Use helpers to get OAuth related Public URLs

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

Diff for: pkg/cmd/server/apis/config/helpers.go

@@ -642,3 +642,23 @@ func CIDRsOverlap(cidr1, cidr2 string) bool {
 	}
 	return ipNet1.Contains(ipNet2.IP) || ipNet2.Contains(ipNet1.IP)
 }
+
+func GetMasterPublicURL(config *MasterConfig) string {
+	master := ""
+	if config.OAuthConfig != nil {
+		master = config.OAuthConfig.MasterPublicURL
+	} else if config.ExternalOAuthConfig != nil {
+		master = config.ExternalOAuthConfig.MasterPublicURL
+	}
+	return master
+}
+
+func GetAssetPublicURL(config *MasterConfig) string {
+	asset := ""
+	if config.OAuthConfig != nil {
+		asset = config.OAuthConfig.AssetPublicURL
+	} else if config.ExternalOAuthConfig != nil {
+		asset = config.ExternalOAuthConfig.AssetPublicURL
+	}
+	return asset
+}

Diff for: pkg/cmd/server/origin/master.go

@@ -32,6 +32,9 @@ const (
 	openShiftOAuthAPIPrefix      = "/oauth"
 	openShiftLoginPrefix         = "/login"
 	openShiftOAuthCallbackPrefix = "/oauth2callback"
+	OpenShiftWebConsoleClientID  = "openshift-web-console"
+	OpenShiftBrowserClientID     = "openshift-browser-client"
+	OpenShiftCLIClientID         = "openshift-challenging-client"
 )
 
 func (c *MasterConfig) newOpenshiftAPIConfig(kubeAPIServerConfig apiserver.Config) (*OpenshiftAPIConfig, error) {
@@ -172,26 +175,22 @@ func (c *MasterConfig) newWebConsoleProxy() (http.Handler, error) {
 	return proxyHandler, nil
 }
 
-func (c *MasterConfig) newOAuthServerHandler(genericConfig *apiserver.Config) (http.Handler, map[string]apiserver.PostStartHookFunc, error) {
+func (c *MasterConfig) newOAuthServerHandler(genericConfig *apiserver.Config) (http.Handler, error) {
 	if c.Options.OAuthConfig == nil {
-		return http.NotFoundHandler(), nil, nil
+		return http.NotFoundHandler(), nil
 	}
 
 	config, err := NewOAuthServerConfigFromMasterConfig(c, genericConfig.SecureServingInfo.Listener)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	config.GenericConfig.AuditBackend = genericConfig.AuditBackend
 	config.GenericConfig.AuditPolicyChecker = genericConfig.AuditPolicyChecker
 	oauthServer, err := config.Complete().New(apiserver.EmptyDelegate)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain,
-		map[string]apiserver.PostStartHookFunc{
-			"oauth.openshift.io-StartOAuthClientsBootstrapping": config.StartOAuthClientsBootstrapping,
-		},
-		nil
+	return oauthServer.GenericAPIServer.PrepareRun().GenericAPIServer.Handler.FullHandlerChain, nil
 }
 
 func (c *MasterConfig) withAggregator(delegateAPIServer apiserver.DelegationTarget, kubeAPIServerConfig apiserver.Config, apiExtensionsInformers apiextensionsinformers.SharedInformerFactory) (*aggregatorapiserver.APIAggregator, error) {
@@ -367,15 +366,12 @@ func (c *MasterConfig) RunOpenShift(stopCh <-chan struct{}) error {
 }
 
