Adds auditing options and functionality to proxy

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/app/options/audit.go

@@ -2,6 +2,7 @@
 package options
 
 import (
+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cliflag "k8s.io/component-base/cli/flag"
@@ -23,3 +24,11 @@ func (a *AuditOptions) AddFlags(fs *pflag.FlagSet) *AuditOptions {
 	a.AuditOptions.AddFlags(fs)
 	return a
 }
+
+func (a *AuditOptions) DynamicConfigurationFlagChanged(cmd *cobra.Command) bool {
+	if ff := cmd.Flag("audit-dynamic-configuration"); ff != nil && ff.Changed {
+		return true
+	}
+
+	return false
+}

cmd/app/options/options.go

@@ -19,6 +19,7 @@ type Options struct {
 	App                *KubeOIDCProxyOptions
 	OIDCAuthentication *OIDCAuthenticationOptions
 	SecureServing      *SecureServingOptions
+	Audit              *AuditOptions
 	Client             *ClientOptions
 	Misc               *MiscOptions
 
@@ -33,6 +34,7 @@ func New() *Options {
 		App:                NewKubeOIDCProxyOptions(nfs),
 		OIDCAuthentication: NewOIDCAuthenticationOptions(nfs),
 		SecureServing:      NewSecureServingOptions(nfs),
+		Audit:              NewAuditOptions(nfs),
 		Client:             NewClientOptions(nfs),
 		Misc:               NewMiscOptions(nfs),
 
@@ -80,11 +82,19 @@ func (o *Options) Validate(cmd *cobra.Command) error {
 		errs = append(errs, errors.New("unable to securely serve on port 8080 (used by readiness probe)"))
 	}
 
+	if err := o.Audit.Validate(); len(err) > 0 {
+		errs = append(errs, err...)
+	}
+
 	if o.App.DisableImpersonation &&
 		(o.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader || len(o.App.ExtraHeaderOptions.ExtraUserHeaders) > 0) {
 		errs = append(errs, errors.New("cannot add extra user headers when impersonation disabled"))
 	}
 
+	if o.Audit.DynamicConfigurationFlagChanged(cmd) {
+		errs = append(errs, errors.New("The flag --audit-dynamic-configuration may not be set"))
+	}
+
 	if len(errs) > 0 {
 		return k8sErrors.NewAggregate(errs)
 	}

cmd/app/run.go

@@ -72,19 +72,20 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 				return err
 			}
 
-			proxyConfig := &proxy.Config{
+			proxyOptions := &proxy.Config{
 				TokenReview:          opts.App.TokenPassthrough.Enabled,
 				DisableImpersonation: opts.App.DisableImpersonation,
 
-				FlushInterval: opts.App.FlushInterval,
+				FlushInterval:   opts.App.FlushInterval,
+				ExternalAddress: opts.SecureServing.BindAddress.String(),
 
 				ExtraUserHeaders:                opts.App.ExtraHeaderOptions.ExtraUserHeaders,
 				ExtraUserHeadersClientIPEnabled: opts.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
 			}
 
 			// Initialise proxy with OIDC token authenticator
-			p, err := proxy.New(restConfig, opts.OIDCAuthentication,
-				tokenReviewer, secureServingInfo, proxyConfig)
+			p, err := proxy.New(restConfig, opts.OIDCAuthentication, opts.Audit,
+				tokenReviewer, secureServingInfo, proxyOptions)
 			if err != nil {
 				return err
 			}
@@ -109,6 +110,10 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 
 			<-waitCh
 
+			if err := p.RunShutdownHooks(); err != nil {
+				return err
+			}
+
 			return nil
 		},
 	}

