k3s/pkg/server/auth.go

package server

import (
	"net/http"

	"github.com/gorilla/mux"
	"github.com/rancher/k3s/pkg/daemons/config"
	"github.com/sirupsen/logrus"
	"k8s.io/apiserver/pkg/endpoints/request"
)

func hasRole(mustRoles []string, roles []string) bool {
	for _, check := range roles {
		for _, role := range mustRoles {
			if role == check {
				return true
			}
		}
	}
	return false
}

func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw http.ResponseWriter, req *http.Request) {
	switch {
	case serverConfig == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig is nil")
		rw.WriteHeader(http.StatusUnauthorized)
		return
	case serverConfig.Runtime.Authenticator == nil:
		logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")
		rw.WriteHeader(http.StatusUnauthorized)
		return
	default:
		//
	}

	resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)
	if err != nil {
		logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	if !ok || !hasRole(roles, resp.User.GetGroups()) {
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}

	ctx := request.WithUser(req.Context(), resp.User)
	req = req.WithContext(ctx)
	next.ServeHTTP(rw, req)
}

func authMiddleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
			doAuth(roles, serverConfig, next, rw, req)
		})
	}
}
Initial Commit 2019-01-01 08:23:01 +00:00			`package server`

			`import (`
			`"net/http"`

			`"github.com/gorilla/mux"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"github.com/rancher/k3s/pkg/daemons/config"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
			`"k8s.io/apiserver/pkg/endpoints/request"`
			`)`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func hasRole(mustRoles []string, roles []string) bool {`
			`for _, check := range roles {`
			`for _, role := range mustRoles {`
			`if role == check {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`func doAuth(roles []string, serverConfig config.Control, next http.Handler, rw http.ResponseWriter, req http.Request) {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`switch {`
			`case serverConfig == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig is nil")`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`rw.WriteHeader(http.StatusUnauthorized)`
Initial Commit 2019-01-01 08:23:01 +00:00			`return`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`case serverConfig.Runtime.Authenticator == nil:`
			`logrus.Errorf("Authenticate not initialized: serverConfig.Runtime.Authenticator is nil")`
			`rw.WriteHeader(http.StatusUnauthorized)`
			`return`
			`default:`
			`//`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

			`resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req)`
			`if err != nil {`
Initial Logging Output Update (#2246) This attempts to update logging statements to make them consistent through out the code base. It also adds additional context to messages where possible, simplifies messages, and updates level where necessary. 2020-09-21 16:56:03 +00:00			`logrus.Errorf("Failed to authenticate request from %s: %v", req.RemoteAddr, err)`
Initial Commit 2019-01-01 08:23:01 +00:00			`rw.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`if !ok \|\| !hasRole(roles, resp.User.GetGroups()) {`
Initial Commit 2019-01-01 08:23:01 +00:00			`rw.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`

			`ctx := request.WithUser(req.Context(), resp.User)`
			`req = req.WithContext(ctx)`
			`next.ServeHTTP(rw, req)`
			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func authMiddleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc {`
Initial Commit 2019-01-01 08:23:01 +00:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`doAuth(roles, serverConfig, next, rw, req)`
Initial Commit 2019-01-01 08:23:01 +00:00			`})`
			`}`
			`}`