backend: Add /clusters/clusterName/me endpoint

skoeva · skoeva · commit 9a6761c43aa2 · 2025-10-01T16:54:27.000-04:00
diff --git a/backend/cmd/headlamp.go b/backend/cmd/headlamp.go
@@ -43,6 +43,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
+	"github.com/jmespath/go-jmespath"
 	auth "github.com/kubernetes-sigs/headlamp/backend/pkg/auth"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/cache"
 	cfg "github.com/kubernetes-sigs/headlamp/backend/pkg/config"
@@ -84,6 +85,9 @@ type HeadlampConfig struct {
 	telemetryConfig           cfg.Config
 	oidcScopes                []string
 	telemetryHandler          *telemetry.RequestHandler
+	meUsernamePaths           string
+	meEmailPaths              string
+	meGroupsPaths             string
 }
 
 const DrainNodeCacheTTL = 20 // seconds
@@ -477,6 +481,9 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		portforward.GetPortForwardByID(config.cache, w, r)
 	}).Methods("GET")
 
+	// Expose user info so the frontend can show the current user in the top bar using the per-cluster auth cookie.
+	r.HandleFunc("/clusters/{clusterName}/me", config.handleMe).Methods("GET")
+
 	config.handleClusterRequests(r)
 
 	r.HandleFunc("/externalproxy", func(w http.ResponseWriter, r *http.Request) {
@@ -1465,6 +1472,146 @@ func (c *HeadlampConfig) handleClusterRequests(router *mux.Router) {
 	handleClusterAPI(c, router)
 }
 
+// handleMe returns user info extracted from the per-cluster OIDC cookie so the UI can display the current user.
+// Claim discovery is controlled via the Headlamp configuration (HEADLAMP_CONFIG_ME_* env / --me-*-path flags),
+// which accept comma-separated JMESPath expressions to support different identity providers and nested claim layouts.
+func (c *HeadlampConfig) handleMe(w http.ResponseWriter, r *http.Request) {
+	clusterName := mux.Vars(r)["clusterName"]
+	if clusterName == "" {
+		http.Error(w, "cluster not specified", http.StatusBadRequest)
+		return
+	}
+
+	token, err := auth.GetTokenFromCookie(r, clusterName)
+	if err != nil || token == "" {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	parts := strings.SplitN(token, ".", 3)
+	if len(parts) != 3 || parts[1] == "" {
+		http.Error(w, "invalid token", http.StatusUnauthorized)
+		return
+	}
+
+	claims, err := auth.DecodeBase64JSON(parts[1])
+	if err != nil {
+		http.Error(w, "invalid token claims", http.StatusUnauthorized)
+		return
+	}
+
+	usernamePaths := c.meUsernamePaths
+	if strings.TrimSpace(usernamePaths) == "" {
+		usernamePaths = cfg.DefaultMeUsernamePath
+	}
+
+	emailPaths := c.meEmailPaths
+	if strings.TrimSpace(emailPaths) == "" {
+		emailPaths = cfg.DefaultMeEmailPath
+	}
+
+	groupsPaths := c.meGroupsPaths
+	if strings.TrimSpace(groupsPaths) == "" {
+		groupsPaths = cfg.DefaultMeGroupsPath
+	}
+
+	username := stringValueFromJMESPaths(claims, usernamePaths)
+	email := stringValueFromJMESPaths(claims, emailPaths)
+	groups := stringSliceFromJMESPaths(claims, groupsPaths)
+
+	// Prevent caching to avoid 304 Not Modified responses from intermediaries/dev server
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, private")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+	w.Header().Del("ETag")
+	_ = json.NewEncoder(w).Encode(map[string]interface{}{
+		"username": username,
+		"email":    email,
+		"groups":   groups,
+	})
+}
+
+// stringValueFromJMESPaths tries multiple comma-separated JMESPath expressions and returns the first string result.
+func stringValueFromJMESPaths(payload map[string]interface{}, pathCSV string) string {
+	for _, p := range strings.Split(pathCSV, ",") {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+
+		res, err := jmespath.Search(p, payload)
+		if err != nil || res == nil {
+			continue
+		}
+
+		switch v := res.(type) {
+		case string:
+			if v != "" {
+				return v
+			}
+		case fmt.Stringer:
+			vs := v.String()
+			if vs != "" {
+				return vs
+			}
+		case float64:
+			return fmt.Sprintf("%v", v)
+		case int64:
+			return fmt.Sprintf("%v", v)
+		case map[string]interface{}:
+			b, _ := json.Marshal(v)
+			if len(b) > 0 {
+				return string(b)
+			}
+		}
+	}
+
+	return ""
+}
+
+// stringSliceFromJMESPaths tries multiple comma-separated JMESPath expressions and returns the first []string result.
+func stringSliceFromJMESPaths(payload map[string]interface{}, pathCSV string) []string {
+	for _, p := range strings.Split(pathCSV, ",") {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+
+		res, err := jmespath.Search(p, payload)
+		if err != nil || res == nil {
+			continue
+		}
+
+		switch v := res.(type) {
+		case []interface{}:
+			out := make([]string, 0, len(v))
+
+			for _, it := range v {
+				switch s := it.(type) {
+				case string:
+					out = append(out, s)
+				case float64:
+					out = append(out, fmt.Sprintf("%v", s))
+				case int64:
+					out = append(out, fmt.Sprintf("%v", s))
+				default:
+					b, _ := json.Marshal(s)
+					if len(b) > 0 {
+						out = append(out, string(b))
+					}
+				}
+			}
+
+			return out
+		case []string:
+			return v
+		}
+	}
+
+	return []string{}
+}
+
 func (c *HeadlampConfig) getClusters() []Cluster {
 	clusters := []Cluster{}
 
