/
types.go
158 lines (135 loc) · 6.54 KB
/
types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
// Copyright 2017 The Kubernetes Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package api
import (
"time"
"k8s.io/client-go/tools/clientcmd/api"
)
const (
// Resource information that are used as encryption key storage. Can be accessible by multiple dashboard replicas.
EncryptionKeyHolderName = "kubernetes-dashboard-key-holder"
EncryptionKeyHolderNamespace = "kube-system"
// Resource information that are used as certificate storage for custom certificates used by the user.
CertificateHolderSecretName = "kubernetes-dashboard-certs"
CertificateHolderSecretNamespace = "kube-system"
// Expiration time (in seconds) of tokens generated by dashboard. Default: 15 min.
DefaultTokenTTL = 900
)
// AuthenticationModes represents auth modes supported by dashboard.
type AuthenticationModes map[AuthenticationMode]bool
// ProtectedResource represents basic information about resource that should be filtered out from Dashboard UI.
type ProtectedResource struct {
// ResourceName is a name of the protected resource.
ResourceName string
// ResourceNamespace is a namespace of the protected resource. Should be empty if resource is non-namespaced.
ResourceNamespace string
}
// IsEnabled returns true if given auth mode is supported, false otherwise.
func (self AuthenticationModes) IsEnabled(mode AuthenticationMode) bool {
_, exists := self[mode]
return exists
}
// Array returns array of auth modes supported by dashboard.
func (self AuthenticationModes) Array() []AuthenticationMode {
modes := []AuthenticationMode{}
for mode := range self {
modes = append(modes, mode)
}
return modes
}
// Add adds given auth mode to AuthenticationModes map
func (self AuthenticationModes) Add(mode AuthenticationMode) {
self[mode] = true
}
// AuthenticationMode represents auth mode supported by dashboard, i.e. basic.
type AuthenticationMode string
// String returns string representation of auth mode.
func (self AuthenticationMode) String() string {
return string(self)
}
// Authentication modes supported by dashboard should be defined below.
const (
Token AuthenticationMode = "token"
Basic AuthenticationMode = "basic"
)
// AuthManager is used for user authentication management.
type AuthManager interface {
// Login authenticates user based on provided LoginSpec and returns AuthResponse. AuthResponse contains
// generated token and list of non-critical errors such as 'Failed authentication'.
Login(*LoginSpec) (*AuthResponse, error)
// Refresh takes valid token that hasn't expired yet and returns a new one with expiration time set to TokenTTL. In
// case provided token has expired, token expiration error is returned.
Refresh(string) (string, error)
// AuthenticationModes returns array of auth modes supported by dashboard.
AuthenticationModes() []AuthenticationMode
// AuthenticationSkippable tells if the Skip button should be enabled or not
AuthenticationSkippable() bool
}
// TokenManager is responsible for generating and decrypting tokens used for authorization. Authorization is handled
// by K8S apiserver. Token contains AuthInfo structure used to create K8S api client.
type TokenManager interface {
// Generate secure token based on AuthInfo structure and save it tokens' payload.
Generate(api.AuthInfo) (string, error)
// Decrypt generated token and return AuthInfo structure that will be used for K8S api client creation.
Decrypt(string) (*api.AuthInfo, error)
// Refresh returns refreshed token based on provided token. In case provided token has expired, token expiration
// error is returned.
Refresh(string) (string, error)
// SetTokenTTL sets expiration time (in seconds) of generated tokens.
SetTokenTTL(time.Duration)
}
// Authenticator represents authentication methods supported by Dashboard. Currently supported types are:
// - Token based - Any bearer token accepted by apiserver
// - Basic - Username and password based authentication. Requires that apiserver has basic auth enabled also
// - Kubeconfig based - Authenticates user based on kubeconfig file. Only token/basic modes are supported within
// the kubeconfig file.
type Authenticator interface {
// GetAuthInfo returns filled AuthInfo structure that can be used for K8S api client creation.
GetAuthInfo() (api.AuthInfo, error)
}
// LoginSpec is extracted from request coming from Dashboard frontend during login request. It contains all the
// information required to authenticate user.
type LoginSpec struct {
// Username is the username for basic authentication to the kubernetes cluster.
Username string `json:"username"`
// Password is the password for basic authentication to the kubernetes cluster.
Password string `json:"password"`
// Token is the bearer token for authentication to the kubernetes cluster.
Token string `json:"token"`
// KubeConfig is the content of users' kubeconfig file. It will be parsed and auth data will be extracted.
// Kubeconfig can not contain any paths. All data has to be provided within the file.
KubeConfig string `json:"kubeConfig"`
}
// AuthResponse is returned from our backend as a response for login/refresh requests. It contains generated JWEToken
// and a list of non-critical errors such as 'Failed authentication'.
type AuthResponse struct {
// JWEToken is a token generated during login request that contains AuthInfo data in the payload.
JWEToken string `json:"jweToken"`
// Errors are a list of non-critical errors that happened during login request.
Errors []error `json:"errors"`
}
// TokenRefreshSpec contains token that is required by token refresh operation.
type TokenRefreshSpec struct {
// JWEToken is a token generated during login request that contains AuthInfo data in the payload.
JWEToken string `json:"jweToken"`
}
// LoginModesResponse contains list of auth modes supported by dashboard.
type LoginModesResponse struct {
Modes []AuthenticationMode `json:"modes"`
}
// LoginSkippableResponse contains a flag that tells the UI not to display the Skip button.
// Note that this only hides the button, it doesn't disable unauthenticated access.
type LoginSkippableResponse struct {
Skippable bool `json:"skippable"`
}