diff --git a/api/ks-openapi-spec/swagger.json b/api/ks-openapi-spec/swagger.json index a5d7b7b20ef49f5d5a893eaecf8aaeaedd31274d..d34c5881a715575ef1ab4c4bc2ef9ede55de4740 100644 --- a/api/ks-openapi-spec/swagger.json +++ b/api/ks-openapi-spec/swagger.json @@ -3775,7 +3775,7 @@ "in": "body", "required": true, "schema": { - "$ref": "#/definitions/auth.LoginRequest" + "$ref": "#/definitions/oauth.LoginRequest" } } ], @@ -4524,7 +4524,7 @@ "in": "body", "required": true, "schema": { - "$ref": "#/definitions/iam.PasswordReset" + "$ref": "#/definitions/v1alpha2.PasswordReset" } }, { @@ -12627,7 +12627,7 @@ "in": "body", "required": true, "schema": { - "$ref": "#/definitions/auth.TokenReview" + "$ref": "#/definitions/oauth.TokenReview" } } ], @@ -12635,7 +12635,7 @@ "200": { "description": "ok", "schema": { - "$ref": "#/definitions/auth.TokenReview" + "$ref": "#/definitions/oauth.TokenReview" } } } @@ -13296,71 +13296,6 @@ } } }, - "auth.LoginRequest": { - "required": [ - "username", - "password" - ], - "properties": { - "password": { - "description": "password", - "type": "string" - }, - "username": { - "description": "username", - "type": "string" - } - } - }, - "auth.Spec": { - "required": [ - "token" - ], - "properties": { - "token": { - "description": "access token", - "type": "string" - } - } - }, - "auth.Status": { - "required": [ - "authenticated" - ], - "properties": { - "authenticated": { - "description": "is authenticated", - "type": "boolean" - }, - "user": { - "description": "user info", - "type": "object" - } - } - }, - "auth.TokenReview": { - "required": [ - "apiVersion", - "kind" - ], - "properties": { - "apiVersion": { - "description": "Kubernetes API version", - "type": "string" - }, - "kind": { - "description": "kind of the API object", - "type": "string" - }, - "spec": { - "$ref": "#/definitions/auth.Spec" - }, - "status": { - "description": "token review status", - "$ref": "#/definitions/auth.Status" - } - } - }, "big.Int": { "required": [ "neg", @@ -15275,20 +15210,6 @@ } } }, - "iam.PasswordReset": { - "required": [ - "currentPassword", - "password" - ], - "properties": { - "currentPassword": { - "type": "string" - }, - "password": { - "type": "string" - } - } - }, "inf.Dec": { "required": [ "unscaled", @@ -15674,6 +15595,48 @@ } } }, + "oauth.LoginRequest": { + "required": [ + "username", + "password" + ], + "properties": { + "password": { + "description": "password", + "type": "string" + }, + "username": { + "description": "username", + "type": "string" + } + } + }, + "oauth.Spec": { + "required": [ + "token" + ], + "properties": { + "token": { + "description": "access token", + "type": "string" + } + } + }, + "oauth.Status": { + "required": [ + "authenticated" + ], + "properties": { + "authenticated": { + "description": "is authenticated", + "type": "boolean" + }, + "user": { + "description": "user info", + "type": "object" + } + } + }, "oauth.Token": { "required": [ "access_token" @@ -15694,6 +15657,29 @@ } } }, + "oauth.TokenReview": { + "required": [ + "apiVersion", + "kind" + ], + "properties": { + "apiVersion": { + "description": "Kubernetes API version", + "type": "string" + }, + "kind": { + "description": "kind of the API object", + "type": "string" + }, + "spec": { + "$ref": "#/definitions/oauth.Spec" + }, + "status": { + "description": "token review status", + "$ref": "#/definitions/oauth.Status" + } + } + }, "openpitrix.App": { "required": [ "category_set" @@ -21672,6 +21658,20 @@ } } }, + "v1alpha2.PasswordReset": { + "required": [ + "currentPassword", + "password" + ], + "properties": { + "currentPassword": { + "type": "string" + }, + "password": { + "type": "string" + } + } + }, "v1alpha2.Row": { "required": [ "id", diff --git a/cmd/controller-manager/app/controllers.go b/cmd/controller-manager/app/controllers.go index 360f275fd57a1b3155c5964d56e2b311f47e74cd..77585ff4b4f7ee9f085abcc7f0d8ef69aeff5c56 100644 --- a/cmd/controller-manager/app/controllers.go +++ b/cmd/controller-manager/app/controllers.go @@ -34,6 +34,7 @@ import ( "kubesphere.io/kubesphere/pkg/controller/group" "kubesphere.io/kubesphere/pkg/controller/groupbinding" "kubesphere.io/kubesphere/pkg/controller/job" + "kubesphere.io/kubesphere/pkg/controller/loginrecord" "kubesphere.io/kubesphere/pkg/controller/network/ippool" "kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy" "kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy/provider" @@ -208,19 +209,19 @@ func addControllers( go fedWorkspaceRoleBindingCacheController.Run(stopCh) } - userController := user.NewUserController(client.Kubernetes(), client.KubeSphere(), - client.Config(), + userController := user.NewUserController(client.Kubernetes(), client.KubeSphere(), client.Config(), kubesphereInformer.Iam().V1alpha2().Users(), - fedUserCache, fedUserCacheController, kubesphereInformer.Iam().V1alpha2().LoginRecords(), + fedUserCache, fedUserCacheController, kubernetesInformer.Core().V1().ConfigMaps(), ldapClient, devopsClient, authenticationOptions, multiClusterEnabled) - loginRecordController := user.NewLoginRecordController( + loginRecordController := loginrecord.NewLoginRecordController( client.Kubernetes(), client.KubeSphere(), kubesphereInformer.Iam().V1alpha2().LoginRecords(), + kubesphereInformer.Iam().V1alpha2().Users(), authenticationOptions.LoginHistoryRetentionPeriod) csrController := certificatesigningrequest.NewController(client.Kubernetes(), diff --git a/config/crds/iam.kubesphere.io_groupbindings.yaml b/config/crds/iam.kubesphere.io_groupbindings.yaml index df2fdecf5e31098a948cd99980e4ae9560f20457..9b7f1832aba6657fb2ea17c92f1a23fafe965096 100644 --- a/config/crds/iam.kubesphere.io_groupbindings.yaml +++ b/config/crds/iam.kubesphere.io_groupbindings.yaml @@ -35,7 +35,7 @@ spec: internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string groupRef: - description: Ref defines the desired relation of GroupBinding + description: GroupRef defines the desired relation of GroupBinding properties: apiGroup: type: string diff --git a/config/crds/iam.kubesphere.io_users.yaml b/config/crds/iam.kubesphere.io_users.yaml index 07084d0ac781ac62c9350d5a4f5effda06096ec2..3078cbb7042080125d0f115ad7c2842eb727bb12 100644 --- a/config/crds/iam.kubesphere.io_users.yaml +++ b/config/crds/iam.kubesphere.io_users.yaml @@ -24,7 +24,8 @@ spec: plural: users singular: user scope: Cluster - subresources: {} + subresources: + status: {} validation: openAPIV3Schema: description: User is the Schema for the users API diff --git a/go.mod b/go.mod index 97a4bea9d0d3af246a5535483b52a998b98d1185..27929dbe44094d845256179302632db4c2c25a37 100644 --- a/go.mod +++ b/go.mod @@ -38,16 +38,16 @@ require ( github.com/gocraft/dbr v0.0.0-20180507214907-a0fd650918f6 github.com/golang/example v0.0.0-20170904185048-46695d81d1fa github.com/golang/mock v1.2.0 - github.com/golang/protobuf v1.4.3 + github.com/golang/protobuf v1.4.0 github.com/google/go-cmp v0.4.0 github.com/google/go-querystring v1.0.0 // indirect github.com/google/uuid v1.1.1 github.com/gorilla/mux v1.7.1 // indirect github.com/gorilla/websocket v1.4.1 github.com/hashicorp/go-version v1.2.0 // indirect - github.com/json-iterator/go v1.1.10 + github.com/json-iterator/go v1.1.9 github.com/kelseyhightower/envconfig v1.4.0 // indirect - github.com/kiali/kiali v1.26.0 + github.com/kiali/kiali v0.15.1-0.20201110082537-0c2b977257d4 github.com/kubernetes-csi/external-snapshotter/v2 v2.1.0 github.com/kubesphere/sonargo v0.0.2 github.com/lib/pq v1.2.0 // indirect @@ -62,9 +62,9 @@ require ( github.com/projectcalico/kube-controllers v3.8.8+incompatible github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce github.com/prometheus-community/prom-label-proxy v0.2.0 - github.com/prometheus/client_golang v1.8.0 - github.com/prometheus/common v0.14.0 - github.com/prometheus/prometheus v2.5.0+incompatible + github.com/prometheus/client_golang v1.5.1 + github.com/prometheus/common v0.9.1 + github.com/prometheus/prometheus v1.8.2-0.20200507164740-ecee9c8abfd1 github.com/sony/sonyflake v1.0.0 github.com/speps/go-hashids v2.0.0+incompatible github.com/spf13/cobra v0.0.5 @@ -73,13 +73,13 @@ require ( github.com/stretchr/testify v1.4.0 github.com/xanzy/ssh-agent v0.2.1 // indirect golang.org/x/crypto v0.0.0-20200422194213-44a606286825 - golang.org/x/net v0.0.0-20200625001655-4c5254603344 + golang.org/x/net v0.0.0-20200421231249-e086a090c8fd golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d google.golang.org/grpc v1.29.0 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect gopkg.in/src-d/go-git.v4 v4.11.0 - gopkg.in/yaml.v2 v2.3.0 + gopkg.in/yaml.v2 v2.2.8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c gotest.tools v2.2.0+incompatible istio.io/api v0.0.0-20191111210003-35e06ef8d838 @@ -107,15 +107,25 @@ require ( replace ( cloud.google.com/go => cloud.google.com/go v0.38.0 + cloud.google.com/go/bigquery => cloud.google.com/go/bigquery v1.3.0 + cloud.google.com/go/bigtable => cloud.google.com/go/bigtable v1.2.0 + cloud.google.com/go/pubsub => cloud.google.com/go/pubsub v1.1.0 + cloud.google.com/go/storage => cloud.google.com/go/storage v1.5.0 code.cloudfoundry.org/bytefmt => code.cloudfoundry.org/bytefmt v0.0.0-20190710193110-1eb035ffe2b6 + collectd.org => collectd.org v0.3.0 + github.com/Azure/azure-sdk-for-go => github.com/Azure/azure-sdk-for-go v41.3.0+incompatible github.com/Azure/go-ansiterm => github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 github.com/Azure/go-autorest/autorest => github.com/Azure/go-autorest/autorest v0.9.0 github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.5.0 github.com/Azure/go-autorest/autorest/date => github.com/Azure/go-autorest/autorest/date v0.1.0 github.com/Azure/go-autorest/autorest/mocks => github.com/Azure/go-autorest/autorest/mocks v0.2.0 + github.com/Azure/go-autorest/autorest/to => github.com/Azure/go-autorest/autorest/to v0.3.0 + github.com/Azure/go-autorest/autorest/validation => github.com/Azure/go-autorest/autorest/validation v0.2.0 github.com/Azure/go-autorest/logger => github.com/Azure/go-autorest/logger v0.1.0 github.com/Azure/go-autorest/tracing => github.com/Azure/go-autorest/tracing v0.5.0 github.com/BurntSushi/toml => github.com/BurntSushi/toml v0.3.1 + github.com/DATA-DOG/go-sqlmock => github.com/DATA-DOG/go-sqlmock v1.3.3 + github.com/DataDog/datadog-go => github.com/DataDog/datadog-go v3.2.0+incompatible github.com/MakeNowJust/heredoc => github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd github.com/Masterminds/goutils => github.com/Masterminds/goutils v1.1.0 github.com/Masterminds/semver => github.com/Masterminds/semver v1.5.0 @@ -135,10 +145,14 @@ replace ( github.com/alcortesm/tgz => github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 github.com/alecthomas/template => github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc github.com/alecthomas/units => github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf + github.com/andreyvit/diff => github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 github.com/andybalholm/cascadia => github.com/andybalholm/cascadia v1.0.0 github.com/anmitsu/go-shlex => github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 - github.com/appscode/jsonpatch => github.com/appscode/jsonpatch v0.0.0-20190108182946-7c0e3b262f30 + github.com/apache/arrow/go/arrow => github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db + github.com/armon/circbuf => github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e github.com/armon/consul-api => github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6 + github.com/armon/go-metrics => github.com/armon/go-metrics v0.3.3 + github.com/armon/go-radix => github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 github.com/asaskevich/govalidator => github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a github.com/aws/aws-sdk-go => github.com/aws/aws-sdk-go v1.22.2 github.com/beevik/etree => github.com/beevik/etree v1.1.0 @@ -147,17 +161,25 @@ replace ( github.com/bitly/go-simplejson => github.com/bitly/go-simplejson v0.5.0 github.com/blang/semver => github.com/blang/semver v3.5.0+incompatible github.com/bmizerany/assert => github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 + github.com/bmizerany/pat => github.com/bmizerany/pat v0.0.0-20170815010413-6226ea591a40 + github.com/boltdb/bolt => github.com/boltdb/bolt v1.3.1 github.com/bshuster-repo/logrus-logstash-hook => github.com/bshuster-repo/logrus-logstash-hook v0.4.1 github.com/bugsnag/bugsnag-go => github.com/bugsnag/bugsnag-go v1.5.0 github.com/bugsnag/panicwrap => github.com/bugsnag/panicwrap v1.2.0 + github.com/c-bata/go-prompt => github.com/c-bata/go-prompt v0.2.2 + github.com/cenkalti/backoff => github.com/cenkalti/backoff v0.0.0-20181003080854-62661b46c409 github.com/cespare/xxhash => github.com/cespare/xxhash v1.1.0 + github.com/cespare/xxhash/v2 => github.com/cespare/xxhash/v2 v2.1.1 github.com/chai2010/gettext-go => github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 github.com/chai2010/jsonmap => github.com/chai2010/jsonmap v1.0.0 + github.com/circonus-labs/circonus-gometrics => github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible + github.com/circonus-labs/circonusllhist => github.com/circonus-labs/circonusllhist v0.1.3 github.com/client9/misspell => github.com/client9/misspell v0.3.4 github.com/cockroachdb/datadriven => github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa github.com/container-storage-interface/spec => github.com/container-storage-interface/spec v1.2.0 github.com/containerd/containerd => github.com/containerd/containerd v1.3.0 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20181203112020-004b46473808 + github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.0 github.com/coreos/bbolt => github.com/coreos/bbolt v1.3.3 github.com/coreos/etcd => github.com/coreos/etcd v3.3.17+incompatible github.com/coreos/go-oidc => github.com/coreos/go-oidc v2.1.0+incompatible @@ -167,12 +189,15 @@ replace ( github.com/cpuguy83/go-md2man => github.com/cpuguy83/go-md2man v1.0.10 github.com/creack/pty => github.com/creack/pty v1.1.7 github.com/cyphar/filepath-securejoin => github.com/cyphar/filepath-securejoin v0.2.2 + github.com/dave/jennifer => github.com/dave/jennifer v1.2.0 github.com/davecgh/go-spew => github.com/davecgh/go-spew v1.1.1 github.com/daviddengcn/go-colortext => github.com/daviddengcn/go-colortext v0.0.0-20160507010035-511bcaf42ccd github.com/deckarep/golang-set => github.com/deckarep/golang-set v1.7.1 github.com/deislabs/oras => github.com/deislabs/oras v0.7.0 github.com/denisenkom/go-mssqldb => github.com/denisenkom/go-mssqldb v0.0.0-20190204142019-df6d76eb9289 github.com/dgrijalva/jwt-go => github.com/dgrijalva/jwt-go v3.2.0+incompatible + github.com/dgryski/go-bitstream => github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8 + github.com/dgryski/go-sip13 => github.com/dgryski/go-sip13 v0.0.0-20190329191031-25c5027a8c7b github.com/disintegration/imaging => github.com/disintegration/imaging v1.6.1 github.com/docker/cli => github.com/docker/cli v0.0.0-20190506213505-d88565df0c2d github.com/docker/distribution => github.com/docker/distribution v2.7.1+incompatible @@ -185,6 +210,8 @@ replace ( github.com/docker/spdystream => github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c github.com/docopt/docopt-go => github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815 github.com/dustin/go-humanize => github.com/dustin/go-humanize v1.0.0 + github.com/eclipse/paho.mqtt.golang => github.com/eclipse/paho.mqtt.golang v1.2.0 + github.com/edsrzf/mmap-go => github.com/edsrzf/mmap-go v1.0.0 github.com/elastic/go-elasticsearch/v5 => github.com/elastic/go-elasticsearch/v5 v5.6.1 github.com/elastic/go-elasticsearch/v6 => github.com/elastic/go-elasticsearch/v6 v6.8.2 github.com/elastic/go-elasticsearch/v7 => github.com/elastic/go-elasticsearch/v7 v7.3.0 @@ -207,6 +234,8 @@ replace ( github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.4.0 github.com/gliderlabs/ssh => github.com/gliderlabs/ssh v0.1.1 github.com/globalsign/mgo => github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8 + github.com/glycerine/go-unsnap-stream => github.com/glycerine/go-unsnap-stream v0.0.0-20180323001048-9f0cb55181dd + github.com/glycerine/goconvey => github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31 github.com/go-kit/kit => github.com/go-kit/kit v0.8.0 github.com/go-ldap/ldap => github.com/go-ldap/ldap v3.0.3+incompatible github.com/go-logfmt/logfmt => github.com/go-logfmt/logfmt v0.4.0 @@ -228,13 +257,25 @@ replace ( github.com/go-redis/redis => github.com/go-redis/redis v6.15.2+incompatible github.com/go-sql-driver/mysql => github.com/go-sql-driver/mysql v1.4.1 github.com/go-stack/stack => github.com/go-stack/stack v1.8.0 + github.com/gobuffalo/attrs => github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd + github.com/gobuffalo/depgen => github.com/gobuffalo/depgen v0.1.0 + github.com/gobuffalo/envy => github.com/gobuffalo/envy v1.7.0 github.com/gobuffalo/flect => github.com/gobuffalo/flect v0.1.5 + github.com/gobuffalo/genny => github.com/gobuffalo/genny v0.1.1 + github.com/gobuffalo/gitgen => github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211 + github.com/gobuffalo/gogen => github.com/gobuffalo/gogen v0.1.1 + github.com/gobuffalo/logger => github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2 + github.com/gobuffalo/mapi => github.com/gobuffalo/mapi v1.0.2 + github.com/gobuffalo/packd => github.com/gobuffalo/packd v0.1.0 + github.com/gobuffalo/packr/v2 => github.com/gobuffalo/packr/v2 v2.2.0 + github.com/gobuffalo/syncx => github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754 github.com/gobwas/glob => github.com/gobwas/glob v0.2.3 github.com/gocraft/dbr => github.com/gocraft/dbr v0.0.0-20180507214907-a0fd650918f6 github.com/gofrs/flock => github.com/gofrs/flock v0.7.1 github.com/gofrs/uuid => github.com/gofrs/uuid v3.2.0+incompatible github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.0 github.com/golang/example => github.com/golang/example v0.0.0-20170904185048-46695d81d1fa + github.com/golang/geo => github.com/golang/geo v0.0.0-20190916061304-5b978397cfec github.com/golang/glog => github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/golang/groupcache => github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6 github.com/golang/mock => github.com/golang/mock v1.2.0 @@ -244,6 +285,7 @@ replace ( github.com/golangplus/fmt => github.com/golangplus/fmt v0.0.0-20150411045040-2a5d6d7d2995 github.com/golangplus/testing => github.com/golangplus/testing v0.0.0-20180327235837-af21d9c3145e github.com/google/btree => github.com/google/btree v1.0.0 + github.com/google/flatbuffers => github.com/google/flatbuffers v1.11.0 github.com/google/go-cmp => github.com/google/go-cmp v0.3.0 github.com/google/go-querystring => github.com/google/go-querystring v1.0.0 github.com/google/gofuzz => github.com/google/gofuzz v1.0.0 @@ -254,6 +296,7 @@ replace ( github.com/googleapis/gax-go/v2 => github.com/googleapis/gax-go/v2 v2.0.4 github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.3.1 github.com/gophercloud/gophercloud => github.com/gophercloud/gophercloud v0.3.0 + github.com/gopherjs/gopherjs => github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 github.com/gorilla/handlers => github.com/gorilla/handlers v1.4.0 github.com/gorilla/mux => github.com/gorilla/mux v1.7.1 github.com/gorilla/websocket => github.com/gorilla/websocket v1.4.0 @@ -262,30 +305,65 @@ replace ( github.com/grpc-ecosystem/go-grpc-middleware => github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 github.com/grpc-ecosystem/go-grpc-prometheus => github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.11.3 + github.com/hashicorp/consul/api => github.com/hashicorp/consul/api v1.4.0 + github.com/hashicorp/consul/sdk => github.com/hashicorp/consul/sdk v0.4.0 + github.com/hashicorp/errwrap => github.com/hashicorp/errwrap v1.0.0 + github.com/hashicorp/go-cleanhttp => github.com/hashicorp/go-cleanhttp v0.5.1 + github.com/hashicorp/go-hclog => github.com/hashicorp/go-hclog v0.12.2 + github.com/hashicorp/go-immutable-radix => github.com/hashicorp/go-immutable-radix v1.2.0 + github.com/hashicorp/go-msgpack => github.com/hashicorp/go-msgpack v0.5.3 + github.com/hashicorp/go-multierror => github.com/hashicorp/go-multierror v1.0.0 + github.com/hashicorp/go-retryablehttp => github.com/hashicorp/go-retryablehttp v0.5.3 + github.com/hashicorp/go-rootcerts => github.com/hashicorp/go-rootcerts v1.0.2 + github.com/hashicorp/go-sockaddr => github.com/hashicorp/go-sockaddr v1.0.2 + github.com/hashicorp/go-syslog => github.com/hashicorp/go-syslog v1.0.0 + github.com/hashicorp/go-uuid => github.com/hashicorp/go-uuid v1.0.1 github.com/hashicorp/go-version => github.com/hashicorp/go-version v1.2.0 github.com/hashicorp/golang-lru => github.com/hashicorp/golang-lru v0.5.3 github.com/hashicorp/hcl => github.com/hashicorp/hcl v1.0.0 + github.com/hashicorp/logutils => github.com/hashicorp/logutils v1.0.0 + github.com/hashicorp/mdns => github.com/hashicorp/mdns v1.0.1 + github.com/hashicorp/memberlist => github.com/hashicorp/memberlist v0.2.0 + github.com/hashicorp/serf => github.com/hashicorp/serf v0.9.0 github.com/hpcloud/tail => github.com/hpcloud/tail v1.0.0 github.com/huandu/xstrings => github.com/huandu/xstrings v1.2.0 github.com/imdario/mergo => github.com/imdario/mergo v0.3.7 github.com/inconshreveable/mousetrap => github.com/inconshreveable/mousetrap v1.0.0 + github.com/influxdata/flux => github.com/influxdata/flux v0.65.0 + github.com/influxdata/influxdb => github.com/influxdata/influxdb v1.8.0 + github.com/influxdata/influxql => github.com/influxdata/influxql v1.1.0 + github.com/influxdata/line-protocol => github.com/influxdata/line-protocol v0.0.0-20180522152040-32c6aa80de5e + github.com/influxdata/promql/v2 => github.com/influxdata/promql/v2 v2.12.0 + github.com/influxdata/roaring => github.com/influxdata/roaring v0.4.13-0.20180809181101-fc520f41fab6 + github.com/influxdata/tdigest => github.com/influxdata/tdigest v0.0.0-20181121200506-bf2b5ad3c0a9 + github.com/influxdata/usage-client => github.com/influxdata/usage-client v0.0.0-20160829180054-6d3895376368 github.com/jbenet/go-context => github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 github.com/jessevdk/go-flags => github.com/jessevdk/go-flags v1.4.0 github.com/jinzhu/gorm => github.com/jinzhu/gorm v1.9.2 github.com/jinzhu/inflection => github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a github.com/jinzhu/now => github.com/jinzhu/now v1.0.0 github.com/jmespath/go-jmespath => github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af + github.com/joho/godotenv => github.com/joho/godotenv v1.3.0 github.com/jonboulle/clockwork => github.com/jonboulle/clockwork v0.1.0 + github.com/jpillora/backoff => github.com/jpillora/backoff v1.0.0 github.com/json-iterator/go => github.com/json-iterator/go v1.1.8 github.com/jstemmer/go-junit-report => github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 + github.com/jsternberg/zap-logfmt => github.com/jsternberg/zap-logfmt v1.0.0 + github.com/jtolds/gls => github.com/jtolds/gls v4.20.0+incompatible github.com/julienschmidt/httprouter => github.com/julienschmidt/httprouter v1.2.0 + github.com/jwilder/encoding => github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef github.com/kardianos/osext => github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 + github.com/karrick/godirwalk => github.com/karrick/godirwalk v1.10.3 github.com/kelseyhightower/envconfig => github.com/kelseyhightower/envconfig v1.4.0 github.com/kevinburke/ssh_config => github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e github.com/keybase/go-ps => github.com/keybase/go-ps v0.0.0-20161005175911-668c8856d999 github.com/kiali/kiali => github.com/kubesphere/kiali v0.15.1-0.20201110082537-0c2b977257d4 github.com/kisielk/errcheck => github.com/kisielk/errcheck v1.2.0 github.com/kisielk/gotool => github.com/kisielk/gotool v1.0.0 + github.com/klauspost/compress => github.com/klauspost/compress v1.9.5 + github.com/klauspost/cpuid => github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5 + github.com/klauspost/crc32 => github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6 + github.com/klauspost/pgzip => github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada github.com/koding/multiconfig => github.com/koding/multiconfig v0.0.0-20171124222453-69c27309b2d7 github.com/konsorten/go-windows-terminal-sequences => github.com/konsorten/go-windows-terminal-sequences v1.0.2 github.com/kr/logfmt => github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 @@ -296,31 +374,41 @@ replace ( github.com/kubernetes-csi/csi-test => github.com/kubernetes-csi/csi-test v2.0.0+incompatible github.com/kubernetes-csi/external-snapshotter/v2 => github.com/kubernetes-csi/external-snapshotter/v2 v2.1.0 github.com/kubesphere/sonargo => github.com/kubesphere/sonargo v0.0.2 + github.com/kylelemons/godebug => github.com/kylelemons/godebug v0.0.0-20160406211939-eadb3ce320cb github.com/leodido/go-urn => github.com/leodido/go-urn v1.1.0 github.com/lib/pq => github.com/lib/pq v1.2.0 github.com/liggitt/tabwriter => github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de github.com/lithammer/dedent => github.com/lithammer/dedent v1.1.0 github.com/magiconair/properties => github.com/magiconair/properties v1.8.0 github.com/mailru/easyjson => github.com/mailru/easyjson v0.7.0 + github.com/markbates/oncer => github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2 + github.com/markbates/safe => github.com/markbates/safe v1.0.1 github.com/mattn/go-colorable => github.com/mattn/go-colorable v0.1.2 github.com/mattn/go-isatty => github.com/mattn/go-isatty v0.0.8 github.com/mattn/go-runewidth => github.com/mattn/go-runewidth v0.0.0-20181025052659-b20a3daf6a39 github.com/mattn/go-shellwords => github.com/mattn/go-shellwords v1.0.5 github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.11.0 + github.com/mattn/go-tty => github.com/mattn/go-tty v0.0.0-20180907095812-13ff1204f104 github.com/matttproud/golang_protobuf_extensions => github.com/matttproud/golang_protobuf_extensions v1.0.1 github.com/miekg/dns => github.com/miekg/dns v0.0.0-20181005163659-0d29b283ac0f + github.com/mitchellh/cli => github.com/mitchellh/cli v1.0.0 github.com/mitchellh/copystructure => github.com/mitchellh/copystructure v1.0.0 github.com/mitchellh/go-homedir => github.com/mitchellh/go-homedir v1.1.0 + github.com/mitchellh/go-testing-interface => github.com/mitchellh/go-testing-interface v1.0.0 github.com/mitchellh/go-wordwrap => github.com/mitchellh/go-wordwrap v1.0.0 github.com/mitchellh/mapstructure => github.com/mitchellh/mapstructure v1.1.2 github.com/mitchellh/reflectwalk => github.com/mitchellh/reflectwalk v1.0.0 github.com/mna/pigeon => github.com/mna/pigeon v0.0.0-20180808201053-bb0192cfc2ae github.com/modern-go/concurrent => github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd github.com/modern-go/reflect2 => github.com/modern-go/reflect2 v1.0.1 + github.com/montanaflynn/stats => github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe github.com/morikuni/aec => github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c + github.com/mschoch/smat => github.com/mschoch/smat v0.0.0-20160514031455-90eadee771ae github.com/munnerz/goautoneg => github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d github.com/mwitkow/go-conntrack => github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223 github.com/mxk/go-flowrate => github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f + github.com/oklog/run => github.com/oklog/run v1.1.0 + github.com/oklog/ulid => github.com/oklog/ulid v1.3.1 github.com/olekukonko/tablewriter => github.com/olekukonko/tablewriter v0.0.1 github.com/onsi/ginkgo => github.com/onsi/ginkgo v1.8.0 github.com/onsi/gomega => github.com/onsi/gomega v1.5.0 @@ -330,8 +418,11 @@ replace ( github.com/opencontainers/runc => github.com/opencontainers/runc v0.1.1 github.com/openshift/api => github.com/openshift/api v0.0.0-20180801171038-322a19404e37 github.com/openshift/generic-admission-server => github.com/openshift/generic-admission-server v1.14.0 + github.com/opentracing-contrib/go-stdlib => github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9 github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0 + github.com/pascaldekloe/goe => github.com/pascaldekloe/goe v0.1.0 github.com/patrickmn/go-cache => github.com/patrickmn/go-cache v2.1.0+incompatible + github.com/paulbellamy/ratecounter => github.com/paulbellamy/ratecounter v0.2.0 github.com/pborman/uuid => github.com/pborman/uuid v1.2.0 github.com/pelletier/go-buffruneio => github.com/pelletier/go-buffruneio v0.2.0 github.com/pelletier/go-toml => github.com/pelletier/go-toml v1.2.0 @@ -339,8 +430,11 @@ replace ( github.com/peterh/liner => github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d github.com/phayes/freeport => github.com/phayes/freeport v0.0.0-20171002181615-b8543db493a5 