improve identity provider plugin

Signed-off-by: hongming <talonwan@yunify.com>

pkg/models/auth/authenticator.go

@@ -0,0 +1,259 @@
+/*
+
+ Copyright 2020 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package auth
+
+import (
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"net/mail"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	authuser "k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/klog"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
+	kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
+)
+
+var (
+	RateLimitExceededError  = fmt.Errorf("auth rate limit exceeded")
+	IncorrectPasswordError  = fmt.Errorf("incorrect password")
+	AccountIsNotActiveError = fmt.Errorf("account is not active")
+)
+
+type PasswordAuthenticator interface {
+	Authenticate(username, password string) (authuser.Info, string, error)
+}
+
+type OAuth2Authenticator interface {
+	Authenticate(provider, code string) (authuser.Info, string, error)
+}
+
+type passwordAuthenticator struct {
+	ksClient    kubesphere.Interface
+	userGetter  *userGetter
+	authOptions *authoptions.AuthenticationOptions
+}
+
+type oauth2Authenticator struct {
+	ksClient    kubesphere.Interface
+	userGetter  *userGetter
+	authOptions *authoptions.AuthenticationOptions
+}
+
+type userGetter struct {
+	userLister iamv1alpha2listers.UserLister
+}
+
+func NewPasswordAuthenticator(ksClient kubesphere.Interface,
+	userLister iamv1alpha2listers.UserLister,
+	options *authoptions.AuthenticationOptions) PasswordAuthenticator {
+	passwordAuthenticator := &passwordAuthenticator{
+		ksClient:    ksClient,
+		userGetter:  &userGetter{userLister: userLister},
+		authOptions: options,
+	}
+	return passwordAuthenticator
+}
+
+func NewOAuth2Authenticator(ksClient kubesphere.Interface,
+	userLister iamv1alpha2listers.UserLister,
+	options *authoptions.AuthenticationOptions) OAuth2Authenticator {
+	oauth2Authenticator := &oauth2Authenticator{
+		ksClient:    ksClient,
+		userGetter:  &userGetter{userLister: userLister},
+		authOptions: options,
+	}
+	return oauth2Authenticator
+}
+
+func (p *passwordAuthenticator) Authenticate(username, password string) (authuser.Info, string, error) {
+	// empty username or password are not allowed
+	if username == "" || password == "" {
+		return nil, "", IncorrectPasswordError
+	}
+	// generic identity provider has higher priority
+	for _, providerOptions := range p.authOptions.OAuthOptions.IdentityProviders {
+		// the admin account in kubesphere has the highest priority
+		if username == constants.AdminUserName {
+			break
+		}
+		if genericProvider, _ := identityprovider.CreateGenericProvider(providerOptions.Type, providerOptions.Provider); genericProvider != nil {
+			authenticated, err := genericProvider.Authenticate(username, password)
+			if err != nil {
+				if errors.IsUnauthorized(err) {
+					continue
+				}
+				return nil, providerOptions.Name, err
+			}
+			linkedAccount, err := p.userGetter.findLinkedAccount(providerOptions.Name, authenticated.GetUserID())
+			// using this method requires you to manually provision users.
+			if providerOptions.MappingMethod == oauth.MappingMethodLookup && linkedAccount == nil {
+				continue
+			}
+			if linkedAccount != nil {
+				return &authuser.DefaultInfo{Name: linkedAccount.GetName()}, providerOptions.Name, nil
+			}
+			// the user will automatically create and mapping when login successful.
+			if providerOptions.MappingMethod == oauth.MappingMethodAuto {
+				return preRegistrationUser(providerOptions.Name, authenticated), providerOptions.Name, nil
+			}
+		}
+	}
+
+	// kubesphere account
+	user, err := p.userGetter.findUser(username)
+	if err != nil {
+		// ignore not found error
+		if !errors.IsNotFound(err) {
+			klog.Error(err)
+			return nil, "", err
+		}
+	}
+
+	// check user status
+	if user != nil && (user.Status.State == nil || *user.Status.State != iamv1alpha2.UserActive) {
+		if user.Status.State != nil && *user.Status.State == iamv1alpha2.UserAuthLimitExceeded {
