improve identity provider plugin
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
@@ -18,10 +18,13 @@ package basic
|
||||
|
||||
import (
|
||||
"context"
|
||||
"k8s.io/klog"
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
||||
"kubesphere.io/kubesphere/pkg/models/auth"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/im"
|
||||
)
|
||||
|
||||
// TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
|
||||
@@ -30,28 +33,36 @@ import (
|
||||
// and group from user.AllUnauthenticated. This helps requests be passed along the handler chain,
|
||||
// because some resources are public accessible.
|
||||
type basicAuthenticator struct {
|
||||
authenticator im.PasswordAuthenticator
|
||||
authenticator auth.PasswordAuthenticator
|
||||
loginRecorder auth.LoginRecorder
|
||||
}
|
||||
|
||||
func NewBasicAuthenticator(authenticator im.PasswordAuthenticator) authenticator.Password {
|
||||
func NewBasicAuthenticator(authenticator auth.PasswordAuthenticator, loginRecorder auth.LoginRecorder) authenticator.Password {
|
||||
return &basicAuthenticator{
|
||||
authenticator: authenticator,
|
||||
loginRecorder: loginRecorder,
|
||||
}
|
||||
}
|
||||
|
||||
func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) {
|
||||
|
||||
providedUser, err := t.authenticator.Authenticate(username, password)
|
||||
|
||||
authenticated, provider, err := t.authenticator.Authenticate(username, password)
|
||||
if err != nil {
|
||||
if t.loginRecorder != nil && err == auth.IncorrectPasswordError {
|
||||
var sourceIP, userAgent string
|
||||
if requestInfo, ok := request.RequestInfoFrom(ctx); ok {
|
||||
sourceIP = requestInfo.SourceIP
|
||||
userAgent = requestInfo.UserAgent
|
||||
}
|
||||
if err := t.loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, provider, sourceIP, userAgent, err); err != nil {
|
||||
klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err)
|
||||
}
|
||||
}
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
return &authenticator.Response{
|
||||
User: &user.DefaultInfo{
|
||||
Name: providedUser.GetName(),
|
||||
UID: providedUser.GetUID(),
|
||||
Groups: append(providedUser.GetGroups(), user.AllAuthenticated),
|
||||
Name: authenticated.GetName(),
|
||||
Groups: append(authenticated.GetGroups(), user.AllAuthenticated),
|
||||
},
|
||||
}, true, nil
|
||||
}
|
||||
|
||||
@@ -18,13 +18,13 @@ package jwttoken
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/klog"
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/models/auth"
|
||||
|
||||
iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/im"
|
||||
)
|
||||
|
||||
// TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
|
||||
@@ -33,11 +33,11 @@ import (
|
||||
// and group from user.AllUnauthenticated. This helps requests be passed along the handler chain,
|
||||
// because some resources are public accessible.
|
||||
type tokenAuthenticator struct {
|
||||
tokenOperator im.TokenManagementInterface
|
||||
tokenOperator auth.TokenManagementInterface
|
||||
userLister iamv1alpha2listers.UserLister
|
||||
}
|
||||
|
||||
func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token {
|
||||
func NewTokenAuthenticator(tokenOperator auth.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token {
|
||||
return &tokenAuthenticator{
|
||||
tokenOperator: tokenOperator,
|
||||
userLister: userLister,
|
||||
@@ -51,6 +51,16 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
if providedUser.GetName() == iamv1alpha2.PreRegistrationUser {
|
||||
return &authenticator.Response{
|
||||
User: &user.DefaultInfo{
|
||||
Name: providedUser.GetName(),
|
||||
Extra: providedUser.GetExtra(),
|
||||
Groups: providedUser.GetGroups(),
|
||||
},
|
||||
}, true, nil
|
||||
}
|
||||
|
||||
dbUser, err := t.userLister.Get(providedUser.GetName())
|
||||
if err != nil {
|
||||
return nil, false, err
|
||||
@@ -58,8 +68,7 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
|
||||
|
||||
return &authenticator.Response{
|
||||
User: &user.DefaultInfo{
|
||||
Name: providedUser.GetName(),
|
||||
UID: providedUser.GetUID(),
|
||||
Name: dbUser.GetName(),
|
||||
Groups: append(dbUser.Spec.Groups, user.AllAuthenticated),
|
||||
},
|
||||
}, true, nil
|
||||
|
||||
Reference in New Issue
Block a user