-
Notifications
You must be signed in to change notification settings - Fork 32
fix: add logging to authentication errors in controller and router #812
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
d2393c4
8e33fea
ec9e5e1
5c36882
0a9fef8
1dc673f
8678877
453edf5
bd7193d
5c1e134
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,17 +2,44 @@ package auth | |
|
|
||
| import ( | ||
| "context" | ||
| "net" | ||
|
|
||
| jumpstarterdevv1alpha1 "github.com/jumpstarter-dev/jumpstarter-controller/api/v1alpha1" | ||
| "github.com/jumpstarter-dev/jumpstarter-controller/internal/authentication" | ||
| "github.com/jumpstarter-dev/jumpstarter-controller/internal/authorization" | ||
| "github.com/jumpstarter-dev/jumpstarter-controller/internal/oidc" | ||
| "google.golang.org/grpc/codes" | ||
| "google.golang.org/grpc/peer" | ||
| "google.golang.org/grpc/status" | ||
| "k8s.io/apiserver/pkg/authorization/authorizer" | ||
| kclient "sigs.k8s.io/controller-runtime/pkg/client" | ||
| "sigs.k8s.io/controller-runtime/pkg/log" | ||
| ) | ||
|
|
||
| // PeerAddr returns the remote IP address from the gRPC peer info stored in ctx, | ||
| // or "unknown" if unavailable. Port number and transport paths (e.g. Unix socket | ||
| // paths) are intentionally stripped to avoid leaking internal details. | ||
| func PeerAddr(ctx context.Context) string { | ||
| p, ok := peer.FromContext(ctx) | ||
| if !ok || p.Addr == nil { | ||
| return "unknown" | ||
| } | ||
| host, _, err := net.SplitHostPort(p.Addr.String()) | ||
| if err != nil { | ||
| return "unknown" | ||
| } | ||
| return host | ||
| } | ||
|
|
||
| // LogContext returns ctx with its logger enriched with the peer address under | ||
| // the "peer" key ("unknown" when no usable address is available, so all log | ||
| // lines share a uniform shape). The gRPC interceptors apply this to every RPC; | ||
| // it owns the peer enrichment, so loggers derived from ctx (including the | ||
| // auth-failure logs below) must not add "peer" again. | ||
| func LogContext(ctx context.Context) context.Context { | ||
| return log.IntoContext(ctx, log.FromContext(ctx, "peer", PeerAddr(ctx))) | ||
| } | ||
|
Comment on lines
+22
to
+41
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [MEDIUM] Suggested fix: extract AI-generated, human reviewed |
||
|
|
||
| type Auth struct { | ||
| client kclient.Client | ||
| authn authentication.ContextAuthenticator | ||
|
|
@@ -34,7 +61,11 @@ func NewAuth( | |
| } | ||
| } | ||
|
|
||
| func (s *Auth) AuthClient(ctx context.Context, namespace string) (*jumpstarterdevv1alpha1.Client, error) { | ||
| // VerifyClient authenticates the client token in ctx and returns the matching | ||
| // Client object without enforcing a namespace. Authentication failures are | ||
| // logged via the context logger, which carries the peer address when the | ||
| // caller applied LogContext (as the gRPC interceptors do). | ||
| func (s *Auth) VerifyClient(ctx context.Context) (*jumpstarterdevv1alpha1.Client, error) { | ||
| jclient, err := oidc.VerifyClientObjectToken( | ||
| ctx, | ||
| s.authn, | ||
|
|
@@ -43,18 +74,34 @@ func (s *Auth) AuthClient(ctx context.Context, namespace string) (*jumpstarterde | |
| s.client, | ||
| ) | ||
|
|
||
| if err != nil { | ||
| log.FromContext(ctx).Info("client authentication failed", "error", err.Error()) | ||
| return nil, err | ||
| } | ||
|
|
||
| return jclient, nil | ||
| } | ||
|
|
||
| func (s *Auth) AuthClient(ctx context.Context, namespace string) (*jumpstarterdevv1alpha1.Client, error) { | ||
| jclient, err := s.VerifyClient(ctx) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| if namespace != jclient.Namespace { | ||
| return nil, status.Error(codes.PermissionDenied, "namespace mismatch") | ||
| err := status.Error(codes.PermissionDenied, "namespace mismatch") | ||
| log.FromContext(ctx).Info("client authentication failed", "client", jclient.Name, "error", err.Error()) | ||
| return nil, err | ||
| } | ||
|
|
||
| return jclient, nil | ||
| } | ||
|
|
||
| func (s *Auth) AuthExporter(ctx context.Context, namespace string) (*jumpstarterdevv1alpha1.Exporter, error) { | ||
| // VerifyExporter authenticates the exporter token in ctx and returns the | ||
| // matching Exporter object without enforcing a namespace. Authentication | ||
| // failures are logged via the context logger, which carries the peer address | ||
| // when the caller applied LogContext (as the gRPC interceptors do). | ||
| func (s *Auth) VerifyExporter(ctx context.Context) (*jumpstarterdevv1alpha1.Exporter, error) { | ||
| jexporter, err := oidc.VerifyExporterObjectToken( | ||
| ctx, | ||
| s.authn, | ||
|
|
@@ -63,12 +110,24 @@ func (s *Auth) AuthExporter(ctx context.Context, namespace string) (*jumpstarter | |
| s.client, | ||
| ) | ||
|
|
||
| if err != nil { | ||
| log.FromContext(ctx).Info("exporter authentication failed", "error", err.Error()) | ||
| return nil, err | ||
| } | ||
|
|
||
| return jexporter, nil | ||
| } | ||
|
|
||
| func (s *Auth) AuthExporter(ctx context.Context, namespace string) (*jumpstarterdevv1alpha1.Exporter, error) { | ||
| jexporter, err := s.VerifyExporter(ctx) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| if namespace != jexporter.Namespace { | ||
| return nil, status.Error(codes.PermissionDenied, "namespace mismatch") | ||
| err := status.Error(codes.PermissionDenied, "namespace mismatch") | ||
| log.FromContext(ctx).Info("exporter authentication failed", "exporter", jexporter.Name, "error", err.Error()) | ||
| return nil, err | ||
| } | ||
|
|
||
| return jexporter, nil | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.