github.com/philhofer/fwd => github.com/philhofer/fwd v1.0.0 + github.com/pierrec/lz4 => github.com/pierrec/lz4 v2.0.5+incompatible github.com/pkg/errors => github.com/pkg/errors v0.8.1 + github.com/pkg/term => github.com/pkg/term v0.0.0-20180730021639-bffc007b7fd5 github.com/pmezard/go-difflib => github.com/pmezard/go-difflib v1.0.0 + github.com/posener/complete => github.com/posener/complete v1.1.1 github.com/pquerna/cachecontrol => github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021 github.com/pquerna/ffjson => github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9 github.com/projectcalico/go-json => github.com/projectcalico/go-json v0.0.0-20161128004156-6219dc7339ba @@ -348,6 +442,8 @@ replace ( github.com/projectcalico/go-yaml-wrapper => github.com/projectcalico/go-yaml-wrapper v0.0.0-20161127220527-598e54215bee github.com/projectcalico/kube-controllers => github.com/projectcalico/kube-controllers v3.8.8+incompatible github.com/projectcalico/libcalico-go => github.com/projectcalico/libcalico-go v1.7.2-0.20191104213956-8f81e1e344ce + github.com/prometheus-community/prom-label-proxy => github.com/prometheus-community/prom-label-proxy v0.2.0 + github.com/prometheus/alertmanager => github.com/prometheus/alertmanager v0.20.0 github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.5.1 github.com/prometheus/client_model => github.com/prometheus/client_model v0.2.0 github.com/prometheus/common => github.com/prometheus/common v0.9.1 @@ -355,15 +451,26 @@ replace ( github.com/prometheus/prometheus => github.com/prometheus/prometheus v1.8.2-0.20200507164740-ecee9c8abfd1 github.com/rcrowley/go-metrics => github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a github.com/remyoudompheng/bigfft => github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446 + github.com/retailnext/hllpp => github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52 github.com/robfig/cron => github.com/robfig/cron v1.2.0 github.com/rogpeppe/fastuuid => github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af github.com/rogpeppe/go-charset => github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4 + github.com/rogpeppe/go-internal => github.com/rogpeppe/go-internal v1.3.0 + github.com/rs/cors => github.com/rs/cors v1.6.0 github.com/russross/blackfriday => github.com/russross/blackfriday v1.5.2 + github.com/ryanuber/columnize => github.com/ryanuber/columnize v2.1.0+incompatible + github.com/samuel/go-zookeeper => github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da github.com/satori/go.uuid => github.com/satori/go.uuid v1.2.0 + github.com/sean-/seed => github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 + github.com/segmentio/kafka-go => github.com/segmentio/kafka-go v0.2.0 github.com/sergi/go-diff => github.com/sergi/go-diff v1.0.0 github.com/shirou/gopsutil => github.com/shirou/gopsutil v0.0.0-20180427012116-c95755e4bcd7 github.com/shirou/w32 => github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 + github.com/shurcooL/httpfs => github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 + github.com/shurcooL/vfsgen => github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd github.com/sirupsen/logrus => github.com/sirupsen/logrus v1.4.2 + github.com/smartystreets/assertions => github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d + github.com/smartystreets/goconvey => github.com/smartystreets/goconvey v1.6.4 github.com/soheilhy/cmux => github.com/soheilhy/cmux v0.1.4 github.com/sony/sonyflake => github.com/sony/sonyflake v0.0.0-20181109022403-6d5bd6181009 github.com/spaolacci/murmur3 => github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 @@ -377,13 +484,19 @@ replace ( github.com/src-d/gcfg => github.com/src-d/gcfg v1.4.0 github.com/stretchr/objx => github.com/stretchr/objx v0.2.0 github.com/stretchr/testify => github.com/stretchr/testify v1.4.0 - github.com/syndtr/goleveldb => github.com/syndtr/goleveldb v1.0.0 + github.com/tidwall/pretty => github.com/tidwall/pretty v1.0.0 github.com/tinylib/msgp => github.com/tinylib/msgp v1.1.0 github.com/tmc/grpc-websocket-proxy => github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 + github.com/tv42/httpunix => github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 + github.com/uber/jaeger-client-go => github.com/uber/jaeger-client-go v2.23.0+incompatible + github.com/uber/jaeger-lib => github.com/uber/jaeger-lib v2.2.0+incompatible github.com/ugorji/go => github.com/ugorji/go v1.1.4 github.com/ugorji/go/codec => github.com/ugorji/go/codec v0.0.0-20190128213124-ee1426cffec0 github.com/urfave/cli => github.com/urfave/cli v1.20.0 + github.com/willf/bitset => github.com/willf/bitset v1.1.3 github.com/xanzy/ssh-agent => github.com/xanzy/ssh-agent v0.2.1 + github.com/xdg/scram => github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c + github.com/xdg/stringprep => github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc github.com/xeipuuv/gojsonpointer => github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f github.com/xeipuuv/gojsonreference => github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 github.com/xeipuuv/gojsonschema => github.com/xeipuuv/gojsonschema v1.2.0 @@ -398,6 +511,7 @@ replace ( github.com/yvasiyarov/newrelic_platform_go => github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f go.etcd.io/bbolt => go.etcd.io/bbolt v1.3.3 go.etcd.io/etcd => go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 + go.mongodb.org/mongo-driver => go.mongodb.org/mongo-driver v1.3.2 go.opencensus.io => go.opencensus.io v0.21.0 go.uber.org/atomic => go.uber.org/atomic v1.4.0 go.uber.org/multierr => go.uber.org/multierr v1.1.0 @@ -427,7 +541,9 @@ replace ( gopkg.in/asn1-ber.v1 => gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d gopkg.in/check.v1 => gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 gopkg.in/cheggaaa/pb.v1 => gopkg.in/cheggaaa/pb.v1 v1.0.25 + gopkg.in/errgo.v2 => gopkg.in/errgo.v2 v2.1.0 gopkg.in/fsnotify.v1 => gopkg.in/fsnotify.v1 v1.4.7 + gopkg.in/fsnotify/fsnotify.v1 => gopkg.in/fsnotify/fsnotify.v1 v1.4.7 gopkg.in/gemnasium/logrus-airbrake-hook.v2 => gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 gopkg.in/go-playground/assert.v1 => gopkg.in/go-playground/assert.v1 v1.2.1 gopkg.in/go-playground/validator.v8 => gopkg.in/go-playground/validator.v8 v8.18.2 @@ -480,6 +596,7 @@ replace ( openpitrix.io/logger => openpitrix.io/logger v0.1.0 openpitrix.io/notification => openpitrix.io/notification v0.2.2 openpitrix.io/openpitrix => openpitrix.io/openpitrix v0.4.9-0.20200611125425-ae07f141e797 + rsc.io/binaryregexp => rsc.io/binaryregexp v0.2.0 rsc.io/goversion => rsc.io/goversion v1.0.0 rsc.io/letsencrypt => rsc.io/letsencrypt v0.0.1 sigs.k8s.io/application => kubesphere.io/application v1.0.0 diff --git a/go.sum b/go.sum index 8e0728cece1b72ed761f331a2ba40b1922d05319..667d7ef879ee334ca4b87f39db5ae02c00c6a49d 100644 --- a/go.sum +++ b/go.sum @@ -3,7 +3,6 @@ cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSR cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigtable v1.2.0/go.mod h1:JcVAOl45lrTmQfLj7T6TxyMzIN/3FGGcFm+2xVAli2o= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= code.cloudfoundry.org/bytefmt v0.0.0-20190710193110-1eb035ffe2b6 h1:tW+ztA4A9UT9xnco5wUjW1oNi35k22eUEn9tNpPYVwE= code.cloudfoundry.org/bytefmt v0.0.0-20190710193110-1eb035ffe2b6/go.mod h1:wN/zk7mhREp/oviagqUXY3EwuHhWyOvAdsn5Y4CzOrc= @@ -60,7 +59,6 @@ github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYU github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db/go.mod h1:VTxUBvSJ3s3eHAg65PNgrsn5BtqCRPdmyXh6rAfdxN0= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-metrics v0.3.3/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= @@ -228,26 +226,16 @@ github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= -github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= -github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= github.com/gobuffalo/flect v0.1.5 h1:xpKq9ap8MbYfhuPCF0dBH854Gp9CxZjr/IocxELFflo= github.com/gobuffalo/flect v0.1.5/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= -github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= -github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= -github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= -github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= -github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= -github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= -github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= @@ -309,35 +297,25 @@ github.com/grpc-ecosystem/grpc-gateway v1.11.3/go.mod h1:vNeuVxBJEsws4ogUvrchl83 github.com/hashicorp/consul/api v1.4.0/go.mod h1:xc8u05kyMa3Wjr9eEAsIAo3dg8+LywT5E/Cl7cNS5nU= github.com/hashicorp/consul/sdk v0.4.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.12.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.2.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.3 h1:YPkqC67at8FYaadspW/6uE0COsBxS2656RLEr8Bppgk= github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/memberlist v0.2.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/serf v0.9.0/go.mod h1:YL0HO+FifKOW2u1ke99DGVu1zhcpZzNwrLIqBC7vbYU= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= @@ -374,7 +352,6 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef/go.mod h1:Ct9fl0F6iIOGgxJ5npU/IUOhOhqlVrGjyIZc8/MagT0= github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8= -github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= @@ -383,7 +360,6 @@ github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT github.com/keybase/go-ps v0.0.0-20161005175911-668c8856d999/go.mod h1:hY+WOq6m2FpbvyrI93sMaypsttvaIL5nhVR92dTMUcQ= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= @@ -438,8 +414,6 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= @@ -457,7 +431,6 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= @@ -479,7 +452,6 @@ github.com/openshift/generic-admission-server v1.14.0/go.mod h1:GD9KN/W4KxqRQGVM github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9/go.mod h1:PLldrQSroqzH70Xl+1DQcGnefIbqsKR7UDaiux3zV+w= github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= @@ -533,17 +505,13 @@ github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52/go.mod h1:RDpi1 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= -github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/segmentio/kafka-go v0.1.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/segmentio/kafka-go v0.2.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= diff --git a/pkg/api/auth/types.go b/pkg/api/auth/types.go deleted file mode 100644 index 258125ef3085e5c2e2f0eeec87cd1ba171f96cc6..0000000000000000000000000000000000000000 --- a/pkg/api/auth/types.go +++ /dev/null @@ -1,51 +0,0 @@ -/* -Copyright 2020 The KubeSphere Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package auth - -import "fmt" - -const ( - KindTokenReview = "TokenReview" -) - -type Spec struct { - Token string `json:"token" description:"access token"` -} - -type Status struct { - Authenticated bool `json:"authenticated" description:"is authenticated"` - User map[string]interface{} `json:"user,omitempty" description:"user info"` -} - -type TokenReview struct { - APIVersion string `json:"apiVersion" description:"Kubernetes API version"` - Kind string `json:"kind" description:"kind of the API object"` - Spec *Spec `json:"spec,omitempty"` - Status *Status `json:"status,omitempty" description:"token review status"` -} - -type LoginRequest struct { - Username string `json:"username" description:"username"` - Password string `json:"password" description:"password"` -} - -func (request *TokenReview) Validate() error { - if request.Spec == nil || request.Spec.Token == "" { - return fmt.Errorf("token must not be null") - } - return nil -} diff --git a/pkg/api/utils.go b/pkg/api/utils.go index 0df90901c2d3830ba7c182535212cad40ebb182a..6b4e6ffe19a86fae9b084c57ddfdbeeb86527f96 100644 --- a/pkg/api/utils.go +++ b/pkg/api/utils.go @@ -18,6 +18,7 @@ package api import ( "github.com/emicklei/go-restful" + "k8s.io/apimachinery/pkg/api/errors" "k8s.io/klog" "net/http" "runtime" @@ -28,32 +29,49 @@ import ( var sanitizer = strings.NewReplacer(`&`, "&", `<`, "<", `>`, ">") func HandleInternalError(response *restful.Response, req *restful.Request, err error) { - _, fn, line, _ := runtime.Caller(1) - klog.Errorf("%s:%d %v", fn, line, err) - http.Error(response, sanitizer.Replace(err.Error()), http.StatusInternalServerError) + handle(http.StatusInternalServerError, response, req, err) } // HandleBadRequest writes http.StatusBadRequest and log error func HandleBadRequest(response *restful.Response, req *restful.Request, err error) { - _, fn, line, _ := runtime.Caller(1) - klog.Errorf("%s:%d %v", fn, line, err) - http.Error(response, sanitizer.Replace(err.Error()), http.StatusBadRequest) + handle(http.StatusBadRequest, response, req, err) } func HandleNotFound(response *restful.Response, req *restful.Request, err error) { - _, fn, line, _ := runtime.Caller(1) - klog.Errorf("%s:%d %v", fn, line, err) - http.Error(response, sanitizer.Replace(err.Error()), http.StatusNotFound) + handle(http.StatusNotFound, response, req, err) } func HandleForbidden(response *restful.Response, req *restful.Request, err error) { - _, fn, line, _ := runtime.Caller(1) - klog.Errorf("%s:%d %v", fn, line, err) - http.Error(response, sanitizer.Replace(err.Error()), http.StatusForbidden) + handle(http.StatusForbidden, response, req, err) +} + +func HandleUnauthorized(response *restful.Response, req *restful.Request, err error) { + handle(http.StatusUnauthorized, response, req, err) +} + +func HandleTooManyRequests(response *restful.Response, req *restful.Request, err error) { + handle(http.StatusTooManyRequests, response, req, err) } func HandleConflict(response *restful.Response, req *restful.Request, err error) { - _, fn, line, _ := runtime.Caller(1) + handle(http.StatusConflict, response, req, err) +} + +func HandleError(response *restful.Response, req *restful.Request, err error) { + var statusCode int + switch t := err.