Merge pull request #128 from JoshVanL/user-extra-headers

Extra User Info Impersonation Headers

Author: jetstack-bot

Makefile

@@ -76,9 +76,10 @@ go_lint: $(BINDIR)/golangci-lint ## lint golang code for problems
 clean: ## clean up created files
 	rm -rf \
 		$(BINDIR) \
-		pkg/mocks/authenticator.go \
-		demo/bin \
-		test/e2e/framework/issuer/bin
+		$(CURDIR)/pkg/mocks/authenticator.go \
+		$(CURDIR)/demo/bin \
+		$(CURDIR)/test/e2e/framework/issuer/bin \
+		$(CURDIR)/test/e2e/framework/fake-apiserver/bin
 
 verify: depend verify_boilerplate go_fmt go_vet go_lint ## verify code and mod
 

README.md

@@ -128,6 +128,7 @@ users:
 ## Configuration
  - [Token Passthrough](./docs/tasks/token-passthrough.md)
  - [No Impersonation](./docs/tasks/no-impersonation.md)
+ - [Extra Impersonations Headers](./docs/tasks/extra-impersonation-headers.md)
 
 ## Development
 *NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.

cmd/app/options/kube_oidc_proxy.go

@@ -3,18 +3,39 @@ package options
 
 import (
 	"github.com/spf13/pflag"
+
+	"github.com/jetstack/kube-oidc-proxy/pkg/util/flags"
 )
 
+type KubeOIDCProxyOptions struct {
+	DisableImpersonation bool
+	ReadinessProbePort   int
+
+	TokenPassthrough   TokenPassthroughOptions
+	ExtraHeaderOptions ExtraHeaderOptions
+}
+
 type TokenPassthroughOptions struct {
 	Audiences []string
 	Enabled   bool
 }
 
-type KubeOIDCProxyOptions struct {
-	DisableImpersonation bool
-	TokenPassthrough     TokenPassthroughOptions
+type ExtraHeaderOptions struct {
+	EnableClientIPExtraUserHeader bool
 
-	ReadinessProbePort int
+	ExtraUserHeaders map[string][]string
+}
+
+func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&k.DisableImpersonation, "disable-impersonation", k.DisableImpersonation,
+		"(Alpha) Disable the impersonation of authenticated requests. All "+
+			"authenticated requests will be forwarded as is.")
+
+	fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080,
+		"Port to expose readiness probe.")
+
+	k.TokenPassthrough.AddFlags(fs)
+	k.ExtraHeaderOptions.AddFlags(fs)
 }
 
 func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
@@ -31,13 +52,15 @@ func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
 		"is sent on as is, with no impersonation.")
 }
 
-func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.BoolVar(&k.DisableImpersonation, "disable-impersonation", k.DisableImpersonation,
-		"(Alpha) Disable the impersonation of authenticated requests. All "+
-			"authenticated requests will be forwarded as is.")
-
-	fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080,
-		"Port to expose readiness probe.")
+func (e *ExtraHeaderOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&e.EnableClientIPExtraUserHeader, "extra-user-header-client-ip",
+		e.EnableClientIPExtraUserHeader, "(Alpha) If enabled, proxied requests will "+
+			"include the extra user header 'Impersonate-Extra-Remote-Client-IP: "+
+			"<REMOTE_ADDR>' where <REMOTE_ADDR> will contain the remote address of "+
+			"the source of the request.")
 
-	k.TokenPassthrough.AddFlags(fs)
+	fs.Var(flags.NewStringToStringSliceValue(&e.ExtraUserHeaders), "extra-user-headers",
+		"(Alpha) A list of key value pairs of extra user headers to pass with "+
+			"proxied requests as part of the impersonated request. A single key can "+
+			"hold multiple values.")
 }

cmd/app/run.go

@@ -51,8 +51,6 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 		Use:  appName,
 		Long: "kube-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			var err error
-
 			if cmd.Flag("version").Value.String() == "true" {
 				version.PrintVersionAndExit()
 			}
@@ -65,6 +63,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return errors.New("unable to securely serve on port 8080, used by readiness prob")
 			}
 
