Fix lint errors

This commit is contained in:
Ryan Richard 2020-09-10 18:34:18 -07:00
parent 4fe609a043
commit 6deaa0fb1a
3 changed files with 54 additions and 45 deletions

View File

@ -35,6 +35,7 @@ import (
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"github.com/suzerain-io/pinniped/internal/constable"
"github.com/suzerain-io/pinniped/internal/controller/apicerts" "github.com/suzerain-io/pinniped/internal/controller/apicerts"
"github.com/suzerain-io/pinniped/internal/controllerlib" "github.com/suzerain-io/pinniped/internal/controllerlib"
"github.com/suzerain-io/pinniped/internal/provider" "github.com/suzerain-io/pinniped/internal/provider"
@ -46,14 +47,13 @@ const (
// This string must match the name of the Service declared in the deployment yaml. // This string must match the name of the Service declared in the deployment yaml.
serviceName = "local-user-authenticator" serviceName = "local-user-authenticator"
// TODO there must be a better way to get this specific json result string without needing to hardcode it unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
// TODO there must be a better way to get this specific json result string without needing to hardcode it
authenticatedResponseTemplate = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"%s","uid":"%s","groups":%s}}}` authenticatedResponseTemplate = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"%s","uid":"%s","groups":%s}}}`
singletonWorker = 1 singletonWorker = 1
defaultResyncInterval = 3 * time.Minute defaultResyncInterval = 3 * time.Minute
invalidRequest = constable.Error("invalid request")
) )
type webhook struct { type webhook struct {
@ -111,47 +111,11 @@ func (w *webhook) start(ctx context.Context, l net.Listener) error {
func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) { func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
defer req.Body.Close() defer req.Body.Close()
if req.URL.Path != "/authenticate" { username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
klog.InfoS("received request path other than /authenticate", "path", req.URL.Path) if err != nil {
rsp.WriteHeader(http.StatusNotFound)
return return
} }
if req.Method != http.MethodPost {
klog.InfoS("received request method other than post", "method", req.Method)
rsp.WriteHeader(http.StatusMethodNotAllowed)
return
}
if !headerContains(req, "Content-Type", "application/json") {
klog.InfoS("content type is not application/json", "Content-Type", req.Header.Values("Content-Type"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return
}
if !headerContains(req, "Accept", "application/json") &&
!headerContains(req, "Accept", "application/*") &&
!headerContains(req, "Accept", "*/*") {
klog.InfoS("client does not accept application/json", "Accept", req.Header.Values("Accept"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return
}
var body authenticationv1.TokenReview
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
klog.InfoS("failed to decode body", "err", err)
rsp.WriteHeader(http.StatusBadRequest)
return
}
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
if len(tokenSegments) != 2 {
klog.InfoS("bad token format in request")
rsp.WriteHeader(http.StatusBadRequest)
return
}
username := tokenSegments[0]
password := tokenSegments[1]
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username) secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
notFound := k8serrors.IsNotFound(err) notFound := k8serrors.IsNotFound(err)
if err != nil && !notFound { if err != nil && !notFound {
@ -193,6 +157,50 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups) respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups)
} }
func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Request) (string, string, error) {
if req.URL.Path != "/authenticate" {
klog.InfoS("received request path other than /authenticate", "path", req.URL.Path)
rsp.WriteHeader(http.StatusNotFound)
return "", "", invalidRequest
}
if req.Method != http.MethodPost {
klog.InfoS("received request method other than post", "method", req.Method)
rsp.WriteHeader(http.StatusMethodNotAllowed)
return "", "", invalidRequest
}
if !headerContains(req, "Content-Type", "application/json") {
klog.InfoS("content type is not application/json", "Content-Type", req.Header.Values("Content-Type"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return "", "", invalidRequest
}
if !headerContains(req, "Accept", "application/json") &&
!headerContains(req, "Accept", "application/*") &&
!headerContains(req, "Accept", "*/*") {
klog.InfoS("client does not accept application/json", "Accept", req.Header.Values("Accept"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return "", "", invalidRequest
}
var body authenticationv1.TokenReview
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
klog.InfoS("failed to decode body", "err", err)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
if len(tokenSegments) != 2 {
klog.InfoS("bad token format in request")
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
return tokenSegments[0], tokenSegments[1], nil
}
func headerContains(req *http.Request, headerName, s string) bool { func headerContains(req *http.Request, headerName, s string) bool {
headerValues := req.Header.Values(headerName) headerValues := req.Header.Values(headerName)
for i := range headerValues { for i := range headerValues {

View File

@ -451,9 +451,9 @@ func unauthenticatedResponseJSON() *string {
} }
func authenticatedResponseJSON(user, uid string, groups []string) *string { func authenticatedResponseJSON(user, uid string, groups []string) *string {
var quotedGroups []string quotedGroups := make([]string, len(groups))
for _, group := range groups { for i, group := range groups {
quotedGroups = append(quotedGroups, `"`+group+`"`) quotedGroups[i] = `"` + group + `"`
} }
// Very specific expected result. Avoid using json package so we know exactly what we're asserting. // Very specific expected result. Avoid using json package so we know exactly what we're asserting.

View File

@ -93,6 +93,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
}) })
for _, group := range expectedTestUserGroups { for _, group := range expectedTestUserGroups {
group := group
t.Run("access as group "+group, func(t *testing.T) { t.Run("access as group "+group, func(t *testing.T) {
addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},