func (c *AuthConfig) getAuthenticationRequestHandler() (authenticator.Request, error) {
var authRequestHandlers []authenticator.Request
if c.SessionAuth != nil {
authRequestHandlers = append(authRequestHandlers, c.SessionAuth)
}
for _, identityProvider := range c.Options.IdentityProviders {
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)
if configapi.IsPasswordAuthenticator(identityProvider) {
passwordAuthenticator, err := c.getPasswordAuthenticator(identityProvider)
if err != nil {
return nil, err
}
authRequestHandlers = append(authRequestHandlers, basicauthrequest.NewBasicAuthAuthentication(passwordAuthenticator, true))
} else {
switch provider := identityProvider.Provider.Object.(type) {
case (*configapi.RequestHeaderIdentityProvider):
var authRequestHandler authenticator.Request
authRequestConfig := &headerrequest.Config{
UserNameHeaders: provider.Headers,
}
authRequestHandler = headerrequest.NewAuthenticator(identityProvider.Name, authRequestConfig, identityMapper)
// Wrap with an x509 verifier
if len(provider.ClientCA) > 0 {
caData, err := ioutil.ReadFile(provider.ClientCA)
if err != nil {
return nil, fmt.Errorf("Error reading %s: %v", provider.ClientCA, err)
}
opts := x509request.DefaultVerifyOptions()
opts.Roots = x509.NewCertPool()
if ok := opts.Roots.AppendCertsFromPEM(caData); !ok {
return nil, fmt.Errorf("Error loading certs from %s: %v", provider.ClientCA, err)
}
authRequestHandler = x509request.NewVerifier(opts, authRequestHandler)
}
authRequestHandlers = append(authRequestHandlers, authRequestHandler)
}
}
}
authRequestHandler := unionrequest.NewUnionAuthentication(authRequestHandlers...)
return authRequestHandler, nil
}
func newAuthenticator(config configapi.MasterConfig, etcdHelper tools.EtcdHelper, tokenGetter serviceaccount.ServiceAccountTokenGetter, apiClientCAs *x509.CertPool) authenticator.Request {
authenticators := []authenticator.Request{}
// ServiceAccount token
if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
publicKeys := []*rsa.PublicKey{}
for _, keyFile := range config.ServiceAccountConfig.PublicKeyFiles {
publicKey, err := serviceaccount.ReadPublicKey(keyFile)
if err != nil {
glog.Fatalf("Error reading service account key file %s: %v", keyFile, err)
}
publicKeys = append(publicKeys, publicKey)
}
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(publicKeys, true, tokenGetter)
authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
}
// OAuth token
if config.OAuthConfig != nil {
tokenAuthenticator := getEtcdTokenAuthenticator(etcdHelper)
authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
// Allow token as access_token param for WebSockets
authenticators = append(authenticators, paramtoken.New("access_token", tokenAuthenticator, true))
}
if configapi.UseTLS(config.ServingInfo.ServingInfo) {
// build cert authenticator
// TODO: add "system:" prefix in authenticator, limit cert to username
// TODO: add "system:" prefix to groups in authenticator, limit cert to group name
opts := x509request.DefaultVerifyOptions()
opts.Roots = apiClientCAs
certauth := x509request.New(opts, x509request.SubjectToUserConversion)
authenticators = append(authenticators, certauth)
}
// TODO: make anonymous auth optional?
ret := &unionrequest.Authenticator{
FailOnError: true,
Handlers: []authenticator.Request{
group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{Name: unauthenticatedUsername, Groups: []string{bootstrappolicy.UnauthenticatedGroup}}, true, nil
}),
},
}
return ret
}
