package server import ( "net/http" "github.com/gorilla/mux" "github.com/rancher/k3s/pkg/daemons/config" "github.com/sirupsen/logrus" "k8s.io/apiserver/pkg/endpoints/request" ) func hasRole(mustRoles []string, roles []string) bool { for _, check := range roles { for _, role := range mustRoles { if role == check { return true } } } return false } func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw http.ResponseWriter, req *http.Request) { if serverConfig == nil || serverConfig.Runtime.Authenticator == nil { logrus.Errorf("authenticate not initialized") rw.WriteHeader(http.StatusUnauthorized) return } resp, ok, err := serverConfig.Runtime.Authenticator.AuthenticateRequest(req) if err != nil { logrus.Errorf("failed to authenticate request: %v", err) rw.WriteHeader(http.StatusInternalServerError) return } if !ok || !hasRole(roles, resp.User.GetGroups()) { rw.WriteHeader(http.StatusUnauthorized) return } ctx := request.WithUser(req.Context(), resp.User) req = req.WithContext(ctx) next.ServeHTTP(rw, req) } func authMiddleware(serverConfig *config.Control, roles ...string) mux.MiddlewareFunc { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { doAuth(roles, serverConfig, next, rw, req) }) } }