2019-01-12 04:58:27 +00:00
|
|
|
/*
|
|
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package headerrequest
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/x509"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
|
|
x509request "k8s.io/apiserver/pkg/authentication/request/x509"
|
|
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
|
|
utilcert "k8s.io/client-go/util/cert"
|
|
|
|
)
|
|
|
|
|
2019-12-12 01:27:03 +00:00
|
|
|
// StringSliceProvider is a way to get a string slice value. It is heavily used for authentication headers among other places.
|
|
|
|
type StringSliceProvider interface {
|
|
|
|
// Value returns the current string slice. Callers should never mutate the returned value.
|
|
|
|
Value() []string
|
|
|
|
}
|
|
|
|
|
|
|
|
// StringSliceProviderFunc is a function that matches the StringSliceProvider interface
|
|
|
|
type StringSliceProviderFunc func() []string
|
|
|
|
|
|
|
|
// Value returns the current string slice. Callers should never mutate the returned value.
|
|
|
|
func (d StringSliceProviderFunc) Value() []string {
|
|
|
|
return d()
|
|
|
|
}
|
|
|
|
|
|
|
|
// StaticStringSlice a StringSliceProvider that returns a fixed value
|
|
|
|
type StaticStringSlice []string
|
|
|
|
|
|
|
|
// Value returns the current string slice. Callers should never mutate the returned value.
|
|
|
|
func (s StaticStringSlice) Value() []string {
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2019-01-12 04:58:27 +00:00
|
|
|
type requestHeaderAuthRequestHandler struct {
|
|
|
|
// nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
|
2019-12-12 01:27:03 +00:00
|
|
|
nameHeaders StringSliceProvider
|
2019-01-12 04:58:27 +00:00
|
|
|
|
|
|
|
// groupHeaders are the headers to check (case-insensitively) for group membership. All values of all headers will be added.
|
2019-12-12 01:27:03 +00:00
|
|
|
groupHeaders StringSliceProvider
|
2019-01-12 04:58:27 +00:00
|
|
|
|
|
|
|
// extraHeaderPrefixes are the head prefixes to check (case-insensitively) for filling in
|
|
|
|
// the user.Info.Extra. All values of all matching headers will be added.
|
2019-12-12 01:27:03 +00:00
|
|
|
extraHeaderPrefixes StringSliceProvider
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
2019-12-12 01:27:03 +00:00
|
|
|
func New(nameHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator.Request, error) {
|
2019-01-12 04:58:27 +00:00
|
|
|
trimmedNameHeaders, err := trimHeaders(nameHeaders...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-12 01:27:03 +00:00
|
|
|
return NewDynamic(
|
|
|
|
StaticStringSlice(trimmedNameHeaders),
|
|
|
|
StaticStringSlice(trimmedGroupHeaders),
|
|
|
|
StaticStringSlice(trimmedExtraHeaderPrefixes),
|
|
|
|
), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
|
2019-01-12 04:58:27 +00:00
|
|
|
return &requestHeaderAuthRequestHandler{
|
2019-12-12 01:27:03 +00:00
|
|
|
nameHeaders: nameHeaders,
|
|
|
|
groupHeaders: groupHeaders,
|
|
|
|
extraHeaderPrefixes: extraHeaderPrefixes,
|
|
|
|
}
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func trimHeaders(headerNames ...string) ([]string, error) {
|
|
|
|
ret := []string{}
|
|
|
|
for _, headerName := range headerNames {
|
|
|
|
trimmedHeader := strings.TrimSpace(headerName)
|
|
|
|
if len(trimmedHeader) == 0 {
|
|
|
|
return nil, fmt.Errorf("empty header %q", headerName)
|
|
|
|
}
|
|
|
|
ret = append(ret, trimmedHeader)
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
|
|
|
|
if len(clientCA) == 0 {
|
|
|
|
return nil, fmt.Errorf("missing clientCA file")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wrap with an x509 verifier
|
|
|
|
caData, err := ioutil.ReadFile(clientCA)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("error reading %s: %v", clientCA, err)
|
|
|
|
}
|
|
|
|
opts := x509request.DefaultVerifyOptions()
|
|
|
|
opts.Roots = x509.NewCertPool()
|
|
