Merge pull request #1532 from liggitt/unnest_idp_usage

Merged by openshift-bot

Author: OpenShift Bot

pkg/cmd/server/api/register.go

@@ -11,7 +11,6 @@ func init() {
 		&MasterConfig{},
 		&NodeConfig{},
 
-		&IdentityProviderUsage{},
 		&IdentityProvider{},
 		&BasicAuthPasswordIdentityProvider{},
 		&AllowAllPasswordIdentityProvider{},
@@ -25,7 +24,6 @@ func init() {
 	)
 }
 
-func (*IdentityProviderUsage) IsAnAPIObject()             {}
 func (*IdentityProvider) IsAnAPIObject()                  {}
 func (*BasicAuthPasswordIdentityProvider) IsAnAPIObject() {}
 func (*AllowAllPasswordIdentityProvider) IsAnAPIObject()  {}

pkg/cmd/server/api/types.go

@@ -146,9 +146,9 @@ type AssetConfig struct {
 	// PublicURL is where you can find the asset server (TODO do we really need this?)
 	PublicURL string
 
-	// LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console.
+	// LogoutURL is an optional, absolute URL to redirect web browsers to after logging out of the web console.
 	// If not specified, the built-in logout page is shown.
-	LogoutURI string
+	LogoutURL string
 
 	// MasterPublicURL is how the web console can access the OpenShift api server
 	MasterPublicURL string
@@ -159,7 +159,7 @@ type AssetConfig struct {
 }
 
 type OAuthConfig struct {
-	// MasterURL is used for building valid client redirect URLs for external access
+	// MasterURL is used for building valid client redirect URLs for internal access
 	MasterURL string
 
 	// MasterPublicURL is used for building valid client redirect URLs for external access
@@ -196,20 +196,13 @@ type SessionConfig struct {
 	SessionName string
 }
 
-type IdentityProviderUsage struct {
-	// ProviderName is used to qualify the identities returned by this provider
-	ProviderName string
-
+type IdentityProvider struct {
+	// Name is used to qualify the identities returned by this provider
+	Name string
 	// UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider
 	UseAsChallenger bool
 	// UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against
 	UseAsLogin bool
-}
-
-type IdentityProvider struct {
-	// Usage contains metadata about how to use this provider
-	Usage IdentityProviderUsage
-
 	// Provider contains the information about how to set up a specific identity provider
 	Provider runtime.EmbeddedObject
 }
@@ -242,7 +235,7 @@ type RequestHeaderIdentityProvider struct {
 	// ClientCA is a file with the trusted signer certs.  If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.
 	ClientCA string
 	// Headers is the set of headers to check for identity information
-	Headers util.StringSet
+	Headers []string
 }
 
 type OAuthRedirectingIdentityProvider struct {

pkg/cmd/server/api/v1/conversions.go

@@ -2,7 +2,6 @@ package v1
 
 import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/conversion"
-	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 	newer "github.com/openshift/origin/pkg/cmd/server/api"
 )
 
@@ -22,6 +21,20 @@ func init() {
 			out.KeyFile = in.ServerCert.KeyFile
 			return nil
 		},
+		func(in *RemoteConnectionInfo, out *newer.RemoteConnectionInfo, s conversion.Scope) error {
+			out.URL = in.URL
+			out.CA = in.CA
+			out.ClientCert.CertFile = in.CertFile
+			out.ClientCert.KeyFile = in.KeyFile
+			return nil
+		},
+		func(in *newer.RemoteConnectionInfo, out *RemoteConnectionInfo, s conversion.Scope) error {
+			out.URL = in.URL
+			out.CA = in.CA
+			out.CertFile = in.ClientCert.CertFile
+			out.KeyFile = in.ClientCert.KeyFile
+			return nil
+		},
 		func(in *EtcdConnectionInfo, out *newer.EtcdConnectionInfo, s conversion.Scope) error {
 			out.URLs = in.URLs
 			out.CA = in.CA
@@ -50,20 +63,6 @@ func init() {
 			out.KeyFile = in.ClientCert.KeyFile
 			return nil
 		},
-		func(in *RequestHeaderIdentityProvider, out *newer.RequestHeaderIdentityProvider, s conversion.Scope) error {
-			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-				return err
-			}
-			out.Headers = util.NewStringSet(in.HeadersSlice...)
-			return nil
-		},
-		func(in *newer.RequestHeaderIdentityProvider, out *RequestHeaderIdentityProvider, s conversion.Scope) error {
-			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-				return err
-			}
-			out.HeadersSlice = in.Headers.List()
-			return nil
-		},
 	)
 	if err != nil {
 		// If one of the conversion functions is malformed, detect it immediately.

