1. origin
  2. Blame
pkg/cmd/server/origin/auth_config.go
30380339 
 package origin
 
 import (
4457e6fd 
 	"crypto/md5"
30380339 
 	"crypto/x509"
 	"fmt"
0466c3f6 
 	"net/url"
30380339
4457e6fd 
 	"code.google.com/p/go-uuid/uuid"
83c702b4 
 	"k8s.io/kubernetes/pkg/storage"
30380339 
 
 	"github.com/openshift/origin/pkg/auth/server/session"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
4457e6fd 
 	"github.com/openshift/origin/pkg/cmd/server/api/latest"
30380339 
 	"github.com/openshift/origin/pkg/cmd/server/etcd"
f69463d3 
 	identityregistry "github.com/openshift/origin/pkg/user/registry/identity"
 	identityetcd "github.com/openshift/origin/pkg/user/registry/identity/etcd"
 	userregistry "github.com/openshift/origin/pkg/user/registry/user"
 	useretcd "github.com/openshift/origin/pkg/user/registry/user/etcd"
30380339 
 )
 
 type AuthConfig struct {
130758bb 
 	Options configapi.OAuthConfig
5f3f5b85 
 	// AssetPublicAddresses contains valid redirectURI prefixes to direct browsers to the web console
30380339 
 	AssetPublicAddresses []string
 	MasterRoots          *x509.CertPool
1a3e979b 
 	EtcdHelper           storage.Interface
30380339
f69463d3 
 	UserRegistry     userregistry.Registry
 	IdentityRegistry identityregistry.Registry
4457e6fd 
 	SessionAuth *session.Authenticator
30380339 
 }
 
 func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) {
6a7364d3 
 	client, err := etcd.GetAndTestEtcdClient(options.EtcdClientInfo)
 	if err != nil {
 		return nil, err
 	}
1a3e979b 
 	etcdHelper, err := NewEtcdStorage(client, options.EtcdStorageConfig.OpenShiftStorageVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix)
30380339 
 	if err != nil {
 		return nil, fmt.Errorf("Error setting up server storage: %v", err)
 	}
 
 	apiServerCAs, err := configapi.GetAPIServerCertCAPool(options)
 	if err != nil {
 		return nil, err
 	}
4457e6fd 
 	var sessionAuth *session.Authenticator
 	if options.OAuthConfig.SessionConfig != nil {
0466c3f6 
 		secure := isHTTPS(options.OAuthConfig.MasterPublicURL)
 		auth, err := BuildSessionAuth(secure, options.OAuthConfig.SessionConfig)
4457e6fd 
 		if err != nil {
 			return nil, err
 		}
 		sessionAuth = auth
 	}
30380339 
 	// Build the list of valid redirect_uri prefixes for a login using the openshift-web-console client to redirect to
 	// TODO: allow configuring this
 	// TODO: remove hard-coding of development UI server
 	assetPublicURLs := []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
f69463d3 
 	userStorage := useretcd.NewREST(etcdHelper)
 	userRegistry := userregistry.NewRegistry(userStorage)
 	identityStorage := identityetcd.NewREST(etcdHelper)
 	identityRegistry := identityregistry.NewRegistry(identityStorage)
30380339 
 	ret := &AuthConfig{
130758bb 
 		Options: *options.OAuthConfig,
30380339 
 		AssetPublicAddresses: assetPublicURLs,
 		MasterRoots:          apiServerCAs,
 		EtcdHelper:           etcdHelper,
f69463d3 
 		IdentityRegistry: identityRegistry,
 		UserRegistry:     userRegistry,
4457e6fd 
 
 		SessionAuth: sessionAuth,
30380339 
 	}
 
 	return ret, nil
4457e6fd 
 }
0466c3f6 
 func BuildSessionAuth(secure bool, config *configapi.SessionConfig) (*session.Authenticator, error) {
4457e6fd 
 	secrets, err := getSessionSecrets(config.SessionSecretsFile)
 	if err != nil {
 		return nil, err
 	}
0466c3f6 
 	sessionStore := session.NewStore(secure, int(config.SessionMaxAgeSeconds), secrets...)
4457e6fd 
 	return session.NewAuthenticator(sessionStore, config.SessionName), nil
 }
 
 func getSessionSecrets(filename string) ([]string, error) {
 	// Build secrets list
 	secrets := []string{}
 
 	if len(filename) != 0 {
 		sessionSecrets, err := latest.ReadSessionSecrets(filename)
 		if err != nil {
 			return nil, fmt.Errorf("error reading sessionSecretsFile %s: %v", filename, err)
 		}
 
 		if len(sessionSecrets.Secrets) == 0 {
 			return nil, fmt.Errorf("sessionSecretsFile %s contained no secrets", filename)
 		}
 
 		for _, s := range sessionSecrets.Secrets {
 			secrets = append(secrets, s.Authentication)
 			secrets = append(secrets, s.Encryption)
 		}
 	} else {
 		// Generate random signing and encryption secrets if none are specified in config
 		secrets = append(secrets, fmt.Sprintf("%x", md5.Sum([]byte(uuid.NewRandom().String()))))
 		secrets = append(secrets, fmt.Sprintf("%x", md5.Sum([]byte(uuid.NewRandom().String()))))
 	}
30380339
4457e6fd 
 	return secrets, nil
30380339 
 }
0466c3f6 
 
 // isHTTPS returns true if the given URL is a valid https URL
 func isHTTPS(u string) bool {
 	parsedURL, err := url.Parse(u)
 	return err == nil && parsedURL.Scheme == "https"
 }