@@ -7,8 +7,10 @@ import (

 	"github.com/RangelReale/osin"

-	"github.com/openshift/origin/pkg/auth/api"

 	"k8s.io/kubernetes/pkg/auth/user"

+	"k8s.io/kubernetes/pkg/serviceaccount"

+

+	"github.com/openshift/origin/pkg/auth/api"

 )

 // GrantCheck implements osinserver.AuthorizeHandler to ensure requested scopes have been authorized

@@ -30,6 +32,7 @@ func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantE

 // If the response is written, true is returned.

 // If the response is not written, false is returned.

 func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+

 	// Requests must already be authorized before we will check grants

 	if !ar.Authorized {

 		return false, nil

@@ -122,3 +125,24 @@ func (g *redirectGrant) GrantNeeded(user user.Info, grant *api.Grant, w http.Res

 	http.Redirect(w, req, redirectURL.String(), http.StatusFound)

 	return false, true, nil

 }

+

+type serviceAccountAwareGrant struct {

+	standardGrantHandler GrantHandler

+	// saClientGrantHandler allows an autogrant handler to do something else when the client is a service account.

+	// TODO: I think this can be removed once we can set granthandler overrides per-client, but we need something for safety now.

+	saClientGrantHandler GrantHandler

+}

+

+// NewAutoGrant returns a grant handler that automatically approves client authorizations

+func NewServiceAccountAwareGrant(standardGrantHandler, saClientGrantHandler GrantHandler) GrantHandler {

+	return &serviceAccountAwareGrant{standardGrantHandler: standardGrantHandler, saClientGrantHandler: saClientGrantHandler}

+}

+

+// GrantNeeded implements the GrantHandler interface

+func (g *serviceAccountAwareGrant) GrantNeeded(user user.Info, grant *api.Grant, w http.ResponseWriter, req *http.Request) (bool, bool, error) {

+	if _, _, err := serviceaccount.SplitUsername(grant.Client.GetId()); err == nil {

+		return g.saClientGrantHandler.GrantNeeded(user, grant, w, req)

+	}

+

+	return g.standardGrantHandler.GrantNeeded(user, grant, w, req)

+}

@@ -889,6 +889,10 @@ type OpenIDClaims struct {

 type GrantConfig struct {

 	// Method: allow, deny, prompt

 	Method GrantHandlerType

+

+	// ServiceAccountMethod is used for determining client authorization for service account oauth client.

+	// It must be either: deny, prompt

+	ServiceAccountMethod GrantHandlerType

 }

 type GrantHandlerType string

@@ -903,6 +907,7 @@ const (

 )

 var ValidGrantHandlerTypes = sets.NewString(string(GrantHandlerAuto), string(GrantHandlerPrompt), string(GrantHandlerDeny))

+var ValidServiceAccountGrantHandlerTypes = sets.NewString(string(GrantHandlerPrompt), string(GrantHandlerDeny))

 type EtcdConfig struct {

 	// ServingInfo describes how to start serving the etcd master

@@ -164,6 +164,11 @@ func addDefaultingFuncs(scheme *runtime.Scheme) {

 				obj.MappingMethod = "claim"

 			}

 		},

+		func(obj *GrantConfig) {

+			if len(obj.ServiceAccountMethod) == 0 {

+				obj.ServiceAccountMethod = "prompt"

+			}

+		},

 	)

 	if err != nil {

 		// If one of the conversion functions is malformed, detect it immediately.

@@ -221,8 +221,9 @@ func (GoogleIdentityProvider) SwaggerDoc() map[string]string {

 }

 var map_GrantConfig = map[string]string{

-	"":       "GrantConfig holds the necessary configuration options for grant handlers",

-	"method": "Method: allow, deny, prompt",

+	"":                     "GrantConfig holds the necessary configuration options for grant handlers",

+	"method":               "Method: allow, deny, prompt",

+	"serviceAccountMethod": "ServiceAccountMethod is used for determining client authorization for service account oauth client. It must be either: deny, prompt",

 }

 func (GrantConfig) SwaggerDoc() map[string]string {

@@ -887,6 +887,10 @@ type OpenIDClaims struct {

 type GrantConfig struct {

 	// Method: allow, deny, prompt

 	Method GrantHandlerType `json:"method"`

+

+	// ServiceAccountMethod is used for determining client authorization for service account oauth client.

