c6c2c525a6
Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion).
411 lines
11 KiB
Go
411 lines
11 KiB
Go
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
// Package localuserauthenticator provides a authentication webhook program.
|
|
//
|
|
// This webhook is meant to be used in demo settings to play around with
|
|
// Pinniped. As well, it can come in handy in integration tests.
|
|
//
|
|
// This webhook is NOT meant for use in production systems.
|
|
package localuserauthenticator
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/csv"
|
|
"encoding/json"
|
|
"fmt"
|
|
"mime"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"os/signal"
|
|
"strings"
|
|
"syscall"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
kubeinformers "k8s.io/client-go/informers"
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
"go.pinniped.dev/internal/constable"
|
|
"go.pinniped.dev/internal/controller/apicerts"
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
"go.pinniped.dev/internal/crypto/ptls"
|
|
"go.pinniped.dev/internal/dynamiccert"
|
|
"go.pinniped.dev/internal/kubeclient"
|
|
"go.pinniped.dev/internal/plog"
|
|
)
|
|
|
|
const (
|
|
// This string must match the name of the Namespace declared in the deployment yaml.
|
|
namespace = "local-user-authenticator"
|
|
// This string must match the name of the Service declared in the deployment yaml.
|
|
serviceName = "local-user-authenticator"
|
|
|
|
singletonWorker = 1
|
|
defaultResyncInterval = 3 * time.Minute
|
|
|
|
invalidRequest = constable.Error("invalid request")
|
|
)
|
|
|
|
type webhook struct {
|
|
certProvider dynamiccert.Private
|
|
secretInformer corev1informers.SecretInformer
|
|
}
|
|
|
|
func newWebhook(
|
|
certProvider dynamiccert.Private,
|
|
secretInformer corev1informers.SecretInformer,
|
|
) *webhook {
|
|
return &webhook{
|
|
certProvider: certProvider,
|
|
secretInformer: secretInformer,
|
|
}
|
|
}
|
|
|
|
// start runs the webhook in a separate goroutine and returns whether or not the
|
|
// webhook was started successfully.
|
|
func (w *webhook) start(ctx context.Context, l net.Listener) error {
|
|
c := ptls.Secure(nil)
|
|
c.GetCertificate = func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
certPEM, keyPEM := w.certProvider.CurrentCertKeyContent()
|
|
cert, err := tls.X509KeyPair(certPEM, keyPEM)
|
|
return &cert, err
|
|
}
|
|
server := http.Server{
|
|
Handler: w,
|
|
TLSConfig: c,
|
|
ReadHeaderTimeout: 10 * time.Second,
|
|
}
|
|
|
|
errCh := make(chan error)
|
|
go func() {
|
|
// Per ListenAndServeTLS doc, the {cert,key}File parameters can be empty
|
|
// since we want to use the certs from http.Server.TLSConfig.
|
|
errCh <- server.ServeTLS(l, "", "")
|
|
}()
|
|
|
|
go func() {
|
|
select {
|
|
case err := <-errCh:
|
|
plog.Debug("server exited", "err", err)
|
|
case <-ctx.Done():
|
|
plog.Debug("server context cancelled", "err", ctx.Err())
|
|
if err := server.Shutdown(context.Background()); err != nil {
|
|
plog.Debug("server shutdown failed", "err", err)
|
|
}
|
|
}
|
|
}()
|
|
|
|
return nil
|
|
}
|
|
|
|
func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
|
|
username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer func() { _ = req.Body.Close() }()
|
|
|
|
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
|
|
notFound := k8serrors.IsNotFound(err)
|
|
if err != nil && !notFound {
|
|
plog.Debug("could not get secret", "err", err)
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if notFound {
|
|
plog.Debug("user not found")
|
|
respondWithUnauthenticated(rsp)
|
|
return
|
|
}
|
|
|
|
passwordMatches := bcrypt.CompareHashAndPassword(
|
|
secret.Data["passwordHash"],
|
|
[]byte(password),
|
|
) == nil
|
|
if !passwordMatches {
|
|
plog.Debug("authentication failed: wrong password")
|
|
respondWithUnauthenticated(rsp)
|
|
return
|
|
}
|
|
|
|
groups := []string{}
|
|
groupsBuf := bytes.NewBuffer(secret.Data["groups"])
|
|
if groupsBuf.Len() > 0 {
|
|
groupsCSVReader := csv.NewReader(groupsBuf)
|
|
groups, err = groupsCSVReader.Read()
|
|
if err != nil {
|
|
plog.Debug("could not read groups", "err", err)
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
trimLeadingAndTrailingWhitespace(groups)
|
|
}
|
|
|
|
plog.Debug("successful authentication")
|
|
