登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > 服务器应用 > 容器/虚拟机 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
36 Star 396 Fork 71

GVPrancher / rancher

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
tunnel.go 9.64 KB
一键复制 编辑 原始数据 按行查看 历史
Darren Shepherd 提交于 2018-09-17 15:49 . Shard user controllers
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368
package tunnelserver



import (

	"crypto/md5"

	"encoding/base64"

	"encoding/hex"

	"encoding/json"

	"errors"

	"fmt"

	"net/http"

	"reflect"

	"strings"



	"github.com/rancher/norman/types/convert"

	"github.com/rancher/rancher/pkg/remotedialer"

	"github.com/rancher/types/apis/management.cattle.io/v3"

	"github.com/rancher/types/client/management/v3"

	"github.com/rancher/types/config"

	apierrors "k8s.io/apimachinery/pkg/api/errors"

	"k8s.io/apimachinery/pkg/apis/meta/v1"

	"k8s.io/client-go/tools/cache"

)



const (

	crtKeyIndex    = "crtKeyIndex"

	nodeKeyIndex   = "nodeKeyIndex"

	importedDriver = "imported"



	Token  = "X-API-Tunnel-Token"

	Params = "X-API-Tunnel-Params"

)



type cluster struct {

	Address string `json:"address"`

	Token   string `json:"token"`

	CACert  string `json:"caCert"`

}



type input struct {

	Node    *client.Node `json:"node"`

	Cluster *cluster     `json:"cluster"`

}



func NewTunnelServer(authorizer *Authorizer) *remotedialer.Server {

	return remotedialer.New(authorizer.authorizeTunnel, remotedialer.DefaultErrorWriter)

}



func NewAuthorizer(context *config.ScaledContext) *Authorizer {

	auth := &Authorizer{

		crtIndexer:    context.Management.ClusterRegistrationTokens("").Controller().Informer().GetIndexer(),

		clusterLister: context.Management.Clusters("").Controller().Lister(),

		nodeIndexer:   context.Management.Nodes("").Controller().Informer().GetIndexer(),

		machineLister: context.Management.Nodes("").Controller().Lister(),

		machines:      context.Management.Nodes(""),

		clusters:      context.Management.Clusters(""),

	}

	context.Management.ClusterRegistrationTokens("").Controller().Informer().AddIndexers(map[string]cache.IndexFunc{

		crtKeyIndex: auth.crtIndex,

	})

	context.Management.Nodes("").Controller().Informer().AddIndexers(map[string]cache.IndexFunc{

		nodeKeyIndex: auth.nodeIndex,

	})

	return auth

}



type Authorizer struct {

	crtIndexer    cache.Indexer

	clusterLister v3.ClusterLister

	nodeIndexer   cache.Indexer

	machineLister v3.NodeLister

	machines      v3.NodeInterface

	clusters      v3.ClusterInterface

}



type Client struct {

	Cluster *v3.Cluster

	Node    *v3.Node

	Token   string

	Server  string

}



func (t *Authorizer) authorizeTunnel(req *http.Request) (string, bool, error) {

	client, ok, err := t.Authorize(req)

	if client != nil && client.Node != nil {

		return client.Cluster.Name + ":" + client.Node.Name, ok, err

	} else if client != nil && client.Cluster != nil {

		return client.Cluster.Name, ok, err

	}



	return "", false, err

}



func (t *Authorizer) AuthorizeLocalNode(username, password string) (string, []string, *v3.Cluster, bool) {

	cluster, err := t.getClusterByToken(password)

	if err != nil || cluster == nil || cluster.Status.Driver != v3.ClusterDriverLocal {

		return "", nil, nil, false

	}

	if username == "kube-proxy" {

		return "system:kube-proxy", nil, cluster, true

	}

	return "system:node:" + username, []string{"system:nodes"}, cluster, true

}



func (t *Authorizer) Authorize(req *http.Request) (*Client, bool, error) {

	token := req.Header.Get(Token)

	if token == "" {

		return nil, false, nil

	}



	cluster, err := t.getClusterByToken(token)