|
|
certs, err := utilcert.ParseCertsPEM(caData)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("error loading certs from %s: %v", clientCA, err)
|
|
|
|
}
|
|
|
|
for _, cert := range certs {
|
|
|
|
opts.Roots.AddCert(cert)
|
|
|
|
}
|
|
|
|
|
2019-12-12 01:27:03 +00:00
|
|
|
trimmedNameHeaders, err := trimHeaders(nameHeaders...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return NewDynamicVerifyOptionsSecure(
|
|
|
|
x509request.StaticVerifierFn(opts),
|
|
|
|
StaticStringSlice(proxyClientNames),
|
|
|
|
StaticStringSlice(trimmedNameHeaders),
|
|
|
|
StaticStringSlice(trimmedGroupHeaders),
|
|
|
|
StaticStringSlice(trimmedExtraHeaderPrefixes),
|
|
|
|
), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
|
|
|
|
headerAuthenticator := NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes)
|
|
|
|
|
|
|
|
return x509request.NewDynamicCAVerifier(verifyOptionFn, headerAuthenticator, proxyClientNames)
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
|
2019-12-12 01:27:03 +00:00
|
|
|
name := headerValue(req.Header, a.nameHeaders.Value())
|
2019-01-12 04:58:27 +00:00
|
|
|
if len(name) == 0 {
|
|
|
|
return nil, false, nil
|
|
|
|
}
|
2019-12-12 01:27:03 +00:00
|
|
|
groups := allHeaderValues(req.Header, a.groupHeaders.Value())
|
|
|
|
extra := newExtra(req.Header, a.extraHeaderPrefixes.Value())
|
2019-01-12 04:58:27 +00:00
|
|
|
|
|
|
|
// clear headers used for authentication
|
2019-12-12 01:27:03 +00:00
|
|
|
for _, headerName := range a.nameHeaders.Value() {
|
2019-01-12 04:58:27 +00:00
|
|
|
req.Header.Del(headerName)
|
|
|
|
}
|
2019-12-12 01:27:03 +00:00
|
|
|
for _, headerName := range a.groupHeaders.Value() {
|
2019-01-12 04:58:27 +00:00
|
|
|
req.Header.Del(headerName)
|
|
|
|
}
|
|
|
|
for k := range extra {
|
2019-12-12 01:27:03 +00:00
|
|
|
for _, prefix := range a.extraHeaderPrefixes.Value() {
|
2019-01-12 04:58:27 +00:00
|
|
|
req.Header.Del(prefix + k)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return &authenticator.Response{
|
|
|
|
User: &user.DefaultInfo{
|
|
|
|
Name: name,
|
|
|
|
Groups: groups,
|
|
|
|
Extra: extra,
|
|
|
|
},
|
|
|
|
}, true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func headerValue(h http.Header, headerNames []string) string {
|
|
|
|
for _, headerName := range headerNames {
|
|
|
|
headerValue := h.Get(headerName)
|
|
|
|
if len(headerValue) > 0 {
|
|
|
|
return headerValue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
|
|
|
func allHeaderValues(h http.Header, headerNames []string) []string {
|
|
|
|
ret := []string{}
|
|
|
|
for _, headerName := range headerNames {
|
|
|
|
headerKey := http.CanonicalHeaderKey(headerName)
|
|
|
|
values, ok := h[headerKey]
|
|
|
|
if !ok {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, headerValue := range values {
|
|
|
|
if len(headerValue) > 0 {
|
|
|
|
ret = append(ret, headerValue)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func unescapeExtraKey(encodedKey string) string {
|
|
|
|
key, err := url.PathUnescape(encodedKey) // Decode %-encoded bytes.
|
|
|
|
if err != nil {
|
|
|
|
return encodedKey // Always record extra strings, even if malformed/unencoded.
|
|
|
|
}
|
|
|
|
return key
|
|
|
|
}
|
|
|
|
|
|
|
|
func newExtra(h http.Header, headerPrefixes []string) map[string][]string {
|
|
|
|
ret := map[string][]string{}
|
|
|
|
|
|
|
|
// we have to iterate over prefixes first in order to have proper ordering inside the value slices
|
|
|
|
for _, prefix := range headerPrefixes {
|
|
|
|
for headerName, vv := range h {
|
|
|
|
if !strings.HasPrefix(strings.ToLower(headerName), strings.ToLower(prefix)) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
extraKey := unescapeExtraKey(strings.ToLower(headerName[len(prefix):]))
|
|
|
|
ret[extraKey] = append(ret[extraKey], vv...)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret
|
|
|
|
}
|