+	// It must be either: deny, prompt

+	ServiceAccountMethod GrantHandlerType `json:"serviceAccountMethod"`

 }

 type GrantHandlerType string

@@ -203,6 +203,7 @@ oauthConfig:

   assetPublicURL: ""

   grantConfig:

     method: ""

+    serviceAccountMethod: ""

   identityProviders:

   - challenge: false

     login: false

@@ -387,7 +387,10 @@ func validateGrantConfig(config api.GrantConfig, fldPath *field.Path) field.Erro

 	allErrs := field.ErrorList{}

 	if !api.ValidGrantHandlerTypes.Has(string(config.Method)) {

-		allErrs = append(allErrs, field.Invalid(fldPath.Child("method"), config.Method, fmt.Sprintf("must be one of: %v", api.ValidGrantHandlerTypes.List())))

+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("method"), config.Method, api.ValidGrantHandlerTypes.List()))

+	}

+	if !api.ValidServiceAccountGrantHandlerTypes.Has(string(config.ServiceAccountMethod)) {

+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("serviceAccountMethod"), config.ServiceAccountMethod, api.ValidServiceAccountGrantHandlerTypes.List()))

 	}

 	return allErrs

@@ -333,23 +333,38 @@ func (c *AuthConfig) getAuthorizeAuthenticationHandlers(mux cmdutil.Mux, errorHa

 // getGrantHandler returns the object that handles approving or rejecting grant requests

 func (c *AuthConfig) getGrantHandler(mux cmdutil.Mux, auth authenticator.Request, clientregistry clientregistry.Getter, authregistry clientauthregistry.Registry) handlers.GrantHandler {

-	switch c.Options.GrantConfig.Method {

+	startGrantServer := false

+

+	var saGrantHandler handlers.GrantHandler

+	switch c.Options.GrantConfig.ServiceAccountMethod {

 	case configapi.GrantHandlerDeny:

-		return handlers.NewEmptyGrant()

+		saGrantHandler = handlers.NewEmptyGrant()

+	case configapi.GrantHandlerPrompt:

+		startGrantServer = true

+		saGrantHandler = handlers.NewRedirectGrant(OpenShiftApprovePrefix)

+	default:

+		glog.Fatalf("No grant handler found that matches %v.  The oauth server cannot start!", c.Options.GrantConfig.ServiceAccountMethod)

+	}

+	var standardGrantHandler handlers.GrantHandler

+	switch c.Options.GrantConfig.Method {

+	case configapi.GrantHandlerDeny:

+		standardGrantHandler = handlers.NewEmptyGrant()

 	case configapi.GrantHandlerAuto:

-		return handlers.NewAutoGrant()

-

+		standardGrantHandler = handlers.NewAutoGrant()

 	case configapi.GrantHandlerPrompt:

-		grantServer := grant.NewGrant(c.getCSRF(), auth, grant.DefaultFormRenderer, clientregistry, authregistry)

-		grantServer.Install(mux, OpenShiftApprovePrefix)

-		return handlers.NewRedirectGrant(OpenShiftApprovePrefix)

-

+		startGrantServer = true

+		standardGrantHandler = handlers.NewRedirectGrant(OpenShiftApprovePrefix)

 	default:

 		glog.Fatalf("No grant handler found that matches %v.  The oauth server cannot start!", c.Options.GrantConfig.Method)

 	}

-	return nil

+	if startGrantServer {

+		grantServer := grant.NewGrant(c.getCSRF(), auth, grant.DefaultFormRenderer, clientregistry, authregistry)

+		grantServer.Install(mux, OpenShiftApprovePrefix)

+	}

+

+	return handlers.NewServiceAccountAwareGrant(standardGrantHandler, saGrantHandler)

 }

 // getAuthenticationFinalizer returns an authentication finalizer which is called just prior to writing a response to an authorization request

@@ -5,9 +5,13 @@ package integration

 import (

 	"crypto/tls"

 	"encoding/base64"

+	"io/ioutil"

 	"net/http"

 	"net/http/httptest"

 	"net/http/httputil"

+	"net/url"

+	"regexp"

+	"strings"

 	"testing"

 	"time"

@@ -19,6 +23,7 @@ import (

 	"k8s.io/kubernetes/pkg/serviceaccount"

