-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add token authentication method for websocket browser clients #47740
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
package(default_visibility = ["//visibility:public"]) | ||
|
||
licenses(["notice"]) | ||
|
||
load( | ||
"@io_bazel_rules_go//go:def.bzl", | ||
"go_library", | ||
"go_test", | ||
) | ||
|
||
go_library( | ||
name = "go_default_library", | ||
srcs = ["protocol.go"], | ||
tags = ["automanaged"], | ||
deps = [ | ||
"//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", | ||
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", | ||
"//vendor/k8s.io/apiserver/pkg/util/wsstream:go_default_library", | ||
], | ||
) | ||
|
||
go_test( | ||
name = "go_default_test", | ||
srcs = ["protocol_test.go"], | ||
library = ":go_default_library", | ||
tags = ["automanaged"], | ||
deps = [ | ||
"//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", | ||
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", | ||
], | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
/* | ||
Copyright 2017 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package websocket | ||
|
||
import ( | ||
"encoding/base64" | ||
"errors" | ||
"net/http" | ||
"net/textproto" | ||
"strings" | ||
"unicode/utf8" | ||
|
||
"k8s.io/apiserver/pkg/authentication/authenticator" | ||
"k8s.io/apiserver/pkg/authentication/user" | ||
"k8s.io/apiserver/pkg/util/wsstream" | ||
) | ||
|
||
const bearerProtocolPrefix = "base64url.bearer.authorization.k8s.io." | ||
|
||
var protocolHeader = textproto.CanonicalMIMEHeaderKey("Sec-WebSocket-Protocol") | ||
|
||
var invalidToken = errors.New("invalid bearer token") | ||
|
||
// ProtocolAuthenticator allows a websocket connection to provide a bearer token as a subprotocol | ||
// in the format "base64url.bearer.authorization.<base64url-without-padding(bearer-token)>" | ||
type ProtocolAuthenticator struct { | ||
// auth is the token authenticator to use to validate the token | ||
auth authenticator.Token | ||
} | ||
|
||
func NewProtocolAuthenticator(auth authenticator.Token) *ProtocolAuthenticator { | ||
return &ProtocolAuthenticator{auth} | ||
} | ||
|
||
func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { | ||
// Only accept websocket connections | ||
if !wsstream.IsWebSocketRequest(req) { | ||
return nil, false, nil | ||
} | ||
|
||
token := "" | ||
sawTokenProtocol := false | ||
filteredProtocols := []string{} | ||
for _, protocolHeader := range req.Header[protocolHeader] { | ||
for _, protocol := range strings.Split(protocolHeader, ",") { | ||
protocol = strings.TrimSpace(protocol) | ||
|
||
if !strings.HasPrefix(protocol, bearerProtocolPrefix) { | ||
filteredProtocols = append(filteredProtocols, protocol) | ||
continue | ||
} | ||
|
||
if sawTokenProtocol { | ||
return nil, false, errors.New("multiple base64.bearer.authorization tokens specified") | ||
} | ||
sawTokenProtocol = true | ||
|
||
encodedToken := strings.TrimPrefix(protocol, bearerProtocolPrefix) | ||
decodedToken, err := base64.RawURLEncoding.DecodeString(encodedToken) | ||
if err != nil { | ||
return nil, false, errors.New("invalid base64.bearer.authorization token encoding") | ||
} | ||
if !utf8.Valid(decodedToken) { | ||
return nil, false, errors.New("invalid base64.bearer.authorization token") | ||
} | ||
token = string(decodedToken) | ||
} | ||
} | ||
|
||
// Must pass at least one other subprotocol so that we can remove the one containing the bearer token, | ||
// and there is at least one to echo back to the client | ||
if len(token) > 0 && len(filteredProtocols) == 0 { | ||
return nil, false, errors.New("missing additional subprotocol") | ||
} | ||
|
||
if len(token) == 0 { | ||
return nil, false, nil | ||
} | ||
|
||
user, ok, err := a.auth.AuthenticateToken(token) | ||
|
||
// on success, remove the protocol with the token | ||
if ok { | ||
// https://tools.ietf.org/html/rfc6455#section-11.3.4 indicates the Sec-WebSocket-Protocol header may appear multiple times | ||
// in a request, and is logically the same as a single Sec-WebSocket-Protocol header field that contains all values | ||
req.Header.Set(protocolHeader, strings.Join(filteredProtocols, ",")) | ||
} | ||
|
||
// If the token authenticator didn't error, provide a default error | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why do we set an error here? Can't it still be evaluated by other bearer token authenticators? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yes, the containing union continues on error, but does not fall back to anonymous There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
It seems to be a failure of the authentication interface that an evaluation error (I can't check because of X) is abused to sometimes contain a failure reason (you're denied because the token expired). Evaluation errors should fall through, but failures should just stop. The lack of this distinction makes building chains non-obvious and often creates nested unions of chains only a couple items. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we can certainly consider changes to the interface if richer information would make composition better, but that's out of scope for this PR |
||
if !ok && err == nil { | ||
err = invalidToken | ||
} | ||
|
||
return user, ok, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should the filtered protocols be joined by
", "
? In your example, there is a space.