	if err != nil || cluster == nil {

		return nil, false, err

	}



	input, err := t.readInput(cluster, req)

	if err != nil {

		return nil, false, err

	}



	if input.Node != nil {

		register := strings.HasSuffix(req.URL.Path, "/register")



		node, ok, err := t.authorizeNode(register, cluster, input.Node, req)

		if err != nil {

			return nil, false, err

		}

		if register && node.Status.NodeConfig != nil && input.Node.CustomConfig != nil {

			node = node.DeepCopy()

			node.Status.NodeConfig.Address = input.Node.CustomConfig.Address

			node.Status.NodeConfig.InternalAddress = input.Node.CustomConfig.InternalAddress

		}

		return &Client{

			Cluster: cluster,

			Node:    node,

			Token:   token,

			Server:  req.Host,

		}, ok, err

	}



	if input.Cluster != nil {

		cluster, ok, err := t.authorizeCluster(cluster, input.Cluster, req)

		return &Client{

			Cluster: cluster,

			Token:   token,

			Server:  req.Host,

		}, ok, err

	}



	return nil, false, nil

}



func (t *Authorizer) getMachine(cluster *v3.Cluster, inNode *client.Node) (*v3.Node, error) {

	machineName := machineName(inNode)

	machine, err := t.machineLister.Get(cluster.Name, machineName)

	if apierrors.IsNotFound(err) {

		if objs, err := t.nodeIndexer.ByIndex(nodeKeyIndex, fmt.Sprintf("%s/%s", cluster.Name, inNode.RequestedHostname)); err == nil {

			for _, obj := range objs {

				return obj.(*v3.Node), err

			}

		}



		machine, err := t.machineLister.Get(cluster.Name, inNode.RequestedHostname)

		if err == nil {

			return machine, nil

		}

	}



	return machine, err

}



func (t *Authorizer) authorizeNode(register bool, cluster *v3.Cluster, inNode *client.Node, req *http.Request) (*v3.Node, bool, error) {

	machine, err := t.getMachine(cluster, inNode)

	if apierrors.IsNotFound(err) {

		if !register {

			return nil, false, err

		}

		machine, err = t.createNode(inNode, cluster, req)

		if err != nil {

			return nil, false, err

		}

	} else if err != nil && machine == nil {

		return nil, false, err

	}



	if register {

		machine, err = t.updateNode(machine, inNode, cluster)

		if err != nil {

			return nil, false, err

		}

	}



	machine, err = t.updateDockerInfo(machine, inNode)

	return machine, true, err

}



func (t *Authorizer) createNode(inNode *client.Node, cluster *v3.Cluster, req *http.Request) (*v3.Node, error) {

	customConfig := t.toCustomConfig(inNode)

	if customConfig == nil {

		return nil, errors.New("invalid input, missing custom config")

	}



	if customConfig.Address == "" {

		return nil, errors.New("invalid input, address empty")

	}



	name := machineName(inNode)



	machine := &v3.Node{

		ObjectMeta: v1.ObjectMeta{

			Name:      name,

			Namespace: cluster.Name,

		},

		Spec: v3.NodeSpec{

			Etcd:              inNode.Etcd,

			ControlPlane:      inNode.ControlPlane,

			Worker:            inNode.Worker,

			RequestedHostname: inNode.RequestedHostname,

			CustomConfig:      customConfig,

			Imported:          true,

		},

	}



	return t.machines.Create(machine)

}



func (t *Authorizer) updateDockerInfo(machine *v3.Node, inNode *client.Node) (*v3.Node, error) {

	if inNode.DockerInfo == nil {

		return machine, nil

	}



	dockerInfo := &v3.DockerInfo{}

	err := convert.ToObj(inNode.DockerInfo, dockerInfo)

	if err != nil {

		return nil, err

	}



	newMachine := machine.DeepCopy()

	newMachine.Status.DockerInfo = dockerInfo

	if !reflect.DeepEqual(machine, newMachine) {

		return t.machines.Update(newMachine)

