Adds token passthrough using the review token endpoint

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/options/options.go

@@ -9,6 +9,25 @@ import (
 	cliflag "k8s.io/component-base/cli/flag"
 )
 
+type TokenPassthroughOptions struct {
+	Audiences []string
+	Enabled   bool
+}
+
+func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(&t.Audiences, "token-audiences", t.Audiences, ""+
+		"List of the identifiers that the resource server presented with the token "+
+		"identifies as. Audience-aware token authenticators will verify that the token "+
+		"was intended for at least one of the audiences in this list. If no audiences "+
+		"are provided, the audience will default to the audience of the Kubernetes "+
+		"apiserver.")
+
+	fs.BoolVar(&t.Enabled, "token-passthrough", t.Enabled, ""+
+		"Requests with Bearer tokens that fail OIDC validation are tried against "+
+		"the API server using the Token Review endpoint. If successful, the request "+
+		"is sent on as is, with no impersonation.")
+}
+
 type OIDCAuthenticationOptions struct {
 	APIAudiences   []string
 	CAFile         string
@@ -32,26 +51,22 @@ func (o *OIDCAuthenticationOptions) Validate() error {
 
 func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
-		"Identifiers of the API. The service account token authenticator will validate that "+
-		"tokens used against the API are bound to at least one of these audiences. If the "+
-		"--service-account-issuer flag is configured and this flag is not, this field "+
-		"defaults to a single element list containing the issuer URL .")
+		"Identifiers of the API. This can be used as an additional list of "+
+		"identifiers that exist in the target audiences of requests.")
 
 	fs.StringVar(&o.IssuerURL, "oidc-issuer-url", o.IssuerURL, ""+
-		"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
-		"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+		"The URL of the OpenID issuer, only HTTPS scheme will be accepted.")
 
 	fs.StringVar(&o.ClientID, "oidc-client-id", o.ClientID,
-		"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+		"The client ID for the OpenID Connect client.")
 
 	fs.StringVar(&o.CAFile, "oidc-ca-file", o.CAFile, ""+
-		"If set, the OpenID server's certificate will be verified by one of the authorities "+
-		"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+		"The OpenID server's certificate will be verified by one of the authorities "+
+		"in the oidc-ca-file, otherwise the host's root CA set will be used")
 
 	fs.StringVar(&o.UsernameClaim, "oidc-username-claim", "sub", ""+
-		"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
-		"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
-		"the authentication documentation for further details.")
+		"The OpenID claim to use as the username. Note that claims other than the default ('sub') "+
+		"is not guaranteed to be unique and immutable")
 
 	fs.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", ""+
 		"If provided, all usernames will be prefixed with this value. If not provided, "+
@@ -60,8 +75,7 @@ func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 
 	fs.StringVar(&o.GroupsClaim, "oidc-groups-claim", "", ""+
 		"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
-		"The claim value is expected to be a string or array of strings. This flag is experimental, "+
-		"please see the authentication documentation for further details.")
+		"The claim value is expected to be a string or array of strings.")
 
 	fs.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", ""+
 		"If provided, all groups will be prefixed with this value to prevent conflicts with "+

cmd/run.go

@@ -44,6 +44,8 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	}
 	ssoptionsWithLB := ssoptions.WithLoopback()
 
+	tpOptions := new(options.TokenPassthroughOptions)
+
 	clientConfigFlags := genericclioptions.NewConfigFlags(true)
 
 	healthCheck := probe.New(strconv.Itoa(readinessProbePort))
@@ -124,6 +126,9 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	oidcfs := namedFlagSets.FlagSet("OIDC")
 	oidcOptions.AddFlags(oidcfs)
 
+	tpfs := namedFlagSets.FlagSet("Token Passthrough (Alpha)")
+	tpOptions.AddFlags(tpfs)
+
 	ssoptionsWithLB.AddFlags(namedFlagSets.FlagSet("secure serving"))
 
