Merge 16af7f5 into d28fc04

AthenZ · Jun 1, 2018 · 036bfc9 · 036bfc9
2 parents d28fc04 + 16af7f5
commit 036bfc9
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 5 deletions.
diff --git a/api.go b/api.go
@@ -10,6 +10,8 @@ import (
 	"os"
 	"time"
 
+	"crypto/tls"
+
 	authn "k8s.io/api/authentication/v1beta1"
 	authz "k8s.io/api/authorization/v1beta1"
 )
@@ -53,6 +55,8 @@ func GetLogger(ctx context.Context) Logger {
 // IdentityToken provides an ntoken for Athenz access for the authorization handler itself.
 type IdentityToken func() (string, error)
 
+type IdentityAthenzX509 func() (*tls.Config, error)
+
 // AthenzPrincipal represents a valid Athenz principal.
 type AthenzPrincipal struct {
 	Domain  string // Athenz domain
@@ -116,10 +120,12 @@ type AuthenticationConfig struct {
 
 // AuthorizationConfig is the authorization configuration
 type AuthorizationConfig struct {
-	Config                     // the base config
-	HelpMessage string         // additional message for the user on internal authz errors
-	Token       IdentityToken  // the token provider for calls to Athenz
-	Mapper      ResourceMapper // the resource mapper
+	Config                                   // the base config
+	HelpMessage           string             // additional message for the user on internal authz errors
+	Token                 IdentityToken      // the token provider for calls to Athenz
+	AthenzX509            IdentityAthenzX509 // the x509 provider for calls to Athenz
+	AthenzClientAuthnMode bool               // enable/disable x509 mode for Identity athenz x509
+	Mapper                ResourceMapper     // the resource mapper
 }
 
 // NewAuthenticator returns a handler that can service an authentication request.

diff --git a/authz.go b/authz.go
@@ -65,6 +65,28 @@ func (a *authorizer) client(ctx context.Context) (*client, error) {
 	return newClient(a.Endpoint, a.Timeout, xp), nil
 }
 
+// clientX509 returns the client set up with x509 cert and key to make calls to Athenz.
+func (a *authorizer) clientX509(ctx context.Context) (*client, error) {
+
+	config, err := a.AthenzX509()
+	if err != nil {
+		return nil, err
+	}
+	xpX509 := &http.Transport{
+		TLSClientConfig: config,
+	}
+
+	debugXp := &debugTransport{}
+	if isLogEnabled(ctx, LogTraceAthenz) {
+		debugXp = &debugTransport{
+			log:          getLogger(ctx),
+			RoundTripper: xpX509,
+		}
+		return newClient(a.Endpoint, a.Timeout, debugXp), nil
+	}
+	return newClient(a.Endpoint, a.Timeout, xpX509), nil
+}
+
 // getSubjectAccessReview extracts the subject access review object from the request and returns it.
 func (a *authorizer) getSubjectAccessReview(ctx context.Context, req *http.Request) (*authz.SubjectAccessReview, error) {
 	b, err := ioutil.ReadAll(req.Body)
@@ -131,8 +153,13 @@ func (a *authorizer) authorize(ctx context.Context, sr authz.SubjectAccessReview
 	}
 	internal := "internal setup error."
 	var via string
+	var client *client
 	for _, check := range checks {
-		client, err := a.client(ctx)
+		if a.AthenzX509 != nil {
+			client, err = a.clientX509(ctx)
+		} else {
+			client, err = a.client(ctx)
+		}
 		if err != nil {
 			return deny(NewAuthzError(err, internal), true)
 		}