(type) { + case errors.APIStatus: + statusCode = int(t.Status().Code) + case restful.ServiceError: + statusCode = t.Code + default: + statusCode = http.StatusInternalServerError + } + handle(statusCode, response, req, err) +} + +func handle(statusCode int, response *restful.Response, req *restful.Request, err error) { + _, fn, line, _ := runtime.Caller(2) klog.Errorf("%s:%d %v", fn, line, err) - http.Error(response, sanitizer.Replace(err.Error()), http.StatusConflict) + http.Error(response, sanitizer.Replace(err.Error()), statusCode) } diff --git a/pkg/apis/iam/v1alpha2/types.go b/pkg/apis/iam/v1alpha2/types.go index 62921a9dbf4c0109fe117addb8dc713d7380e667..403209c61ef6b6137e1ef7fd9c298038feef6c26 100644 --- a/pkg/apis/iam/v1alpha2/types.go +++ b/pkg/apis/iam/v1alpha2/types.go @@ -58,13 +58,20 @@ const ( GlobalRoleAnnotation = "iam.kubesphere.io/globalrole" WorkspaceRoleAnnotation = "iam.kubesphere.io/workspacerole" ClusterRoleAnnotation = "iam.kubesphere.io/clusterrole" + UninitializedAnnotation = "iam.kubesphere.io/uninitialized" RoleAnnotation = "iam.kubesphere.io/role" RoleTemplateLabel = "iam.kubesphere.io/role-template" ScopeLabelFormat = "scope.kubesphere.io/%s" UserReferenceLabel = "iam.kubesphere.io/user-ref" IdentifyProviderLabel = "iam.kubesphere.io/identify-provider" - PasswordEncryptedAnnotation = "iam.kubesphere.io/password-encrypted" + OriginUIDLabel = "iam.kubesphere.io/origin-uid" FieldEmail = "email" + ExtraEmail = FieldEmail + ExtraIdentityProvider = "idp" + ExtraUID = "uid" + ExtraUsername = "username" + ExtraDisplayName = "displayName" + ExtraUninitialized = "uninitialized" InGroup = "ingroup" NotInGroup = "notingroup" AggregateTo = "aggregateTo" @@ -76,6 +83,8 @@ const ( NamespaceAdmin = "admin" WorkspaceAdminFormat = "%s-admin" ClusterAdmin = "cluster-admin" + PreRegistrationUser = "system:pre-registration" + PreRegistrationUserGroup = "pre-registration" ) // +genclient @@ -87,6 +96,7 @@ const ( // +kubebuilder:printcolumn:name="Email",type="string",JSONPath=".spec.email" // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state" // +kubebuilder:resource:categories="iam",scope="Cluster" +// +kubebuilder:subresource:status type User struct { metav1.TypeMeta `json:",inline"` // Standard object's metadata. @@ -126,7 +136,7 @@ const ( UserActive UserState = "Active" // UserDisabled means the user is disabled. UserDisabled UserState = "Disabled" - // UserDisabled means the user is disabled. + // UserAuthLimitExceeded means restrict user login. UserAuthLimitExceeded UserState = "AuthLimitExceeded" AuthenticatedSuccessfully = "authenticated successfully" @@ -136,7 +146,7 @@ const ( type UserStatus struct { // The user status // +optional - State UserState `json:"state,omitempty"` + State *UserState `json:"state,omitempty"` // +optional Reason string `json:"reason,omitempty"` // +optional diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index 70a0e76fb6cc627ef8dc23afaa1a51ba37daf8e0..ab306fd878c193ed7e54d630ffd6ac1703479d02 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go @@ -20,6 +20,10 @@ import ( "bytes" "context" "fmt" + "kubesphere.io/kubesphere/pkg/apiserver/authorization/rbac" + "kubesphere.io/kubesphere/pkg/models/auth" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/loginrecord" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/user" "net/http" rt "runtime" "time" @@ -167,9 +171,15 @@ func (s *APIServer) PrepareRun(stopCh <-chan struct{}) error { // Installation happens before all informers start to cache objects, so // any attempt to list objects using listers will get empty results. func (s *APIServer) installKubeSphereAPIs() { - imOperator := im.NewOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory, s.Config.AuthenticationOptions) - amOperator := am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()) - rbacAuthorizer := authorizerfactory.NewRBACAuthorizer(amOperator) + imOperator := im.NewOperator(s.KubernetesClient.KubeSphere(), + user.New(s.InformerFactory.KubeSphereSharedInformerFactory(), + s.InformerFactory.KubernetesSharedInformerFactory()), + loginrecord.New(s.InformerFactory.KubeSphereSharedInformerFactory()), + s.Config.AuthenticationOptions) + amOperator := am.NewOperator(s.KubernetesClient.KubeSphere(), + s.KubernetesClient.Kubernetes(), + s.InformerFactory) + rbacAuthorizer := rbac.NewRBACAuthorizer(amOperator) urlruntime.Must(configv1alpha2.AddToContainer(s.container, s.Config)) urlruntime.Must(resourcev1alpha3.AddToContainer(s.container, s.InformerFactory)) @@ -187,20 +197,22 @@ func (s *APIServer) installKubeSphereAPIs() { s.Config.MultiClusterOptions.ProxyPublishService, s.Config.MultiClusterOptions.ProxyPublishAddress, s.Config.MultiClusterOptions.AgentImage)) - urlruntime.Must(iamapi.AddToContainer(s.container, imOperator, - am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()), + urlruntime.Must(iamapi.AddToContainer(s.container, imOperator, amOperator, group.New(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()), - s.Config.AuthenticationOptions)) + rbacAuthorizer)) urlruntime.Must(oauth.AddToContainer(s.container, imOperator, - im.NewTokenOperator( + auth.NewTokenOperator( s.CacheClient, s.Config.AuthenticationOptions), - im.NewPasswordAuthenticator( + auth.NewPasswordAuthenticator( s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), s.Config.AuthenticationOptions), - im.NewLoginRecorder(s.KubernetesClient.KubeSphere()), + auth.NewOAuth2Authenticator(s.KubernetesClient.KubeSphere(), + s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), + s.Config.AuthenticationOptions), + auth.NewLoginRecorder(s.KubernetesClient.KubeSphere()), s.Config.AuthenticationOptions)) urlruntime.Must(servicemeshv1alpha2.AddToContainer(s.container)) urlruntime.Must(networkv1alpha2.AddToContainer(s.container, s.Config.NetworkOptions.WeaveScopeHost)) @@ -211,7 +223,7 @@ func (s *APIServer) installKubeSphereAPIs() { s.KubernetesClient.KubeSphere(), s.S3Client, s.Config.DevopsOptions.Host, - am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()))) + amOperator)) urlruntime.Must(devopsv1alpha3.AddToContainer(s.container, s.DevopsClient, s.KubernetesClient.Kubernetes(), @@ -285,7 +297,7 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) { excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*", "/kapis/version"} pathAuthorizer, _ := path.NewAuthorizer(excludedPaths) amOperator := am.NewReadOnlyOperator(s.InformerFactory) - authorizers = unionauthorizer.New(pathAuthorizer, authorizerfactory.NewRBACAuthorizer(amOperator)) + authorizers = unionauthorizer.New(pathAuthorizer, rbac.NewRBACAuthorizer(amOperator)) } handler = filters.WithAuthorization(handler, authorizers) @@ -295,12 +307,16 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) { handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher) } - loginRecorder := im.NewLoginRecorder(s.KubernetesClient.KubeSphere()) + loginRecorder := auth.NewLoginRecorder(s.KubernetesClient.KubeSphere()) // authenticators are unordered authn := unionauth.New(anonymous.NewAuthenticator(), - basictoken.New(basic.NewBasicAuthenticator(im.NewPasswordAuthenticator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), s.Config.AuthenticationOptions))), - bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister()))) - handler = filters.WithAuthentication(handler, authn, loginRecorder) + basictoken.New(basic.NewBasicAuthenticator(auth.NewPasswordAuthenticator(s.KubernetesClient.KubeSphere(), + s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), + s.Config.AuthenticationOptions), loginRecorder)), + bearertoken.New(jwttoken.NewTokenAuthenticator(auth.NewTokenOperator(s.CacheClient, + s.Config.AuthenticationOptions), + s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister()))) + handler = filters.WithAuthentication(handler, authn) handler = filters.WithRequestInfo(handler, requestInfoResolver) s.Server.Handler = handler } diff --git a/pkg/apiserver/authentication/authenticators/basic/basic.go b/pkg/apiserver/authentication/authenticators/basic/basic.go index 7f40efc2d01dca9838a473e3e194d15928cc25d7..525daa31fa28bdea3501fe0ce4d304ce5c188cfd 100644 --- a/pkg/apiserver/authentication/authenticators/basic/basic.go +++ b/pkg/apiserver/authentication/authenticators/basic/basic.go @@ -18,10 +18,13 @@ package basic import ( "context" + "k8s.io/klog" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/apiserver/request" + "kubesphere.io/kubesphere/pkg/models/auth" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" - "kubesphere.io/kubesphere/pkg/models/iam/im" ) // TokenAuthenticator implements kubernetes token authenticate interface with our custom logic. @@ -30,28 +33,36 @@ import ( // and group from user.AllUnauthenticated. This helps requests be passed along the handler chain, // because some resources are public accessible. type basicAuthenticator struct { - authenticator im.PasswordAuthenticator + authenticator auth.PasswordAuthenticator + loginRecorder auth.LoginRecorder } -func NewBasicAuthenticator(authenticator im.PasswordAuthenticator) authenticator.Password { +func NewBasicAuthenticator(authenticator auth.PasswordAuthenticator, loginRecorder auth.LoginRecorder) authenticator.Password { return &basicAuthenticator{ authenticator: authenticator, + loginRecorder: loginRecorder, } } func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) { - - providedUser, err := t.authenticator.Authenticate(username, password) - + authenticated, provider, err := t.authenticator.Authenticate(username, password) if err != nil { + if t.loginRecorder != nil && err == auth.IncorrectPasswordError { + var sourceIP, userAgent string + if requestInfo, ok := request.RequestInfoFrom(ctx); ok { + sourceIP = requestInfo.SourceIP + userAgent = requestInfo.UserAgent + } + if err := t.loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, provider, sourceIP, userAgent, err); err != nil { + klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err) + } + } return nil, false, err } - return &authenticator.Response{ User: &user.DefaultInfo{ - Name: providedUser.GetName(), - UID: providedUser.GetUID(), - Groups: append(providedUser.GetGroups(), user.AllAuthenticated), + Name: authenticated.GetName(), + Groups: append(authenticated.GetGroups(), user.AllAuthenticated), }, }, true, nil } diff --git a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go index 09c55cb13a77adc02128c1733f511ae13c590961..d4a9d55299c6d66cb12fc90f1cbf9194720568b3 100644 --- a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go +++ b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go @@ -18,13 +18,13 @@ package jwttoken import ( "context" - "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/klog" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/models/auth" iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" - "kubesphere.io/kubesphere/pkg/models/iam/im" ) // TokenAuthenticator implements kubernetes token authenticate interface with our custom logic. @@ -33,11 +33,11 @@ import ( // and group from user.AllUnauthenticated. This helps requests be passed along the handler chain, // because some resources are public accessible. type tokenAuthenticator struct { - tokenOperator im.TokenManagementInterface + tokenOperator auth.TokenManagementInterface userLister iamv1alpha2listers.UserLister } -func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token { +func NewTokenAuthenticator(tokenOperator auth.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token { return &tokenAuthenticator{ tokenOperator: tokenOperator, userLister: userLister, @@ -51,6 +51,16 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string return nil, false, err } + if providedUser.GetName() == iamv1alpha2.PreRegistrationUser { + return &authenticator.Response{ + User: &user.DefaultInfo{ + Name: providedUser.GetName(), + Extra: providedUser.GetExtra(), + Groups: providedUser.GetGroups(), + }, + }, true, nil + } + dbUser, err := t.userLister.Get(providedUser.GetName()) if err != nil { return nil, false, err @@ -58,8 +68,7 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string return &authenticator.Response{ User: &user.DefaultInfo{ - Name: providedUser.GetName(), - UID: providedUser.GetUID(), + Name: dbUser.GetName(), Groups: append(dbUser.Spec.Groups, user.AllAuthenticated), }, }, true, nil diff --git a/pkg/apiserver/authentication/identityprovider/aliyunidaas/idaas.go b/pkg/apiserver/authentication/identityprovider/aliyunidaas/idaas.go index 31468526d98738a7b709d72b41b93fb5ce75ab23..b7a7eab8a0b24d8bcac6335b86a6028895575cfd 100644 --- a/pkg/apiserver/authentication/identityprovider/aliyunidaas/idaas.go +++ b/pkg/apiserver/authentication/identityprovider/aliyunidaas/idaas.go @@ -20,15 +20,19 @@ import ( "context" "encoding/json" "errors" + "github.com/mitchellh/mapstructure" "io/ioutil" "golang.org/x/oauth2" - "gopkg.in/yaml.v3" "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" ) -type AliyunIDaaS struct { +func init() { + identityprovider.RegisterOAuthProvider(&idaasProviderFactory{}) +} + +type aliyunIDaaS struct { // ClientID is the application's ID. ClientID string `json:"clientID" yaml:"clientID"` @@ -39,7 +43,7 @@ type AliyunIDaaS struct { // URLs. These are constants specific to each server and are // often available via site-specific packages, such as // google.Endpoint or github.Endpoint. - Endpoint Endpoint `json:"endpoint" yaml:"endpoint"` + Endpoint endpoint `json:"endpoint" yaml:"endpoint"` // RedirectURL is the URL to redirect users going through // the OAuth flow, after the resource owner's URLs. @@ -49,15 +53,15 @@ type AliyunIDaaS struct { Scopes []string `json:"scopes" yaml:"scopes"` } -// Endpoint represents an OAuth 2.0 provider's authorization and token +// endpoint represents an OAuth 2.0 provider's authorization and token // endpoint URLs. -type Endpoint struct { +type endpoint struct { AuthURL string `json:"authURL" yaml:"authURL"` TokenURL string `json:"tokenURL" yaml:"tokenURL"` UserInfoURL string `json:"user_info_url" yaml:"userInfoUrl"` } -type IDaaSIdentity struct { +type idaasIdentity struct { Sub string `json:"sub"` OuID string `json:"ou_id"` Nickname string `json:"nickname"` @@ -67,72 +71,73 @@ type IDaaSIdentity struct { Username string `json:"username"` } -type UserInfoResp struct { +type userInfoResp struct { Success bool `json:"success"` Message string `json:"message"` Code string `json:"code"` - IDaaSIdentity IDaaSIdentity `json:"data"` + IDaaSIdentity idaasIdentity `json:"data"` } -func init() { - identityprovider.RegisterOAuthProvider(&AliyunIDaaS{}) +type idaasProviderFactory struct { } -func (a *AliyunIDaaS) Type() string { +func (g *idaasProviderFactory) Type() string { return "AliyunIDaasProvider" } -func (a *AliyunIDaaS) Setup(options *oauth.DynamicOptions) (identityprovider.OAuthProvider, error) { - data, err := yaml.Marshal(options) - if err != nil { - return nil, err - } - var