pkg/cmd/server/api/v1/register.go

@@ -12,7 +12,6 @@ func init() {
 		&MasterConfig{},
 		&NodeConfig{},
 
-		&IdentityProviderUsage{},
 		&IdentityProvider{},
 		&BasicAuthPasswordIdentityProvider{},
 		&AllowAllPasswordIdentityProvider{},
@@ -26,7 +25,6 @@ func init() {
 	)
 }
 
-func (*IdentityProviderUsage) IsAnAPIObject()             {}
 func (*IdentityProvider) IsAnAPIObject()                  {}
 func (*BasicAuthPasswordIdentityProvider) IsAnAPIObject() {}
 func (*AllowAllPasswordIdentityProvider) IsAnAPIObject()  {}

pkg/cmd/server/api/v1/types.go

@@ -145,9 +145,9 @@ type AssetConfig struct {
 	// PublicURL is where you can find the asset server (TODO do we really need this?)
 	PublicURL string `json:"publicURL"`
 
-	// LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console.
+	// LogoutURL is an optional, absolute URL to redirect web browsers to after logging out of the web console.
 	// If not specified, the built-in logout page is shown.
-	LogoutURI string `json:"logoutURI"`
+	LogoutURL string `json:"logoutURL"`
 
 	// MasterPublicURL is how the web console can access the OpenShift v1beta3 server
 	MasterPublicURL string `json:"masterPublicURL"`
@@ -192,16 +192,14 @@ type SessionConfig struct {
 	SessionName string `json:"sessionName"`
 }
 
-type IdentityProviderUsage struct {
-	ProviderName string `json:"providerName"`
-
-	UseAsChallenger bool `json:"challenge"`
-	UseAsLogin      bool `json:"login"`
-}
-
 type IdentityProvider struct {
-	Usage IdentityProviderUsage `json:"usage"`
-
+	// Name is used to qualify the identities returned by this provider
+	Name string `json:"name"`
+	// UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider
+	UseAsChallenger bool `json:"challenge"`
+	// UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against
+	UseAsLogin bool `json:"login"`
+	// Provider contains the information about how to set up a specific identity provider
 	Provider runtime.RawExtension `json:"provider"`
 }
 
@@ -228,8 +226,8 @@ type HTPasswdPasswordIdentityProvider struct {
 type RequestHeaderIdentityProvider struct {
 	v1beta3.TypeMeta `json:",inline"`
 
-	ClientCA     string   `json:"clientCA"`
-	HeadersSlice []string `json:"headers"`
+	ClientCA string   `json:"clientCA"`
+	Headers  []string `json:"headers"`
 }
 
 type OAuthRedirectingIdentityProvider struct {

pkg/cmd/server/api/validation/master.go

@@ -83,6 +83,13 @@ func ValidateAssetConfig(config *api.AssetConfig) fielderrors.ValidationErrorLis
 
 	allErrs = append(allErrs, ValidateServingInfo(config.ServingInfo).Prefix("servingInfo")...)
 
+	if len(config.LogoutURL) > 0 {
+		_, urlErrs := ValidateURL(config.LogoutURL, "logoutURL")
+		if len(urlErrs) > 0 {
+			allErrs = append(allErrs, urlErrs...)
+		}
+	}
+
 	urlObj, urlErrs := ValidateURL(config.PublicURL, "publicURL")
 	if len(urlErrs) > 0 {
 		allErrs = append(allErrs, urlErrs...)

pkg/cmd/server/api/validation/oauth.go

@@ -3,6 +3,7 @@ package validation
 import (
 	"fmt"
 
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util/fielderrors"
 	"github.com/openshift/origin/pkg/cmd/server/api"
 )
@@ -28,10 +29,11 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis
 
 	allErrs = append(allErrs, ValidateGrantConfig(config.GrantConfig).Prefix("grantConfig")...)
 
