Merge pull request #10878 from enj/enj/f/oauth_pod_flow_redirect

Merged by openshift-bot

pkg/api/validation/register.go

@@ -1,8 +1,6 @@
 package validation
 
 import (
-	_ "github.com/openshift/origin/pkg/api/install"
-
 	authorizationvalidation "github.com/openshift/origin/pkg/authorization/api/validation"
 	buildvalidation "github.com/openshift/origin/pkg/build/api/validation"
 	deployvalidation "github.com/openshift/origin/pkg/deploy/api/validation"
@@ -79,6 +77,7 @@ func registerAll() {
 	Validator.MustRegister(&oauthapi.OAuthAuthorizeToken{}, oauthvalidation.ValidateAuthorizeToken, oauthvalidation.ValidateAuthorizeTokenUpdate)
 	Validator.MustRegister(&oauthapi.OAuthClient{}, oauthvalidation.ValidateClient, oauthvalidation.ValidateClientUpdate)
 	Validator.MustRegister(&oauthapi.OAuthClientAuthorization{}, oauthvalidation.ValidateClientAuthorization, oauthvalidation.ValidateClientAuthorizationUpdate)
+	Validator.MustRegister(&oauthapi.OAuthRedirectReference{}, oauthvalidation.ValidateOAuthRedirectReference, nil)
 
 	Validator.MustRegister(&projectapi.Project{}, projectvalidation.ValidateProject, projectvalidation.ValidateProjectUpdate)
 	Validator.MustRegister(&projectapi.ProjectRequest{}, projectvalidation.ValidateProjectRequest, nil)

pkg/cmd/cli/describe/describer_test.go

@@ -74,6 +74,7 @@ var DescriberCoverageExceptions = []reflect.Type{
 	reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
 	reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
 	reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
+	reflect.TypeOf(&oauthapi.OAuthRedirectReference{}),
 }
 
 // MissingDescriberCoverageExceptions is the list of types that were missing describer methods when I started
@@ -111,7 +112,7 @@ main:
 
 		_, ok := DescriberFor(api.SchemeGroupVersion.WithKind(apiType.Name()).GroupKind(), c, &ktestclient.Fake{}, "")
 		if !ok {
-			t.Errorf("missing printer for %v.  Check pkg/cmd/cli/describe/describer.go", apiType)
+			t.Errorf("missing describer for %v.  Check pkg/cmd/cli/describe/describer.go", apiType)
 		}
 	}
 }

pkg/cmd/cli/describe/printer_test.go

@@ -18,6 +18,7 @@ import (
 	buildapi "github.com/openshift/origin/pkg/build/api"
 	deployapi "github.com/openshift/origin/pkg/deploy/api"
 	imageapi "github.com/openshift/origin/pkg/image/api"
+	oauthapi "github.com/openshift/origin/pkg/oauth/api"
 	projectapi "github.com/openshift/origin/pkg/project/api"
 	securityapi "github.com/openshift/origin/pkg/security/api"
 )
@@ -51,6 +52,7 @@ var PrinterCoverageExceptions = []reflect.Type{
 	reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
 	reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
 	reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
+	reflect.TypeOf(&oauthapi.OAuthRedirectReference{}),
 }
 
 // MissingPrinterCoverageExceptions is the list of types that were missing printer methods when I started

pkg/cmd/server/origin/auth.go

@@ -89,7 +89,7 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) ([]string, error)
 		return nil, err
 	}
 	clientRegistry := clientregistry.NewRegistry(clientStorage)
-	combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(c.KubeClient, c.KubeClient, clientRegistry, oauthapi.GrantHandlerType(c.Options.GrantConfig.ServiceAccountMethod))
+	combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(c.KubeClient, c.KubeClient, c.OpenShiftClient, clientRegistry, oauthapi.GrantHandlerType(c.Options.GrantConfig.ServiceAccountMethod))
 
 	accessTokenStorage, err := accesstokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter, c.EtcdBackends...)
 	if err != nil {

pkg/cmd/server/origin/auth_config.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/kubernetes/pkg/storage"
 
