diff --git a/glide.lock b/glide.lock index cdc3ee0134..3e1742806d 100644 --- a/glide.lock +++ b/glide.lock @@ -1,5 +1,5 @@ hash: 26808f3467ac919f9cb479eb435c10163b98f73a2825b254870723070efc75fa -updated: 2017-11-16T15:55:56.862057+01:00 +updated: 2017-11-16T22:08:17.052686+01:00 imports: - name: github.com/ajeddeloh/yaml version: 1072abfea31191db507785e2e0c1b8d1440d35a5 @@ -47,6 +47,8 @@ imports: version: 12c566d59fdb198f5a6d7ad7dfbf99f2a7e09929 subpackages: - cache/memory +- name: github.com/databus23/requestutil + version: 5ff8e981f38fcabfc52ff8fd7fc7cf401d6bec67 - name: github.com/davecgh/go-spew version: 6d212800a42e8ab5c146b8ace3490ee17e5225f9 subpackages: diff --git a/pkg/api/handlers/get_cluster_credentials.go b/pkg/api/handlers/get_cluster_credentials.go index 8b0ec82e83..3f7daa5785 100644 --- a/pkg/api/handlers/get_cluster_credentials.go +++ b/pkg/api/handlers/get_cluster_credentials.go @@ -5,16 +5,18 @@ import ( "fmt" "time" + "github.com/databus23/requestutil" "github.com/ghodss/yaml" "github.com/go-openapi/runtime/middleware" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/apis/meta/v1" + certutil "k8s.io/client-go/util/cert" + "github.com/sapcc/kubernikus/pkg/api" "github.com/sapcc/kubernikus/pkg/api/models" "github.com/sapcc/kubernikus/pkg/api/rest/operations" "github.com/sapcc/kubernikus/pkg/client/kubernetes" "github.com/sapcc/kubernikus/pkg/util" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/apis/meta/v1" - certutil "k8s.io/client-go/util/cert" ) func NewGetClusterCredentials(rt *api.Runtime) operations.GetClusterCredentialsHandler { 
@@ -69,6 +71,8 @@ func (d *getClusterCredentials) Handle(params operations.GetClusterCredentialsPa cert := bundle.Sign(util.Config{ Sign: fmt.Sprintf("%s@%s", principal.Name, principal.Domain), Organization: organizations, + Province: []string{principal.AuthURL, kluster.Spec.Openstack.ProjectID}, + Locality: []string{fmt.Sprintf("%s://%s", requestutil.Scheme(params.HTTPRequest), requestutil.HostWithPort(params.HTTPRequest))}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ValidFor: 24 * time.Hour, }) diff --git a/pkg/cmd/kubernikusctl/auth/refresh.go b/pkg/cmd/kubernikusctl/auth/refresh.go index b7384cc4de..bfda8cb758 100644 --- a/pkg/cmd/kubernikusctl/auth/refresh.go +++ b/pkg/cmd/kubernikusctl/auth/refresh.go @@ -23,6 +23,7 @@ import ( type RefreshOptions struct { kubeconfigPath string context string + force bool url *url.URL @@ -55,6 +56,7 @@ func (o *RefreshOptions) BindFlags(flags *pflag.FlagSet) { flags.StringVar(&o.openstack.Password, "password", o.openstack.Password, "User password [OS_PASSWORD]") flags.StringVar(&o.kubeconfigPath, "kubeconfig", o.kubeconfigPath, "Overwrites kubeconfig auto-detection with explicit path") flags.StringVar(&o.context, "context", o.context, "Overwrites current-context in kubeconfig") + flags.BoolVar(&o.force, "force", o.force, "Force refresh") } func (o *RefreshOptions) Validate(c *cobra.Command, args []string) (err error) { 
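Review bot: The `Locality` value written into the CA-signed client certificate on the added line is derived from `requestutil.Scheme` and `requestutil.HostWithPort`, and the vendored request.go in this commit has both prefer the `X-Forwarded-Ssl`/`X-Forwarded-Scheme`/`X-Forwarded-Proto`/`X-Forwarded-Host` headers over the TLS state and `req.Host`. Unless every path to this handler goes through a proxy that overwrites those headers, the URL that `kubernikusctl auth refresh` later reads back from `cert.Subject.Locality[0]` is whatever the requester supplied, and it stays in a certificate valid for 24h. Consider taking this from server-side configuration (an externally configured API URL) or checking the derived host against an allow-list before signing, and note the consumer on these lines: `// Province/Locality carry kubernikus metadata parsed by kubernikusctl auth refresh: {authURL, projectID} and {kubernikus API URL}`. Handle starts and ends outside the hunk.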
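Review bot: The help text `"Force refresh"` on the new `--force` flag does not say what is being forced; from the Run change in this commit it bypasses the "certificates are good, doing nothing" short-circuit. Suggest `flags.BoolVar(&o.force, "force", o.force, "Refresh credentials even if the current client certificate is still valid")`.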
@@ -103,28 +105,23 @@ func (o *RefreshOptions) Run(c *cobra.Command) error { if ok, err := o.isCertificateValid(); err != nil { return errors.Wrap(err, "Verification of certifcates failed.") } else { - if ok { + if ok && !o.force { glog.V(2).Infof("Certificates are good. Doing nothing.") return nil } } - if identityEndpoint, err := o.autoDetectAuthURL(); err != nil { - errors.Wrap(err, "Auto-Detection of auth-url caused an error") + if identityEndpoint, projectID, err := o.autoDetectKubernikusOpenstackMetadata(); err != nil { + return errors.Wrap(err, "Auto-Detection of Openstack auth endpoint failed.") } else { glog.V(2).Infof("Detected auth-url: %v", identityEndpoint) o.openstack.IdentityEndpoint = identityEndpoint - } - - if projectID, err := o.autoDetectProjectID(); err != nil { - errors.Wrap(err, "Auto-Detection of project scope caused an error") - } else { glog.V(2).Infof("Detected authentication scope for project-id: %v", projectID) o.openstack.Scope.ProjectID = projectID } if kurl, err := o.autoDetectKubernikusURL(); err != nil { - errors.Wrap(err, "Auto-Detection of Kubernikus URL caused an error") + return errors.Wrap(err, "Auto-Detection of Kubernikus URL caused an error") } else { glog.V(2).Infof("Detected Kubernikus URL: %v", kurl) _url, err := url.Parse(kurl) @@ -135,14 +132,14 @@ func (o *RefreshOptions) Run(c *cobra.Command) error { } if username, err := o.autoDetectUsername(); err != nil { - errors.Wrap(err, "Auto-Detection of Username failed") + return errors.Wrap(err, "Auto-Detection of Username failed") } else { glog.V(2).Infof("Detected username: %v", username) o.openstack.Username = username } if domainName, err := o.autoDetectUserDomainName(); err != nil { - errors.Wrap(err, "Auto-Detection of user-domain-name failed") + return errors.Wrap(err, "Auto-Detection of user domain failed") } else { glog.V(2).Infof("Detected domain-name: %v", domainName) o.openstack.DomainName = domainName 
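Review bot: The new `autoDetectKubernikusOpenstackMetadata` call keeps the `if ...; err != nil { return ... } else { ... }` shape, so the happy path sits in an else branch after a terminating return; the error text also only mentions the auth endpoint although the same call now also yields the project ID. Suggest assigning first, `identityEndpoint, projectID, err := o.autoDetectKubernikusOpenstackMetadata()`, returning `errors.Wrap(err, "Auto-Detection of Openstack auth endpoint and project scope failed")` on error, and dropping the else so the assignments to `o.openstack` are at function level; the same applies to the Kubernikus URL, username and domain blocks in this hunk. Run continues outside the hunk.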
@@ -207,26 +204,23 @@ func (o *RefreshOptions) isKubernikusContext() (bool, error) { return false, err } - if len(caCert.Issuer.OrganizationalUnit) < 2 { + if len(caCert.Subject.OrganizationalUnit) < 2 { return false, nil } - return caCert.Issuer.OrganizationalUnit[0] == util.CA_ISSUER_KUBERNIKUS_IDENTIFIER_0 && - caCert.Issuer.OrganizationalUnit[1] == util.CA_ISSUER_KUBERNIKUS_IDENTIFIER_1, nil + return caCert.Subject.OrganizationalUnit[0] == util.CA_ISSUER_KUBERNIKUS_IDENTIFIER_0 && + caCert.Subject.OrganizationalUnit[1] == util.CA_ISSUER_KUBERNIKUS_IDENTIFIER_1, nil } -func (o *RefreshOptions) autoDetectKubernikusCAMetadata(index int) (string, error) { - cert, err := o.getCACertifciate() +func (o *RefreshOptions) autoDetectKubernikusOpenstackMetadata() (string, string, error) { + cert, err := o.getClientCertificate() if err != nil { - return "", err - } - if len(cert.Issuer.Province) < 1 { - return "", errors.Errorf("CA certificate didn't contain Kubernikus metadata") + return "", "", err } - if index > 1 { - return "", errors.Errorf("Invalid Metadata") + if len(cert.Subject.Province) < 2 { + return "", "", errors.Errorf("Client certificate didn't contain Kubernikus metadata") } - return cert.Issuer.Province[index], nil + return cert.Subject.Province[0], cert.Subject.Province[1], nil } func (o *RefreshOptions) autoDetectKubernikusClientMetadata() (string, string, error) { 
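Review bot: `autoDetectKubernikusOpenstackMetadata` reads `cert.Subject.Province[0]` and `[1]` by bare index, and the layout is defined only on the signing side in pkg/api/handlers/get_cluster_credentials.go, so the length check alone lets an empty auth URL or project ID (e.g. from a principal without `AuthURL` set at signing time) through as valid metadata. Suggest `if len(cert.Subject.Province) < 2 || cert.Subject.Province[0] == "" || cert.Subject.Province[1] == "" {` and a comment on the function: `// autoDetectKubernikusOpenstackMetadata returns (authURL, projectID) from the client certificate's Province, as written by the GetClusterCredentials handler; keep the indices in sync with it.`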
@@ -246,24 +240,16 @@ func (o *RefreshOptions) autoDetectKubernikusClientMetadata() (string, string, e return parts[0], parts[1], nil } -func (o *RefreshOptions) autoDetectAuthURL() (string, error) { - return o.autoDetectKubernikusCAMetadata(0) -} - -func (o *RefreshOptions) autoDetectProjectID() (string, error) { - return o.autoDetectKubernikusCAMetadata(1) -} - func (o *RefreshOptions) autoDetectKubernikusURL() (string, error) { - cert, err := o.getCACertifciate() + cert, err := o.getClientCertificate() if err != nil { return "", err } - if len(cert.Issuer.Locality) == 0 { + if len(cert.Subject.Locality) == 0 { return "", errors.Errorf("CA certificate didn't contain Kubernikus metadata") } - return cert.Issuer.Locality[0], nil + return cert.Subject.Locality[0], nil } func (o *RefreshOptions) autoDetectUsername() (string, error) { diff --git a/pkg/util/certificates.go b/pkg/util/certificates.go index 587f823628..efb59c9105 100644 --- a/pkg/util/certificates.go +++ b/pkg/util/certificates.go @@ -132,6 +132,8 @@ type Config struct { Sign string Organization []string OrganizationalUnit []string + Province []string + Locality []string AltNames AltNames Usages []x509.ExtKeyUsage ValidFor time.Duration @@ -176,7 +178,6 @@ func CreateCertificates(kluster *v1.Kluster, apiURL, authURL, domain string) (ma createCA(kluster.Name, "ApiServer Nodes", &certs.ApiServer.Nodes.CA) createCA(kluster.Name, "Kubelet Clients", &certs.Kubelet.Clients.CA) createCA(kluster.Name, "TLS", &certs.TLS.CA) - createEnrichedCA(kluster, apiURL, authURL, "TLS", &certs.TLS.CA) certs.Etcd.Clients.ApiServer = certs.signEtcdClient("apiserver") certs.Etcd.Peers.Universal = certs.signEtcdPeer("universal") 
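Review bot: `autoDetectKubernikusURL` now reads the client certificate via `getClientCertificate`, but the error on the unchanged line still says "CA certificate didn't contain Kubernikus metadata", which will mislead whoever debugs a kubeconfig with a bare client cert. Suggest `return "", errors.Errorf("Client certificate didn't contain Kubernikus metadata")`, matching the message used in `autoDetectKubernikusOpenstackMetadata` in this commit.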
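Review bot: The new `Province` and `Locality` fields on `Config` are copied verbatim into the signed certificate's Subject by `Bundle.Sign`, yet nothing says they are not geographic names. Suggest documenting the convention on the fields: `// Province and Locality are repurposed to carry kubernikus metadata ({authURL, projectID} and {kubernikus API URL}); kubernikusctl auth refresh parses them by index.` so a later caller does not fill them with real location data.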
@@ -250,7 +251,7 @@ func (c Certificates) signTLS(name string, dnsNames []string, ips []net.IP) Bund return c.TLS.CA.Sign(config) } -func createCA(satellite, name string, bundle *Bundle) { +func createCA(klusterName, name string, bundle *Bundle) { bundle.PrivateKey, _ = certutil.NewPrivateKey() now := time.Now() @@ -258,30 +259,7 @@ func createCA(satellite, name string, bundle *Bundle) { SerialNumber: new(big.Int).SetInt64(0), Subject: pkix.Name{ CommonName: name, - OrganizationalUnit: []string{"SAP Converged Cloud", "Kubernikus", satellite}, - }, - NotBefore: now.UTC(), - NotAfter: now.Add(caValidity).UTC(), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - BasicConstraintsValid: true, - IsCA: true, - } - - certDERBytes, _ := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, bundle.PrivateKey.Public(), bundle.PrivateKey) - bundle.Certificate, _ = x509.ParseCertificate(certDERBytes) -} - -func createEnrichedCA(kluster *v1.Kluster, kubernikusAPIURL, authURL, common_name string, bundle *Bundle) { - bundle.PrivateKey, _ = certutil.NewPrivateKey() - - now := time.Now() - tmpl := x509.Certificate{ - SerialNumber: new(big.Int).SetInt64(0), - Subject: pkix.Name{ - CommonName: common_name, - OrganizationalUnit: []string{CA_ISSUER_KUBERNIKUS_IDENTIFIER_0, CA_ISSUER_KUBERNIKUS_IDENTIFIER_1, kluster.Name}, - Province: []string{authURL, kluster.Spec.Openstack.ProjectID}, - Locality: []string{kubernikusAPIURL}, + OrganizationalUnit: []string{CA_ISSUER_KUBERNIKUS_IDENTIFIER_0, CA_ISSUER_KUBERNIKUS_IDENTIFIER_1, klusterName}, }, NotBefore: now.UTC(), NotAfter: now.Add(caValidity).UTC(), @@ -311,6 +289,8 @@ func (ca Bundle) Sign(config Config) Bundle { CommonName: config.Sign, Organization: config.Organization, OrganizationalUnit: config.OrganizationalUnit, + Province: config.Province, + Locality: config.Locality, }, DNSNames: config.AltNames.DNSNames, IPAddresses: config.AltNames.IPs, 
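Review bot: `createCA` is reshaped here (parameter renamed to `klusterName`, `createEnrichedCA` folded in) but still discards the error from `certutil.NewPrivateKey()` on the context line `bundle.PrivateKey, _ = certutil.NewPrivateKey()`; on failure the Bundle keeps a nil key that the certificate creation further down presumably dereferences. Since every caller in `CreateCertificates` is touched by this commit anyway, returning the error (`func createCA(klusterName, name string, bundle *Bundle) error`) and checking it there would be cheap; this is pre-existing but the same pattern now lives in one place. createCA's body runs past the hunk.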
diff --git a/vendor/github.com/databus23/requestutil/LICENSE b/vendor/github.com/databus23/requestutil/LICENSE new file mode 100644 index 0000000000..3fcf1fb2a9 --- /dev/null +++ b/vendor/github.com/databus23/requestutil/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2015 Fabian Ruff + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/databus23/requestutil/request.go b/vendor/github.com/databus23/requestutil/request.go new file mode 100644 index 0000000000..23adb28c54 --- /dev/null +++ b/vendor/github.com/databus23/requestutil/request.go 
@@ -0,0 +1,63 @@
+//Package requestutil provides some helper function for extracting scheme, host
+//and port information from http requests.
+package requestutil
+
+import (
+ "net/http"
+ "regexp"
+ "strconv"
+ "strings"
+)
+
+//Scheme returns the protocol (http or https) used by the requesting client
+func Scheme(req *http.Request) string {
+
+ if req.Header.Get("X-Forwarded-Ssl") == "on" {
+ return "https"
+ }
+ if len(req.Header["X-Forwarded-Scheme"]) > 0 {
+ return req.Header.Get("X-Forwarded-Scheme")
+ }
+ if len(req.Header["X-Forwarded-Proto"]) > 0 {
+ return strings.Split(req.Header.Get("X-Forwarded-Proto"), ",")[0]
+ }
+ if req.TLS != nil {
+ return "https"
+ }
+ return "http"
+
+}
+
+//HostWithPort returns the HTTP Host: header used by the requesting client
+func HostWithPort(req *http.Request) string {
+ if len(req.Header["X-Forwarded-Host"]) > 0 {
+ forwardedHosts := regexp.MustCompile(`,\s?`).Split(req.Header["X-Forwarded-Host"][0], -1)
+ return forwardedHosts[len(forwardedHosts)-1]
+ }
+ return req.Host
+}
+
+//Host returns just the host part of HostWithPort
+func Host(req *http.Request) string {
+ return strings.Split(HostWithPort(req), ":")[0]
+}
+
+//Port returns the port used by the originating client
+func Port(req *http.Request) int {
+ if parts := strings.Split(HostWithPort(req), ":"); len(parts) > 1 {
+ port, _ := strconv.Atoi(parts[1])
+ return port
+ }
+ if len(req.Header["X-Forwarded-Port"]) > 0 {
+ port, _ := strconv.Atoi(req.Header["X-Forwarded-Port"][0])
+ return port
+ }
+ return defaultPorts(Scheme(req))
+}
+
+func defaultPorts(scheme string) int {
+ if scheme == "https" {
+ return 443
+ }
+ return 80
+}