func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.IdentityProvider) (authenticator.Password, error) { identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry) switch provider := identityProvider.Provider.Object.(type) { case (*configapi.AllowAllPasswordIdentityProvider): return allowanypassword.New(identityProvider.Name, identityMapper), nil case (*configapi.DenyAllPasswordIdentityProvider): return denypassword.New(), nil case (*configapi.LDAPPasswordIdentityProvider): url, err := ldaputil.ParseURL(provider.URL) if err != nil { return nil, fmt.Errorf("Error parsing LDAPPasswordIdentityProvider URL: %v", err) } clientConfig, err := ldaputil.NewLDAPClientConfig(provider.URL, provider.BindDN, provider.BindPassword, provider.CA, provider.Insecure) if err != nil { return nil, err } opts := ldappassword.Options{ URL: url, ClientConfig: clientConfig, UserAttributeDefiner: ldaputil.NewLDAPUserAttributeDefiner(provider.Attributes), } return ldappassword.New(identityProvider.Name, opts, identityMapper) case (*configapi.HTPasswdPasswordIdentityProvider): htpasswdFile := provider.File if len(htpasswdFile) == 0 { return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth") } if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil { return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err) } else { return htpasswordAuth, nil } case (*configapi.BasicAuthPasswordIdentityProvider): connectionInfo := provider.RemoteConnectionInfo if len(connectionInfo.URL) == 0 { return nil, fmt.Errorf("URL is required for BasicAuthPasswordIdentityProvider") } transport, err := cmdutil.TransportFor(connectionInfo.CA, connectionInfo.ClientCert.CertFile, connectionInfo.ClientCert.KeyFile) if err != nil { return nil, fmt.Errorf("Error building BasicAuthPasswordIdentityProvider client: %v", err) } return basicauthpassword.New(identityProvider.Name, connectionInfo.URL, transport, identityMapper), nil default: return nil, fmt.Errorf("No password auth found that matches %v. The OAuth server cannot start!", identityProvider) } }
// Run creates the GroupSyncer specified and runs it to sync groups // the arguments are only here because its the only way to get the printer we need func (o *PruneOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error { bindPassword, err := api.ResolveStringValue(o.Config.BindPassword) if err != nil { return err } clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, bindPassword, o.Config.CA, o.Config.Insecure) if err != nil { return fmt.Errorf("could not determine LDAP client configuration: %v", err) } pruneBuilder, err := buildPruneBuilder(clientConfig, o.Config) if err != nil { return err } // populate schema-independent pruner fields pruner := &syncgroups.LDAPGroupPruner{ Host: clientConfig.Host(), GroupClient: o.GroupInterface, DryRun: !o.Confirm, Out: o.Out, Err: os.Stderr, } listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o) if err != nil { return err } pruner.GroupLister = listerMapper pruner.GroupNameMapper = listerMapper pruner.GroupDetector, err = pruneBuilder.GetGroupDetector() if err != nil { return err } // Now we run the pruner and report any errors pruneErrors := pruner.Prune() return kerrs.NewAggregate(pruneErrors) }
// Run creates the GroupSyncer specified and runs it to sync groups // the arguments are only here because its the only way to get the printer we need func (o *SyncOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error { clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure) if err != nil { return fmt.Errorf("could not determine LDAP client configuration: %v", err) } errorHandler := o.CreateErrorHandler() syncBuilder, err := buildSyncBuilder(clientConfig, o.Config, errorHandler) if err != nil { return err } // populate schema-independent syncer fields syncer := &syncgroups.LDAPGroupSyncer{ Host: clientConfig.Host(), GroupClient: o.GroupInterface, DryRun: !o.Confirm, Out: o.Out, Err: os.Stderr, } switch o.Source { case GroupSyncSourceOpenShift: // when your source of ldapGroupUIDs is from an openshift group, the mapping of ldapGroupUID to openshift group name is logically // pinned by the existing mapping. listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o) if err != nil { return err } syncer.GroupLister = listerMapper syncer.GroupNameMapper = listerMapper case GroupSyncSourceLDAP: syncer.GroupLister, err = getLDAPGroupLister(syncBuilder, o) if err != nil { return err } syncer.GroupNameMapper, err = getGroupNameMapper(syncBuilder, o) if err != nil { return err } default: return fmt.Errorf("invalid group source: %v", o.Source) } syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor() if err != nil { return err } syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper() if err != nil { return err } // Now we run the Syncer and report any errors openshiftGroups, syncErrors := syncer.Sync() if o.Confirm { return kerrs.NewAggregate(syncErrors) } list := &kapi.List{} for _, item := range openshiftGroups { list.Items = append(list.Items, item) } list.Items, err = ocmdutil.ConvertItemsForDisplayFromDefaultCommand(cmd, list.Items) if err != nil { return err } if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil { return err } return kerrs.NewAggregate(syncErrors) }
// Run creates the GroupSyncer specified and runs it to sync groups // the arguments are only here because its the only way to get the printer we need func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error { clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure) if err != nil { return fmt.Errorf("could not determine LDAP client configuration: %v", err) } var syncBuilder SyncBuilder switch { case o.Config.RFC2307Config != nil: syncBuilder = &RFC2307SyncBuilder{ClientConfig: clientConfig, Config: o.Config.RFC2307Config} case o.Config.ActiveDirectoryConfig != nil: syncBuilder = &ADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.ActiveDirectoryConfig} case o.Config.AugmentedActiveDirectoryConfig != nil: syncBuilder = &AugmentedADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.AugmentedActiveDirectoryConfig} default: return fmt.Errorf("invalid sync config type: %v", o.Config) } // populate schema-independent syncer fields syncer := &syncgroups.LDAPGroupSyncer{ Host: clientConfig.Host, GroupClient: o.GroupInterface, DryRun: !o.Confirm, Out: o.Out, Err: os.Stderr, } syncer.GroupLister, err = o.GetGroupLister(syncBuilder, clientConfig) if err != nil { return err } syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor() if err != nil { return err } syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper() if err != nil { return err } syncer.GroupNameMapper, err = o.GetGroupNameMapper(syncBuilder) if err != nil { return err } // Now we run the Syncer and report any errors openshiftGroups, syncErrors := syncer.Sync() if o.Confirm { return kerrs.NewAggregate(syncErrors) } list := &kapi.List{} for _, item := range openshiftGroups { list.Items = append(list.Items, item) } if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil { return err } return kerrs.NewAggregate(syncErrors) }
// Run creates the GroupSyncer specified and runs it to sync groups // the arguments are only here because its the only way to get the printer we need func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error { // In order to create the GroupSyncer, we need to build its' parts: // interpret user-provided configuration clientConfig, err := ldaputil.NewLDAPClientConfig( o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure) if err != nil { return fmt.Errorf("could not determine LDAP client configuration: %v", err) } // populate schema-independent syncer fields syncer := LDAPGroupSyncer{ Host: clientConfig.Host, GroupClient: o.GroupInterface, SyncExisting: o.SyncExisting, } if len(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping) > 0 { syncer.GroupNameMapper = NewUserDefinedGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping) } switch { case o.Config.RFC2307Config != nil: syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes) // config values are internalized groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllGroupsQuery, o.Config.RFC2307Config.GroupUIDAttribute) if err != nil { return err } userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllUsersQuery, o.Config.RFC2307Config.UserUIDAttribute) if err != nil { return err } // the schema-specific ldapInterface is built from the config ldapInterface := rfc2307.NewLDAPInterface(clientConfig, groupQuery, o.Config.RFC2307Config.GroupNameAttributes, o.Config.RFC2307Config.GroupMembershipAttributes, userQuery, o.Config.RFC2307Config.UserNameAttributes) // The LDAPInterface knows how to extract group members syncer.GroupMemberExtractor = &ldapInterface // In order to build