169 lines
4.2 KiB
Go
169 lines
4.2 KiB
Go
package testauth
|
|
|
|
import (
|
|
"fmt"
|
|
"sync"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
"github.com/hashicorp/consul/agent/consul/authmethod"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/go-uuid"
|
|
)
|
|
|
|
func init() {
|
|
authmethod.Register("testing", newValidator)
|
|
}
|
|
|
|
var (
|
|
tokenDatabaseMu sync.Mutex
|
|
tokenDatabase map[string]map[string]map[string]string // session => token => fieldmap
|
|
)
|
|
|
|
func StartSession() string {
|
|
sessionID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return sessionID
|
|
}
|
|
|
|
func ResetSession(sessionID string) {
|
|
tokenDatabaseMu.Lock()
|
|
defer tokenDatabaseMu.Unlock()
|
|
if tokenDatabase != nil {
|
|
delete(tokenDatabase, sessionID)
|
|
}
|
|
}
|
|
|
|
func InstallSessionToken(sessionID string, token string, namespace, name, uid string) {
|
|
fields := map[string]string{
|
|
serviceAccountNamespaceField: namespace,
|
|
serviceAccountNameField: name,
|
|
serviceAccountUIDField: uid,
|
|
}
|
|
|
|
tokenDatabaseMu.Lock()
|
|
defer tokenDatabaseMu.Unlock()
|
|
if tokenDatabase == nil {
|
|
tokenDatabase = make(map[string]map[string]map[string]string)
|
|
}
|
|
sdb, ok := tokenDatabase[sessionID]
|
|
if !ok {
|
|
sdb = make(map[string]map[string]string)
|
|
tokenDatabase[sessionID] = sdb
|
|
}
|
|
sdb[token] = fields
|
|
}
|
|
|
|
func GetSessionToken(sessionID string, token string) (map[string]string, bool) {
|
|
tokenDatabaseMu.Lock()
|
|
defer tokenDatabaseMu.Unlock()
|
|
if tokenDatabase == nil {
|
|
return nil, false
|
|
}
|
|
sdb, ok := tokenDatabase[sessionID]
|
|
if !ok {
|
|
return nil, false
|
|
}
|
|
fields, ok := sdb[token]
|
|
if !ok {
|
|
return nil, false
|
|
}
|
|
|
|
fmCopy := make(map[string]string)
|
|
for k, v := range fields {
|
|
fmCopy[k] = v
|
|
}
|
|
|
|
return fmCopy, true
|
|
}
|
|
|
|
type Config struct {
|
|
SessionID string // unique identifier for this set of tokens in the database
|
|
|
|
enterpriseConfig `mapstructure:",squash"`
|
|
}
|
|
|
|
func newValidator(method *structs.ACLAuthMethod) (authmethod.Validator, error) {
|
|
if method.Type != "testing" {
|
|
return nil, fmt.Errorf("%q is not a testing auth method", method.Name)
|
|
}
|
|
|
|
var config Config
|
|
if err := authmethod.ParseConfig(method.Config, &config); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if config.SessionID == "" {
|
|
// If you don't explicitly create one, we create a random one but you
|
|
// won't have access to it. Useful if you are testing everything EXCEPT
|
|
// ValidateToken().
|
|
config.SessionID = StartSession()
|
|
}
|
|
|
|
return &Validator{
|
|
name: method.Name,
|
|
config: &config,
|
|
}, nil
|
|
}
|
|
|
|
type Validator struct {
|
|
name string
|
|
config *Config
|
|
}
|
|
|
|
func (v *Validator) Name() string { return v.name }
|
|
|
|
// ValidateLogin takes raw user-provided auth method metadata and ensures it is
|
|
// sane, provably correct, and currently valid. Relevant identifying data is
|
|
// extracted and returned for immediate use by the role binding process.
|
|
//
|
|
// Depending upon the method, it may make sense to use these calls to continue
|
|
// to extend the life of the underlying token.
|
|
//
|
|
// Returns auth method specific metadata suitable for the Role Binding process.
|
|
func (v *Validator) ValidateLogin(loginToken string) (map[string]string, *structs.EnterpriseMeta, error) {
|
|
fields, valid := GetSessionToken(v.config.SessionID, loginToken)
|
|
if !valid {
|
|
return nil, nil, acl.ErrNotFound
|
|
}
|
|
|
|
return fields, v.testAuthEntMetaFromFields(fields), nil
|
|
}
|
|
|
|
func (v *Validator) AvailableFields() []string { return availableFields }
|
|
|
|
const (
|
|
serviceAccountNamespaceField = "serviceaccount.namespace"
|
|
serviceAccountNameField = "serviceaccount.name"
|
|
serviceAccountUIDField = "serviceaccount.uid"
|
|
)
|
|
|
|
var availableFields = []string{
|
|
serviceAccountNamespaceField,
|
|
serviceAccountNameField,
|
|
serviceAccountUIDField,
|
|
}
|
|
|
|
// MakeFieldMapSelectable converts a field map as returned by ValidateLogin
|
|
// into a structure suitable for selection with a binding rule.
|
|
func (v *Validator) MakeFieldMapSelectable(fieldMap map[string]string) interface{} {
|
|
return &selectableVars{
|
|
ServiceAccount: selectableServiceAccount{
|
|
Namespace: fieldMap[serviceAccountNamespaceField],
|
|
Name: fieldMap[serviceAccountNameField],
|
|
UID: fieldMap[serviceAccountUIDField],
|
|
},
|
|
}
|
|
}
|
|
|
|
type selectableVars struct {
|
|
ServiceAccount selectableServiceAccount `bexpr:"serviceaccount"`
|
|
}
|
|
|
|
type selectableServiceAccount struct {
|
|
Namespace string `bexpr:"namespace"`
|
|
Name string `bexpr:"name"`
|
|
UID string `bexpr:"uid"`
|
|
}
|