Merge pull request #15968 from deads2k/oauth-03-use-client

Automatic merge from submit-queue

use oauth REST endpoints instead of raw etcd 

@mfojtik this is needed to remove direct etcd access which bypasses any admission checks and auditing and prevents the future separation of processes.

Author: openshift-merge-robot

pkg/auth/oauth/registry/grantchecker.go

@@ -5,25 +5,25 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	apirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/authentication/user"
 
 	"github.com/openshift/origin/pkg/auth/api"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
 	"github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization"
 	"github.com/openshift/origin/pkg/oauth/scope"
-	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 type ClientAuthorizationGrantChecker struct {
-	registry oauthclientauthorization.Registry
+	client oauthclient.OAuthClientAuthorizationInterface
 }
 
-func NewClientAuthorizationGrantChecker(registry oauthclientauthorization.Registry) *ClientAuthorizationGrantChecker {
-	return &ClientAuthorizationGrantChecker{registry}
+func NewClientAuthorizationGrantChecker(client oauthclient.OAuthClientAuthorizationInterface) *ClientAuthorizationGrantChecker {
+	return &ClientAuthorizationGrantChecker{client}
 }
 
 func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) {
-	id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
-	authorization, err := c.registry.GetClientAuthorization(apirequest.NewContext(), id, &metav1.GetOptions{})
+	id := oauthclientauthorization.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
+	authorization, err := c.client.Get(id, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		return false, nil
 	}

pkg/auth/oauth/registry/registry_test.go

@@ -9,19 +9,22 @@ import (
 
 	"github.com/RangelReale/osin"
 	"github.com/RangelReale/osincli"
+
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authentication/user"
+	clienttesting "k8s.io/client-go/testing"
 
 	"github.com/openshift/origin/pkg/auth/api"
 	"github.com/openshift/origin/pkg/auth/oauth/handlers"
 	"github.com/openshift/origin/pkg/auth/userregistry/identitymapper"
 	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
-	"github.com/openshift/origin/pkg/oauth/registry/test"
+	oauthfake "github.com/openshift/origin/pkg/oauth/generated/internalclientset/fake"
 	"github.com/openshift/origin/pkg/oauth/server/osinserver"
 	"github.com/openshift/origin/pkg/oauth/server/osinserver/registrystorage"
 	userapi "github.com/openshift/origin/pkg/user/apis/user"
 	usertest "github.com/openshift/origin/pkg/user/registry/test"
-	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 type testHandlers struct {
@@ -167,6 +170,7 @@ func TestRegistryAndServer(t *testing.T) {
 				Name: "user",
 			},
 			ClientAuth: &oapi.OAuthClientAuthorization{
+				ObjectMeta: metav1.ObjectMeta{Name: "user:test"},
 				UserName:   "user",
 				ClientName: "test",
 				Scopes:     []string{"user:info"},
@@ -185,6 +189,7 @@ func TestRegistryAndServer(t *testing.T) {
 				Name: "user",
 			},
 			ClientAuth: &oapi.OAuthClientAuthorization{
+				ObjectMeta: metav1.ObjectMeta{Name: "user:test"},
 				UserName:   "user",
 				ClientName: "test",
 				Scopes:     []string{"user:info", "user:check-access"},
@@ -203,6 +208,7 @@ func TestRegistryAndServer(t *testing.T) {
 				Name: "user",
 			},
 			ClientAuth: &oapi.OAuthClientAuthorization{
+				ObjectMeta: metav1.ObjectMeta{Name: "user:test"},
 				UserName:   "user",
 				ClientName: "test",
 				Scopes:     []string{"user:full"},
@@ -227,20 +233,15 @@ func TestRegistryAndServer(t *testing.T) {
 		h := &testHandlers{}
 		h.Authenticate = testCase.AuthSuccess
 		h.User = testCase.AuthUser
-		access, authorize := &test.AccessTokenRegistry{}, &test.AuthorizeTokenRegistry{}
-		client := &test.ClientRegistry{
-			Client: testCase.Client,
-		}
-		if testCase.Client == nil {
-			client.Err = apierrs.NewNotFound(oapi.Resource("OAuthClient"), "unknown")
+		objs := []runtime.Object{}
+		if testCase.Client != nil {
+			objs = append(objs, testCase.Client)
 		}
-		grant := &test.ClientAuthorizationRegistry{
-			ClientAuthorization: testCase.ClientAuth,
+		if testCase.ClientAuth != nil {
+			objs = append(objs, testCase.ClientAuth)
 		}
-		if testCase.ClientAuth == nil {
-			grant.GetErr = apierrs.NewNotFound(oapi.Resource("OAuthClientAuthorization"), "test:test")
-		}
-		storage := registrystorage.New(access, authorize, client, NewUserConversion())
+		fakeOAuthClient := oauthfake.NewSimpleClientset(objs...)
+		storage := registrystorage.New(fakeOAuthClient.Oauth().OAuthAccessTokens(), fakeOAuthClient.Oauth().OAuthAuthorizeTokens(), fakeOAuthClient.Oauth().OAuthClients(), NewUserConversion())
 		config := osinserver.NewDefaultServerConfig()
 