+			var err error
 			var restConfig *rest.Config
 			if clientConfigOptions.ClientFlagsChanged(cmd) {
 				// one or more client flags have been set to use client flag built
@@ -100,6 +99,9 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			proxyOptions := &proxy.Options{
 				TokenReview:          kopOptions.TokenPassthrough.Enabled,
 				DisableImpersonation: kopOptions.DisableImpersonation,
+
+				ExtraUserHeaders:                kopOptions.ExtraHeaderOptions.ExtraUserHeaders,
+				ExtraUserHeadersClientIPEnabled: kopOptions.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
 			}
 
 			// Initialise proxy with OIDC token authenticator

deploy/charts/kube-oidc-proxy/templates/_helpers.tpl

@@ -55,4 +55,4 @@ Required claims serialized to CLI argument
 {{- end -}}
 {{ join "," $local }}
 {{- end -}}
-{{- end -}}
+{{- end -}}

deploy/charts/kube-oidc-proxy/templates/deployment.yaml

@@ -68,6 +68,12 @@ spec:
           - "--token-passthrough-audiences={{ join "," .Values.tokenPassthrough.audiences }}"
           {{ end }}
           {{ end }}
+          {{- if .Values.extraImpersonationHeaders.clientIP }}
+          - "--extra-user-header-client-ip"
+          {{ end }}
+          {{- if .Values.extraImpersonationHeaders.headers }}
+          - "--extra-user-headers={{ .Values.extraImpersonationHeaders.headers }}"
+          {{ end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         env:

deploy/charts/kube-oidc-proxy/values.yaml

@@ -54,6 +54,13 @@ tokenPassthrough:
   enabled: false
   audiences: []
 
+# To add extra impersonation headers
+# https://github.com/jetstack/kube-oidc-proxy/blob/master/docs/tasks/extra-impersonation-headers.md
+extraImpersonationHeaders:
+  clientIP: false
+  #headers: key1=foo,key2=bar,key1=bar
+
+
 ingress:
   enabled: false
   annotations: {}

docs/tasks/extra-impersonation-headers.md

@@ -0,0 +1,32 @@
+# Extra Impersonation Headers
+
+kube-oidc-proxy has support for adding 'extra' headers to the impersonation user
+info. This can be useful for passing extra information onto the target server
+about the proxy or client. kube-oidc-proxy currently supports two configuration
+options.
+
+# Client IP
+
+The following flag can be passed which will append the remote client IP as an
+extra header:
+
+`--extra-user-header-client-ip`
+
+Proxied requests will then contain the header
+`Impersonate-Extra-Remote-Client-Ip: <REMOTE_ADDR>` where  `<REMOTE_ADDR>` is
+the address of the source connection of the request. Note that this IP address
+may not be the real client IP address when the request is being proxied.
+
+# Extra User Headers
+
+The following flag accepts a number of key value pairs that will be added as
+extra impersonation headers with proxied requests. This flag accepts a number of
+key value pairs, separated by commas, where a single key may have multiple
+values:
+
+`--extra-user-headers=key1=foo,key2=bar,key1=bar`
+
+Proxied requests will then contain the headers
+
+`Impersonate-Extra-Key1: foo,bar`
+`Impersonate-Extra-Key2: foo`

pkg/proxy/proxy.go

@@ -24,6 +24,10 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 )
 
+const (
+	UserHeaderClientIPKey = "Remote-Client-IP"
+)
+
 var (
 	errUnauthorized      = errors.New("Unauthorized")
 	errImpersonateHeader = errors.New("Impersonate-User in header")
@@ -38,6 +42,9 @@ var (
 type Options struct {
 	DisableImpersonation bool
 	TokenReview          bool
+
+	ExtraUserHeaders                map[string][]string
+	ExtraUserHeadersClientIPEnabled bool
 }
 
 type Proxy struct {
@@ -195,12 +202,36 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 		groups = append(groups, authuser.AllAuthenticated)
 	}
 