 	"github.com/openshift/origin/pkg/auth/server/session"
+	osclient "github.com/openshift/origin/pkg/client"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	"github.com/openshift/origin/pkg/cmd/server/api/latest"
 	identityregistry "github.com/openshift/origin/pkg/user/registry/identity"
@@ -29,6 +30,9 @@ type AuthConfig struct {
 	// KubeClient is kubeclient with enough permission for the auth API
 	KubeClient kclient.Interface
 
+	// OpenShiftClient is osclient with enough permission for the auth API
+	OpenShiftClient osclient.Interface
+
 	// RESTOptionsGetter provides storage and RESTOption lookup
 	RESTOptionsGetter restoptions.Getter
 
@@ -47,7 +51,7 @@ type AuthConfig struct {
 
 func BuildAuthConfig(masterConfig *MasterConfig) (*AuthConfig, error) {
 	options := masterConfig.Options
-	kubeClient := masterConfig.KubeClient()
+	osClient, kubeClient := masterConfig.OAuthServerClients()
 
 	var sessionAuth *session.Authenticator
 	var sessionHandlerWrapper handlerWrapper
@@ -84,6 +88,8 @@ func BuildAuthConfig(masterConfig *MasterConfig) (*AuthConfig, error) {
 
 		KubeClient: kubeClient,
 
+		OpenShiftClient: osClient,
+
 		AssetPublicAddresses: assetPublicURLs,
 		RESTOptionsGetter:    masterConfig.RESTOptionsGetter,
 

pkg/cmd/server/origin/master.go

@@ -691,7 +691,8 @@ func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
 		saAccountGrantMethod = oauthapi.GrantHandlerType(c.Options.OAuthConfig.GrantConfig.ServiceAccountMethod)
 	}
 
-	combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(c.KubeClient(), c.KubeClient(), clientRegistry, saAccountGrantMethod)
+	osClient, kubeClient := c.OAuthServerClients()
+	combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(kubeClient, kubeClient, osClient, clientRegistry, saAccountGrantMethod)
 	authorizeTokenStorage, err := authorizetokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
 	checkStorageErr(err)
 	accessTokenStorage, err := accesstokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)

pkg/cmd/server/origin/master_config.go

@@ -819,6 +819,12 @@ func (c *MasterConfig) KubeClient() *kclient.Client {
 	return c.PrivilegedLoopbackKubernetesClient
 }
 
+// OAuthServerClients returns the openshift and kubernetes OAuth server client objects
+// The returned clients are privileged
+func (c *MasterConfig) OAuthServerClients() (*osclient.Client, *kclient.Client) {
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
+}
+
 // PolicyClient returns the policy client object
 // It must have the following capabilities:
 //  list, watch all policyBindings in all namespaces

pkg/oauth/api/register.go

@@ -37,6 +37,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&OAuthClientList{},
 		&OAuthClientAuthorization{},
 		&OAuthClientAuthorizationList{},
+		&OAuthRedirectReference{},
 	)
 	return nil
 }
@@ -49,3 +50,4 @@ func (obj *OAuthAuthorizeTokenList) GetObjectKind() unversioned.ObjectKind
 func (obj *OAuthAuthorizeToken) GetObjectKind() unversioned.ObjectKind          { return &obj.TypeMeta }
 func (obj *OAuthAccessTokenList) GetObjectKind() unversioned.ObjectKind         { return &obj.TypeMeta }
 func (obj *OAuthAccessToken) GetObjectKind() unversioned.ObjectKind             { return &obj.TypeMeta }
+func (obj *OAuthRedirectReference) GetObjectKind() unversioned.ObjectKind       { return &obj.TypeMeta }

pkg/oauth/api/types.go

@@ -167,3 +167,15 @@ type OAuthClientAuthorizationList struct {
 	unversioned.ListMeta
 	Items []OAuthClientAuthorization
 }
+
+type OAuthRedirectReference struct {
+	unversioned.TypeMeta
+	kapi.ObjectMeta
+	Reference RedirectReference
+}
+
+type RedirectReference struct {
+	Group string
+	Kind  string
+	Name  string
+}