forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
browser_safe_request_info_resolver.go
75 lines (59 loc) · 2.22 KB
/
browser_safe_request_info_resolver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package authorizer
import (
"net/http"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apiserver/request"
"k8s.io/kubernetes/pkg/util/sets"
)
type browserSafeRequestInfoResolver struct {
// infoFactory is used to determine info for the request
infoFactory RequestInfoFactory
// contextMapper is used to look up the context corresponding to a request
// to obtain the user associated with the request
contextMapper kapi.RequestContextMapper
// list of groups, any of which indicate the request is authenticated
authenticatedGroups sets.String
}
func NewBrowserSafeRequestInfoResolver(contextMapper kapi.RequestContextMapper, authenticatedGroups sets.String, infoFactory RequestInfoFactory) RequestInfoFactory {
return &browserSafeRequestInfoResolver{
contextMapper: contextMapper,
authenticatedGroups: authenticatedGroups,
infoFactory: infoFactory,
}
}
func (a *browserSafeRequestInfoResolver) NewRequestInfo(req *http.Request) (*request.RequestInfo, error) {
requestInfo, err := a.infoFactory.NewRequestInfo(req)
if err != nil {
return requestInfo, err
}
if !requestInfo.IsResourceRequest {
return requestInfo, nil
}
isProxyVerb := requestInfo.Verb == "proxy"
isProxySubresource := requestInfo.Subresource == "proxy"
if !isProxyVerb && !isProxySubresource {
// Requests to non-proxy resources don't expose HTML or HTTP-handling user content to browsers
return requestInfo, nil
}
if len(req.Header.Get("X-CSRF-Token")) > 0 {
// Browsers cannot set custom headers on direct requests
return requestInfo, nil
}
if ctx, hasContext := a.contextMapper.Get(req); hasContext {
user, hasUser := kapi.UserFrom(ctx)
if hasUser && a.authenticatedGroups.HasAny(user.GetGroups()...) {
// An authenticated request indicates this isn't a browser page load.
// Browsers cannot make direct authenticated requests.
// This depends on the API not enabling basic or cookie-based auth.
return requestInfo, nil
}
}
// TODO: compare request.Host to a list of hosts allowed for the requestInfo.Namespace (e.g. <namespace>.proxy.example.com)
if isProxyVerb {
requestInfo.Verb = "unsafeproxy"
}
if isProxySubresource {
requestInfo.Subresource = "unsafeproxy"
}
return requestInfo, nil
}