diff --git a/backend/cmd/server.go b/backend/cmd/server.go
@@ -107,6 +107,9 @@ func createHeadlampConfig(conf *config.Config) *HeadlampConfig {
 		oidcScopes:                strings.Split(conf.OidcScopes, ","),
 		oidcSkipTLSVerify:         conf.OidcSkipTLSVerify,
 		oidcUseAccessToken:        conf.OidcUseAccessToken,
+		meUsernamePaths:           conf.MeUsernamePath,
+		meEmailPaths:              conf.MeEmailPath,
+		meGroupsPaths:             conf.MeGroupsPath,
 		cache:                     cache,
 		multiplexer:               multiplexer,
 		telemetryConfig:           buildTelemetryConfig(conf),
diff --git a/backend/go.mod b/backend/go.mod
@@ -30,6 +30,7 @@ require (
 require (
 	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
+	github.com/jmespath/go-jmespath v0.4.0
 	github.com/prometheus/client_golang v1.22.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
 	go.opentelemetry.io/otel v1.35.0
diff --git a/backend/go.sum b/backend/go.sum
@@ -290,6 +290,7 @@ github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
diff --git a/backend/pkg/config/config.go b/backend/pkg/config/config.go
@@ -20,6 +20,12 @@ import (
 
 const defaultPort = 4466
 
+const (
+	DefaultMeUsernamePath = "preferred_username,username,name"
+	DefaultMeEmailPath    = "email"
+	DefaultMeGroupsPath   = "groups,realm_access.roles"
+)
+
 type Config struct {
 	InCluster                 bool   `koanf:"in-cluster"`
 	DevMode                   bool   `koanf:"dev"`
@@ -46,6 +52,9 @@ type Config struct {
 	OidcUseAccessToken        bool   `koanf:"oidc-use-access-token"`
 	OidcSkipTLSVerify         bool   `koanf:"oidc-skip-tls-verify"`
 	OidcCAFile                string `koanf:"oidc-ca-file"`
+	MeUsernamePath            string `koanf:"me-username-path"`
+	MeEmailPath               string `koanf:"me-email-path"`
+	MeGroupsPath              string `koanf:"me-groups-path"`
 	// telemetry configs
 	ServiceName        string   `koanf:"service-name"`
 	ServiceVersion     *string  `koanf:"service-version"`
@@ -218,6 +227,21 @@ func setKubeConfigPath(config *Config) {
 	}
 }
 
