ContainerImage.Pinniped/internal/concierge/impersonator/impersonator.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package impersonator

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"

	"github.com/go-logr/logr"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/transport"

	"go.pinniped.dev/generated/1.20/apis/concierge/login"
	"go.pinniped.dev/internal/controller/authenticator/authncache"
	"go.pinniped.dev/internal/kubeclient"
)

// allowedHeaders are the set of HTTP headers that are allowed to be forwarded through the impersonation proxy.
//nolint: gochecknoglobals
var allowedHeaders = []string{
	"Accept",
	"Accept-Encoding",
	"User-Agent",
	"Connection",
	"Upgrade",
}

type proxy struct {
	cache       *authncache.Cache
	jsonDecoder runtime.Decoder
	proxy       *httputil.ReverseProxy
	log         logr.Logger
}

func New(cache *authncache.Cache, jsonDecoder runtime.Decoder, log logr.Logger) (http.Handler, error) {
	return newInternal(cache, jsonDecoder, log, func() (*rest.Config, error) {
		client, err := kubeclient.New()
		if err != nil {
			return nil, err
		}
		return client.JSONConfig, nil
	})
}

func newInternal(cache *authncache.Cache, jsonDecoder runtime.Decoder, log logr.Logger, getConfig func() (*rest.Config, error)) (*proxy, error) {
	kubeconfig, err := getConfig()
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster config: %w", err)
	}

	serverURL, err := url.Parse(kubeconfig.Host)
	if err != nil {
		return nil, fmt.Errorf("could not parse host URL from in-cluster config: %w", err)
	}

	kubeTransportConfig, err := kubeconfig.TransportConfig()
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster transport config: %w", err)
	}
	kubeTransportConfig.TLS.NextProtos = []string{"http/1.1"}

	kubeRoundTripper, err := transport.New(kubeTransportConfig)
	if err != nil {
		return nil, fmt.Errorf("could not get in-cluster transport: %w", err)
	}

	reverseProxy := httputil.NewSingleHostReverseProxy(serverURL)
	reverseProxy.Transport = kubeRoundTripper

	return &proxy{
		cache:       cache,
		jsonDecoder: jsonDecoder,
		proxy:       reverseProxy,
		log:         log,
	}, nil
}

func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	log := p.log.WithValues(
		"url", r.URL.String(),
		"method", r.Method,
	)

	tokenCredentialReq, err := extractToken(r, p.jsonDecoder)
	if err != nil {
		log.Error(err, "invalid token encoding")
		http.Error(w, "invalid token encoding", http.StatusBadRequest)
		return
	}
	log = log.WithValues(
		"authenticator", tokenCredentialReq.Spec.Authenticator,
	)

	userInfo, err := p.cache.AuthenticateTokenCredentialRequest(r.Context(), tokenCredentialReq)
	if err != nil {
		log.Error(err, "received invalid token")
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}

	if userInfo == nil {
		log.Info("received token that did not authenticate")
		http.Error(w, "not authenticated", http.StatusUnauthorized)
		return
	}
	log = log.WithValues("userID", userInfo.GetUID())

	// Never mutate request (see http.Handler docs).
	newR := r.WithContext(r.Context())
	newR.Header = getProxyHeaders(userInfo, r.Header)

	log.Info("proxying authenticated request")
	p.proxy.ServeHTTP(w, newR)
}

func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header {
	newHeaders := http.Header{}
	newHeaders.Set("Impersonate-User", userInfo.GetName())
	for _, group := range userInfo.GetGroups() {
		newHeaders.Add("Impersonate-Group", group)
	}
	for _, header := range allowedHeaders {
		values := requestHeaders.Values(header)
		for i := range values {
			newHeaders.Add(header, values[i])
		}
	}
	return newHeaders
}

func extractToken(req *http.Request, jsonDecoder runtime.Decoder) (*login.TokenCredentialRequest, error) {
	authHeader := req.Header.Get("Authorization")
	if authHeader == "" {
		return nil, fmt.Errorf("missing authorization header")
	}
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return nil, fmt.Errorf("authorization header must be of type Bearer")
	}
	encoded := strings.TrimPrefix(authHeader, "Bearer ")
	tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)
	}

	obj, err := runtime.Decode(jsonDecoder, tokenCredentialRequestJSON)
	if err != nil {
		return nil, fmt.Errorf("invalid object encoded in bearer token: %w", err)
	}
	tokenCredentialRequest, ok := obj.(*login.TokenCredentialRequest)
	if !ok {
		return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: got %T", obj)
	}

	return tokenCredentialRequest, nil
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package impersonator`

			`import (`
			`"encoding/base64"`
			`"fmt"`
			`"net/http"`
			`"net/http/httputil"`
			`"net/url"`
			`"strings"`

			`"github.com/go-logr/logr"`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`"k8s.io/apimachinery/pkg/runtime"`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`"k8s.io/apiserver/pkg/authentication/user"`
			`"k8s.io/client-go/rest"`
			`"k8s.io/client-go/transport"`

			`"go.pinniped.dev/generated/1.20/apis/concierge/login"`
			`"go.pinniped.dev/internal/controller/authenticator/authncache"`
internal/concierge/impersonator: use kubeconfig from kubeclient Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 20:28:56 +00:00			`"go.pinniped.dev/internal/kubeclient"`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`)`