 func (c *MasterConfig) buildHandlerChain(genericConfig *apiserver.Config) (func(apiHandler http.Handler, kc *apiserver.Config) http.Handler, map[string]apiserver.PostStartHookFunc, error) {
-	webconsolePublicURL := ""
-	if c.Options.OAuthConfig != nil {
-		webconsolePublicURL = c.Options.OAuthConfig.AssetPublicURL
-	}
+	webconsolePublicURL := configapi.GetAssetPublicURL(&c.Options)
 	webconsoleProxyHandler, err := c.newWebConsoleProxy()
 	if err != nil {
 		return nil, nil, err
 	}
-	oauthServerHandler, extraPostStartHooks, err := c.newOAuthServerHandler(genericConfig)
+	oauthServerHandler, err := c.newOAuthServerHandler(genericConfig)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -401,7 +397,9 @@ func (c *MasterConfig) buildHandlerChain(genericConfig *apiserver.Config) (func(
 
 			return handler
 		},
-		extraPostStartHooks,
+		map[string]apiserver.PostStartHookFunc{
+			"oauth.openshift.io-StartOAuthClientsBootstrapping": c.startOAuthClientsBootstrapping,
+		},
 		nil
 }
 

Diff for: pkg/cmd/server/origin/oauthclients.go

@@ -0,0 +1,127 @@
+package origin
+
+import (
+	"time"
+
+	"github.com/pborman/uuid"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/wait"
+	apiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/util/retry"
+
+	oauthapi "github.com/openshift/api/oauth/v1"
+	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
+	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
+	oauthutil "github.com/openshift/origin/pkg/oauth/util"
+)
+
+func ensureOAuthClient(client oauthapi.OAuthClient, oauthClients oauthclient.OAuthClientInterface, preserveExistingRedirects, preserveExistingSecret bool) error {
+	_, err := oauthClients.Create(&client)
+	if err == nil || !errors.IsAlreadyExists(err) {
+		return err
+	}
+
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		existing, err := oauthClients.Get(client.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+
+		// Ensure the correct challenge setting
+		existing.RespondWithChallenges = client.RespondWithChallenges
+		// Preserve an existing client secret
+		if !preserveExistingSecret || len(existing.Secret) == 0 {
+			existing.Secret = client.Secret
+		}
+
+		// Preserve redirects for clients other than the CLI client
+		// The CLI client doesn't care about the redirect URL, just the token or error fragment
+		if preserveExistingRedirects {
+			// Add in any redirects from the existing one
+			// This preserves any additional customized redirects in the default clients
+			redirects := sets.NewString(client.RedirectURIs...)
+			for _, redirect := range existing.RedirectURIs {
+				if !redirects.Has(redirect) {
+					client.RedirectURIs = append(client.RedirectURIs, redirect)
+					redirects.Insert(redirect)
+				}
+			}
+		}
+		existing.RedirectURIs = client.RedirectURIs
+
+		// If the GrantMethod is present, keep it for compatibility
+		// If it is empty, assign the requested strategy.
+		if len(existing.GrantMethod) == 0 {
+			existing.GrantMethod = client.GrantMethod
+		}
+
+		_, err = oauthClients.Update(existing)
+		return err
+	})
+}
+
+// TODO, this moves to the `apiserver.go` when we have it for this group
+// TODO TODO, this actually looks a lot like a controller or an add-on manager style thing.  Seems like we'd want to do this outside
+// EnsureBootstrapOAuthClients creates or updates the bootstrap oauth clients that openshift relies upon.
+func (c *MasterConfig) startOAuthClientsBootstrapping(context apiserver.PostStartHookContext) error {
+	if c.Options.OAuthConfig == nil && c.Options.ExternalOAuthConfig == nil {
+		return nil
+	}
+	assetPublicURL := configapi.GetAssetPublicURL(&c.Options)
+	masterPublicURL := configapi.GetMasterPublicURL(&c.Options)
+	oauthClient, err := oauthclient.NewForConfig(&c.PrivilegedLoopbackClientConfig)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return nil
+	}
+	oauthClientClient := oauthClient.OAuthClients()
+
+	// the TODO above still applies, but this makes it possible for this poststarthook to do its job with a split kubeapiserver and not run forever
+	go func() {
+		wait.PollUntil(1*time.Second, func() (done bool, err error) {
+			webConsoleClient := oauthapi.OAuthClient{
+				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftWebConsoleClientID},
+				Secret:                "",
+				RespondWithChallenges: false,
+				RedirectURIs:          []string{assetPublicURL},
+				GrantMethod:           oauthapi.GrantHandlerAuto,
+			}
+			if err := ensureOAuthClient(webConsoleClient, oauthClientClient, true, false); err != nil {
+				utilruntime.HandleError(err)
+				return false, nil
+			}
+
+			browserClient := oauthapi.OAuthClient{
+				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftBrowserClientID},
+				Secret:                uuid.New(),
+				RespondWithChallenges: false,
+				RedirectURIs:          []string{oauthutil.OpenShiftOAuthTokenDisplayURL(masterPublicURL)},
+				GrantMethod:           oauthapi.GrantHandlerAuto,
+			}
+			if err := ensureOAuthClient(browserClient, oauthClientClient, true, true); err != nil {
+				utilruntime.HandleError(err)
+				return false, nil
+			}
+
+			cliClient := oauthapi.OAuthClient{
+				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftCLIClientID},
+				Secret:                "",
+				RespondWithChallenges: true,
+				RedirectURIs:          []string{oauthutil.OpenShiftOAuthTokenImplicitURL(masterPublicURL)},
+				GrantMethod:           oauthapi.GrantHandlerAuto,
+			}
+			if err := ensureOAuthClient(cliClient, oauthClientClient, false, false); err != nil {
+				utilruntime.HandleError(err)
+				return false, nil
+			}
+
+			return true, nil
+		}, context.StopCh)
+	}()
+
+	return nil
+}

