use oauth client instead of registry

Author: deads2k

pkg/auth/oauth/registry/grantchecker.go

@@ -5,25 +5,25 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	apirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/authentication/user"
 
 	"github.com/openshift/origin/pkg/auth/api"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
 	"github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization"
 	"github.com/openshift/origin/pkg/oauth/scope"
-	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 type ClientAuthorizationGrantChecker struct {
-	registry oauthclientauthorization.Registry
+	client oauthclient.OAuthClientAuthorizationInterface
 }
 
-func NewClientAuthorizationGrantChecker(registry oauthclientauthorization.Registry) *ClientAuthorizationGrantChecker {
-	return &ClientAuthorizationGrantChecker{registry}
+func NewClientAuthorizationGrantChecker(client oauthclient.OAuthClientAuthorizationInterface) *ClientAuthorizationGrantChecker {
+	return &ClientAuthorizationGrantChecker{client}
 }
 
 func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) {
-	id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
-	authorization, err := c.registry.GetClientAuthorization(apirequest.NewContext(), id, &metav1.GetOptions{})
+	id := oauthclientauthorization.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
+	authorization, err := c.client.Get(id, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		return false, nil
 	}

pkg/auth/oauth/registry/tokenauthenticator.go

@@ -5,24 +5,24 @@ import (
 	"fmt"
 	"time"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kuser "k8s.io/apiserver/pkg/authentication/user"
+
 	"github.com/openshift/origin/pkg/auth/userregistry/identitymapper"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	"github.com/openshift/origin/pkg/oauth/registry/oauthaccesstoken"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
 	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	kuser "k8s.io/apiserver/pkg/authentication/user"
-	kapirequest "k8s.io/apiserver/pkg/endpoints/request"
 )
 
 type TokenAuthenticator struct {
-	tokens      oauthaccesstoken.Registry
+	tokens      oauthclient.OAuthAccessTokenInterface
 	users       userclient.UserResourceInterface
 	groupMapper identitymapper.UserToGroupMapper
 }
 
 var ErrExpired = errors.New("Token is expired")
 
-func NewTokenAuthenticator(tokens oauthaccesstoken.Registry, users userclient.UserResourceInterface, groupMapper identitymapper.UserToGroupMapper) *TokenAuthenticator {
+func NewTokenAuthenticator(tokens oauthclient.OAuthAccessTokenInterface, users userclient.UserResourceInterface, groupMapper identitymapper.UserToGroupMapper) *TokenAuthenticator {
 	return &TokenAuthenticator{
 		tokens:      tokens,
 		users:       users,
@@ -31,9 +31,7 @@ func NewTokenAuthenticator(tokens oauthaccesstoken.Registry, users userclient.Us
 }
 
 func (a *TokenAuthenticator) AuthenticateToken(value string) (kuser.Info, bool, error) {
-	ctx := kapirequest.NewContext()
-
-	token, err := a.tokens.GetAccessToken(ctx, value, &metav1.GetOptions{})
+	token, err := a.tokens.Get(value, metav1.GetOptions{})
 	if err != nil {
 		return nil, false, err
 	}

pkg/auth/server/grant/grant.go

@@ -11,14 +11,14 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
-	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 
 	"github.com/golang/glog"
 	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
 	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
-	"github.com/openshift/origin/pkg/oauth/registry/oauthclient"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
+	oauthclientregistry "github.com/openshift/origin/pkg/oauth/registry/oauthclient"
 	"github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization"
 	"github.com/openshift/origin/pkg/oauth/scope"
 )
@@ -82,11 +82,11 @@ type Grant struct {
 	auth           authenticator.Request
 	csrf           csrf.CSRF
 	render         FormRenderer
-	clientregistry oauthclient.Getter
-	authregistry   oauthclientauthorization.Registry
+	clientregistry oauthclientregistry.Getter
+	authregistry   oauthclient.OAuthClientAuthorizationInterface
 }
 
-func NewGrant(csrf csrf.CSRF, auth authenticator.Request, render FormRenderer, clientregistry oauthclient.Getter, authregistry oauthclientauthorization.Registry) *Grant {
+func NewGrant(csrf csrf.CSRF, auth authenticator.Request, render FormRenderer, clientregistry oauthclientregistry.Getter, authregistry oauthclient.OAuthClientAuthorizationInterface) *Grant {
 	return &Grant{
 		auth:           auth,
 		csrf:           csrf,
@@ -129,7 +129,7 @@ func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Requ
 	scopes := scope.Split(q.Get(scopeParam))
 	redirectURI := q.Get(redirectURIParam)
 
