k3s/pkg/server/auth/auth.go

package auth

import (
	"net/http"

	"github.com/gorilla/mux"
	"github.com/k3s-io/k3s/pkg/daemons/config"
	"github.com/k3s-io/k3s/pkg/util"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
	"k8s.io/apiserver/pkg/endpoints/request"
)

func hasRole(mustRoles []string, roles []string) bool {
	for _, check := range roles {
		for _, role := range mustRoles {
			if role == check {
				return true
			}
		}
	}
	return false
}

func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw http.ResponseWriter, req *http.Request) {
	switch {
	case serverConfig == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig is nil")
		util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)
		return
	case serverConfig.Runtime.Authenticator == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")
		util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)
		return
	}

	resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)
	if err != nil {
		logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)
		util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)
		return
	}

	if !ok || !hasRole(roles, resp.User.GetGroups()) {
		util.SendError(errors.New("forbidden"), rw, req, http.StatusForbidden)
		return
	}

	ctx := request.WithUser(req.Context(), resp.User)
	req = req.WithContext(ctx)
	next.ServeHTTP(rw, req)
}

func Middleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
			doAuth(roles, serverConfig, next, rw, req)
		})
	}
}
Move etcd snapshot management CLI to request/response Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-28 00:48:13 +00:00			`package auth`
Initial Commit 2019-01-01 08:23:01 +00:00
			`import (`
			`"net/http"`

			`"github.com/gorilla/mux"`
[master] changing package to k3s-io (#4846) * changing package to k3s-io Signed-off-by: Luther Monson <luther.monson@gmail.com> Co-authored-by: Derek Nola <derek.nola@suse.com> 2022-03-02 23:47:27 +00:00			`"github.com/k3s-io/k3s/pkg/daemons/config"`
Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-11 22:18:55 +00:00			`"github.com/k3s-io/k3s/pkg/util"`
			`"github.com/pkg/errors"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
			`"k8s.io/apiserver/pkg/endpoints/request"`
			`)`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func hasRole(mustRoles []string, roles []string) bool {`
			`for _, check := range roles {`
			`for _, role := range mustRoles {`
			`if role == check {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`func doAuth(roles []string, serverConfig config.Control, next http.Handler, rw http.ResponseWriter, req http.Request) {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`switch {`
			`case serverConfig == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig is nil")`
Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-11 22:18:55 +00:00			`util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`case serverConfig.Runtime.Authenticator == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")`
Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-11 22:18:55 +00:00			`util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`return`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

			`resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)`
			`if err != nil {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)`
Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-11 22:18:55 +00:00			`util.SendError(errors.New("not authorized"), rw, req, http.StatusUnauthorized)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`if !ok \|\| !hasRole(roles, resp.User.GetGroups()) {`
Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-11 22:18:55 +00:00			`util.SendError(errors.New("forbidden"), rw, req, http.StatusForbidden)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
			`}`

			`ctx := request.WithUser(req.Context(), resp.User)`
			`req = req.WithContext(ctx)`
			`next.ServeHTTP(rw, req)`
			`}`

Move etcd snapshot management CLI to request/response Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-03-28 00:48:13 +00:00			`func Middleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {`
Initial Commit 2019-01-01 08:23:01 +00:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`doAuth(roles, serverConfig, next, rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`})`
			`}`
			`}`