func (c *AuthConfig) getOAuthProvider(identityProvider configapi.IdentityProvider) (external.Provider, error) {
switch provider := identityProvider.Provider.(type) {
case (*configapi.GitHubIdentityProvider):
return github.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret, provider.Organizations), nil
case (*configapi.GitLabIdentityProvider):
transport, err := cmdutil.TransportFor(provider.CA, "", "")
if err != nil {
return nil, err
}
return gitlab.NewProvider(identityProvider.Name, transport, provider.URL, provider.ClientID, provider.ClientSecret)
case (*configapi.GoogleIdentityProvider):
return google.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret, provider.HostedDomain)
case (*configapi.OpenIDIdentityProvider):
transport, err := cmdutil.TransportFor(provider.CA, "", "")
if err != nil {
return nil, err
}
// OpenID Connect requests MUST contain the openid scope value
// http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
scopes := sets.NewString("openid")
scopes.Insert(provider.ExtraScopes...)
config := openid.Config{
ClientID: provider.ClientID,
ClientSecret: provider.ClientSecret,
Scopes: scopes.List(),
ExtraAuthorizeParameters: provider.ExtraAuthorizeParameters,
AuthorizeURL: provider.URLs.Authorize,
TokenURL: provider.URLs.Token,
UserInfoURL: provider.URLs.UserInfo,
IDClaims: provider.Claims.ID,
PreferredUsernameClaims: provider.Claims.PreferredUsername,
EmailClaims: provider.Claims.Email,
NameClaims: provider.Claims.Name,
}
return openid.NewProvider(identityProvider.Name, transport, config)
default:
return nil, fmt.Errorf("No OAuth provider found that matches %v. The OAuth server cannot start!", identityProvider)
}
}
func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.IdentityProvider) (authenticator.Password, error) {
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)
switch provider := identityProvider.Provider.Object.(type) {
case (*configapi.AllowAllPasswordIdentityProvider):
return allowanypassword.New(identityProvider.Name, identityMapper), nil
case (*configapi.DenyAllPasswordIdentityProvider):
return denypassword.New(), nil
case (*configapi.LDAPPasswordIdentityProvider):
url, err := ldaputil.ParseURL(provider.URL)
if err != nil {
return nil, fmt.Errorf("Error parsing LDAPPasswordIdentityProvider URL: %v", err)
}
clientConfig, err := ldaputil.NewLDAPClientConfig(provider.URL,
provider.BindDN,
provider.BindPassword,
provider.CA,
provider.Insecure)
if err != nil {
return nil, err
}
opts := ldappassword.Options{
URL: url,
ClientConfig: clientConfig,
UserAttributeDefiner: ldaputil.NewLDAPUserAttributeDefiner(provider.Attributes),
}
return ldappassword.New(identityProvider.Name, opts, identityMapper)
case (*configapi.HTPasswdPasswordIdentityProvider):
htpasswdFile := provider.File
if len(htpasswdFile) == 0 {
return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")
}
if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {
return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)
} else {
return htpasswordAuth, nil
}
case (*configapi.BasicAuthPasswordIdentityProvider):
connectionInfo := provider.RemoteConnectionInfo
if len(connectionInfo.URL) == 0 {
return nil, fmt.Errorf("URL is required for BasicAuthPasswordIdentityProvider")
}
transport, err := cmdutil.TransportFor(connectionInfo.CA, connectionInfo.ClientCert.CertFile, connectionInfo.ClientCert.KeyFile)
if err != nil {
return nil, fmt.Errorf("Error building BasicAuthPasswordIdentityProvider client: %v", err)
}
return basicauthpassword.New(identityProvider.Name, connectionInfo.URL, transport, identityMapper), nil
default:
return nil, fmt.Errorf("No password auth found that matches %v. The OAuth server cannot start!", identityProvider)
}
}
func masterHTTPClient(localConfig string) (*http.Client, error) {
caCert := filepath.Join(localConfig, "master", "ca.crt")
transport, err := cmdutil.TransportFor(caCert, "", "")
if err != nil {
return nil, err
}
return &http.Client{
Transport: transport,
Timeout: 10 * time.Second,
}, nil
}
func startProxy(dir string, sourceURL *url.URL, username, password string) (*url.URL, error) {
// Setup the targetURL of the proxy to be the host of the original URL
targetURL := &url.URL{
Scheme: sourceURL.Scheme,
Host: sourceURL.Host,
}
proxyHandler := httputil.NewSingleHostReverseProxy(targetURL)
// The baseTransport will either be the default transport or a
// transport with the appropriate TLSConfig if a ca.crt is present.