pkg/proxy/audit/audit.go

@@ -0,0 +1,71 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package audit
+
+import (
+	"fmt"
+	"net/http"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+	"k8s.io/apiserver/pkg/server"
+	genericfilters "k8s.io/apiserver/pkg/server/filters"
+
+	"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
+)
+
+type Audit struct {
+	options      *options.AuditOptions
+	serverConfig *server.CompletedConfig
+}
+
+func New(options *options.AuditOptions, externalAddress string, secureServingInfo *server.SecureServingInfo) (*Audit, error) {
+	serverConfig := &server.Config{
+		ExternalAddress: externalAddress,
+		SecureServing:   secureServingInfo,
+
+		// Default to treating watch as a long-running operation
+		// Generic API servers have no inherent long-running subresources
+		LongRunningFunc: genericfilters.BasicLongRunningRequestCheck(
+			sets.NewString("watch"), sets.NewString()),
+	}
+
+	// We do not support dynamic auditing, so leave nil
+	if err := options.ApplyTo(serverConfig, nil, nil, nil, nil); err != nil {
+		return nil, err
+	}
+
+	completed := serverConfig.Complete(nil)
+
+	return &Audit{
+		options:      options,
+		serverConfig: &completed,
+	}, nil
+}
+
+func (a *Audit) Run(stopCh <-chan struct{}) error {
+	if a.serverConfig.AuditBackend != nil {
+		if err := a.serverConfig.AuditBackend.Run(stopCh); err != nil {
+			return fmt.Errorf("failed to run the audit backend: %s", err)
+		}
+	}
+
+	return nil
+}
+
+func (a *Audit) Shutdown() error {
+	if a.serverConfig.AuditBackend != nil {
+		a.serverConfig.AuditBackend.Shutdown()
+	}
+
+	return nil
+}
+
+func (a *Audit) WithRequest(handler http.Handler) http.Handler {
+	handler = genericapifilters.WithAudit(handler, a.serverConfig.AuditBackend, a.serverConfig.AuditPolicyChecker, a.serverConfig.LongRunningFunc)
+	return genericapifilters.WithRequestInfo(handler, a.serverConfig.RequestInfoResolver)
+}
+
+func (a *Audit) WithUnauthorized(handler http.Handler) http.Handler {
+	handler = genericapifilters.WithFailedAuthenticationAudit(handler, a.serverConfig.AuditBackend, a.serverConfig.AuditPolicyChecker)
+	return genericapifilters.WithRequestInfo(handler, a.serverConfig.RequestInfoResolver)
+}

pkg/proxy/audit/handler.go

@@ -0,0 +1,31 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package audit
+
+import (
+	"net/http"
+)
+
+// This struct is used to implement an http.Handler interface. This will not
+// actually serve but instead implements auditing during unauthenticated
+// requests. It is expected that consumers of this type will call `ServeHTTP`
+// when an unauthenticated request is received.
+type unauthenticatedHandler struct {
+	serveFunc func(http.ResponseWriter, *http.Request)
+}
+
+func NewUnauthenticatedHandler(a *Audit, serveFunc func(http.ResponseWriter, *http.Request)) http.Handler {
+	u := &unauthenticatedHandler{
+		serveFunc: serveFunc,
+	}
+
+	// if auditor is nil then return without wrapping
+	if a == nil {
+		return u
+	}
+
+	return a.WithUnauthorized(u)
+}
+
+func (u *unauthenticatedHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	u.serveFunc(rw, r)
+}

pkg/proxy/handlers.go

@@ -10,13 +10,19 @@ import (
 	"k8s.io/client-go/transport"
 	"k8s.io/klog"
 
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/audit"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/context"
 )
 
 func (p *Proxy) withHandlers(handler http.Handler) http.Handler {
 	// Set up proxy handlers
+	handler = p.auditor.WithRequest(handler)
 	handler = p.withImpersonateRequest(handler)
 	handler = p.withAuthenticateRequest(handler)
+
+	// Add the auditor backend as a shutdown hook
+	p.hooks.AddPreShutdownHook("AuditBackend", p.auditor.Shutdown)
+
 	return handler
 }
 
@@ -159,6 +165,11 @@ func (p *Proxy) withImpersonateRequest(handler http.Handler) http.Handler {
 
 // newErrorHandler returns a handler failed requests.
 func (p *Proxy) newErrorHandler() func(rw http.ResponseWriter, r *http.Request, err error) {
+	unauthedHandler := audit.NewUnauthenticatedHandler(p.auditor, func(rw http.ResponseWriter, r *http.Request) {
+		klog.V(2).Infof("unauthenticated user request %s", r.RemoteAddr)
+		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+	})
+
 	return func(rw http.ResponseWriter, r *http.Request, err error) {
 		if err == nil {
 			klog.Error("error was called with no error")
@@ -171,7 +182,8 @@ func (p *Proxy) newErrorHandler() func(rw http.ResponseWriter, r *http.Request,
 		// Failed auth
 		case errUnauthorized:
 			klog.V(2).Infof("unauthenticated user request %s", r.RemoteAddr)
-			http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+			// If Unauthorized then error and report to audit
+			unauthedHandler.ServeHTTP(rw, r)
 			return
 
