feat(auth): support multiple identity provider associations (#6381)

Signed-off-by: hongming <coder.scala@gmail.com> Co-authored-by: hongming <coder.scala@gmail.com>
2025-03-03 16:28:39 +08:00
parent 33152139d6
commit c90729682f
12 changed files with 177 additions and 221 deletions
--- a/pkg/models/auth/oauth.go
+++ b/pkg/models/auth/oauth.go
@@ -11,7 +11,6 @@ import (
 	"net/http"

 	authuser "k8s.io/apiserver/pkg/authentication/user"
-	iamv1beta1 "kubesphere.io/api/iam/v1beta1"
 	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"

 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
@@ -19,15 +18,15 @@ import (

 type oauthAuthenticator struct {
 	client                 runtimeclient.Client
-	userGetter             *userMapper
+	userMapper             UserMapper
 	idpConfigurationGetter identityprovider.ConfigurationGetter
 }

-func NewOAuthAuthenticator(cacheClient runtimeclient.Client) OAuthAuthenticator {
+func NewOAuthAuthenticator(client runtimeclient.Client) OAuthAuthenticator {
 	authenticator := &oauthAuthenticator{
-		client:                 cacheClient,
-		userGetter:             &userMapper{cache: cacheClient},
-		idpConfigurationGetter: identityprovider.NewConfigurationGetter(cacheClient),
+		client:                 client,
+		userMapper:             &userMapper{cache: client},
+		idpConfigurationGetter: identityprovider.NewConfigurationGetter(client),
 	}
 	return authenticator
 }
@@ -49,36 +48,5 @@ func (o *oauthAuthenticator) Authenticate(ctx context.Context, provider string,
 		return nil, fmt.Errorf("failed to exchange identity for %s, error: %v", provider, err)
 	}

-	mappedUser, err := o.userGetter.FindMappedUser(ctx, providerConfig.Name, identity.GetUserID())
-	if err != nil {
-		return nil, fmt.Errorf("failed to find mapped user for %s, error: %v", provider, err)
-	}
-
-	if mappedUser == nil {
-		if providerConfig.MappingMethod == identityprovider.MappingMethodLookup {
-			return nil, fmt.Errorf("failed to find mapped user: %s", identity.GetUserID())
-		}
-
-		if providerConfig.MappingMethod == identityprovider.MappingMethodManual {
-			return newRreRegistrationUser(providerConfig.Name, identity), nil
-		}
-
-		if providerConfig.MappingMethod == identityprovider.MappingMethodAuto {
-			mappedUser = newMappedUser(providerConfig.Name, identity)
-
-			if err = o.client.Create(ctx, mappedUser); err != nil {
-				return nil, err
-			}
-
-			return &authuser.DefaultInfo{Name: mappedUser.GetName()}, nil
-		}
-
-		return nil, fmt.Errorf("invalid mapping method found %s", providerConfig.MappingMethod)
-	}
-
-	if mappedUser.Status.State == iamv1beta1.UserDisabled {
-		return nil, AccountIsNotActiveError
-	}
-
-	return &authuser.DefaultInfo{Name: mappedUser.GetName()}, nil
+	return authByIdentityProvider(ctx, o.client, o.userMapper, providerConfig, identity)
 }