-	client, err := l.clientregistry.GetClient(apirequest.NewContext(), clientID, &metav1.GetOptions{})
+	client, err := l.clientregistry.Get(clientID, metav1.GetOptions{})
 	if err != nil || client == nil {
 		l.failed("Could not find client for client_id", w, req)
 		return
@@ -152,8 +152,8 @@ func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Requ
 	grantedScopes := []Scope{}
 	requestedScopes := []Scope{}
 
-	clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
-	if clientAuth, err := l.authregistry.GetClientAuthorization(apirequest.NewContext(), clientAuthID, &metav1.GetOptions{}); err == nil {
+	clientAuthID := oauthclientauthorization.ClientAuthorizationName(user.GetName(), client.Name)
+	if clientAuth, err := l.authregistry.Get(clientAuthID, metav1.GetOptions{}); err == nil {
 		grantedScopeNames = clientAuth.Scopes
 	}
 
@@ -233,7 +233,7 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 	}
 
 	clientID := req.PostFormValue(clientIDParam)
-	client, err := l.clientregistry.GetClient(apirequest.NewContext(), clientID, &metav1.GetOptions{})
+	client, err := l.clientregistry.Get(clientID, metav1.GetOptions{})
 	if err != nil || client == nil {
 		l.failed("Could not find client for client_id", w, req)
 		return
@@ -244,14 +244,13 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 		return
 	}
 
-	clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
+	clientAuthID := oauthclientauthorization.ClientAuthorizationName(user.GetName(), client.Name)
 
-	ctx := apirequest.NewContext()
-	clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID, &metav1.GetOptions{})
+	clientAuth, err := l.authregistry.Get(clientAuthID, metav1.GetOptions{})
 	if err == nil && clientAuth != nil {
 		// Add new scopes and update
 		clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
-		if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
+		if _, err = l.authregistry.Update(clientAuth); err != nil {
 			glog.Errorf("Unable to update authorization: %v", err)
 			l.failed("Could not update client authorization", w, req)
 			return
@@ -266,7 +265,7 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 		}
 		clientAuth.Name = clientAuthID
 
-		if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
+		if _, err = l.authregistry.Create(clientAuth); err != nil {
 			glog.Errorf("Unable to create authorization: %v", err)
 			l.failed("Could not create client authorization", w, req)
 			return

pkg/cmd/server/origin/master.go

@@ -180,20 +180,24 @@ func (c *MasterConfig) newAssetServerHandler() (http.Handler, error) {
 	return assetServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, nil
 }
 
-func (c *MasterConfig) newOAuthServerHandler() (http.Handler, error) {
+func (c *MasterConfig) newOAuthServerHandler() (http.Handler, map[string]apiserver.PostStartHookFunc, error) {
 	if c.Options.OAuthConfig == nil {
-		return http.NotFoundHandler(), nil
+		return http.NotFoundHandler(), nil, nil
 	}
 
 	config, err := NewOAuthServerConfigFromMasterConfig(c)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	oauthServer, err := config.Complete().New(apiserver.EmptyDelegate)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
-	return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, nil
+	return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain,
+		map[string]apiserver.PostStartHookFunc{
+			"oauth.openshift.io-RegisterTokenRequestEndpoint": config.EnsureBootstrapOAuthClients,
+		},
+		nil
 }
 
 func (c *MasterConfig) withAggregator(delegateAPIServer apiserver.DelegationTarget, kubeAPIServerConfig apiserver.Config, apiExtensionsInformers apiextensionsinformers.SharedInformerFactory) (*aggregatorapiserver.APIAggregator, error) {
@@ -216,8 +220,9 @@ func (c *MasterConfig) Run(kubeAPIServerConfig *kubeapiserver.Config, controller
 	var err error
 	var apiExtensionsInformers apiextensionsinformers.SharedInformerFactory
 	var delegateAPIServer apiserver.DelegationTarget
+	var extraPostStartHooks map[string]apiserver.PostStartHookFunc
 
