func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.IdentityProvider) (authenticator.Password, error) {
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)
switch provider := identityProvider.Provider.Object.(type) {
case (*configapi.AllowAllPasswordIdentityProvider):
return allowanypassword.New(identityProvider.Name, identityMapper), nil
case (*configapi.DenyAllPasswordIdentityProvider):
return denypassword.New(), nil
case (*configapi.LDAPPasswordIdentityProvider):
url, err := ldaputil.ParseURL(provider.URL)
if err != nil {
return nil, fmt.Errorf("Error parsing LDAPPasswordIdentityProvider URL: %v", err)
}
clientConfig, err := ldaputil.NewLDAPClientConfig(provider.URL,
provider.BindDN,
provider.BindPassword,
provider.CA,
provider.Insecure)
if err != nil {
return nil, err
}
opts := ldappassword.Options{
URL: url,
ClientConfig: clientConfig,
UserAttributeDefiner: ldaputil.NewLDAPUserAttributeDefiner(provider.Attributes),
}
return ldappassword.New(identityProvider.Name, opts, identityMapper)
case (*configapi.HTPasswdPasswordIdentityProvider):
htpasswdFile := provider.File
if len(htpasswdFile) == 0 {
return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")
}
if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {
return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)
} else {
return htpasswordAuth, nil
}
case (*configapi.BasicAuthPasswordIdentityProvider):
connectionInfo := provider.RemoteConnectionInfo
if len(connectionInfo.URL) == 0 {
return nil, fmt.Errorf("URL is required for BasicAuthPasswordIdentityProvider")
}
transport, err := cmdutil.TransportFor(connectionInfo.CA, connectionInfo.ClientCert.CertFile, connectionInfo.ClientCert.KeyFile)
if err != nil {
return nil, fmt.Errorf("Error building BasicAuthPasswordIdentityProvider client: %v", err)
}
return basicauthpassword.New(identityProvider.Name, connectionInfo.URL, transport, identityMapper), nil
default:
return nil, fmt.Errorf("No password auth found that matches %v. The OAuth server cannot start!", identityProvider)
}
}
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *PruneOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
bindPassword, err := api.ResolveStringValue(o.Config.BindPassword)
if err != nil {
return err
}
clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, bindPassword, o.Config.CA, o.Config.Insecure)
if err != nil {
return fmt.Errorf("could not determine LDAP client configuration: %v", err)
}
pruneBuilder, err := buildPruneBuilder(clientConfig, o.Config)
if err != nil {
return err
}
// populate schema-independent pruner fields
pruner := &syncgroups.LDAPGroupPruner{
Host: clientConfig.Host(),
GroupClient: o.GroupInterface,
DryRun: !o.Confirm,
Out: o.Out,
Err: os.Stderr,
}
listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o)
if err != nil {
return err
}
pruner.GroupLister = listerMapper
pruner.GroupNameMapper = listerMapper
pruner.GroupDetector, err = pruneBuilder.GetGroupDetector()
if err != nil {
return err
}
// Now we run the pruner and report any errors
pruneErrors := pruner.Prune()
return kerrs.NewAggregate(pruneErrors)
}
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure)
if err != nil {
return fmt.Errorf("could not determine LDAP client configuration: %v", err)
}
errorHandler := o.CreateErrorHandler()
syncBuilder, err := buildSyncBuilder(clientConfig, o.Config, errorHandler)
if err != nil {
return err
}
// populate schema-independent syncer fields
syncer := &syncgroups.LDAPGroupSyncer{
Host: clientConfig.Host(),
GroupClient: o.GroupInterface,
DryRun: !o.Confirm,
Out: o.Out,
Err: os.Stderr,
}
switch o.Source {
case GroupSyncSourceOpenShift:
// when your source of ldapGroupUIDs is from an openshift group, the mapping of ldapGroupUID to openshift group name is logically
// pinned by the existing mapping.
listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o)
if err != nil {
return err
}
syncer.GroupLister = listerMapper
syncer.GroupNameMapper = listerMapper
case GroupSyncSourceLDAP:
syncer.GroupLister, err = getLDAPGroupLister(syncBuilder, o)
if err != nil {
return err
}
syncer.GroupNameMapper, err = getGroupNameMapper(syncBuilder, o)
if err != nil {
return err
}
default:
return fmt.Errorf("invalid group source: %v", o.Source)
}
syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor()
if err != nil {
return err
}
syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper()
if err != nil {
return err
}
// Now we run the Syncer and report any errors
openshiftGroups, syncErrors := syncer.Sync()
if o.Confirm {
return kerrs.NewAggregate(syncErrors)
}
list := &kapi.List{}
for _, item := range openshiftGroups {
list.Items = append(list.Items, item)
}
list.Items, err = ocmdutil.ConvertItemsForDisplayFromDefaultCommand(cmd, list.Items)
if err != nil {
return err
}
if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
return err
}
return kerrs.NewAggregate(syncErrors)
}
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure)
if err != nil {
return fmt.Errorf("could not determine LDAP client configuration: %v", err)
}
var syncBuilder SyncBuilder
switch {
case o.Config.RFC2307Config != nil:
syncBuilder = &RFC2307SyncBuilder{ClientConfig: clientConfig, Config: o.Config.RFC2307Config}
case o.Config.ActiveDirectoryConfig != nil:
syncBuilder = &ADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.ActiveDirectoryConfig}
case o.Config.AugmentedActiveDirectoryConfig != nil:
syncBuilder = &AugmentedADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.AugmentedActiveDirectoryConfig}
default:
return fmt.Errorf("invalid sync config type: %v", o.Config)
}
// populate schema-independent syncer fields
syncer := &syncgroups.LDAPGroupSyncer{
Host: clientConfig.Host,
GroupClient: o.GroupInterface,
DryRun: !o.Confirm,
Out: o.Out,
Err: os.Stderr,
}
syncer.GroupLister, err = o.GetGroupLister(syncBuilder, clientConfig)
if err != nil {
return err
}
syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor()
if err != nil {
return err
}
syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper()
if err != nil {
return err
}
syncer.GroupNameMapper, err = o.GetGroupNameMapper(syncBuilder)
if err != nil {
return err
}
// Now we run the Syncer and report any errors
openshiftGroups, syncErrors := syncer.Sync()
if o.Confirm {
return kerrs.NewAggregate(syncErrors)
}
list := &kapi.List{}
for _, item := range openshiftGroups {
list.Items = append(list.Items, item)
}
if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
return err
}
return kerrs.NewAggregate(syncErrors)
}
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
// In order to create the GroupSyncer, we need to build its' parts:
// interpret user-provided configuration
clientConfig, err := ldaputil.NewLDAPClientConfig(
o.Config.URL,
o.Config.BindDN,
o.Config.BindPassword,
o.Config.CA,
o.Config.Insecure)
if err != nil {
return fmt.Errorf("could not determine LDAP client configuration: %v", err)
}
// populate schema-independent syncer fields
syncer := LDAPGroupSyncer{
Host: clientConfig.Host,
GroupClient: o.GroupInterface,
SyncExisting: o.SyncExisting,
}
if len(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping) > 0 {
syncer.GroupNameMapper = NewUserDefinedGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
}
switch {
case o.Config.RFC2307Config != nil:
syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes)
// config values are internalized
groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllGroupsQuery, o.Config.RFC2307Config.GroupUIDAttribute)
if err != nil {
return err
}
userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllUsersQuery, o.Config.RFC2307Config.UserUIDAttribute)
if err != nil {
return err
}
// the schema-specific ldapInterface is built from the config
ldapInterface := rfc2307.NewLDAPInterface(clientConfig,
groupQuery,
o.Config.RFC2307Config.GroupNameAttributes,
o.Config.RFC2307Config.GroupMembershipAttributes,
userQuery,
o.Config.RFC2307Config.UserNameAttributes)
// The LDAPInterface knows how to extract group members
syncer.GroupMemberExtractor = &ldapInterface
// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
