tokenreview: add APIAudiences config to generic API server and augment context

Kubernetes-commit: 21fd8f204128a7847786927b460d95be34a6dbde
2018-10-09 22:04:52 -07:00 · 2018-10-09 22:04:52 -07:00 · 37ab80320b
parent 616a943945
commit 37ab80320b
5 changed files with 46 additions and 2 deletions
--- a/pkg/authentication/authenticator/helpers.go
+++ b/pkg/authentication/authenticator/helpers.go
@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+// Audiences is a container for the Audiences of a token.
+type Audiences []string
--- a/pkg/endpoints/filters/authentication.go
+++ b/pkg/endpoints/filters/authentication.go
@ -50,12 +50,15 @@ func init() {
 // stores any such user found onto the provided context for the request. If authentication fails or returns an error
 // the failed handler is used. On success, "Authorization" header is removed from the request and handler
 // is invoked to serve the request.
-func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler) http.Handler {
+func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler, apiAuds authenticator.Audiences) http.Handler {
 	if auth == nil {
 		glog.Warningf("Authentication is disabled")
 		return handler
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if len(apiAuds) > 0 {
+			req = req.WithContext(genericapirequest.WithAudiences(req.Context(), apiAuds))
+		}
 		user, ok, err := auth.AuthenticateRequest(req)
 		if err != nil || !ok {
 			if err != nil {
--- a/pkg/endpoints/filters/authentication_test.go
+++ b/pkg/endpoints/filters/authentication_test.go
@ -50,6 +50,7 @@ func TestAuthenticateRequest(t *testing.T) {
 		http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 			t.Errorf("unexpected call to failed")
 		}),
+		nil,
 	)

 	auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})
@ -69,6 +70,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
 		http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 			close(failed)
 		}),
+		nil,
 	)

 	auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
@ -88,6 +90,7 @@ func TestAuthenticateRequestError(t *testing.T) {
 		http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 			close(failed)
 		}),
+		nil,
 	)

 	auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
--- a/pkg/endpoints/request/context.go
+++ b/pkg/endpoints/request/context.go
@ -21,6 +21,7 @@ import (

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/apis/audit"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )

@ -36,6 +37,9 @@ const (

 	// auditKey is the context key for the audit event.
 	auditKey
+
+	// audiencesKey is the context key for request audiences.
+	audiencesKey
 )

 // NewContext instantiates a base context object for request flows.
@ -91,3 +95,14 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
 	ev, _ := ctx.Value(auditKey).(*audit.Event)
 	return ev
 }
+
+// WithAudiences returns a context that stores a request's expected audiences.
+func WithAudiences(ctx context.Context, auds authenticator.Audiences) context.Context {
+	return context.WithValue(ctx, audiencesKey, auds)
+}
+
+// AudiencesFrom returns a request's expected audiences stored in the request context.
+func AudiencesFrom(ctx context.Context) (authenticator.Audiences, bool) {
+	auds, ok := ctx.Value(audiencesKey).(authenticator.Audiences)
+	return auds, ok
+}
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@ -227,6 +227,9 @@ type SecureServingInfo struct {
 }

 type AuthenticationInfo struct {
+	// APIAudiences is a list of identifier that the API identifies as. This is
+	// used by some authenticators to validate audience bound credentials.
+	APIAudiences authenticator.Audiences
 	// Authenticator determines which subject is making the request
 	Authenticator authenticator.Request
 	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
 	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
 	failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
 	failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
-	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler)
+	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 	handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)