internal/concierge/impersonator: reuse kube bearertoken.Authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
22a3e73bac
commit
b3cdc438ce
@ -14,11 +14,14 @@ import (
|
|||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
|
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/transport"
|
"k8s.io/client-go/transport"
|
||||||
|
|
||||||
"go.pinniped.dev/generated/1.20/apis/concierge/login"
|
"go.pinniped.dev/generated/1.20/apis/concierge/login"
|
||||||
|
"go.pinniped.dev/internal/constable"
|
||||||
"go.pinniped.dev/internal/controller/authenticator/authncache"
|
"go.pinniped.dev/internal/controller/authenticator/authncache"
|
||||||
"go.pinniped.dev/internal/kubeclient"
|
"go.pinniped.dev/internal/kubeclient"
|
||||||
)
|
)
|
||||||
@ -95,38 +98,61 @@ func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
tokenCredentialReq, err := extractToken(r, p.jsonDecoder)
|
// Never mutate request (see http.Handler docs).
|
||||||
|
newR := r.Clone(r.Context())
|
||||||
|
|
||||||
|
authentication, authenticated, err := bearertoken.New(authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
|
||||||
|
tokenCredentialReq, err := extractToken(token, p.jsonDecoder)
|
||||||
|
if err != nil {
|
||||||
|
log.Error(err, "invalid token encoding")
|
||||||
|
return nil, false, &httpError{message: "invalid token encoding", code: http.StatusBadRequest}
|
||||||
|
}
|
||||||
|
|
||||||
|
log = log.WithValues(
|
||||||
|
"authenticator", tokenCredentialReq.Spec.Authenticator,
|
||||||
|
)
|
||||||
|
|
||||||
|
userInfo, err := p.cache.AuthenticateTokenCredentialRequest(newR.Context(), tokenCredentialReq)
|
||||||
|
if err != nil {
|
||||||
|
log.Error(err, "received invalid token")
|
||||||
|
return nil, false, &httpError{message: "invalid token", code: http.StatusUnauthorized}
|
||||||
|
}
|
||||||
|
if userInfo == nil {
|
||||||
|
log.Info("received token that did not authenticate")
|
||||||
|
return nil, false, &httpError{message: "not authenticated", code: http.StatusUnauthorized}
|
||||||
|
}
|
||||||
|
log = log.WithValues("userID", userInfo.GetUID())
|
||||||
|
|
||||||
|
return &authenticator.Response{User: userInfo}, true, nil
|
||||||
|
})).AuthenticateRequest(newR)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(err, "invalid token encoding")
|
httpErr, ok := err.(*httpError)
|
||||||
|
if !ok {
|
||||||
|
log.Error(err, "unrecognized error")
|
||||||
|
http.Error(w, "unrecognized error", http.StatusInternalServerError)
|
||||||
|
}
|
||||||
|
http.Error(w, httpErr.message, httpErr.code)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !authenticated {
|
||||||
|
log.Error(constable.Error("token authenticator did not find token"), "invalid token encoding")
|
||||||
http.Error(w, "invalid token encoding", http.StatusBadRequest)
|
http.Error(w, "invalid token encoding", http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
log = log.WithValues(
|
|
||||||
"authenticator", tokenCredentialReq.Spec.Authenticator,
|
|
||||||
)
|
|
||||||
|
|
||||||
userInfo, err := p.cache.AuthenticateTokenCredentialRequest(r.Context(), tokenCredentialReq)
|
newR.Header = getProxyHeaders(authentication.User, r.Header)
|
||||||
if err != nil {
|
|
||||||
log.Error(err, "received invalid token")
|
|
||||||
http.Error(w, "invalid token", http.StatusUnauthorized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if userInfo == nil {
|
|
||||||
log.Info("received token that did not authenticate")
|
|
||||||
http.Error(w, "not authenticated", http.StatusUnauthorized)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
log = log.WithValues("userID", userInfo.GetUID())
|
|
||||||
|
|
||||||
// Never mutate request (see http.Handler docs).
