Add impersonation support

pkg/accesscontrol/access_control.go

@@ -8,7 +8,7 @@ import (
 )
 
 type AccessControl struct {
-	server.AllAccess
+	server.SchemaBasedAccess
 }
 
 func NewAccessControl() *AccessControl {

pkg/auth/filter.go

@@ -13,6 +13,7 @@ import (
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/transport"
 )
 
 type Authenticator interface {
@@ -125,7 +126,7 @@ func (w *webhookAuth) Authenticate(req *http.Request) (user.Info, bool, error) {
 	return resp.User, ok, err
 }
 
-func ToMiddleware(auth Authenticator) func(rw http.ResponseWriter, req *http.Request, next http.Handler) {
+func ToMiddleware(auth Authenticator) Middleware {
 	return func(rw http.ResponseWriter, req *http.Request, next http.Handler) {
 		info, ok, err := auth.Authenticate(req)
 		if err != nil {
@@ -144,3 +145,24 @@ func ToMiddleware(auth Authenticator) func(rw http.ResponseWriter, req *http.Req
 		next.ServeHTTP(rw, req)
 	}
 }
+
+func Impersonation(req *http.Request) (user.Info, bool, error) {
+	userName := req.Header.Get(transport.ImpersonateUserHeader)
+	if userName == "" {
+		return nil, false, nil
+	}
+
+	result := user.DefaultInfo{
+		Name:   userName,
+		Groups: req.Header[transport.ImpersonateGroupHeader],
+		Extra:  map[string][]string{},
+	}
+
+	for k, v := range req.Header {
+		if strings.HasPrefix(k, transport.ImpersonateUserExtraHeaderPrefix) {
+			result.Extra[k[len(transport.ImpersonateUserExtraHeaderPrefix):]] = v
+		}
+	}
+
+	return &result, true, nil
+}

pkg/client/factory.go

@@ -1,39 +1,43 @@
 package client
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/rancher/steve/pkg/attributes"
 	"github.com/rancher/steve/pkg/schemaserver/types"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest"
 )
 
 type Factory struct {
+	impersonate    bool
+	clientCfg      *rest.Config
+	watchClientCfg *rest.Config
 	client         dynamic.Interface
-	watchClient dynamic.Interface
 	Config         *rest.Config
 }
 
-func NewFactory(cfg *rest.Config) (*Factory, error) {
+func NewFactory(cfg *rest.Config, impersonate bool) (*Factory, error) {
-	newCfg := rest.CopyConfig(cfg)
+	clientCfg := rest.CopyConfig(cfg)
-	newCfg.QPS = 10000
+	clientCfg.QPS = 10000
-	newCfg.Burst = 100
+	clientCfg.Burst = 100
-	c, err := dynamic.NewForConfig(newCfg)
+
+	watchClientCfg := rest.CopyConfig(cfg)
+	watchClientCfg.Timeout = 30 * time.Minute
+
+	dc, err := dynamic.NewForConfig(watchClientCfg)
 	if err != nil {
 		return nil, err
 	}
 
-	newCfg = rest.CopyConfig(cfg)
-	newCfg.Timeout = 30 * time.Minute
-	wc, err := dynamic.NewForConfig(newCfg)
-	if err != nil {
-		return nil, err
-	}
 	return &Factory{
-		client:      c,
+		client:         dc,
-		watchClient: wc,
+		impersonate:    impersonate,
-		Config:      newCfg,
+		clientCfg:      clientCfg,
+		watchClientCfg: watchClientCfg,
+		Config:         watchClientCfg,
 	}, nil
 }
 
