Пример #1
0
func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.IdentityProvider) (authenticator.Password, error) {
	identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)

	switch provider := identityProvider.Provider.Object.(type) {
	case (*configapi.AllowAllPasswordIdentityProvider):
		return allowanypassword.New(identityProvider.Name, identityMapper), nil

	case (*configapi.DenyAllPasswordIdentityProvider):
		return denypassword.New(), nil

	case (*configapi.LDAPPasswordIdentityProvider):
		url, err := ldaputil.ParseURL(provider.URL)
		if err != nil {
			return nil, fmt.Errorf("Error parsing LDAPPasswordIdentityProvider URL: %v", err)
		}

		clientConfig, err := ldaputil.NewLDAPClientConfig(provider.URL,
			provider.BindDN,
			provider.BindPassword,
			provider.CA,
			provider.Insecure)
		if err != nil {
			return nil, err
		}

		opts := ldappassword.Options{
			URL:                  url,
			ClientConfig:         clientConfig,
			UserAttributeDefiner: ldaputil.NewLDAPUserAttributeDefiner(provider.Attributes),
		}
		return ldappassword.New(identityProvider.Name, opts, identityMapper)

	case (*configapi.HTPasswdPasswordIdentityProvider):
		htpasswdFile := provider.File
		if len(htpasswdFile) == 0 {
			return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")
		}
		if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {
			return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)
		} else {
			return htpasswordAuth, nil
		}

	case (*configapi.BasicAuthPasswordIdentityProvider):
		connectionInfo := provider.RemoteConnectionInfo
		if len(connectionInfo.URL) == 0 {
			return nil, fmt.Errorf("URL is required for BasicAuthPasswordIdentityProvider")
		}
		transport, err := cmdutil.TransportFor(connectionInfo.CA, connectionInfo.ClientCert.CertFile, connectionInfo.ClientCert.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("Error building BasicAuthPasswordIdentityProvider client: %v", err)
		}
		return basicauthpassword.New(identityProvider.Name, connectionInfo.URL, transport, identityMapper), nil

	default:
		return nil, fmt.Errorf("No password auth found that matches %v.  The OAuth server cannot start!", identityProvider)
	}

}
Пример #2
0
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *PruneOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
	bindPassword, err := api.ResolveStringValue(o.Config.BindPassword)
	if err != nil {
		return err
	}
	clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, bindPassword, o.Config.CA, o.Config.Insecure)
	if err != nil {
		return fmt.Errorf("could not determine LDAP client configuration: %v", err)
	}

	pruneBuilder, err := buildPruneBuilder(clientConfig, o.Config)
	if err != nil {
		return err
	}

	// populate schema-independent pruner fields
	pruner := &syncgroups.LDAPGroupPruner{
		Host:        clientConfig.Host(),
		GroupClient: o.GroupInterface,
		DryRun:      !o.Confirm,

		Out: o.Out,
		Err: os.Stderr,
	}

	listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o)
	if err != nil {
		return err
	}
	pruner.GroupLister = listerMapper
	pruner.GroupNameMapper = listerMapper

	pruner.GroupDetector, err = pruneBuilder.GetGroupDetector()
	if err != nil {
		return err
	}

	// Now we run the pruner and report any errors
	pruneErrors := pruner.Prune()
	return kerrs.NewAggregate(pruneErrors)

}
Пример #3
0
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
	clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure)
	if err != nil {
		return fmt.Errorf("could not determine LDAP client configuration: %v", err)
	}

	errorHandler := o.CreateErrorHandler()

	syncBuilder, err := buildSyncBuilder(clientConfig, o.Config, errorHandler)
	if err != nil {
		return err
	}

	// populate schema-independent syncer fields
	syncer := &syncgroups.LDAPGroupSyncer{
		Host:        clientConfig.Host(),
		GroupClient: o.GroupInterface,
		DryRun:      !o.Confirm,

		Out: o.Out,
		Err: os.Stderr,
	}

	switch o.Source {
	case GroupSyncSourceOpenShift:
		// when your source of ldapGroupUIDs is from an openshift group, the mapping of ldapGroupUID to openshift group name is logically
		// pinned by the existing mapping.
		listerMapper, err := getOpenShiftGroupListerMapper(clientConfig.Host(), o)
		if err != nil {
			return err
		}
		syncer.GroupLister = listerMapper
		syncer.GroupNameMapper = listerMapper

	case GroupSyncSourceLDAP:
		syncer.GroupLister, err = getLDAPGroupLister(syncBuilder, o)
		if err != nil {
			return err
		}
		syncer.GroupNameMapper, err = getGroupNameMapper(syncBuilder, o)
		if err != nil {
			return err
		}

	default:
		return fmt.Errorf("invalid group source: %v", o.Source)
	}

	syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor()
	if err != nil {
		return err
	}

	syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper()
	if err != nil {
		return err
	}

