Merge pull request #606 from ericchiang/dev-self-managed-third-party-resources

dev branch: self managed third party resources
This commit is contained in:
Eric Chiang 2016-10-14 09:00:05 -07:00 committed by GitHub
commit 6a9df8ab1c
6 changed files with 146 additions and 96 deletions

View file

@ -28,7 +28,6 @@ ConfigMap for dex to use. These run dex as a deployment with configuration and
storage, allowing it to get started. storage, allowing it to get started.
``` ```
kubectl create -f thirdpartyresources.yaml
kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
kubectl create -f deployment.yaml kubectl create -f deployment.yaml
``` ```

View file

@ -1,57 +0,0 @@
# NOTE: Because of a bug in third party resources, each resource must be in it's
# own API Group.
#
# See fix at https://github.com/kubernetes/kubernetes/pull/28414
metadata:
name: auth-code.authcodes.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "A code which can be claimed for an access token."
versions:
- name: v1
---
metadata:
name: auth-request.authrequests.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "A request for an end user to authorize a client."
versions:
- name: v1
---
metadata:
name: o-auth2-client.oauth2clients.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "An OpenID Connect client."
versions:
- name: v1
---
metadata:
name: signing-key.signingkeies.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "Keys used to sign and verify OpenID Connect tokens."
versions:
- name: v1
---
metadata:
name: refresh-token.refreshtokens.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "Refresh tokens for clients to continuously act on behalf of an end user."
versions:
- name: v1
---
metadata:
name: password.passwords.oidc.coreos.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "Passwords managed by the OIDC server."
versions:
- name: v1

View file

@ -20,6 +20,7 @@ import (
"time" "time"
"github.com/gtank/cryptopasta" "github.com/gtank/cryptopasta"
"golang.org/x/net/context"
yaml "gopkg.in/yaml.v2" yaml "gopkg.in/yaml.v2"
"github.com/coreos/dex/storage" "github.com/coreos/dex/storage"
@ -27,27 +28,17 @@ import (
) )
type client struct { type client struct {
client *http.Client client *http.Client
baseURL string baseURL string
namespace string namespace string
// API version of the oidc resources. For example "oidc.coreos.com". This is
// currently not configurable, but could be in the future.
apiVersion string apiVersion string
now func() time.Time // This is called once the client's Close method is called to signal goroutines,
// such as the one creating third party resources, to stop.
// BUG: currently each third party API group can only have one resource in it, cancel context.CancelFunc
// so for each resource this storage uses, it need a unique API group.
//
// Prepend the name of each resource to the API group for a predictable mapping.
//
// See: https://github.com/kubernetes/kubernetes/pull/28414
prependResourceNameToAPIGroup bool
}
func (c *client) apiVersionForResource(resource string) string {
if !c.prependResourceNameToAPIGroup {
return c.apiVersion
}
return resource + "." + c.apiVersion
} }
func (c *client) urlFor(apiVersion, namespace, resource, name string) string { func (c *client) urlFor(apiVersion, namespace, resource, name string) string {
@ -56,10 +47,6 @@ func (c *client) urlFor(apiVersion, namespace, resource, name string) string {
basePath = "api/" basePath = "api/"
} }
if c.prependResourceNameToAPIGroup && apiVersion != "" && resource != "" {
apiVersion = resource + "." + apiVersion
}
var p string var p string
if namespace != "" { if namespace != "" {
p = path.Join(basePath, apiVersion, "namespaces", namespace, resource, name) p = path.Join(basePath, apiVersion, "namespaces", namespace, resource, name)
@ -72,15 +59,28 @@ func (c *client) urlFor(apiVersion, namespace, resource, name string) string {
return c.baseURL + "/" + p return c.baseURL + "/" + p
} }
// Define an error interface so we can get at the underlying status code if it's
// absolutely necessary. For instance when we need to see if an error indicates
// a resource already exists.
type httpError interface {
StatusCode() int
}
var _ httpError = (*httpErr)(nil)
type httpErr struct { type httpErr struct {
method string method string
url string url string
status string status int
body []byte body []byte
} }
func (e *httpErr) StatusCode() int {
return e.status
}
func (e *httpErr) Error() string { func (e *httpErr) Error() string {
return fmt.Sprintf("%s %s %s: response from server \"%s\"", e.method, e.url, e.status, bytes.TrimSpace(e.body)) return fmt.Sprintf("%s %s %s: response from server \"%s\"", e.method, e.url, http.StatusText(e.status), bytes.TrimSpace(e.body))
} }
func checkHTTPErr(r *http.Response, validStatusCodes ...int) error { func checkHTTPErr(r *http.Response, validStatusCodes ...int) error {
@ -100,7 +100,7 @@ func checkHTTPErr(r *http.Response, validStatusCodes ...int) error {
method = r.Request.Method method = r.Request.Method
url = r.Request.URL.String() url = r.Request.URL.String()
} }
err = &httpErr{method, url, r.Status, body} err = &httpErr{method, url, r.StatusCode, body}
log.Printf("%s", err) log.Printf("%s", err)
if r.StatusCode == http.StatusNotFound { if r.StatusCode == http.StatusNotFound {
@ -134,12 +134,16 @@ func (c *client) list(resource string, v interface{}) error {
} }
func (c *client) post(resource string, v interface{}) error { func (c *client) post(resource string, v interface{}) error {
return c.postResource(c.apiVersion, c.namespace, resource, v)
}
func (c *client) postResource(apiVersion, namespace, resource string, v interface{}) error {
body, err := json.Marshal(v) body, err := json.Marshal(v)
if err != nil { if err != nil {
return fmt.Errorf("marshal object: %v", err) return fmt.Errorf("marshal object: %v", err)
} }
url := c.urlFor(c.apiVersion, c.namespace, resource, "") url := c.urlFor(apiVersion, namespace, resource, "")
resp, err := c.client.Post(url, "application/json", bytes.NewReader(body)) resp, err := c.client.Post(url, "application/json", bytes.NewReader(body))
if err != nil { if err != nil {
return err return err
@ -277,8 +281,6 @@ func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string) (
baseURL: cluster.Server, baseURL: cluster.Server,
namespace: namespace, namespace: namespace,
apiVersion: "oidc.coreos.com/v1", apiVersion: "oidc.coreos.com/v1",
now: time.Now,
prependResourceNameToAPIGroup: true,
}, nil }, nil
} }

