Roland.Ma
142
vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/auth.go
generated
vendored
Normal file
142
vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/controlplane/auth.go
generated
vendored
Normal file
@@ -0,0 +1,142 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package controlplane
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"path/filepath"
|
||||
|
||||
"k8s.io/client-go/rest"
|
||||
"sigs.k8s.io/controller-runtime/pkg/internal/testing/certs"
|
||||
"sigs.k8s.io/controller-runtime/pkg/internal/testing/process"
|
||||
)
|
||||
|
||||
// User represents a Kubernetes user.
|
||||
type User struct {
|
||||
// Name is the user's Name.
|
||||
Name string
|
||||
// Groups are the groups to which the user belongs.
|
||||
Groups []string
|
||||
}
|
||||
|
||||
// Authn knows how to configure an API server for a particular type of authentication,
|
||||
// and provision users under that authentication scheme.
|
||||
//
|
||||
// The methods must be called in the following order (as presented below in the interface
|
||||
// for a mnemonic):
|
||||
//
|
||||
// 1. Configure
|
||||
// 2. Start
|
||||
// 3. AddUsers (0+ calls)
|
||||
// 4. Stop.
|
||||
type Authn interface {
|
||||
// Configure provides the working directory to this authenticator,
|
||||
// and configures the given API server arguments to make use of this authenticator.
|
||||
//
|
||||
// Should be called first.
|
||||
Configure(workDir string, args *process.Arguments) error
|
||||
// Start runs this authenticator. Will be called just before API server start.
|
||||
//
|
||||
// Must be called after Configure.
|
||||
Start() error
|
||||
// AddUser provisions a user, returning a copy of the given base rest.Config
|
||||
// configured to authenticate as that users.
|
||||
//
|
||||
// May only be called while the authenticator is "running".
|
||||
AddUser(user User, baseCfg *rest.Config) (*rest.Config, error)
|
||||
// Stop shuts down this authenticator.
|
||||
Stop() error
|
||||
}
|
||||
|
||||
// CertAuthn is an authenticator (Authn) that makes use of client certificate authn.
|
||||
type CertAuthn struct {
|
||||
// ca is the CA used to sign the client certs
|
||||
ca *certs.TinyCA
|
||||
// certDir is the directory used to write the CA crt file
|
||||
// so that the API server can read it.
|
||||
certDir string
|
||||
}
|
||||
|
||||
// NewCertAuthn creates a new client-cert-based Authn with a new CA.
|
||||
func NewCertAuthn() (*CertAuthn, error) {
|
||||
ca, err := certs.NewTinyCA()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to provision client certificate auth CA: %w", err)
|
||||
}
|
||||
return &CertAuthn{
|
||||
ca: ca,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// AddUser provisions a new user that's authenticated via certificates, with
|
||||
// the given uesrname and groups embedded in the certificate as expected by the
|
||||
// API server.
|
||||
func (c *CertAuthn) AddUser(user User, baseCfg *rest.Config) (*rest.Config, error) {
|
||||
certs, err := c.ca.NewClientCert(certs.ClientInfo{
|
||||
Name: user.Name,
|
||||
Groups: user.Groups,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create client certificates for %s: %w", user.Name, err)
|
||||
}
|
||||
|
||||
crt, key, err := certs.AsBytes()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to serialize client certificates for %s: %w", user.Name, err)
|
||||
}
|
||||
|
||||
cfg := rest.CopyConfig(baseCfg)
|
||||
cfg.CertData = crt
|
||||
cfg.KeyData = key
|
||||
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// caCrtPath returns the path to the on-disk client-cert CA crt file.
|
||||
func (c *CertAuthn) caCrtPath() string {
|
||||
return filepath.Join(c.certDir, "client-cert-auth-ca.crt")
|
||||
}
|
||||
|
||||
// Configure provides the working directory to this authenticator,
|
||||
// and configures the given API server arguments to make use of this authenticator.
|
||||
func (c *CertAuthn) Configure(workDir string, args *process.Arguments) error {
|
||||
c.certDir = workDir
|
||||
args.Set("client-ca-file", c.caCrtPath())
|
||||
return nil
|
||||
}
|
||||
|
||||
// Start runs this authenticator. Will be called just before API server start.
|
||||
//
|
||||
// Must be called after Configure.
|
||||
func (c *CertAuthn) Start() error {
|
||||
if len(c.certDir) == 0 {
|
||||
return fmt.Errorf("start called before configure")
|
||||
}
|
||||
caCrt := c.ca.CA.CertBytes()
|
||||
if err := ioutil.WriteFile(c.caCrtPath(), caCrt, 0640); err != nil { //nolint:gosec
|
||||
return fmt.Errorf("unable to save the client certificate CA to %s: %w", c.caCrtPath(), err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Stop shuts down this authenticator.
|
||||
func (c *CertAuthn) Stop() error {
|
||||
// no-op -- our workdir is cleaned up for us automatically
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user