refactor authentication (#1950)

pkg/apiserver/apiserver.go

@@ -9,11 +9,13 @@ import (
 	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
+	"k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/klog"
 	"kubesphere.io/kubesphere/pkg/api/iam"
-	"kubesphere.io/kubesphere/pkg/apiserver/authentication"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/authenticators/jwttoken"
+	authenticationrequest "kubesphere.io/kubesphere/pkg/apiserver/authentication/request"
 	"kubesphere.io/kubesphere/pkg/apiserver/dispatch"
 	"kubesphere.io/kubesphere/pkg/apiserver/filters"
 	"kubesphere.io/kubesphere/pkg/apiserver/request"
@@ -179,7 +181,8 @@ func (s *APIServer) buildHandlerChain() {
 	handler = filters.WithMultipleClusterDispatcher(handler, dispatch.DefaultClusterDispatch)
 	handler = filters.WithAuthorization(handler, authorizerfactory.NewAlwaysAllowAuthorizer())
 
-	handler = filters.WithAuthentication(handler, bearertoken.New(authentication.NewTokenAuthenticator(s.CacheClient)), failed)
+	authn := union.New(&authenticationrequest.AnonymousAuthenticator{}, bearertoken.New(jwttoken.NewTokenAuthenticator(s.CacheClient, s.AuthenticateOptions.JwtSecret)))
+	handler = filters.WithAuthentication(handler, authn, failed)
 	handler = filters.WithRequestInfo(handler, requestInfoResolver)
 
 	s.Server.Handler = handler

pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go

@@ -0,0 +1,57 @@
+package jwttoken
+
+import (
+	"context"
+	"fmt"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"kubesphere.io/kubesphere/pkg/api/iam/token"
+	"kubesphere.io/kubesphere/pkg/server/errors"
+	"kubesphere.io/kubesphere/pkg/simple/client/cache"
+)
+
+var errTokenExpired = errors.New("expired token")
+
+// TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
+// TokenAuthenticator will retrieve user info from cache by given token. If empty or invalid token
+// was given, authenticator will still give passed response at the condition user will be user.Anonymous
+// and group from user.AllUnauthenticated. This helps requests be passed along the handler chain,
+// because some resources are public accessible.
+type tokenAuthenticator struct {
+	cacheClient    cache.Interface
+	jwtTokenIssuer token.Issuer
+}
+
+func NewTokenAuthenticator(cacheClient cache.Interface, jwtSecret string) authenticator.Token {
+	return &tokenAuthenticator{
+		cacheClient:    cacheClient,
+		jwtTokenIssuer: token.NewJwtTokenIssuer(token.DefaultIssuerName, []byte(jwtSecret)),
+	}
+}
+
+func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+	providedUser, err := t.jwtTokenIssuer.Verify(token)
+	if err != nil {
+		return nil, false, err
+	}
+
+	_, err = t.cacheClient.Get(tokenKeyForUsername(providedUser.Name(), token))
+	if err != nil {
+		return nil, false, errTokenExpired
+	}
+
+	// Should we need to refresh token?
+
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   providedUser.Name(),
+			UID:    providedUser.UID(),
+			Groups: []string{user.AllAuthenticated},
+		},
+	}, true, nil
+
+}
+
+func tokenKeyForUsername(username, token string) string {
+	return fmt.Sprintf("kubesphere:users:%s:token:%s", username, token)
+}

pkg/apiserver/authentication/request/anonymous.go

@@ -0,0 +1,24 @@
+package request
+
+import (
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"net/http"
+	"strings"
+)
+
+type AnonymousAuthenticator struct{}
+
+func (a *AnonymousAuthenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	auth := strings.TrimSpace(req.Header.Get("Authorization"))
+	if auth == "" {
+		return &authenticator.Response{
+			User: &user.DefaultInfo{
+				Name:   user.Anonymous,
+				UID:    "",
+				Groups: []string{user.AllUnauthenticated},
+			},
+		}, true, nil
+	}
+	return nil, false, nil
+}

pkg/apiserver/authentication/token/token.go

@@ -0,0 +1 @@
+package token

pkg/apiserver/authentication/token_authenticator.go

@@ -1,36 +0,0 @@
-package authentication
-
-import (
-	"context"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-	"kubesphere.io/kubesphere/pkg/simple/client/cache"
-)
-
-// TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
-// TokenAuthenticator will retrieve user info from cache by given token. If empty or invalid token
-// was given, authenticator will still give passed response at the condition user will be user.Anonymous
-// and group from user.AllUnauthenticated. This helps requests be passed along the handler chain,
-// because some resources are public accessible.
-type tokenAuthenticator struct {
-	cacheClient cache.Interface
-}
-
-func NewTokenAuthenticator(cacheClient cache.Interface) authenticator.Token {
-	return &tokenAuthenticator{
-		cacheClient: cacheClient,
-	}
-}
-
-func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
-	//if len(token) == 0 {
-	return &authenticator.Response{
-		User: &user.DefaultInfo{
-			Name:   user.Anonymous,
-			UID:    "",
-			Groups: []string{user.AllUnauthenticated},
-			Extra:  nil,
-		},
-	}, true, nil
-	//}
-}