 	clientConfigFlags.CacheDir = nil

pkg/proxy/tokenreview/fake/tokenreview.go

@@ -0,0 +1,30 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package fake
+
+import (
+	authv1 "k8s.io/api/authentication/v1"
+)
+
+type FakeReviewer struct {
+	CreateFn func(*authv1.TokenReview) (*authv1.TokenReview, error)
+}
+
+func New() *FakeReviewer {
+	return &FakeReviewer{
+		CreateFn: func(*authv1.TokenReview) (*authv1.TokenReview, error) {
+			return nil, nil
+		},
+	}
+}
+
+func (f *FakeReviewer) Create(req *authv1.TokenReview) (*authv1.TokenReview, error) {
+	return f.CreateFn(req)
+}
+
+func (f *FakeReviewer) WithCreate(req *authv1.TokenReview, err error) *FakeReviewer {
+	f.CreateFn = func(*authv1.TokenReview) (*authv1.TokenReview, error) {
+		return req, err
+	}
+
+	return f
+}

pkg/proxy/tokenreview/tokenreview.go

@@ -0,0 +1,53 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package tokenreview
+
+import (
+	"fmt"
+
+	authv1 "k8s.io/api/authentication/v1"
+	"k8s.io/client-go/kubernetes"
+	clientauthv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
+	"k8s.io/client-go/rest"
+)
+
+type TokenReview struct {
+	reviewRequester clientauthv1.TokenReviewInterface
+	audiences       []string
+}
+
+func New(restConfig *rest.Config, audiences []string) (*TokenReview, error) {
+	kubeclient, err := kubernetes.NewForConfig(restConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return &TokenReview{
+		reviewRequester: kubeclient.AuthenticationV1().TokenReviews(),
+		audiences:       audiences,
+	}, nil
+}
+
+func (t *TokenReview) Review(token string) (bool, error) {
+	review := t.buildReview(token)
+
+	resp, err := t.reviewRequester.Create(review)
+	if err != nil {
+		return false, err
+	}
+
+	if len(resp.Status.Error) > 0 {
+		return false, fmt.Errorf("error authenticating using token review: %s",
+			resp.Status.Error)
+	}
+
+	return resp.Status.Authenticated, nil
+}
+
+func (t *TokenReview) buildReview(token string) *authv1.TokenReview {
+	return &authv1.TokenReview{
+		Spec: authv1.TokenReviewSpec{
+			Token:     token,
+			Audiences: t.audiences,
+		},
+	}
+}

pkg/proxy/tokenreview/tokenreview_test.go

@@ -0,0 +1,90 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package tokenreview
+
+import (
+	"errors"
+	"reflect"
+	"testing"
+
+	authv1 "k8s.io/api/authentication/v1"
+
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview/fake"
+)
+
+type testT struct {
+	reviewResp *authv1.TokenReview
+	errResp    error
+
+	expAuth bool
+	expErr  error
+}
+
+func TestReview(t *testing.T) {
+
+	tests := map[string]testT{
+		"if a create fails then this error is returned": {
+			reviewResp: nil,
+			errResp:    errors.New("create error response"),
+			expAuth:    false,
+			expErr:     errors.New("create error response"),
+		},
+
+		"if an error exists in the status of the response pass error back": {
+			reviewResp: &authv1.TokenReview{
+				Status: authv1.TokenReviewStatus{
+					Error: "status error",
+				},
+			},
+			errResp: nil,
+			expAuth: false,
+			expErr:  errors.New("error authenticating using token review: status error"),
+		},
+
+		"if the response returns unauthenticated, return false": {
+			reviewResp: &authv1.TokenReview{
+				Status: authv1.TokenReviewStatus{
+					Authenticated: false,
+				},
+			},
+			errResp: nil,
+			expAuth: false,
+			expErr:  nil,
+		},
+
+		"if the response returns authenticated, return true": {
+			reviewResp: &authv1.TokenReview{
+				Status: authv1.TokenReviewStatus{
+					Authenticated: true,
+				},
+			},
+			errResp: nil,
+			expAuth: true,
+			expErr:  nil,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			runTest(t, test)
+		})
+	}
+}
+
+func runTest(t *testing.T, test testT) {
+	tReviewer := &TokenReview{
+		audiences:       nil,
+		reviewRequester: fake.New().WithCreate(test.reviewResp, test.errResp),
+	}
+
+	authed, err := tReviewer.Review("test-token")
+
+	if !reflect.DeepEqual(test.expErr, err) {
+		t.Errorf("got unexpected error, exp=%v got=%v",
+			test.expErr, err)
+	}
+
+	if test.expAuth != authed {
+		t.Errorf("got unexpected authed, exp=%t got=%t",
+			test.expAuth, authed)
+	}
+}