 	"github.com/openshift/origin/pkg/client"

+	"github.com/openshift/origin/pkg/cmd/server/origin"

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

 	"github.com/openshift/origin/pkg/oauth/scope"

 	saoauth "github.com/openshift/origin/pkg/serviceaccounts/oauthclient"

@@ -109,7 +114,8 @@ func TestSAAsOAuthClient(t *testing.T) {

 		Scope:        scope.Join([]string{"user:info", "role:edit:" + projectName}),

 		SendClientSecretInParams: true,

 	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, true)

+	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true)

+	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 	oauthClientConfig = &osincli.ClientConfig{

 		ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

@@ -120,7 +126,8 @@ func TestSAAsOAuthClient(t *testing.T) {

 		Scope:        scope.Join([]string{"user:info", "role:edit:other-ns"}),

 		SendClientSecretInParams: true,

 	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false)

+	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, false)

+	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 	oauthClientConfig = &osincli.ClientConfig{

 		ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

@@ -131,11 +138,14 @@ func TestSAAsOAuthClient(t *testing.T) {

 		Scope:        scope.Join([]string{"user:info"}),

 		SendClientSecretInParams: true,

 	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, false)

-

+	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false)

+	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 }

-func runOAuthFlow(t *testing.T, clusterAdminClientConfig *restclient.Config, projectName string, oauthClientConfig *osincli.ClientConfig, authorizationCodes, authorizationErrors chan string, expectAuthCodeError, expectBuildSuccess bool) {

+var grantCSRFRegex = regexp.MustCompile(`input type="hidden" name="csrf" value="([^"]*)"`)

+var grantThenRegex = regexp.MustCompile(`input type="hidden" name="then" value="([^"]*)"`)

+

+func runOAuthFlow(t *testing.T, clusterAdminClientConfig *restclient.Config, projectName string, oauthClientConfig *osincli.ClientConfig, authorizationCodes, authorizationErrors chan string, expectGrantSuccess, expectBuildSuccess bool) {

 	oauthRuntimeClient, err := osincli.NewClient(oauthClientConfig)

 	if err != nil {

 		t.Fatalf("unexpected error: %v", err)

@@ -171,10 +181,99 @@ func runOAuthFlow(t *testing.T, clusterAdminClientConfig *restclient.Config, pro

 		t.Fatalf("didn't get an unauthorized:\n %v", string(response))

 	}

-	authenticatedAuthorizeHTTPRequest, err := http.NewRequest("GET", authorizeURL.String(), nil)

-	authenticatedAuthorizeHTTPRequest.Header.Add("X-CSRF-Token", "csrf-01")

-	authenticatedAuthorizeHTTPRequest.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

-	authentictedAuthorizeResponse, err := directHTTPClient.Do(authenticatedAuthorizeHTTPRequest)

+	// first we should get a redirect to a grant flow

+	authenticatedAuthorizeHTTPRequest1, err := http.NewRequest("GET", authorizeURL.String(), nil)

+	authenticatedAuthorizeHTTPRequest1.Header.Add("X-CSRF-Token", "csrf-01")

+	authenticatedAuthorizeHTTPRequest1.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

+	authentictedAuthorizeResponse1, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest1)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if authentictedAuthorizeResponse1.StatusCode != http.StatusFound {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse1, true)

+		t.Fatalf("unexpected status :\n %v", string(response))

+	}

+

+	// second we get a webpage with a prompt.  Yeah, this next bit gets nasty

+	authenticatedAuthorizeHTTPRequest2, err := http.NewRequest("GET", clusterAdminClientConfig.Host+authentictedAuthorizeResponse1.Header.Get("Location"), nil)

+	authenticatedAuthorizeHTTPRequest2.Header.Add("X-CSRF-Token", "csrf-01")

+	authenticatedAuthorizeHTTPRequest2.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

+	authentictedAuthorizeResponse2, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest2)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if authentictedAuthorizeResponse2.StatusCode != http.StatusOK {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, true)

+		t.Fatalf("unexpected status :\n %v", string(response))

+	}

+	// have to parse the page to get the csrf value.  Yeah, that's nasty, I can't think of another way to do it without creating a new grant handler

+	body, err := ioutil.ReadAll(authentictedAuthorizeResponse2.Body)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if !expectGrantSuccess {