provider AliyunIDaaS - err = yaml.Unmarshal(data, &provider) - if err != nil { +func (g *idaasProviderFactory) Create(options *oauth.DynamicOptions) (identityprovider.OAuthProvider, error) { + var idaas aliyunIDaaS + if err := mapstructure.Decode(options, &idaas); err != nil { return nil, err } - return &provider, nil + return &idaas, nil } -func (a IDaaSIdentity) GetName() string { +func (a idaasIdentity) GetUserID() string { + return a.Sub +} + +func (a idaasIdentity) GetUsername() string { return a.Username } -func (a IDaaSIdentity) GetEmail() string { +func (a idaasIdentity) GetEmail() string { return a.Email } -func (g *AliyunIDaaS) IdentityExchange(code string) (identityprovider.Identity, error) { +func (a idaasIdentity) GetDisplayName() string { + return a.Nickname +} + +func (a *aliyunIDaaS) IdentityExchange(code string) (identityprovider.Identity, error) { config := oauth2.Config{ - ClientID: g.ClientID, - ClientSecret: g.ClientSecret, + ClientID: a.ClientID, + ClientSecret: a.ClientSecret, Endpoint: oauth2.Endpoint{ - AuthURL: g.Endpoint.AuthURL, - TokenURL: g.Endpoint.TokenURL, + AuthURL: a.Endpoint.AuthURL, + TokenURL: a.Endpoint.TokenURL, AuthStyle: oauth2.AuthStyleAutoDetect, }, - RedirectURL: g.RedirectURL, - Scopes: g.Scopes, + RedirectURL: a.RedirectURL, + Scopes: a.Scopes, } token, err := config.Exchange(context.Background(), code) if err != nil { return nil, err } - resp, err := oauth2.NewClient(context.Background(), oauth2.StaticTokenSource(token)).Get(g.Endpoint.UserInfoURL) + resp, err := oauth2.NewClient(context.Background(), oauth2.StaticTokenSource(token)).Get(a.Endpoint.UserInfoURL) if err != nil { return nil, err } data, err := ioutil.ReadAll(resp.Body) - - defer resp.Body.Close() if err != nil { return nil, err } + defer resp.Body.Close() - var UserInfoResp UserInfoResp + var UserInfoResp userInfoResp err = json.Unmarshal(data, &UserInfoResp) if err != nil { return nil, err diff --git a/pkg/apiserver/authentication/identityprovider/generic_provider.go b/pkg/apiserver/authentication/identityprovider/generic_provider.go new file mode 100644 index 0000000000000000000000000000000000000000..d0a96cf65dbef59b08df18d876337b4671458c59 --- /dev/null +++ b/pkg/apiserver/authentication/identityprovider/generic_provider.go @@ -0,0 +1,48 @@ +/* +Copyright 2020 The KubeSphere Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package identityprovider + +import ( + "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" +) + +var ( + builtinGenericProviders = make(map[string]GenericProviderFactory) +) + +type GenericProvider interface { + // Authenticate from remote server + Authenticate(username string, password string) (Identity, error) +} + +type GenericProviderFactory interface { + // Type unique type of the provider + Type() string + // Apply the dynamic options from kubesphere-config + Create(options *oauth.DynamicOptions) (GenericProvider, error) +} + +func CreateGenericProvider(providerType string, options *oauth.DynamicOptions) (GenericProvider, error) { + if factory, ok := builtinGenericProviders[providerType]; ok { + return factory.Create(options) + } + return nil, identityProviderNotFound +} + +func RegisterGenericProvider(factory GenericProviderFactory) { + builtinGenericProviders[factory.Type()] = factory +} diff --git a/pkg/apiserver/authentication/identityprovider/github/github.go b/pkg/apiserver/authentication/identityprovider/github/github.go index f052cf1a3725e2eed82fe7d47598cbb82a069e79..5cf96c9cb2275e4d95302ce727691fac30e7bafa 100644 --- a/pkg/apiserver/authentication/identityprovider/github/github.go +++ b/pkg/apiserver/authentication/identityprovider/github/github.go @@ -19,8 +19,8 @@ package github import ( "context" "encoding/json" + "github.com/mitchellh/mapstructure" "golang.org/x/oauth2" - "gopkg.in/yaml.v3" "io/ioutil" "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" @@ -31,7 +31,11 @@ const ( UserInfoURL = "https://api.github.com/user" ) -type Github struct { +func init() { + identityprovider.RegisterOAuthProvider(&githubProviderFactory{}) +} + +type github struct { // ClientID is the application's ID. ClientID string `json:"clientID" yaml:"clientID"` @@ -41,8 +45,8 @@ type Github struct { // Endpoint contains the resource server's token endpoint // URLs. These are constants specific to each server and are // often available via site-specific packages, such as - // google.Endpoint or github.Endpoint. - Endpoint Endpoint `json:"endpoint" yaml:"endpoint"` + // google.Endpoint or github.endpoint. + Endpoint endpoint `json:"endpoint" yaml:"endpoint"` // RedirectURL is the URL to redirect users going through // the OAuth flow, after the resource owner's URLs. @@ -52,14 +56,14 @@ type Github struct { Scopes []string `json:"scopes" yaml:"scopes"` } -// Endpoint represents an OAuth 2.0 provider's authorization and token +// endpoint represents an OAuth 2.0 provider's authorization and token // endpoint URLs. -type Endpoint struct { +type endpoint struct { AuthURL string `json:"authURL" yaml:"authURL"` TokenURL string `json:"tokenURL" yaml:"tokenURL"` } -type GithubIdentity struct { +type githubIdentity struct { Login string `json:"login"` ID int `json:"id"` NodeID string `json:"node_id"` @@ -98,36 +102,38 @@ type GithubIdentity struct { Collaborators int `json:"collaborators"` } -func init() { - identityprovider.RegisterOAuthProvider(&Github{}) +type githubProviderFactory struct { } -func (g *Github) Type() string { +func (g *githubProviderFactory) Type() string { return "GitHubIdentityProvider" } -func (g *Github) Setup(options *oauth.DynamicOptions) (identityprovider.OAuthProvider, error) { - data, err := yaml.Marshal(options) - if err != nil { +func (g *githubProviderFactory) Create(options *oauth.DynamicOptions) (identityprovider.OAuthProvider, error) { + var github github + if err := mapstructure.Decode(options, &github); err != nil { return nil, err } - var provider Github - err = yaml.Unmarshal(data, &provider) - if err != nil { - return nil, err - } - return &provider, nil + return &github, nil } -func (g GithubIdentity) GetName() string { +func (g githubIdentity) GetUserID() string { return g.Login } -func (g GithubIdentity) GetEmail() string { +func (g githubIdentity) GetUsername() string { + return g.Login +} + +func (g githubIdentity) GetEmail() string { return g.Email } -func (g *Github) IdentityExchange(code string) (identityprovider.Identity, error) { +func (g githubIdentity) GetDisplayName() string { + return "" +} + +func (g *github) IdentityExchange(code string) (identityprovider.Identity, error) { config := oauth2.Config{ ClientID: g.ClientID, ClientSecret: g.ClientSecret, @@ -141,27 +147,23 @@ func (g *Github) IdentityExchange(code string) (identityprovider.Identity, error } token, err := config.Exchange(context.Background(), code) - if err != nil { return nil, err } resp, err := oauth2.NewClient(context.Background(), oauth2.StaticTokenSource(token)).Get(UserInfoURL) - if err != nil { return nil, err } data, err := ioutil.ReadAll(resp.Body) - defer resp.Body.Close() if err != nil { return nil, err } + defer resp.Body.Close() - var githubIdentity GithubIdentity - + var githubIdentity githubIdentity err = json.Unmarshal(data, &githubIdentity) - if err != nil { return nil, err } diff --git a/pkg/apiserver/authentication/identityprovider/identity_provider.go b/pkg/apiserver/authentication/identityprovider/identity.go similarity index 84% rename from pkg/apiserver/authentication/identityprovider/identity_provider.go rename to pkg/apiserver/authentication/identityprovider/identity.go index b0b13a36f2b079778653c64254c1091ea28dca63..858e1f357a72bc25d048caacb71dd5093c5d44c4 100644 --- a/pkg/apiserver/authentication/identityprovider/identity_provider.go +++ b/pkg/apiserver/authentication/identityprovider/identity.go @@ -17,6 +17,12 @@ limitations under the License. package identityprovider type Identity interface { - GetName() string + // required + GetUserID() string + // optional + GetUsername() string + // optional + GetDisplayName() string + // optional GetEmail() string } diff --git a/pkg/apiserver/authentication/identityprovider/ldap_provider.go b/pkg/apiserver/authentication/identityprovider/ldap/ldap_provider.go similarity index 55% rename from pkg/apiserver/authentication/identityprovider/ldap_provider.go rename to pkg/apiserver/authentication/identityprovider/ldap/ldap_provider.go index 1ab6e6aae676f9c25f0b340a324715011293e5ae..af13892c26d8c13b6c1721d2aa5e90aafc993b8a 100644 --- a/pkg/apiserver/authentication/identityprovider/ldap_provider.go +++ b/pkg/apiserver/authentication/identityprovider/ldap/ldap_provider.go @@ -1,22 +1,20 @@ /* +Copyright 2020 The KubeSphere Authors. - Copyright 2020 The KubeSphere Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */ -package identityprovider +package ldap import ( "crypto/tls" @@ -26,24 +24,23 @@ import ( "github.com/go-ldap/ldap" "github.com/mitchellh/mapstructure" "io/ioutil" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/errors" "k8s.io/klog" - iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" - "kubesphere.io/kubesphere/pkg/constants" "time" ) const ( - LdapIdentityProvider = "LDAPIdentityProvider" + ldapIdentityProvider = "LDAPIdentityProvider" defaultReadTimeout = 15000 ) -type LdapProvider interface { - Authenticate(username string, password string) (*iamv1alpha2.User, error) +func init() { + identityprovider.RegisterGenericProvider(&ldapProviderFactory{}) } -type ldapOptions struct { +type ldapProvider struct { // Host and optional port of the LDAP server in the form "host:port". // If the port is not supplied, 389 for insecure or StartTLS connections, 636 Host string `json:"host,omitempty" yaml:"managerDN"` @@ -73,105 +70,125 @@ type ldapOptions struct { UserMemberAttribute string `json:"userMemberAttribute,omitempty" yaml:"userMemberAttribute"` // Attribute on a group object storing the information for primary group membership. GroupMemberAttribute string `json:"groupMemberAttribute,omitempty" yaml:"groupMemberAttribute"` - // login attribute used for comparing user entries. // The following three fields are direct mappings of attributes on the user entry. + // login attribute used for comparing user entries. LoginAttribute string `json:"loginAttribute" yaml:"loginAttribute"` MailAttribute string `json:"mailAttribute" yaml:"mailAttribute"` DisplayNameAttribute string `json:"displayNameAttribute" yaml:"displayNameAttribute"` } -type ldapProvider struct { - options ldapOptions +type ldapProviderFactory struct { } -func NewLdapProvider(options *oauth.DynamicOptions) (LdapProvider, error) { - var ldapOptions ldapOptions - if err := mapstructure.Decode(options, &ldapOptions); err != nil { +func (l *ldapProviderFactory) Type() string { + return ldapIdentityProvider +} + +func (l *ldapProviderFactory) Create(options *oauth.DynamicOptions) (identityprovider.GenericProvider, error) { + var ldapProvider ldapProvider + if err := mapstructure.Decode(options, &ldapProvider); err != nil { return nil, err } - if ldapOptions.ReadTimeout <= 0 { - ldapOptions.ReadTimeout = defaultReadTimeout + if ldapProvider.ReadTimeout <= 0 { + ldapProvider.ReadTimeout = defaultReadTimeout } - return &ldapProvider{options: ldapOptions}, nil + return &ldapProvider, nil +} + +type ldapIdentity struct { + Username string + Email string + DisplayName string } -func (l ldapProvider) Authenticate(username string, password string) (*iamv1alpha2.User, error) { +func (l *ldapIdentity) GetUserID() string { + return l.Username +} + +func (l *ldapIdentity) GetUsername() string { + return l.Username +} + +func (l *ldapIdentity) GetEmail() string { + return l.Email +} + +func (l *ldapIdentity) GetDisplayName() string { + return l.DisplayName +} + +func (l ldapProvider) Authenticate(username string, password string) (identityprovider.Identity, error) { conn, err := l.newConn() if err != nil { klog.Error(err) return nil, err } - conn.SetTimeout(time.Duration(l.options.ReadTimeout) * time.Millisecond) + conn.SetTimeout(time.Duration(l.ReadTimeout) * time.Millisecond) defer conn.Close() - err = conn.Bind(l.options.ManagerDN, l.options.ManagerPassword) + err = conn.Bind(l.ManagerDN, l.ManagerPassword) if err != nil { klog.Error(err) return nil, err } - filter := fmt.Sprintf("(&(%s=%s)%s)", l.options.LoginAttribute, username, l.options.UserSearchFilter) + filter := fmt.Sprintf("(&(%s=%s)%s)", l.LoginAttribute, username, l.UserSearchFilter) result, err := conn.Search(&ldap.SearchRequest{ - BaseDN: l.options.UserSearchBase, + BaseDN: l.UserSearchBase, Scope: ldap.ScopeWholeSubtree, DerefAliases: ldap.NeverDerefAliases, SizeLimit: 1, TimeLimit: 0, TypesOnly: false, Filter: filter, - Attributes: []string{l.options.LoginAttribute, l.options.MailAttribute, l.options.DisplayNameAttribute}, + Attributes: []string{l.LoginAttribute, l.MailAttribute, l.DisplayNameAttribute}, }) if err != nil { klog.Error(err) return nil, err } - if len(result.Entries) == 1 { - entry := result.Entries[0] - err = conn.Bind(entry.DN, password) - if err != nil { - klog.Error(err) - return nil, err - } - email := entry.GetAttributeValue(l.options.MailAttribute) - displayName := entry.GetAttributeValue(l.options.DisplayNameAttribute) - return &iamv1alpha2.User{ - ObjectMeta: metav1.ObjectMeta{ - Name: username, - Annotations: map[string]string{ - constants.DisplayNameAnnotationKey: displayName, - }, - }, - Spec: iamv1alpha2.UserSpec{ - Email: email, - DisplayName: displayName, - }, - }, nil + if len(result.Entries) != 1 { + return nil, errors.NewUnauthorized("incorrect password") } - return nil, ldap.NewError(ldap.LDAPResultNoSuchObject, fmt.Errorf("could not find user %s in LDAP directory", username)) + entry := result.Entries[0] + if err = conn.Bind(entry.DN, password); err != nil { + klog.Error(err) + if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) { + return nil, errors.NewUnauthorized("incorrect password") + } + return nil, err + } + email := entry.GetAttributeValue(l.MailAttribute) + displayName := entry.GetAttributeValue(l.DisplayNameAttribute) + return &ldapIdentity{ + Username: username, + DisplayName: displayName, + Email: email, + }, nil } func (l *ldapProvider) newConn() (*ldap.Conn, error) { - if !l.options.StartTLS { - return ldap.Dial("tcp", l.options.Host) + if !l.StartTLS { + return ldap.Dial("tcp", l.Host) } tlsConfig := tls.Config{} - if l.options.InsecureSkipVerify { + if l.InsecureSkipVerify { tlsConfig.InsecureSkipVerify = true } tlsConfig.RootCAs = x509.NewCertPool() var caCert []byte var err error // Load CA cert - if l.options.RootCA != "" { - if caCert, err = ioutil.ReadFile(l.options.RootCA); err != nil { + if l.RootCA != "" { + if caCert, err = ioutil.ReadFile(l.RootCA); err != nil { klog.Error(err) return nil, err } } - if l.options.RootCAData != "" { - if caCert, err = base64.StdEncoding.DecodeString(l.options.RootCAData); err != nil { + if l.RootCAData != "" { + if caCert, err = base64.StdEncoding.DecodeString(l.RootCAData); err != nil { klog.Error(err) return nil, err } @@ -179,5 +196,5 @@ func (l *ldapProvider) newConn() (*ldap.Conn, error) { if caCert != nil { tlsConfig.RootCAs.AppendCertsFromPEM(caCert) } - return ldap.DialTLS("tcp", l.options.Host, &tlsConfig) + return ldap.DialTLS("tcp", l.Host, &tlsConfig) } diff --git a/pkg/apiserver/authentication/identityprovider/ldap_provider_test.go b/pkg/apiserver/authentication/identityprovider/ldap/ldap_provider_test.go similarity index 65% rename from pkg/apiserver/authentication/identityprovider/ldap_provider_test.go rename to pkg/apiserver/authentication/identityprovider/ldap/ldap_provider_test.go index c88fc79eeeb492b2435d7d7d219780261d9c890a..f32bae4da7f2d728c6fcaa568277bf4c6b597233 100644 --- a/pkg/apiserver/authentication/identityprovider/ldap_provider_test.go +++ b/pkg/apiserver/authentication/identityprovider/ldap/ldap_provider_test.go @@ -1,22 +1,20 @@ /* +Copyright 2020 The KubeSphere Authors. - Copyright 2020 The KubeSphere Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */ -package identityprovider +package ldap import ( "github.com/google/go-cmp/cmp" @@ -42,12 +40,11 @@ mailAttribute: mail if err != nil { t.Fatal(err) } - provider, err := NewLdapProvider(&dynamicOptions) + got, err := new(ldapProviderFactory).Create(&dynamicOptions) if err != nil { t.Fatal(err) } - got := provider.