improve IAM module

Signed-off-by: hongming <talonwan@yunify.com>
2020-05-22 09:35:05 +08:00
parent 0d12529051
commit 8f93266ec0
640 changed files with 50221 additions and 18179 deletions
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
@@ -24,26 +24,47 @@ import (
 	"net/url"
 	"strings"

-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
 	"k8s.io/apiserver/pkg/authentication/user"
 	utilcert "k8s.io/client-go/util/cert"
 )

+// StringSliceProvider is a way to get a string slice value.  It is heavily used for authentication headers among other places.
+type StringSliceProvider interface {
+	// Value returns the current string slice.  Callers should never mutate the returned value.
+	Value() []string
+}
+
+// StringSliceProviderFunc is a function that matches the StringSliceProvider interface
+type StringSliceProviderFunc func() []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (d StringSliceProviderFunc) Value() []string {
+	return d()
+}
+
+// StaticStringSlice a StringSliceProvider that returns a fixed value
+type StaticStringSlice []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (s StaticStringSlice) Value() []string {
+	return s
+}
+
 type requestHeaderAuthRequestHandler struct {
 	// nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
-	nameHeaders []string
+	nameHeaders StringSliceProvider

 	// groupHeaders are the headers to check (case-insensitively) for group membership.  All values of all headers will be added.
-	groupHeaders []string
+	groupHeaders StringSliceProvider

 	// extraHeaderPrefixes are the head prefixes to check (case-insensitively) for filling in
 	// the user.Info.Extra.  All values of all matching headers will be added.
-	extraHeaderPrefixes []string
+	extraHeaderPrefixes StringSliceProvider
 }

-func New(nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
+func New(nameHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator.Request, error) {
 	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
 	if err != nil {
 		return nil, err
@@ -57,11 +78,19 @@ func New(nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []stri
 		return nil, err
 	}

+	return NewDynamic(
+		StaticStringSlice(trimmedNameHeaders),
+		StaticStringSlice(trimmedGroupHeaders),
+		StaticStringSlice(trimmedExtraHeaderPrefixes),
+	), nil
+}
+
+func NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
 	return &requestHeaderAuthRequestHandler{
-		nameHeaders:         trimmedNameHeaders,
-		groupHeaders:        trimmedGroupHeaders,
-		extraHeaderPrefixes: trimmedExtraHeaderPrefixes,
-	}, nil
+		nameHeaders:         nameHeaders,
+		groupHeaders:        groupHeaders,
+		extraHeaderPrefixes: extraHeaderPrefixes,
+	}
 }

 func trimHeaders(headerNames ...string) ([]string, error) {
@@ -78,11 +107,6 @@ func trimHeaders(headerNames ...string) ([]string, error) {
 }

 func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
-	headerAuthenticator, err := New(nameHeaders, groupHeaders, extraHeaderPrefixes)
-	if err != nil {
-		return nil, err
-	}
-
 	if len(clientCA) == 0 {
 		return nil, fmt.Errorf("missing clientCA file")
 	}
@@ -102,26 +126,51 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string,
 		opts.Roots.AddCert(cert)
 	}

-	return x509request.NewVerifier(opts, headerAuthenticator, sets.NewString(proxyClientNames...)), nil
+	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewDynamicVerifyOptionsSecure(
+		x509request.StaticVerifierFn(opts),
+		StaticStringSlice(proxyClientNames),
+		StaticStringSlice(trimmedNameHeaders),
+		StaticStringSlice(trimmedGroupHeaders),
+		StaticStringSlice(trimmedExtraHeaderPrefixes),
+	), nil
+}
+
+func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
+	headerAuthenticator := NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes)
+
+	return x509request.NewDynamicCAVerifier(verifyOptionFn, headerAuthenticator, proxyClientNames)
 }

 func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
-	name := headerValue(req.Header, a.nameHeaders)
+	name := headerValue(req.Header, a.nameHeaders.Value())
 	if len(name) == 0 {
 		return nil, false, nil
 	}
-	groups := allHeaderValues(req.Header, a.groupHeaders)
-	extra := newExtra(req.Header, a.extraHeaderPrefixes)
+	groups := allHeaderValues(req.Header, a.groupHeaders.Value())
+	extra := newExtra(req.Header, a.extraHeaderPrefixes.Value())

 	// clear headers used for authentication
-	for _, headerName := range a.nameHeaders {
+	for _, headerName := range a.nameHeaders.Value() {
 		req.Header.Del(headerName)
 	}
-	for _, headerName := range a.groupHeaders {
+	for _, headerName := range a.groupHeaders.Value() {
 		req.Header.Del(headerName)
 	}
 	for k := range extra {
-		for _, prefix := range a.extraHeaderPrefixes {
+		for _, prefix := range a.extraHeaderPrefixes.Value() {
 			req.Header.Del(prefix + k)
 		}
 	}
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/x509/verify_options.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/x509/verify_options.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package x509
+
+import (
+	"crypto/x509"
+	"fmt"
+
+	"k8s.io/client-go/util/cert"
+)
+
+// StaticVerifierFn is a VerifyOptionFunc that always returns the same value.  This allows verify options that cannot change.
+func StaticVerifierFn(opts x509.VerifyOptions) VerifyOptionFunc {
+	return func() (x509.VerifyOptions, bool) {
+		return opts, true
+	}
+}
+
+// NewStaticVerifierFromFile creates a new verification func from a file.  It reads the content and then fails.
+// It will return a nil function if you pass an empty CA file.
+func NewStaticVerifierFromFile(clientCA string) (VerifyOptionFunc, error) {
+	if len(clientCA) == 0 {
+		return nil, nil
+	}
+
+	// Wrap with an x509 verifier
+	var err error
+	opts := DefaultVerifyOptions()
+	opts.Roots, err = cert.NewPool(clientCA)
+	if err != nil {
+		return nil, fmt.Errorf("error loading certs from  %s: %v", clientCA, err)
+	}
+
+	return StaticVerifierFn(opts), nil
+}
+
+// StringSliceProvider is a way to get a string slice value.  It is heavily used for authentication headers among other places.
+type StringSliceProvider interface {
+	// Value returns the current string slice.  Callers should never mutate the returned value.
+	Value() []string
+}
+
+// StringSliceProviderFunc is a function that matches the StringSliceProvider interface
+type StringSliceProviderFunc func() []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (d StringSliceProviderFunc) Value() []string {
+	return d()
+}
+
+// StaticStringSlice a StringSliceProvider that returns a fixed value
+type StaticStringSlice []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (s StaticStringSlice) Value() []string {
+	return s
+}
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
@@ -82,16 +82,28 @@ func (f UserConversionFunc) User(chain []*x509.Certificate) (*authenticator.Resp
 	return f(chain)
 }

