package renderer
import (
"fmt"
corev1 "k8s.io/api/core/v1"
stnrconfv1 "github.com/l7mp/stunner/pkg/apis/v1"
"github.com/l7mp/stunner-gateway-operator/internal/store"
)
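// renderAuth builds the STUNner authentication config for the GatewayConfig
// in the render context. An external Secret reference (Spec.AuthRef) takes
// precedence over the inline credential fields of the spec.
//
// Errors are those of renderExternalAuth / renderInlineAuth.
func (r *Renderer) renderAuth(c *RenderContext) (*stnrconfv1.AuthConfig, error) {
	gwConf := c.gwConf

	// Log only the non-sensitive parts of the spec: the inline auth fields
	// (Username, Password, SharedSecret) live in the same struct and must
	// not be written to the operator log.
	authType := "<default>"
	if gwConf.Spec.AuthType != nil {
		authType = *gwConf.Spec.AuthType
	}
	r.log.V(3).Info("renderAuth", "gateway-config", store.GetObjectKey(gwConf),
		"auth-type", authType, "external-auth-ref", gwConf.Spec.AuthRef != nil)

	// external auth ref overrides inline refs
	if gwConf.Spec.AuthRef != nil {
		return r.renderExternalAuth(c)
	}

	return r.renderInlineAuth(c)
}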
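// renderInlineAuth builds an AuthConfig from the credentials given inline in
// the GatewayConfig spec: Username/Password for plaintext auth, SharedSecret
// for longterm auth. The realm falls back to stnrconfv1.DefaultRealm.
//
// Returns a critical error when the auth type is unknown, the credentials
// required by the selected auth type are missing, or the resulting config
// fails validation.
func (r *Renderer) renderInlineAuth(c *RenderContext) (*stnrconfv1.AuthConfig, error) {
	gwConf := c.gwConf

	realm := stnrconfv1.DefaultRealm
	if gwConf.Spec.Realm != nil {
		realm = *gwConf.Spec.Realm
	}

	auth := stnrconfv1.AuthConfig{
		Realm:       realm,
		Credentials: make(map[string]string),
	}

	atype, err := getAuthType(gwConf.Spec.AuthType)
	if err != nil {
		return nil, err
	}

	switch atype {
	case stnrconfv1.AuthTypePlainText:
		if gwConf.Spec.Username == nil || gwConf.Spec.Password == nil {
			return nil, NewCriticalError(InvalidUsernamePassword)
		}
		auth.Credentials["username"] = *gwConf.Spec.Username
		auth.Credentials["password"] = *gwConf.Spec.Password
	case stnrconfv1.AuthTypeLongTerm:
		if gwConf.Spec.SharedSecret == nil {
			return nil, NewCriticalError(InvalidSharedSecret)
		}
		auth.Credentials["secret"] = *gwConf.Spec.SharedSecret
	}

	auth.Type = atype.String()

	// validate so that defaults get filled in
	if err = auth.Validate(); err != nil {
		return nil, NewCriticalError(InvalidAuthConfig)
	}

	// Log a copy with the secret values masked: the password / shared secret
	// must never reach the operator log; only the realm, the type and the
	// credential keys that are present are useful for debugging.
	masked := auth
	masked.Credentials = make(map[string]string, len(auth.Credentials))
	for k, v := range auth.Credentials {
		if k != "username" {
			v = "<redacted>"
		}
		masked.Credentials[k] = v
	}
	r.log.V(2).Info("renderInlineAuth ready", "gateway-config", store.GetObjectKey(gwConf), "result",
		fmt.Sprintf("%#v", masked))

	return &auth, nil
}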
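// renderExternalAuth builds an AuthConfig from the Secret referenced by
// Spec.AuthRef of the GatewayConfig. The Secret's optional "type" key selects
// the auth type (see getAuthType for the default and the accepted aliases);
// plaintext auth reads the "username" and "password" keys, longterm auth reads
// "secret" or its long form "sharedSecret".
//
// An invalid reference or a missing Secret is logged with the concrete cause
// and reported to the caller as a critical ExternalAuthCredentialsNotFound
// error; an unknown auth type, missing credential keys and a failed
// validation are critical errors too.
func (r *Renderer) renderExternalAuth(c *RenderContext) (*stnrconfv1.AuthConfig, error) {
	gwConf := c.gwConf

	realm := stnrconfv1.DefaultRealm
	if gwConf.Spec.Realm != nil {
		realm = *gwConf.Spec.Realm
	}

	auth := stnrconfv1.AuthConfig{
		Realm:       realm,
		Credentials: make(map[string]string),
	}

	ref := c.gwConf.Spec.AuthRef
	n, err := getSecretNameFromRef(ref, gwConf.GetNamespace())
	if err != nil {
		// report concrete error here, return a critical error
		r.log.Info("invalid auth Secret", "gateway-config", store.GetObjectKey(c.gwConf),
			"ref", dumpSecretRef(ref, gwConf.GetNamespace()), "error", err.Error())
		return nil, NewCriticalError(ExternalAuthCredentialsNotFound)
	}

	secret := store.AuthSecrets.GetObject(n)
	if secret == nil {
		// report concrete error here, return a critical error
		r.log.Info("auth Secret not found", "gateway-config", store.GetObjectKey(c.gwConf),
			"ref", dumpSecretRef(ref, gwConf.GetNamespace()), "name", n)
		return nil, NewCriticalError(ExternalAuthCredentialsNotFound)
	}

	// The Secret type is only checked, not enforced: a non-Opaque Secret is
	// still consumed as long as it carries the expected keys.
	if secret.Type != corev1.SecretTypeOpaque {
		r.log.Info("expecting Secret of type \"Opaque\" (trying to use Secret anyway)",
			"gateway-config", store.GetObjectKey(c.gwConf), "secret", n.String())
	}

	// An absent "type" key leaves hint nil so getAuthType applies its default.
	var hint *string
	if raw, ok := secret.Data["type"]; ok {
		typeName := string(raw)
		hint = &typeName
	}

	atype, err := getAuthType(hint)
	if err != nil {
		return nil, err
	}

	switch atype {
	case stnrconfv1.AuthTypePlainText:
		username, usernameOk := secret.Data["username"]
		password, passwordOk := secret.Data["password"]
		if !usernameOk || !passwordOk {
			return nil, NewCriticalError(InvalidUsernamePassword)
		}
		auth.Credentials["username"] = string(username)
		auth.Credentials["password"] = string(password)
	case stnrconfv1.AuthTypeLongTerm:
		sharedSecret, sharedSecretOk := secret.Data["secret"]
		// accept long form
		if !sharedSecretOk {
			sharedSecret, sharedSecretOk = secret.Data["sharedSecret"]
		}
		if !sharedSecretOk {
			return nil, NewCriticalError(InvalidSharedSecret)
		}
		auth.Credentials["secret"] = string(sharedSecret)
	}

	auth.Type = atype.String()

	// validate so that defaults get filled in
	if err = auth.Validate(); err != nil {
		return nil, NewCriticalError(InvalidAuthConfig)
	}

	// Log a copy with the secret values masked: the Secret's password /
	// shared secret must never reach the operator log; the realm, the type
	// and the credential keys present are enough for debugging.
	masked := auth
	masked.Credentials = make(map[string]string, len(auth.Credentials))
	for k, v := range auth.Credentials {
		if k != "username" {
			v = "<redacted>"
		}
		masked.Credentials[k] = v
	}
	r.log.V(2).Info("renderExternalAuth ready", "gateway-config", store.GetObjectKey(gwConf),
		"secret", n.String(), "result", fmt.Sprintf("%#v", masked))

	return &auth, nil
}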
// getAuthType resolves a user-supplied auth type name into a STUNner AuthType.
// A nil hint selects stnrconfv1.DefaultAuthType. The aliases "static" (for
// plaintext) and "ephemeral" / "timewindowed" (for longterm) are accepted in
// addition to the canonical names.
//
// Returns AuthTypeUnknown and a critical InvalidAuthType error when the
// name is not recognized by stnrconfv1.NewAuthType.
func getAuthType(hint *string) (stnrconfv1.AuthType, error) {
	name := stnrconfv1.DefaultAuthType
	if hint != nil {
		name = *hint
	}

	// Map the aliases onto the canonical names; anything else is passed
	// through unchanged and left to NewAuthType to accept or reject.
	canonical := name
	switch name {
	case "static":
		canonical = "plaintext"
	case "ephemeral", "timewindowed":
		canonical = "longterm"
	}

	resolved, err := stnrconfv1.NewAuthType(canonical)
	if err != nil {
		return stnrconfv1.AuthTypeUnknown, NewCriticalError(InvalidAuthType)
	}

	return resolved, nil
}