vendor files

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/BUILD

@@ -0,0 +1,49 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["config.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authenticator",
+    deps = [
+        "//pkg/serviceaccount:go_default_library",
+        "//vendor/github.com/go-openapi/spec:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/group:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/anonymous:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/keystone:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
+        "//vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp:go_default_library",
+        "//vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc:go_default_library",
+        "//vendor/k8s.io/client-go/util/cert:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go

@@ -0,0 +1,326 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import (
+	"time"
+
+	"github.com/go-openapi/spec"
+
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
+	"k8s.io/apiserver/pkg/authentication/group"
+	"k8s.io/apiserver/pkg/authentication/request/anonymous"
+	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
+	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
+	"k8s.io/apiserver/pkg/authentication/request/union"
+	"k8s.io/apiserver/pkg/authentication/request/websocket"
+	"k8s.io/apiserver/pkg/authentication/request/x509"
+	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
+	"k8s.io/apiserver/pkg/authentication/token/tokenfile"
+	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
+	"k8s.io/apiserver/plugin/pkg/authenticator/password/keystone"
+	"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
+	"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
+	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+
+	// Initialize all known client auth plugins.
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+)
+
+type AuthenticatorConfig struct {
+	Anonymous                   bool
+	BasicAuthFile               string
+	BootstrapToken              bool
+	ClientCAFile                string
+	TokenAuthFile               string
+	OIDCIssuerURL               string
+	OIDCClientID                string
+	OIDCCAFile                  string
+	OIDCUsernameClaim           string
+	OIDCUsernamePrefix          string
+	OIDCGroupsClaim             string
+	OIDCGroupsPrefix            string
+	ServiceAccountKeyFiles      []string
+	ServiceAccountLookup        bool
+	KeystoneURL                 string
+	KeystoneCAFile              string
+	WebhookTokenAuthnConfigFile string
+	WebhookTokenAuthnCacheTTL   time.Duration
+
+	TokenSuccessCacheTTL time.Duration
+	TokenFailureCacheTTL time.Duration
+
+	RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
+
+	// TODO, this is the only non-serializable part of the entire config.  Factor it out into a clientconfig
+	ServiceAccountTokenGetter   serviceaccount.ServiceAccountTokenGetter
+	BootstrapTokenAuthenticator authenticator.Token
+}
+
+// New returns an authenticator.Request or an error that supports the standard
+// Kubernetes authentication mechanisms.
+func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) {
+	var authenticators []authenticator.Request
+	var tokenAuthenticators []authenticator.Token
+	securityDefinitions := spec.SecurityDefinitions{}
+	hasBasicAuth := false
+
+	// front-proxy, BasicAuth methods, local first, then remote
+	// Add the front proxy authenticator if requested
+	if config.RequestHeaderConfig != nil {
+		requestHeaderAuthenticator, err := headerrequest.NewSecure(
+			config.RequestHeaderConfig.ClientCA,
+			config.RequestHeaderConfig.AllowedClientNames,
+			config.RequestHeaderConfig.UsernameHeaders,
+			config.RequestHeaderConfig.GroupHeaders,
+			config.RequestHeaderConfig.ExtraHeaderPrefixes,
+		)
+		if err != nil {
+			return nil, nil, err
+		}
+		authenticators = append(authenticators, requestHeaderAuthenticator)
+	}
+
+	if len(config.BasicAuthFile) > 0 {
+		basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)
+		if err != nil {
+			return nil, nil, err
+		}
+		authenticators = append(authenticators, basicAuth)
+		hasBasicAuth = true
+	}
+	if len(config.KeystoneURL) > 0 {
+		keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL, config.KeystoneCAFile)
+		if err != nil {
+			return nil, nil, err
+		}
+		authenticators = append(authenticators, keystoneAuth)
+		hasBasicAuth = true
+	}
+
+	// X509 methods
+	if len(config.ClientCAFile) > 0 {
+		certAuth, err := newAuthenticatorFromClientCAFile(config.ClientCAFile)
+		if err != nil {
+			return nil, nil, err
+		}
+		authenticators = append(authenticators, certAuth)
+	}
+
+	// Bearer token methods, local first, then remote
+	if len(config.TokenAuthFile) > 0 {
+		tokenAuth, err := newAuthenticatorFromTokenFile(config.TokenAuthFile)
+		if err != nil {
+			return nil, nil, err
+		}
+		tokenAuthenticators = append(tokenAuthenticators, tokenAuth)
+	}
+	if len(config.ServiceAccountKeyFiles) > 0 {
+		serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
+		if err != nil {
+			return nil, nil, err
+		}
+		tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
+	}
+	if config.BootstrapToken {
+		if config.BootstrapTokenAuthenticator != nil {
+			// TODO: This can sometimes be nil because of
+			tokenAuthenticators = append(tokenAuthenticators, config.BootstrapTokenAuthenticator)
+		}
+	}
+	// NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