-	// set impersonation header using authenticated user identity
+	extra := user.GetExtra()
+
+	if extra == nil {
+		extra = make(map[string][]string)
+	}
+
+	// If client IP user extra header option set then append the remote client
+	// address.
+	if p.options.ExtraUserHeadersClientIPEnabled {
+		klog.V(6).Infof("adding impersonate extra user header %s: %s (%s)",
+			UserHeaderClientIPKey, req.RemoteAddr, reqCpy.RemoteAddr)
+
+		extra[UserHeaderClientIPKey] = append(extra[UserHeaderClientIPKey], req.RemoteAddr)
+	}
+
+	// Add custom extra user headers to impersonation request
+	for k, vs := range p.options.ExtraUserHeaders {
+		for _, v := range vs {
+			klog.V(6).Infof("adding impersonate extra user header %s: %s (%s)",
+				k, v, reqCpy.RemoteAddr)
+
+			extra[k] = append(extra[k], v)
+		}
+	}
 
+	// Set impersonation header using authenticated user identity.
 	conf := transport.ImpersonationConfig{
 		UserName: user.GetName(),
 		Groups:   groups,
-		Extra:    user.GetExtra(),
+		Extra:    extra,
 	}
 
 	rt := transport.NewImpersonatingRoundTripper(conf, p.clientTransport)

pkg/proxy/proxy_test.go

@@ -400,3 +400,88 @@ func Test_RoundTrip(t *testing.T) {
 		t.Errorf("unexpected round trip error, exp=nil got=%s", err)
 	}
 }
+
+func TestExtraHeadersOptions(t *testing.T) {
+	remoteAddr := "8.8.8.8"
+
+	tests := map[string]struct {
+		options  *Options
+		expExtra map[string][]string
+	}{
+		"if no extra headers set or client IP enabled then expect no extras": {
+			options: &Options{
+				ExtraUserHeaders:                nil,
+				ExtraUserHeadersClientIPEnabled: false,
+			},
+			expExtra: nil,
+		},
+		"if extra headers set but no client IP enabled then should return added extras": {
+			options: &Options{
+				ExtraUserHeaders: map[string][]string{
+					"foo": []string{"a", "b"},
+					"bar": []string{"c", "d", "e"},
+				},
+				ExtraUserHeadersClientIPEnabled: false,
+			},
+			expExtra: map[string][]string{
+				"Impersonate-Extra-Foo": []string{"a", "b"},
+				"Impersonate-Extra-Bar": []string{"c", "d", "e"},
+			},
+		},
+		"if no extra headers set but client IP enabled then should return added client IP": {
+			options: &Options{
+				ExtraUserHeaders:                nil,
+				ExtraUserHeadersClientIPEnabled: true,
+			},
+			expExtra: map[string][]string{
+				"Impersonate-Extra-Remote-Client-Ip": []string{"8.8.8.8"},
+			},
+		},
+		"if extra headers set and client IP enabled then should return extra headers and client IP": {
+			options: &Options{
+				ExtraUserHeaders: map[string][]string{
+					"foo": []string{"a", "b"},
+					"bar": []string{"c", "d", "e"},
+				},
+				ExtraUserHeadersClientIPEnabled: true,
+			},
+			expExtra: map[string][]string{
+				"Impersonate-Extra-Foo":              []string{"a", "b"},
+				"Impersonate-Extra-Bar":              []string{"c", "d", "e"},
+				"Impersonate-Extra-Remote-Client-Ip": []string{"8.8.8.8"},
+			},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			p := newTestProxy(t)
+			p.options = test.options
+
+			req := &http.Request{
+				Header: http.Header{
+					"Authorization": []string{"bearer fake-token"},
+				},
+				RemoteAddr: remoteAddr,
+			}
+
+			authResponse := &authenticator.Response{
+				User: &user.DefaultInfo{
+					Name:   "a-user",
+					Groups: []string{authuser.AllAuthenticated},
+				},
+			}
+
+			p.fakeToken.EXPECT().AuthenticateToken(gomock.Any(), "fake-token").Return(authResponse, true, nil)
+
+			p.fakeRT.expUser = "a-user"
+			p.fakeRT.expGroup = []string{authuser.AllAuthenticated}
+			p.fakeRT.expExtra = test.expExtra
+
+			_, err := p.RoundTrip(req)
+			if err != nil {
+				t.Errorf("got unexpected error: %s", err)
+			}
+		})
+	}
+}