|
|
||||||
newR := r.WithContext(r.Context())
|
|
||||||
newR.Header = getProxyHeaders(userInfo, r.Header)
|
|
||||||
|
|
||||||
log.Info("proxying authenticated request")
|
log.Info("proxying authenticated request")
|
||||||
p.proxy.ServeHTTP(w, newR)
|
p.proxy.ServeHTTP(w, newR)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type httpError struct {
|
||||||
|
message string
|
||||||
|
code int
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *httpError) Error() string { return e.message }
|
||||||
|
|
||||||
func ensureNoImpersonationHeaders(r *http.Request) error {
|
func ensureNoImpersonationHeaders(r *http.Request) error {
|
||||||
if _, ok := r.Header[transport.ImpersonateUserHeader]; ok {
|
if _, ok := r.Header[transport.ImpersonateUserHeader]; ok {
|
||||||
return fmt.Errorf("%q header already exists", transport.ImpersonateUserHeader)
|
return fmt.Errorf("%q header already exists", transport.ImpersonateUserHeader)
|
||||||
@ -191,16 +217,8 @@ func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header
|
|||||||
return newHeaders
|
return newHeaders
|
||||||
}
|
}
|
||||||
|
|
||||||
func extractToken(req *http.Request, jsonDecoder runtime.Decoder) (*login.TokenCredentialRequest, error) {
|
func extractToken(token string, jsonDecoder runtime.Decoder) (*login.TokenCredentialRequest, error) {
|
||||||
authHeader := req.Header.Get("Authorization")
|
tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(token)
|
||||||
if authHeader == "" {
|
|
||||||
return nil, fmt.Errorf("missing authorization header")
|
|
||||||
}
|
|
||||||
if !strings.HasPrefix(authHeader, "Bearer ") {
|
|
||||||
return nil, fmt.Errorf("authorization header must be of type Bearer")
|
|
||||||
}
|
|
||||||
encoded := strings.TrimPrefix(authHeader, "Bearer ")
|
|
||||||
tokenCredentialRequestJSON, err := base64.RawURLEncoding.DecodeString(encoded)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)
|
return nil, fmt.Errorf("invalid base64 in encoded bearer token: %w", err)
|
||||||
}
|
}
|
||||||
@ -209,6 +227,7 @@ func extractToken(req *http.Request, jsonDecoder runtime.Decoder) (*login.TokenC
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("invalid object encoded in bearer token: %w", err)
|
return nil, fmt.Errorf("invalid object encoded in bearer token: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
tokenCredentialRequest, ok := obj.(*login.TokenCredentialRequest)
|
tokenCredentialRequest, ok := obj.(*login.TokenCredentialRequest)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: got %T", obj)
|
return nil, fmt.Errorf("invalid TokenCredentialRequest encoded in bearer token: got %T", obj)
|
||||||
|
@ -190,7 +190,7 @@ func TestImpersonator(t *testing.T) {
|
|||||||
request: newRequest(map[string][]string{}),
|
request: newRequest(map[string][]string{}),
|
||||||
wantHTTPBody: "invalid token encoding\n",
|
wantHTTPBody: "invalid token encoding\n",
|
||||||
wantHTTPStatus: http.StatusBadRequest,
|
wantHTTPStatus: http.StatusBadRequest,
|
||||||
wantLogs: []string{"\"error\"=\"missing authorization header\" \"msg\"=\"invalid token encoding\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
|
wantLogs: []string{"\"error\"=\"token authenticator did not find token\" \"msg\"=\"invalid token encoding\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "authorization header missing bearer prefix",
|
name: "authorization header missing bearer prefix",
|
||||||
@ -198,7 +198,7 @@ func TestImpersonator(t *testing.T) {
|
|||||||
request: newRequest(map[string][]string{"Authorization": {impersonationtoken.Make(t, "test-token", &goodAuthenticator, defaultAPIGroup)}}),
|
request: newRequest(map[string][]string{"Authorization": {impersonationtoken.Make(t, "test-token", &goodAuthenticator, defaultAPIGroup)}}),
|
||||||
wantHTTPBody: "invalid token encoding\n",
|
wantHTTPBody: "invalid token encoding\n",
|
||||||
wantHTTPStatus: http.StatusBadRequest,
|
wantHTTPStatus: http.StatusBadRequest,
|
||||||
wantLogs: []string{"\"error\"=\"authorization header must be of type Bearer\" \"msg\"=\"invalid token encoding\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
|
wantLogs: []string{"\"error\"=\"token authenticator did not find token\" \"msg\"=\"invalid token encoding\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "token is not base64 encoded",
|
name: "token is not base64 encoded",
|
||||||
|
Loading…
Reference in New Issue
Block a user