Matthias Andreas Benkard | 832a54e | 2019-01-29 09:27:38 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2017 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package group |
| 18 | |
| 19 | import ( |
| 20 | "net/http" |
| 21 | |
| 22 | "k8s.io/apiserver/pkg/authentication/authenticator" |
| 23 | "k8s.io/apiserver/pkg/authentication/user" |
| 24 | ) |
| 25 | |
| 26 | // AuthenticatedGroupAdder adds system:authenticated group when appropriate |
| 27 | type AuthenticatedGroupAdder struct { |
| 28 | // Authenticator is delegated to make the authentication decision |
| 29 | Authenticator authenticator.Request |
| 30 | } |
| 31 | |
| 32 | // NewAuthenticatedGroupAdder wraps a request authenticator, and adds the system:authenticated group when appropriate. |
| 33 | // Authentication must succeed, the user must not be system:anonymous, the groups system:authenticated or system:unauthenticated must |
| 34 | // not be present |
| 35 | func NewAuthenticatedGroupAdder(auth authenticator.Request) authenticator.Request { |
| 36 | return &AuthenticatedGroupAdder{auth} |
| 37 | } |
| 38 | |
| 39 | func (g *AuthenticatedGroupAdder) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { |
| 40 | u, ok, err := g.Authenticator.AuthenticateRequest(req) |
| 41 | if err != nil || !ok { |
| 42 | return nil, ok, err |
| 43 | } |
| 44 | |
| 45 | if u.GetName() == user.Anonymous { |
| 46 | return u, true, nil |
| 47 | } |
| 48 | for _, group := range u.GetGroups() { |
| 49 | if group == user.AllAuthenticated || group == user.AllUnauthenticated { |
| 50 | return u, true, nil |
| 51 | } |
| 52 | } |
| 53 | |
| 54 | return &user.DefaultInfo{ |
| 55 | Name: u.GetName(), |
| 56 | UID: u.GetUID(), |
| 57 | Groups: append(u.GetGroups(), user.AllAuthenticated), |
| 58 | Extra: u.GetExtra(), |
| 59 | }, true, nil |
| 60 | } |