 		h.AuthorizeHandler = osinserver.AuthorizeHandlers{
@@ -250,7 +251,7 @@ func TestRegistryAndServer(t *testing.T) {
 				h,
 			),
 			handlers.NewGrantCheck(
-				NewClientAuthorizationGrantChecker(grant),
+				NewClientAuthorizationGrantChecker(fakeOAuthClient.Oauth().OAuthClientAuthorizations()),
 				h,
 				h,
 			),
@@ -299,9 +300,9 @@ func TestRegistryAndServer(t *testing.T) {
 }
 
 func TestAuthenticateTokenNotFound(t *testing.T) {
-	tokenRegistry := &test.AccessTokenRegistry{Err: apierrs.NewNotFound(oapi.Resource("OAuthAccessToken"), "token")}
+	fakeOAuthClient := oauthfake.NewSimpleClientset()
 	userRegistry := usertest.NewUserRegistry()
-	tokenAuthenticator := NewTokenAuthenticator(tokenRegistry, userRegistry, identitymapper.NoopGroupMapper{})
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), userRegistry, identitymapper.NoopGroupMapper{})
 
 	userInfo, found, err := tokenAuthenticator.AuthenticateToken("token")
 	if found {
@@ -318,9 +319,12 @@ func TestAuthenticateTokenNotFound(t *testing.T) {
 	}
 }
 func TestAuthenticateTokenOtherGetError(t *testing.T) {
-	tokenRegistry := &test.AccessTokenRegistry{Err: errors.New("get error")}
+	fakeOAuthClient := oauthfake.NewSimpleClientset()
+	fakeOAuthClient.PrependReactor("get", "oauthaccesstokens", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
+		return true, nil, errors.New("get error")
+	})
 	userRegistry := usertest.NewUserRegistry()
-	tokenAuthenticator := NewTokenAuthenticator(tokenRegistry, userRegistry, identitymapper.NoopGroupMapper{})
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), userRegistry, identitymapper.NoopGroupMapper{})
 
 	userInfo, found, err := tokenAuthenticator.AuthenticateToken("token")
 	if found {
@@ -329,23 +333,22 @@ func TestAuthenticateTokenOtherGetError(t *testing.T) {
 	if err == nil {
 		t.Error("Expected error is missing!")
 	}
-	if err.Error() != tokenRegistry.Err.Error() {
-		t.Errorf("Expected error %v, but got error %v", tokenRegistry.Err, err)
+	if err.Error() != "get error" {
+		t.Errorf("Expected error %v, but got error %v", "get error", err)
 	}
 	if userInfo != nil {
 		t.Errorf("Unexpected user: %v", userInfo)
 	}
 }
 func TestAuthenticateTokenExpired(t *testing.T) {
-	tokenRegistry := &test.AccessTokenRegistry{
-		Err: nil,
-		AccessToken: &oapi.OAuthAccessToken{
-			ObjectMeta: metav1.ObjectMeta{CreationTimestamp: metav1.Time{Time: time.Now().Add(-1 * time.Hour)}},
+	fakeOAuthClient := oauthfake.NewSimpleClientset(
+		&oapi.OAuthAccessToken{
+			ObjectMeta: metav1.ObjectMeta{Name: "token", CreationTimestamp: metav1.Time{Time: time.Now().Add(-1 * time.Hour)}},
 			ExpiresIn:  600, // 10 minutes
 		},
-	}
+	)
 	userRegistry := usertest.NewUserRegistry()
-	tokenAuthenticator := NewTokenAuthenticator(tokenRegistry, userRegistry, identitymapper.NoopGroupMapper{})
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), userRegistry, identitymapper.NoopGroupMapper{})
 
