2014-11-19 15:31:43 +00:00
|
|
|
/*
|
2015-05-01 16:19:44 +00:00
|
|
|
Copyright 2014 The Kubernetes Authors All rights reserved.
|
2014-11-19 15:31:43 +00:00
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package apiserver
|
|
|
|
|
|
|
|
|
|
import (
|
2015-05-01 16:02:38 +00:00
|
|
|
"crypto/rsa"
|
|
|
|
|
|
2014-11-19 15:31:43 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator"
|
|
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/bearertoken"
|
2015-05-01 16:02:38 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
|
|
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/serviceaccount"
|
2015-03-30 21:24:22 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
|
2015-04-06 23:34:42 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/password/passwordfile"
|
|
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/request/basicauth"
|
2015-03-30 21:24:22 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/request/union"
|
|
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/request/x509"
|
2014-11-19 15:31:43 +00:00
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile"
|
|
|
|
|
)
|
|
|
|
|
|
2015-03-30 21:24:22 +00:00
|
|
|
// NewAuthenticator returns an authenticator.Request or an error
|
2015-05-01 16:02:38 +00:00
|
|
|
func NewAuthenticator(basicAuthFile, clientCAFile, tokenFile, serviceAccountKeyFile string, serviceAccountLookup bool, client client.Interface) (authenticator.Request, error) {
|
2015-04-06 23:34:42 +00:00
|
|
|
var authenticators []authenticator.Request
|
|
|
|
|
|
|
|
|
|
if len(basicAuthFile) > 0 {
|
|
|
|
|
basicAuth, err := newAuthenticatorFromBasicAuthFile(basicAuthFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
authenticators = append(authenticators, basicAuth)
|
|
|
|
|
}
|
2015-03-30 21:24:22 +00:00
|
|
|
|
|
|
|
|
if len(clientCAFile) > 0 {
|
|
|
|
|
certAuth, err := newAuthenticatorFromClientCAFile(clientCAFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
authenticators = append(authenticators, certAuth)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(tokenFile) > 0 {
|
|
|
|
|
tokenAuth, err := newAuthenticatorFromTokenFile(tokenFile)
|
2014-11-19 15:31:43 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2015-03-30 21:24:22 +00:00
|
|
|
authenticators = append(authenticators, tokenAuth)
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-01 16:02:38 +00:00
|
|
|
if len(serviceAccountKeyFile) > 0 {
|
|
|
|
|
serviceAccountAuth, err := newServiceAccountAuthenticator(serviceAccountKeyFile, serviceAccountLookup, client)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
authenticators = append(authenticators, serviceAccountAuth)
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-06 23:34:42 +00:00
|
|
|
switch len(authenticators) {
|
|
|
|
|
case 0:
|
2015-03-30 21:24:22 +00:00
|
|
|
return nil, nil
|
2015-04-06 23:34:42 +00:00
|
|
|
case 1:
|
2015-04-01 22:53:22 +00:00
|
|
|
return authenticators[0], nil
|
2015-04-06 23:34:42 +00:00
|
|
|
default:
|
|
|
|
|
return union.New(authenticators...), nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
|
|
|
|
|
func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
|
|
|
|
|
basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2015-03-30 21:24:22 +00:00
|
|
|
}
|
|
|
|
|
|
2015-04-06 23:34:42 +00:00
|
|
|
return basicauth.New(basicAuthenticator), nil
|
2015-03-30 21:24:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newAuthenticatorFromTokenFile returns an authenticator.Request or an error
|
|
|
|
|
func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Request, error) {
|
|
|
|
|
tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return bearertoken.New(tokenAuthenticator), nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-01 16:02:38 +00:00
|
|
|
// newServiceAccountAuthenticator returns an authenticator.Request or an error
|
|
|
|
|
func newServiceAccountAuthenticator(keyfile string, lookup bool, client client.Interface) (authenticator.Request, error) {
|
|
|
|
|
publicKey, err := serviceaccount.ReadPublicKey(keyfile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]*rsa.PublicKey{publicKey}, lookup, client)
|
|
|
|
|
return bearertoken.New(tokenAuthenticator), nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-30 21:24:22 +00:00
|
|
|
// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
|
|
|
|
|
func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
|
|
|
|
|
roots, err := util.CertPoolFromFile(clientCAFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opts := x509.DefaultVerifyOptions()
|
|
|
|
|
opts.Roots = roots
|
|
|
|
|
|
|
|
|
|
return x509.New(opts, x509.CommonNameUserConversion), nil
|
2014-11-19 15:31:43 +00:00
|
|
|
}
|