	}

	return machine, nil

}



func (t *Authorizer) updateNode(machine *v3.Node, inNode *client.Node, cluster *v3.Cluster) (*v3.Node, error) {

	newMachine := machine.DeepCopy()

	newMachine.Spec.Etcd = inNode.Etcd

	newMachine.Spec.ControlPlane = inNode.ControlPlane

	newMachine.Spec.Worker = inNode.Worker

	if !reflect.DeepEqual(machine, newMachine) {

		return t.machines.Update(newMachine)

	}

	return machine, nil

}



func (t *Authorizer) authorizeCluster(cluster *v3.Cluster, inCluster *cluster, req *http.Request) (*v3.Cluster, bool, error) {

	var (

		err error

	)



	if cluster.Status.Driver != importedDriver && cluster.Status.Driver != "" {

		return cluster, true, nil

	}



	changed := false

	if cluster.Status.Driver == "" {

		cluster.Status.Driver = importedDriver

		changed = true

	}



	apiEndpoint := "https://" + inCluster.Address

	token := inCluster.Token

	caCert := inCluster.CACert



	if cluster.Status.Driver == importedDriver {

		if cluster.Status.APIEndpoint != apiEndpoint ||

			cluster.Status.ServiceAccountToken != token ||

			cluster.Status.CACert != caCert {

			cluster.Status.APIEndpoint = apiEndpoint

			cluster.Status.ServiceAccountToken = token

			cluster.Status.CACert = caCert

			changed = true

		}

	}



	if changed {

		_, err = t.clusters.Update(cluster)

	}



	return cluster, true, err

}



func (t *Authorizer) readInput(cluster *v3.Cluster, req *http.Request) (*input, error) {

	params := req.Header.Get(Params)

	var input input



	bytes, err := base64.StdEncoding.DecodeString(params)

	if err != nil {

		return nil, err

	}



	if err := json.Unmarshal(bytes, &input); err != nil {

		return nil, err

	}



	if input.Node == nil && input.Cluster == nil {

		return nil, errors.New("missing node or cluster registration info")

	}



	if input.Node != nil && input.Node.RequestedHostname == "" {

		return nil, errors.New("invalid input, hostname empty")

	}



	if input.Cluster != nil && input.Cluster.Address == "" {

		return nil, errors.New("invalid input, address empty")

	}



	if input.Cluster != nil && input.Cluster.Token == "" {

		return nil, errors.New("invalid input, token empty")

	}



	if input.Cluster != nil && input.Cluster.CACert == "" {

		return nil, errors.New("invalid input, caCert empty")

	}



	return &input, nil

}



func machineName(machine *client.Node) string {

	digest := md5.Sum([]byte(machine.RequestedHostname))

	return "m-" + hex.EncodeToString(digest[:])[:12]

}



func (t *Authorizer) getClusterByToken(token string) (*v3.Cluster, error) {

	keys, err := t.crtIndexer.ByIndex(crtKeyIndex, token)

	if err != nil {

		return nil, err

	}



	for _, obj := range keys {

		crt := obj.(*v3.ClusterRegistrationToken)

		return t.clusterLister.Get("", crt.Spec.ClusterName)

	}



	return nil, errors.New("cluster not found")

}



func (t *Authorizer) crtIndex(obj interface{}) ([]string, error) {

	crt := obj.(*v3.ClusterRegistrationToken)

	return []string{crt.Status.Token}, nil

}



func (t *Authorizer) nodeIndex(obj interface{}) ([]string, error) {

	node := obj.(*v3.Node)

	return []string{fmt.Sprintf("%s/%s", node.Namespace, node.Status.NodeName)}, nil

}



func (t *Authorizer) toCustomConfig(machine *client.Node) *v3.CustomConfig {

	if machine == nil || machine.CustomConfig == nil {

		return nil

	}



	result := &v3.CustomConfig{}

	if err := convert.ToObj(machine.CustomConfig, result); err != nil {

		return nil

	}

	return result

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.1.0
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
344bd9b3 5694891 D2dac590 5694891