admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d852e8276f9455508ef9bc077bfca00d50ef971
kubesphere/pkg/apiserver/authentication/authenticators/jwt/jwt.go
hongming 0d852e8276 chore: update copyright headers (#6496) 
Signed-off-by: hongming <coder.scala@gmail.com>
2025-04-30 15:53:51 +08:00

100 lines
3.3 KiB
Go
Raw Blame History

/*
* Copyright 2024 the KubeSphere Authors.
* Please refer to the LICENSE file in the root directory of the project.
* https://github.com/kubesphere/kubesphere/blob/master/LICENSE
*/
package jwt
import (
"context"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/klog/v2"
clusterv1alpha1 "kubesphere.io/api/cluster/v1alpha1"
corev1alpha1 "kubesphere.io/api/core/v1alpha1"
iamv1beta1 "kubesphere.io/api/iam/v1beta1"
runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
"kubesphere.io/kubesphere/pkg/models/auth"
"kubesphere.io/kubesphere/pkg/utils/serviceaccount"
)
// TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
// TokenAuthenticator will retrieve user info from cache by given token. If empty or invalid token
// was given, authenticator will still give passed response at the condition user will be user.Anonymous
// and group from user.AllUnauthenticated. This helps requests be passed along the handler chain,
// because some resources are public accessible.
type tokenAuthenticator struct {
tokenOperator auth.TokenManagementInterface
cache runtimecache.Cache
clusterRole string
}
func NewTokenAuthenticator(cache runtimecache.Cache, tokenOperator auth.TokenManagementInterface, clusterRole string) authenticator.Token {
return &tokenAuthenticator{
tokenOperator: tokenOperator,
cache: cache,
clusterRole: clusterRole,
}
}
func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
verified, err := t.tokenOperator.Verify(token)
if err != nil {
klog.Warning(err)
return nil, false, err
}
if serviceaccount.IsServiceAccountToken(verified.Subject) {
if t.clusterRole == string(clusterv1alpha1.ClusterRoleHost) {
_, err = t.validateServiceAccount(ctx, verified)
if err != nil {
return nil, false, err
}
}
return &authenticator.Response{
User: verified.User,
}, true, nil
}
if verified.User.GetName() == iamv1beta1.PreRegistrationUser {
return &authenticator.Response{
User: verified.User,
}, true, nil
}
if t.clusterRole == string(clusterv1alpha1.ClusterRoleHost) {
userInfo := &iamv1beta1.User{}
if err := t.cache.Get(ctx, types.NamespacedName{Name: verified.User.GetName()}, userInfo); err != nil {
return nil, false, err
}
// AuthLimitExceeded state should be ignored
if userInfo.Status.State == iamv1beta1.UserDisabled {
return nil, false, auth.AccountIsNotActiveError
}
}
return &authenticator.Response{
User: &user.DefaultInfo{
Name: verified.User.GetName(),
// TODO(wenhaozhou) Add user`s groups(can be searched by GroupBinding)
Groups: []string{user.AllAuthenticated},
},
}, true, nil
}
func (t *tokenAuthenticator) validateServiceAccount(ctx context.Context, verify *token.VerifiedResponse) (*corev1alpha1.ServiceAccount, error) {
// Ensure the relative service account exist
name, namespace := serviceaccount.SplitUsername(verify.Username)
sa := &corev1alpha1.ServiceAccount{}
if err := t.cache.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, sa); err != nil {
return nil, err
}
return sa, nil
}
Reference in New Issue View Git Blame Copy Permalink