package authzserver
import (
"context"
"io/ioutil"
"net/http"
"net/url"
"strings"
"github.com/flyteorg/flyteadmin/auth"
authConfig "github.com/flyteorg/flyteadmin/auth/config"
"github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/service"
)
// OAuth2MetadataProvider serves the OAuth 2.0 discovery endpoints of the
// auth metadata service. Every method reads the shared auth configuration
// held in cfg; nothing in this type writes to it.
type OAuth2MetadataProvider struct {
	// cfg is the admin auth configuration supplied to NewService.
	cfg *authConfig.Config
}
// AuthFuncOverride makes every method of this service reachable without
// credentials: the incoming context is handed back untouched and no error is
// ever returned, so the grpc-middleware auth interceptor performs no
// authentication for the discovery APIs.
// Ref: https://github.com/grpc-ecosystem/go-grpc-middleware/blob/master/auth/auth.go#L31
func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error) {
	// Clients need the discovery documents before they can obtain a token,
	// so anonymous access is the intended behaviour here.
	return ctx, nil
}
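// GetOAuth2Metadata serves the OAuth 2.0 authorization-server metadata
// document modelled by service.OAuth2MetadataResponse.
//
// When this deployment is its own authorization server
// (AuthorizationServerTypeSelf) the document is derived from the configured
// public URL. Otherwise it is fetched over HTTP from the external
// authorization server's metadata endpoint and decoded as-is.
//
// The external fetch is bound to ctx, so a cancelled or deadline-expired gRPC
// call also stops the outbound request, and the HTTP response body is always
// closed. Errors from the fetch or decode are returned unchanged.
func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *service.OAuth2MetadataRequest) (*service.OAuth2MetadataResponse, error) {
	switch s.cfg.AppAuth.AuthServerType {
	case authConfig.AuthorizationServerTypeSelf:
		return s.selfHostedMetadata(ctx), nil
	default:
		return s.fetchExternalMetadata(ctx)
	}
}

// selfHostedMetadata builds the metadata document for the built-in
// authorization server, resolving every endpoint against the public URL.
func (s OAuth2MetadataProvider) selfHostedMetadata(ctx context.Context) *service.OAuth2MetadataResponse {
	u := auth.GetPublicURL(ctx, nil, s.cfg)
	return &service.OAuth2MetadataResponse{
		Issuer:                GetIssuer(ctx, nil, s.cfg),
		AuthorizationEndpoint: u.ResolveReference(authorizeRelativeURL).String(),
		TokenEndpoint:         u.ResolveReference(tokenRelativeURL).String(),
		JwksUri:               u.ResolveReference(jsonWebKeysURL).String(),
		// Only S256 is advertised: the "plain" PKCE method gives no protection
		// to a client whose authorization request can be observed.
		CodeChallengeMethodsSupported: []string{"S256"},
		// NOTE(review): "token" and "code token" advertise the implicit flow,
		// which current OAuth 2.0 security guidance recommends against. Left
		// as-is for compatibility; confirm the authorize handler really issues
		// these response types before relying on this list.
		ResponseTypesSupported: []string{
			"code",
			"token",
			"code token",
		},
		GrantTypesSupported: supportedGrantTypes,
		ScopesSupported:     []string{auth.ScopeAll},
		TokenEndpointAuthMethodsSupported: []string{
			"client_secret_basic",
		},
	}
}

// externalMetadataURL resolves the location of the external authorization
// server's metadata document. ExternalAuthServer.BaseURL wins over the
// OpenID BaseURL when set; the document path defaults to
// oauth2MetadataEndpoint unless MetadataEndpointURL overrides it.
func (s OAuth2MetadataProvider) externalMetadataURL() *url.URL {
	baseURL := s.cfg.UserAuth.OpenID.BaseURL
	if len(s.cfg.AppAuth.ExternalAuthServer.BaseURL.String()) > 0 {
		baseURL = s.cfg.AppAuth.ExternalAuthServer.BaseURL
	}
	// Issuer URLs conventionally have no trailing '/', yet the metadata path
	// is relative to them. Forcing a trailing '/' makes ResolveReference keep
	// the issuer's full path instead of replacing its last segment.
	// Presumably baseURL is a value copy of the config field, so the
	// configuration itself is not modified here — confirm against the
	// config URL type.
	baseURL.Path = strings.TrimSuffix(baseURL.Path, "/") + "/"

	if len(s.cfg.AppAuth.ExternalAuthServer.MetadataEndpointURL.String()) > 0 {
		return baseURL.ResolveReference(&s.cfg.AppAuth.ExternalAuthServer.MetadataEndpointURL.URL)
	}
	return baseURL.ResolveReference(oauth2MetadataEndpoint)
}

// httpClient returns the client used to reach the external server, routed
// through HTTPProxyURL when one is configured.
func (s OAuth2MetadataProvider) httpClient() *http.Client {
	client := &http.Client{}
	if len(s.cfg.HTTPProxyURL.String()) > 0 {
		client.Transport = &http.Transport{
			Proxy: http.ProxyURL(&s.cfg.HTTPProxyURL.URL),
		}
	}
	return client
}

// fetchExternalMetadata downloads and decodes the external server's metadata
// document. The request carries ctx so the outbound call is abandoned when the
// gRPC call is cancelled or times out, and the response body is closed on
// every path so the connection can be reused rather than leaked.
func (s OAuth2MetadataProvider) fetchExternalMetadata(ctx context.Context) (*service.OAuth2MetadataResponse, error) {
	metadataURL := s.externalMetadataURL().String()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, metadataURL, nil)
	if err != nil {
		return nil, err
	}
	response, err := s.httpClient().Do(req)
	if err != nil {
		return nil, err
	}
	// The original code never closed the body, leaking the connection on
	// every external-server request.
	defer response.Body.Close()

	raw, err := ioutil.ReadAll(response.Body)
	if err != nil {
		return nil, err
	}
	resp := &service.OAuth2MetadataResponse{}
	// unmarshalResp lives elsewhere in this package; presumably it validates
	// the status code before decoding — verify, since nothing here does.
	if err := unmarshalResp(response, raw, resp); err != nil {
		return nil, err
	}
	return resp, nil
}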
// GetPublicClientConfig returns the settings a public (non-confidential)
// client needs to start an authorization flow against this deployment: the
// client id, redirect URI, requested scopes, audience, and the gRPC header
// in which to send the resulting token. No secret material is among the
// fields copied here.
func (s OAuth2MetadataProvider) GetPublicClientConfig(context.Context, *service.PublicClientAuthConfigRequest) (*service.PublicClientAuthConfigResponse, error) {
	clientCfg := s.cfg.AppAuth.ThirdParty.FlyteClientConfig

	resp := &service.PublicClientAuthConfigResponse{}
	resp.ClientId = clientCfg.ClientID
	resp.RedirectUri = clientCfg.RedirectURI
	resp.Scopes = clientCfg.Scopes
	resp.Audience = clientCfg.Audience
	// The header name is a server-wide setting, not part of the client block.
	resp.AuthorizationMetadataKey = s.cfg.GrpcAuthorizationHeader
	return resp, nil
}
// NewService returns an OAuth2MetadataProvider that reads from config.
// The pointer is retained as-is, so later changes to config are visible to
// the provider.
func NewService(config *authConfig.Config) OAuth2MetadataProvider {
	var provider OAuth2MetadataProvider
	provider.cfg = config
	return provider
}