// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package security

import (
	"context"
	"errors"

	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/peer"

	"istio.io/istio/pilot/pkg/features"
	"istio.io/istio/pkg/env"
)

// AuthPlaintext enables running the configured authenticators on requests that
// did not arrive over TLS. It is read once from XDS_AUTH_PLAINTEXT and is intended
// only for Istiod deployments on a secure/trusted network, where the transport
// itself does not carry the peer's identity.
var AuthPlaintext = env.Register(
	"XDS_AUTH_PLAINTEXT",
	false,
	"authenticate plain text requests - used if Istiod is running on a secure/trusted network",
).Get()

// Authenticate authenticates the ADS request using the configured authenticators.
// Returns the validated principals or an error.
// If no authenticators are configured, or if the request is on a non-secure
// stream ( 15010 ) - returns an empty caller and no errors.
func Authenticate(ctx context.Context, authenticators []Authenticator) (*Caller, error) {
	// Authentication is feature-gated: with XDS auth disabled every request is
	// treated as anonymous (empty caller, no error), so nothing below runs.
	if !features.XDSAuth {
		return nil, nil
	}

	// Currently the only check performed is that the request carries a certificate
	// signed with our key. The gate exists to avoid breaking upgrades; it should be
	// enabled wherever XDS is exposed (multi-cluster / mesh expansion).
	p, ok := peer.FromContext(ctx)
	if !ok {
		return nil, errors.New("invalid context")
	}

	// Without TLS (the insecure port, 15010) no authentication is attempted and the
	// caller stays anonymous, unless XDS_AUTH_PLAINTEXT opts plaintext requests into
	// the authenticators below.
	// TODO: add a flag to prevent unauthenticated requests ( 15010 )
	_, overTLS := p.AuthInfo.(credentials.TLSInfo)
	if !overTLS && !AuthPlaintext {
		return nil, nil
	}

	mgr := authenticationManager{Authenticators: authenticators}
	caller := mgr.authenticate(ctx)
	if caller == nil {
		// Every authenticator rejected the request; surface their reasons in the
		// log but hand the client only a generic failure.
		securityLog.Errorf("Failed to authenticate client from %s: %s", p.Addr.String(), mgr.FailedMessages())
		return nil, errors.New("authentication failure")
	}
	return caller, nil
}