@@ -42,11 +46,30 @@ func (p *Factory) DynamicClient() dynamic.Interface {
 }
 
 func (p *Factory) Client(ctx *types.APIRequest, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
-	gvr := attributes.GVR(s)
+	return p.newClient(ctx, p.clientCfg, s, namespace)
-	return p.client.Resource(gvr).Namespace(namespace), nil
 }
 
 func (p *Factory) ClientForWatch(ctx *types.APIRequest, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
-	gvr := attributes.GVR(s)
+	return p.newClient(ctx, p.watchClientCfg, s, namespace)
-	return p.watchClient.Resource(gvr).Namespace(namespace), nil
+}
+
+func (p *Factory) newClient(ctx *types.APIRequest, cfg *rest.Config, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
+	if p.impersonate {
+		user, ok := request.UserFrom(ctx.Context())
+		if !ok {
+			return nil, fmt.Errorf("user not found for impersonation")
+		}
+		cfg = rest.CopyConfig(cfg)
+		cfg.Impersonate.UserName = user.GetName()
+		cfg.Impersonate.Groups = user.GetGroups()
+		cfg.Impersonate.Extra = user.GetExtra()
+	}
+
+	client, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	gvr := attributes.GVR(s)
+	return client.Resource(gvr).Namespace(namespace), nil
 }

pkg/proxy/proxy.go

@@ -7,7 +7,9 @@ import (
 	"strings"
 
 	"github.com/rancher/wrangler/pkg/kubeconfig"
+	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/util/proxy"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 )
@@ -23,6 +25,34 @@ func HandlerFromConfig(prefix, kubeConfig string) (http.Handler, error) {
 	return Handler(prefix, cfg)
 }
 
+func ImpersonatingHandler(prefix string, cfg *rest.Config) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		impersonate(rw, req, prefix, cfg)
+	})
+}
+
+func impersonate(rw http.ResponseWriter, req *http.Request, prefix string, cfg *rest.Config) {
+	user, ok := request.UserFrom(req.Context())
+	if !ok {
+		rw.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	cfg = rest.CopyConfig(cfg)
+	cfg.Impersonate.UserName = user.GetName()
+	cfg.Impersonate.Groups = user.GetGroups()
+	cfg.Impersonate.Extra = user.GetExtra()
+
+	handler, err := Handler(prefix, cfg)
+	if err != nil {
+		logrus.Errorf("failed to impersonate %v for proxy: %v", user, err)
+		rw.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	handler.ServeHTTP(rw, req)
+}
+
 // Mostly copied from "kubectl proxy" code
 func Handler(prefix string, cfg *rest.Config) (http.Handler, error) {
 	host := cfg.Host

pkg/schemaserver/server/access.go

@@ -9,49 +9,49 @@ import (
 	"github.com/rancher/wrangler/pkg/slice"
 )
 
-type AllAccess struct {
+type SchemaBasedAccess struct {
 }
 
-func (*AllAccess) CanCreate(apiOp *types.APIRequest, schema *types.APISchema) error {
+func (*SchemaBasedAccess) CanCreate(apiOp *types.APIRequest, schema *types.APISchema) error {
 	if slice.ContainsString(schema.CollectionMethods, http.MethodPost) {
 		return nil
 	}
 	return httperror.NewAPIError(validation.PermissionDenied, "can not create "+schema.ID)
 }
 
-func (*AllAccess) CanGet(apiOp *types.APIRequest, schema *types.APISchema) error {
+func (*SchemaBasedAccess) CanGet(apiOp *types.APIRequest, schema *types.APISchema) error {
 	if slice.ContainsString(schema.ResourceMethods, http.MethodGet) {
 		return nil
 	}
 	return httperror.NewAPIError(validation.PermissionDenied, "can not get "+schema.ID)
 }
 
-func (*AllAccess) CanList(apiOp *types.APIRequest, schema *types.APISchema) error {
+func (*SchemaBasedAccess) CanList(apiOp *types.APIRequest, schema *types.APISchema) error {
 	if slice.ContainsString(schema.CollectionMethods, http.MethodGet) {
 		return nil
 	}
 	return httperror.NewAPIError(validation.PermissionDenied, "can not list "+schema.ID)
 }
 
