mirror of https://github.com/k3s-io/k3s
191 lines
5.3 KiB
Go
191 lines
5.3 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package headerrequest
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
x509request "k8s.io/apiserver/pkg/authentication/request/x509"
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
utilcert "k8s.io/client-go/util/cert"
|
|
)
|
|
|
|
type requestHeaderAuthRequestHandler struct {
|
|
// nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
|
|
nameHeaders []string
|
|
|
|
// groupHeaders are the headers to check (case-insensitively) for group membership. All values of all headers will be added.
|
|
groupHeaders []string
|
|
|
|
// extraHeaderPrefixes are the head prefixes to check (case-insensitively) for filling in
|
|
// the user.Info.Extra. All values of all matching headers will be added.
|
|
extraHeaderPrefixes []string
|
|
}
|
|
|
|
func New(nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
|
|
trimmedNameHeaders, err := trimHeaders(nameHeaders...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &requestHeaderAuthRequestHandler{
|
|
nameHeaders: trimmedNameHeaders,
|
|
groupHeaders: trimmedGroupHeaders,
|
|
extraHeaderPrefixes: trimmedExtraHeaderPrefixes,
|
|
}, nil
|
|
}
|
|
|
|
func trimHeaders(headerNames ...string) ([]string, error) {
|
|
ret := []string{}
|
|
for _, headerName := range headerNames {
|
|
trimmedHeader := strings.TrimSpace(headerName)
|
|
if len(trimmedHeader) == 0 {
|
|
return nil, fmt.Errorf("empty header %q", headerName)
|
|
}
|
|
ret = append(ret, trimmedHeader)
|
|
}
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
|
|
headerAuthenticator, err := New(nameHeaders, groupHeaders, extraHeaderPrefixes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(clientCA) == 0 {
|
|
return nil, fmt.Errorf("missing clientCA file")
|
|
}
|
|
|
|
// Wrap with an x509 verifier
|
|
caData, err := ioutil.ReadFile(clientCA)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading %s: %v", clientCA, err)
|
|
}
|
|
opts := x509request.DefaultVerifyOptions()
|
|
opts.Roots = x509.NewCertPool()
|
|
certs, err := utilcert.ParseCertsPEM(caData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error loading certs from %s: %v", clientCA, err)
|
|
}
|
|
for _, cert := range certs {
|
|
opts.Roots.AddCert(cert)
|
|
}
|
|
|
|
return x509request.NewVerifier(opts, headerAuthenticator, sets.NewString(proxyClientNames...)), nil
|
|
}
|
|
|
|
func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
|
|
name := headerValue(req.Header, a.nameHeaders)
|
|
if len(name) == 0 {
|
|
return nil, false, nil
|
|
}
|
|
groups := allHeaderValues(req.Header, a.groupHeaders)
|
|
extra := newExtra(req.Header, a.extraHeaderPrefixes)
|
|
|
|
// clear headers used for authentication
|
|
for _, headerName := range a.nameHeaders {
|
|
req.Header.Del(headerName)
|
|
}
|
|
for _, headerName := range a.groupHeaders {
|
|
req.Header.Del(headerName)
|
|
}
|
|
for k := range extra {
|
|
for _, prefix := range a.extraHeaderPrefixes {
|
|
req.Header.Del(prefix + k)
|
|
}
|
|
}
|
|
|
|
return &authenticator.Response{
|
|
User: &user.DefaultInfo{
|
|
Name: name,
|
|
Groups: groups,
|
|
Extra: extra,
|
|
},
|
|
}, true, nil
|
|
}
|
|
|
|
func headerValue(h http.Header, headerNames []string) string {
|
|
for _, headerName := range headerNames {
|
|
headerValue := h.Get(headerName)
|
|
if len(headerValue) > 0 {
|
|
return headerValue
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
func allHeaderValues(h http.Header, headerNames []string) []string {
|
|
ret := []string{}
|
|
for _, headerName := range headerNames {
|
|
headerKey := http.CanonicalHeaderKey(headerName)
|
|
values, ok := h[headerKey]
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
for _, headerValue := range values {
|
|
if len(headerValue) > 0 {
|
|
ret = append(ret, headerValue)
|
|
}
|
|
}
|
|
}
|
|
return ret
|
|
}
|
|
|
|
func unescapeExtraKey(encodedKey string) string {
|
|
key, err := url.PathUnescape(encodedKey) // Decode %-encoded bytes.
|
|
if err != nil {
|
|
return encodedKey // Always record extra strings, even if malformed/unencoded.
|
|
}
|
|
return key
|
|
}
|
|
|
|
func newExtra(h http.Header, headerPrefixes []string) map[string][]string {
|
|
ret := map[string][]string{}
|
|
|
|
// we have to iterate over prefixes first in order to have proper ordering inside the value slices
|
|
for _, prefix := range headerPrefixes {
|
|
for headerName, vv := range h {
|
|
if !strings.HasPrefix(strings.ToLower(headerName), strings.ToLower(prefix)) {
|
|
continue
|
|
}
|
|
|
|
extraKey := unescapeExtraKey(strings.ToLower(headerName[len(prefix):]))
|
|
ret[extraKey] = append(ret[extraKey], vv...)
|
|
}
|
|
}
|
|
|
|
return ret
|
|
}
|