auth status route to api server (#342)

2025-09-12 21:01:36 +00:00 · 2021-10-12 11:03:58 +03:00
parent 56e801a582
commit 837e35255b
8 changed files with 111 additions and 11 deletions
--- a/agent/pkg/controllers/status_controller.go
+++ b/agent/pkg/controllers/status_controller.go
@@ -34,3 +34,13 @@ func PostTappedPods(c *gin.Context) {
 func GetTappersCount(c *gin.Context) {
 	c.JSON(http.StatusOK, providers.TappersCount)
 }
+
+func GetAuthStatus(c *gin.Context) {
+	authStatus, err := providers.GetAuthStatus()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, authStatus)
+}
--- a/agent/pkg/providers/auth_provider.go
+++ b/agent/pkg/providers/auth_provider.go
@@ -0,0 +1,29 @@
+package providers
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/up9inc/mizu/shared"
+	"os"
+)
+
+var authStatus *shared.AuthStatus
+
+func GetAuthStatus() (*shared.AuthStatus, error) {
+	if authStatus == nil {
+		authStatus = &shared.AuthStatus{}
+
+		authStatusJson := os.Getenv(shared.AuthStatusEnvVar)
+		if authStatusJson == "" {
+			return authStatus, nil
+		}
+
+		err := json.Unmarshal([]byte(authStatusJson), authStatus)
+		if err != nil {
+			authStatus = nil
+			return nil, fmt.Errorf("failed to marshal auth status, err: %v", err)
+		}
+	}
+
+	return authStatus, nil
+}
--- a/agent/pkg/routes/status_routes.go
+++ b/agent/pkg/routes/status_routes.go
@@ -11,4 +11,6 @@ func StatusRoutes(ginApp *gin.Engine) {
 	routeGroup.POST("/tappedPods", controllers.PostTappedPods)

 	routeGroup.GET("/tappersCount", controllers.GetTappersCount)
+
+	routeGroup.GET("/auth", controllers.GetAuthStatus)
 }
--- a/cli/auth/authProvider.go
+++ b/cli/auth/authProvider.go
@@ -23,14 +23,9 @@ const loginTimeoutInMin = 2
 var listenPorts = []int{3141, 4001, 5002, 6003, 7004, 8005, 9006, 10007}

 func IsTokenExpired(tokenString string) (bool, error) {
-	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+	claims, err := getTokenClaims(tokenString)
 	if err != nil {
-		return true, fmt.Errorf("failed to parse token, err: %v", err)
-	}
-
-	claims, ok := token.Claims.(jwt.MapClaims)
-	if !ok {
-		return true, fmt.Errorf("can't convert token's claims to standard claims")
+		return true, err
 	}

 	expiry := time.Unix(int64(claims["exp"].(float64)), 0)
@@ -38,6 +33,29 @@ func IsTokenExpired(tokenString string) (bool, error) {
 	return time.Now().After(expiry), nil
 }

+func GetTokenEmail(tokenString string) (string, error) {
+	claims, err := getTokenClaims(tokenString)
+	if err != nil {
+		return "", err
+	}
+
+	return claims["email"].(string), nil
+}
+
+func getTokenClaims(tokenString string) (jwt.MapClaims, error) {
+	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token, err: %v", err)
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("can't convert token's claims to standard claims")
+	}
+
+	return claims, nil
+}
+
 func Login() error {
 	token, loginErr := loginInteractively()
 	if loginErr != nil {
--- a/cli/cmd/tapRunner.go
+++ b/cli/cmd/tapRunner.go
@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"github.com/up9inc/mizu/cli/auth"
 	"path"
 	"regexp"
 	"strings"
@@ -48,6 +49,12 @@ func RunMizuTap() {
 		return
 	}

+	authStatus, err := getAuthStatus()
+	if err != nil {
+		logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error getting auth status: %v", errormessage.FormatError(err)))
+		return
+	}
+
 	var mizuValidationRules string
 	if config.Config.Tap.EnforcePolicyFile != "" {
 		mizuValidationRules, err = readValidationRules(config.Config.Tap.EnforcePolicyFile)
@@ -103,7 +110,7 @@ func RunMizuTap() {
 	}

 	defer finishMizuExecution(kubernetesProvider)
-	if err := createMizuResources(ctx, kubernetesProvider, mizuApiFilteringOptions, mizuValidationRules); err != nil {
+	if err := createMizuResources(ctx, kubernetesProvider, mizuApiFilteringOptions, mizuValidationRules, authStatus); err != nil {
 		logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error creating resources: %v", errormessage.FormatError(err)))
 		return
 	}
@@ -125,14 +132,14 @@ func readValidationRules(file string) (string, error) {
 	return string(newContent), nil
 }