-	kubeAPIServerConfig.GenericConfig.BuildHandlerChainFunc, err = c.buildHandlerChain()
+	kubeAPIServerConfig.GenericConfig.BuildHandlerChainFunc, extraPostStartHooks, err = c.buildHandlerChain()
 	if err != nil {
 		return err
 	}
@@ -255,79 +260,84 @@ func (c *MasterConfig) Run(kubeAPIServerConfig *kubeapiserver.Config, controller
 	// add post-start hooks
 	aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("template.openshift.io-sharednamespace", c.ensureOpenShiftSharedResourcesNamespace)
 	aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-bootstrapclusterroles", bootstrappolicy.Policy().EnsureRBACPolicy())
+	for name, fn := range extraPostStartHooks {
+		aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie(name, fn)
+	}
 
 	go aggregatedAPIServer.GenericAPIServer.PrepareRun().Run(stopCh)
 
 	// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
 	return cmdutil.WaitForSuccessfulDial(true, aggregatedAPIServer.GenericAPIServer.SecureServingInfo.BindNetwork, aggregatedAPIServer.GenericAPIServer.SecureServingInfo.BindAddress, 100*time.Millisecond, 100*time.Millisecond, 100)
 }
 
-func (c *MasterConfig) buildHandlerChain() (func(apiHandler http.Handler, kc *apiserver.Config) http.Handler, error) {
+func (c *MasterConfig) buildHandlerChain() (func(apiHandler http.Handler, kc *apiserver.Config) http.Handler, map[string]apiserver.PostStartHookFunc, error) {
 	assetServerHandler, err := c.newAssetServerHandler()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
-	oauthServerHandler, err := c.newOAuthServerHandler()
+	oauthServerHandler, extraPostStartHooks, err := c.newOAuthServerHandler()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	return func(apiHandler http.Handler, genericConfig *apiserver.Config) http.Handler {
-		// these are after the kube handler
-		handler := c.versionSkewFilter(apiHandler, genericConfig.RequestContextMapper)
-		handler = namespacingFilter(handler, genericConfig.RequestContextMapper)
-
-		// these are all equivalent to the kube handler chain
-		///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-		handler = serverhandlers.AuthorizationFilter(handler, c.Authorizer, c.AuthorizationAttributeBuilder, genericConfig.RequestContextMapper)
-		handler = serverhandlers.ImpersonationFilter(handler, c.Authorizer, cache.NewGroupCache(c.UserInformers.User().InternalVersion().Groups()), genericConfig.RequestContextMapper)
-		// audit handler must comes before the impersonationFilter to read the original user
-		if c.Options.AuditConfig.Enabled {
-			var writer io.Writer
-			if len(c.Options.AuditConfig.AuditFilePath) > 0 {
-				writer = &lumberjack.Logger{
-					Filename:   c.Options.AuditConfig.AuditFilePath,
-					MaxAge:     c.Options.AuditConfig.MaximumFileRetentionDays,
-					MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
-					MaxSize:    c.Options.AuditConfig.MaximumFileSizeMegabytes,
+			// these are after the kube handler
+			handler := c.versionSkewFilter(apiHandler, genericConfig.RequestContextMapper)
+			handler = namespacingFilter(handler, genericConfig.RequestContextMapper)
+
+			// these are all equivalent to the kube handler chain
+			///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+			handler = serverhandlers.AuthorizationFilter(handler, c.Authorizer, c.AuthorizationAttributeBuilder, genericConfig.RequestContextMapper)
+			handler = serverhandlers.ImpersonationFilter(handler, c.Authorizer, cache.NewGroupCache(c.UserInformers.User().InternalVersion().Groups()), genericConfig.RequestContextMapper)
+			// audit handler must comes before the impersonationFilter to read the original user
+			if c.Options.AuditConfig.Enabled {
+				var writer io.Writer
+				if len(c.Options.AuditConfig.AuditFilePath) > 0 {
+					writer = &lumberjack.Logger{
+						Filename:   c.Options.AuditConfig.AuditFilePath,
+						MaxAge:     c.Options.AuditConfig.MaximumFileRetentionDays,
+						MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
+						MaxSize:    c.Options.AuditConfig.MaximumFileSizeMegabytes,
+					}
+				} else {
+					// backwards compatible writer to regular log
+					writer = cmdutil.NewGLogWriterV(0)
 				}
-			} else {
-				// backwards compatible writer to regular log
-				writer = cmdutil.NewGLogWriterV(0)
+				c.AuditBackend = auditlog.NewBackend(writer)
+				auditPolicyChecker := auditpolicy.NewChecker(&auditinternal.Policy{
