Move quasi-generic handlers out so controller can reuse them

Will be replaced in a future release with generic upstream filters.

Author: smarterclayton

pkg/cmd/server/handlers/authentication.go

@@ -0,0 +1,34 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/golang/glog"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/auth/authenticator"
+)
+
+// AuthenticationHandlerFilter creates a filter object that will enforce authentication directly
+func AuthenticationHandlerFilter(handler http.Handler, authenticator authenticator.Request, contextMapper kapi.RequestContextMapper) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		user, ok, err := authenticator.AuthenticateRequest(req)
+		if err != nil || !ok {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		ctx, ok := contextMapper.Get(req)
+		if !ok {
+			http.Error(w, "Unable to find request context", http.StatusInternalServerError)
+			return
+		}
+		if err := contextMapper.Update(req, kapi.WithUser(ctx, user)); err != nil {
+			glog.V(4).Infof("Error setting authenticated context: %v", err)
+			http.Error(w, "Unable to set authenticated request context", http.StatusInternalServerError)
+			return
+		}
+
+		handler.ServeHTTP(w, req)
+	})
+}

pkg/cmd/server/handlers/authorization.go

@@ -0,0 +1,91 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+
+	restful "github.com/emicklei/go-restful"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	kapierrors "k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+
+	"github.com/openshift/origin/pkg/authorization/authorizer"
+)
+
+// AuthorizationFilter imposes normal authorization rules
+func AuthorizationFilter(handler http.Handler, authorizer authorizer.Authorizer, authorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder, contextMapper kapi.RequestContextMapper) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		attributes, err := authorizationAttributeBuilder.GetAttributes(req)
+		if err != nil {
+			Forbidden(err.Error(), attributes, w, req)
+			return
+		}
+		if attributes == nil {
+			Forbidden("No attributes", attributes, w, req)
+			return
+		}
+
+		ctx, exists := contextMapper.Get(req)
+		if !exists {
+			Forbidden("context not found", attributes, w, req)
+			return
+		}
+
+		allowed, reason, err := authorizer.Authorize(ctx, attributes)
+		if err != nil {
+			Forbidden(err.Error(), attributes, w, req)
+			return
+		}
+		if !allowed {
+			Forbidden(reason, attributes, w, req)
+			return
+		}
+
+		handler.ServeHTTP(w, req)
+	})
+}
+
+// Forbidden renders a simple forbidden error to the response
+func Forbidden(reason string, attributes authorizer.Action, w http.ResponseWriter, req *http.Request) {
+	kind := ""
+	resource := ""
+	group := ""
+	name := ""
+	// the attributes can be empty for two basic reasons:
+	// 1. malformed API request
+	// 2. not an API request at all
+	// In these cases, just assume default that will work better than nothing
+	if attributes != nil {
+		group = attributes.GetAPIGroup()
+		resource = attributes.GetResource()
+		kind = attributes.GetResource()
+		if len(attributes.GetAPIGroup()) > 0 {
+			kind = attributes.GetAPIGroup() + "." + kind
+		}
+		name = attributes.GetResourceName()
+	}
+
+	// Reason is an opaque string that describes why access is allowed or forbidden (forbidden by the time we reach here).
+	// We don't have direct access to kind or name (not that those apply either in the general case)
+	// We create a NewForbidden to stay close the API, but then we override the message to get a serialization
+	// that makes sense when a human reads it.
+	forbiddenError := kapierrors.NewForbidden(unversioned.GroupResource{Group: group, Resource: resource}, name, errors.New("") /*discarded*/)
+	forbiddenError.ErrStatus.Message = reason
+
+	formatted := &bytes.Buffer{}
+	output, err := runtime.Encode(kapi.Codecs.LegacyCodec(kapi.SchemeGroupVersion), &forbiddenError.ErrStatus)
+	if err != nil {
+		fmt.Fprintf(formatted, "%s", forbiddenError.Error())
+	} else {
+		json.Indent(formatted, output, "", "  ")
+	}
+
+	w.Header().Set("Content-Type", restful.MIME_JSON)
+	w.WriteHeader(http.StatusForbidden)
+	w.Write(formatted.Bytes())
+}

