Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions charts/capsule-proxy/templates/flowschema.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,8 @@ spec:
apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
clusterScope: true
- verbs: ["create"]
apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
clusterScope: true
{{- end }}
1 change: 0 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ go 1.26.4
require (
github.com/go-logr/logr v1.4.3
github.com/golang-jwt/jwt/v5 v5.3.1
github.com/gorilla/handlers v1.5.2
github.com/gorilla/mux v1.8.1
github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.41.0
Expand Down
2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -134,8 +134,6 @@ github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oX
github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
Expand Down
8 changes: 4 additions & 4 deletions internal/webserver/errors/panic.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,11 @@ func HandleUnauthorized(w http.ResponseWriter, err error, message string) {
}

w.Header().Set("content-type", "application/json")
w.WriteHeader(http.StatusForbidden)

//nolint:errchkjson
b, _ := json.Marshal(status)
_, _ = w.Write(b)

panic(message)
}

func HandleError(w http.ResponseWriter, err error, message string) {
Expand All @@ -42,15 +41,16 @@ func HandleError(w http.ResponseWriter, err error, message string) {
Kind: "Status",
APIVersion: "v1",
},
Status: metav1.StatusFailure,
Message: message,
Reason: metav1.StatusReasonInternalError,
Code: http.StatusInternalServerError,
}

w.Header().Set("content-type", "application/json")
w.WriteHeader(http.StatusInternalServerError)

//nolint:errchkjson
b, _ := json.Marshal(status)
_, _ = w.Write(b)

panic(message)
}
8 changes: 6 additions & 2 deletions internal/webserver/middleware/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,19 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc {
}
if err = client.Create(request.Context(), &tr); err != nil {
errors.HandleError(writer, err, "cannot create TokenReview")

return
}

if statusErr := tr.Status.Error; len(statusErr) > 0 {
invalidatedToken.Insert(token)

errors.HandleUnauthorized(writer, goerrors.New(statusErr), "cannot authenticate the token due to error")

return
}
case invalidatedToken.Has(token):
errors.HandleUnauthorized(writer, goerrors.New("token is invalid"), "cannot authenticate the token due to error")

return
}

next.ServeHTTP(writer, request)
Expand Down
57 changes: 37 additions & 20 deletions internal/webserver/middleware/user_in_group.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
package middleware

import (
"errors"
"net/http"
"regexp"
"slices"
Expand All @@ -15,31 +16,33 @@ import (

"github.com/projectcapsule/capsule-proxy/internal/controllers"
req "github.com/projectcapsule/capsule-proxy/internal/request"
weberrors "github.com/projectcapsule/capsule-proxy/internal/webserver/errors"
)

func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredUserGroups sets.Set[string], ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool, xfcc_header string, fn func(writer http.ResponseWriter, request *http.Request)) mux.MiddlewareFunc {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
if ignoredUserGroups.Len() > 0 {
var (
err error
user string
groups []string
)

request, user, groups, err = req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header)
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")
}

if slices.ContainsFunc(groups, func(group string) bool {
return ignoredUserGroups.Has(group)
}) {
log.V(5).Info("current user belongs to ignored groups", "user", user)
fn(writer, request)

return
}
if ignoredUserGroups.Len() == 0 {
next.ServeHTTP(writer, request)

return
}

request, user, groups, err := req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header)
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")
handleResolveUserAndGroupsError(writer, err)

return
}

if slices.ContainsFunc(groups, func(group string) bool {
return ignoredUserGroups.Has(group)
}) {
log.V(5).Info("current user belongs to ignored groups", "user", user)
fn(writer, request)

return
}

next.ServeHTTP(writer, request)
Expand All @@ -53,6 +56,9 @@ func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, cl
request, user, groups, err := req.ResolveUserAndGroups(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview, xfcc_header)
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")
handleResolveUserAndGroupsError(writer, err)

return
}

log.V(10).Info("request groups", "groups", groups)
Expand All @@ -76,3 +82,14 @@ func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, cl
})
}
}

func handleResolveUserAndGroupsError(writer http.ResponseWriter, err error) {
var unauthorizedErr *req.ErrUnauthorized
if errors.As(err, &unauthorizedErr) {
weberrors.HandleUnauthorized(writer, err, "cannot retrieve user and group from the request")

return
}

weberrors.HandleError(writer, err, "cannot retrieve user and group from the request")
}
69 changes: 56 additions & 13 deletions internal/webserver/webserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"context"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"io"
"net"
Expand All @@ -22,9 +23,8 @@ import (

