登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > 服务器应用 > 容器/虚拟机 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
36 Star 396 Fork 71

GVPrancher / rancher

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
authenticate.go 4.51 KB
一键复制 编辑 原始数据 按行查看 历史
Dan Ramich 提交于 2019-06-12 13:38 . goimport linting changes
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
package requests



import (

	"context"

	"fmt"

	"net/http"

	"strings"



	"github.com/rancher/rancher/pkg/auth/tokens"

	"github.com/rancher/rancher/pkg/clusterrouter"

	v3 "github.com/rancher/types/apis/management.cattle.io/v3"

	"github.com/rancher/types/config"

	apierrors "k8s.io/apimachinery/pkg/api/errors"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"k8s.io/apiserver/pkg/authentication/user"

	"k8s.io/client-go/tools/cache"

)



type Authenticator interface {

	Authenticate(req *http.Request) (authed bool, user string, groups []string, err error)

	TokenFromRequest(req *http.Request) (*v3.Token, error)

}



func NewAuthenticator(ctx context.Context, mgmtCtx *config.ScaledContext) Authenticator {

	tokenInformer := mgmtCtx.Management.Tokens("").Controller().Informer()

	tokenInformer.AddIndexers(map[string]cache.IndexFunc{tokenKeyIndex: tokenKeyIndexer})



	return &tokenAuthenticator{

		ctx:                 ctx,

		tokenIndexer:        tokenInformer.GetIndexer(),

		tokenClient:         mgmtCtx.Management.Tokens(""),

		userAttributeLister: mgmtCtx.Management.UserAttributes("").Controller().Lister(),

		userAttributes:      mgmtCtx.Management.UserAttributes(""),

		userLister:          mgmtCtx.Management.Users("").Controller().Lister(),

	}

}



type tokenAuthenticator struct {

	ctx                 context.Context

	tokenIndexer        cache.Indexer

	tokenClient         v3.TokenInterface

	userAttributes      v3.UserAttributeInterface

	userAttributeLister v3.UserAttributeLister

	userLister          v3.UserLister

}



const (

	tokenKeyIndex = "authn.management.cattle.io/token-key-index"

)



func tokenKeyIndexer(obj interface{}) ([]string, error) {

	token, ok := obj.(*v3.Token)

	if !ok {

		return []string{}, nil

	}



	return []string{token.Token}, nil

}



func (a *tokenAuthenticator) Authenticate(req *http.Request) (bool, string, []string, error) {

	token, err := a.TokenFromRequest(req)

	if err != nil {

		return false, "", []string{}, err

	}



	if token.Enabled != nil && !*token.Enabled {

		return false, "", []string{}, fmt.Errorf("user's token is not enabled")

	}

	if token.ClusterName != "" && token.ClusterName != clusterrouter.GetClusterID(req) {

		return false, "", []string{}, fmt.Errorf("clusterID does not match")

	}



	attribs, err := a.userAttributeLister.Get("", token.UserID)

	if err != nil && !apierrors.IsNotFound(err) {

		return false, "", []string{}, err

	}



	u, err := a.userLister.Get("", token.UserID)

	if err != nil {

		return false, "", []string{}, err

	}



	if u.Enabled != nil && !*u.Enabled {

		return false, "", []string{}, fmt.Errorf("user is not enabled")

	}



	var groups []string

	hitProvider := false

	if attribs != nil {

		for provider, gps := range attribs.GroupPrincipals {

			if provider == token.AuthProvider {

				hitProvider = true

			}

			for _, principal := range gps.Items {

				name := strings.TrimPrefix(principal.Name, "local://")

				groups = append(groups, name)

			}

		}

	}



	// fallback to legacy token.GroupPrincipals

	if !hitProvider {

		for _, principal := range token.GroupPrincipals {

			// TODO This is a short cut for now. Will actually need to lookup groups in future

			name := strings.TrimPrefix(principal.Name, "local://")

			groups = append(groups, name)

		}

	}



	groups = append(groups, user.AllAuthenticated)



	return true, token.UserID, groups, nil

}



func (a *tokenAuthenticator) TokenFromRequest(req *http.Request) (*v3.Token, error) {

	tokenAuthValue := tokens.GetTokenAuthFromRequest(req)

	if tokenAuthValue == "" {

		return nil, fmt.Errorf("must authenticate")

	}



	tokenName, tokenKey := tokens.SplitTokenParts(tokenAuthValue)

	if tokenName == "" || tokenKey == "" {

		return nil, fmt.Errorf("must authenticate")

	}



	lookupUsingClient := false

	objs, err := a.tokenIndexer.ByIndex(tokenKeyIndex, tokenKey)

	if err != nil {

		if apierrors.IsNotFound(err) {

			lookupUsingClient = true

		} else {

			return nil, fmt.Errorf("failed to retrieve auth token from cache, error: %v", err)

		}

	} else if len(objs) == 0 {

		lookupUsingClient = true

	}



	storedToken := &v3.Token{}

	if lookupUsingClient {

		storedToken, err = a.tokenClient.Get(tokenName, metav1.GetOptions{})

		if err != nil {

			if apierrors.IsNotFound(err) {

				return nil, fmt.Errorf("must authenticate")

			}

			return nil, fmt.Errorf("failed to retrieve auth token, error: %#v", err)

		}

	} else {

		storedToken = objs[0].(*v3.Token)

	}



	if storedToken.Token != tokenKey || storedToken.ObjectMeta.Name != tokenName {

		return nil, fmt.Errorf("must authenticate")

	}



	if tokens.IsExpired(*storedToken) {

		return nil, fmt.Errorf("must authenticate")

	}



	return storedToken, nil

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.2.13-rc1
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
344bd9b3 5694891 D2dac590 5694891