feat(initial): Initial commit

Author: Zachary Seguin

.dockerignore

@@ -0,0 +1 @@
+deploy/

.gitignore

@@ -0,0 +1 @@
+jupyter-apis

CONTRIBUTING.md

@@ -0,0 +1,29 @@
+# Contributing
+
+([Français](#comment-contribuer))
+
+## How to Contribute
+
+When contributing, post comments and discuss changes you wish to make via Issues.
+
+Feel free to propose changes by creating Pull Requests. If you don't have write access, editing a file will create a Fork of this project for you to save your proposed changes to. Submitting a change to a file will write it to a new Branch in your Fork, so you can send a Pull Request.
+
+If this is your first time contributing on GitHub, don't worry! Let us know if you have any questions.
+
+### Security
+
+**Do not post any security issues on the public repository!** See [SECURITY.md](SECURITY.md)
+
+______________________
+
+## Comment contribuer
+
+Lorsque vous contribuez, veuillez également publier des commentaires et discuter des modifications que vous souhaitez apporter par l'entremise des enjeux (Issues).
+
+N'hésitez pas à proposer des modifications en créant des demandes de tirage (Pull Requests). Si vous n'avez pas accès au mode de rédaction, la modification d'un fichier créera une copie (Fork) de ce projet afin que vous puissiez enregistrer les modifications que vous proposez. Le fait de proposer une modification à un fichier l'écrira dans une nouvelle branche dans votre copie (Fork), de sorte que vous puissiez envoyer une demande de tirage (Pull Request).
+
+Si c'est la première fois que vous contribuez à GitHub, ne vous en faites pas! Faites-nous part de vos questions.
+
+### Sécurité
+
+**Ne publiez aucun problème de sécurité sur le dépôt publique!** Voir [SECURITY.md](SECURITY.md)

Dockerfile

@@ -0,0 +1,22 @@
+# Build with the golang image
+FROM golang:1.14-alpine AS build
+
+# Add git
+RUN apk add git
+
+# Set workdir
+WORKDIR /go/src/github.com/StatCan/jupyter-apis
+
+# Add dependencies
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
+# Build
+COPY . .
+RUN CGO_ENABLED=0 go install .
+
+# Generate final image
+FROM scratch
+COPY --from=build /go/bin/jupyter-apis /jupyter-apis
+ENTRYPOINT [ "/jupyter-apis" ]

LICENSE

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright (c) Her Majesty the Queen in Right of Canada, as represented by the Minister of Statistics Canada, 2020
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,31 @@
+[(Français)](#interface-de-programmation-dapplications-jupyter)
+
+## Jupyter Application Programming Interfaces
+
+A Golang replacement for the [Kubeflow](https://github.com/kubeflow/kubeflow) Jupyter Web APIs.
+
+### How to Contribute
+
+See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+### License
+
+Unless otherwise noted, the source code of this project is covered under Crown Copyright, Government of Canada, and is distributed under the [MIT License](LICENSE).
+
+The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see [Federal identity requirements](https://www.canada.ca/en/treasury-board-secretariat/topics/government-communications/federal-identity-requirements.html).
+
+______________________
+
+## Interface de programmation d'applications Jupyter
+
+Un remplacement Golang pour les API de Web de Jupyter, partie de [Kubeflow](https://github.com/kubeflow/kubeflow).
+
+### Comment contribuer
+
+Voir [CONTRIBUTING.md](CONTRIBUTING.md)
+
+### Licence
+
+Sauf indication contraire, le code source de ce projet est protégé par le droit d'auteur de la Couronne du gouvernement du Canada et distribué sous la [licence MIT](LICENSE).
+
+Le mot-symbole « Canada » et les éléments graphiques connexes liés à cette distribution sont protégés en vertu des lois portant sur les marques de commerce et le droit d'auteur. Aucune autorisation n'est accordée pour leur utilisation à l'extérieur des paramètres du programme de coordination de l'image de marque du gouvernement du Canada. Pour obtenir davantage de renseignements à ce sujet, veuillez consulter les [Exigences pour l'image de marque](https://www.canada.ca/fr/secretariat-conseil-tresor/sujets/communications-gouvernementales/exigences-image-marque.html).