+// setMeDefaults ensures the /clusters/{clusterName}/me claim paths fall back to defaults when unset.
+func setMeDefaults(config *Config) {
+	if strings.TrimSpace(config.MeUsernamePath) == "" {
+		config.MeUsernamePath = DefaultMeUsernamePath
+	}
+
+	if strings.TrimSpace(config.MeEmailPath) == "" {
+		config.MeEmailPath = DefaultMeEmailPath
+	}
+
+	if strings.TrimSpace(config.MeGroupsPath) == "" {
+		config.MeGroupsPath = DefaultMeGroupsPath
+	}
+}
+
 // Parse Loads the config from flags and env.
 // env vars should start with HEADLAMP_CONFIG_ and use _ as separator
 // If a value is set both in flags and env then flag takes priority.
@@ -266,6 +290,7 @@ func Parse(args []string) (*Config, error) {
 	// 7. Post-process: patch plugin flag and kubeconfig path.
 	patchWatchPluginsChanges(&config, explicitFlags)
 	setKubeConfigPath(&config)
+	setMeDefaults(&config)
 
 	// 8. Validate parsed config.
 	if err := config.Validate(); err != nil {
@@ -347,6 +372,12 @@ func flagset() *flag.FlagSet {
 	f.Bool("oidc-skip-tls-verify", false, "Skip TLS verification for OIDC")
 	f.String("oidc-ca-file", "", "CA file for OIDC")
 	f.Bool("oidc-use-access-token", false, "Setup oidc to pass through the access_token instead of the default id_token")
+	f.String("me-username-path", DefaultMeUsernamePath,
+		"Comma separated JMESPath expressions used to read username from the JWT payload")
+	f.String("me-email-path", DefaultMeEmailPath,
+		"Comma separated JMESPath expressions used to read email from the JWT payload")
+	f.String("me-groups-path", DefaultMeGroupsPath,
+		"Comma separated JMESPath expressions used to read groups from the JWT payload")
 	// Telemetry flags.
 	f.String("service-name", "headlamp", "Service name for telemetry")
 	f.String("service-version", "0.30.0", "Service version for telemetry")
diff --git a/backend/pkg/config/config_test.go b/backend/pkg/config/config_test.go
@@ -41,13 +41,17 @@ func TestParseBasic(t *testing.T) {
 				assert.Equal(t, "", conf.ListenAddr)
 				assert.Equal(t, uint(4466), conf.Port)
 				assert.Equal(t, "profile,email", conf.OidcScopes)
+				assert.Equal(t, config.DefaultMeUsernamePath, conf.MeUsernamePath)
+				assert.Equal(t, config.DefaultMeEmailPath, conf.MeEmailPath)
+				assert.Equal(t, config.DefaultMeGroupsPath, conf.MeGroupsPath)
 			},
 		},
 		{
 			name: "with_args",
 			args: []string{"go run ./cmd", "--port=3456"},
 			verify: func(t *testing.T, conf *config.Config) {
 				assert.Equal(t, uint(3456), conf.Port)
+				assert.Equal(t, config.DefaultMeUsernamePath, conf.MeUsernamePath)
 			},
 		},
 	}
@@ -90,6 +94,20 @@ var ParseWithEnvTests = []struct {
 			assert.Equal(t, uint(9876), conf.Port)
 		},
 	},
+	{
+		name: "me_paths",
+		args: []string{"go run ./cmd"},
+		env: map[string]string{
+			"HEADLAMP_CONFIG_ME_USERNAME_PATH": "user.name",
+			"HEADLAMP_CONFIG_ME_EMAIL_PATH":    "user.email",
+			"HEADLAMP_CONFIG_ME_GROUPS_PATH":   "user.groups",
+		},
+		verify: func(t *testing.T, conf *config.Config) {
+			assert.Equal(t, "user.name", conf.MeUsernamePath)
+			assert.Equal(t, "user.email", conf.MeEmailPath)
+			assert.Equal(t, "user.groups", conf.MeGroupsPath)
+		},
+	},
 	{
 		name: "kubeconfig_from_default_env",
 		args: []string{"go run ./cmd"},