View file

@ -4,11 +4,13 @@ import (
"errors" "errors"
"fmt" "fmt"
"log" "log"
"net/http"
"os" "os"
"path/filepath" "path/filepath"
"time" "time"
homedir "github.com/mitchellh/go-homedir" homedir "github.com/mitchellh/go-homedir"
"golang.org/x/net/context"
"github.com/coreos/dex/storage" "github.com/coreos/dex/storage"
"github.com/coreos/dex/storage/kubernetes/k8sapi" "github.com/coreos/dex/storage/kubernetes/k8sapi"
@ -45,7 +47,6 @@ func (c *Config) Open() (storage.Storage, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return cli, nil return cli, nil
} }
@ -81,10 +82,57 @@ func (c *Config) open() (*client, error) {
return nil, err return nil, err
} }
return newClient(cluster, user, namespace) cli, err := newClient(cluster, user, namespace)
if err != nil {
return nil, fmt.Errorf("create client: %v", err)
}
// Don't try to synchronize this because creating third party resources is not
// a synchronous event. Even after the API server returns a 200, it can still
// take several seconds for them to actually appear.
ctx, cancel := context.WithCancel(context.Background())
go func() {
for {
if err := cli.createThirdPartyResources(); err != nil {
log.Printf("failed creating third party resources: %v", err)
} else {
return
}
select {
case <-ctx.Done():
return
case <-time.After(30 * time.Second):
}
}
}()
// If the client is closed, stop trying to create third party resources.
cli.cancel = cancel
return cli, nil
}
func (cli *client) createThirdPartyResources() error {
for _, r := range thirdPartyResources {
err := cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
if err != nil {
if e, ok := err.(httpError); ok {
if e.StatusCode() == http.StatusConflict {
log.Printf("third party resource already created %q", r.ObjectMeta.Name)
continue
}
}
return err
}
log.Printf("create third party resource %q", r.ObjectMeta.Name)
}
return nil
} }
func (cli *client) Close() error { func (cli *client) Close() error {
if cli.cancel != nil {
cli.cancel()
}
return nil return nil
} }
@ -108,7 +156,7 @@ func (cli *client) CreateRefresh(r storage.RefreshToken) error {
refresh := RefreshToken{ refresh := RefreshToken{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindRefreshToken, Kind: kindRefreshToken,
APIVersion: cli.apiVersionForResource(resourceRefreshToken), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: r.RefreshToken, Name: r.RefreshToken,