+	//
+	// Because both plugins verify JWTs whichever comes first in the union experiences
+	// cache misses for all requests using the other. While the service account plugin
+	// simply returns an error, the OpenID Connect plugin may query the provider to
+	// update the keys, causing performance hits.
+	if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
+		oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix)
+		if err != nil {
+			return nil, nil, err
+		}
+		tokenAuthenticators = append(tokenAuthenticators, oidcAuth)
+	}
+	if len(config.WebhookTokenAuthnConfigFile) > 0 {
+		webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL)
+		if err != nil {
+			return nil, nil, err
+		}
+		tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuth)
+	}
+
+	if hasBasicAuth {
+		securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{
+			SecuritySchemeProps: spec.SecuritySchemeProps{
+				Type:        "basic",
+				Description: "HTTP Basic authentication",
+			},
+		}
+	}
+
+	if len(tokenAuthenticators) > 0 {
+		// Union the token authenticators
+		tokenAuth := tokenunion.New(tokenAuthenticators...)
+		// Optionally cache authentication results
+		if config.TokenSuccessCacheTTL > 0 || config.TokenFailureCacheTTL > 0 {
+			tokenAuth = tokencache.New(tokenAuth, config.TokenSuccessCacheTTL, config.TokenFailureCacheTTL)
+		}
+		authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
+		securityDefinitions["BearerToken"] = &spec.SecurityScheme{
+			SecuritySchemeProps: spec.SecuritySchemeProps{
+				Type:        "apiKey",
+				Name:        "authorization",
+				In:          "header",
+				Description: "Bearer Token authentication",
+			},
+		}
+	}
+
+	if len(authenticators) == 0 {
+		if config.Anonymous {
+			return anonymous.NewAuthenticator(), &securityDefinitions, nil
+		}
+	}
+
+	switch len(authenticators) {
+	case 0:
+		return nil, &securityDefinitions, nil
+	}
+
+	authenticator := union.New(authenticators...)
+
+	authenticator = group.NewAuthenticatedGroupAdder(authenticator)
+
+	if config.Anonymous {
+		// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
+		// or invalid username/password combination anonymous).
+		authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
+	}
+
+	return authenticator, &securityDefinitions, nil
+}
+
+// IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file
+func IsValidServiceAccountKeyFile(file string) bool {
+	_, err := certutil.PublicKeysFromFile(file)
+	return err == nil
+}
+
+// newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
+func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
+	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return basicauth.New(basicAuthenticator), nil
+}
+
+// newAuthenticatorFromTokenFile returns an authenticator.Token or an error
+func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) {
+	tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return tokenAuthenticator, nil
+}
+
+// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error.
+func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string) (authenticator.Token, error) {
+	const noUsernamePrefix = "-"
+
+	if usernamePrefix == "" && usernameClaim != "email" {
+		// Old behavior. If a usernamePrefix isn't provided, prefix all claims other than "email"
+		// with the issuerURL.
+		//
+		// See https://github.com/kubernetes/kubernetes/issues/31380
+		usernamePrefix = issuerURL + "#"
+	}
+
+	if usernamePrefix == noUsernamePrefix {
+		// Special value indicating usernames shouldn't be prefixed.
+		usernamePrefix = ""
+	}
+
+	tokenAuthenticator, err := oidc.New(oidc.OIDCOptions{
+		IssuerURL:      issuerURL,
+		ClientID:       clientID,
+		CAFile:         caFile,
+		UsernameClaim:  usernameClaim,
+		UsernamePrefix: usernamePrefix,
+		GroupsClaim:    groupsClaim,
+		GroupsPrefix:   groupsPrefix,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return tokenAuthenticator, nil
+}
+
+// newServiceAccountAuthenticator returns an authenticator.Token or an error
+func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
+	allPublicKeys := []interface{}{}
+	for _, keyfile := range keyfiles {
+		publicKeys, err := certutil.PublicKeysFromFile(keyfile)
+		if err != nil {
+			return nil, err
+		}
+		allPublicKeys = append(allPublicKeys, publicKeys...)
+	}
+
+	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(allPublicKeys, lookup, serviceAccountGetter)
+	return tokenAuthenticator, nil
+}
+
+// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
+func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
+	roots, err := certutil.NewPool(clientCAFile)
+	if err != nil {
+		return nil, err
+	}
+
+	opts := x509.DefaultVerifyOptions()
+	opts.Roots = roots
+
+	return x509.New(opts, x509.CommonNameUserConversion), nil
+}
+
+// newAuthenticatorFromKeystoneURL returns an authenticator.Request or an error
+func newAuthenticatorFromKeystoneURL(keystoneURL string, keystoneCAFile string) (authenticator.Request, error) {
+	keystoneAuthenticator, err := keystone.NewKeystoneAuthenticator(keystoneURL, keystoneCAFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return basicauth.New(keystoneAuthenticator), nil
+}
+
+func newWebhookTokenAuthenticator(webhookConfigFile string, ttl time.Duration) (authenticator.Token, error) {
+	webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, ttl)
+	if err != nil {
+		return nil, err
+	}
+
+	return webhookTokenAuthenticator, nil
+}