-func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, mizuValidationRules string) error {
+func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, mizuValidationRules string, authStatus *shared.AuthStatus) error {
 	if !config.Config.IsNsRestrictedMode() {
 		if err := createMizuNamespace(ctx, kubernetesProvider); err != nil {
 			return err
 		}
 	}

-	if err := createMizuApiServer(ctx, kubernetesProvider, mizuApiFilteringOptions); err != nil {
+	if err := createMizuApiServer(ctx, kubernetesProvider, mizuApiFilteringOptions, authStatus); err != nil {
 		return err
 	}

@@ -153,7 +160,7 @@ func createMizuNamespace(ctx context.Context, kubernetesProvider *kubernetes.Pro
 	return err
 }

-func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
+func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions, authStatus *shared.AuthStatus) error {
 	var err error

 	state.mizuServiceAccountExists, err = createRBACIfNecessary(ctx, kubernetesProvider)
@@ -175,6 +182,7 @@ func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Pro
 		ServiceAccountName:      serviceAccountName,
 		IsNamespaceRestricted:   config.Config.IsNsRestrictedMode(),
 		MizuApiFilteringOptions: mizuApiFilteringOptions,
+		AuthStatus:              authStatus,
 		MaxEntriesDBSizeBytes:   config.Config.Tap.MaxEntriesDBSizeBytes(),
 		Resources:               config.Config.Tap.ApiServerResources,
 		ImagePullPolicy:         config.Config.ImagePullPolicy(),
@@ -215,6 +223,22 @@ func getMizuApiFilteringOptions() (*api.TrafficFilteringOptions, error) {
 	}, nil
 }

+func getAuthStatus() (*shared.AuthStatus, error) {
+	if config.Config.Tap.Workspace == "" {
+		return &shared.AuthStatus{}, nil
+	}
+
+	email, err := auth.GetTokenEmail(config.Config.Auth.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &shared.AuthStatus{
+		Email: email,
+		Model: config.Config.Tap.Workspace,
+	}, nil
+}
+
 func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provider, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
 	nodeToTappedPodIPMap := getNodeHostToTappedPodIpsMap(state.currentlyTappedPods)

--- a/cli/kubernetes/provider.go
+++ b/cli/kubernetes/provider.go
@@ -152,6 +152,7 @@ type ApiServerOptions struct {
 	ServiceAccountName      string
 	IsNamespaceRestricted   bool
 	MizuApiFilteringOptions *api.TrafficFilteringOptions
+	AuthStatus              *shared.AuthStatus
 	MaxEntriesDBSizeBytes   int64
 	Resources               configStructs.Resources
 	ImagePullPolicy         core.PullPolicy
@@ -162,6 +163,12 @@ func (provider *Provider) CreateMizuApiServerPod(ctx context.Context, opts *ApiS
 	if err != nil {
 		return nil, err
 	}
+
+	marshaledAuthStatus, err := json.Marshal(opts.AuthStatus)
+	if err != nil {
+		return nil, err
+	}
+
 	configMapVolumeName := &core.ConfigMapVolumeSource{}
 	configMapVolumeName.Name = mizu.ConfigMapName
 	configMapOptional := true
@@ -217,6 +224,10 @@ func (provider *Provider) CreateMizuApiServerPod(ctx context.Context, opts *ApiS
 							Name:  shared.MizuFilteringOptionsEnvVar,
 							Value: string(marshaledFilteringOptions),
 						},
+						{
+							Name: shared.AuthStatusEnvVar,
+							Value: string(marshaledAuthStatus),
+						},
 						{
 							Name:  shared.MaxEntriesDBSizeBytesEnvVar,
 							Value: strconv.FormatInt(opts.MaxEntriesDBSizeBytes, 10),
--- a/shared/consts.go
+++ b/shared/consts.go
@@ -2,6 +2,7 @@ package shared

 const (
 	MizuFilteringOptionsEnvVar       = "SENSITIVE_DATA_FILTERING_OPTIONS"
+	AuthStatusEnvVar                 = "AUTH_STATUS"
 	HostModeEnvVar                   = "HOST_MODE"
 	NodeNameEnvVar                   = "NODE_NAME"
 	TappedAddressesPerNodeDictEnvVar = "TAPPED_ADDRESSES_PER_HOST"
--- a/shared/models.go
+++ b/shared/models.go
@@ -56,6 +56,11 @@ type TLSLinkInfo struct {
 	ResolvedSourceName      string `json:"resolvedSourceName"`
 }

+type AuthStatus struct {
+	Email string `json:"email"`
+	Model string `json:"model"`
+}
+
 func CreateWebSocketStatusMessage(tappingStatus TapStatus) WebSocketStatusMessage {
 	return WebSocketStatusMessage{
 		WebSocketMessageMetadata: &WebSocketMessageMetadata{