+// VerifyOptionFunc is function which provides a shallow copy of the VerifyOptions to the authenticator.  This allows
+// for cases where the options (particularly the CAs) can change.  If the bool is false, then the returned VerifyOptions
+// are ignored and the authenticator will express "no opinion".  This allows a clear signal for cases where a CertPool
+// is eventually expected, but not currently present.
+type VerifyOptionFunc func() (x509.VerifyOptions, bool)
+
 // Authenticator implements request.Authenticator by extracting user info from verified client certificates
 type Authenticator struct {
-	opts x509.VerifyOptions
-	user UserConversion
+	verifyOptionsFn VerifyOptionFunc
+	user            UserConversion
 }

 // New returns a request.Authenticator that verifies client certificates using the provided
 // VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion
 func New(opts x509.VerifyOptions, user UserConversion) *Authenticator {
-	return &Authenticator{opts, user}
+	return NewDynamic(StaticVerifierFn(opts), user)
+}
+
+// NewDynamic returns a request.Authenticator that verifies client certificates using the provided
+// VerifyOptionFunc (which may be dynamic), and converts valid certificate chains into user.Info using the provided UserConversion
+func NewDynamic(verifyOptionsFn VerifyOptionFunc, user UserConversion) *Authenticator {
+	return &Authenticator{verifyOptionsFn, user}
 }

 // AuthenticateRequest authenticates the request using presented client certificates
@@ -101,7 +113,11 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
 	}

 	// Use intermediates, if provided
-	optsCopy := a.opts
+	optsCopy, ok := a.verifyOptionsFn()
+	// if there are intentionally no verify options, then we cannot authenticate this request
+	if !ok {
+		return nil, false, nil
+	}
 	if optsCopy.Intermediates == nil && len(req.TLS.PeerCertificates) > 1 {
 		optsCopy.Intermediates = x509.NewCertPool()
 		for _, intermediate := range req.TLS.PeerCertificates[1:] {
@@ -133,17 +149,23 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R

 // Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
 type Verifier struct {
-	opts x509.VerifyOptions
-	auth authenticator.Request
+	verifyOptionsFn VerifyOptionFunc
+	auth            authenticator.Request

 	// allowedCommonNames contains the common names which a verified certificate is allowed to have.
 	// If empty, all verified certificates are allowed.
-	allowedCommonNames sets.String
+	allowedCommonNames StringSliceProvider
 }

 // NewVerifier create a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
 func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request {
-	return &Verifier{opts, auth, allowedCommonNames}
+	return NewDynamicCAVerifier(StaticVerifierFn(opts), auth, StaticStringSlice(allowedCommonNames.List()))
+}
+
+// NewDynamicCAVerifier create a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
+// TODO make the allowedCommonNames dynamic
+func NewDynamicCAVerifier(verifyOptionsFn VerifyOptionFunc, auth authenticator.Request, allowedCommonNames StringSliceProvider) authenticator.Request {
+	return &Verifier{verifyOptionsFn, auth, allowedCommonNames}
 }

 // AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth
@@ -153,7 +175,11 @@ func (a *Verifier) AuthenticateRequest(req *http.Request) (*authenticator.Respon
 	}

 	// Use intermediates, if provided
-	optsCopy := a.opts
+	optsCopy, ok := a.verifyOptionsFn()
+	// if there are intentionally no verify options, then we cannot authenticate this request
+	if !ok {
+		return nil, false, nil
+	}
 	if optsCopy.Intermediates == nil && len(req.TLS.PeerCertificates) > 1 {
 		optsCopy.Intermediates = x509.NewCertPool()
 		for _, intermediate := range req.TLS.PeerCertificates[1:] {
@@ -172,12 +198,14 @@ func (a *Verifier) AuthenticateRequest(req *http.Request) (*authenticator.Respon

 func (a *Verifier) verifySubject(subject pkix.Name) error {
 	// No CN restrictions
-	if len(a.allowedCommonNames) == 0 {
+	if len(a.allowedCommonNames.Value()) == 0 {
 		return nil
 	}
 	// Enforce CN restrictions
-	if a.allowedCommonNames.Has(subject.CommonName) {
-		return nil
+	for _, allowedCommonName := range a.allowedCommonNames.Value() {
+		if allowedCommonName == subject.CommonName {
+			return nil
+		}
 	}
 	return fmt.Errorf("x509: subject with cn=%s is not in the allowed list", subject.CommonName)
 }