			`// allowedHeaders are the set of HTTP headers that are allowed to be forwarded through the impersonation proxy.`
			`//nolint: gochecknoglobals`
			`var allowedHeaders = []string{`
			`"Accept",`
			`"Accept-Encoding",`
			`"User-Agent",`
			`"Connection",`
			`"Upgrade",`
			`}`

Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-02-12 01:22:47 +00:00			`type proxy struct {`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`cache *authncache.Cache`
			`jsonDecoder runtime.Decoder`
			`proxy *httputil.ReverseProxy`
			`log logr.Logger`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`

internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`func New(cache *authncache.Cache, jsonDecoder runtime.Decoder, log logr.Logger) (http.Handler, error) {`
			`return newInternal(cache, jsonDecoder, log, func() (*rest.Config, error) {`
internal/concierge/impersonator: use kubeconfig from kubeclient Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 20:28:56 +00:00			`client, err := kubeclient.New()`
			`if err != nil {`
			`return nil, err`
			`}`
			`return client.JSONConfig, nil`
			`})`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`

internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`func newInternal(cache authncache.Cache, jsonDecoder runtime.Decoder, log logr.Logger, getConfig func() (rest.Config, error)) (*proxy, error) {`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`kubeconfig, err := getConfig()`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster config: %w", err)`
			`}`

			`serverURL, err := url.Parse(kubeconfig.Host)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not parse host URL from in-cluster config: %w", err)`
			`}`

			`kubeTransportConfig, err := kubeconfig.TransportConfig()`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster transport config: %w", err)`
			`}`
			`kubeTransportConfig.TLS.NextProtos = []string{"http/1.1"}`

			`kubeRoundTripper, err := transport.New(kubeTransportConfig)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not get in-cluster transport: %w", err)`
			`}`

Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-02-12 01:22:47 +00:00			`reverseProxy := httputil.NewSingleHostReverseProxy(serverURL)`
			`reverseProxy.Transport = kubeRoundTripper`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00
Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-02-12 01:22:47 +00:00			`return &proxy{`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`cache: cache,`
			`jsonDecoder: jsonDecoder,`
			`proxy: reverseProxy,`
			`log: log,`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}, nil`
			`}`

Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-02-12 01:22:47 +00:00			`func (p proxy) ServeHTTP(w http.ResponseWriter, r http.Request) {`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`log := p.log.WithValues(`
			`"url", r.URL.String(),`
			`"method", r.Method,`
			`)`

internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`tokenCredentialReq, err := extractToken(r, p.jsonDecoder)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`if err != nil {`
			`log.Error(err, "invalid token encoding")`
			`http.Error(w, "invalid token encoding", http.StatusBadRequest)`
			`return`
			`}`
			`log = log.WithValues(`
			`"authenticator", tokenCredentialReq.Spec.Authenticator,`
			`)`

			`userInfo, err := p.cache.AuthenticateTokenCredentialRequest(r.Context(), tokenCredentialReq)`
			`if err != nil {`
			`log.Error(err, "received invalid token")`
			`http.Error(w, "invalid token", http.StatusUnauthorized)`
			`return`
			`}`

			`if userInfo == nil {`
			`log.Info("received token that did not authenticate")`
			`http.Error(w, "not authenticated", http.StatusUnauthorized)`
			`return`
			`}`
Only log user ID, not user name/groups. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-01-22 18:12:12 +00:00			`log = log.WithValues("userID", userInfo.GetUID())`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 18:25:24 +00:00			`// Never mutate request (see http.Handler docs).`
			`newR := r.WithContext(r.Context())`
			`newR.Header = getProxyHeaders(userInfo, r.Header)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00
			`log.Info("proxying authenticated request")`
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-09 18:25:24 +00:00			`p.proxy.ServeHTTP(w, newR)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`

			`func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header {`
			`newHeaders := http.Header{}`
			`newHeaders.Set("Impersonate-User", userInfo.GetName())`
			`for _, group := range userInfo.GetGroups() {`
			`newHeaders.Add("Impersonate-Group", group)`
			`}`
			`for _, header := range allowedHeaders {`
			`values := requestHeaders.Values(header)`
			`for i := range values {`
			`newHeaders.Add(header, values[i])`
			`}`
			`}`
			`return newHeaders`
			`}`

internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`func extractToken(req http.Request, jsonDecoder runtime.Decoder) (login.TokenCredentialRequest, error) {`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`authHeader := req.Header.Get("Authorization")`
			`if authHeader == "" {`
			`return nil, fmt.Errorf("missing authorization header")`
			`}`
			`if !strings.HasPrefix(authHeader, "Bearer ") {`
			`return nil, fmt.Errorf("authorization header must be of type Bearer")`
			`}`
			`encoded := strings.TrimPrefix(authHeader, "Bearer ")`
			`tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(encoded)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)`
			`}`

internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`obj, err := runtime.Decode(jsonDecoder, tokenCredentialRequestJSON)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid object encoded in bearer token: %w", err)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`tokenCredentialRequest, ok := obj.(*login.TokenCredentialRequest)`
			`if !ok {`
			`return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: got %T", obj)`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00
			`return tokenCredentialRequest, nil`
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 00:37:02 +00:00			`}`