10000 🚨 Short authz URL by sttts · Pull Request #121 · kube-bind/kube-bind · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

🚨 Short authz URL #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 24, 2022
Merged

🚨 Short authz URL #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8e43612
kubectl-bind: indent URL
sttts Oct 23, 2022
a40ec02
Only pass port for callback URL
sttts Oct 23, 2022
392e959
kubectl-bind: 6 chars base62 is enough for cluster ID
sttts Oct 23, 2022
75406e5
kubectl-bind: 6 chars base62 is enough for session ID
sttts Oct 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions contrib/example-backend/http/handler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,9 @@ func (h *handler) handleAuthorize(w http.ResponseWriter, r *http.Request) {
SessionID: r.URL.Query().Get("s"),
ClusterID: r.URL.Query().Get("c"),
}
if p := r.URL.Query().Get("p"); p != "" && code.RedirectURL == "" {
code.RedirectURL = fmt.Sprintf("http://localhost:%s/callback", p)
}
if code.RedirectURL == "" || code.SessionID == "" || code.ClusterID == "" {
logger.Error(errors.New("missing redirect url or session id or cluster id"), "failed to authorize")
http.Error(w, "missing redirect_url or session_id", http.StatusBadRequest)
Expand Down
20 changes: 14 additions & 6 deletions pkg/kubectl/bind/plugin/authenticate.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"

Expand Down Expand Up @@ -52,7 +53,7 @@ func getProvider(url string) (*kubebindv1alpha1.BindingProvider, error) {
return provider, nil
}

func (b *BindOptions) authenticate(provider *kubebindv1alpha1.BindingProvider, authEndpoint, sessionID, clusterID string, urlCh chan<- string) error {
func (b *BindOptions) authenticate(provider *kubebindv1alpha1.BindingProvider, callback, sessionID, clusterID string, urlCh chan<- string) error {
var oauth2Method *kubebindv1alpha1.OAuth2CodeGrant
for _, m := range provider.AuthenticationMethods {
if m.Method == "OAuth2CodeGrant" {
Expand All @@ -69,17 +70,26 @@ func (b *BindOptions) authenticate(provider *kubebindv1alpha1.BindingProvider, a
return fmt.Errorf("failed to parse auth url: %v", err)
}

cbURL, err := url.Parse(callback)
if err != nil {
return fmt.Errorf("failed to parse callback url: %v", err)
}
_, cbPort, err := net.SplitHostPort(cbURL.Host)
if err != nil {
return fmt.Errorf("failed to parse callback port: %v", err)
}

values := u.Query()
values.Add("u", authEndpoint)
values.Add("p", cbPort)
values.Add("s", sessionID)
values.Add("c", clusterID)
u.RawQuery = values.Encode()

fmt.Fprintf(b.Options.ErrOut, "\nTo authenticate, visit %s in your browser", u.String()) // nolint: errcheck
fmt.Fprintf(b.Options.ErrOut, "\nTo authenticate, visit in your browser:\n\n\t%s", u.String()) // nolint: errcheck

// TODO(sttts): callback backend, not 127.0.0.1
if false {
fmt.Fprintf(b.Options.ErrOut, " or scan the QRCode below")
fmt.Fprintf(b.Options.ErrOut, "\n\nor scan the QRCode below:")
config := qrterminal.Config{
Level: qrterminal.L,
Writer: b.Options.ErrOut,
Expand All @@ -89,8 +99,6 @@ func (b *BindOptions) authenticate(provider *kubebindv1alpha1.BindingProvider, a
}
qrterminal.GenerateWithConfig(u.String(), config)
}
fmt.Fprintf(b.Options.ErrOut, ".")

if urlCh != nil {
urlCh <- u.String()
}
Expand Down
29 changes: 25 additions & 4 deletions pkg/kubectl/bind/plugin/bind.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,12 @@ package plugin
import (
"bytes"
"context"
"crypto/sha256"
"encoding/json"
"errors"
"fmt"
"math/big"
"math/rand"
"net/url"
"os"
"os/exec"
Expand All @@ -36,7 +39,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/rand"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/cli-runtime/pkg/genericclioptions"
kubeclient "k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -164,8 +166,6 @@ func (b *BindOptions) Run(ctx context.Context, urlCh chan<- string) error {
return fmt.Errorf("unsupported binding provider version: %q", provider.APIVersion)
}

sessionID := rand.String(rand.IntnRange(20, 30))

ns, err := kubeClient.CoreV1().Namespaces().Get(ctx, "kube-bind", metav1.GetOptions{})
if err != nil && !apierrors.IsNotFound(err) {
return err
Expand All @@ -179,7 +179,8 @@ func (b *BindOptions) Run(ctx context.Context, urlCh chan<- string) error {
return err
}
}
if err := b.authenticate(provider, auth.Endpoint(ctx), sessionID, string(ns.UID), urlCh); err != nil {
sessionID := SessionID()
if err := b.authenticate(provider, auth.Endpoint(ctx), sessionID, ClusterID(ns), urlCh); err != nil {
return err
}

Expand Down Expand Up @@ -316,3 +317,23 @@ func (b *BindOptions) Run(ctx context.Context, urlCh chan<- string) error {

return nil
}

func ClusterID(ns *corev1.Namespace) string {
hash := sha256.Sum224([]byte(ns.UID))
base62hash := toBase62(hash)
return base62hash[:6] // 50 billion
}

func SessionID() string {
var b [28]byte
if _, err := rand.Read(b[:]); err != nil {
panic(err)
}
return toBase62(b)[:6] // 50 billion
}

func toBase62(hash [28]byte) string {
var i big.Int
i.SetBytes(hash[:])
return i.Text(62)
}
0