30380339 |
package origin
import ( |
4457e6fd |
"crypto/md5" |
30380339 |
"crypto/x509"
"fmt" |
0466c3f6 |
"net/url" |
30380339 |
|
4457e6fd |
"code.google.com/p/go-uuid/uuid"
|
83c702b4 |
"k8s.io/kubernetes/pkg/storage" |
30380339 |
"github.com/openshift/origin/pkg/auth/server/session"
configapi "github.com/openshift/origin/pkg/cmd/server/api" |
4457e6fd |
"github.com/openshift/origin/pkg/cmd/server/api/latest" |
30380339 |
"github.com/openshift/origin/pkg/cmd/server/etcd" |
f69463d3 |
identityregistry "github.com/openshift/origin/pkg/user/registry/identity"
identityetcd "github.com/openshift/origin/pkg/user/registry/identity/etcd"
userregistry "github.com/openshift/origin/pkg/user/registry/user"
useretcd "github.com/openshift/origin/pkg/user/registry/user/etcd" |
30380339 |
)
type AuthConfig struct { |
130758bb |
Options configapi.OAuthConfig
|
5f3f5b85 |
// AssetPublicAddresses contains valid redirectURI prefixes to direct browsers to the web console |
30380339 |
AssetPublicAddresses []string
MasterRoots *x509.CertPool |
1a3e979b |
EtcdHelper storage.Interface |
30380339 |
|
f69463d3 |
UserRegistry userregistry.Registry
IdentityRegistry identityregistry.Registry
|
4457e6fd |
SessionAuth *session.Authenticator |
30380339 |
}
func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) { |
6a7364d3 |
client, err := etcd.GetAndTestEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
} |
1a3e979b |
etcdHelper, err := NewEtcdStorage(client, options.EtcdStorageConfig.OpenShiftStorageVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix) |
30380339 |
if err != nil {
return nil, fmt.Errorf("Error setting up server storage: %v", err)
}
apiServerCAs, err := configapi.GetAPIServerCertCAPool(options)
if err != nil {
return nil, err
}
|
4457e6fd |
var sessionAuth *session.Authenticator
if options.OAuthConfig.SessionConfig != nil { |
0466c3f6 |
secure := isHTTPS(options.OAuthConfig.MasterPublicURL)
auth, err := BuildSessionAuth(secure, options.OAuthConfig.SessionConfig) |
4457e6fd |
if err != nil {
return nil, err
}
sessionAuth = auth
}
|
30380339 |
// Build the list of valid redirect_uri prefixes for a login using the openshift-web-console client to redirect to
// TODO: allow configuring this
// TODO: remove hard-coding of development UI server
assetPublicURLs := []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
|
f69463d3 |
userStorage := useretcd.NewREST(etcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(etcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
|
30380339 |
ret := &AuthConfig{ |
130758bb |
Options: *options.OAuthConfig,
|
30380339 |
AssetPublicAddresses: assetPublicURLs,
MasterRoots: apiServerCAs,
EtcdHelper: etcdHelper,
|
f69463d3 |
IdentityRegistry: identityRegistry,
UserRegistry: userRegistry, |
4457e6fd |
SessionAuth: sessionAuth, |
30380339 |
}
return ret, nil |
4457e6fd |
}
|
0466c3f6 |
func BuildSessionAuth(secure bool, config *configapi.SessionConfig) (*session.Authenticator, error) { |
4457e6fd |
secrets, err := getSessionSecrets(config.SessionSecretsFile)
if err != nil {
return nil, err
} |
0466c3f6 |
sessionStore := session.NewStore(secure, int(config.SessionMaxAgeSeconds), secrets...) |
4457e6fd |
return session.NewAuthenticator(sessionStore, config.SessionName), nil
}
func getSessionSecrets(filename string) ([]string, error) {
// Build secrets list
secrets := []string{}
if len(filename) != 0 {
sessionSecrets, err := latest.ReadSessionSecrets(filename)
if err != nil {
return nil, fmt.Errorf("error reading sessionSecretsFile %s: %v", filename, err)
}
if len(sessionSecrets.Secrets) == 0 {
return nil, fmt.Errorf("sessionSecretsFile %s contained no secrets", filename)
}
for _, s := range sessionSecrets.Secrets {
secrets = append(secrets, s.Authentication)
secrets = append(secrets, s.Encryption)
}
} else {
// Generate random signing and encryption secrets if none are specified in config
secrets = append(secrets, fmt.Sprintf("%x", md5.Sum([]byte(uuid.NewRandom().String()))))
secrets = append(secrets, fmt.Sprintf("%x", md5.Sum([]byte(uuid.NewRandom().String()))))
} |
30380339 |
|
4457e6fd |
return secrets, nil |
30380339 |
} |
0466c3f6 |
// isHTTPS returns true if the given URL is a valid https URL
func isHTTPS(u string) bool {
parsedURL, err := url.Parse(u)
return err == nil && parsedURL.Scheme == "https"
} |