Unverified Commit cf3a9309 authored by k8s-ci-robot's avatar k8s-ci-robot Committed by GitHub

Merge pull request #69607 from mikedanese/audctx

tokenreview: add APIAudiences config to generic API server and augment context
parents e42f5215 21fd8f20
...@@ -44,7 +44,7 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut ...@@ -44,7 +44,7 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs) handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
} }
if authenticationInfo != nil { if authenticationInfo != nil {
handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler) handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler, nil)
} }
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver) handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
handler = genericfilters.WithPanicRecovery(handler) handler = genericfilters.WithPanicRecovery(handler)
......
...@@ -252,7 +252,7 @@ func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz ...@@ -252,7 +252,7 @@ func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver) handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs) handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs)
handler = genericapifilters.WithAuthentication(handler, authn, failedHandler) handler = genericapifilters.WithAuthentication(handler, authn, failedHandler, nil)
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver) handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
handler = genericfilters.WithPanicRecovery(handler) handler = genericfilters.WithPanicRecovery(handler)
......
...@@ -29,7 +29,7 @@ import ( ...@@ -29,7 +29,7 @@ import (
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options" genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/util/flag" "k8s.io/apiserver/pkg/util/flag"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator" kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
) )
...@@ -283,8 +283,8 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -283,8 +283,8 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
} }
} }
func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig { func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticator.AuthenticatorConfig {
ret := authenticator.AuthenticatorConfig{ ret := kubeauthenticator.AuthenticatorConfig{
TokenSuccessCacheTTL: s.TokenSuccessCacheTTL, TokenSuccessCacheTTL: s.TokenSuccessCacheTTL,
TokenFailureCacheTTL: s.TokenFailureCacheTTL, TokenFailureCacheTTL: s.TokenFailureCacheTTL,
} }
...@@ -367,6 +367,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error ...@@ -367,6 +367,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
} }
c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
c.Authentication.APIAudiences = o.ServiceAccounts.APIAudiences
return nil return nil
} }
......
...@@ -32,7 +32,7 @@ import ( ...@@ -32,7 +32,7 @@ import (
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler { func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
handler := apiHandler handler := apiHandler
handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil) handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil, nil)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout) handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc) handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
......
...@@ -7,7 +7,10 @@ load( ...@@ -7,7 +7,10 @@ load(
go_library( go_library(
name = "go_default_library", name = "go_default_library",
srcs = ["interfaces.go"], srcs = [
"helpers.go",
"interfaces.go",
],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator", importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator",
importpath = "k8s.io/apiserver/pkg/authentication/authenticator", importpath = "k8s.io/apiserver/pkg/authentication/authenticator",
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"], deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
......
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package authenticator
// Audiences is a container for the Audiences of a token.
type Audiences []string
...@@ -50,12 +50,15 @@ func init() { ...@@ -50,12 +50,15 @@ func init() {
// stores any such user found onto the provided context for the request. If authentication fails or returns an error // stores any such user found onto the provided context for the request. If authentication fails or returns an error
// the failed handler is used. On success, "Authorization" header is removed from the request and handler // the failed handler is used. On success, "Authorization" header is removed from the request and handler
// is invoked to serve the request. // is invoked to serve the request.
func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler) http.Handler { func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler, apiAuds authenticator.Audiences) http.Handler {
if auth == nil { if auth == nil {
glog.Warningf("Authentication is disabled") glog.Warningf("Authentication is disabled")
return handler return handler
} }
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
if len(apiAuds) > 0 {
req = req.WithContext(genericapirequest.WithAudiences(req.Context(), apiAuds))
}
user, ok, err := auth.AuthenticateRequest(req) user, ok, err := auth.AuthenticateRequest(req)
if err != nil || !ok { if err != nil || !ok {
if err != nil { if err != nil {
......
...@@ -50,6 +50,7 @@ func TestAuthenticateRequest(t *testing.T) { ...@@ -50,6 +50,7 @@ func TestAuthenticateRequest(t *testing.T) {
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
t.Errorf("unexpected call to failed") t.Errorf("unexpected call to failed")
}), }),
nil,
) )
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}}) auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})
...@@ -69,6 +70,7 @@ func TestAuthenticateRequestFailed(t *testing.T) { ...@@ -69,6 +70,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
close(failed) close(failed)
}), }),
nil,
) )
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{}) auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
...@@ -88,6 +90,7 @@ func TestAuthenticateRequestError(t *testing.T) { ...@@ -88,6 +90,7 @@ func TestAuthenticateRequestError(t *testing.T) {
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
close(failed) close(failed)
}), }),
nil,
) )
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{}) auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
......
...@@ -35,6 +35,7 @@ go_library( ...@@ -35,6 +35,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
], ],
......
...@@ -21,6 +21,7 @@ import ( ...@@ -21,6 +21,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/apis/audit" "k8s.io/apiserver/pkg/apis/audit"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
) )
...@@ -36,6 +37,9 @@ const ( ...@@ -36,6 +37,9 @@ const (
// auditKey is the context key for the audit event. // auditKey is the context key for the audit event.
auditKey auditKey
// audiencesKey is the context key for request audiences.
audiencesKey
) )
// NewContext instantiates a base context object for request flows. // NewContext instantiates a base context object for request flows.
...@@ -91,3 +95,14 @@ func AuditEventFrom(ctx context.Context) *audit.Event { ...@@ -91,3 +95,14 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
ev, _ := ctx.Value(auditKey).(*audit.Event) ev, _ := ctx.Value(auditKey).(*audit.Event)
return ev return ev
} }
// WithAudiences returns a context that stores a request's expected audiences.
func WithAudiences(ctx context.Context, auds authenticator.Audiences) context.Context {
return context.WithValue(ctx, audiencesKey, auds)
}
// AudiencesFrom returns a request's expected audiences stored in the request context.
func AudiencesFrom(ctx context.Context) (authenticator.Audiences, bool) {
auds, ok := ctx.Value(audiencesKey).(authenticator.Audiences)
return auds, ok
}
...@@ -227,6 +227,9 @@ type SecureServingInfo struct { ...@@ -227,6 +227,9 @@ type SecureServingInfo struct {
} }
type AuthenticationInfo struct { type AuthenticationInfo struct {
// APIAudiences is a list of identifier that the API identifies as. This is
// used by some authenticators to validate audience bound credentials.
APIAudiences authenticator.Audiences
// Authenticator determines which subject is making the request // Authenticator determines which subject is making the request
Authenticator authenticator.Request Authenticator authenticator.Request
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth // SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
...@@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { ...@@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth) failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker) failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler) handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout) handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup) handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment