zishuo/onepanel
1
0
Fork 0
mirror of https://github.com/onepanelio/onepanel.git synced 2025-10-05 05:36:50 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: allowed onepanel-auth-token header to provide authentication token.

Browse Source 
Updated server to make that key not require a grpc-gateway prefix.
This commit is contained in:
Andrey Melnikov
2020-07-20 20:52:36 -07:00
parent b01c0c41a8
commit 7af3c9dd7c
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
main.go
View File

@@ -15,6 +15,7 @@ import (
"net" "net"
"net/http" "net/http"
"path/filepath" "path/filepath"
"strings"
"github.com/gorilla/handlers" "github.com/gorilla/handlers"
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -159,7 +160,7 @@ func startHTTPProxy() {
// Register gRPC server endpoint // Register gRPC server endpoint
// Note: Make sure the gRPC server is running properly and accessible // Note: Make sure the gRPC server is running properly and accessible
mux := runtime.NewServeMux() mux := runtime.NewServeMux(runtime.WithIncomingHeaderMatcher(customHeaderMatcher))
opts := []grpc.DialOption{grpc.WithInsecure()} opts := []grpc.DialOption{grpc.WithInsecure()}
registerHandler(api.RegisterWorkflowTemplateServiceHandlerFromEndpoint, ctx, mux, endpoint, opts) registerHandler(api.RegisterWorkflowTemplateServiceHandlerFromEndpoint, ctx, mux, endpoint, opts)
@@ -251,3 +252,16 @@ func watchConfigmapChanges(client *v1.Client, namespace string, stopCh <-chan st
neverStopCh := make(chan struct{}) neverStopCh := make(chan struct{})
controller.Run(neverStopCh) controller.Run(neverStopCh)
} }
// customHeaderMatcher is used to allow certain headers so we don't require a grpc-gateway prefix
func customHeaderMatcher(key string) (string, bool) {
lowerCaseKey := strings.ToLower(key)
switch lowerCaseKey {
case "onepanel-auth-token":
return lowerCaseKey, true
case "cookie":
return lowerCaseKey, true
default:
return runtime.DefaultHeaderMatcher(key)
}
}

5
server/auth/auth.go
View File

@@ -50,6 +50,10 @@ func getBearerToken(ctx context.Context) (*string, bool) {
} }
} }
for _, t := range md.Get("onepanel-auth-token") {
return &t, true
}
return nil, false return nil, false
} }
@@ -98,6 +102,7 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
// 2. Is there a token? There should be a token for everything except logging in. // 2. Is there a token? There should be a token for everything except logging in.
func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfig) grpc.UnaryServerInterceptor { func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfig) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) { return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
// Check if the provided token is valid. This does not require a token in the header.
if info.FullMethod == "/api.AuthService/IsValidToken" { if info.FullMethod == "/api.AuthService/IsValidToken" {
md, ok := metadata.FromIncomingContext(ctx) md, ok := metadata.FromIncomingContext(ctx)
if !ok { if !ok {