ContainerImage.Pinniped/internal/concierge/impersonator/impersonator.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package impersonator

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"

	"github.com/go-logr/logr"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/transport"

	"go.pinniped.dev/generated/1.20/apis/concierge/login"
	loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
	"go.pinniped.dev/internal/controller/authenticator/authncache"
	"go.pinniped.dev/internal/kubeclient"
)

// allowedHeaders are the set of HTTP headers that are allowed to be forwarded through the impersonation proxy.
//nolint: gochecknoglobals
var allowedHeaders = []string{
	"Accept",
	"Accept-Encoding",
	"User-Agent",
	"Connection",
	"Upgrade",
}

type Proxy struct {
	cache *authncache.Cache
	proxy *httputil.ReverseProxy
	log   logr.Logger
}

func New(cache *authncache.Cache, log logr.Logger) (*Proxy, error) {
	return newInternal(cache, log, func() (*rest.Config, error) {
		client, err := kubeclient.New()
		if err != nil {
			return nil, err
		}
		return client.JSONConfig, nil
	})
}

func newInternal(cache *authncache.Cache, log logr.Logger, getConfig func() (*rest.Config, error)) (*Proxy, error) {
	kubeconfig, err := getConfig()
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster config: %w", err)
	}

	serverURL, err := url.Parse(kubeconfig.Host)
	if err != nil {
		return nil, fmt.Errorf("could not parse host URL from in-cluster config: %w", err)
	}

	kubeTransportConfig, err := kubeconfig.TransportConfig()
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster transport config: %w", err)
	}
	kubeTransportConfig.TLS.NextProtos = []string{"http/1.1"}

	kubeRoundTripper, err := transport.New(kubeTransportConfig)
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster transport: %w", err)
	}

	proxy := httputil.NewSingleHostReverseProxy(serverURL)
	proxy.Transport = kubeRoundTripper

	return &Proxy{
		cache: cache,
		proxy: proxy,
		log:   log,
	}, nil
}

func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	log := p.log.WithValues(
		"url", r.URL.String(),
		"method", r.Method,
	)

	tokenCredentialReq, err := extractToken(r)
	if err != nil {
		log.Error(err, "invalid token encoding")
		http.Error(w, "invalid token encoding", http.StatusBadRequest)
		return
	}
	log = log.WithValues(
		"authenticator", tokenCredentialReq.Spec.Authenticator,
		"authenticatorNamespace", tokenCredentialReq.Namespace,
	)

	userInfo, err := p.cache.AuthenticateTokenCredentialRequest(r.Context(), tokenCredentialReq)
	if err != nil {
		log.Error(err, "received invalid token")
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}

	if userInfo == nil {
		log.Info("received token that did not authenticate")
		http.Error(w, "not authenticated", http.StatusUnauthorized)
		return
	}
	log = log.WithValues("userID", userInfo.GetUID())

	// Never mutate request (see http.Handler docs).
	newR := r.WithContext(r.Context())
	newR.Header = getProxyHeaders(userInfo, r.Header)

	log.Info("proxying authenticated request")
	p.proxy.ServeHTTP(w, newR)
}

func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header {
	newHeaders := http.Header{}
	newHeaders.Set("Impersonate-User", userInfo.GetName())
	for _, group := range userInfo.GetGroups() {
		newHeaders.Add("Impersonate-Group", group)
	}
	for _, header := range allowedHeaders {
		values := requestHeaders.Values(header)
		for i := range values {
			newHeaders.Add(header, values[i])
		}
	}
	return newHeaders
}

func extractToken(req *http.Request) (*login.TokenCredentialRequest, error) {
	authHeader := req.Header.Get("Authorization")
	if authHeader == "" {
		return nil, fmt.Errorf("missing authorization header")
	}
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return nil, fmt.Errorf("authorization header must be of type Bearer")
	}
	encoded := strings.TrimPrefix(authHeader, "Bearer ")
	tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)
	}

	var v1alpha1Req loginv1alpha1.TokenCredentialRequest
	if err := json.Unmarshal(tokenCredentialRequestJSON, &v1alpha1Req); err != nil {
		return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: %w", err)
	}
	var internalReq login.TokenCredentialRequest
	if err := loginv1alpha1.Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(&v1alpha1Req, &internalReq, nil); err != nil {
		return nil, fmt.Errorf("failed to convert v1alpha1 TokenCredentialRequest to internal version: %w", err)
	}
	return &internalReq, nil
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package impersonator`

			`import (`
			`"encoding/base64"`
			`"encoding/json"`
			`"fmt"`
			`"net/http"`
			`"net/http/httputil"`
			`"net/url"`
			`"strings"`

			`"github.com/go-logr/logr"`
			`"k8s.io/apiserver/pkg/authentication/user"`
			`"k8s.io/client-go/rest"`
			`"k8s.io/client-go/transport"`

			`"go.pinniped.dev/generated/1.20/apis/concierge/login"`
			`loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"`
			`"go.pinniped.dev/internal/controller/authenticator/authncache"`
internal/concierge/impersonator: use kubeconfig from kubeclient Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 20:28:56 +00:00			`"go.pinniped.dev/internal/kubeclient"`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`)`

