// New returns an authenticator.Request or an error that supports the standard // Kubernetes authentication mechanisms. func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) { var authenticators []authenticator.Request securityDefinitions := spec.SecurityDefinitions{} hasBasicAuth := false hasTokenAuth := false // front-proxy, BasicAuth methods, local first, then remote // Add the front proxy authenticator if requested if config.RequestHeaderConfig != nil { requestHeaderAuthenticator, err := headerrequest.NewSecure( config.RequestHeaderConfig.ClientCA, config.RequestHeaderConfig.AllowedClientNames, config.RequestHeaderConfig.UsernameHeaders, config.RequestHeaderConfig.GroupHeaders, config.RequestHeaderConfig.ExtraHeaderPrefixes, ) if err != nil { return nil, nil, err } authenticators = append(authenticators, requestHeaderAuthenticator) } if len(config.BasicAuthFile) > 0 { basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile) if err != nil { return nil, nil, err } authenticators = append(authenticators, basicAuth) hasBasicAuth = true } if len(config.KeystoneURL) > 0 { keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL, config.KeystoneCAFile) if err != nil { return nil, nil, err } authenticators = append(authenticators, keystoneAuth) hasBasicAuth = true } // X509 methods if len(config.ClientCAFile) > 0 { certAuth, err := newAuthenticatorFromClientCAFile(config.ClientCAFile) if err != nil { return nil, nil, err } authenticators = append(authenticators, certAuth) } // Bearer token methods, local first, then remote if len(config.TokenAuthFile) > 0 { tokenAuth, err := newAuthenticatorFromTokenFile(config.TokenAuthFile) if err != nil { return nil, nil, err } authenticators = append(authenticators, tokenAuth) hasTokenAuth = true } if len(config.ServiceAccountKeyFiles) > 0 { serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter) if err != nil { return nil, nil, err } authenticators = append(authenticators, serviceAccountAuth) hasTokenAuth = true } // NOTE(ericchiang): Keep the OpenID Connect after Service Accounts. // // Because both plugins verify JWTs whichever comes first in the union experiences // cache misses for all requests using the other. While the service account plugin // simply returns an error, the OpenID Connect plugin may query the provider to // update the keys, causing performance hits. if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 { oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim) if err != nil { return nil, nil, err } authenticators = append(authenticators, oidcAuth) hasTokenAuth = true } if len(config.WebhookTokenAuthnConfigFile) > 0 { webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL) if err != nil { return nil, nil, err } authenticators = append(authenticators, webhookTokenAuth) hasTokenAuth = true } // always add anytoken last, so that every other token authenticator gets to try first if config.AnyToken { authenticators = append(authenticators, bearertoken.New(anytoken.AnyTokenAuthenticator{})) hasTokenAuth = true } if hasBasicAuth { securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{ SecuritySchemeProps: spec.SecuritySchemeProps{ Type: "basic", Description: "HTTP Basic authentication", }, } } if hasTokenAuth { securityDefinitions["BearerToken"] = &spec.SecurityScheme{ SecuritySchemeProps: spec.SecuritySchemeProps{ Type: "apiKey", Name: "authorization", In: "header", Description: "Bearer Token authentication", }, } } if len(authenticators) == 0 { if config.Anonymous { return anonymous.NewAuthenticator(), &securityDefinitions, nil } } switch len(authenticators) { case 0: return nil, &securityDefinitions, nil } authenticator := union.New(authenticators...) authenticator = group.NewGroupAdder(authenticator, []string{user.AllAuthenticated}) if config.Anonymous { // If the authenticator chain returns an error, return an error (don't consider a bad bearer token anonymous). authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator()) } return authenticator, &securityDefinitions, nil }
func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) { authenticators := []authenticator.Request{} securityDefinitions := spec.SecurityDefinitions{} // front-proxy first, then remote // Add the front proxy authenticator if requested if c.RequestHeaderConfig != nil { requestHeaderAuthenticator, err := headerrequest.NewSecure( c.RequestHeaderConfig.ClientCA, c.RequestHeaderConfig.AllowedClientNames, c.RequestHeaderConfig.UsernameHeaders, c.RequestHeaderConfig.GroupHeaders, c.RequestHeaderConfig.ExtraHeaderPrefixes, ) if err != nil { return nil, nil, err } authenticators = append(authenticators, requestHeaderAuthenticator) } // x509 client cert auth if len(c.ClientCAFile) > 0 { clientCAs, err := cert.NewPool(c.ClientCAFile) if err != nil { return nil, nil, fmt.Errorf("unable to load client CA file %s: %v", c.ClientCAFile, err) } verifyOpts := x509.DefaultVerifyOptions() verifyOpts.Roots = clientCAs authenticators = append(authenticators, x509.New(verifyOpts, x509.CommonNameUserConversion)) } if c.TokenAccessReviewClient != nil { tokenAuth, err := webhooktoken.NewFromInterface(c.TokenAccessReviewClient, c.CacheTTL) if err != nil { return nil, nil, err } authenticators = append(authenticators, bearertoken.New(tokenAuth)) securityDefinitions["BearerToken"] = &spec.SecurityScheme{ SecuritySchemeProps: spec.SecuritySchemeProps{ Type: "apiKey", Name: "authorization", In: "header", Description: "Bearer Token authentication", }, } } if len(authenticators) == 0 { if c.Anonymous { return anonymous.NewAuthenticator(), &securityDefinitions, nil } return nil, nil, errors.New("No authentication method configured") } authenticator := group.NewGroupAdder(unionauth.New(authenticators...), []string{user.AllAuthenticated}) if c.Anonymous { authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator()) } return authenticator, &securityDefinitions, nil }