Diff for: pkg/oauthserver/oauthserver/auth.go

@@ -14,7 +14,6 @@ import (
 	"github.com/RangelReale/osincli"
 	"github.com/golang/glog"
 
-	kerrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	knet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -24,7 +23,6 @@ import (
 	kuser "k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/util/cert"
-	"k8s.io/client-go/util/retry"
 
 	oauthapi "github.com/openshift/api/oauth/v1"
 	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
@@ -66,7 +64,6 @@ const (
 	openShiftLoginPrefix         = "/login"
 	openShiftApproveSubpath      = "approve"
 	OpenShiftOAuthCallbackPrefix = "/oauth2callback"
-	OpenShiftWebConsoleClientID  = "openshift-web-console"
 	OpenShiftBrowserClientID     = "openshift-browser-client"
 	OpenShiftCLIClientID         = "openshift-challenging-client"
 )
@@ -218,51 +215,6 @@ func newOpenShiftOAuthClientConfig(clientId, clientSecret, masterPublicURL, mast
 	return config
 }
 
-func ensureOAuthClient(client oauthapi.OAuthClient, oauthClients oauthclient.OAuthClientInterface, preserveExistingRedirects, preserveExistingSecret bool) error {
-	_, err := oauthClients.Create(&client)
-	if err == nil || !kerrs.IsAlreadyExists(err) {
-		return err
-	}
-
-	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		existing, err := oauthClients.Get(client.Name, metav1.GetOptions{})
-		if err != nil {
-			return err
-		}
-
-		// Ensure the correct challenge setting
-		existing.RespondWithChallenges = client.RespondWithChallenges
-		// Preserve an existing client secret
-		if !preserveExistingSecret || len(existing.Secret) == 0 {
-			existing.Secret = client.Secret
-		}
-
-		// Preserve redirects for clients other than the CLI client
-		// The CLI client doesn't care about the redirect URL, just the token or error fragment
-		if preserveExistingRedirects {
-			// Add in any redirects from the existing one
-			// This preserves any additional customized redirects in the default clients
-			redirects := sets.NewString(client.RedirectURIs...)
-			for _, redirect := range existing.RedirectURIs {
-				if !redirects.Has(redirect) {
-					client.RedirectURIs = append(client.RedirectURIs, redirect)
-					redirects.Insert(redirect)
-				}
-			}
-		}
-		existing.RedirectURIs = client.RedirectURIs
-
-		// If the GrantMethod is present, keep it for compatibility
-		// If it is empty, assign the requested strategy.
-		if len(existing.GrantMethod) == 0 {
-			existing.GrantMethod = client.GrantMethod
-		}
-
-		_, err = oauthClients.Update(existing)
-		return err
-	})
-}
-
 // getCSRF returns the object responsible for generating and checking CSRF tokens
 func (c *OAuthServerConfig) getCSRF() csrf.CSRF {
 	secure := isHTTPS(c.ExtraOAuthConfig.Options.MasterPublicURL)