// or one based on LDAP group entry attributes
if syncer.GroupNameMapper == nil {
if o.Config.RFC2307Config.GroupNameAttributes == nil {
return errors.New("not enough information to build a group name mapper")
}
syncer.GroupNameMapper = NewEntryAttributeGroupNameMapper(o.Config.RFC2307Config.GroupNameAttributes, &ldapInterface)
}
// In order to build the groupLister, we need to know about the group sync scope and source:
syncer.GroupLister = getGroupLister(o.Scope,
o.Source,
o.WhitelistContents,
o.GroupInterface,
clientConfig.Host,
&ldapInterface)
case o.Config.ActiveDirectoryConfig != nil:
syncer.UserNameMapper = NewUserNameMapper(o.Config.ActiveDirectoryConfig.UserNameAttributes)
// config values are internalized
userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.ActiveDirectoryConfig.AllUsersQuery, "dn")
if err != nil {
return err
}
// the schema-specific ldapInterface is built from the config
ldapInterface := ad.NewLDAPInterface(clientConfig,
userQuery,
o.Config.ActiveDirectoryConfig.GroupMembershipAttributes,
o.Config.ActiveDirectoryConfig.UserNameAttributes)
// The LDAPInterface knows how to extract group members
syncer.GroupMemberExtractor = &ldapInterface
// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
// or one based on LDAP group entry attributes
if syncer.GroupNameMapper == nil {
syncer.GroupNameMapper = &DNLDAPGroupNameMapper{}
}
// In order to build the groupLister, we need to know about the group sync scope and source:
syncer.GroupLister = getGroupLister(o.Scope,
o.Source,
o.WhitelistContents,
o.GroupInterface,
clientConfig.Host,
&ldapInterface)
case o.Config.AugmentedActiveDirectoryConfig != nil:
fallthrough
default:
return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config)
}
// Now we run the Syncer and report any errors
if o.Confirm {
syncErrors := syncer.Sync()
return kerrs.NewAggregate(syncErrors)
}
openshiftGroups, errors := syncer.GetResultingGroups()
list := &kapi.List{}
for _, item := range openshiftGroups {
list.Items = append(list.Items, item)
}
if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
return err
}
return kerrs.NewAggregate(errors)
}
// Run creates the GroupSyncer specified and runs it to sync groups
func (o *SyncGroupsOptions) Run() error {
// In order to create the GroupSyncer, we need to build its' parts:
// interpret user-provided configuration
clientConfig, err := ldaputil.NewLDAPClientConfig(
o.Config.Host,
o.Config.BindDN,
o.Config.BindPassword,
o.Config.CA,
o.Config.Insecure)
if err != nil {
return fmt.Errorf("could not determine LDAP client configuration: %v", err)
}
// populate schema-independent syncer fields
syncer := LDAPGroupSyncer{
Host: clientConfig.Host,
GroupClient: o.GroupInterface,
SyncExisting: o.SyncExisting,
}
switch {
case o.Config.RFC2307Config != nil:
syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes)
// config values are internalized
groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.GroupQuery)
if err != nil {
return err
}
userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.UserQuery)
if err != nil {
return err
}
// the schema-specific ldapInterface is built from the config
ldapInterface := rfc2307.NewLDAPInterface(clientConfig,
groupQuery,
o.Config.RFC2307Config.GroupNameAttributes,
o.Config.RFC2307Config.GroupMembershipAttributes,
userQuery,
o.Config.RFC2307Config.UserNameAttributes)
// The LDAPInterface knows how to extract group members
syncer.GroupMemberExtractor = &ldapInterface
// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
// or one based on LDAP group entry attributes
syncer.GroupNameMapper = getGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping,
o.Config.RFC2307Config.GroupNameAttributes,
&ldapInterface)
// In order to build the groupLister, we need to know about the group sync scope and source:
syncer.GroupLister = getGroupLister(o.Scope,
o.Source,
o.WhitelistContents,
o.GroupInterface,
clientConfig.Host,
&ldapInterface)
case o.Config.ActiveDirectoryConfig != nil:
fallthrough
case o.Config.AugmentedActiveDirectoryConfig != nil:
fallthrough
default:
return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config)
}
// Now we run the Syncer and report any errors
syncErrors := syncer.Sync()
return kerrs.NewAggregate(syncErrors)
}