Add authentication to openapi Spec
This commit is contained in:
mbohlool
@@ -19,6 +19,8 @@ package authenticator
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/go-openapi/spec"
|
||||
|
||||
"k8s.io/kubernetes/pkg/auth/authenticator"
|
||||
"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
|
||||
"k8s.io/kubernetes/pkg/auth/group"
|
||||
@@ -58,30 +60,35 @@ type AuthenticatorConfig struct {
|
||||
|
||||
// New returns an authenticator.Request or an error that supports the standard
|
||||
// Kubernetes authentication mechanisms.
|
||||
func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
||||
func New(config AuthenticatorConfig) (authenticator.Request, *spec.SecurityDefinitions, error) {
|
||||
var authenticators []authenticator.Request
|
||||
securityDefinitions := spec.SecurityDefinitions{}
|
||||
hasBasicAuth := false
|
||||
hasTokenAuth := false
|
||||
|
||||
// BasicAuth methods, local first, then remote
|
||||
if len(config.BasicAuthFile) > 0 {
|
||||
basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, basicAuth)
|
||||
hasBasicAuth = true
|
||||
}
|
||||
if len(config.KeystoneURL) > 0 {
|
||||
keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, keystoneAuth)
|
||||
hasBasicAuth = true
|
||||
}
|
||||
|
||||
// X509 methods
|
||||
if len(config.ClientCAFile) > 0 {
|
||||
certAuth, err := newAuthenticatorFromClientCAFile(config.ClientCAFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, certAuth)
|
||||
}
|
||||
@@ -90,16 +97,18 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
||||
if len(config.TokenAuthFile) > 0 {
|
||||
tokenAuth, err := newAuthenticatorFromTokenFile(config.TokenAuthFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, tokenAuth)
|
||||
hasTokenAuth = true
|
||||
}
|
||||
if len(config.ServiceAccountKeyFiles) > 0 {
|
||||
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, serviceAccountAuth)
|
||||
hasTokenAuth = true
|
||||
}
|
||||
// NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
|
||||
//
|
||||
@@ -110,32 +119,55 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
||||
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
|
||||
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, oidcAuth)
|
||||
hasTokenAuth = true
|
||||
}
|
||||
if len(config.WebhookTokenAuthnConfigFile) > 0 {
|
||||
webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
authenticators = append(authenticators, webhookTokenAuth)
|
||||
hasTokenAuth = true
|
||||
}
|
||||
|
||||
// always add anytoken last, so that every other token authenticator gets to try first
|
||||
if config.AnyToken {
|
||||
authenticators = append(authenticators, bearertoken.New(anytoken.AnyTokenAuthenticator{}))
|
||||
hasTokenAuth = true
|
||||
}
|
||||
|
||||
if hasBasicAuth {
|
||||
securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{
|
||||
SecuritySchemeProps: spec.SecuritySchemeProps{
|
||||
Type: "basic",
|
||||
Description: "HTTP Basic authentication",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
if hasTokenAuth {
|
||||
securityDefinitions["BearerToken"] = &spec.SecurityScheme{
|
||||
SecuritySchemeProps: spec.SecuritySchemeProps{
|
||||
Type: "apiKey",
|
||||
Name: "authorization",
|
||||
In: "header",
|
||||
Description: "Bearer Token authentication",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
if len(authenticators) == 0 {
|
||||
if config.Anonymous {
|
||||
return anonymous.NewAuthenticator(), nil
|
||||
return anonymous.NewAuthenticator(), &securityDefinitions, nil
|
||||
}
|
||||
}
|
||||
|
||||
switch len(authenticators) {
|
||||
case 0:
|
||||
return nil, nil
|
||||
return nil, &securityDefinitions, nil
|
||||
}
|
||||
|
||||
authenticator := union.New(authenticators...)
|
||||
@@ -147,7 +179,7 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
||||
authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
|
||||
}
|
||||
|
||||
return authenticator, nil
|
||||
return authenticator, &securityDefinitions, nil
|
||||
}
|
||||
|
||||
// IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file
|
||||
|
||||
Reference in New Issue
Block a user