Diff for: pkg/oauthserver/oauthserver/oauth_apiserver.go

@@ -5,15 +5,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"time"
 
 	"github.com/pborman/uuid"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/features"
@@ -24,13 +20,11 @@ import (
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
 
-	oauthapi "github.com/openshift/api/oauth/v1"
 	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
 	routeclient "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"
 	userclient "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	"github.com/openshift/origin/pkg/cmd/server/apis/config/latest"
-	oauthutil "github.com/openshift/origin/pkg/oauth/util"
 	"github.com/openshift/origin/pkg/oauthserver/server/session"
 )
 
@@ -224,53 +218,3 @@ func (c *OAuthServerConfig) buildHandlerChainForOAuth(startingHandler http.Handl
 	handler = genericfilters.WithPanicRecovery(handler)
 	return handler
 }
-
-// TODO, this moves to the `apiserver.go` when we have it for this group
-// TODO TODO, this actually looks a lot like a controller or an add-on manager style thing.  Seems like we'd want to do this outside
-// EnsureBootstrapOAuthClients creates or updates the bootstrap oauth clients that openshift relies upon.
-func (c *OAuthServerConfig) StartOAuthClientsBootstrapping(context genericapiserver.PostStartHookContext) error {
-	// the TODO above still applies, but this makes it possible for this poststarthook to do its job with a split kubeapiserver and not run forever
-	go func() {
-		wait.PollUntil(1*time.Second, func() (done bool, err error) {
-			webConsoleClient := oauthapi.OAuthClient{
-				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftWebConsoleClientID},
-				Secret:                "",
-				RespondWithChallenges: false,
-				RedirectURIs:          c.ExtraOAuthConfig.AssetPublicAddresses,
-				GrantMethod:           oauthapi.GrantHandlerAuto,
-			}
-			if err := ensureOAuthClient(webConsoleClient, c.ExtraOAuthConfig.OAuthClientClient, true, false); err != nil {
-				utilruntime.HandleError(err)
-				return false, nil
-			}
-
-			browserClient := oauthapi.OAuthClient{
-				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftBrowserClientID},
-				Secret:                uuid.New(),
-				RespondWithChallenges: false,
-				RedirectURIs:          []string{oauthutil.OpenShiftOAuthTokenDisplayURL(c.ExtraOAuthConfig.Options.MasterPublicURL)},
-				GrantMethod:           oauthapi.GrantHandlerAuto,
-			}
-			if err := ensureOAuthClient(browserClient, c.ExtraOAuthConfig.OAuthClientClient, true, true); err != nil {
-				utilruntime.HandleError(err)
-				return false, nil
-			}
-
-			cliClient := oauthapi.OAuthClient{
-				ObjectMeta:            metav1.ObjectMeta{Name: OpenShiftCLIClientID},
-				Secret:                "",
-				RespondWithChallenges: true,
-				RedirectURIs:          []string{oauthutil.OpenShiftOAuthTokenImplicitURL(c.ExtraOAuthConfig.Options.MasterPublicURL)},
-				GrantMethod:           oauthapi.GrantHandlerAuto,
-			}
-			if err := ensureOAuthClient(cliClient, c.ExtraOAuthConfig.OAuthClientClient, false, false); err != nil {
-				utilruntime.HandleError(err)
-				return false, nil
-			}
-
-			return true, nil
-		}, context.StopCh)
-	}()
-
-	return nil
-}