 	userInfo, found, err := tokenAuthenticator.AuthenticateToken("token")
 	if found {
@@ -359,19 +362,18 @@ func TestAuthenticateTokenExpired(t *testing.T) {
 	}
 }
 func TestAuthenticateTokenValidated(t *testing.T) {
-	tokenRegistry := &test.AccessTokenRegistry{
-		Err: nil,
-		AccessToken: &oapi.OAuthAccessToken{
-			ObjectMeta: metav1.ObjectMeta{CreationTimestamp: metav1.Time{Time: time.Now()}},
+	fakeOAuthClient := oauthfake.NewSimpleClientset(
+		&oapi.OAuthAccessToken{
+			ObjectMeta: metav1.ObjectMeta{Name: "token", CreationTimestamp: metav1.Time{Time: time.Now()}},
 			ExpiresIn:  600, // 10 minutes
 			UserName:   "foo",
 			UserUID:    string("bar"),
 		},
-	}
+	)
 	userRegistry := usertest.NewUserRegistry()
 	userRegistry.GetUsers["foo"] = &userapi.User{ObjectMeta: metav1.ObjectMeta{UID: "bar"}}
 
-	tokenAuthenticator := NewTokenAuthenticator(tokenRegistry, userRegistry, identitymapper.NoopGroupMapper{})
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), userRegistry, identitymapper.NoopGroupMapper{})
 
 	userInfo, found, err := tokenAuthenticator.AuthenticateToken("token")
 	if !found {

pkg/auth/oauth/registry/tokenauthenticator.go

@@ -5,24 +5,24 @@ import (
 	"fmt"
 	"time"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kuser "k8s.io/apiserver/pkg/authentication/user"
+
 	"github.com/openshift/origin/pkg/auth/userregistry/identitymapper"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	"github.com/openshift/origin/pkg/oauth/registry/oauthaccesstoken"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
 	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	kuser "k8s.io/apiserver/pkg/authentication/user"
-	kapirequest "k8s.io/apiserver/pkg/endpoints/request"
 )
 
 type TokenAuthenticator struct {
-	tokens      oauthaccesstoken.Registry
+	tokens      oauthclient.OAuthAccessTokenInterface
 	users       userclient.UserResourceInterface
 	groupMapper identitymapper.UserToGroupMapper
 }
 
 var ErrExpired = errors.New("Token is expired")
 
-func NewTokenAuthenticator(tokens oauthaccesstoken.Registry, users userclient.UserResourceInterface, groupMapper identitymapper.UserToGroupMapper) *TokenAuthenticator {
+func NewTokenAuthenticator(tokens oauthclient.OAuthAccessTokenInterface, users userclient.UserResourceInterface, groupMapper identitymapper.UserToGroupMapper) *TokenAuthenticator {
 	return &TokenAuthenticator{
 		tokens:      tokens,
 		users:       users,
@@ -31,9 +31,7 @@ func NewTokenAuthenticator(tokens oauthaccesstoken.Registry, users userclient.Us
 }
 
 func (a *TokenAuthenticator) AuthenticateToken(value string) (kuser.Info, bool, error) {
-	ctx := kapirequest.NewContext()
-
-	token, err := a.tokens.GetAccessToken(ctx, value, &metav1.GetOptions{})
+	token, err := a.tokens.Get(value, metav1.GetOptions{})
 	if err != nil {
 		return nil, false, err
 	}

