blob: 9f0453b15f232c082b3eeb08b40ed01dce423082 [file] [log] [blame]
Matthias Andreas Benkard832a54e2019-01-29 09:27:38 +01001/*
2Copyright 2017 The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17package group
18
19import (
20 "net/http"
21
22 "k8s.io/apiserver/pkg/authentication/authenticator"
23 "k8s.io/apiserver/pkg/authentication/user"
24)
25
26// AuthenticatedGroupAdder adds system:authenticated group when appropriate
27type AuthenticatedGroupAdder struct {
28 // Authenticator is delegated to make the authentication decision
29 Authenticator authenticator.Request
30}
31
32// NewAuthenticatedGroupAdder wraps a request authenticator, and adds the system:authenticated group when appropriate.
33// Authentication must succeed, the user must not be system:anonymous, the groups system:authenticated or system:unauthenticated must
34// not be present
35func NewAuthenticatedGroupAdder(auth authenticator.Request) authenticator.Request {
36 return &AuthenticatedGroupAdder{auth}
37}
38
39func (g *AuthenticatedGroupAdder) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
40 u, ok, err := g.Authenticator.AuthenticateRequest(req)
41 if err != nil || !ok {
42 return nil, ok, err
43 }
44
45 if u.GetName() == user.Anonymous {
46 return u, true, nil
47 }
48 for _, group := range u.GetGroups() {
49 if group == user.AllAuthenticated || group == user.AllUnauthenticated {
50 return u, true, nil
51 }
52 }
53
54 return &user.DefaultInfo{
55 Name: u.GetName(),
56 UID: u.GetUID(),
57 Groups: append(u.GetGroups(), user.AllAuthenticated),
58 Extra: u.GetExtra(),
59 }, true, nil
60}