Merge branch 'dev' into devops-refactor

# Conflicts: # cmd/controller-manager/app/controllers.go # hack/generate_client.sh # pkg/client/clientset/versioned/clientset.go # pkg/client/clientset/versioned/fake/clientset_generated.go # pkg/client/clientset/versioned/fake/register.go # pkg/client/clientset/versioned/scheme/register.go # pkg/client/informers/externalversions/generic.go
2020-04-01 11:04:09 +08:00
parent d55fcdcfe4 1bf8beb1e6
commit 1a6f563da1
65 changed files with 2650 additions and 1254 deletions
--- a/pkg/kapis/iam/v1alpha2/handler.go
+++ b/pkg/kapis/iam/v1alpha2/handler.go
@@ -2,7 +2,7 @@ package v1alpha2

 import (
 	"github.com/emicklei/go-restful"
-	"kubesphere.io/kubesphere/pkg/api/auth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/informers"
 	"kubesphere.io/kubesphere/pkg/models/iam/am"
 	"kubesphere.io/kubesphere/pkg/models/iam/im"
@@ -16,7 +16,7 @@ type iamHandler struct {
 	imOperator im.IdentityManagementInterface
 }

-func newIAMHandler(k8sClient k8s.Client, factory informers.InformerFactory, ldapClient ldappool.Interface, cacheClient cache.Interface, options *auth.AuthenticationOptions) *iamHandler {
+func newIAMHandler(k8sClient k8s.Client, factory informers.InformerFactory, ldapClient ldappool.Interface, cacheClient cache.Interface, options *authoptions.AuthenticationOptions) *iamHandler {
 	return &iamHandler{
 		amOperator: am.NewAMOperator(k8sClient.Kubernetes(), factory.KubernetesSharedInformerFactory()),
 		imOperator: im.NewLDAPOperator(ldapClient),
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
@@ -22,7 +22,7 @@ import (
 	"github.com/emicklei/go-restful-openapi"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"kubesphere.io/kubesphere/pkg/api"
-	"kubesphere.io/kubesphere/pkg/api/auth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/informers"
@@ -38,7 +38,7 @@ const groupName = "iam.kubesphere.io"

 var GroupVersion = schema.GroupVersion{Group: groupName, Version: "v1alpha2"}

-func AddToContainer(c *restful.Container, k8sClient k8s.Client, factory informers.InformerFactory, ldapClient ldappool.Interface, cacheClient cache.Interface, options *auth.AuthenticationOptions) error {
+func AddToContainer(c *restful.Container, k8sClient k8s.Client, factory informers.InformerFactory, ldapClient ldappool.Interface, cacheClient cache.Interface, options *authoptions.AuthenticationOptions) error {
 	ws := runtime.NewWebService(GroupVersion)

 	handler := newIAMHandler(k8sClient, factory, ldapClient, cacheClient, options)
--- a/pkg/kapis/oauth/handler.go
+++ b/pkg/kapis/oauth/handler.go
@@ -25,19 +25,21 @@ import (
 	"k8s.io/klog"
 	"kubesphere.io/kubesphere/pkg/api"
 	"kubesphere.io/kubesphere/pkg/api/auth"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
 	"kubesphere.io/kubesphere/pkg/apiserver/request"
 	"net/http"
 )

 type oauthHandler struct {
-	issuer token.Issuer
-	config oauth.Configuration
+	issuer  token.Issuer
+	options *authoptions.AuthenticationOptions
 }

-func newOAUTHHandler(issuer token.Issuer, config oauth.Configuration) *oauthHandler {
-	return &oauthHandler{issuer: issuer, config: config}
+func newOAUTHHandler(issuer token.Issuer, options *authoptions.AuthenticationOptions) *oauthHandler {
+	return &oauthHandler{issuer: issuer, options: options}
 }

 // Implement webhook authentication interface
@@ -59,7 +61,7 @@ func (h *oauthHandler) TokenReviewHandler(req *restful.Request, resp *restful.Re
 		return
 	}

-	user, _, err := h.issuer.Verify(tokenReview.Spec.Token)
+	user, err := h.issuer.Verify(tokenReview.Spec.Token)

 	if err != nil {
 		klog.Errorln(err)
@@ -82,8 +84,9 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
 	user, ok := request.UserFrom(req.Request.Context())
 	clientId := req.QueryParameter("client_id")
 	responseType := req.QueryParameter("response_type")
+	redirectURI := req.QueryParameter("redirect_uri")

