feat: kubesphere 4.0 (#6115)
* feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> * feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> --------- Signed-off-by: ci-bot <ci-bot@kubesphere.io> Co-authored-by: ks-ci-bot <ks-ci-bot@example.com> Co-authored-by: joyceliu <joyceliu@yunify.com>
This commit is contained in:
KubeSphere CI Bot
committed by
GitHub
GitHub
parent
b5015ec7b9
commit
447a51f08b
@@ -1,20 +1,7 @@
|
||||
/*
|
||||
|
||||
Copyright 2020 The KubeSphere Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
*/
|
||||
* Please refer to the LICENSE file in the root directory of the project.
|
||||
* https://github.com/kubesphere/kubesphere/blob/master/LICENSE
|
||||
*/
|
||||
|
||||
package auth
|
||||
|
||||
@@ -22,21 +9,13 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/mail"
|
||||
"strings"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
authuser "k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/klog/v2"
|
||||
iamv1beta1 "kubesphere.io/api/iam/v1beta1"
|
||||
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
|
||||
|
||||
iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
|
||||
|
||||
iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -52,7 +31,7 @@ var (
|
||||
// "k8s.io/apimachinery/pkg/api", and restful.ServerError defined at package
|
||||
// "github.com/emicklei/go-restful/v3", or the server cannot handle error correctly.
|
||||
type PasswordAuthenticator interface {
|
||||
Authenticate(ctx context.Context, provider, username, password string) (authuser.Info, string, error)
|
||||
Authenticate(ctx context.Context, provider, username, password string) (authuser.Info, error)
|
||||
}
|
||||
|
||||
// OAuthAuthenticator authenticate users by OAuth 2.0 Authorization Framework. Note that implement this
|
||||
@@ -60,76 +39,32 @@ type PasswordAuthenticator interface {
|
||||
// "k8s.io/apimachinery/pkg/api", and restful.ServerError defined at package
|
||||
// "github.com/emicklei/go-restful/v3", or the server cannot handle error correctly.
|
||||
type OAuthAuthenticator interface {
|
||||
Authenticate(ctx context.Context, provider string, req *http.Request) (authuser.Info, string, error)
|
||||
Authenticate(ctx context.Context, provider string, req *http.Request) (authuser.Info, error)
|
||||
}
|
||||
|
||||
type userGetter struct {
|
||||
userLister iamv1alpha2listers.UserLister
|
||||
}
|
||||
|
||||
func preRegistrationUser(idp string, identity identityprovider.Identity) authuser.Info {
|
||||
func newRreRegistrationUser(idp string, identity identityprovider.Identity) authuser.Info {
|
||||
return &authuser.DefaultInfo{
|
||||
Name: iamv1alpha2.PreRegistrationUser,
|
||||
Name: iamv1beta1.PreRegistrationUser,
|
||||
Extra: map[string][]string{
|
||||
iamv1alpha2.ExtraIdentityProvider: {idp},
|
||||
iamv1alpha2.ExtraUID: {identity.GetUserID()},
|
||||
iamv1alpha2.ExtraUsername: {identity.GetUsername()},
|
||||
iamv1alpha2.ExtraEmail: {identity.GetEmail()},
|
||||
iamv1beta1.ExtraIdentityProvider: {idp},
|
||||
iamv1beta1.ExtraUID: {identity.GetUserID()},
|
||||
iamv1beta1.ExtraUsername: {identity.GetUsername()},
|
||||
iamv1beta1.ExtraEmail: {identity.GetEmail()},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func mappedUser(idp string, identity identityprovider.Identity) *iamv1alpha2.User {
|
||||
func newMappedUser(idp string, identity identityprovider.Identity) *iamv1beta1.User {
|
||||
// username convert
|
||||
username := strings.ToLower(identity.GetUsername())
|
||||
return &iamv1alpha2.User{
|
||||
return &iamv1beta1.User{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: username,
|
||||
Labels: map[string]string{
|
||||
iamv1alpha2.IdentifyProviderLabel: idp,
|
||||
iamv1alpha2.OriginUIDLabel: identity.GetUserID(),
|
||||
iamv1beta1.IdentifyProviderLabel: idp,
|
||||
iamv1beta1.OriginUIDLabel: identity.GetUserID(),
|
||||
},
|
||||
},
|
||||
Spec: iamv1alpha2.UserSpec{Email: identity.GetEmail()},
|
||||
Spec: iamv1beta1.UserSpec{Email: identity.GetEmail()},
|
||||
}
|
||||
}
|
||||
|
||||
// findUser returns the user associated with the username or email
|
||||
func (u *userGetter) findUser(username string) (*iamv1alpha2.User, error) {
|
||||
if _, err := mail.ParseAddress(username); err != nil {
|
||||
return u.userLister.Get(username)
|
||||
}
|
||||
|
||||
users, err := u.userLister.List(labels.Everything())
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, user := range users {
|
||||
if user.Spec.Email == username {
|
||||
return user, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), username)
|
||||
}
|
||||
|
||||
// findMappedUser returns the user which mapped to the identity
|
||||
func (u *userGetter) findMappedUser(idp, uid string) (*iamv1alpha2.User, error) {
|
||||
selector := labels.SelectorFromSet(labels.Set{
|
||||
iamv1alpha2.IdentifyProviderLabel: idp,
|
||||
iamv1alpha2.OriginUIDLabel: uid,
|
||||
})
|
||||
|
||||
users, err := u.userLister.List(selector)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
if len(users) != 1 {
|
||||
return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), uid)
|
||||
}
|
||||
|
||||
return users[0], err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user