122 lines
3.3 KiB
Go
122 lines
3.3 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package auth
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"regexp"
|
|
|
|
"k8s.io/kubernetes/pkg/api"
|
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
|
|
|
"k8s.io/ingress/core/pkg/ingress/annotations/parser"
|
|
)
|
|
|
|
const (
|
|
authType = "ingress.kubernetes.io/auth-type"
|
|
authSecret = "ingress.kubernetes.io/auth-secret"
|
|
authRealm = "ingress.kubernetes.io/auth-realm"
|
|
|
|
// DefAuthDirectory default directory used to store files
|
|
// to authenticate request
|
|
DefAuthDirectory = "/etc/ingress-controller/auth"
|
|
)
|
|
|
|
func init() {
|
|
// TODO: check permissions required
|
|
os.MkdirAll(DefAuthDirectory, 0655)
|
|
}
|
|
|
|
var (
|
|
authTypeRegex = regexp.MustCompile(`basic|digest`)
|
|
|
|
// ErrInvalidAuthType is return in case of unsupported authentication type
|
|
ErrInvalidAuthType = errors.New("invalid authentication type")
|
|
|
|
// ErrMissingSecretName is returned when the name of the secret is missing
|
|
ErrMissingSecretName = errors.New("secret name is missing")
|
|
|
|
// ErrMissingAuthInSecret is returned when there is no auth key in secret data
|
|
ErrMissingAuthInSecret = errors.New("the secret does not contains the auth key")
|
|
)
|
|
|
|
// BasicDigest returns authentication configuration for an Ingress rule
|
|
type BasicDigest struct {
|
|
Type string `json:"type"`
|
|
Realm string `json:"realm"`
|
|
File string `json:"file"`
|
|
Secured bool `json:"secured"`
|
|
}
|
|
|
|
// ParseAnnotations parses the annotations contained in the ingress
|
|
// rule used to add authentication in the paths defined in the rule
|
|
// and generated an htpasswd compatible file to be used as source
|
|
// during the authentication process
|
|
func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) {
|
|
if ing.GetAnnotations() == nil {
|
|
return &BasicDigest{}, parser.ErrMissingAnnotations
|
|
}
|
|
|
|
at, err := parser.GetStringAnnotation(authType, ing)
|
|
if err != nil {
|
|
return &BasicDigest{}, err
|
|
}
|
|
|
|
if !authTypeRegex.MatchString(at) {
|
|
return &BasicDigest{}, ErrInvalidAuthType
|
|
}
|
|
|
|
s, err := parser.GetStringAnnotation(authSecret, ing)
|
|
if err != nil {
|
|
return &BasicDigest{}, err
|
|
}
|
|
|
|
secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s))
|
|
if err != nil {
|
|
return &BasicDigest{}, err
|
|
}
|
|
|
|
realm, _ := parser.GetStringAnnotation(authRealm, ing)
|
|
|
|
passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
|
|
err = dumpSecret(passFile, secret)
|
|
if err != nil {
|
|
return &BasicDigest{}, err
|
|
}
|
|
|
|
return &BasicDigest{
|
|
Type: at,
|
|
Realm: realm,
|
|
File: passFile,
|
|
Secured: true,
|
|
}, nil
|
|
}
|
|
|
|
// dumpSecret dumps the content of a secret into a file
|
|
// in the expected format for the specified authorization
|
|
func dumpSecret(filename string, secret *api.Secret) error {
|
|
val, ok := secret.Data["auth"]
|
|
if !ok {
|
|
return ErrMissingAuthInSecret
|
|
}
|
|
|
|
// TODO: check permissions required
|
|
return ioutil.WriteFile(filename, val, 0777)
|
|
}
|