View file

@ -60,7 +60,7 @@ func TestURLFor(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
c := &client{baseURL: test.baseURL, prependResourceNameToAPIGroup: false} c := &client{baseURL: test.baseURL}
got := c.urlFor(test.apiVersion, test.namespace, test.resource, test.name) got := c.urlFor(test.apiVersion, test.namespace, test.resource, test.name)
if got != test.want { if got != test.want {
t.Errorf("(&client{baseURL:%q}).urlFor(%q, %q, %q, %q): expected %q got %q", t.Errorf("(&client{baseURL:%q}).urlFor(%q, %q, %q, %q): expected %q got %q",

View file

@ -11,6 +11,64 @@ import (
"github.com/coreos/dex/storage/kubernetes/k8sapi" "github.com/coreos/dex/storage/kubernetes/k8sapi"
) )
var tprMeta = k8sapi.TypeMeta{
APIVersion: "extensions/v1beta1",
Kind: "ThirdPartyResource",
}
// The set of third party resources required by the storage. These are managed by
// the storage so it can migrate itself by creating new resources.
var thirdPartyResources = []k8sapi.ThirdPartyResource{
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "auth-code.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "A code which can be claimed for an access token.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "auth-request.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "A request for an end user to authorize a client.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "o-auth2-client.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "An OpenID Connect client.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "signing-key.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Keys used to sign and verify OpenID Connect tokens.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "refresh-token.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Refresh tokens for clients to continuously act on behalf of an end user.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "password.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Passwords managed by the OIDC server.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
}
// There will only ever be a single keys resource. Maintain this by setting a // There will only ever be a single keys resource. Maintain this by setting a
// common name. // common name.
const keysName = "openid-connect-keys" const keysName = "openid-connect-keys"
@ -45,7 +103,7 @@ func (cli *client) fromStorageClient(c storage.Client) Client {
return Client{ return Client{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindClient, Kind: kindClient,
APIVersion: cli.apiVersionForResource(resourceClient), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: c.ID, Name: c.ID,
@ -162,7 +220,7 @@ func (cli *client) fromStorageAuthRequest(a storage.AuthRequest) AuthRequest {
req := AuthRequest{ req := AuthRequest{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindAuthRequest, Kind: kindAuthRequest,
APIVersion: cli.apiVersionForResource(resourceAuthRequest), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: a.ID, Name: a.ID,
@ -216,7 +274,7 @@ func (cli *client) fromStoragePassword(p storage.Password) Password {
return Password{ return Password{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindPassword, Kind: kindPassword,
APIVersion: cli.apiVersionForResource(resourcePassword), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: emailToID(email), Name: emailToID(email),
@ -270,7 +328,7 @@ func (cli *client) fromStorageAuthCode(a storage.AuthCode) AuthCode {
return AuthCode{ return AuthCode{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindAuthCode, Kind: kindAuthCode,
APIVersion: cli.apiVersionForResource(resourceAuthCode), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: a.ID, Name: a.ID,
@ -346,7 +404,7 @@ func (cli *client) fromStorageKeys(keys storage.Keys) Keys {
return Keys{ return Keys{
TypeMeta: k8sapi.TypeMeta{ TypeMeta: k8sapi.TypeMeta{
Kind: kindKeys, Kind: kindKeys,
APIVersion: cli.apiVersionForResource(resourceKeys), APIVersion: cli.apiVersion,
}, },
ObjectMeta: k8sapi.ObjectMeta{ ObjectMeta: k8sapi.ObjectMeta{
Name: keysName, Name: keysName,