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, groups)
|
|
}
|
|
|
|
func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Request) (string, string, error) {
|
|
if req.URL.Path != "/authenticate" {
|
|
plog.Debug("received request path other than /authenticate", "path", req.URL.Path)
|
|
rsp.WriteHeader(http.StatusNotFound)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if req.Method != http.MethodPost {
|
|
plog.Debug("received request method other than post", "method", req.Method)
|
|
rsp.WriteHeader(http.StatusMethodNotAllowed)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if !headerContains(req, "Content-Type", "application/json") {
|
|
plog.Debug("content type is not application/json", "Content-Type", req.Header.Values("Content-Type"))
|
|
rsp.WriteHeader(http.StatusUnsupportedMediaType)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if !headerContains(req, "Accept", "application/json") &&
|
|
!headerContains(req, "Accept", "application/*") &&
|
|
!headerContains(req, "Accept", "*/*") {
|
|
plog.Debug("client does not accept application/json", "Accept", req.Header.Values("Accept"))
|
|
rsp.WriteHeader(http.StatusUnsupportedMediaType)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if req.Body == nil {
|
|
plog.Debug("invalid nil body")
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
var body authenticationv1beta1.TokenReview
|
|
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
|
|
plog.Debug("failed to decode body", "err", err)
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if body.APIVersion != authenticationv1beta1.SchemeGroupVersion.String() {
|
|
plog.Debug("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
if body.Kind != "TokenReview" {
|
|
plog.Debug("invalid TokenReview kind", "kind", body.Kind)
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
|
|
if len(tokenSegments) != 2 {
|
|
plog.Debug("bad token format in request")
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
return "", "", invalidRequest
|
|
}
|
|
|
|
return tokenSegments[0], tokenSegments[1], nil
|
|
}
|
|
|
|
func headerContains(req *http.Request, headerName, s string) bool {
|
|
headerValues := req.Header.Values(headerName)
|
|
for i := range headerValues {
|
|
mimeTypes := strings.Split(headerValues[i], ",")
|
|
for _, mimeType := range mimeTypes {
|
|
mediaType, _, _ := mime.ParseMediaType(mimeType)
|
|
if mediaType == s {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func trimLeadingAndTrailingWhitespace(ss []string) {
|
|
for i := range ss {
|
|
ss[i] = strings.TrimSpace(ss[i])
|
|
}
|
|
}
|
|
|
|
func respondWithUnauthenticated(rsp http.ResponseWriter) {
|
|
rsp.Header().Add("Content-Type", "application/json")
|
|
|
|
body := authenticationv1beta1.TokenReview{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "TokenReview",
|
|
APIVersion: authenticationv1beta1.SchemeGroupVersion.String(),
|
|
},
|
|
Status: authenticationv1beta1.TokenReviewStatus{
|
|
Authenticated: false,
|
|
},
|
|
}
|
|
if err := json.NewEncoder(rsp).Encode(body); err != nil {
|
|
plog.Debug("could not encode response", "err", err)
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
}
|
|
}
|
|
|
|
func respondWithAuthenticated(
|
|
rsp http.ResponseWriter,
|
|
username string,
|
|
groups []string,
|
|
) {
|
|
rsp.Header().Add("Content-Type", "application/json")
|
|
body := authenticationv1beta1.TokenReview{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "TokenReview",
|
|
APIVersion: authenticationv1beta1.SchemeGroupVersion.String(),
|
|
},
|
|
Status: authenticationv1beta1.TokenReviewStatus{
|
|
Authenticated: true,
|
|
User: authenticationv1beta1.UserInfo{
|
|
Username: username,
|
|
Groups: groups,
|
|
},
|
|
},
|
|
}
|
|
if err := json.NewEncoder(rsp).Encode(body); err != nil {
|
|
plog.Debug("could not encode response", "err", err)
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
}
|
|
}
|
|
|
|
func startControllers(
|
|
ctx context.Context,
|
|
dynamicCertProvider dynamiccert.Private,
|
|
kubeClient kubernetes.Interface,
|
|
kubeInformers kubeinformers.SharedInformerFactory,
|
|
) {
|
|
aVeryLongTime := time.Hour * 24 * 365 * 100
|
|
|
|
const certsSecretResourceName = "local-user-authenticator-tls-serving-certificate"
|
|
|
|
// Create controller manager.