-	redirectingIdentityProviders := []int{}
+	providerNames := util.NewStringSet()
+	redirectingIdentityProviders := []string{}
 	for i, identityProvider := range config.IdentityProviders {
-		if identityProvider.Usage.UseAsLogin {
-			redirectingIdentityProviders = append(redirectingIdentityProviders, i)
+		if identityProvider.UseAsLogin {
+			redirectingIdentityProviders = append(redirectingIdentityProviders, identityProvider.Name)
 
 			if api.IsPasswordAuthenticator(identityProvider) {
 				if config.SessionConfig == nil {
@@ -41,6 +43,13 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis
 		}
 
 		allErrs = append(allErrs, ValidateIdentityProvider(identityProvider).Prefix(fmt.Sprintf("identityProvider[%d]", i))...)
+
+		if len(identityProvider.Name) > 0 {
+			if providerNames.Has(identityProvider.Name) {
+				allErrs = append(allErrs, fielderrors.NewFieldInvalid(fmt.Sprintf("identityProvider[%d].name", i), identityProvider.Name, "must have a unique name"))
+			}
+			providerNames.Insert(identityProvider.Name)
+		}
 	}
 
 	if len(redirectingIdentityProviders) > 1 {
@@ -53,8 +62,8 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis
 func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors.ValidationErrorList {
 	allErrs := fielderrors.ValidationErrorList{}
 
-	if len(identityProvider.Usage.ProviderName) == 0 {
-		allErrs = append(allErrs, fielderrors.NewFieldRequired("usage.providerName"))
+	if len(identityProvider.Name) == 0 {
+		allErrs = append(allErrs, fielderrors.NewFieldRequired("name"))
 	}
 
 	if !api.IsIdentityProviderType(identityProvider.Provider) {
@@ -68,11 +77,11 @@ func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors
 			if len(provider.Headers) == 0 {
 				allErrs = append(allErrs, fielderrors.NewFieldRequired("provider.headers"))
 			}
-			if identityProvider.Usage.UseAsChallenger {
-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsChallenger", identityProvider.Usage.UseAsChallenger, "request header providers cannot be used for challenges"))
+			if identityProvider.UseAsChallenger {
+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("challenge", identityProvider.UseAsChallenger, "request header providers cannot be used for challenges"))
 			}
-			if identityProvider.Usage.UseAsLogin {
-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsLogin", identityProvider.Usage.UseAsChallenger, "request header providers cannot be used for browser login"))
+			if identityProvider.UseAsLogin {
+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("login", identityProvider.UseAsChallenger, "request header providers cannot be used for browser login"))
 			}
 
 		case (*api.BasicAuthPasswordIdentityProvider):
@@ -91,8 +100,8 @@ func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors
 			if !api.IsOAuthProviderType(provider.Provider) {
 				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.provider", provider.Provider, fmt.Sprintf("%v is invalid in this context", identityProvider.Provider)))
 			}
-			if identityProvider.Usage.UseAsChallenger {
-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsChallenger", identityProvider.Usage.UseAsChallenger, "oauth providers cannot be used for challenges"))
+			if identityProvider.UseAsChallenger {
+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("challenge", identityProvider.UseAsChallenger, "oauth providers cannot be used for challenges"))
 			}
 		}
 

pkg/cmd/server/api/validation/validation.go

@@ -79,6 +79,9 @@ func ValidateRemoteConnectionInfo(remoteConnectionInfo api.RemoteConnectionInfo)
 
 	if len(remoteConnectionInfo.URL) == 0 {
 		allErrs = append(allErrs, fielderrors.NewFieldRequired("url"))
+	} else {
+		_, urlErrs := ValidateURL(remoteConnectionInfo.URL, "url")
+		allErrs = append(allErrs, urlErrs...)
 	}
 
 	if len(remoteConnectionInfo.CA) > 0 {

pkg/cmd/server/origin/asset.go

@@ -114,7 +114,7 @@ func (c *AssetConfig) buildHandler() (http.Handler, error) {
 		OAuthAuthorizeURI: OpenShiftOAuthAuthorizeURL(masterURL.String()),
 		OAuthRedirectBase: c.Options.PublicURL,
 		OAuthClientID:     OpenShiftWebConsoleClientID,
-		LogoutURI:         c.Options.LogoutURI,
+		LogoutURI:         c.Options.LogoutURL,
 	}
 
 	handler := http.FileServer(

pkg/cmd/server/origin/auth.go

@@ -307,12 +307,12 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand
 				return nil, err
 			}
 