+			klog.Errorf("%s, username: %s", RateLimitExceededError, username)
+			return nil, "", RateLimitExceededError
+		} else {
+			// state not active
+			klog.Errorf("%s, username: %s", AccountIsNotActiveError, username)
+			return nil, "", AccountIsNotActiveError
+		}
+	}
+
+	// if the password is not empty, means that the password has been reset, even if the user was mapping from IDP
+	if user != nil && user.Spec.EncryptedPassword != "" {
+		if err = PasswordVerify(user.Spec.EncryptedPassword, password); err != nil {
+			klog.Error(err)
+			return nil, "", err
+		}
+		u := &authuser.DefaultInfo{
+			Name: user.Name,
+		}
+		// check if the password is initialized
+		if uninitialized := user.Annotations[iamv1alpha2.UninitializedAnnotation]; uninitialized != "" {
+			u.Extra = map[string][]string{
+				iamv1alpha2.ExtraUninitialized: {uninitialized},
+			}
+		}
+		return u, "", nil
+	}
+
+	return nil, "", IncorrectPasswordError
+}
+
+func preRegistrationUser(idp string, identity identityprovider.Identity) authuser.Info {
+	return &authuser.DefaultInfo{
+		Name: iamv1alpha2.PreRegistrationUser,
+		Extra: map[string][]string{
+			iamv1alpha2.ExtraIdentityProvider: {idp},
+			iamv1alpha2.ExtraUID:              {identity.GetUserID()},
+			iamv1alpha2.ExtraUsername:         {identity.GetUsername()},
+			iamv1alpha2.ExtraEmail:            {identity.GetEmail()},
+			iamv1alpha2.ExtraDisplayName:      {identity.GetDisplayName()},
+		},
+		Groups: []string{iamv1alpha2.PreRegistrationUserGroup},
+	}
+}
+
+func (o oauth2Authenticator) Authenticate(provider, code string) (authuser.Info, string, error) {
+	providerOptions, err := o.authOptions.OAuthOptions.IdentityProviderOptions(provider)
+	// identity provider not registered
+	if err != nil {
+		klog.Error(err)
+		return nil, "", err
+	}
+	oauthIdentityProvider, err := identityprovider.CreateOAuthProvider(providerOptions.Type, providerOptions.Provider)
+	if err != nil {
+		klog.Error(err)
+		return nil, "", err
+	}
+	authenticated, err := oauthIdentityProvider.IdentityExchange(code)
+	if err != nil {
+		klog.Error(err)
+		return nil, "", err
+	}
+
+	user, err := o.userGetter.findLinkedAccount(providerOptions.Name, authenticated.GetUserID())
+	if user == nil && providerOptions.MappingMethod == oauth.MappingMethodLookup {
+		klog.Error(err)
+		return nil, "", err
+	}
+	// the user will automatically create and mapping when login successful.
+	if user == nil && providerOptions.MappingMethod == oauth.MappingMethodAuto {
+		return preRegistrationUser(providerOptions.Name, authenticated), providerOptions.Name, nil
+	}
+	if user != nil {
+		return &authuser.DefaultInfo{Name: user.GetName()}, providerOptions.Name, nil
+	}
+
+	return nil, "", errors.NewNotFound(iamv1alpha2.Resource("user"), authenticated.GetUsername())
+}
+
+func PasswordVerify(encryptedPassword, password string) error {
+	if err := bcrypt.CompareHashAndPassword([]byte(encryptedPassword), []byte(password)); err != nil {
+		return IncorrectPasswordError
+	}
+	return nil
+}
+
+// findUser
+func (u *userGetter) findUser(username string) (*iamv1alpha2.User, error) {
+	if _, err := mail.ParseAddress(username); err != nil {
+		return u.userLister.Get(username)
+	} else {
+		users, err := u.userLister.List(labels.Everything())
+		if err != nil {
+			klog.Error(err)
+			return nil, err
+		}
+		for _, find := range users {
+			if find.Spec.Email == username {
+				return find, nil
+			}
+		}
+	}
+
+	return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), username)
+}
+
+func (u *userGetter) findLinkedAccount(idp, uid string) (*iamv1alpha2.User, error) {
+	selector := labels.SelectorFromSet(labels.Set{
+		iamv1alpha2.IdentifyProviderLabel: idp,
+		iamv1alpha2.OriginUIDLabel:        uid,
+	})
+
+	users, err := u.userLister.List(selector)
+	if err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+	if len(users) != 1 {
+		return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), uid)
+	}
+
+	return users[0], err
+}