SECURITY.md

@@ -0,0 +1,11 @@
+([Français](#sécurité))
+
+# Security
+
+**Do not post any security issues on the public repository!** Security vulnerabilities must be reported by email to `[email protected]`
+
+______________________
+
+## Sécurité
+
+**Ne publiez aucun problème de sécurité sur le dépôt publique!** Les vulnérabilités de sécurité doivent être signalées par courriel à `[email protected]`

access.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+
+	"github.com/gorilla/mux"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// kubeflowUserHandler returns an http.Handler which
+// wraps the provided handler h, and will
+// load the User ID of the user from the specific
+// header in the request and add it to the HTTP request information.
+func kubeflowUserHandler(header string, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user := r.Header.Get(header)
+		if user != "" {
+			// Add the User information to the request.
+			r.URL.User = url.User(user)
+		}
+
+		h.ServeHTTP(w, r)
+	})
+}
+
+// checkAccess is a middleware HTTP handler function that will verify the
+// provided user's access against the Kubernetes API server. It loads the
+// user's ID from the `kubeflow-userid` Header, generated a SubjectAccessReview
+// request and submits it to the Kubernetes API server. The API server will
+// return whether the user is permitted to perform the requested action.
+//
+// subjectAccessReviewTemplate: A authorization.k8s.io/v1 SubjectAccessReview
+//                              object used as a template for the request.
+//		Note: the spec.User and Spec.ResourceAttributes.Namespace are REPLACED by this function.
+// next: The next handler to call if the user is authorized to access the desired resource
+func (s *server) checkAccess(subjectAccessReviewTemplate authorizationv1.SubjectAccessReview, next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		vars := mux.Vars(r)
+
+		// Make a copy of the template, so we don't replace content in the templated version
+		sar := subjectAccessReviewTemplate.DeepCopy()
+
+		// Load the user from kubeflow-userid. If there is no user provided,
+		// then do not continue to process the request.
+		user := r.URL.User.Username()
+		if user == "" {
+			log.Printf("no user found")
+			s.respond(w, r, APIResponse{
+				Success: false,
+				Log:     "no user found",
+			})
+			return
+		}
+
+		// Update the SubjectAccessReview request with the namespace and user information
+		sar.Spec.ResourceAttributes.Namespace = vars["namespace"]
+		sar.Spec.User = user
+
+		// Submit the SubjectAccessReview to the Kubernetes API server
+		resp, err := s.clientsets.kubernetes.AuthorizationV1().SubjectAccessReviews().Create(r.Context(), sar, v1.CreateOptions{})
+		if err != nil {
+			s.error(w, r, err)
+			return
+		}
+
+		// If the user is not permitted, log and return the error and do not process the request
+		if !resp.Status.Allowed {
+			msg := fmt.Sprintf("User %s is not permitted to %s %s.%s.%s for namespace: %s", sar.Spec.User, sar.Spec.ResourceAttributes.Verb, sar.Spec.ResourceAttributes.Group, sar.Spec.ResourceAttributes.Version, sar.Spec.ResourceAttributes.Resource, sar.Spec.ResourceAttributes.Namespace)
+
+			log.Println(msg)
+
+			s.respond(w, r, APIResponse{
+				Success: false,
+				Log:     msg,
+			})
+			return
+		}
+
+		// Finally, if the user is authorized
+		next(w, r)
+	}
+}