	// Now we run the Syncer and report any errors
	openshiftGroups, syncErrors := syncer.Sync()
	if o.Confirm {
		return kerrs.NewAggregate(syncErrors)
	}

	list := &kapi.List{}
	for _, item := range openshiftGroups {
		list.Items = append(list.Items, item)
	}
	list.Items, err = ocmdutil.ConvertItemsForDisplayFromDefaultCommand(cmd, list.Items)
	if err != nil {
		return err
	}

	if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
		return err
	}

	return kerrs.NewAggregate(syncErrors)
}
Пример #4
0
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
	clientConfig, err := ldaputil.NewLDAPClientConfig(o.Config.URL, o.Config.BindDN, o.Config.BindPassword, o.Config.CA, o.Config.Insecure)
	if err != nil {
		return fmt.Errorf("could not determine LDAP client configuration: %v", err)
	}

	var syncBuilder SyncBuilder
	switch {
	case o.Config.RFC2307Config != nil:
		syncBuilder = &RFC2307SyncBuilder{ClientConfig: clientConfig, Config: o.Config.RFC2307Config}

	case o.Config.ActiveDirectoryConfig != nil:
		syncBuilder = &ADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.ActiveDirectoryConfig}

	case o.Config.AugmentedActiveDirectoryConfig != nil:
		syncBuilder = &AugmentedADSyncBuilder{ClientConfig: clientConfig, Config: o.Config.AugmentedActiveDirectoryConfig}

	default:
		return fmt.Errorf("invalid sync config type: %v", o.Config)
	}

	// populate schema-independent syncer fields
	syncer := &syncgroups.LDAPGroupSyncer{
		Host:        clientConfig.Host,
		GroupClient: o.GroupInterface,
		DryRun:      !o.Confirm,

		Out: o.Out,
		Err: os.Stderr,
	}

	syncer.GroupLister, err = o.GetGroupLister(syncBuilder, clientConfig)
	if err != nil {
		return err
	}

	syncer.GroupMemberExtractor, err = syncBuilder.GetGroupMemberExtractor()
	if err != nil {
		return err
	}

	syncer.UserNameMapper, err = syncBuilder.GetUserNameMapper()
	if err != nil {
		return err
	}

	syncer.GroupNameMapper, err = o.GetGroupNameMapper(syncBuilder)
	if err != nil {
		return err
	}

	// Now we run the Syncer and report any errors
	openshiftGroups, syncErrors := syncer.Sync()
	if o.Confirm {
		return kerrs.NewAggregate(syncErrors)
	}

	list := &kapi.List{}
	for _, item := range openshiftGroups {
		list.Items = append(list.Items, item)
	}
	if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
		return err
	}

	return kerrs.NewAggregate(syncErrors)

}
Пример #5
0
// Run creates the GroupSyncer specified and runs it to sync groups
// the arguments are only here because its the only way to get the printer we need
func (o *SyncGroupsOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error {
	// In order to create the GroupSyncer, we need to build its' parts:
	// interpret user-provided configuration
	clientConfig, err := ldaputil.NewLDAPClientConfig(
		o.Config.URL,
		o.Config.BindDN,
		o.Config.BindPassword,
		o.Config.CA,
		o.Config.Insecure)
	if err != nil {
		return fmt.Errorf("could not determine LDAP client configuration: %v", err)
	}

	// populate schema-independent syncer fields
	syncer := LDAPGroupSyncer{
		Host:         clientConfig.Host,
		GroupClient:  o.GroupInterface,
		SyncExisting: o.SyncExisting,
	}

	if len(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping) > 0 {
		syncer.GroupNameMapper = NewUserDefinedGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
	}

	switch {
	case o.Config.RFC2307Config != nil:
		syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes)

		// config values are internalized
		groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllGroupsQuery, o.Config.RFC2307Config.GroupUIDAttribute)
		if err != nil {
			return err
		}

		userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.AllUsersQuery, o.Config.RFC2307Config.UserUIDAttribute)
		if err != nil {
			return err
		}

		// the schema-specific ldapInterface is built from the config
		ldapInterface := rfc2307.NewLDAPInterface(clientConfig,
			groupQuery,
			o.Config.RFC2307Config.GroupNameAttributes,
			o.Config.RFC2307Config.GroupMembershipAttributes,
			userQuery,
			o.Config.RFC2307Config.UserNameAttributes)

		// The LDAPInterface knows how to extract group members
		syncer.GroupMemberExtractor = &ldapInterface

		// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
		// or one based on LDAP group entry attributes
		if syncer.GroupNameMapper == nil {
			if o.Config.RFC2307Config.GroupNameAttributes == nil {
				return errors.New("not enough information to build a group name mapper")
			}
			syncer.GroupNameMapper = NewEntryAttributeGroupNameMapper(o.Config.RFC2307Config.GroupNameAttributes, &ldapInterface)
		}