-	conf, err := h.config.Load(clientId)
+	conf, err := h.options.OAuthOptions.OAuthClient(clientId)

 	if err != nil {
 		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
@@ -103,7 +106,13 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
 		return
 	}

-	accessToken, clm, err := h.issuer.IssueTo(user)
+	expiresIn := h.options.OAuthOptions.AccessTokenMaxAge
+
+	if conf.AccessTokenMaxAge != nil {
+		expiresIn = *conf.AccessTokenMaxAge
+	}
+
+	accessToken, err := h.issuer.IssueTo(user, expiresIn)

 	if err != nil {
 		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
@@ -111,11 +120,71 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
 		return
 	}

-	redirectURL := fmt.Sprintf("%s?access_token=%s&token_type=Bearer", conf.RedirectURL, accessToken)
-	expiresIn := clm.ExpiresAt - clm.IssuedAt
-	if expiresIn > 0 {
-		redirectURL = fmt.Sprintf("%s&expires_in=%v", redirectURL, expiresIn)
+	redirectURL, err := conf.ResolveRedirectURL(redirectURI)
+
+	if err != nil {
+		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
+		resp.WriteError(http.StatusUnauthorized, err)
+		return
 	}

+	redirectURL = fmt.Sprintf("%s#access_token=%s&token_type=Bearer", redirectURL, accessToken)
+
+	if expiresIn > 0 {
+		redirectURL = fmt.Sprintf("%s&expires_in=%v", redirectURL, expiresIn.Seconds())
+	}
+
+	resp.Header().Set("Content-Type", "text/plain")
 	http.Redirect(resp, req.Request, redirectURL, http.StatusFound)
 }
+
+func (h *oauthHandler) OAuthCallBackHandler(req *restful.Request, resp *restful.Response) {
+
+	code := req.QueryParameter("code")
+	name := req.PathParameter("callback")
+
+	if code == "" {
+		err := apierrors.NewUnauthorized("Unauthorized: missing code")
+		resp.WriteError(http.StatusUnauthorized, err)
+	}
+
+	idP, err := h.options.OAuthOptions.IdentityProviderOptions(name)
+
+	if err != nil {
+		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
+		resp.WriteError(http.StatusUnauthorized, err)
+	}
+
+	oauthIdentityProvider, err := identityprovider.ResolveOAuthProvider(idP.Type, idP.Provider)
+
+	if err != nil {
+		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
+		resp.WriteError(http.StatusUnauthorized, err)
+	}
+
+	user, err := oauthIdentityProvider.IdentityExchange(code)
+
+	if err != nil {
+		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
+		resp.WriteError(http.StatusUnauthorized, err)
+	}
+
+	expiresIn := h.options.OAuthOptions.AccessTokenMaxAge
+
+	accessToken, err := h.issuer.IssueTo(user, expiresIn)
+
+	if err != nil {
+		err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
+		resp.WriteError(http.StatusUnauthorized, err)
+		return
+	}
+
+	result := oauth.Token{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		ExpiresIn:   int(expiresIn.Seconds()),
+	}
+
+	resp.WriteEntity(result)
+	return
+}
--- a/pkg/kapis/oauth/register.go
+++ b/pkg/kapis/oauth/register.go
@@ -24,38 +24,70 @@ import (
 	"kubesphere.io/kubesphere/pkg/api"
 	"kubesphere.io/kubesphere/pkg/api/auth"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
 	"kubesphere.io/kubesphere/pkg/constants"
 	"net/http"
 )

-func AddToContainer(c *restful.Container, issuer token.Issuer, configuration oauth.Configuration) error {
+// ks-apiserver includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
+// The OAuth server supports standard authorization code grant and the implicit grant OAuth authorization flows.
+// All requests for OAuth tokens involve a request to <ks-apiserver>/oauth/authorize.
+// Most authentication integrations place an authenticating proxy in front of this endpoint, or configure ks-apiserver
+// to validate credentials against a backing identity provider.
+// Requests to <ks-apiserver>/oauth/authorize can come from user-agents that cannot display interactive login pages, such as the CLI.
+func AddToContainer(c *restful.Container, issuer token.Issuer, options *authoptions.AuthenticationOptions) error {
 	ws := &restful.WebService{}
 	ws.Path("/oauth").
 		Consumes(restful.MIME_JSON).
 		Produces(restful.MIME_JSON)

