yes, look like we forgot to delete it after some refactoring.

[jannfis]

This comment should be adapted to reflect reality. Probably there are more

[alexmt]

fixed

[jannfis]

Indentation

[alexmt]

fixed

[jannfis]

We should clarify what id is used for here.

[alexmt]

done. Updated comment

[jannfis]

General thought on this package - I think all Public methods and types should be rather well commented.

[alexmt]

Agree. Added missing comments

[jannfis]

Hm, do we really want to allow admin account access to API by default? Or is that for backwards compatibility? If so, we should make a deprecation notice, that admin access to API will be disabled from v2 onwards or something similar.

[alexmt]

Nice catch. Admin account should not be able to generate API keys by default. That functionality does not exist before 1.5 so we are not breaking backward compatibility. Updated the default capabilities.

[jannfis]

General thought on this test package. I think we should also test for bad/malformed input data, that would also come up with more code coverage.

[alexmt]

Done. Added missing tests

[alexmt]

Thank you for review @jannfis ! PTAL

[jannfis]

LGTM

[alex1989hu]

@alexmt: thanks for the documentation part

[omerlh]

Something unclear to me - look like you can define a token in the config map (by looking on the PR), but how can you use this token? What defined in the PR is claims, how can I sign it?

[alexmt]

hello @omerlh ,

User copy generated token and use it same as token generated during normal login process. Only token id, issuedAt and expiringAt time fields are stored in secret. This allows user to know when the token is going to expire and revoke it if necessary

[omerlh]

So there is no declarative way to create tokens? only using the CLI?

[daurnimator]

This results in "apiKey, login" getting turned into "apiKey,login"