the GroupNameMapper, we need to know if the user defined a hard mapping // or one based on LDAP group entry attributes if syncer.GroupNameMapper == nil { if o.Config.RFC2307Config.GroupNameAttributes == nil { return errors.New("not enough information to build a group name mapper") } syncer.GroupNameMapper = NewEntryAttributeGroupNameMapper(o.Config.RFC2307Config.GroupNameAttributes, &ldapInterface) } // In order to build the groupLister, we need to know about the group sync scope and source: syncer.GroupLister = getGroupLister(o.Scope, o.Source, o.WhitelistContents, o.GroupInterface, clientConfig.Host, &ldapInterface) case o.Config.ActiveDirectoryConfig != nil: syncer.UserNameMapper = NewUserNameMapper(o.Config.ActiveDirectoryConfig.UserNameAttributes) // config values are internalized userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.ActiveDirectoryConfig.AllUsersQuery, "dn") if err != nil { return err } // the schema-specific ldapInterface is built from the config ldapInterface := ad.NewLDAPInterface(clientConfig, userQuery, o.Config.ActiveDirectoryConfig.GroupMembershipAttributes, o.Config.ActiveDirectoryConfig.UserNameAttributes) // The LDAPInterface knows how to extract group members syncer.GroupMemberExtractor = &ldapInterface // In order to build the GroupNameMapper, we need to know if the user defined a hard mapping // or one based on LDAP group entry attributes if syncer.GroupNameMapper == nil { syncer.GroupNameMapper = &DNLDAPGroupNameMapper{} } // In order to build the groupLister, we need to know about the group sync scope and source: syncer.GroupLister = getGroupLister(o.Scope, o.Source, o.WhitelistContents, o.GroupInterface, clientConfig.Host, &ldapInterface) case o.Config.AugmentedActiveDirectoryConfig != nil: fallthrough default: return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config) } // Now we run the Syncer and report any errors if o.Confirm { syncErrors := syncer.Sync() return kerrs.NewAggregate(syncErrors) } openshiftGroups, errors := syncer.GetResultingGroups() list := &kapi.List{} for _, item := range openshiftGroups { list.Items = append(list.Items, item) } if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil { return err } return kerrs.NewAggregate(errors) }
// Run creates the GroupSyncer specified and runs it to sync groups func (o *SyncGroupsOptions) Run() error { // In order to create the GroupSyncer, we need to build its' parts: // interpret user-provided configuration clientConfig, err := ldaputil.NewLDAPClientConfig( o.Config.Host, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure) if err != nil { return fmt.Errorf("could not determine LDAP client configuration: %v", err) } // populate schema-independent syncer fields syncer := LDAPGroupSyncer{ Host: clientConfig.Host, GroupClient: o.GroupInterface, SyncExisting: o.SyncExisting, } switch { case o.Config.RFC2307Config != nil: syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes) // config values are internalized groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.GroupQuery) if err != nil { return err } userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.UserQuery) if err != nil { return err } // the schema-specific ldapInterface is built from the config ldapInterface := rfc2307.NewLDAPInterface(clientConfig, groupQuery, o.Config.RFC2307Config.GroupNameAttributes, o.Config.RFC2307Config.GroupMembershipAttributes, userQuery, o.Config.RFC2307Config.UserNameAttributes) // The LDAPInterface knows how to extract group members syncer.GroupMemberExtractor = &ldapInterface // In order to build the GroupNameMapper, we need to know if the user defined a hard mapping // or one based on LDAP group entry attributes syncer.GroupNameMapper = getGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping, o.Config.RFC2307Config.GroupNameAttributes, &ldapInterface) // In order to build the groupLister, we need to know about the group sync scope and source: syncer.GroupLister = getGroupLister(o.Scope, o.Source, o.WhitelistContents, o.GroupInterface, clientConfig.Host, &ldapInterface) case o.Config.ActiveDirectoryConfig != nil: fallthrough case o.Config.AugmentedActiveDirectoryConfig != nil: fallthrough default: return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config) } // Now we run the Syncer and report any errors syncErrors := syncer.Sync() return kerrs.NewAggregate(syncErrors) }