k3s/pkg/server/auth.go

package server

import (
	"net/http"

	"github.com/gorilla/mux"
	"github.com/k3s-io/k3s/pkg/daemons/config"
	"github.com/k3s-io/k3s/pkg/generated/clientset/versioned/scheme"
	"github.com/sirupsen/logrus"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
	"k8s.io/apiserver/pkg/endpoints/request"
)

func hasRole(mustRoles []string, roles []string) bool {
	for _, check := range roles {
		for _, role := range mustRoles {
			if role == check {
				return true
			}
		}
	}
	return false
}

func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw http.ResponseWriter, req *http.Request) {
	switch {
	case serverConfig == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig is nil")
		unauthorized(rw, req)
		return
	case serverConfig.Runtime.Authenticator == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")
		unauthorized(rw, req)
		return
	}

	resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)
	if err != nil {
		logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)
		unauthorized(rw, req)
		return
	}

	if !ok || !hasRole(roles, resp.User.GetGroups()) {
		forbidden(rw, req)
		return
	}

	ctx := request.WithUser(req.Context(), resp.User)
	req = req.WithContext(ctx)
	next.ServeHTTP(rw, req)
}

func authMiddleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
			doAuth(roles, serverConfig, next, rw, req)
		})
	}
}

func unauthorized(resp http.ResponseWriter, req *http.Request) {
	responsewriters.ErrorNegotiated(
		&apierrors.StatusError{ErrStatus: metav1.Status{
			Status:  metav1.StatusFailure,
			Code:    http.StatusUnauthorized,
			Reason:  metav1.StatusReasonUnauthorized,
			Message: "not authorized",
		}},
		scheme.Codecs.WithoutConversion(), schema.GroupVersion{}, resp, req,
	)
}

func forbidden(resp http.ResponseWriter, req *http.Request) {
	responsewriters.ErrorNegotiated(
		&apierrors.StatusError{ErrStatus: metav1.Status{
			Status:  metav1.StatusFailure,
			Code:    http.StatusForbidden,
			Reason:  metav1.StatusReasonForbidden,
			Message: "forbidden",
		}},
		scheme.Codecs.WithoutConversion(), schema.GroupVersion{}, resp, req,
	)
}
Initial Commit 2019-01-01 08:23:01 +00:00			`package server`

			`import (`
			`"net/http"`

			`"github.com/gorilla/mux"`
[master] changing package to k3s-io (#4846) * changing package to k3s-io Signed-off-by: Luther Monson <luther.monson@gmail.com> Co-authored-by: Derek Nola <derek.nola@suse.com> 2022-03-02 23:47:27 +00:00			`"github.com/k3s-io/k3s/pkg/daemons/config"`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`"github.com/k3s-io/k3s/pkg/generated/clientset/versioned/scheme"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`apierrors "k8s.io/apimachinery/pkg/api/errors"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
			`"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"k8s.io/apiserver/pkg/endpoints/request"`
			`)`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func hasRole(mustRoles []string, roles []string) bool {`
			`for _, check := range roles {`
			`for _, role := range mustRoles {`
			`if role == check {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`func doAuth(roles []string, serverConfig config.Control, next http.Handler, rw http.ResponseWriter, req http.Request) {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`switch {`
			`case serverConfig == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig is nil")`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`unauthorized(rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`case serverConfig.Runtime.Authenticator == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`unauthorized(rw, req)`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`return`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

			`resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)`
			`if err != nil {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`unauthorized(rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`if !ok \|\| !hasRole(roles, resp.User.GetGroups()) {`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00			`forbidden(rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
			`}`

			`ctx := request.WithUser(req.Context(), resp.User)`
			`req = req.WithContext(ctx)`
			`next.ServeHTTP(rw, req)`
			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func authMiddleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {`
Initial Commit 2019-01-01 08:23:01 +00:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`doAuth(roles, serverConfig, next, rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`})`
			`}`
			`}`
Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-04-27 09:09:58 +00:00
			`func unauthorized(resp http.ResponseWriter, req *http.Request) {`
			`responsewriters.ErrorNegotiated(`
			`&apierrors.StatusError{ErrStatus: metav1.Status{`
			`Status: metav1.StatusFailure,`
			`Code: http.StatusUnauthorized,`
			`Reason: metav1.StatusReasonUnauthorized,`
			`Message: "not authorized",`
			`}},`
			`scheme.Codecs.WithoutConversion(), schema.GroupVersion{}, resp, req,`
			`)`
			`}`

			`func forbidden(resp http.ResponseWriter, req *http.Request) {`
			`responsewriters.ErrorNegotiated(`
			`&apierrors.StatusError{ErrStatus: metav1.Status{`
			`Status: metav1.StatusFailure,`
			`Code: http.StatusForbidden,`
			`Reason: metav1.StatusReasonForbidden,`
			`Message: "forbidden",`
			`}},`
			`scheme.Codecs.WithoutConversion(), schema.GroupVersion{}, resp, req,`
			`)`
			`}`