Merge check implementations
jotak committed Feb 6, 2023
1 parent 3565287 commit cd5b64d
Showing 4 changed files with 23 additions and 36 deletions.
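--- a/cmd/plugin-backend.go
+++ b/cmd/plugin-backend.go
@@ -11,6 +11,7 @@ import (
 "github.com/sirupsen/logrus"
 
 "github.com/netobserv/network-observability-console-plugin/pkg/kubernetes/auth"
+"github.com/netobserv/network-observability-console-plugin/pkg/kubernetes/client"
 "github.com/netobserv/network-observability-console-plugin/pkg/loki"
 "github.com/netobserv/network-observability-console-plugin/pkg/server"
 )
@@ -86,7 +87,7 @@ func main() {
 if checkType == auth.CheckNone {
 log.Warn("INSECURE: auth checker is disabled")
 }
-checker, err := auth.NewChecker(checkType)
+checker, err := auth.NewChecker(checkType, client.NewInCluster)
 if err != nil {
 log.WithError(err).Fatal("auth checker error")
 }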
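--- a/pkg/kubernetes/auth/check_auth.go
+++ b/pkg/kubernetes/auth/check_auth.go
@@ -28,14 +28,14 @@ type Checker interface {
 CheckAuth(ctx context.Context, header http.Header) error
 }
 
-func NewChecker(typez CheckType) (Checker, error) {
+func NewChecker(typez CheckType, apiProvider client.APIProvider) (Checker, error) {
 switch typez {
 case CheckNone:
 return &NoopChecker{}, nil
 case CheckAuthenticated:
-return &ValidBearerTokenChecker{apiProvider: client.NewInCluster}, nil
+return &BearerTokenChecker{apiProvider: apiProvider, predicates: []tokenReviewPredicate{mustBeAuthenticated}}, nil
 case CheckAdmin:
-return &AdminBearerTokenChecker{apiProvider: client.NewInCluster}, nil
+return &BearerTokenChecker{apiProvider: apiProvider, predicates: []tokenReviewPredicate{mustBeAuthenticated, mustBeClusterAdmin}}, nil
 }
 return nil, fmt.Errorf("auth checker type unknown: %s. Must be one of %s, %s, %s", typez, CheckAdmin, CheckAuthenticated, CheckNone)
 }
@@ -101,39 +101,20 @@ func mustBeClusterAdmin(rvw *authv1.TokenReview) error {
 return errors.New("user not in cluster-admins group")
 }
 
-type ValidBearerTokenChecker struct {
+type BearerTokenChecker struct {
 Checker
 apiProvider client.APIProvider
+predicates []tokenReviewPredicate
 }
 
-func (c *ValidBearerTokenChecker) CheckAuth(ctx context.Context, header http.Header) error {
+func (c *BearerTokenChecker) CheckAuth(ctx context.Context, header http.Header) error {
 hlog.Debug("Checking authenticated user")
 token, err := getUserToken(header)
 if err != nil {
 return err
 }
 hlog.Debug("Checking auth: token found")
-if err = runTokenReview(ctx, c.apiProvider, token, []tokenReviewPredicate{mustBeAuthenticated}); err != nil {
-return err
-}
-
-hlog.Debug("Checking auth: passed")
-return nil
-}
-
-type AdminBearerTokenChecker struct {
-Checker
-apiProvider client.APIProvider
-}
-
-func (c *AdminBearerTokenChecker) CheckAuth(ctx context.Context, header http.Header) error {
-hlog.Debug("Checking authenticated user")
-token, err := getUserToken(header)
-if err != nil {
-return err
-}
-hlog.Debug("Checking auth: token found")
-if err = runTokenReview(ctx, c.apiProvider, token, []tokenReviewPredicate{mustBeAuthenticated, mustBeClusterAdmin}); err != nil {
+if err = runTokenReview(ctx, c.apiProvider, token, c.predicates); err != nil {
 return err
 }
 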
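Review bot: The new `BearerTokenChecker.CheckAuth` enforces only whatever is in `c.predicates`, so a checker whose predicate list is nil or empty — which is exactly the zero value of this exported type, and `&auth.BearerTokenChecker{}` in pkg/server/server_test.go shows that value is reachable from other packages — no longer applies `mustBeAuthenticated`, which both removed types hard-coded. Whether `runTokenReview` itself rejects a TokenReview whose `Status.Authenticated` is false is outside this hunk; if it does not, such a checker fails open for any token the API server merely echoes back. A one-line guard before the call makes the invariant explicit and cheap to test: `if len(c.predicates) == 0 { return errors.New("auth checker misconfigured: no predicates") }` (alternatively, prepend `mustBeAuthenticated` unconditionally inside `CheckAuth` and let `NewChecker` supply only the extra admin predicate). Separately, the struct still embeds the `Checker` interface even though `CheckAuth` is defined on the type; nothing in the hunk sets that field, so its only effect is to let a future method added to `Checker` compile and then nil-panic at runtime — dropping the embed and adding `var _ Checker = (*BearerTokenChecker)(nil)` gives the same compile-time guarantee safely.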
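--- a/pkg/kubernetes/auth/check_auth_test.go
+++ b/pkg/kubernetes/auth/check_auth_test.go
@@ -13,12 +13,17 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+func setupChecker(typez CheckType, m *TokenReviewMock) Checker {
+checker, _ := NewChecker(typez, func() (client.KubeAPI, error) { return m, nil })
+return checker
+}
+
 func TestCheckAuth_NoAuth(t *testing.T) {
 m := TokenReviewMock{}
 m.mockNoAuth()
 
 // Any user authenticated mode
-checkAny := ValidBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkAny := setupChecker(CheckAuthenticated, &m)
 
 // No header => fail
 err := checkAny.CheckAuth(context.TODO(), http.Header{})
@@ -30,7 +35,7 @@ func TestCheckAuth_NoAuth(t *testing.T) {
 require.Equal(t, "user not authenticated", err.Error())
 
 // Admin mode
-checkerAdmin := AdminBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkerAdmin := setupChecker(CheckAdmin, &m)
 
 // No header => fail
 err = checkerAdmin.CheckAuth(context.TODO(), http.Header{})
@@ -54,7 +59,7 @@ func TestCheckAuth_NormalUser(t *testing.T) {
 m.mockNormalUser()
 
 // Any user authenticated mode
-checkAny := ValidBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkAny := setupChecker(CheckAuthenticated, &m)
 
 // No header => fail
 err := checkAny.CheckAuth(context.TODO(), http.Header{})
@@ -65,7 +70,7 @@ func TestCheckAuth_NormalUser(t *testing.T) {
 require.NoError(t, err)
 
 // Admin mode
-checkerAdmin := AdminBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkerAdmin := setupChecker(CheckAdmin, &m)
 
 // No header => fail
 err = checkerAdmin.CheckAuth(context.TODO(), http.Header{})
@@ -89,7 +94,7 @@ func TestCheckAuth_Admin(t *testing.T) {
 m.mockAdmin()
 
 // Any user authenticated mode
-checkAny := ValidBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkAny := setupChecker(CheckAuthenticated, &m)
 
 // No header => fail
 err := checkAny.CheckAuth(context.TODO(), http.Header{})
@@ -100,7 +105,7 @@ func TestCheckAuth_Admin(t *testing.T) {
 require.NoError(t, err)
 
 // Admin mode
-checkerAdmin := AdminBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkerAdmin := setupChecker(CheckAdmin, &m)
 
 // No header => fail
 err = checkerAdmin.CheckAuth(context.TODO(), http.Header{})
@@ -125,7 +130,7 @@ func TestCheckAuth_APIError(t *testing.T) {
 m.mockError()
 
 // Any user authenticated mode
-checkAny := ValidBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkAny := setupChecker(CheckAuthenticated, &m)
 
 // No header => fail
 err := checkAny.CheckAuth(context.TODO(), http.Header{})
@@ -137,7 +142,7 @@ func TestCheckAuth_APIError(t *testing.T) {
 require.Equal(t, fakeError, err.Error())
 
 // Admin mode
-checkerAdmin := AdminBearerTokenChecker{apiProvider: func() (client.KubeAPI, error) { return &m, nil }}
+checkerAdmin := setupChecker(CheckAdmin, &m)
 
 // No header => fail
 err = checkerAdmin.CheckAuth(context.TODO(), http.Header{})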
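Review bot: `setupChecker` discards the error from `NewChecker` with `checker, _ :=`, so a constructor failure would surface as a nil-interface panic at the first `CheckAuth` call instead of a test failure that names the cause. Passing `t` through and asserting is the usual shape in this file, which already uses `require`: `func setupChecker(t *testing.T, typez CheckType, m *TokenReviewMock) Checker {` / `checker, err := NewChecker(typez, func() (client.KubeAPI, error) { return m, nil })` / `require.NoError(t, err)`. Now that every case goes through `NewChecker`, a companion test asserting that an unknown `CheckType` yields the "auth checker type unknown" error (and a nil checker) would also be cheap and would pin the only branch these tests still leave uncovered.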
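--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -115,7 +115,7 @@ func TestServerUnauthorized(t *testing.T) {
 URL: &url.URL{Scheme: "http", Host: "localhost:3100"},
 },
 Port: testPort,
-}, &auth.AdminBearerTokenChecker{})
+}, &auth.BearerTokenChecker{})
 }()
 
 t.Logf("Started test http server: %v", serverURL)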
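Review bot: `&auth.BearerTokenChecker{}` is a checker with a nil `apiProvider` and no predicates, a weaker stand-in than the removed `AdminBearerTokenChecker{}` whose admin predicates were fixed in the type; the test presumably still passes only because the request carries no bearer token, so `getUserToken` fails before the provider is ever invoked. Building the checker through the constructor keeps the test tied to the real predicate wiring and would not nil-deref if a token were ever sent: `checker, err := auth.NewChecker(auth.CheckAdmin, func() (client.KubeAPI, error) { return nil, errors.New("no API server in test") })` followed by `require.NoError(t, err)`, then pass `checker` in place of the literal. The body of TestServerUnauthorized starts and ends outside this hunk, so the exact request it sends is not visible here.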

0 comments on commit cd5b64d

Please sign in to comment.