baseTransport := http.DefaultTransport
// Check whether a CA cert is available and use it if it is.
caCertFile := filepath.Join(dir, "ca.crt")
_, err := os.Stat(caCertFile)
if err == nil && sourceURL.Scheme == "https" {
baseTransport, err = cmdutil.TransportFor(caCertFile, "", "")
if err != nil {
return nil, err
}
}
// Build a basic auth RoundTripper for use by the proxy
authTransport := &basicAuthTransport{
username: username,
password: password,
transport: baseTransport,
}
proxyHandler.Transport = authTransport
// Start the proxy go-routine
go func() {
log.Fatal(http.ListenAndServe(proxyHost, proxyHandler))
}()
// The new URL will use the proxy endpoint
proxyURL := *sourceURL
proxyURL.User = nil
proxyURL.Host = proxyHost
proxyURL.Scheme = "http"
return &proxyURL, nil
}
func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.IdentityProvider) (authenticator.Password, error) {
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)
switch provider := identityProvider.Provider.Object.(type) {
case (*configapi.AllowAllPasswordIdentityProvider):
return allowanypassword.New(identityProvider.Name, identityMapper), nil
case (*configapi.DenyAllPasswordIdentityProvider):
return denypassword.New(), nil
case (*configapi.LDAPPasswordIdentityProvider):
url, err := ldappassword.ParseURL(provider.URL)
if err != nil {
return nil, fmt.Errorf("Error parsing LDAPPasswordIdentityProvider URL: %v", err)
}
tlsConfig := &tls.Config{}
if len(provider.CA) > 0 {
roots, err := util.CertPoolFromFile(provider.CA)
if err != nil {
return nil, fmt.Errorf("error loading cert pool from ca file %s: %v", provider.CA, err)
}
tlsConfig.RootCAs = roots
}
opts := ldappassword.Options{
URL: url,
Insecure: provider.Insecure,
TLSConfig: tlsConfig,
BindDN: provider.BindDN,
BindPassword: provider.BindPassword,
AttributeEmail: provider.Attributes.Email,
AttributeName: provider.Attributes.Name,
AttributeID: provider.Attributes.ID,
AttributePreferredUsername: provider.Attributes.PreferredUsername,
}
return ldappassword.New(identityProvider.Name, opts, identityMapper)
case (*configapi.HTPasswdPasswordIdentityProvider):
htpasswdFile := provider.File
if len(htpasswdFile) == 0 {
return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")
}
if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {
return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)
} else {
return htpasswordAuth, nil
}
case (*configapi.BasicAuthPasswordIdentityProvider):
connectionInfo := provider.RemoteConnectionInfo
if len(connectionInfo.URL) == 0 {
return nil, fmt.Errorf("URL is required for BasicAuthPasswordIdentityProvider")
}
transport, err := cmdutil.TransportFor(connectionInfo.CA, connectionInfo.ClientCert.CertFile, connectionInfo.ClientCert.KeyFile)
if err != nil {
return nil, fmt.Errorf("Error building BasicAuthPasswordIdentityProvider client: %v", err)
}
return basicauthpassword.New(identityProvider.Name, connectionInfo.URL, transport, identityMapper), nil
default:
return nil, fmt.Errorf("No password auth found that matches %v. The OAuth server cannot start!", identityProvider)
}
}