		// In order to build the groupLister, we need to know about the group sync scope and source:
		syncer.GroupLister = getGroupLister(o.Scope,
			o.Source,
			o.WhitelistContents,
			o.GroupInterface,
			clientConfig.Host,
			&ldapInterface)

	case o.Config.ActiveDirectoryConfig != nil:
		syncer.UserNameMapper = NewUserNameMapper(o.Config.ActiveDirectoryConfig.UserNameAttributes)

		// config values are internalized

		userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.ActiveDirectoryConfig.AllUsersQuery, "dn")
		if err != nil {
			return err
		}

		// the schema-specific ldapInterface is built from the config
		ldapInterface := ad.NewLDAPInterface(clientConfig,
			userQuery,
			o.Config.ActiveDirectoryConfig.GroupMembershipAttributes,
			o.Config.ActiveDirectoryConfig.UserNameAttributes)

		// The LDAPInterface knows how to extract group members
		syncer.GroupMemberExtractor = &ldapInterface

		// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
		// or one based on LDAP group entry attributes
		if syncer.GroupNameMapper == nil {
			syncer.GroupNameMapper = &DNLDAPGroupNameMapper{}
		}

		// In order to build the groupLister, we need to know about the group sync scope and source:
		syncer.GroupLister = getGroupLister(o.Scope,
			o.Source,
			o.WhitelistContents,
			o.GroupInterface,
			clientConfig.Host,
			&ldapInterface)

	case o.Config.AugmentedActiveDirectoryConfig != nil:
		fallthrough
	default:
		return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config)
	}

	// Now we run the Syncer and report any errors
	if o.Confirm {
		syncErrors := syncer.Sync()
		return kerrs.NewAggregate(syncErrors)
	}

	openshiftGroups, errors := syncer.GetResultingGroups()
	list := &kapi.List{}
	for _, item := range openshiftGroups {
		list.Items = append(list.Items, item)
	}
	if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {
		return err
	}

	return kerrs.NewAggregate(errors)

}
Пример #6
0
// Run creates the GroupSyncer specified and runs it to sync groups
func (o *SyncGroupsOptions) Run() error {
	// In order to create the GroupSyncer, we need to build its' parts:
	// interpret user-provided configuration
	clientConfig, err := ldaputil.NewLDAPClientConfig(
		o.Config.Host,
		o.Config.BindDN,
		o.Config.BindPassword,
		o.Config.CA,
		o.Config.Insecure)
	if err != nil {
		return fmt.Errorf("could not determine LDAP client configuration: %v", err)
	}

	// populate schema-independent syncer fields
	syncer := LDAPGroupSyncer{
		Host:         clientConfig.Host,
		GroupClient:  o.GroupInterface,
		SyncExisting: o.SyncExisting,
	}

	switch {
	case o.Config.RFC2307Config != nil:
		syncer.UserNameMapper = NewUserNameMapper(o.Config.RFC2307Config.UserNameAttributes)

		// config values are internalized
		groupQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.GroupQuery)
		if err != nil {
			return err
		}

		userQuery, err := ldaputil.NewLDAPQueryOnAttribute(o.Config.RFC2307Config.UserQuery)
		if err != nil {
			return err
		}

		// the schema-specific ldapInterface is built from the config
		ldapInterface := rfc2307.NewLDAPInterface(clientConfig,
			groupQuery,
			o.Config.RFC2307Config.GroupNameAttributes,
			o.Config.RFC2307Config.GroupMembershipAttributes,
			userQuery,
			o.Config.RFC2307Config.UserNameAttributes)

		// The LDAPInterface knows how to extract group members
		syncer.GroupMemberExtractor = &ldapInterface

		// In order to build the GroupNameMapper, we need to know if the user defined a hard mapping
		// or one based on LDAP group entry attributes
		syncer.GroupNameMapper = getGroupNameMapper(o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping,
			o.Config.RFC2307Config.GroupNameAttributes,
			&ldapInterface)

		// In order to build the groupLister, we need to know about the group sync scope and source:
		syncer.GroupLister = getGroupLister(o.Scope,
			o.Source,
			o.WhitelistContents,
			o.GroupInterface,
			clientConfig.Host,
			&ldapInterface)

	case o.Config.ActiveDirectoryConfig != nil:
		fallthrough
	case o.Config.AugmentedActiveDirectoryConfig != nil:
		fallthrough
	default:
		return fmt.Errorf("invalid schema-specific query template type: %v", o.Config.RFC2307Config)
	}

	// Now we run the Syncer and report any errors
	syncErrors := syncer.Sync()
	return kerrs.NewAggregate(syncErrors)
}