pkg/models/auth/authenticator_test.go

@@ -0,0 +1,40 @@
+/*
+
+ Copyright 2020 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package auth
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	"testing"
+)
+
+func TestEncryptPassword(t *testing.T) {
+	password := "P@88w0rd"
+	encryptedPassword, err := hashPassword(password)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = PasswordVerify(encryptedPassword, password); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
+	return string(bytes), err
+}

pkg/models/auth/login_recoder.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	"strings"
+)
+
+type LoginRecorder interface {
+	RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, sourceIP string, userAgent string, authErr error) error
+}
+
+type loginRecorder struct {
+	ksClient kubesphere.Interface
+}
+
+func NewLoginRecorder(ksClient kubesphere.Interface) LoginRecorder {
+	return &loginRecorder{
+		ksClient: ksClient,
+	}
+}
+
+func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, sourceIP string, userAgent string, authErr error) error {
+	// This is a temporary solution in case of user login with email,
+	// '@' is not allowed in Kubernetes object name.
+	username = strings.Replace(username, "@", "-", -1)
+
+	loginEntry := &iamv1alpha2.LoginRecord{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: fmt.Sprintf("%s-", username),
+			Labels: map[string]string{
+				iamv1alpha2.UserReferenceLabel: username,
+			},
+		},
+		Spec: iamv1alpha2.LoginRecordSpec{
+			Type:      loginType,
+			Provider:  provider,
+			Success:   true,
+			Reason:    iamv1alpha2.AuthenticatedSuccessfully,
+			SourceIP:  sourceIP,
+			UserAgent: userAgent,
+		},
+	}
+
+	if authErr != nil {
+		loginEntry.Spec.Success = false
+		loginEntry.Spec.Reason = authErr.Error()
+	}
+
+	_, err := l.ksClient.IamV1alpha2().LoginRecords().Create(loginEntry)
+	if err != nil {
+		klog.Error(err)
+		return err
+	}
+	return nil
+}

pkg/models/auth/token.go

@@ -0,0 +1,146 @@
+/*
+
+ Copyright 2020 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package auth
+
+import (
+	"fmt"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/klog"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
+	"kubesphere.io/kubesphere/pkg/simple/client/cache"
+	"time"
+)
+
+type TokenManagementInterface interface {
+	// Verify verifies a token, and return a User if it's a valid token, otherwise return error
+	Verify(token string) (user.Info, error)
+	// IssueTo issues a token a User, return error if issuing process failed
+	IssueTo(user user.Info) (*oauth.Token, error)
+}
+
+type tokenOperator struct {
+	issuer  token.Issuer
+	options *authoptions.AuthenticationOptions
+	cache   cache.Interface
+}
+
+func NewTokenOperator(cache cache.Interface, options *authoptions.AuthenticationOptions) TokenManagementInterface {
+	operator := &tokenOperator{
+		issuer:  token.NewTokenIssuer(options.JwtSecret, options.MaximumClockSkew),
+		options: options,
+		cache:   cache,
+	}
+	return operator
+}
+
+func (t tokenOperator) Verify(tokenStr string) (user.Info, error) {
+	authenticated, tokenType, err := t.issuer.Verify(tokenStr)
+	if err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+	if t.options.OAuthOptions.AccessTokenMaxAge == 0 ||
+		tokenType == token.StaticToken {
+		return authenticated, nil
+	}
+	if err := t.tokenCacheValidate(authenticated.GetName(), tokenStr); err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+	return authenticated, nil
+}
+
+func (t tokenOperator) IssueTo(user user.Info) (*oauth.Token, error) {
+	accessTokenExpiresIn := t.options.OAuthOptions.AccessTokenMaxAge
+	refreshTokenExpiresIn := accessTokenExpiresIn + t.options.OAuthOptions.AccessTokenInactivityTimeout
+
+	accessToken, err := t.issuer.IssueTo(user, token.AccessToken, accessTokenExpiresIn)
+	if err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+
+	refreshToken, err := t.issuer.IssueTo(user, token.RefreshToken, refreshTokenExpiresIn)
+	if err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+
+	result := &oauth.Token{
+		AccessToken:  accessToken,
+		TokenType:    "Bearer",
+		RefreshToken: refreshToken,
+		ExpiresIn:    int(accessTokenExpiresIn.Seconds()),
+	}
+
+	if !t.options.MultipleLogin {
+		if err = t.revokeAllUserTokens(user.GetName()); err != nil {
+			klog.Error(err)
+			return nil, err
+		}
+	}
+
+	if accessTokenExpiresIn > 0 {
+		if err = t.cacheToken(user.GetName(), accessToken, accessTokenExpiresIn); err != nil {
+			klog.Error(err)
+			return nil, err
+		}
+		if err = t.cacheToken(user.GetName(), refreshToken, refreshTokenExpiresIn); err != nil {
+			klog.Error(err)
+			return nil, err
+		}
+	}
+
+	return result, nil
+}
+
+func (t tokenOperator) revokeAllUserTokens(username string) error {
+	pattern := fmt.Sprintf("kubesphere:user:%s:token:*", username)
+	if keys, err := t.cache.Keys(pattern); err != nil {
+		klog.Error(err)
+		return err
+	} else if len(keys) > 0 {
+		if err := t.cache.Del(keys...); err != nil {
+			klog.Error(err)
+			return err
+		}
+	}
+	return nil
+}
+
+func (t tokenOperator) tokenCacheValidate(username, token string) error {
+	key := fmt.Sprintf("kubesphere:user:%s:token:%s", username, token)
+	if exist, err := t.cache.Exists(key); err != nil {
+		return err
+	} else if !exist {
+		return fmt.Errorf("token not found in cache")
+	}
+	return nil
+}
+
+func (t tokenOperator) cacheToken(username, token string, duration time.Duration) error {
+	key := fmt.Sprintf("kubesphere:user:%s:token:%s", username, token)
+	if err := t.cache.Set(key, token, duration); err != nil {
+		klog.Error(err)
+		return err
+	}
+	return nil
+}