Add option to configure an external OAuth server

simo5 · simo5 · commit c4c9565a35be · 2018-03-19T15:23:27.000-04:00
Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/pkg/cmd/server/apis/config/types.go b/pkg/cmd/server/apis/config/types.go
@@ -399,6 +399,10 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig
+
+	// ExternalOAuthConfig, if present configures an External OAuth Server
+	ExternalOAuthConfig *ExternalOAuthConfig
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig
 
@@ -889,6 +893,19 @@ type OAuthTemplates struct {
 	Error string
 }
 
+type ExternalOAuthConfig struct {
+	// MetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata
+	// for an External OAuth server.
+	// See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	MetadataFile string
+
+	// MasterPublicURL is used for building valid client redirect URLs for internal and external access
+	MasterPublicURL string
+
+	// AssetPublicURL is used for building valid client redirect URLs for external access
+	AssetPublicURL string
+}
+
 type ServiceAccountConfig struct {
 	// ManagedNames is a list of service account names that will be auto-created in every namespace.
 	// If no names are specified, the ServiceAccountsController will not be started.
diff --git a/pkg/cmd/server/apis/config/v1/types.go b/pkg/cmd/server/apis/config/v1/types.go
@@ -247,6 +247,10 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig `json:"etcdConfig"`
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig `json:"oauthConfig"`
+
+	// ExternalOAuthConfig, if present configures an External OAuth Server
+	ExternalOAuthConfig *ExternalOAuthConfig `json:"externalOAuthConfig"`
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig `json:"dnsConfig"`
 
@@ -773,6 +777,20 @@ type OAuthTemplates struct {
 	Error string `json:"error"`
 }
 
+// ExternalOAuthConfig allos to configure external OAuth server discovery
+type ExternalOAuthConfig struct {
+	// MetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata
+	// for an External OAuth server.
+	// See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	MetadataFile string `json:"metadataFile"`
+
+	// MasterPublicURL is used for building valid client redirect URLs for internal and external access
+	MasterPublicURL string `json:"masterPublicURL"`
+
+	// AssetPublicURL is used for building valid client redirect URLs for external access
+	AssetPublicURL string `json:"assetPublicURL"`
+}
+
 // ServiceAccountConfig holds the necessary configuration options for a service account
 type ServiceAccountConfig struct {
 	// ManagedNames is a list of service account names that will be auto-created in every namespace.
diff --git a/pkg/cmd/server/apis/config/v1/zz_generated.deepcopy.go b/pkg/cmd/server/apis/config/v1/zz_generated.deepcopy.go
diff --git a/pkg/cmd/server/apis/config/zz_generated.deepcopy.go b/pkg/cmd/server/apis/config/zz_generated.deepcopy.go
diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -84,12 +84,15 @@ func (c *MasterConfig) newOpenshiftNonAPIConfig(kubeAPIServerConfig apiserver.Co
 			SharedInformerFactory: c.ClientGoKubeInformers,
 		},
 		ExtraConfig: NonAPIExtraConfig{
-			EnableOAuth: c.Options.OAuthConfig != nil,
+			EnableOAuth: c.Options.OAuthConfig != nil || c.Options.ExternalOAuthConfig != nil,
 		},
 	}
 	if c.Options.OAuthConfig != nil {
 		ret.ExtraConfig.MasterPublicURL = c.Options.OAuthConfig.MasterPublicURL
 	}
+	if c.Options.ExternalOAuthConfig != nil {
+		ret.ExtraConfig.OAuthMetadataFile = c.Options.ExternalOAuthConfig.MetadataFile
+	}
 
 	return ret
 }
diff --git a/pkg/cmd/server/origin/nonapiserver.go b/pkg/cmd/server/origin/nonapiserver.go
@@ -13,8 +13,9 @@ import (
 )
 
 type NonAPIExtraConfig struct {
-	MasterPublicURL string
-	EnableOAuth     bool
+	MasterPublicURL   string
+	EnableOAuth       bool
+	OAuthMetadataFile string
 }
 
 type OpenshiftNonAPIConfig struct {
@@ -60,7 +61,7 @@ func (c completedOpenshiftNonAPIConfig) New(delegationTarget genericapiserver.De
 	// TODO move this up to the spot where we wire the oauth endpoint
 	// Set up OAuth metadata only if we are configured to use OAuth
 	if c.ExtraConfig.EnableOAuth {
-		initOAuthAuthorizationServerMetadataRoute(s.GenericAPIServer.Handler.NonGoRestfulMux, oauthMetadataEndpoint, c.ExtraConfig.MasterPublicURL)
+		initOAuthAuthorizationServerMetadataRoute(s.GenericAPIServer.Handler.NonGoRestfulMux, c.ExtraConfig)
 	}
 