+					// This is for backwards compatibility maintaining the old visibility, ie. just
+					// raw overview of the requests comming in.
+					Rules: []auditinternal.PolicyRule{{Level: auditinternal.LevelMetadata}},
+				})
+				handler = apifilters.WithAudit(handler, genericConfig.RequestContextMapper, c.AuditBackend, auditPolicyChecker, genericConfig.LongRunningFunc)
 			}
-			c.AuditBackend = auditlog.NewBackend(writer)
-			auditPolicyChecker := auditpolicy.NewChecker(&auditinternal.Policy{
-				// This is for backwards compatibility maintaining the old visibility, ie. just
-				// raw overview of the requests comming in.
-				Rules: []auditinternal.PolicyRule{{Level: auditinternal.LevelMetadata}},
-			})
-			handler = apifilters.WithAudit(handler, genericConfig.RequestContextMapper, c.AuditBackend, auditPolicyChecker, genericConfig.LongRunningFunc)
-		}
-		handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, genericConfig.RequestContextMapper)
-		handler = apiserverfilters.WithCORS(handler, c.Options.CORSAllowedOrigins, nil, nil, nil, "true")
-		handler = apiserverfilters.WithTimeoutForNonLongRunningRequests(handler, genericConfig.RequestContextMapper, genericConfig.LongRunningFunc)
-		// TODO: MaxRequestsInFlight should be subdivided by intent, type of behavior, and speed of
-		// execution - updates vs reads, long reads vs short reads, fat reads vs skinny reads.
-		// NOTE: read vs. write is implemented in Kube 1.6+
-		handler = apiserverfilters.WithMaxInFlightLimit(handler, genericConfig.MaxRequestsInFlight, genericConfig.MaxMutatingRequestsInFlight, genericConfig.RequestContextMapper, genericConfig.LongRunningFunc)
-		handler = apifilters.WithRequestInfo(handler, apiserver.NewRequestInfoResolver(genericConfig), genericConfig.RequestContextMapper)
-		handler = apirequest.WithRequestContext(handler, genericConfig.RequestContextMapper)
-		handler = apiserverfilters.WithPanicRecovery(handler)
-		///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-		// these handlers are all before the normal kube chain
-		handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
-
-		if c.WebConsoleEnabled() {
-			handler = assetapiserver.WithAssetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
-		}
-		// these handlers are actually separate API servers which have their own handler chains.
-		// our server embeds these
-		handler = c.withConsoleRedirection(handler, assetServerHandler, c.Options.AssetConfig)
-		handler = c.withOAuthRedirection(handler, oauthServerHandler)
-
-		return handler
-	}, nil
+			handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, genericConfig.RequestContextMapper)
+			handler = apiserverfilters.WithCORS(handler, c.Options.CORSAllowedOrigins, nil, nil, nil, "true")
+			handler = apiserverfilters.WithTimeoutForNonLongRunningRequests(handler, genericConfig.RequestContextMapper, genericConfig.LongRunningFunc)
+			// TODO: MaxRequestsInFlight should be subdivided by intent, type of behavior, and speed of
+			// execution - updates vs reads, long reads vs short reads, fat reads vs skinny reads.
+			// NOTE: read vs. write is implemented in Kube 1.6+
+			handler = apiserverfilters.WithMaxInFlightLimit(handler, genericConfig.MaxRequestsInFlight, genericConfig.MaxMutatingRequestsInFlight, genericConfig.RequestContextMapper, genericConfig.LongRunningFunc)
+			handler = apifilters.WithRequestInfo(handler, apiserver.NewRequestInfoResolver(genericConfig), genericConfig.RequestContextMapper)
+			handler = apirequest.WithRequestContext(handler, genericConfig.RequestContextMapper)
+			handler = apiserverfilters.WithPanicRecovery(handler)
+			///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+			// these handlers are all before the normal kube chain
+			handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
+
+			if c.WebConsoleEnabled() {
+				handler = assetapiserver.WithAssetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
+			}
+			// these handlers are actually separate API servers which have their own handler chains.
+			// our server embeds these
+			handler = c.withConsoleRedirection(handler, assetServerHandler, c.Options.AssetConfig)
+			handler = c.withOAuthRedirection(handler, oauthServerHandler)
+
+			return handler
+		},
+		extraPostStartHooks,
+		nil
 }
 
 func (c *MasterConfig) withConsoleRedirection(handler, assetServerHandler http.Handler, assetConfig *configapi.AssetConfig) http.Handler {