blob: 116c6984a40c0bb724751e45c37bf7fb464ec2d6 [file] [log] [blame]
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package xds
import (
"context"
"errors"
"fmt"
"strings"
)
import (
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/peer"
"google.golang.org/grpc/status"
"istio.io/pkg/env"
)
import (
"github.com/apache/dubbo-go-pixiu/pilot/pkg/features"
"github.com/apache/dubbo-go-pixiu/pilot/pkg/model"
"github.com/apache/dubbo-go-pixiu/pkg/spiffe"
)
var AuthPlaintext = env.RegisterBoolVar("XDS_AUTH_PLAINTEXT", false,
"Authenticate plain text requests - used if Istiod is behind a gateway handling TLS").Get()
// authenticate authenticates the ADS request using the configured authenticators.
// Returns the validated principals or an error.
// If no authenticators are configured, or if the request is on a non-secure
// stream ( 15010 ) - returns an empty list of principals and no errors.
func (s *DiscoveryServer) authenticate(ctx context.Context) ([]string, error) {
if !features.XDSAuth {
return nil, nil
}
// Authenticate - currently just checks that request has a certificate signed with the our key.
// Protected by flag to avoid breaking upgrades - should be enabled in multi-cluster/meshexpansion where
// XDS is exposed.
peerInfo, ok := peer.FromContext(ctx)
if !ok {
return nil, errors.New("invalid context")
}
// Not a TLS connection, we will not perform authentication
// TODO: add a flag to prevent unauthenticated requests ( 15010 )
// request not over TLS on the insecure port
if _, ok := peerInfo.AuthInfo.(credentials.TLSInfo); !ok && !AuthPlaintext {
return nil, nil
}
authFailMsgs := []string{}
for _, authn := range s.Authenticators {
u, err := authn.Authenticate(ctx)
// If one authenticator passes, return
if u != nil && u.Identities != nil && err == nil {
return u.Identities, nil
}
authFailMsgs = append(authFailMsgs, fmt.Sprintf("Authenticator %s: %v", authn.AuthenticatorType(), err))
}
log.Errorf("Failed to authenticate client from %s: %s", peerInfo.Addr.String(), strings.Join(authFailMsgs, "; "))
return nil, errors.New("authentication failure")
}
func (s *DiscoveryServer) authorize(con *Connection, identities []string) error {
if con == nil || con.proxy == nil {
return nil
}
if features.EnableXDSIdentityCheck && identities != nil {
// TODO: allow locking down, rejecting unauthenticated requests.
id, err := checkConnectionIdentity(con.proxy, identities)
if err != nil {
log.Warnf("Unauthorized XDS: %v with identity %v: %v", con.peerAddr, identities, err)
return status.Newf(codes.PermissionDenied, "authorization failed: %v", err).Err()
}
con.proxy.VerifiedIdentity = id
}
return nil
}
func checkConnectionIdentity(proxy *model.Proxy, identities []string) (*spiffe.Identity, error) {
for _, rawID := range identities {
spiffeID, err := spiffe.ParseIdentity(rawID)
if err != nil {
continue
}
if proxy.ConfigNamespace != "" && spiffeID.Namespace != proxy.ConfigNamespace {
continue
}
if proxy.Metadata.ServiceAccount != "" && spiffeID.ServiceAccount != proxy.Metadata.ServiceAccount {
continue
}
return &spiffeID, nil
}
return nil, fmt.Errorf("no identities (%v) matched %v/%v", identities, proxy.ConfigNamespace, proxy.Metadata.ServiceAccount)
}