mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-24 17:47:46 +01:00
Add attribute admin username for authproxy
This commit adds the attribute "http_authproxy_admin_usernames", which is string that contains usernames separated by comma, when a user logs in and the username in the tokenreview status matches the setting of this attribute, the user will have administrator permission. Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
parent
85c08d62a4
commit
ad8eee8623
@ -130,6 +130,7 @@ var (
|
||||
{Name: common.HTTPAuthProxyEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
|
||||
{Name: common.HTTPAuthProxyTokenReviewEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
|
||||
{Name: common.HTTPAuthProxyAdminGroups, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
|
||||
{Name: common.HTTPAuthProxyAdminUsernames, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
|
||||
{Name: common.HTTPAuthProxyVerifyCert, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "true", ItemType: &BoolType{}},
|
||||
{Name: common.HTTPAuthProxySkipSearch, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "false", ItemType: &BoolType{}},
|
||||
{Name: common.HTTPAuthProxyServerCertificate, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
|
||||
|
@ -97,6 +97,7 @@ const (
|
||||
HTTPAuthProxyEndpoint = "http_authproxy_endpoint"
|
||||
HTTPAuthProxyTokenReviewEndpoint = "http_authproxy_tokenreview_endpoint"
|
||||
HTTPAuthProxyAdminGroups = "http_authproxy_admin_groups"
|
||||
HTTPAuthProxyAdminUsernames = "http_authproxy_admin_usernames"
|
||||
HTTPAuthProxyVerifyCert = "http_authproxy_verify_cert"
|
||||
HTTPAuthProxySkipSearch = "http_authproxy_skip_search"
|
||||
HTTPAuthProxyServerCertificate = "http_authproxy_server_certificate"
|
||||
|
@ -72,6 +72,7 @@ type HTTPAuthProxy struct {
|
||||
Endpoint string `json:"endpoint"`
|
||||
TokenReviewEndpoint string `json:"tokenreivew_endpoint"`
|
||||
AdminGroups []string `json:"admin_groups"`
|
||||
AdminUsernames []string `json:"admin_usernames"`
|
||||
VerifyCert bool `json:"verify_cert"`
|
||||
SkipSearch bool `json:"skip_search"`
|
||||
ServerCertificate string `json:"server_certificate"`
|
||||
|
@ -116,7 +116,7 @@ func (a *Auth) tokenReview(sessionID string) (*models.User, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
u, err := authproxy.UserFromReviewStatus(reviewStatus, httpAuthProxySetting.AdminGroups)
|
||||
u, err := authproxy.UserFromReviewStatus(reviewStatus, httpAuthProxySetting.AdminGroups, httpAuthProxySetting.AdminUsernames)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -393,6 +393,7 @@ func HTTPAuthProxySetting() (*models.HTTPAuthProxy, error) {
|
||||
Endpoint: cfgMgr.Get(common.HTTPAuthProxyEndpoint).GetString(),
|
||||
TokenReviewEndpoint: cfgMgr.Get(common.HTTPAuthProxyTokenReviewEndpoint).GetString(),
|
||||
AdminGroups: splitAndTrim(cfgMgr.Get(common.HTTPAuthProxyAdminGroups).GetString(), ","),
|
||||
AdminUsernames: splitAndTrim(cfgMgr.Get(common.HTTPAuthProxyAdminUsernames).GetString(), ","),
|
||||
VerifyCert: cfgMgr.Get(common.HTTPAuthProxyVerifyCert).GetBool(),
|
||||
SkipSearch: cfgMgr.Get(common.HTTPAuthProxySkipSearch).GetBool(),
|
||||
ServerCertificate: cfgMgr.Get(common.HTTPAuthProxyServerCertificate).GetString(),
|
||||
|
@ -248,6 +248,7 @@ y1bQusZMygQezfCuEzsewF+OpANFovCTUEs6s5vyoVNP8lk=
|
||||
assert.Equal(t, *v, models.HTTPAuthProxy{
|
||||
Endpoint: "https://auth.proxy/suffix",
|
||||
AdminGroups: []string{"group1", "group2"},
|
||||
AdminUsernames: []string{},
|
||||
SkipSearch: true,
|
||||
VerifyCert: true,
|
||||
ServerCertificate: certificate,
|
||||
|
@ -78,14 +78,21 @@ func getTLSConfig(config *models.HTTPAuthProxy) rest.TLSClientConfig {
|
||||
|
||||
// UserFromReviewStatus transform a review status to a user model.
|
||||
// Group entries will be populated if needed.
