snip dependencies in a future library-go package #19750

74 changes: 54 additions & 20 deletions pkg/serviceaccounts/oauthclient/oauthclientregistry.go
Expand Up @@ -12,20 +12,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
kcoreclient "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/tools/record"
"k8s.io/kubernetes/pkg/api/legacyscheme"
kapi "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/serviceaccount"

oauthapi "github.com/openshift/api/oauth/v1"
routeapi "github.com/openshift/api/route/v1"
routeclient "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"
scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"
"github.com/openshift/origin/pkg/oauth/registry/oauthclient"
)

const (
Expand All @@ -43,9 +40,24 @@ const (
// IngressKind = "Ingress"
)

var modelPrefixes = []string{
OAuthRedirectModelAnnotationURIPrefix,
OAuthRedirectModelAnnotationReferencePrefix,
var (
modelPrefixes = []string{
OAuthRedirectModelAnnotationURIPrefix,
OAuthRedirectModelAnnotationReferencePrefix,
}

emptyGroupKind = schema.GroupKind{} // Used with static redirect URIs
routeGroupKind = routeapi.SchemeGroupVersion.WithKind(routeKind).GroupKind()
legacyRouteGroupKind = routeapi.LegacySchemeGroupVersion.WithKind(routeKind).GroupKind() // to support redirect reference with old group

scheme = runtime.NewScheme()
codecFactory = serializer.NewCodecFactory(scheme)
)

func init() {
corev1.AddToScheme(scheme)
oauthapi.AddToScheme(scheme)
oauthapi.AddToSchemeInCoreGroup(scheme)
}

// namesToObjMapperFunc is linked to a given GroupKind.
Expand All @@ -54,13 +66,15 @@ var modelPrefixes = []string{
// These values can be overridden by user specified data. Errors returned are informative and non-fatal.
type namesToObjMapperFunc func(namespace string, names sets.String) (map[string]redirectURIList, []error)

var emptyGroupKind = schema.GroupKind{} // Used with static redirect URIs
var routeGroupKind = routeapi.SchemeGroupVersion.WithKind(routeKind).GroupKind()
var legacyRouteGroupKind = routeapi.LegacySchemeGroupVersion.WithKind(routeKind).GroupKind() // to support redirect reference with old group

// TODO add ingress support
// var ingressGroupKind = routeapi.SchemeGroupVersion.WithKind(IngressKind).GroupKind()

// OAuthClientGetter exposes a way to get a specific client. This is useful for other registries to get scope limitations
// on particular clients. This interface will make its easier to write a future cache on it
type OAuthClientGetter interface {
Get(name string, options metav1.GetOptions) (*oauthapi.OAuthClient, error)
}

type saOAuthClientAdapter struct {
saClient kcoreclient.ServiceAccountsGetter
secretClient kcoreclient.SecretsGetter
Expand All @@ -69,7 +83,7 @@ type saOAuthClientAdapter struct {
// TODO add ingress support
//ingressClient ??

delegate oauthclient.Getter
delegate OAuthClientGetter
grantMethod oauthapi.GrantHandlerType

decoder runtime.Decoder
Expand Down Expand Up @@ -189,27 +203,27 @@ func (uri *redirectURI) merge(m *model) {
}
}

var _ oauthclient.Getter = &saOAuthClientAdapter{}
var _ OAuthClientGetter = &saOAuthClientAdapter{}

func NewServiceAccountOAuthClientGetter(
saClient kcoreclient.ServiceAccountsGetter,
secretClient kcoreclient.SecretsGetter,
eventClient kcoreclient.EventInterface,
routeClient routeclient.RoutesGetter,
delegate oauthclient.Getter,
delegate OAuthClientGetter,
grantMethod oauthapi.GrantHandlerType,
) oauthclient.Getter {
) OAuthClientGetter {
eventBroadcaster := record.NewBroadcaster()
eventBroadcaster.StartRecordingToSink(&kcoreclient.EventSinkImpl{Interface: eventClient})
recorder := eventBroadcaster.NewRecorder(legacyscheme.Scheme, clientv1.EventSource{Component: "service-account-oauth-client-getter"})
recorder := eventBroadcaster.NewRecorder(scheme, clientv1.EventSource{Component: "service-account-oauth-client-getter"})
return &saOAuthClientAdapter{
saClient: saClient,
secretClient: secretClient,
eventRecorder: recorder,
routeClient: routeClient,
delegate: delegate,
grantMethod: grantMethod,
decoder: legacyscheme.Codecs.UniversalDecoder(),
decoder: codecFactory.UniversalDecoder(),
}
}

Expand All @@ -230,7 +244,7 @@ func (a *saOAuthClientAdapter) Get(name string, options metav1.GetOptions) (*oau
// Create a warning event combining the collected annotation errors upon failure.
defer func() {
if err != nil && len(saErrors) > 0 && len(failReason) > 0 {
a.eventRecorder.Event(sa, kapi.EventTypeWarning, failReason, utilerrors.NewAggregate(saErrors).Error())
a.eventRecorder.Event(sa, corev1.EventTypeWarning, failReason, utilerrors.NewAggregate(saErrors).Error())
}
}()

Expand Down Expand Up @@ -459,9 +473,29 @@ func (a *saOAuthClientAdapter) getServiceAccountTokens(sa *corev1.ServiceAccount
tokens := []string{}
for i := range allSecrets.Items {
secret := &allSecrets.Items[i]
if serviceaccount.IsServiceAccountToken(secret, sa) {
tokens = append(tokens, string(secret.Data[kapi.ServiceAccountTokenKey]))
if IsServiceAccountToken(secret, sa) {
tokens = append(tokens, string(secret.Data[corev1.ServiceAccountTokenKey]))
}
}
return tokens, nil
}

// IsServiceAccountToken returns true if the secret is a valid api token for the service account
func IsServiceAccountToken(secret *corev1.Secret, sa *corev1.ServiceAccount) bool {
Is there a reason why we need to make this function public ?

Is there a reason why we need to make this function public ?

Not at the present time. It is a copy from upstream kube/kube.

if secret.Type != corev1.SecretTypeServiceAccountToken {
return false
}

name := secret.Annotations[corev1.ServiceAccountNameKey]
uid := secret.Annotations[corev1.ServiceAccountUIDKey]
if name != sa.Name {
// Name must match
return false
}
if len(uid) > 0 && uid != string(sa.UID) {
// If UID is specified, it must match
return false
}

return true
}
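Review bot: The three `AddToScheme` calls in the new `init()` discard their error return, so a scheme registration error would leave `scheme` partially populated and only surface later as a decode failure in `UniversalDecoder()`. `k8s.io/apimachinery/pkg/util/runtime` is the conventional import for this: `utilruntime.Must(corev1.AddToScheme(scheme))`, `utilruntime.Must(oauthapi.AddToScheme(scheme))`, `utilruntime.Must(oauthapi.AddToSchemeInCoreGroup(scheme))`. Separately, the doc comment on `IsServiceAccountToken` should state the trust boundary the checks actually implement: the UID annotation is compared only when present, so a token secret carrying just a matching name annotation is accepted even if the service account was deleted and re-created, and the namespace is not compared here, which presumably relies on the caller listing secrets in the service account's namespace (that caller, `getServiceAccountTokens`, starts outside the hunk). Something like `// The UID check is skipped when the annotation is absent, so a secret that only names the SA is accepted; callers must scope the secret list to the SA's namespace.`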
12 changes: 5 additions & 7 deletions pkg/serviceaccounts/oauthclient/oauthclientregistry_test.go
Expand Up @@ -6,6 +6,7 @@ import (
"testing"

corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/equality"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
Expand All @@ -14,18 +15,15 @@ import (
"k8s.io/client-go/kubernetes/fake"
clientgotesting "k8s.io/client-go/testing"
"k8s.io/client-go/tools/record"
"k8s.io/kubernetes/pkg/api/legacyscheme"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"

oauthapiv1 "github.com/openshift/api/oauth/v1"
routeapi "github.com/openshift/api/route/v1"
routefake "github.com/openshift/client-go/route/clientset/versioned/fake"
_ "github.com/openshift/origin/pkg/oauth/apis/oauth/install"
)

var (
encoder = legacyscheme.Codecs.LegacyCodec(oauthapiv1.SchemeGroupVersion)
decoder = legacyscheme.Codecs.UniversalDecoder()
encoder = codecFactory.LegacyCodec(oauthapiv1.SchemeGroupVersion)
decoder = codecFactory.UniversalDecoder()
serviceAccountsResource = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "serviceaccounts"}
secretsResource = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
secretKind = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Secret"}
Expand Down Expand Up @@ -578,7 +576,7 @@ func TestGetClient(t *testing.T) {
routeClient: tc.routeClient.Route(),
delegate: delegate,
grantMethod: oauthapiv1.GrantHandlerPrompt,
decoder: legacyscheme.Codecs.UniversalDecoder(),
decoder: codecFactory.UniversalDecoder(),
}
client, err := getter.Get(tc.clientName, metav1.GetOptions{})
switch {
Expand All @@ -595,7 +593,7 @@ func TestGetClient(t *testing.T) {
continue
}

if !kapihelper.Semantic.DeepEqual(tc.expectedClient, client) {
if !equality.Semantic.DeepEqual(tc.expectedClient, client) {
t.Errorf("%s: expected %#v, got %#v", tc.name, tc.expectedClient, client)
continue
}