(*ldapProvider).options - expected := ldapOptions{ + expected := &ldapProvider{ Host: "test.sn.mynetname.net:389", StartTLS: false, InsecureSkipVerify: false, @@ -81,14 +78,14 @@ func TestLdapProvider_Authenticate(t *testing.T) { t.Fatal(err) } var dynamicOptions oauth.DynamicOptions - if err := yaml.Unmarshal(options, &dynamicOptions); err != nil { + if err = yaml.Unmarshal(options, &dynamicOptions); err != nil { t.Fatal(err) } - provider, err := NewLdapProvider(&dynamicOptions) + ldapProvider, err := new(ldapProviderFactory).Create(&dynamicOptions) if err != nil { t.Fatal(err) } - if _, err := provider.Authenticate("test", "test"); err != nil { + if _, err = ldapProvider.Authenticate("test", "test"); err != nil { t.Fatal(err) } } diff --git a/pkg/apiserver/authentication/identityprovider/oauth_provider.go b/pkg/apiserver/authentication/identityprovider/oauth_provider.go index f6384f332acc51bbc0f627b574faed2c33faf34a..eb7e051cd95a82ef96ddd3823e7ccf57334d6eb7 100644 --- a/pkg/apiserver/authentication/identityprovider/oauth_provider.go +++ b/pkg/apiserver/authentication/identityprovider/oauth_provider.go @@ -1,21 +1,18 @@ /* +Copyright 2020 The KubeSphere Authors. - Copyright 2020 The KubeSphere Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */ - package identityprovider import ( @@ -24,23 +21,29 @@ import ( ) var ( - oauthProviders = make(map[string]OAuthProvider, 0) - ErrorIdentityProviderNotFound = errors.New("the identity provider was not found") + builtinOAuthProviders = make(map[string]OAuthProviderFactory) + identityProviderNotFound = errors.New("identity provider not found") ) type OAuthProvider interface { - Type() string - Setup(options *oauth.DynamicOptions) (OAuthProvider, error) + // IdentityExchange exchange identity from remote server IdentityExchange(code string) (Identity, error) } -func GetOAuthProvider(providerType string, options *oauth.DynamicOptions) (OAuthProvider, error) { - if provider, ok := oauthProviders[providerType]; ok { - return provider.Setup(options) +type OAuthProviderFactory interface { + // Type unique type of the provider + Type() string + // Apply the dynamic options from kubesphere-config + Create(options *oauth.DynamicOptions) (OAuthProvider, error) +} + +func CreateOAuthProvider(providerType string, options *oauth.DynamicOptions) (OAuthProvider, error) { + if provider, ok := builtinOAuthProviders[providerType]; ok { + return provider.Create(options) } - return nil, ErrorIdentityProviderNotFound + return nil, identityProviderNotFound } -func RegisterOAuthProvider(provider OAuthProvider) { - oauthProviders[provider.Type()] = provider +func RegisterOAuthProvider(factory OAuthProviderFactory) { + builtinOAuthProviders[factory.Type()] = factory } diff --git a/pkg/apiserver/authentication/oauth/oauth_options.go b/pkg/apiserver/authentication/oauth/oauth_options.go index 878eb4a3f48443b7713203c97d2f6d7428cf58a1..73585e7a69b5445e5f6a6eb29e2582a6b305d2f3 100644 --- a/pkg/apiserver/authentication/oauth/oauth_options.go +++ b/pkg/apiserver/authentication/oauth/oauth_options.go @@ -35,12 +35,13 @@ const ( // GrantHandlerDeny auto-denies client authorization grant requests GrantHandlerDeny GrantHandlerType = "deny" // MappingMethodAuto The default value.The user will automatically create and mapping when login successful. - // Fails if a user with that user name is already mapped to another identity. + // Fails if a user with that username is already mapped to another identity. MappingMethodAuto MappingMethod = "auto" // MappingMethodLookup Looks up an existing identity, user identity mapping, and user, but does not automatically // provision users or identities. Using this method requires you to manually provision users. MappingMethodLookup MappingMethod = "lookup" // MappingMethodMixed A user entity can be mapped with multiple identifyProvider. + // not supported yet. MappingMethodMixed MappingMethod = "mixed" ) diff --git a/pkg/apiserver/authentication/options/authenticate_options.go b/pkg/apiserver/authentication/options/authenticate_options.go index 95633ad02d8c4ae6495b6308bb4cdd2e182f303c..5994b5a7803bf554c57ab3216e5c57769a7d6866 100644 --- a/pkg/apiserver/authentication/options/authenticate_options.go +++ b/pkg/apiserver/authentication/options/authenticate_options.go @@ -21,6 +21,7 @@ import ( "github.com/spf13/pflag" _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/aliyunidaas" _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/github" + _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/ldap" "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" "time" ) @@ -66,7 +67,6 @@ func (options *AuthenticationOptions) Validate() []error { if len(options.JwtSecret) == 0 { errs = append(errs, fmt.Errorf("jwt secret is empty")) } - return errs } diff --git a/pkg/apiserver/authentication/token/jwt.go b/pkg/apiserver/authentication/token/jwt.go index 8251f5c0bb1801bb5aa233af7de2519f7afd141d..c6ce49f041fddc4d8c1f5612b7557333a2e04ee0 100644 --- a/pkg/apiserver/authentication/token/jwt.go +++ b/pkg/apiserver/authentication/token/jwt.go @@ -29,9 +29,10 @@ const ( ) type Claims struct { - Username string `json:"username"` - UID string `json:"uid"` - TokenType TokenType `json:"token_type"` + Username string `json:"username"` + Groups []string `json:"groups,omitempty"` + Extra map[string][]string `json:"extra,omitempty"` + TokenType TokenType `json:"token_type"` // Currently, we are not using any field in jwt.StandardClaims jwt.StandardClaims } @@ -51,7 +52,7 @@ func (s *jwtTokenIssuer) Verify(tokenString string) (user.Info, TokenType, error klog.Error(err) return nil, "", err } - return &user.DefaultInfo{Name: clm.Username, UID: clm.UID}, clm.TokenType, nil + return &user.DefaultInfo{Name: clm.Username, Groups: clm.Groups, Extra: clm.Extra}, clm.TokenType, nil } func (s *jwtTokenIssuer) IssueTo(user user.Info, tokenType TokenType, expiresIn time.Duration) (string, error) { @@ -59,7 +60,8 @@ func (s *jwtTokenIssuer) IssueTo(user user.Info, tokenType TokenType, expiresIn notBefore := issueAt clm := &Claims{ Username: user.GetName(), - UID: user.GetUID(), + Groups: user.GetGroups(), + Extra: user.GetExtra(), TokenType: tokenType, StandardClaims: jwt.StandardClaims{ IssuedAt: issueAt, diff --git a/pkg/api/rbac/v1/evaluation_helpers.go b/pkg/apiserver/authorization/rbac/evaluation_helpers.go similarity index 97% rename from pkg/api/rbac/v1/evaluation_helpers.go rename to pkg/apiserver/authorization/rbac/evaluation_helpers.go index 3707760bf5b8359d018280741e7182ae36fb7ddd..f24d8c26c371ed849feb8562d894fd16ccff5cd3 100644 --- a/pkg/api/rbac/v1/evaluation_helpers.go +++ b/pkg/apiserver/authorization/rbac/evaluation_helpers.go @@ -14,7 +14,9 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1 +// Following code copied from k8s.io/kubernetes/pkg/apis/rbac/v1 to avoid import collision + +package rbac import ( "fmt" diff --git a/pkg/apiserver/authorization/authorizerfactory/rbac.go b/pkg/apiserver/authorization/rbac/rbac.go similarity index 96% rename from pkg/apiserver/authorization/authorizerfactory/rbac.go rename to pkg/apiserver/authorization/rbac/rbac.go index b845136bbf5890146c67e24640d4ce81f28e27e5..f918e41d1fe836203052e7c4635d2fdcd8ebd01b 100644 --- a/pkg/apiserver/authorization/authorizerfactory/rbac.go +++ b/pkg/apiserver/authorization/rbac/rbac.go @@ -16,7 +16,7 @@ limitations under the License. // NOTE: This file is copied from k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac. -package authorizerfactory +package rbac import ( "bytes" @@ -36,7 +36,6 @@ import ( rbacv1 "k8s.io/api/rbac/v1" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/authentication/user" - rbacv1helpers "kubesphere.io/kubesphere/pkg/api/rbac/v1" ) const ( @@ -159,14 +158,14 @@ func ruleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule combinedResource = requestAttributes.GetResource() + "/" + requestAttributes.GetSubresource() } - return rbacv1helpers.VerbMatches(rule, requestAttributes.GetVerb()) && - rbacv1helpers.APIGroupMatches(rule, requestAttributes.GetAPIGroup()) && - rbacv1helpers.ResourceMatches(rule, combinedResource, requestAttributes.GetSubresource()) && - rbacv1helpers.ResourceNameMatches(rule, requestAttributes.GetName()) + return VerbMatches(rule, requestAttributes.GetVerb()) && + APIGroupMatches(rule, requestAttributes.GetAPIGroup()) && + ResourceMatches(rule, combinedResource, requestAttributes.GetSubresource()) && + ResourceNameMatches(rule, requestAttributes.GetName()) } - return rbacv1helpers.VerbMatches(rule, requestAttributes.GetVerb()) && - rbacv1helpers.NonResourceURLMatches(rule, requestAttributes.GetPath()) + return VerbMatches(rule, requestAttributes.GetVerb()) && + NonResourceURLMatches(rule, requestAttributes.GetPath()) } func regoPolicyAllows(requestAttributes authorizer.Attributes, regoPolicy string) bool { diff --git a/pkg/apiserver/authorization/authorizerfactory/rbac_test.go b/pkg/apiserver/authorization/rbac/rbac_test.go similarity index 97% rename from pkg/apiserver/authorization/authorizerfactory/rbac_test.go rename to pkg/apiserver/authorization/rbac/rbac_test.go index 4ae43111364b277cd6c7ca69e9f0eea5c37d4cfd..0b811b6684e0f019f9782109db57035488d80eb1 100644 --- a/pkg/apiserver/authorization/authorizerfactory/rbac_test.go +++ b/pkg/apiserver/authorization/rbac/rbac_test.go @@ -1,20 +1,22 @@ /* -Copyright 2016 The Kubernetes Authors. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + Copyright 2020 The KubeSphere Authors. - http://www.apache.org/licenses/LICENSE-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. */ -package authorizerfactory +package rbac import ( "errors" diff --git a/pkg/apiserver/filters/authentication.go b/pkg/apiserver/filters/authentication.go index 41934c5d90bb8e190bedc7d57ab2f3617b99892f..473c2f5a2a3d99a24e0433535236941a0c9e0fd7 100644 --- a/pkg/apiserver/filters/authentication.go +++ b/pkg/apiserver/filters/authentication.go @@ -26,26 +26,23 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" "k8s.io/klog" - iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" "kubesphere.io/kubesphere/pkg/apiserver/request" - "kubesphere.io/kubesphere/pkg/models/iam/im" "net/http" - "strings" ) // WithAuthentication installs authentication handler to handler chain. // The following part is a little bit ugly, WithAuthentication also logs user failed login attempt // if using basic auth. But only treats request with requestURI `/oauth/authorize` as login attempt -func WithAuthentication(handler http.Handler, auth authenticator.Request, loginRecorder im.LoginRecorder) http.Handler { - if auth == nil { +func WithAuthentication(handler http.Handler, authRequest authenticator.Request) http.Handler { + if authRequest == nil { klog.Warningf("Authentication is disabled") return handler } s := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion() return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - resp, ok, err := auth.AuthenticateRequest(req) - username, _, usingBasicAuth := req.BasicAuth() + resp, ok, err := authRequest.AuthenticateRequest(req) + _, _, usingBasicAuth := req.BasicAuth() defer func() { // if we authenticated successfully, go ahead and remove the bearer token so that no one @@ -56,41 +53,17 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR }() if err != nil || !ok { - if err != nil { - klog.Errorf("Unable to authenticate the request due to error: %v", err) - if usingBasicAuth && err.Error() == im.AuthFailedIncorrectPassword.Error() { // log failed login attempts - go func(user string) { - if loginRecorder != nil && len(user) != 0 { - err = loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req) - klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", user, err) - } - }(username) - } - } - ctx := req.Context() requestInfo, found := request.RequestInfoFrom(ctx) if !found { responsewriters.InternalError(w, req, errors.New("no RequestInfo found in the context")) return } - gv := schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion} - if err != nil && err.Error() == im.AuthRateLimitExceeded.Error() { - responsewriters.ErrorNegotiated(apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60), s, gv, w, req) - } else { - responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req) - } + responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req) return } - go func() { - if loginRecorder != nil && usingBasicAuth && strings.HasPrefix(req.URL.Path, "/oauth/authorize") { - err = loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, "", nil, req) - klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err) - } - }() - req = req.WithContext(request.WithUser(req.Context(), resp.User)) handler.ServeHTTP(w, req) }) diff --git a/pkg/apiserver/request/requestinfo.go b/pkg/apiserver/request/requestinfo.go index 00f224014e0a83224b832a0cb34b4a8d903ac9c0..267d30c7e9007e00d22a46495278255a18cc7537 100644 --- a/pkg/apiserver/request/requestinfo.go +++ b/pkg/apiserver/request/requestinfo.go @@ -31,6 +31,7 @@ import ( "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" "kubesphere.io/kubesphere/pkg/constants" + netutils "kubesphere.io/kubesphere/pkg/utils/net" "net/http" "strings" @@ -74,6 +75,12 @@ type RequestInfo struct { // Scope of requested resource. ResourceScope string + + // Source IP + SourceIP string + + // User agent + UserAgent string } type RequestInfoFactory struct { @@ -119,6 +126,8 @@ func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, er }, Workspace: api.WorkspaceNone, Cluster: api.ClusterNone, + SourceIP: netutils.GetRequestIP(req), + UserAgent: req.UserAgent(), } defer func() { diff --git a/pkg/controller/loginrecord/loginrecord_controller.go b/pkg/controller/loginrecord/loginrecord_controller.go new file mode 100644 index 0000000000000000000000000000000000000000..d832f66e1de9795cc372f2f1921bf5676d8b5887 --- /dev/null +++ b/pkg/controller/loginrecord/loginrecord_controller.go @@ -0,0 +1,162 @@ +/* +Copyright 2020 The KubeSphere Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package loginrecord + +import ( + "fmt" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" + typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/tools/record" + "k8s.io/client-go/util/workqueue" + "k8s.io/klog" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" + iamv1alpha2informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions/iam/v1alpha2" + iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/controller/utils/controller" + "time" +) + +const ( + // SuccessSynced is used as part of the Event 'reason' when a Foo is synced + successSynced = "Synced" + // is synced successfully + messageResourceSynced = "LoginRecord synced successfully" + controllerName = "loginrecord-controller" +) + +type loginRecordController struct { + controller.BaseController + k8sClient kubernetes.Interface + ksClient kubesphere.Interface + loginRecordLister iamv1alpha2listers.LoginRecordLister + loginRecordSynced cache.InformerSynced + userLister iamv1alpha2listers.UserLister + userSynced cache.InformerSynced + loginHistoryRetentionPeriod time.Duration + // recorder is an event recorder for recording Event resources to the + // Kubernetes API. + recorder record.EventRecorder +} + +func NewLoginRecordController(k8sClient kubernetes.Interface, + ksClient kubesphere.Interface, + loginRecordInformer iamv1alpha2informers.LoginRecordInformer, + userInformer iamv1alpha2informers.UserInformer, + loginHistoryRetentionPeriod time.Duration) *loginRecordController { + + klog.V(4).Info("Creating event broadcaster") + eventBroadcaster := record.NewBroadcaster() + eventBroadcaster.StartLogging(klog.Infof) + eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: k8sClient.CoreV1().Events("")}) + recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: controllerName}) + ctl := &loginRecordController{ + BaseController: controller.BaseController{ + Workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "LoginRecords"), + Synced: []cache.InformerSynced{loginRecordInformer.Informer().HasSynced, userInformer.Informer().HasSynced}, + Name: controllerName, + }, + k8sClient: k8sClient, + ksClient: ksClient, + loginRecordLister: loginRecordInformer.Lister(), + userLister: userInformer.Lister(), + loginHistoryRetentionPeriod: loginHistoryRetentionPeriod, + recorder: recorder, + } + ctl.Handler = ctl.reconcile + klog.Info("Setting up event handlers") + loginRecordInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: ctl.Enqueue, + UpdateFunc: func(old, new interface{}) { + ctl.Enqueue(new) + }, + DeleteFunc: ctl.Enqueue, + }) + return ctl +} + +func (c *loginRecordController) Start(stopCh <-chan struct{}) error { + return c.Run(5, stopCh) +} + +func (c *loginRecordController) reconcile(key string) error { + loginRecord, err := c.loginRecordLister.Get(key) + if err != nil { + if errors.IsNotFound(err) { + utilruntime.HandleError(fmt.Errorf("login record '%s' in work queue no longer exists", key)) + return nil + } + klog.Error(err) + return err + } + + if !loginRecord.ObjectMeta.DeletionTimestamp.IsZero() { + // The object is being deleted + // Our finalizer has finished, so the reconciler can do nothing. + return nil + } + + if err = c.updateUserLastLoginTime(loginRecord); err != nil { + return err + } + + now := time.Now() + // login record beyonds retention period + if loginRecord.CreationTimestamp.Add(c.loginHistoryRetentionPeriod).Before(now) { + if err = c.ksClient.IamV1alpha2().LoginRecords().Delete(loginRecord.Name, metav1.NewDeleteOptions(0)); err != nil { + klog.Error(err) + return err + } + } else { // put item back into the queue + c.Workqueue.AddAfter(key, loginRecord.CreationTimestamp.Add(c.loginHistoryRetentionPeriod).Sub(now)) + } + c.recorder.Event(loginRecord, corev1.EventTypeNormal, successSynced, messageResourceSynced) + return nil +} + +// updateUserLastLoginTime accepts a login object and set user lastLoginTime field +func (c *loginRecordController) updateUserLastLoginTime(loginRecord *iamv1alpha2.LoginRecord) error { + username, ok := loginRecord.Labels[iamv1alpha2.UserReferenceLabel] + if !ok || len(username) == 0 { + klog.V(4).Info("login doesn't belong to any user") + return nil + } + user, err := c.userLister.Get(username) + if err != nil { + // ignore not found error + if errors.IsNotFound(err) { + klog.V(4).Infof("user %s doesn't exist any more, login record will be deleted later", username) + return nil + } + klog.Error(err) + return err + } + // update lastLoginTime + if user.DeletionTimestamp.IsZero() && + (user.Status.LastLoginTime == nil || user.Status.LastLoginTime.Before(&loginRecord.CreationTimestamp)) { + user.Status.LastLoginTime = &loginRecord.CreationTimestamp + user, err = c.ksClient.IamV1alpha2().Users().UpdateStatus(user) + return err + } + return nil +} diff --git a/pkg/controller/loginrecord/loginrecord_controller_test.go b/pkg/controller/loginrecord/loginrecord_controller_test.go new file mode 100644 index 0000000000000000000000000000000000000000..2c8d5768525284976241002d7891030f4b744a6c --- /dev/null +++ b/pkg/controller/loginrecord/loginrecord_controller_test.go @@ -0,0 +1,265 @@ +/* +Copyright 2020 The KubeSphere Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package loginrecord + +import ( + "fmt" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/diff" + kubeinformers "k8s.io/client-go/informers" + k8sfake "k8s.io/client-go/kubernetes/fake" + core "k8s.io/client-go/testing" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/tools/record" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake" + ksinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions" + "reflect" + "testing" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +var ( + alwaysReady = func() bool { return true } + noResyncPeriodFunc = func() time.Duration { return 0 } +) + +type fixture struct { + t *testing.T + + ksclient *fake.Clientset + k8sclient *k8sfake.Clientset + // Objects to put in the store. + user *iamv1alpha2.User + loginRecord *iamv1alpha2.LoginRecord + // Actions expected to happen on the client. + kubeactions []core.Action + actions []core.Action + // Objects from here preloaded into NewSimpleFake. + kubeobjects []runtime.Object + objects []runtime.Object +} + +func newFixture(t *testing.T) *fixture { + f := &fixture{} + f.t = t + f.objects = []runtime.Object{} + f.kubeobjects = []runtime.Object{} + return f +} + +func newUser(name string) *iamv1alpha2.User { + return &iamv1alpha2.User{ + TypeMeta: metav1.TypeMeta{APIVersion: iamv1alpha2.SchemeGroupVersion.String()}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Spec: iamv1alpha2.UserSpec{ + Email: fmt.Sprintf("%s@kubesphere.io", name), + Lang: "zh-CN", + Description: "fake user", + }, + } +} + +func newLoginRecord(username string) *iamv1alpha2.LoginRecord { + return &iamv1alpha2.LoginRecord{ + TypeMeta: metav1.TypeMeta{APIVersion: iamv1alpha2.SchemeGroupVersion.String()}, + ObjectMeta: metav1.ObjectMeta{ + Name: username, + CreationTimestamp: metav1.Now(), + Labels: map[string]string{iamv1alpha2.UserReferenceLabel: username}, + }, + Spec: iamv1alpha2.LoginRecordSpec{ + Type: iamv1alpha2.Token, + Success: true, + Reason: "", + }, + } +} + +func (f *fixture) newController() (*loginRecordController, ksinformers.SharedInformerFactory, kubeinformers.SharedInformerFactory) { + f.ksclient = fake.NewSimpleClientset(f.objects...) + f.k8sclient = k8sfake.NewSimpleClientset(f.kubeobjects...) + + ksInformers := ksinformers.NewSharedInformerFactory(f.ksclient, noResyncPeriodFunc()) + k8sInformers := kubeinformers.NewSharedInformerFactory(f.k8sclient, noResyncPeriodFunc()) + if err := ksInformers.Iam().V1alpha2().Users().Informer().GetIndexer().Add(f.user); err != nil { + f.t.Errorf("add user:%s", err) + } + if err := ksInformers.Iam().V1alpha2().LoginRecords().Informer().GetIndexer().Add(f.loginRecord); err != nil { + f.t.Errorf("add login record:%s", err) + } + + c := NewLoginRecordController(f.k8sclient, f.ksclient, + ksInformers.Iam().V1alpha2().LoginRecords(), + ksInformers.Iam().V1alpha2().Users(), + time.Minute*5) + c.userSynced = alwaysReady + c.loginRecordSynced = alwaysReady + c.recorder = &record.FakeRecorder{} + + return c, ksInformers, k8sInformers +} + +func (f *fixture) run(userName string) { + f.runController(userName, true, false) +} + +func (f *fixture) runExpectError(userName string) { + f.runController(userName, true, true) +} + +func (f *fixture) runController(user string, startInformers bool, expectError bool) { + c, i, k8sI := f.newController() + if startInformers { + stopCh := make(chan struct{}) + defer close(stopCh) + i.Start(stopCh) + k8sI.Start(stopCh) + } + + err := c.reconcile(user) + if !expectError && err != nil { + f.t.Errorf("error syncing user: %v", err) + } else if expectError && err == nil { + f.t.Error("expected error syncing user, got nil") + } + + actions := filterInformerActions(f.ksclient.Actions()) + for j, action := range actions { + if len(f.actions) < j+1 { + f.t.Errorf("%d unexpected actions: %+v", len(actions)-len(f.actions), actions[j:]) + break + } + + expectedAction := f.actions[j] + checkAction(expectedAction, action, f.t) + } + + if len(f.actions) > len(actions) { + f.t.Errorf("%d additional expected actions:%+v", len(f.actions)-len(actions), f.actions[len(actions):]) + } + + k8sActions := filterInformerActions(f.k8sclient.Actions()) + for k, action := range k8sActions { + if len(f.kubeactions) < k+1 { + f.t.Errorf("%d unexpected actions: %+v", len(k8sActions)-len(f.kubeactions), k8sActions[k:]) + break + } + + expectedAction := f.kubeactions[k] + checkAction(expectedAction, action, f.t) + } + + if len(f.kubeactions) > len(k8sActions) { + f.t.Errorf("%d additional expected actions:%+v", len(f.kubeactions)-len(k8sActions), f.kubeactions[len(k8sActions):]) + } +} + +// checkAction verifies that expected and actual actions are equal and both have +// same attached resources +func checkAction(expected, actual core.Action, t *testing.T) { + if !(expected.Matches(actual.GetVerb(), actual.GetResource().Resource) && actual.GetSubresource() == expected.GetSubresource()) { + t.Errorf("Expected\n\t%#v\ngot\n\t%#v", expected, actual) + return + } + + if reflect.TypeOf(actual) != reflect.TypeOf(expected) { + t.Errorf("Action has wrong type. Expected: %t. Got: %t", expected, actual) + return + } + + switch a := actual.(type) { + case core.CreateActionImpl: + e, _ := expected.(core.CreateActionImpl) + expObject := e.GetObject() + object := a.GetObject() + if !reflect.DeepEqual(expObject, object) { + t.Errorf("Action %s %s has wrong object\nDiff:\n %s", + a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expObject, object)) + } + case core.UpdateActionImpl: + e, _ := expected.(core.UpdateActionImpl) + expObject := e.GetObject() + object := a.GetObject() + expUser := expObject.(*iamv1alpha2.User) + user := object.(*iamv1alpha2.User) + expUser.Status.LastTransitionTime = nil + user.Status.LastTransitionTime = nil + if !reflect.DeepEqual(expUser, user) { + t.Errorf("Action %s %s has wrong object\nDiff:\n %s", + a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expObject, object)) + } + case core.PatchActionImpl: + e, _ := expected.