-			if identityProvider.Usage.UseAsLogin {
+			if identityProvider.UseAsLogin {
 				redirectors["login"] = &redirector{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"}
 				login := login.NewLogin(getCSRF(), &callbackPasswordAuthenticator{passwordAuth, successHandler}, login.DefaultLoginFormRenderer)
 				login.Install(mux, OpenShiftLoginPrefix)
 			}
-			if identityProvider.Usage.UseAsChallenger {
+			if identityProvider.UseAsChallenger {
 				challengers["login"] = passwordchallenger.NewBasicAuthChallenger("openshift")
 			}
 
@@ -324,10 +324,10 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand
 				switch provider.Provider.Object.(type) {
 				case (*configapi.GoogleOAuthProvider):
 					callbackPath = path.Join(OpenShiftOAuthCallbackPrefix, "google")
-					oauthProvider = google.NewProvider(identityProvider.Usage.ProviderName, provider.ClientID, provider.ClientSecret)
+					oauthProvider = google.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret)
 				case (*configapi.GitHubOAuthProvider):
 					callbackPath = path.Join(OpenShiftOAuthCallbackPrefix, "github")
-					oauthProvider = github.NewProvider(identityProvider.Usage.ProviderName, provider.ClientID, provider.ClientSecret)
+					oauthProvider = github.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret)
 				default:
 					return nil, fmt.Errorf("unexpected oauth provider %#v", provider)
 				}
@@ -339,10 +339,10 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand
 				}
 
 				mux.Handle(callbackPath, oauthHandler)
-				if identityProvider.Usage.UseAsLogin {
-					redirectors[identityProvider.Usage.ProviderName] = oauthHandler
+				if identityProvider.UseAsLogin {
+					redirectors[identityProvider.Name] = oauthHandler
 				}
-				if identityProvider.Usage.UseAsChallenger {
+				if identityProvider.UseAsChallenger {
 					return nil, errors.New("oauth identity providers cannot issue challenges")
 				}
 			}
@@ -358,7 +358,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit
 
 	switch provider := identityProvider.Provider.Object.(type) {
 	case (*configapi.AllowAllPasswordIdentityProvider):
-		return allowanypassword.New(identityProvider.Usage.ProviderName, identityMapper), nil
+		return allowanypassword.New(identityProvider.Name, identityMapper), nil
 
 	case (*configapi.DenyAllPasswordIdentityProvider):
 		return denypassword.New(), nil
@@ -368,7 +368,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit
 		if len(htpasswdFile) == 0 {
 			return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")
 		}
-		if htpasswordAuth, err := htpasswd.New(identityProvider.Usage.ProviderName, htpasswdFile, identityMapper); err != nil {
+		if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {
 			return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)
 		} else {
 			return htpasswordAuth, nil
@@ -379,7 +379,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit
 		if len(basicAuthURL) == 0 {
 			return nil, fmt.Errorf("BasicAuthURL is required to support basic password auth")
 		}
-		return basicauthpassword.New(identityProvider.Usage.ProviderName, basicAuthURL, identityMapper), nil
+		return basicauthpassword.New(identityProvider.Name, basicAuthURL, identityMapper), nil
 
 	default:
 		return nil, fmt.Errorf("No password auth found that matches %v.  The oauth server cannot start!", identityProvider)
@@ -396,7 +396,7 @@ func (c *AuthConfig) getAuthenticationSuccessHandler() handlers.AuthenticationSu
 
 	addedRedirectSuccessHandler := false
 	for _, identityProvider := range c.Options.IdentityProviders {
-		if !identityProvider.Usage.UseAsLogin {
+		if !identityProvider.UseAsLogin {
 			continue
 		}
 
@@ -437,9 +437,9 @@ func (c *AuthConfig) getAuthenticationRequestHandler() (authenticator.Request, e
 				var authRequestHandler authenticator.Request
 
 				authRequestConfig := &headerrequest.Config{
-					UserNameHeaders: provider.Headers.List(),
+					UserNameHeaders: provider.Headers,
 				}
-				authRequestHandler = headerrequest.NewAuthenticator(identityProvider.Usage.ProviderName, authRequestConfig, identityMapper)
+				authRequestHandler = headerrequest.NewAuthenticator(identityProvider.Name, authRequestConfig, identityMapper)
 
 				// Wrap with an x509 verifier
 				if len(provider.ClientCA) > 0 {