			`// allowedHeaders are the set of HTTP headers that are allowed to be forwarded through the impersonation proxy.`
			`//nolint: gochecknoglobals`
			`var allowedHeaders = []string{`
			`"Accept",`
			`"Accept-Encoding",`
			`"User-Agent",`
			`"Connection",`
			`"Upgrade",`
			`}`

			`type Proxy struct {`
			`cache *authncache.Cache`
			`proxy *httputil.ReverseProxy`
			`log logr.Logger`
			`}`

			`func New(cache authncache.Cache, log logr.Logger) (Proxy, error) {`
internal/concierge/impersonator: use kubeconfig from kubeclient Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 20:28:56 +00:00			`return newInternal(cache, log, func() (*rest.Config, error) {`
			`client, err := kubeclient.New()`
			`if err != nil {`
			`return nil, err`
			`}`
			`return client.JSONConfig, nil`
			`})`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`

			`func newInternal(cache authncache.Cache, log logr.Logger, getConfig func() (rest.Config, error)) (*Proxy, error) {`
			`kubeconfig, err := getConfig()`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster config: %w", err)`
			`}`

			`serverURL, err := url.Parse(kubeconfig.Host)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not parse host URL from in-cluster config: %w", err)`
			`}`

			`kubeTransportConfig, err := kubeconfig.TransportConfig()`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster transport config: %w", err)`
			`}`
			`kubeTransportConfig.TLS.NextProtos = []string{"http/1.1"}`

			`kubeRoundTripper, err := transport.New(kubeTransportConfig)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster transport: %w", err)`
			`}`

			`proxy := httputil.NewSingleHostReverseProxy(serverURL)`
			`proxy.Transport = kubeRoundTripper`

			`return &Proxy{`
			`cache: cache,`
			`proxy: proxy,`
			`log: log,`
			`}, nil`
			`}`

			`func (p Proxy) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`log := p.log.WithValues(`
			`"url", r.URL.String(),`
			`"method", r.Method,`
			`)`

			`tokenCredentialReq, err := extractToken(r)`
			`if err != nil {`
			`log.Error(err, "invalid token encoding")`
			`http.Error(w, "invalid token encoding", http.StatusBadRequest)`
			`return`
			`}`
			`log = log.WithValues(`
			`"authenticator", tokenCredentialReq.Spec.Authenticator,`
			`"authenticatorNamespace", tokenCredentialReq.Namespace,`
			`)`

			`userInfo, err := p.cache.AuthenticateTokenCredentialRequest(r.Context(), tokenCredentialReq)`
			`if err != nil {`
			`log.Error(err, "received invalid token")`
			`http.Error(w, "invalid token", http.StatusUnauthorized)`
			`return`
			`}`

			`if userInfo == nil {`
			`log.Info("received token that did not authenticate")`
			`http.Error(w, "not authenticated", http.StatusUnauthorized)`
			`return`
			`}`
Only log user ID, not user name/groups. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-01-22 18:12:12 +00:00			`log = log.WithValues("userID", userInfo.GetUID())`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 18:25:24 +00:00			`// Never mutate request (see http.Handler docs).`
			`newR := r.WithContext(r.Context())`
			`newR.Header = getProxyHeaders(userInfo, r.Header)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00
			`log.Info("proxying authenticated request")`
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 18:25:24 +00:00			`p.proxy.ServeHTTP(w, newR)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`

			`func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header {`
			`newHeaders := http.Header{}`
			`newHeaders.Set("Impersonate-User", userInfo.GetName())`
			`for _, group := range userInfo.GetGroups() {`
			`newHeaders.Add("Impersonate-Group", group)`
			`}`
			`for _, header := range allowedHeaders {`
			`values := requestHeaders.Values(header)`
			`for i := range values {`
			`newHeaders.Add(header, values[i])`
			`}`
			`}`
			`return newHeaders`
			`}`

			`func extractToken(req http.Request) (login.TokenCredentialRequest, error) {`
			`authHeader := req.Header.Get("Authorization")`
			`if authHeader == "" {`
			`return nil, fmt.Errorf("missing authorization header")`
			`}`
			`if !strings.HasPrefix(authHeader, "Bearer ") {`
			`return nil, fmt.Errorf("authorization header must be of type Bearer")`
			`}`
			`encoded := strings.TrimPrefix(authHeader, "Bearer ")`
			`tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(encoded)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)`
			`}`

			`var v1alpha1Req loginv1alpha1.TokenCredentialRequest`
			`if err := json.Unmarshal(tokenCredentialRequestJSON, &v1alpha1Req); err != nil {`
			`return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: %w", err)`
			`}`
			`var internalReq login.TokenCredentialRequest`
			`if err := loginv1alpha1.Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(&v1alpha1Req, &internalReq, nil); err != nil {`
			`return nil, fmt.Errorf("failed to convert v1alpha1 TokenCredentialRequest to internal version: %w", err)`
			`}`
			`return &internalReq, nil`
			`}`