auth status route to api server (#342)

This commit is contained in:
RoyUP9
2021-10-12 11:03:58 +03:00
committed by GitHub
parent 56e801a582
commit 837e35255b
8 changed files with 111 additions and 11 deletions

View File

@@ -34,3 +34,13 @@ func PostTappedPods(c *gin.Context) {
func GetTappersCount(c *gin.Context) {
c.JSON(http.StatusOK, providers.TappersCount)
}
func GetAuthStatus(c *gin.Context) {
authStatus, err := providers.GetAuthStatus()
if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
}
c.JSON(http.StatusOK, authStatus)
}

View File

@@ -0,0 +1,29 @@
package providers
import (
"encoding/json"
"fmt"
"github.com/up9inc/mizu/shared"
"os"
)
var authStatus *shared.AuthStatus
func GetAuthStatus() (*shared.AuthStatus, error) {
if authStatus == nil {
authStatus = &shared.AuthStatus{}
authStatusJson := os.Getenv(shared.AuthStatusEnvVar)
if authStatusJson == "" {
return authStatus, nil
}
err := json.Unmarshal([]byte(authStatusJson), authStatus)
if err != nil {
authStatus = nil
return nil, fmt.Errorf("failed to marshal auth status, err: %v", err)
}
}
return authStatus, nil
}

View File

@@ -11,4 +11,6 @@ func StatusRoutes(ginApp *gin.Engine) {
routeGroup.POST("/tappedPods", controllers.PostTappedPods)
routeGroup.GET("/tappersCount", controllers.GetTappersCount)
routeGroup.GET("/auth", controllers.GetAuthStatus)
}

View File

@@ -23,14 +23,9 @@ const loginTimeoutInMin = 2
var listenPorts = []int{3141, 4001, 5002, 6003, 7004, 8005, 9006, 10007}
func IsTokenExpired(tokenString string) (bool, error) {
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
claims, err := getTokenClaims(tokenString)
if err != nil {
return true, fmt.Errorf("failed to parse token, err: %v", err)
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
return true, fmt.Errorf("can't convert token's claims to standard claims")
return true, err
}
expiry := time.Unix(int64(claims["exp"].(float64)), 0)
@@ -38,6 +33,29 @@ func IsTokenExpired(tokenString string) (bool, error) {
return time.Now().After(expiry), nil
}
func GetTokenEmail(tokenString string) (string, error) {
claims, err := getTokenClaims(tokenString)
if err != nil {
return "", err
}
return claims["email"].(string), nil
}
func getTokenClaims(tokenString string) (jwt.MapClaims, error) {
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
if err != nil {
return nil, fmt.Errorf("failed to parse token, err: %v", err)
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
return nil, fmt.Errorf("can't convert token's claims to standard claims")
}
return claims, nil
}
func Login() error {
token, loginErr := loginInteractively()
if loginErr != nil {

