This repository has been archived by the owner on Aug 9, 2022. It is now read-only.
/
secret.go
102 lines (86 loc) · 3.23 KB
/
secret.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/*
Copyright © 2022 SUSE LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package server
import (
"encoding/base64"
"fmt"
"io"
"net/http"
"strings"
v1 "github.com/rancher-sandbox/rancheros-operator/pkg/apis/rancheros.cattle.io/v1"
"github.com/rancher-sandbox/rancheros-operator/pkg/clients"
roscontrollers "github.com/rancher-sandbox/rancheros-operator/pkg/generated/controllers/rancheros.cattle.io/v1"
corecontrollers "github.com/rancher/wrangler/pkg/generated/controllers/core/v1"
"github.com/sirupsen/logrus"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
)
type sharedSecretAuth struct {
secretCache corecontrollers.SecretCache
machineCache roscontrollers.MachineInventoryCache
}
func newSharedSecretAuth(clients *clients.Clients) *sharedSecretAuth {
server := &sharedSecretAuth{
secretCache: clients.Core.Secret().Cache(),
machineCache: clients.OS.MachineInventory().Cache(),
}
server.secretCache.AddIndexer(tokenIndex, func(obj *corev1.Secret) ([]string, error) {
if string(obj.Type) != tokenType {
return nil, nil
}
t := obj.Data[tokenKey]
if len(t) == 0 {
return nil, nil
}
return []string{base64.StdEncoding.EncodeToString(t)}, nil
})
server.machineCache.AddIndexer(machineBySecretNameIndex, func(obj *v1.MachineInventory) ([]string, error) {
if obj.Spec.MachineTokenSecretName == "" {
return nil, nil
}
return []string{obj.Namespace + "/" + obj.Spec.MachineTokenSecretName}, nil
})
return server
}
func (s *sharedSecretAuth) Authenticate(resp http.ResponseWriter, req *http.Request, registerNamespace string) (*v1.MachineInventory, bool, io.WriteCloser, error) {
token := strings.TrimPrefix(req.Header.Get("Authorization"), "Bearer ")
if token == "" || registerNamespace != "" {
return nil, true, nil, nil
}
secrets, err := s.secretCache.GetByIndex(tokenIndex, token)
if apierrors.IsNotFound(err) || len(secrets) == 0 {
return nil, false, nil, fmt.Errorf("token not found")
} else if err != nil {
return nil, false, nil, err
} else if len(secrets) > 1 {
logrus.Errorf("Multiple machine secrets with the same value [%s/%s, %s/%s, ...]",
secrets[0].Namespace, secrets[0].Name, secrets[1].Namespace, secrets[1].Name)
return nil, false, nil, fmt.Errorf("token not found")
}
machines, err := s.machineCache.GetByIndex(machineBySecretNameIndex, secrets[0].Namespace+"/"+secrets[0].Name)
if len(machines) > 1 {
logrus.Errorf("Multiple machine inventories with the token: %v", machines)
}
if apierrors.IsNotFound(err) || len(machines) != 1 {
return nil, false, nil, fmt.Errorf("machine not found")
} else if err != nil {
return nil, false, nil, err
}
return machines[0], false, writeCloser{resp}, nil
}
type writeCloser struct {
io.Writer
}
func (writeCloser) Close() error {
return nil
}