-	handler := newOAUTHHandler(issuer, configuration)
+	handler := newOAUTHHandler(issuer, options)

 	// Implement webhook authentication interface
 	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 	ws.Route(ws.POST("/authenticate").
-		Doc("TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.").
+		Doc("TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be "+
+			"cached by the webhook token authenticator plugin in the kube-apiserver.").
 		Reads(auth.TokenReview{}).
 		To(handler.TokenReviewHandler).
 		Returns(http.StatusOK, api.StatusOK, auth.TokenReview{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))

-	// TODO Built-in oauth2 server (provider)
-	// web console use 'Resource Owner Password Credentials Grant' or 'Client Credentials Grant' request for an OAuth token
-	// https://tools.ietf.org/html/rfc6749#section-4.3
-	// https://tools.ietf.org/html/rfc6749#section-4.4
-
-	// curl -u admin:P@88w0rd 'http://ks-apiserver.kubesphere-system.svc/oauth/authorize?client_id=kubesphere-console-client&response_type=token' -v
+	// Only support implicit grant flow
+	// https://tools.ietf.org/html/rfc6749#section-4.2
 	ws.Route(ws.GET("/authorize").
+		Doc("All requests for OAuth tokens involve a request to <ks-apiserver>/oauth/authorize.").
+		Param(ws.QueryParameter("response_type", "The value MUST be one of \"code\" for requesting an "+
+			"authorization code as described by [RFC6749] Section 4.1.1, \"token\" for requesting an access token (implicit grant)"+
+			" as described by [RFC6749] Section 4.2.2.").Required(true)).
+		Param(ws.QueryParameter("client_id", "The client identifier issued to the client during the "+
+			"registration process described by [RFC6749] Section 2.2.").Required(true)).
+		Param(ws.QueryParameter("redirect_uri", "After completing its interaction with the resource owner, "+
+			"the authorization server directs the resource owner's user-agent back to the client.The redirection endpoint "+
+			"URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.").Required(false)).
 		To(handler.AuthorizeHandler))
 	//ws.Route(ws.POST("/token"))
-	//ws.Route(ws.POST("/callback/{callback}"))
+
+	// Authorization callback URL, where the end of the URL contains the identity provider name.
+	// The provider name is also used to build the callback URL.
+	ws.Route(ws.GET("/callback/{callback}").
+		Doc("OAuth callback API, the path param callback is config by identity provider").
+		Param(ws.QueryParameter("access_token", "The access token issued by the authorization server.").
+			Required(true)).
+		Param(ws.QueryParameter("token_type", "The type of the token issued as described in [RFC6479] Section 7.1. "+
+			"Value is case insensitive.").Required(true)).
+		Param(ws.QueryParameter("expires_in", "The lifetime in seconds of the access token.  For "+
+			"example, the value \"3600\" denotes that the access token will "+
+			"expire in one hour from the time the response was generated."+
+			"If omitted, the authorization server SHOULD provide the "+
+			"expiration time via other means or document the default value.")).
+		Param(ws.QueryParameter("scope", "if identical to the scope requested by the client;"+
+			"otherwise, REQUIRED.  The scope of the access token as described by [RFC6479] Section 3.3.").Required(false)).
+		Param(ws.QueryParameter("state", "if the \"state\" parameter was present in the client authorization request."+
+			"The exact value received from the client.").Required(true)).
+		To(handler.OAuthCallBackHandler).
+		Returns(http.StatusOK, api.StatusOK, oauth.Token{}))

 	c.Add(ws)

--- a/pkg/kapis/serverconfig/v1alpha2/register.go
+++ b/pkg/kapis/serverconfig/v1alpha2/register.go
@@ -0,0 +1,51 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+const (
+	GroupName = "config.kubesphere.io"
+)
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+func AddToContainer(c *restful.Container, config *apiserverconfig.Config) error {
+	webservice := runtime.NewWebService(GroupVersion)
+
+	webservice.Route(webservice.GET("/configs/oauth").
+		Doc("Information about the authorization server are published.").
+		To(func(request *restful.Request, response *restful.Response) {
+			response.WriteEntity(config.AuthenticationOptions.OAuthOptions)
+		}))
+
+	webservice.Route(webservice.GET("/configs/configz").
+		Doc("Information about the server configuration").
+		To(func(request *restful.Request, response *restful.Response) {
+			response.WriteAsJson(config.ToMap())
+		}))
+
+	c.Add(webservice)
+	return nil
+}