pkg/auth/server/grant/grant.go

@@ -11,14 +11,14 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
-	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 
 	"github.com/golang/glog"
 	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
 	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
-	"github.com/openshift/origin/pkg/oauth/registry/oauthclient"
+	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
+	oauthclientregistry "github.com/openshift/origin/pkg/oauth/registry/oauthclient"
 	"github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization"
 	"github.com/openshift/origin/pkg/oauth/scope"
 )
@@ -82,11 +82,11 @@ type Grant struct {
 	auth           authenticator.Request
 	csrf           csrf.CSRF
 	render         FormRenderer
-	clientregistry oauthclient.Getter
-	authregistry   oauthclientauthorization.Registry
+	clientregistry oauthclientregistry.Getter
+	authregistry   oauthclient.OAuthClientAuthorizationInterface
 }
 
-func NewGrant(csrf csrf.CSRF, auth authenticator.Request, render FormRenderer, clientregistry oauthclient.Getter, authregistry oauthclientauthorization.Registry) *Grant {
+func NewGrant(csrf csrf.CSRF, auth authenticator.Request, render FormRenderer, clientregistry oauthclientregistry.Getter, authregistry oauthclient.OAuthClientAuthorizationInterface) *Grant {
 	return &Grant{
 		auth:           auth,
 		csrf:           csrf,
@@ -129,7 +129,7 @@ func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Requ
 	scopes := scope.Split(q.Get(scopeParam))
 	redirectURI := q.Get(redirectURIParam)
 
-	client, err := l.clientregistry.GetClient(apirequest.NewContext(), clientID, &metav1.GetOptions{})
+	client, err := l.clientregistry.Get(clientID, metav1.GetOptions{})
 	if err != nil || client == nil {
 		l.failed("Could not find client for client_id", w, req)
 		return
@@ -152,8 +152,8 @@ func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Requ
 	grantedScopes := []Scope{}
 	requestedScopes := []Scope{}
 
-	clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
-	if clientAuth, err := l.authregistry.GetClientAuthorization(apirequest.NewContext(), clientAuthID, &metav1.GetOptions{}); err == nil {
+	clientAuthID := oauthclientauthorization.ClientAuthorizationName(user.GetName(), client.Name)
+	if clientAuth, err := l.authregistry.Get(clientAuthID, metav1.GetOptions{}); err == nil {
 		grantedScopeNames = clientAuth.Scopes
 	}
 
@@ -233,7 +233,7 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 	}
 
 	clientID := req.PostFormValue(clientIDParam)
-	client, err := l.clientregistry.GetClient(apirequest.NewContext(), clientID, &metav1.GetOptions{})
+	client, err := l.clientregistry.Get(clientID, metav1.GetOptions{})
 	if err != nil || client == nil {
 		l.failed("Could not find client for client_id", w, req)
 		return
@@ -244,14 +244,13 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 		return
 	}
 
-	clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
+	clientAuthID := oauthclientauthorization.ClientAuthorizationName(user.GetName(), client.Name)
 
-	ctx := apirequest.NewContext()
-	clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID, &metav1.GetOptions{})
+	clientAuth, err := l.authregistry.Get(clientAuthID, metav1.GetOptions{})
 	if err == nil && clientAuth != nil {
 		// Add new scopes and update
 		clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
-		if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
+		if _, err = l.authregistry.Update(clientAuth); err != nil {
 			glog.Errorf("Unable to update authorization: %v", err)
 			l.failed("Could not update client authorization", w, req)
 			return
@@ -266,7 +265,7 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req
 		}
 		clientAuth.Name = clientAuthID
 
-		if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
+		if _, err = l.authregistry.Create(clientAuth); err != nil {
 			glog.Errorf("Unable to create authorization: %v", err)
 			l.failed("Could not create client authorization", w, req)
 			return