From 05bfe877c42d0ae9b01f720d4cef695c0902dfcf Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Fri, 7 Feb 2020 16:06:50 +0200 Subject: [PATCH 1/7] Apply OpenShift OAuth provider --- assembly/assembly-wsmaster-war/pom.xml | 5 + .../webapp/WEB-INF/classes/che/che.properties | 5 + .../helm/che/templates/configmap.yaml | 3 + deploy/kubernetes/helm/che/values.yaml | 4 + .../templates/che-server-template.yaml | 20 +++- pom.xml | 5 + wsmaster/che-core-api-auth-openshift/pom.xml | 59 +++++++++++ .../che/security/oauth/OpenShiftModule.java | 31 ++++++ .../oauth/OpenShiftOAuthAuthenticator.java | 97 +++++++++++++++++++ wsmaster/pom.xml | 1 + 10 files changed, 229 insertions(+), 1 deletion(-) create mode 100644 wsmaster/che-core-api-auth-openshift/pom.xml create mode 100644 wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java create mode 100644 wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java diff --git a/assembly/assembly-wsmaster-war/pom.xml b/assembly/assembly-wsmaster-war/pom.xml index 12d6a7f496b..355a38a0432 100644 --- a/assembly/assembly-wsmaster-war/pom.xml +++ b/assembly/assembly-wsmaster-war/pom.xml @@ -111,6 +111,10 @@ org.eclipse.che.core che-core-api-auth + + org.eclipse.che.core + che-core-api-auth-openshift + org.eclipse.che.core che-core-api-auth-shared @@ -426,6 +430,7 @@ com.h2database:h2 org.eclipse.che.core:che-core-db-vendor-mysql org.eclipse.che.core:che-core-sql-schema + org.eclipse.che.core:che-core-api-auth-openshift org.eclipse.che.core:che-core-api-ssh-shared org.eclipse.che.multiuser:che-multiuser-sql-schema org.jgroups:jgroups diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index 6c30ada0bf7..68f12b9133b 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties 
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -161,6 +161,11 @@ che.oauth.github.authuri= https://github.com/login/oauth/authorize che.oauth.github.tokenuri= https://github.com/login/oauth/access_token che.oauth.github.redirecturis= http://localhost:${CHE_PORT}/api/oauth/callback +# You can setup GitHub OAuth to automate authentication to remote repositories. +# You need to first register this application with GitHub OAuth. +che.oauth.openshift.clientid=NULL +che.oauth.openshift.clientsecret=NULL +che.oauth.openshift.endpoint= NULL ### Internal diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml index 7aad45fc4e1..d52775c0d4c 100644 --- a/deploy/kubernetes/helm/che/templates/configmap.yaml +++ b/deploy/kubernetes/helm/che/templates/configmap.yaml @@ -68,6 +68,9 @@ data: CHE_MULTIUSER: {{ .Values.global.multiuser | quote }} CHE_OAUTH_GITHUB_CLIENTID: {{ .Values.global.gitHubClientID | quote}} CHE_OAUTH_GITHUB_CLIENTSECRET: {{ .Values.global.gitHubClientSecret | quote}} + CHE_OAUTH_OPENSHIFT_CLIENTID: {{ .Values.global.openShiftClientID | quote}} + CHE_OAUTH_OPENSHIFT_CLIENTSECRET: {{ .Values.global.openShiftClientSecret | quote}} + CHE_OAUTH_OPENSHIFT_ENDPOINT: {{ .Values.global.openShiftEndpoint | quote}} JAVA_OPTS: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms20m " CHE_WORKSPACE_AUTO_START: "false" {{- if .Values.global.tls.enabled }} diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml index 2d9084ecb49..ffb098e72a4 100644 --- a/deploy/kubernetes/helm/che/values.yaml +++ b/deploy/kubernetes/helm/che/values.yaml 
@@ -59,6 +59,10 @@ global: gitHubClientID: "" gitHubClientSecret: "" + openShiftClientID: "" + openShiftClientSecret: "" + openShiftAuthUri: "" + openShiftTokenUri: "" # Possible values: common, per-workspace, unique cheWorkspacesPVCStrategy: "common" pvcClaim: "1Gi" diff --git a/deploy/openshift/templates/che-server-template.yaml b/deploy/openshift/templates/che-server-template.yaml index bab32c0337e..0e6ec6a17fc 100644 --- a/deploy/openshift/templates/che-server-template.yaml +++ b/deploy/openshift/templates/che-server-template.yaml @@ -140,6 +140,12 @@ objects: value: "${CHE_OAUTH_GITHUB_CLIENTID}" - name: CHE_OAUTH_GITHUB_CLIENTSECRET value: "${CHE_OAUTH_GITHUB_CLIENTSECRET}" + - name: CHE_OAUTH_OPENSHIFT_CLIENTID + value: "${CHE_OAUTH_OPENSHIFT_CLIENTID}" + - name: CHE_OAUTH_OPENSHIFT_CLIENTSECRET + value: "${CHE_OAUTH_OPENSHIFT_CLIENTSECRET}" + - name: CHE_OAUTH_OPENSHIFT_ENDPOINT + value: "${CHE_OAUTH_OPENSHIFT_ENDPOINT}" - name: JAVA_OPTS value: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 @@ -341,7 +347,19 @@ parameters: value: '' - name: CHE_OAUTH_GITHUB_CLIENTSECRET displayName: GitHub Client Secret - description: GitHub OAuth app client servet. Applicable to Che single user only! + description: GitHub OAuth app client secret. Applicable to Che single user only! + value: '' +- name: CHE_OAUTH_OPENSHIFT_CLIENTID + displayName: OpenShift Client ID + description: OpenShift OAuth app client ID. Applicable to Che single user only! + value: '' +- name: CHE_OAUTH_OPENSHIFT_CLIENTSECRET + displayName: OpenShift Client Secret + description: OpenShift OAuth app client secret. Applicable to Che single user only! + value: '' +- name: CHE_OAUTH_OPENSHIFT_ENDPOINT + displayName: OpenShift endpoint + description: OpenShift endpoint. Applicable to Che single user only! value: '' - name: CHE_WORKSPACE_PLUGIN__REGISTRY__URL displayName: Eclipse Che plugin registry URL 
diff --git a/pom.xml b/pom.xml index 6da0539b3d2..d81a6af3f8b 100644 --- a/pom.xml +++ b/pom.xml @@ -130,6 +130,11 @@ che-core-api-auth-github ${che.version} + + org.eclipse.che.core + che-core-api-auth-openshift + ${che.version} + org.eclipse.che.core che-core-api-auth-shared diff --git a/wsmaster/che-core-api-auth-openshift/pom.xml b/wsmaster/che-core-api-auth-openshift/pom.xml new file mode 100644 index 00000000000..932862e462c --- /dev/null +++ b/wsmaster/che-core-api-auth-openshift/pom.xml @@ -0,0 +1,59 @@ + + + + 4.0.0 + + che-master-parent + org.eclipse.che.core + 7.9.0-SNAPSHOT + + che-core-api-auth-openshift + jar + Che Core :: API :: Authentication OpenShift + + + com.google.guava + guava + + + com.google.http-client + google-http-client + + + com.google.inject + guice + + + javax.inject + javax.inject + + + org.eclipse.che.core + che-core-api-auth + + + org.eclipse.che.core + che-core-api-auth-shared + + + org.eclipse.che.core + che-core-commons-annotations + + + org.eclipse.che.core + che-core-commons-inject + + + diff --git a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java new file mode 100644 index 00000000000..acc28996c9c --- /dev/null +++ b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java 
@@ -0,0 +1,31 @@ +/* + * Copyright (c) 2012-2018 Red Hat, Inc. + * This program and the accompanying materials are made + * available under the terms of the Eclipse Public License 2.0 + * which is available at https://www.eclipse.org/legal/epl-2.0/ + * + * SPDX-License-Identifier: EPL-2.0 + * + * Contributors: + * Red Hat, Inc. - initial API and implementation + */ +package org.eclipse.che.security.oauth; + +import com.google.inject.AbstractModule; +import com.google.inject.multibindings.Multibinder; +import org.eclipse.che.inject.DynaModule; + +/** + * Setup OpenShiftOAuthAuthenticator in guice container. + * + * @author Igor Vinokur + */ +@DynaModule +public class OpenShiftModule extends AbstractModule { + @Override + protected void configure() { + Multibinder oAuthAuthenticators = + Multibinder.newSetBinder(binder(), OAuthAuthenticator.class); + oAuthAuthenticators.addBinding().to(OpenShiftOAuthAuthenticator.class); + } +} diff --git a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java new file mode 100644 index 00000000000..133f3711727 --- /dev/null +++ b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java 
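Review bot: `Multibinder oAuthAuthenticators` in `configure()` is a raw type, so the `addBinding().to(OpenShiftOAuthAuthenticator.class)` call only compiles through an unchecked conversion and the element type the set binder is keyed on is lost at the declaration; declare it as `Multibinder<OAuthAuthenticator> oAuthAuthenticators = Multibinder.newSetBinder(binder(), OAuthAuthenticator.class);`. The same line survives unchanged as context when this class is later renamed to OpenShiftOAuthModule, so the fix applies there as well.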
@@ -0,0 +1,97 @@ +/* + * Copyright (c) 2012-2018 Red Hat, Inc. + * This program and the accompanying materials are made + * available under the terms of the Eclipse Public License 2.0 + * which is available at https://www.eclipse.org/legal/epl-2.0/ + * + * SPDX-License-Identifier: EPL-2.0 + * + * Contributors: + * Red Hat, Inc. - initial API and implementation + */ +package org.eclipse.che.security.oauth; + +import static com.google.common.base.Strings.isNullOrEmpty; + +import com.google.api.client.util.store.MemoryDataStoreFactory; +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URL; +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; +import org.eclipse.che.api.auth.shared.dto.OAuthToken; +import org.eclipse.che.commons.annotation.Nullable; +import org.eclipse.che.security.oauth.shared.User; + +/** + * OAuth authentication for OpenShift. + * + * @author Igor Vinokur + */ +@Singleton +public class OpenShiftOAuthAuthenticator extends OAuthAuthenticator { + private final String openshiftEndpoint; + + @Inject + public OpenShiftOAuthAuthenticator( + @Nullable @Named("che.oauth.openshift.clientid") String clientId, + @Nullable @Named("che.oauth.openshift.clientsecret") String clientSecret, + @Nullable @Named("che.oauth.openshift.endpoint") String openshiftEndpoint, + @Named("che.api") String apiEndpoint) + throws IOException { + openshiftEndpoint = + openshiftEndpoint.endsWith("/") ? 
openshiftEndpoint : openshiftEndpoint + "/"; + this.openshiftEndpoint = openshiftEndpoint; + String[] redirectUrl = {apiEndpoint + "/oauth/callback"}; + if (!isNullOrEmpty(clientId) + && !isNullOrEmpty(clientSecret) + && !isNullOrEmpty(openshiftEndpoint)) { + configure( + clientId, + clientSecret, + redirectUrl, + openshiftEndpoint + "oauth/authorize", + openshiftEndpoint + "oauth/token", + new MemoryDataStoreFactory()); + } + } + + @Override + public User getUser(OAuthToken accessToken) throws OAuthAuthenticationException { + throw new OAuthAuthenticationException("not supported"); + } + + @Override + public final String getOAuthProvider() { + return "openshift"; + } + + @Override + public OAuthToken getToken(String userId) throws IOException { + final OAuthToken token = super.getToken(userId); + // Check if the token is valid for requests. + if (!(token == null || token.getToken() == null || token.getToken().isEmpty())) { + String tokenVerifyUrl = this.openshiftEndpoint + "oapi/v1/projects"; + HttpURLConnection http = null; + try { + http = (HttpURLConnection) new URL(tokenVerifyUrl).openConnection(); + http.setInstanceFollowRedirects(false); + http.setRequestMethod("GET"); + http.setRequestProperty("Authorization", "Bearer " + token.getToken()); + http.setRequestProperty("Accept", "application/json"); + + if (http.getResponseCode() == 401) { + return null; + } + } finally { + if (http != null) { + http.disconnect(); + } + } + + return token; + } + return null; + } +} diff --git a/wsmaster/pom.xml b/wsmaster/pom.xml index c6f8d0844d5..ffd4fa99e5e 100644 --- a/wsmaster/pom.xml +++ b/wsmaster/pom.xml @@ -28,6 +28,7 @@ che-core-api-auth-shared che-core-api-auth che-core-api-auth-github + che-core-api-auth-openshift che-core-api-workspace-shared che-core-api-workspace che-core-api-workspace-activity From 73670cf97bae474f44fe9326d05647599e2e4e2e Mon Sep 17 00:00:00 2001 
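Review bot: The verification request in `getToken` opens the `HttpURLConnection` without `setConnectTimeout`/`setReadTimeout`, so an unreachable or stalled endpoint blocks the caller indefinitely while it holds the user's token; set both before `getResponseCode()`, e.g. `http.setConnectTimeout(VERIFY_TIMEOUT_MS); http.setReadTimeout(VERIFY_TIMEOUT_MS);` with a small constant (name constructed here). The check also fails open: only a 401 invalidates the token, so a 404 from a mistyped verification URL or a 5xx from the API server reports the token as valid — consider treating any status other than 2xx as unverified (403 most likely means a valid token without permission, so decide that case explicitly) or at least logging unexpected codes, and compare against `HttpURLConnection.HTTP_UNAUTHORIZED` rather than the literal 401. The same request code is touched again in the later hunk of this file at `@@ -72,10 +70,9 @@`.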
From: Igor Vinokur Date: Mon, 10 Feb 2020 13:12:46 +0200 Subject: [PATCH 2/7] fixup! Apply OpenShift OAuth provider --- .../src/main/webapp/WEB-INF/classes/che/che.properties | 2 -- 1 file changed, 2 deletions(-) diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index 68f12b9133b..7d1d169b75e 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -161,8 +161,6 @@ che.oauth.github.authuri= https://github.com/login/oauth/authorize che.oauth.github.tokenuri= https://github.com/login/oauth/access_token che.oauth.github.redirecturis= http://localhost:${CHE_PORT}/api/oauth/callback -# You can setup GitHub OAuth to automate authentication to remote repositories. -# You need to first register this application with GitHub OAuth. che.oauth.openshift.clientid=NULL che.oauth.openshift.clientsecret=NULL che.oauth.openshift.endpoint= NULL From 22a05d8ed3867a681e6342a7f0000dea0d35662c Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Mon, 10 Feb 2020 13:16:56 +0200 Subject: [PATCH 3/7] fixup! Apply OpenShift OAuth provider --- assembly/assembly-wsmaster-war/pom.xml | 1 - .../main/java/org/eclipse/che/api/deploy/WsMasterModule.java | 3 +++ deploy/kubernetes/helm/che/values.yaml | 3 +-- wsmaster/che-core-api-auth-openshift/pom.xml | 4 ---- .../oauth/{OpenShiftModule.java => OpenShiftOAuthModule.java} | 4 +--- 5 files changed, 5 insertions(+), 10 deletions(-) rename wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/{OpenShiftModule.java => OpenShiftOAuthModule.java} (88%) diff --git a/assembly/assembly-wsmaster-war/pom.xml b/assembly/assembly-wsmaster-war/pom.xml index 355a38a0432..f33d49e50f9 100644 --- a/assembly/assembly-wsmaster-war/pom.xml +++ b/assembly/assembly-wsmaster-war/pom.xml 
@@ -430,7 +430,6 @@ com.h2database:h2 org.eclipse.che.core:che-core-db-vendor-mysql org.eclipse.che.core:che-core-sql-schema - org.eclipse.che.core:che-core-api-auth-openshift org.eclipse.che.core:che-core-api-ssh-shared org.eclipse.che.multiuser:che-multiuser-sql-schema org.jgroups:jgroups diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java index a5d5af727ac..b4c37739acf 100644 --- a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java +++ b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java @@ -88,6 +88,7 @@ import org.eclipse.che.security.PasswordEncryptor; import org.eclipse.che.security.oauth.EmbeddedOAuthAPI; import org.eclipse.che.security.oauth.OAuthAPI; +import org.eclipse.che.security.oauth.OpenShiftOAuthModule; import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfraModule; import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure; import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment; @@ -264,6 +265,8 @@ protected void configure() { install(new TracingMetricsModule()); } install(new ExecutorWrapperModule()); + + install(new OpenShiftOAuthModule()); } private void configureSingleUserMode(Map persistenceProperties) { diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml index ffb098e72a4..0f9331cfe16 100644 --- a/deploy/kubernetes/helm/che/values.yaml +++ b/deploy/kubernetes/helm/che/values.yaml @@ -61,8 +61,7 @@ global: gitHubClientSecret: "" openShiftClientID: "" openShiftClientSecret: "" - openShiftAuthUri: "" - openShiftTokenUri: "" + openShiftEndpoint: "" # Possible values: common, per-workspace, unique cheWorkspacesPVCStrategy: "common" pvcClaim: "1Gi" 
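Review bot: `install(new OpenShiftOAuthModule())` is added at the top level of `configure()` in WsMasterModule, after the closing brace of the preceding `if`, so it is installed unconditionally, while the deployment templates in this series describe the OpenShift OAuth settings as "Applicable to Che single user only!". If that restriction is intended, the install belongs under the same condition that selects `configureSingleUserMode` (or inside that method); if the module is meant to be active in multi-user mode too, the template descriptions should say so instead. Whether anything else in `configure()` already gates the embedded OAuth authenticators is not visible in this hunk.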
diff --git a/wsmaster/che-core-api-auth-openshift/pom.xml b/wsmaster/che-core-api-auth-openshift/pom.xml index 932862e462c..d086610f294 100644 --- a/wsmaster/che-core-api-auth-openshift/pom.xml +++ b/wsmaster/che-core-api-auth-openshift/pom.xml @@ -51,9 +51,5 @@ org.eclipse.che.core che-core-commons-annotations - - org.eclipse.che.core - che-core-commons-inject - diff --git a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthModule.java similarity index 88% rename from wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java rename to wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthModule.java index acc28996c9c..eb95fcf0206 100644 --- a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftModule.java +++ b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthModule.java @@ -13,15 +13,13 @@ import com.google.inject.AbstractModule; import com.google.inject.multibindings.Multibinder; -import org.eclipse.che.inject.DynaModule; /** * Setup OpenShiftOAuthAuthenticator in guice container. * * @author Igor Vinokur */ -@DynaModule -public class OpenShiftModule extends AbstractModule { +public class OpenShiftOAuthModule extends AbstractModule { @Override protected void configure() { Multibinder oAuthAuthenticators = From 8a59daee4cc50a226d08ff6e3857d140969a286c Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Mon, 10 Feb 2020 13:21:25 +0200 Subject: [PATCH 4/7] fixup! Apply OpenShift OAuth provider --- .../src/main/webapp/WEB-INF/classes/che/che.properties | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index 7d1d169b75e..e1258d98112 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -161,6 +161,8 @@ che.oauth.github.authuri= https://github.com/login/oauth/authorize che.oauth.github.tokenuri= https://github.com/login/oauth/access_token che.oauth.github.redirecturis= http://localhost:${CHE_PORT}/api/oauth/callback +# You can setup openShift OAuth to be able to get the OpenShift token. +# First you need to create OpenShift OAuthClient. che.oauth.openshift.clientid=NULL che.oauth.openshift.clientsecret=NULL che.oauth.openshift.endpoint= NULL From bf6e3082df29e5cec75cb5c0f3035ec75db2c951 Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Mon, 10 Feb 2020 14:16:25 +0200 Subject: [PATCH 5/7] fixup! Apply OpenShift OAuth provider --- .../src/main/webapp/WEB-INF/classes/che/che.properties | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index e1258d98112..631dd3f4a15 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties 
@@ -161,8 +161,7 @@ che.oauth.github.authuri= https://github.com/login/oauth/authorize che.oauth.github.tokenuri= https://github.com/login/oauth/access_token che.oauth.github.redirecturis= http://localhost:${CHE_PORT}/api/oauth/callback -# You can setup openShift OAuth to be able to get the OpenShift token. -# First you need to create OpenShift OAuthClient. +# Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. che.oauth.openshift.clientid=NULL che.oauth.openshift.clientsecret=NULL che.oauth.openshift.endpoint= NULL From ea925ab58c7c366845374c00c5a832140182772b Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Tue, 11 Feb 2020 15:35:23 +0200 Subject: [PATCH 6/7] fixup! Apply OpenShift OAuth provider --- .../webapp/WEB-INF/classes/che/che.properties | 3 ++- .../helm/che/templates/configmap.yaml | 3 ++- deploy/kubernetes/helm/che/values.yaml | 3 ++- .../templates/che-server-template.yaml | 16 +++++++++----- .../oauth/OpenShiftOAuthAuthenticator.java | 21 ++++++++----------- 5 files changed, 26 insertions(+), 20 deletions(-) diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index 631dd3f4a15..db699f8e0c4 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -164,7 +164,8 @@ che.oauth.github.redirecturis= http://localhost:${CHE_PORT}/api/oauth/callback # Configuration of OpenShift OAuth client. Used to obtain OpenShift OAuth token. che.oauth.openshift.clientid=NULL che.oauth.openshift.clientsecret=NULL -che.oauth.openshift.endpoint= NULL +che.oauth.openshift.oauth_endpoint= NULL +che.oauth.openshift.verify_token_url= NULL ### Internal 
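Review bot: `che.oauth.openshift.verify_token_url` is added without any comment on what it is for or what value it expects, and the comment above it only covers the client settings; add a line above it such as `# URL of an OpenShift API resource that Che requests with the obtained token (sent as a Bearer header) to check that the token is still valid; should point at the API server of the same cluster, over HTTPS.` A matching line for `che.oauth.openshift.oauth_endpoint`, noting that `oauth/authorize` and `oauth/token` are appended to it, would let an operator fill in both values without reading the authenticator source.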
diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml index d52775c0d4c..cf856d5e5f1 100644 --- a/deploy/kubernetes/helm/che/templates/configmap.yaml +++ b/deploy/kubernetes/helm/che/templates/configmap.yaml @@ -70,7 +70,8 @@ data: CHE_OAUTH_GITHUB_CLIENTSECRET: {{ .Values.global.gitHubClientSecret | quote}} CHE_OAUTH_OPENSHIFT_CLIENTID: {{ .Values.global.openShiftClientID | quote}} CHE_OAUTH_OPENSHIFT_CLIENTSECRET: {{ .Values.global.openShiftClientSecret | quote}} - CHE_OAUTH_OPENSHIFT_ENDPOINT: {{ .Values.global.openShiftEndpoint | quote}} + CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT: {{ .Values.global.openShiftOAuthEndpoint | quote}} + CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL: {{ .Values.global.openShiftVerifyTokenUrl | quote}} JAVA_OPTS: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms20m " CHE_WORKSPACE_AUTO_START: "false" {{- if .Values.global.tls.enabled }} diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml index 0f9331cfe16..d2052f14b8b 100644 --- a/deploy/kubernetes/helm/che/values.yaml +++ b/deploy/kubernetes/helm/che/values.yaml @@ -61,7 +61,8 @@ global: gitHubClientSecret: "" openShiftClientID: "" openShiftClientSecret: "" - openShiftEndpoint: "" + openShiftOAuthEndpoint: "" + openShiftVerifyTokenUrl: "" # Possible values: common, per-workspace, unique cheWorkspacesPVCStrategy: "common" pvcClaim: "1Gi" diff --git a/deploy/openshift/templates/che-server-template.yaml b/deploy/openshift/templates/che-server-template.yaml index 0e6ec6a17fc..eb8925dfe80 100644 --- a/deploy/openshift/templates/che-server-template.yaml +++ b/deploy/openshift/templates/che-server-template.yaml 
@@ -144,8 +144,10 @@ objects: value: "${CHE_OAUTH_OPENSHIFT_CLIENTID}" - name: CHE_OAUTH_OPENSHIFT_CLIENTSECRET value: "${CHE_OAUTH_OPENSHIFT_CLIENTSECRET}" - - name: CHE_OAUTH_OPENSHIFT_ENDPOINT - value: "${CHE_OAUTH_OPENSHIFT_ENDPOINT}" + - name: CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT + value: "${CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT}" + - name: CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL + value: "${CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL}" - name: JAVA_OPTS value: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 @@ -357,9 +359,13 @@ parameters: displayName: OpenShift Client Secret description: OpenShift OAuth app client secret. Applicable to Che single user only! value: '' -- name: CHE_OAUTH_OPENSHIFT_ENDPOINT - displayName: OpenShift endpoint - description: OpenShift endpoint. Applicable to Che single user only! +- name: CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT + displayName: OpenShift oauth endpoint + description: OpenShift oauth endpoint. Applicable to Che single user only! + value: '' +- name: CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL + displayName: OpenShift verify token url + description: A url that requests some OpenShift resource. Is used to verify the OpenShift token. Applicable to Che single user only! value: '' - name: CHE_WORKSPACE_PLUGIN__REGISTRY__URL displayName: Eclipse Che plugin registry URL diff --git a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java index 133f3711727..a940ec24cd3 100644 --- a/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java +++ b/wsmaster/che-core-api-auth-openshift/src/main/java/org/eclipse/che/security/oauth/OpenShiftOAuthAuthenticator.java 
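Review bot: The description of the new `CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL` parameter, `A url that requests some OpenShift resource. Is used to verify the OpenShift token.`, does not tell the operator that the user's token is sent to this URL as a Bearer header, which is the property that matters when choosing it; suggest `A URL of an OpenShift API resource (on the same cluster, HTTPS) that Che requests with the user's token, as a Bearer header, to verify that the token is still valid. Applicable to Che single user only!`. The `displayName` and `description` of `CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT` spell it `oauth endpoint` while the neighbouring parameters use `OAuth`; `OpenShift OAuth endpoint` keeps them consistent, and the description could add that `oauth/authorize` and `oauth/token` are appended to it.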
@@ -31,28 +31,26 @@ */ @Singleton public class OpenShiftOAuthAuthenticator extends OAuthAuthenticator { - private final String openshiftEndpoint; + private final String verifyTokenUrl; @Inject public OpenShiftOAuthAuthenticator( @Nullable @Named("che.oauth.openshift.clientid") String clientId, @Nullable @Named("che.oauth.openshift.clientsecret") String clientSecret, - @Nullable @Named("che.oauth.openshift.endpoint") String openshiftEndpoint, + @Nullable @Named("che.oauth.openshift.oauth_endpoint") String oauthEndpoint, + @Nullable @Named("che.oauth.openshift.verify_token_url") String verifyTokenUrl, @Named("che.api") String apiEndpoint) throws IOException { - openshiftEndpoint = - openshiftEndpoint.endsWith("/") ? openshiftEndpoint : openshiftEndpoint + "/"; - this.openshiftEndpoint = openshiftEndpoint; + this.verifyTokenUrl = verifyTokenUrl; String[] redirectUrl = {apiEndpoint + "/oauth/callback"}; - if (!isNullOrEmpty(clientId) - && !isNullOrEmpty(clientSecret) - && !isNullOrEmpty(openshiftEndpoint)) { + if (!isNullOrEmpty(clientId) && !isNullOrEmpty(clientSecret) && !isNullOrEmpty(oauthEndpoint)) { + oauthEndpoint = oauthEndpoint.endsWith("/") ? oauthEndpoint : oauthEndpoint + "/"; configure( clientId, clientSecret, redirectUrl, - openshiftEndpoint + "oauth/authorize", - openshiftEndpoint + "oauth/token", + oauthEndpoint + "oauth/authorize", + oauthEndpoint + "oauth/token", new MemoryDataStoreFactory()); } } 
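Review bot: The constructor guard checks `clientId`, `clientSecret` and `oauthEndpoint` but not the new `@Nullable verifyTokenUrl`, so a deployment that sets the first three and leaves `che.oauth.openshift.verify_token_url` unset is treated as fully configured, and every `getToken` call then fails in `new URL(verifyTokenUrl)` (the hunk at `@@ -72,10 +70,9 @@`) with a MalformedURLException instead of behaving as unconfigured. Add `&& !isNullOrEmpty(verifyTokenUrl)` to the condition, or validate the URL once in the constructor with `new URL(verifyTokenUrl)` so the misconfiguration surfaces at startup rather than on the first token lookup. If the `NULL` default in che.properties is mapped to an actual null by the configuration loader, as the `@Nullable` annotations suggest, this is exactly the out-of-the-box state.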
@@ -72,10 +70,9 @@ public OAuthToken getToken(String userId) throws IOException { final OAuthToken token = super.getToken(userId); // Check if the token is valid for requests. if (!(token == null || token.getToken() == null || token.getToken().isEmpty())) { - String tokenVerifyUrl = this.openshiftEndpoint + "oapi/v1/projects"; HttpURLConnection http = null; try { - http = (HttpURLConnection) new URL(tokenVerifyUrl).openConnection(); + http = (HttpURLConnection) new URL(verifyTokenUrl).openConnection(); http.setInstanceFollowRedirects(false); http.setRequestMethod("GET"); http.setRequestProperty("Authorization", "Bearer " + token.getToken()); From d1f459b04bd51994e2452c2115fecfb04492d0f3 Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Tue, 25 Feb 2020 14:03:53 +0200 Subject: [PATCH 7/7] fixup! Apply OpenShift OAuth provider --- wsmaster/che-core-api-auth-openshift/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wsmaster/che-core-api-auth-openshift/pom.xml b/wsmaster/che-core-api-auth-openshift/pom.xml index d086610f294..6feebbea022 100644 --- a/wsmaster/che-core-api-auth-openshift/pom.xml +++ b/wsmaster/che-core-api-auth-openshift/pom.xml @@ -17,7 +17,7 @@ che-master-parent org.eclipse.che.core - 7.9.0-SNAPSHOT + 7.10.0-SNAPSHOT che-core-api-auth-openshift jar