 	return s, nil
@@ -76,15 +77,26 @@ const (
 // initOAuthAuthorizationServerMetadataRoute initializes an HTTP endpoint for OAuth 2.0 Authorization Server Metadata discovery
 // https://tools.ietf.org/id/draft-ietf-oauth-discovery-04.html#rfc.section.2
 // masterPublicURL should be internally and externally routable to allow all users to discover this information
-func initOAuthAuthorizationServerMetadataRoute(mux *genericmux.PathRecorderMux, path, masterPublicURL string) {
+func initOAuthAuthorizationServerMetadataRoute(mux *genericmux.PathRecorderMux, ExtraConfig *NonAPIExtraConfig) {
 	// Build OAuth metadata once
-	metadata, err := json.MarshalIndent(oauthutil.GetOauthMetadata(masterPublicURL), "", "  ")
-	if err != nil {
-		glog.Errorf("Unable to initialize OAuth authorization server metadata route: %v", err)
-		return
+	var metadata []byte
+	var err error
+
+	if len(ExtraConfig.OAuthMetadataFile) > 0 {
+		metadata, err = oauthutil.LoadOAuthMetadataFile(ExtraConfig.OAuthMetadataFile)
+		if err != nil {
+			glog.Error(err)
+			return
+		}
+	} else {
+		metadata, err = json.MarshalIndent(oauthutil.GetOauthMetadata(ExtraConfig.MasterPublicURL), "", "  ")
+		if err != nil {
+			glog.Errorf("Unable to initialize OAuth authorization server metadata route: %v", err)
+			return
+		}
 	}
 
-	mux.UnlistedHandleFunc(path, func(w http.ResponseWriter, req *http.Request) {
+	mux.UnlistedHandleFunc(oauthMetadataEndpoint, func(w http.ResponseWriter, req *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		w.Write(metadata)
diff --git a/pkg/oauth/util/discovery.go b/pkg/oauth/util/discovery.go
@@ -1,6 +1,10 @@
 package util
 
 import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+
 	"github.com/RangelReale/osin"
 	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	"github.com/openshift/origin/pkg/oauth/apis/oauth/validation"
@@ -51,3 +55,17 @@ func GetOauthMetadata(masterPublicURL string) OauthAuthorizationServerMetadata {
 		CodeChallengeMethodsSupported: validation.CodeChallengeMethodsSupported,
 	}
 }
+
+func LoadOAuthMetadataFile(metadataFile string) ([]byte, error) {
+	data, err := ioutil.ReadFile(metadataFile)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to read External OAuth Metadata file: %v", err)
+	}
+
+	oauthMetadata := OauthAuthorizationServerMetadata{}
+	if err := json.Unmarshal(data, &oauthMetadata); err != nil {
+		return nil, fmt.Errorf("Unable to decode External OAuth Metadata file: %v", err)
+	}
+
+	return data, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -84,12 +84,15 @@ func (c *MasterConfig) newOpenshiftNonAPIConfig(kubeAPIServerConfig apiserver.Co`
`84`	`84`	`SharedInformerFactory: c.ClientGoKubeInformers,`
`85`	`85`	`},`
`86`	`86`	`ExtraConfig: NonAPIExtraConfig{`
`87`		`- EnableOAuth: c.Options.OAuthConfig != nil,`
	`87`	`+ EnableOAuth: c.Options.OAuthConfig != nil \|\| c.Options.ExternalOAuthConfig != nil,`
`88`	`88`	`},`
`89`	`89`	`}`
`90`	`90`	`if c.Options.OAuthConfig != nil {`
`91`	`91`	`ret.ExtraConfig.MasterPublicURL = c.Options.OAuthConfig.MasterPublicURL`
`92`	`92`	`}`
	`93`	`+ if c.Options.ExternalOAuthConfig != nil {`
	`94`	`+ ret.ExtraConfig.OAuthMetadataFile = c.Options.ExternalOAuthConfig.MetadataFile`
	`95`	`+ }`
`93`	`96`
`94`	`97`	`return ret`
`95`	`98`	`}`