istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/security/authentication.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package security
    16  
    17  import (
    18  	"context"
    19  	"errors"
    20  
    21  	"google.golang.org/grpc/credentials"
    22  	"google.golang.org/grpc/peer"
    23  
    24  	"istio.io/istio/pilot/pkg/features"
    25  	"istio.io/istio/pkg/env"
    26  )
    27  
// AuthPlaintext controls whether a request that arrived over a non-TLS
// connection is still run through the configured authenticators instead of
// being passed through without an identity. It is registered under the
// XDS_AUTH_PLAINTEXT environment variable (default false) and read once at
// package initialization.
var (
	AuthPlaintext = env.Register("XDS_AUTH_PLAINTEXT", false,
		"authenticate plain text requests - used if Istiod is running on a secure/trusted network").Get()
)
    30  
// Authenticate runs the ADS request carried by ctx through the configured
// authenticators and returns the validated principals.
//
// It returns a nil Caller together with a nil error - an accepted but
// unauthenticated request - when XDS authentication is disabled, or when the
// request arrived over a non-TLS stream (the insecure port, 15010) and
// AuthPlaintext is not set. Callers must therefore treat a nil Caller as
// "no identity" rather than as a verified one.
//
// It returns an error when ctx carries no peer information, or when every
// authenticator rejects the request; the rejection reasons are logged, not
// returned to the peer.
func Authenticate(ctx context.Context, authenticators []Authenticator) (*Caller, error) {
	// Gated by a feature flag so that upgrades are not broken; it should be
	// enabled wherever XDS is exposed (multi-cluster / mesh expansion).
	if !features.XDSAuth {
		return nil, nil
	}

	p, ok := peer.FromContext(ctx)
	if !ok {
		return nil, errors.New("invalid context")
	}

	// A request that did not arrive over TLS is only authenticated when
	// AuthPlaintext opts in; otherwise it is passed through without an
	// identity. TODO: add a flag to reject unauthenticated requests (15010).
	_, overTLS := p.AuthInfo.(credentials.TLSInfo)
	if !overTLS && !AuthPlaintext {
		return nil, nil
	}

	mgr := authenticationManager{Authenticators: authenticators}
	caller := mgr.authenticate(ctx)
	if caller == nil {
		// Details stay in the log; the peer only sees a generic failure.
		securityLog.Errorf("Failed to authenticate client from %s: %s", p.Addr.String(), mgr.FailedMessages())
		return nil, errors.New("authentication failure")
	}
	return caller, nil
}