-
Notifications
You must be signed in to change notification settings - Fork 17
/
http.go
117 lines (98 loc) · 4.01 KB
/
http.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package agent
import (
"context"
"fmt"
"net/http"
"net/http/httputil"
"strings"
"time"
"github.com/gorilla/mux"
"github.com/juju/errors"
"github.com/prometheus/client_golang/prometheus/promhttp"
"github.com/rancher/prometheus-auth/pkg/kube"
log "github.com/sirupsen/logrus"
authentication "k8s.io/api/authentication/v1"
)
func (a *agent) httpBackend() http.Handler {
proxy := httputil.NewSingleHostReverseProxy(a.cfg.proxyURL)
router := mux.NewRouter()
if log.GetLevel() == log.DebugLevel {
router.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
log.Debugf("%s - %s", req.Method, req.URL.Path)
next.ServeHTTP(resp, req)
})
})
}
// enable metrics
router.Path("/_/metrics").Methods("GET").Handler(promhttp.Handler())
// proxy white list
router.Path("/alerts").Methods("GET").Handler(proxy)
router.Path("/graph").Methods("GET").Handler(proxy)
router.Path("/status").Methods("GET").Handler(proxy)
router.Path("/flags").Methods("GET").Handler(proxy)
router.Path("/config").Methods("GET").Handler(proxy)
router.Path("/rules").Methods("GET").Handler(proxy)
router.Path("/targets").Methods("GET").Handler(proxy)
router.Path("/version").Methods("GET").Handler(proxy)
router.Path("/service-discovery").Methods("GET").Handler(proxy)
router.PathPrefix("/consoles/").Methods("GET").Handler(proxy)
router.PathPrefix("/static/").Methods("GET").Handler(proxy)
router.PathPrefix("/user/").Methods("GET").Handler(proxy)
router.Path("/metrics").Methods("GET").Handler(proxy)
router.Path("/-/healthy").Methods("GET").Handler(proxy)
router.Path("/-/ready").Methods("GET").Handler(proxy)
router.PathPrefix("/debug/").Methods("GET").Handler(proxy)
// access control
router.PathPrefix("/").Handler(accessControl(a, proxy))
return router
}
func accessControl(agt *agent, proxyHandler http.Handler) http.Handler {
router := mux.NewRouter()
router.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var userInfo authentication.UserInfo
var err error
accessToken := strings.TrimPrefix(r.Header.Get(authorizationHeaderKey), "Bearer ")
// try to authenticate the access token
if len(accessToken) == 0 {
err = errors.New("no access token provided")
} else {
userInfo, err = agt.tokens.Authenticate(accessToken)
}
if err != nil {
// either not token was provided or user is unauthenticated with k8s API
http.Error(w, err.Error(), http.StatusUnauthorized)
return
}
// direct proxy
if kube.MatchingUsers(agt.userInfo, userInfo) {
proxyHandler.ServeHTTP(w, r)
return
}
apiCtx := &apiContext{
tag: fmt.Sprintf("%016x", time.Now().Unix()),
response: w,
request: r,
proxyHandler: proxyHandler,
filterReaderLabelSet: agt.cfg.filterReaderLabelSet,
namespaceSet: agt.namespaces.Query(accessToken),
remoteAPI: agt.remoteAPI,
}
newReqCtx := context.WithValue(r.Context(), apiContextKey, apiCtx)
next.ServeHTTP(w, r.WithContext(newReqCtx))
})
})
router.Path("/api/v1/query").Methods("GET", "POST").Handler(apiContextHandler(hijackQuery))
router.Path("/api/v1/query_range").Methods("GET", "POST").Handler(apiContextHandler(hijackQueryRange))
router.Path("/api/v1/series").Methods("GET").Handler(apiContextHandler(hijackSeries))
router.Path("/api/v1/read").Methods("POST").Handler(apiContextHandler(hijackRead))
router.Path("/api/v1/label/__name__/values").Methods("GET").Handler(apiContextHandler(hijackLabelName))
router.Path("/api/v1/label/namespace/values").Methods("GET").Handler(apiContextHandler(hijackLabelNamespaces))
router.Path("/api/v1/label/{name}/values").Methods("GET").Handler(proxyHandler)
router.Path("/federate").Methods("GET").Handler(apiContextHandler(hijackFederate))
router.PathPrefix("/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "unauthorized", http.StatusUnauthorized)
})
return router
}