|
|
controllerManager := controllerlib.
|
|
NewManager().
|
|
WithController(
|
|
apicerts.NewCertsManagerController(
|
|
namespace,
|
|
certsSecretResourceName,
|
|
map[string]string{
|
|
"app": "local-user-authenticator",
|
|
},
|
|
kubeClient,
|
|
kubeInformers.Core().V1().Secrets(),
|
|
controllerlib.WithInformer,
|
|
controllerlib.WithInitialEvent,
|
|
aVeryLongTime,
|
|
"local-user-authenticator CA",
|
|
serviceName,
|
|
),
|
|
singletonWorker,
|
|
).
|
|
WithController(
|
|
apicerts.NewCertsObserverController(
|
|
namespace,
|
|
certsSecretResourceName,
|
|
dynamicCertProvider,
|
|
kubeInformers.Core().V1().Secrets(),
|
|
controllerlib.WithInformer,
|
|
),
|
|
singletonWorker,
|
|
)
|
|
|
|
kubeInformers.Start(ctx.Done())
|
|
|
|
go controllerManager.Start(ctx)
|
|
}
|
|
|
|
func startWebhook(
|
|
ctx context.Context,
|
|
l net.Listener,
|
|
dynamicCertProvider dynamiccert.Private,
|
|
secretInformer corev1informers.SecretInformer,
|
|
) error {
|
|
return newWebhook(dynamicCertProvider, secretInformer).start(ctx, l)
|
|
}
|
|
|
|
func waitForSignal() os.Signal {
|
|
signalCh := make(chan os.Signal, 1)
|
|
signal.Notify(signalCh, os.Interrupt)
|
|
return <-signalCh
|
|
}
|
|
|
|
func run(ctx context.Context) error {
|
|
client, err := kubeclient.New()
|
|
if err != nil {
|
|
return fmt.Errorf("cannot create k8s client: %w", err)
|
|
}
|
|
|
|
kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(
|
|
client.Kubernetes,
|
|
defaultResyncInterval,
|
|
kubeinformers.WithNamespace(namespace),
|
|
)
|
|
|
|
dynamicCertProvider := dynamiccert.NewServingCert("local-user-authenticator-tls-serving-certificate")
|
|
|
|
startControllers(ctx, dynamicCertProvider, client.Kubernetes, kubeInformers)
|
|
plog.Debug("controllers are ready")
|
|
|
|
//nolint:gosec // Intentionally binding to all network interfaces.
|
|
l, err := net.Listen("tcp", ":8443")
|
|
if err != nil {
|
|
return fmt.Errorf("cannot create listener: %w", err)
|
|
}
|
|
defer func() { _ = l.Close() }()
|
|
|
|
err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
|
|
if err != nil {
|
|
return fmt.Errorf("cannot start webhook: %w", err)
|
|
}
|
|
plog.Debug("webhook is ready", "address", l.Addr().String())
|
|
|
|
gotSignal := waitForSignal()
|
|
plog.Debug("webhook exiting", "signal", gotSignal)
|
|
|
|
return nil
|
|
}
|
|
|
|
func main() error { // return an error instead of plog.Fatal to allow defer statements to run
|
|
ctx := signalCtx()
|
|
|
|
// Hardcode the logging level to debug, since this is a test app and it is very helpful to have
|
|
// verbose logs to debug test failures.
|
|
if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, plog.LogSpec{Level: plog.LevelDebug}); err != nil {
|
|
plog.Fatal(err)
|
|
}
|
|
|
|
return run(ctx)
|
|
}
|
|
|
|
func Main() {
|
|
if err := main(); err != nil {
|
|
plog.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func signalCtx() context.Context {
|
|
signalCh := make(chan os.Signal, 1)
|
|
signal.Notify(signalCh, os.Interrupt, syscall.SIGTERM)
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
go func() {
|
|
defer cancel()
|
|
|
|
s := <-signalCh
|
|
plog.Debug("saw signal", "signal", s)
|
|
}()
|
|
|
|
return ctx
|
|
}
|