"github.com/go-logr/logr"
"github.com/golang-jwt/jwt/v5"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
"github.com/pkg/errors"
pkgerrors "github.com/pkg/errors"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
capsulerbac "github.com/projectcapsule/capsule/pkg/api/rbac"
"golang.org/x/net/http/httpguts"
Expand Down Expand Up @@ -82,7 +82,7 @@ func NewKubeFilter(

reverseProxyTransport, err := opts.ReverseProxyTransport()
if err != nil {
return nil, errors.Wrap(err, "cannot create transport for reverse proxy")
return nil, pkgerrors.Wrap(err, "cannot create transport for reverse proxy")
}

reverseProxy.Transport = reverseProxyTransport
Expand All @@ -92,12 +92,12 @@ func NewKubeFilter(

err = corev1.AddToScheme(scheme)
if err != nil {
return nil, errors.Wrap(err, "cannot add corev1 to scheme")
return nil, pkgerrors.Wrap(err, "cannot add corev1 to scheme")
}

err = authorizationv1.AddToScheme(scheme)
if err != nil {
return nil, errors.Wrap(err, "cannot add authorizationv1 to scheme")
return nil, pkgerrors.Wrap(err, "cannot add authorizationv1 to scheme")
}

codecFactory := serializer.NewCodecFactory(scheme)
Expand Down Expand Up @@ -167,7 +167,7 @@ func (n *kubeFilter) NeedLeaderElection() bool {
//nolint:funlen
func (n *kubeFilter) Start(ctx context.Context) error {
r := mux.NewRouter()
r.Use(handlers.RecoveryHandler())
r.Use(n.recoveryMiddleware)

r.Path("/_healthz").Subrouter().HandleFunc("", func(writer http.ResponseWriter, _ *http.Request) {
writer.WriteHeader(http.StatusOK)
Expand Down Expand Up @@ -283,13 +283,13 @@ func (n *kubeFilter) ReadinessProbe(req *http.Request) (err error) {
var r *http.Request

if r, err = http.NewRequestWithContext(req.Context(), http.MethodGet, url, nil); err != nil {
return errors.Wrap(err, "cannot create request")
return pkgerrors.Wrap(err, "cannot create request")
}

var resp *http.Response

if resp, err = clt.Do(r); err != nil {
return errors.Wrap(err, "cannot make local _healthz request")
return pkgerrors.Wrap(err, "cannot make local _healthz request")
}

defer func() {
Expand Down Expand Up @@ -349,13 +349,17 @@ func (n *kubeFilter) authorizationMiddleware(next http.Handler) http.Handler {

request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header)
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")
n.handleResolveUserAndGroupsError(writer, err)

return
}

//nolint:contextcheck
proxyTenants, err := n.getTenantsForOwner(request.Context(), username, groups)
if err != nil {
server.HandleError(writer, err, "cannot list Tenant resources")

return
}

obj, gvk, err := n.universalDecoder.Decode(body, nil, nil)
Expand Down Expand Up @@ -547,12 +551,16 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
sr.HandleFunc("", func(writer http.ResponseWriter, request *http.Request) {
request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header)
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")
n.handleResolveUserAndGroupsError(writer, err)

return
}

proxyTenants, err := n.getTenantsForOwner(ctx, username, groups)
if err != nil {
server.HandleError(writer, err, "cannot list Tenant resources")

return
}

var selector labels.Selector
Expand All @@ -574,19 +582,23 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
case err != nil:
var t moderrors.Error
if errors.As(err, &t) {
writer.Header().Set("Content-Type", "application/json")

if t.Status().Code > 0 {
writer.WriteHeader(int(t.Status().Code))
} else {
writer.WriteHeader(http.StatusInternalServerError)
}

writer.Header().Set("Content-Type", "application/json")

b, _ := json.Marshal(t.Status())
_, _ = writer.Write(b)

panic(err.Error())
return
}

server.HandleError(writer, err, err.Error())

return
case selector == nil:
// if there's no selector, let it pass to the
n.impersonateHandler(writer, request)
Expand All @@ -597,6 +609,37 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
}
}

func (n *kubeFilter) recoveryMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
defer func() {
recovered := recover()
if recovered == nil {
return
}

if err, ok := recovered.(error); ok && errors.Is(err, http.ErrAbortHandler) {
panic(err)
}

n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request")
server.HandleError(writer, fmt.Errorf("internal server error"), "panic while handling request")
}()

next.ServeHTTP(writer, request)
})
}

func (n *kubeFilter) handleResolveUserAndGroupsError(writer http.ResponseWriter, err error) {
var unauthorizedErr *req.ErrUnauthorized
if errors.As(err, &unauthorizedErr) {
server.HandleUnauthorized(writer, err, "cannot retrieve user and group from the request")

return
}

server.HandleError(writer, err, "cannot retrieve user and group from the request")
}

func (n *kubeFilter) getTenantsForOwner(ctx context.Context, username string, groups []string) (proxyTenants []*tenant.ProxyTenant, err error) {
if strings.HasPrefix(username, serviceaccount.ServiceAccountUsernamePrefix) {
proxyTenants, err = n.getProxyTenantsForOwnerKind(ctx, capsulerbac.ServiceAccountOwner, username)
Expand Down