deploy/deploy.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: jupyter-apis
+    app.kubernetes.io/instance: jupyter-apis
+    app.kubernetes.io/name: jupyter-apis
+  name: jupyter-apis
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: jupyter-apis
+      app.kubernetes.io/instance: jupyter-apis
+      app.kubernetes.io/name: jupyter-apis
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: jupyter-apis
+        app.kubernetes.io/instance: jupyter-apis
+        app.kubernetes.io/name: jupyter-apis
+    spec:
+      containers:
+      - image: zachomedia/jupyter-apis:latest
+        imagePullPolicy: Always
+        name: jupyter-web-app
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+          name: http
+        resources: {}
+      imagePullSecrets:
+      - name: k8scc01covidacr-registry-connection
+      serviceAccountName: jupyter-web-app-service-account
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jupyter-apis
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/component: jupyter-apis
+    app.kubernetes.io/instance: jupyter-apis
+    app.kubernetes.io/name: jupyter-apis
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  labels:
+    app.kubernetes.io/component: jupyter-web-app
+    app.kubernetes.io/instance: jupyter-web-app-v1.0.0
+    app.kubernetes.io/managed-by: kfctl
+    app.kubernetes.io/name: jupyter-web-app
+    app.kubernetes.io/part-of: kubeflow
+    app.kubernetes.io/version: v1.0.0
+  name: jupyter-web-app
+  namespace: kubeflow
+spec:
+  gateways:
+  - kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /jupyter/api/storageclasses/
+      method:
+        exact: GET
+    rewrite:
+      uri: /api/storageclasses/
+    route:
+    - destination:
+        host: jupyter-apis.kubeflow.svc.cluster.local
+        port:
+          number: 80
+  - match:
+    - uri:
+        prefix: /jupyter/api/namespaces/
+      method:
+        exact: GET
+    rewrite:
+      uri: /api/namespaces/
+    route:
+    - destination:
+        host: jupyter-apis.kubeflow.svc.cluster.local
+        port:
+          number: 80
+  - headers:
+      request:
+        add:
+          x-forwarded-prefix: /jupyter
+    match:
+    - uri:
+        prefix: /jupyter/
+    rewrite:
+      uri: /
+    route:
+    - destination:
+        host: jupyter-web-app-service.kubeflow.svc.cluster.local
+        port:
+          number: 80

deploy/restore.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  labels:
+    app.kubernetes.io/component: jupyter-web-app
+    app.kubernetes.io/instance: jupyter-web-app-v1.0.0
+    app.kubernetes.io/managed-by: kfctl
+    app.kubernetes.io/name: jupyter-web-app
+    app.kubernetes.io/part-of: kubeflow
+    app.kubernetes.io/version: v1.0.0
+  name: jupyter-web-app
+  namespace: kubeflow
+spec:
+  gateways:
+  - kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - headers:
+      request:
+        add:
+          x-forwarded-prefix: /jupyter
+    match:
+    - uri:
+        prefix: /jupyter/
+    rewrite:
+      uri: /
+    route:
+    - destination:
+        host: jupyter-web-app-service.kubeflow.svc.cluster.local
+        port:
+          number: 80

go.mod

@@ -0,0 +1,29 @@
+module github.com/StatCan/jupyter-apis
+
+go 1.14
+
+require (
+	github.com/StatCan/kubeflow-controller v0.0.0-20200805150330-c19fa4b0fcb6
+	github.com/andanhm/go-prettytime v1.0.0
+	github.com/gorilla/handlers v1.4.2
+	github.com/gorilla/mux v1.7.4
+	github.com/hashicorp/vault/api v1.0.4 // indirect
+	github.com/imdario/mergo v0.3.10 // indirect
+	github.com/kr/pretty v0.2.0 // indirect
+	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899 // indirect
+	golang.org/x/net v0.0.0-20200707034311-ab3426394381 // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
+	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
+	k8s.io/api v0.18.6
+	k8s.io/apimachinery v0.18.6
+	k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
+	sigs.k8s.io/controller-runtime v0.0.0-00010101000000-000000000000
+)
+
+replace k8s.io/client-go => k8s.io/client-go v0.18.6
+
+replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.6
+
+replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.6.2
+
+replace github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.0