|
||||
func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups []string) (*models.User, error) {
|
||||
|
||||
func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups []string, adminUsernames []string) (*models.User, error) {
|
||||
if !status.Authenticated {
|
||||
return nil, fmt.Errorf("failed to authenticate the token, error in status: %s", status.Error)
|
||||
}
|
||||
user := &models.User{
|
||||
Username: status.User.Username,
|
||||
}
|
||||
for _, au := range adminUsernames {
|
||||
if status.User.Username == au {
|
||||
log.Debugf("Username: %s in the adminusers list, assigning user admin permission", au)
|
||||
user.AdminRoleInAuth = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if len(status.User.Groups) > 0 {
|
||||
userGroups := models.UserGroupsFromName(status.User.Groups, common.HTTPGroupType)
|
||||
groupIDList, err := group.PopulateGroup(userGroups)
|
||||
@ -94,7 +101,7 @@ func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups
|
||||
}
|
||||
log.Debugf("current user's group ID list is %+v", groupIDList)
|
||||
user.GroupIDs = groupIDList
|
||||
if len(adminGroups) > 0 {
|
||||
if len(adminGroups) > 0 && !user.AdminRoleInAuth { // skip checking admin group if user already has admin role
|
||||
agm := make(map[string]struct{})
|
||||
for _, ag := range adminGroups {
|
||||
agm[ag] = struct{}{}
|
||||
@ -108,5 +115,4 @@ func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups
|
||||
}
|
||||
}
|
||||
return user, nil
|
||||
|
||||
}
|
||||
|
@ -29,6 +29,7 @@ func TestUserFromReviewStatus(t *testing.T) {
|
||||
cases := []struct {
|
||||
input v1beta1.TokenReviewStatus
|
||||
adminGroups []string
|
||||
adminUsernames []string
|
||||
expect result
|
||||
}{
|
||||
{
|
||||
@ -37,6 +38,7 @@ func TestUserFromReviewStatus(t *testing.T) {
|
||||
Error: "connection error",
|
||||
},
|
||||
adminGroups: []string{"admin"},
|
||||
adminUsernames: []string{},
|
||||
expect: result{
|
||||
hasErr: true,
|
||||
},
|
||||
@ -50,6 +52,7 @@ func TestUserFromReviewStatus(t *testing.T) {
|
||||
},
|
||||
},
|
||||
adminGroups: []string{"admin"},
|
||||
adminUsernames: []string{},
|
||||
expect: result{
|
||||
hasErr: false,
|
||||
username: "jack",
|
||||
@ -67,6 +70,7 @@ func TestUserFromReviewStatus(t *testing.T) {
|
||||
Error: "",
|
||||
},
|
||||
adminGroups: []string{"group2", "admin"},
|
||||
adminUsernames: []string{},
|
||||
expect: result{
|
||||
hasErr: false,
|
||||
username: "daniel",
|
||||
@ -84,16 +88,17 @@ func TestUserFromReviewStatus(t *testing.T) {
|
||||
Error: "",
|
||||
},
|
||||
adminGroups: []string{},
|
||||
adminUsernames: []string{"daniel", "admin"},
|
||||
expect: result{
|
||||
hasErr: false,
|
||||
username: "daniel",
|
||||
groupLen: 2,
|
||||
adminInAuth: false,
|
||||
adminInAuth: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, c := range cases {
|
||||
u, err := UserFromReviewStatus(c.input, c.adminGroups)
|
||||
u, err := UserFromReviewStatus(c.input, c.adminGroups, c.adminUsernames)
|
||||
if c.expect.hasErr == true {
|
||||
assert.NotNil(t, err)
|
||||
} else {
|
||||
|
@ -86,7 +86,7 @@ func (a *authProxy) Generate(req *http.Request) security.Context {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
u2, err := authproxy.UserFromReviewStatus(tokenReviewStatus, httpAuthProxyConf.AdminGroups)
|
||||
u2, err := authproxy.UserFromReviewStatus(tokenReviewStatus, httpAuthProxyConf.AdminGroups, httpAuthProxyConf.AdminUsernames)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get user information from token review status: %v", err)
|
||||
return nil
|
||||
|
@ -58,6 +58,7 @@ func TestAuthProxy(t *testing.T) {
|
||||
VerifyCert: false,
|
||||
TokenReviewEndpoint: server.URL,
|
||||
AdminGroups: []string{},
|
||||
AdminUsernames: []string{},
|
||||
})
|
||||
|
||||
// No onboard
|
||||
|
Loading…
Reference in New Issue
Block a user