View File

@@ -3,6 +3,7 @@ package cmd
import (
"context"
"fmt"
"github.com/up9inc/mizu/cli/auth"
"path"
"regexp"
"strings"
@@ -48,6 +49,12 @@ func RunMizuTap() {
return
}
authStatus, err := getAuthStatus()
if err != nil {
logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error getting auth status: %v", errormessage.FormatError(err)))
return
}
var mizuValidationRules string
if config.Config.Tap.EnforcePolicyFile != "" {
mizuValidationRules, err = readValidationRules(config.Config.Tap.EnforcePolicyFile)
@@ -103,7 +110,7 @@ func RunMizuTap() {
}
defer finishMizuExecution(kubernetesProvider)
if err := createMizuResources(ctx, kubernetesProvider, mizuApiFilteringOptions, mizuValidationRules); err != nil {
if err := createMizuResources(ctx, kubernetesProvider, mizuApiFilteringOptions, mizuValidationRules, authStatus); err != nil {
logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error creating resources: %v", errormessage.FormatError(err)))
return
}
@@ -125,14 +132,14 @@ func readValidationRules(file string) (string, error) {
return string(newContent), nil
}
func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, mizuValidationRules string) error {
func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, mizuValidationRules string, authStatus *shared.AuthStatus) error {
if !config.Config.IsNsRestrictedMode() {
if err := createMizuNamespace(ctx, kubernetesProvider); err != nil {
return err
}
}
if err := createMizuApiServer(ctx, kubernetesProvider, mizuApiFilteringOptions); err != nil {
if err := createMizuApiServer(ctx, kubernetesProvider, mizuApiFilteringOptions, authStatus); err != nil {
return err
}
@@ -153,7 +160,7 @@ func createMizuNamespace(ctx context.Context, kubernetesProvider *kubernetes.Pro
return err
}
func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, authStatus *shared.AuthStatus) error {
var err error
state.mizuServiceAccountExists, err = createRBACIfNecessary(ctx, kubernetesProvider)
@@ -175,6 +182,7 @@ func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Pro
ServiceAccountName: serviceAccountName,
IsNamespaceRestricted: config.Config.IsNsRestrictedMode(),
MizuApiFilteringOptions: mizuApiFilteringOptions,
AuthStatus: authStatus,
MaxEntriesDBSizeBytes: config.Config.Tap.MaxEntriesDBSizeBytes(),
Resources: config.Config.Tap.ApiServerResources,
ImagePullPolicy: config.Config.ImagePullPolicy(),
@@ -215,6 +223,22 @@ func getMizuApiFilteringOptions() (*api.TrafficFilteringOptions, error) {
}, nil
}
func getAuthStatus() (*shared.AuthStatus, error) {
if config.Config.Tap.Workspace == "" {
return &shared.AuthStatus{}, nil
}
email, err := auth.GetTokenEmail(config.Config.Auth.Token)
if err != nil {
return nil, err
}
return &shared.AuthStatus{
Email: email,
Model: config.Config.Tap.Workspace,
}, nil
}
func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
nodeToTappedPodIPMap := getNodeHostToTappedPodIpsMap(state.currentlyTappedPods)

View File

@@ -152,6 +152,7 @@ type ApiServerOptions struct {
ServiceAccountName string
IsNamespaceRestricted bool
MizuApiFilteringOptions *api.TrafficFilteringOptions
AuthStatus *shared.AuthStatus
MaxEntriesDBSizeBytes int64
Resources configStructs.Resources
ImagePullPolicy core.PullPolicy
@@ -162,6 +163,12 @@ func (provider *Provider) CreateMizuApiServerPod(ctx context.Context, opts *ApiS
if err != nil {
return nil, err
}
marshaledAuthStatus, err := json.Marshal(opts.AuthStatus)
if err != nil {
return nil, err
}
configMapVolumeName := &core.ConfigMapVolumeSource{}
configMapVolumeName.Name = mizu.ConfigMapName
configMapOptional := true
@@ -217,6 +224,10 @@ func (provider *Provider) CreateMizuApiServerPod(ctx context.Context, opts *ApiS
Name: shared.MizuFilteringOptionsEnvVar,
Value: string(marshaledFilteringOptions),
},
{
Name: shared.AuthStatusEnvVar,
Value: string(marshaledAuthStatus),
},
{
Name: shared.MaxEntriesDBSizeBytesEnvVar,
Value: strconv.FormatInt(opts.MaxEntriesDBSizeBytes, 10),

View File

@@ -2,6 +2,7 @@ package shared
const (
MizuFilteringOptionsEnvVar = "SENSITIVE_DATA_FILTERING_OPTIONS"
AuthStatusEnvVar = "AUTH_STATUS"
HostModeEnvVar = "HOST_MODE"
NodeNameEnvVar = "NODE_NAME"
TappedAddressesPerNodeDictEnvVar = "TAPPED_ADDRESSES_PER_HOST"

View File

@@ -56,6 +56,11 @@ type TLSLinkInfo struct {
ResolvedSourceName string `json:"resolvedSourceName"`
}
type AuthStatus struct {
Email string `json:"email"`
Model string `json:"model"`
}
func CreateWebSocketStatusMessage(tappingStatus TapStatus) WebSocketStatusMessage {
return WebSocketStatusMessage{
WebSocketMessageMetadata: &WebSocketMessageMetadata{