-func (*AllAccess) CanUpdate(apiOp *types.APIRequest, obj types.APIObject, schema *types.APISchema) error {
+func (*SchemaBasedAccess) CanUpdate(apiOp *types.APIRequest, obj types.APIObject, schema *types.APISchema) error {
 	if slice.ContainsString(schema.ResourceMethods, http.MethodPut) {
 		return nil
 	}
 	return httperror.NewAPIError(validation.PermissionDenied, "can not update "+schema.ID)
 }
 
-func (*AllAccess) CanDelete(apiOp *types.APIRequest, obj types.APIObject, schema *types.APISchema) error {
+func (*SchemaBasedAccess) CanDelete(apiOp *types.APIRequest, obj types.APIObject, schema *types.APISchema) error {
 	if slice.ContainsString(schema.ResourceMethods, http.MethodDelete) {
 		return nil
 	}
 	return httperror.NewAPIError(validation.PermissionDenied, "can not delete "+schema.ID)
 }
 
-func (a *AllAccess) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
+func (a *SchemaBasedAccess) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
 	return a.CanList(apiOp, schema)
 }
 
-func (*AllAccess) CanAction(apiOp *types.APIRequest, schema *types.APISchema, name string) error {
+func (*SchemaBasedAccess) CanAction(apiOp *types.APIRequest, schema *types.APISchema, name string) error {
 	if _, ok := schema.ActionHandlers[name]; ok {
 		return httperror.NewAPIError(validation.PermissionDenied, "no such action "+name)
 	}

pkg/schemaserver/server/server.go

@@ -56,7 +56,7 @@ func DefaultAPIServer() *Server {
 				Encoder:     types.YAMLEncoder,
 			},
 		},
-		AccessControl: &AllAccess{},
+		AccessControl: &SchemaBasedAccess{},
 		Defaults: Defaults{
 			ByIDHandler:   handlers.ByIDHandler,
 			CreateHandler: handlers.CreateHandler,

pkg/schemaserver/types/types.go

@@ -75,8 +75,21 @@ type APISchema struct {
 	Store               Store                   `json:"-"`
 }
 
+func copyHandlers(m map[string]http.Handler) map[string]http.Handler {
+	if m == nil {
+		return nil
+	}
+	result := make(map[string]http.Handler, len(m))
+	for k, v := range m {
+		result[k] = v
+	}
+
+	return result
+}
 func (a *APISchema) DeepCopy() *APISchema {
 	r := *a
+	r.ActionHandlers = copyHandlers(a.ActionHandlers)
+	r.LinkHandlers = copyHandlers(a.ActionHandlers)
 	r.Schema = r.Schema.DeepCopy()
 	return &r
 }

pkg/server/handler/apiserver.go

@@ -18,6 +18,7 @@ import (
 
 func New(cfg *rest.Config, sf schema.Factory, authMiddleware auth.Middleware, next http.Handler, routerFunc router.RouterFunc) (http.Handler, error) {
 	var (
+		proxy http.Handler
 		err   error
 	)
 
@@ -27,10 +28,14 @@ func New(cfg *rest.Config, sf schema.Factory, authMiddleware auth.Middleware, ne
 	}
 	a.server.AccessControl = accesscontrol.NewAccessControl()
 
-	proxy, err := k8sproxy.Handler("/", cfg)
+	if authMiddleware == nil {
+		proxy, err = k8sproxy.Handler("/", cfg)
 		if err != nil {
 			return nil, err
 		}
+	} else {
+		proxy = k8sproxy.ImpersonatingHandler("/", cfg)
+	}
 
 	w := authMiddleware.Wrap
 	handlers := router.Handlers{

pkg/server/server.go

@@ -51,7 +51,7 @@ func setup(ctx context.Context, server *Server) (http.Handler, *schema.Collectio
 		return nil, nil, err
 	}
 
-	cf, err := client.NewFactory(server.RestConfig)
+	cf, err := client.NewFactory(server.RestConfig, server.AuthMiddleware != nil)
 	if err != nil {
 		return nil, nil, err
 	}