pkg/cmd/server/handlers/impersonation.go

@@ -0,0 +1,142 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/auth/user"
+	"k8s.io/kubernetes/pkg/httplog"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+
+	authenticationapi "github.com/openshift/origin/pkg/auth/api"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer"
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+	userapi "github.com/openshift/origin/pkg/user/api"
+	uservalidation "github.com/openshift/origin/pkg/user/api/validation"
+)
+
+type GroupCache interface {
+	GroupsFor(string) ([]*userapi.Group, error)
+}
+
+// ImpersonationFilter checks for impersonation rules against the current user.
+func ImpersonationFilter(handler http.Handler, a authorizer.Authorizer, groupCache GroupCache, contextMapper kapi.RequestContextMapper) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		requestedUser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
+		if len(requestedUser) == 0 {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		subjects := authorizationapi.BuildSubjects([]string{requestedUser}, req.Header[authenticationapi.ImpersonateGroupHeader],
+			// validates whether the usernames are regular users or system users
+			uservalidation.ValidateUserName,
+			// validates group names are regular groups or system groups
+			uservalidation.ValidateGroupName)
+
+		ctx, exists := contextMapper.Get(req)
+		if !exists {
+			Forbidden("context not found", nil, w, req)
+			return
+		}
+
+		// if groups are not specified, then we need to look them up differently depending on the type of user
+		// if they are specified, then they are the authority
+		groupsSpecified := len(req.Header[authenticationapi.ImpersonateGroupHeader]) > 0
+
+		// make sure we're allowed to impersonate each subject.  While we're iterating through, start building username
+		// and group information
+		username := ""
+		groups := []string{}
+		for _, subject := range subjects {
+			actingAsAttributes := &authorizer.DefaultAuthorizationAttributes{
+				Verb: "impersonate",
+			}
+
+			switch subject.GetObjectKind().GroupVersionKind().GroupKind() {
+			case userapi.Kind(authorizationapi.GroupKind):
+				actingAsAttributes.APIGroup = userapi.GroupName
+				actingAsAttributes.Resource = authorizationapi.GroupResource
+				actingAsAttributes.ResourceName = subject.Name
+				groups = append(groups, subject.Name)
+
+			case userapi.Kind(authorizationapi.SystemGroupKind):
+				actingAsAttributes.APIGroup = userapi.GroupName
+				actingAsAttributes.Resource = authorizationapi.SystemGroupResource
+				actingAsAttributes.ResourceName = subject.Name
+				groups = append(groups, subject.Name)
+
+			case userapi.Kind(authorizationapi.UserKind):
+				actingAsAttributes.APIGroup = userapi.GroupName
+				actingAsAttributes.Resource = authorizationapi.UserResource
+				actingAsAttributes.ResourceName = subject.Name
+				username = subject.Name
+				if !groupsSpecified {
+					if actualGroups, err := groupCache.GroupsFor(subject.Name); err == nil {
+						for _, group := range actualGroups {
+							groups = append(groups, group.Name)
+						}
+					}
+					groups = append(groups, bootstrappolicy.AuthenticatedGroup, bootstrappolicy.AuthenticatedOAuthGroup)
+				}
+
+			case userapi.Kind(authorizationapi.SystemUserKind):
+				actingAsAttributes.APIGroup = userapi.GroupName
+				actingAsAttributes.Resource = authorizationapi.SystemUserResource
+				actingAsAttributes.ResourceName = subject.Name
+				username = subject.Name
+				if !groupsSpecified {
+					if subject.Name == bootstrappolicy.UnauthenticatedUsername {
+						groups = append(groups, bootstrappolicy.UnauthenticatedGroup)
+					} else {
+						groups = append(groups, bootstrappolicy.AuthenticatedGroup)
+					}
+				}
+
+			case kapi.Kind(authorizationapi.ServiceAccountKind):
+				actingAsAttributes.APIGroup = kapi.GroupName
+				actingAsAttributes.Resource = authorizationapi.ServiceAccountResource
+				actingAsAttributes.ResourceName = subject.Name
+				username = serviceaccount.MakeUsername(subject.Namespace, subject.Name)
+				if !groupsSpecified {
+					groups = append(serviceaccount.MakeGroupNames(subject.Namespace, subject.Name), bootstrappolicy.AuthenticatedGroup)
+				}
+
+			default:
+				Forbidden(fmt.Sprintf("unknown subject type: %v", subject), actingAsAttributes, w, req)
+				return
+			}
+
+			authCheckCtx := kapi.WithNamespace(ctx, subject.Namespace)
+
+			allowed, reason, err := a.Authorize(authCheckCtx, actingAsAttributes)
+			if err != nil {
+				Forbidden(err.Error(), actingAsAttributes, w, req)
+				return
+			}
+			if !allowed {
+				Forbidden(reason, actingAsAttributes, w, req)
+				return
+			}
+		}
+
+		var extra map[string][]string
+		if requestScopes, ok := req.Header[authenticationapi.ImpersonateUserScopeHeader]; ok {
+			extra = map[string][]string{authorizationapi.ScopesKey: requestScopes}
+		}
+
+		newUser := &user.DefaultInfo{
+			Name:   username,
+			Groups: groups,
+			Extra:  extra,
+		}
+		contextMapper.Update(req, kapi.WithUser(ctx, newUser))
+
+		oldUser, _ := kapi.UserFrom(ctx)
+		httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
+
+		handler.ServeHTTP(w, req)
+	})
+}

pkg/cmd/server/origin/auth.go

@@ -762,27 +762,3 @@ func (redirectSuccessHandler) AuthenticationSucceeded(user kuser.Info, then stri
 	http.Redirect(w, req, then, http.StatusFound)
 	return true, nil
 }
-
-// authenticationHandlerFilter creates a filter object that will enforce authentication directly
-func authenticationHandlerFilter(handler http.Handler, authenticator authenticator.Request, contextMapper kapi.RequestContextMapper) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		user, ok, err := authenticator.AuthenticateRequest(req)
-		if err != nil || !ok {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-			return
-		}
-
-		ctx, ok := contextMapper.Get(req)
-		if !ok {
-			http.Error(w, "Unable to find request context", http.StatusInternalServerError)
-			return
-		}
-		if err := contextMapper.Update(req, kapi.WithUser(ctx, user)); err != nil {
-			glog.V(4).Infof("Error setting authenticated context: %v", err)
-			http.Error(w, "Unable to set authenticated request context", http.StatusInternalServerError)
-			return
-		}
-
-		handler.ServeHTTP(w, req)
-	})
-}