-
Notifications
You must be signed in to change notification settings - Fork 328
/
handler.go
128 lines (118 loc) · 3.98 KB
/
handler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
/*
* Tencent is pleased to support the open source community by making TKEStack
* available.
*
* Copyright (C) 2012-2019 Tencent. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use
* this file except in compliance with the License. You may obtain a copy of the
* License at
*
* https://opensource.org/licenses/Apache-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package frontproxy
import (
"context"
"fmt"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
"net/http"
"net/http/httputil"
"net/url"
"strings"
"tkestack.io/tke/pkg/apiserver/authentication/authenticator/oidc"
gatewayconfig "tkestack.io/tke/pkg/gateway/apis/config"
"tkestack.io/tke/pkg/gateway/token"
"tkestack.io/tke/pkg/util/log"
"tkestack.io/tke/pkg/util/transport"
)
type handler struct {
oidcAuthenticator *oidc.Authenticator
reverseProxy *httputil.ReverseProxy
usernameHeader string
groupsHeader string
extraPrefixHeader string
protected bool
}
// NewHandler to create a reverse proxy handler and returns it.
// This mode of reverse proxy will resolve the token in the request cookie,
// call oidc to get the user identity, and pass it to the backend service as
// HTTP header.
func NewHandler(address string, cfg *gatewayconfig.FrontProxyComponent, oidcAuthenticator *oidc.Authenticator, protected bool) (http.Handler, error) {
u, err := url.Parse(address)
if err != nil {
log.Error("Failed to parse backend service address", log.String("address", address), log.Err(err))
return nil, err
}
tr, err := transport.NewTwoWayTLSTransport(cfg.CAFile, cfg.ClientCertFile, cfg.ClientKeyFile)
if err != nil {
log.Error("Failed to create two-way HTTPS transport",
log.String("caFile", cfg.CAFile),
log.String("clientCertFile", cfg.ClientCertFile),
log.String("clientKeyFile", cfg.ClientKeyFile),
log.Err(err))
return nil, err
}
reverseProxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: u.Scheme, Host: u.Host})
reverseProxy.Transport = tr
reverseProxy.ErrorLog = log.StdErrLogger()
return &handler{
oidcAuthenticator: oidcAuthenticator,
reverseProxy: reverseProxy,
usernameHeader: cfg.UsernameHeader,
groupsHeader: cfg.GroupsHeader,
extraPrefixHeader: cfg.ExtraPrefixHeader,
protected: protected,
}, nil
}
func (h handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
if h.protected {
// read cookie
t, err := token.RetrieveToken(req)
if err != nil {
responsewriters.WriteRawJSON(http.StatusUnauthorized, errors.NewUnauthorized(err.Error()), w)
return
}
r, authenticated, err := h.oidcAuthenticator.AuthenticateToken(req.Context(), t.ID)
if err != nil {
responsewriters.WriteRawJSON(http.StatusInternalServerError, errors.NewInternalError(err), w)
return
}
if !authenticated {
responsewriters.WriteRawJSON(http.StatusUnauthorized, errors.NewUnauthorized("invalid token"), w)
return
}
header := make(http.Header, len(req.Header))
for key, values := range req.Header {
if strings.ToLower(key) != "cookie" {
newValues := make([]string, len(values))
copy(newValues, values)
header[key] = newValues
}
}
username := r.User.GetName()
if username != "" {
header.Set(h.usernameHeader, username)
}
groups := r.User.GetGroups()
if len(groups) > 0 {
header.Set(h.groupsHeader, strings.Join(groups, ","))
}
extra := r.User.GetExtra()
if len(extra) > 0 {
for k, v := range extra {
header.Set(fmt.Sprintf("%s%s", h.extraPrefixHeader, k), strings.Join(v, ","))
}
}
newReq := req.WithContext(context.Background())
newReq.Header = header
h.reverseProxy.ServeHTTP(w, newReq)
return
}
h.reverseProxy.ServeHTTP(w, req)
}