 			// User request with impersonation

pkg/proxy/hooks/hooks.go

@@ -0,0 +1,45 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package hooks
+
+import (
+	"fmt"
+	"sync"
+
+	k8sErrors "k8s.io/apimachinery/pkg/util/errors"
+)
+
+type Hooks struct {
+	preShutdownHooks    map[string]ShutdownHook
+	preShutdownHookLock sync.Mutex
+}
+
+type ShutdownHook func() error
+
+func New() *Hooks {
+	return &Hooks{
+		preShutdownHooks: make(map[string]ShutdownHook),
+	}
+}
+
+func (h *Hooks) AddPreShutdownHook(name string, hook ShutdownHook) {
+	h.preShutdownHookLock.Lock()
+	defer h.preShutdownHookLock.Unlock()
+
+	h.preShutdownHooks[name] = hook
+}
+
+// RunPreShutdownHooks runs the PreShutdownHooks for the server
+func (h *Hooks) RunPreShutdownHooks() error {
+	var errs []error
+
+	h.preShutdownHookLock.Lock()
+	defer h.preShutdownHookLock.Unlock()
+
+	for name, entry := range h.preShutdownHooks {
+		if err := entry(); err != nil {
+			errs = append(errs, fmt.Errorf("PreShutdownHook %q failed: %v", name, err))
+		}
+	}
+
+	return k8sErrors.NewAggregate(errs)
+}

pkg/proxy/proxy.go

@@ -19,7 +19,9 @@ import (
 	"k8s.io/klog"
 
 	"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/audit"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/context"
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/hooks"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 )
 
@@ -43,7 +45,8 @@ type Config struct {
 	DisableImpersonation bool
 	TokenReview          bool
 
-	FlushInterval time.Duration
+	FlushInterval   time.Duration
+	ExternalAddress string
 
 	ExtraUserHeaders                map[string][]string
 	ExtraUserHeadersClientIPEnabled bool
@@ -56,18 +59,23 @@ type Proxy struct {
 	tokenAuther       authenticator.Token
 	tokenReviewer     *tokenreview.TokenReview
 	secureServingInfo *server.SecureServingInfo
+	auditor           *audit.Audit
 
 	restConfig            *rest.Config
 	clientTransport       http.RoundTripper
 	noAuthClientTransport http.RoundTripper
 
 	config *Config
 
+	hooks       *hooks.Hooks
 	handleError errorHandlerFn
 }
 
-func New(restConfig *rest.Config, oidcOptions *options.OIDCAuthenticationOptions,
-	tokenReviewer *tokenreview.TokenReview, ssinfo *server.SecureServingInfo,
+func New(restConfig *rest.Config,
+	oidcOptions *options.OIDCAuthenticationOptions,
+	auditOptions *options.AuditOptions,
+	tokenReviewer *tokenreview.TokenReview,
+	ssinfo *server.SecureServingInfo,
 	config *Config) (*Proxy, error) {
 
 	// generate tokenAuther from oidc config
@@ -87,13 +95,20 @@ func New(restConfig *rest.Config, oidcOptions *options.OIDCAuthenticationOptions
 		return nil, err
 	}
 
+	auditor, err := audit.New(auditOptions, config.ExternalAddress, ssinfo)
+	if err != nil {
+		return nil, err
+	}
+
 	return &Proxy{
 		restConfig:        restConfig,
+		hooks:             hooks.New(),
 		tokenReviewer:     tokenReviewer,
 		secureServingInfo: ssinfo,
 		config:            config,
 		oidcRequestAuther: bearertoken.New(tokenAuther),
 		tokenAuther:       tokenAuther,
+		auditor:           auditor,
 	}, nil
 }
 
@@ -149,6 +164,11 @@ func (p *Proxy) serve(handler http.Handler, stopCh <-chan struct{}) (<-chan stru
 	// Setup proxy handlers
 	handler = p.withHandlers(handler)
 
+	// Run auditor
+	if err := p.auditor.Run(stopCh); err != nil {
+		return nil, err
+	}
+
 	// securely serve using serving config
 	waitCh, err := p.secureServingInfo.Serve(handler, time.Second*60, stopCh)
 	if err != nil {
@@ -240,3 +260,7 @@ func (p *Proxy) roundTripperForRestConfig(config *rest.Config) (http.RoundTrippe
 func (p *Proxy) OIDCTokenAuthenticator() authenticator.Token {
 	return p.tokenAuther
 }
+
+func (p *Proxy) RunShutdownHooks() error {
+	return p.hooks.RunPreShutdownHooks()
+}