+		if !strings.Contains(string(body), "requested illegal scopes") {

+			t.Fatalf("missing expected message: %v", string(body))

+		}

+		return

+	}

+	csrfMatches := grantCSRFRegex.FindStringSubmatch(string(body))

+	if len(csrfMatches) != 2 {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, false)

+		t.Fatalf("unexpected body :\n %v\n%v", string(response), string(body))

+	}

+	thenMatches := grantThenRegex.FindStringSubmatch(string(body))

+	if len(thenMatches) != 2 {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, false)

+		t.Fatalf("unexpected body :\n %v\n%v", string(response), string(body))

+	}

+	t.Logf("CSRF is %v", csrfMatches)

+	t.Logf("then is %v", thenMatches)

+

+	// third we respond and approve the grant, then let the transport follow redirects and give us the code

+	postBody := strings.NewReader(url.Values(map[string][]string{

+		"then":         {thenMatches[1]},

+		"csrf":         {csrfMatches[1]},

+		"client_id":    {oauthClientConfig.ClientId},

+		"user_name":    {"harold"},

+		"scopes":       {oauthClientConfig.Scope},

+		"redirect_uri": {clusterAdminClientConfig.Host},

+		"approve":      {"true"},

+	}).Encode())

+	authenticatedAuthorizeHTTPRequest3, err := http.NewRequest("POST", clusterAdminClientConfig.Host+origin.OpenShiftApprovePrefix, postBody)

+	authenticatedAuthorizeHTTPRequest3.Header.Set("Content-Type", "application/x-www-form-urlencoded")

+	authenticatedAuthorizeHTTPRequest3.Header.Add("X-CSRF-Token", csrfMatches[1])

+	authenticatedAuthorizeHTTPRequest3.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

+	for i := range authentictedAuthorizeResponse2.Cookies() {

+		cookie := authentictedAuthorizeResponse2.Cookies()[i]

+		authenticatedAuthorizeHTTPRequest3.AddCookie(cookie)

+	}

+	authentictedAuthorizeResponse3, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest3)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if authentictedAuthorizeResponse3.StatusCode != http.StatusFound {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse3, true)

+		t.Fatalf("unexpected status :\n %v", string(response))

+	}

+

+	// fourth, the grant redirects us again to have us send the code to the server

+	authenticatedAuthorizeHTTPRequest4, err := http.NewRequest("GET", clusterAdminClientConfig.Host+authentictedAuthorizeResponse3.Header.Get("Location"), nil)

+	authenticatedAuthorizeHTTPRequest4.Header.Add("X-CSRF-Token", "csrf-01")

+	authenticatedAuthorizeHTTPRequest4.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

+	authentictedAuthorizeResponse4, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest4)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if authentictedAuthorizeResponse4.StatusCode != http.StatusFound {

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse4, true)

+		t.Fatalf("unexpected status :\n %v", string(response))

+	}

+

+	authenticatedAuthorizeHTTPRequest5, err := http.NewRequest("GET", authentictedAuthorizeResponse4.Header.Get("Location"), nil)

+	authenticatedAuthorizeHTTPRequest5.Header.Add("X-CSRF-Token", "csrf-01")

+	authenticatedAuthorizeHTTPRequest5.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

+	authentictedAuthorizeResponse5, err := directHTTPClient.Do(authenticatedAuthorizeHTTPRequest5)

 	if err != nil {

 		t.Fatalf("unexpected error: %v", err)

 	}

@@ -182,18 +281,8 @@ func runOAuthFlow(t *testing.T, clusterAdminClientConfig *restclient.Config, pro

 	authorizationCode := ""

 	select {

 	case authorizationCode = <-authorizationCodes:

-		if expectAuthCodeError {

-			response, _ := httputil.DumpResponse(authentictedAuthorizeResponse, true)

-			t.Fatalf("got a code:\n %v", string(response))

-		}

-	case <-authorizationErrors:

-		if !expectAuthCodeError {

-			response, _ := httputil.DumpResponse(authentictedAuthorizeResponse, true)

-			t.Fatalf("unexpected error:\n %v", string(response))

-		}

-		return

 	case <-time.After(10 * time.Second):

-		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse, true)

+		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse5, true)

 		t.Fatalf("didn't get a code:\n %v", string(response))

 	}