(core.PatchActionImpl) + expPatch := e.GetPatch() + patch := a.GetPatch() + if !reflect.DeepEqual(expPatch, patch) { + t.Errorf("Action %s %s has wrong patch\nDiff:\n %s", + a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expPatch, patch)) + } + default: + t.Errorf("Uncaptured Action %s %s, you should explicitly add a case to capture it", + actual.GetVerb(), actual.GetResource().Resource) + } +} + +// filterInformerActions filters list and watch actions for testing resources. +// Since list and watch don't change resource state we can filter it to lower +// nose level in our tests. +func filterInformerActions(actions []core.Action) []core.Action { + var ret []core.Action + for _, action := range actions { + ret = append(ret, action) + } + + return ret +} + +func (f *fixture) expectUpdateUserStatusAction(user *iamv1alpha2.User) { + expect := user.DeepCopy() + action := core.NewUpdateAction(schema.GroupVersionResource{Resource: "users"}, "", expect) + action.Subresource = "status" + expect.Status.LastLoginTime = &f.loginRecord.CreationTimestamp + f.actions = append(f.actions, action) +} + +func getKey(user *iamv1alpha2.User, t *testing.T) string { + key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(user) + if err != nil { + t.Errorf("Unexpected error getting key for user %v: %v", user.Name, err) + return "" + } + return key +} + +func TestDoNothing(t *testing.T) { + f := newFixture(t) + user := newUser("test") + loginRecord := newLoginRecord("test") + + f.user = user + f.loginRecord = loginRecord + f.objects = append(f.objects, user, loginRecord) + + f.expectUpdateUserStatusAction(user) + f.run(getKey(user, t)) +} diff --git a/pkg/controller/user/loginrecord_controller.go b/pkg/controller/user/loginrecord_controller.go deleted file mode 100644 index 437a3cfa71eace0f6a8356029664744787760342..0000000000000000000000000000000000000000 --- a/pkg/controller/user/loginrecord_controller.go +++ /dev/null @@ -1,224 +0,0 @@ -/* - * - * Copyright 2020 The KubeSphere Authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * / - */ - -package user - -import ( - "fmt" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/client-go/kubernetes" - "k8s.io/client-go/kubernetes/scheme" - typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1" - "k8s.io/client-go/tools/cache" - "k8s.io/client-go/tools/record" - "k8s.io/client-go/util/workqueue" - "k8s.io/klog" - kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" - iamv1alpha2informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions/iam/v1alpha2" - iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" - "time" -) - -type LoginRecordController struct { - k8sClient kubernetes.Interface - ksClient kubesphere.Interface - loginRecordInformer iamv1alpha2informers.LoginRecordInformer - loginRecordLister iamv1alpha2listers.LoginRecordLister - loginRecordSynced cache.InformerSynced - // workqueue is a rate limited work queue. This is used to queue work to be - // processed instead of performing it as soon as a change happens. This - // means we can ensure we only process a fixed amount of resources at a - // time, and makes it easy to ensure we are never processing the same item - // simultaneously in two different workers. - workqueue workqueue.RateLimitingInterface - // recorder is an event recorder for recording Event resources to the - // Kubernetes API. - recorder record.EventRecorder - loginHistoryRetentionPeriod time.Duration -} - -func NewLoginRecordController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, - loginRecordInformer iamv1alpha2informers.LoginRecordInformer, - loginHistoryRetentionPeriod time.Duration) *LoginRecordController { - - klog.V(4).Info("Creating event broadcaster") - eventBroadcaster := record.NewBroadcaster() - eventBroadcaster.StartLogging(klog.Infof) - eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: k8sClient.CoreV1().Events("")}) - recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: "loginrecord-controller"}) - ctl := &LoginRecordController{ - k8sClient: k8sClient, - ksClient: ksClient, - loginRecordInformer: loginRecordInformer, - loginRecordLister: loginRecordInformer.Lister(), - loginRecordSynced: loginRecordInformer.Informer().HasSynced, - loginHistoryRetentionPeriod: loginHistoryRetentionPeriod, - workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "loginrecord"), - recorder: recorder, - } - return ctl -} - -func (c *LoginRecordController) Run(threadiness int, stopCh <-chan struct{}) error { - defer utilruntime.HandleCrash() - defer c.workqueue.ShutDown() - - // Start the informer factories to begin populating the informer caches - klog.Info("Starting LoginRecord controller") - - // Wait for the caches to be synced before starting workers - klog.Info("Waiting for informer caches to sync") - - if ok := cache.WaitForCacheSync(stopCh, c.loginRecordSynced); !ok { - return fmt.Errorf("failed to wait for caches to sync") - } - - klog.Info("Starting workers") - // Launch two workers to process Foo resources - for i := 0; i < threadiness; i++ { - go wait.Until(c.runWorker, time.Second, stopCh) - } - - go wait.Until(func() { - if err := c.sync(); err != nil { - klog.Errorf("Error periodically sync user status, %v", err) - } - }, time.Hour, stopCh) - - klog.Info("Started workers") - <-stopCh - klog.Info("Shutting down workers") - return nil -} - -func (c *LoginRecordController) enqueueLoginRecord(obj interface{}) { - var key string - var err error - if key, err = cache.MetaNamespaceKeyFunc(obj); err != nil { - utilruntime.HandleError(err) - return - } - c.workqueue.Add(key) -} - -func (c *LoginRecordController) runWorker() { - for c.processNextWorkItem() { - } -} - -func (c *LoginRecordController) processNextWorkItem() bool { - obj, shutdown := c.workqueue.Get() - - if shutdown { - return false - } - - // We wrap this block in a func so we can defer c.workqueue.Done. - err := func(obj interface{}) error { - // We call Done here so the workqueue knows we have finished - // processing this item. We also must remember to call Forget if we - // do not want this work item being re-queued. For example, we do - // not call Forget if a transient error occurs, instead the item is - // put back on the workqueue and attempted again after a back-off - // period. - defer c.workqueue.Done(obj) - var key string - var ok bool - // We expect strings to come off the workqueue. These are of the - // form namespace/name. We do this as the delayed nature of the - // workqueue means the items in the informer cache may actually be - // more up to date that when the item was initially put onto the - // workqueue. - if key, ok = obj.(string); !ok { - // As the item in the workqueue is actually invalid, we call - // Forget here else we'd go into a loop of attempting to - // process a work item that is invalid. - c.workqueue.Forget(obj) - utilruntime.HandleError(fmt.Errorf("expected string in workqueue but got %#v", obj)) - return nil - } - // Run the reconcile, passing it the namespace/name string of the - // Foo resource to be synced. - if err := c.reconcile(key); err != nil { - // Put the item back on the workqueue to handle any transient errors. - c.workqueue.AddRateLimited(key) - return fmt.Errorf("error syncing '%s': %s, requeuing", key, err.Error()) - } - // Finally, if no error occurs we Forget this item so it does not - // get queued again until another change happens. - c.workqueue.Forget(obj) - klog.Infof("Successfully synced %s:%s", "key", key) - return nil - }(obj) - - if err != nil { - utilruntime.HandleError(err) - return true - } - - return true -} - -func (c *LoginRecordController) reconcile(key string) error { - loginRecord, err := c.loginRecordLister.Get(key) - if err != nil { - if errors.IsNotFound(err) { - utilruntime.HandleError(fmt.Errorf("login record '%s' in work queue no longer exists", key)) - return nil - } - klog.Error(err) - return err - } - - now := time.Now() - if loginRecord.CreationTimestamp.Add(c.loginHistoryRetentionPeriod).Before(now) { // login record beyonds retention period - if err = c.ksClient.IamV1alpha2().LoginRecords().Delete(loginRecord.Name, metav1.NewDeleteOptions(0)); err != nil { - klog.Error(err) - return err - } - } else { // put item back into the queue - c.workqueue.AddAfter(key, loginRecord.CreationTimestamp.Add(c.loginHistoryRetentionPeriod).Sub(now)) - } - c.recorder.Event(loginRecord, corev1.EventTypeNormal, successSynced, messageResourceSynced) - return nil -} - -func (c *LoginRecordController) Start(stopCh <-chan struct{}) error { - return c.Run(4, stopCh) -} - -func (c *LoginRecordController) sync() error { - records, err := c.loginRecordLister.List(labels.Everything()) - if err != nil { - return err - } - - for _, record := range records { - key, err := cache.MetaNamespaceKeyFunc(record) - if err != nil { - return err - } - c.workqueue.AddRateLimited(key) - } - return nil -} diff --git a/pkg/controller/user/user_controller.go b/pkg/controller/user/user_controller.go index 59638a4479e681176e0b2589f9813246dd4e661f..e128d71c0657c271562481382716c50e28f21e89 100644 --- a/pkg/controller/user/user_controller.go +++ b/pkg/controller/user/user_controller.go @@ -19,8 +19,8 @@ package user import ( "encoding/json" "fmt" + "kubesphere.io/kubesphere/pkg/controller/utils/controller" "reflect" - "strconv" "time" "golang.org/x/crypto/bcrypt" @@ -31,7 +31,6 @@ import ( "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/apimachinery/pkg/util/wait" corev1informers "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" @@ -62,46 +61,36 @@ const ( // is synced successfully messageResourceSynced = "User synced successfully" controllerName = "user-controller" - // user finalizer finalizer = "finalizers.kubesphere.io/users" ) -type Controller struct { - k8sClient kubernetes.Interface - ksClient kubesphere.Interface - kubeconfig kubeconfig.Interface - userLister iamv1alpha2listers.UserLister - userSynced cache.InformerSynced - loginRecordLister iamv1alpha2listers.LoginRecordLister - loginRecordSynced cache.InformerSynced - cmSynced cache.InformerSynced - fedUserCache cache.Store - fedUserController cache.Controller - ldapClient ldapclient.Interface - devopsClient devops.Interface - // workqueue is a rate limited work queue. This is used to queue work to be - // processed instead of performing it as soon as a change happens. This - // means we can ensure we only process a fixed amount of resources at a - // time, and makes it easy to ensure we are never processing the same item - // simultaneously in two different workers. - workqueue workqueue.RateLimitingInterface - // recorder is an event recorder for recording Event resources to the - // Kubernetes API. - recorder record.EventRecorder +type userController struct { + controller.BaseController + k8sClient kubernetes.Interface + ksClient kubesphere.Interface + kubeconfig kubeconfig.Interface + userLister iamv1alpha2listers.UserLister + loginRecordLister iamv1alpha2listers.LoginRecordLister + fedUserCache cache.Store + ldapClient ldapclient.Interface + devopsClient devops.Interface authenticationOptions *authoptions.AuthenticationOptions multiClusterEnabled bool + // recorder is an event recorder for recording Event resources to the + // Kubernetes API. + recorder record.EventRecorder } -func NewUserController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, - config *rest.Config, userInformer iamv1alpha2informers.UserInformer, - fedUserCache cache.Store, fedUserController cache.Controller, +func NewUserController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, config *rest.Config, + userInformer iamv1alpha2informers.UserInformer, loginRecordInformer iamv1alpha2informers.LoginRecordInformer, + fedUserCache cache.Store, fedUserController cache.Controller, configMapInformer corev1informers.ConfigMapInformer, ldapClient ldapclient.Interface, devopsClient devops.Interface, authenticationOptions *authoptions.AuthenticationOptions, - multiClusterEnabled bool) *Controller { + multiClusterEnabled bool) *userController { utilruntime.Must(kubespherescheme.AddToScheme(scheme.Scheme)) @@ -113,152 +102,48 @@ func NewUserController(k8sClient kubernetes.Interface, ksClient kubesphere.Inter if config != nil { kubeconfigOperator = kubeconfig.NewOperator(k8sClient, configMapInformer, config) } - ctl := &Controller{ + ctl := &userController{ + BaseController: controller.BaseController{ + Workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "User"), + Synced: []cache.InformerSynced{ + userInformer.Informer().HasSynced, + configMapInformer.Informer().HasSynced, + loginRecordInformer.Informer().HasSynced, + }, + Name: controllerName, + }, k8sClient: k8sClient, ksClient: ksClient, kubeconfig: kubeconfigOperator, userLister: userInformer.Lister(), - userSynced: userInformer.Informer().HasSynced, loginRecordLister: loginRecordInformer.Lister(), - loginRecordSynced: loginRecordInformer.Informer().HasSynced, - cmSynced: configMapInformer.Informer().HasSynced, fedUserCache: fedUserCache, - fedUserController: fedUserController, ldapClient: ldapClient, devopsClient: devopsClient, - workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "Users"), recorder: recorder, multiClusterEnabled: multiClusterEnabled, authenticationOptions: authenticationOptions, } - + if multiClusterEnabled { + ctl.Synced = append(ctl.Synced, fedUserController.HasSynced) + } + ctl.Handler = ctl.reconcile klog.Info("Setting up event handlers") userInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: ctl.enqueueUser, + AddFunc: ctl.Enqueue, UpdateFunc: func(old, new interface{}) { - ctl.enqueueUser(new) - }, - DeleteFunc: ctl.enqueueUser, - }) - - loginRecordInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: func(new interface{}) { - if err := ctl.enqueueLogin(new); err != nil { - klog.Errorf("Failed to enqueue login object, error: %v", err) - } + ctl.Enqueue(new) }, + DeleteFunc: ctl.Enqueue, }) return ctl } -func (c *Controller) Run(threadiness int, stopCh <-chan struct{}) error { - defer utilruntime.HandleCrash() - defer c.workqueue.ShutDown() - - // Start the informer factories to begin populating the informer caches - klog.Info("Starting User controller") - - // Wait for the caches to be synced before starting workers - klog.Info("Waiting for informer caches to sync") - - synced := make([]cache.InformerSynced, 0) - synced = append(synced, c.userSynced, c.loginRecordSynced, c.cmSynced) - if c.multiClusterEnabled { - synced = append(synced, c.fedUserController.HasSynced) - } - - if ok := cache.WaitForCacheSync(stopCh, synced...); !ok { - return fmt.Errorf("failed to wait for caches to sync") - } - - klog.Info("Starting workers") - // Launch two workers to process Foo resources - for i := 0; i < threadiness; i++ { - go wait.Until(c.runWorker, time.Second, stopCh) - } - - klog.Info("Started workers") - <-stopCh - klog.Info("Shutting down workers") - return nil -} - -func (c *Controller) enqueueUser(obj interface{}) { - var key string - var err error - if key, err = cache.MetaNamespaceKeyFunc(obj); err != nil { - utilruntime.HandleError(err) - return - } - c.workqueue.Add(key) -} - -func (c *Controller) runWorker() { - for c.processNextWorkItem() { - } -} - -func (c *Controller) processNextWorkItem() bool { - obj, shutdown := c.workqueue.Get() - - if shutdown { - return false - } - - err := func(obj interface{}) error { - defer c.workqueue.Done(obj) - var key string - var ok bool - if key, ok = obj.(string); !ok { - c.workqueue.Forget(obj) - utilruntime.HandleError(fmt.Errorf("expected string in workqueue but got %#v", obj)) - return nil - } - if err := c.reconcile(key); err != nil { - c.workqueue.AddRateLimited(key) - return fmt.Errorf("error syncing '%s': %s, requeuing", key, err.Error()) - } - c.workqueue.Forget(obj) - klog.Infof("Successfully synced %s:%s", "key", key) - return nil - }(obj) - - if err != nil { - utilruntime.HandleError(err) - return true - } - - return true -} - -// enqueueLogin accepts a login object and set user lastLoginTime field -func (c *Controller) enqueueLogin(object interface{}) error { - login := object.(*iamv1alpha2.LoginRecord) - username, ok := login.Labels[iamv1alpha2.UserReferenceLabel] - - if !ok || len(username) == 0 { - return fmt.Errorf("login doesn't belong to any user") - } - - user, err := c.userLister.Get(username) - if err != nil { - if errors.IsNotFound(err) { - return fmt.Errorf("user %s doesn't exist any more, login record will be deleted later", username) - } - return err - } - - if user.Status.LastLoginTime == nil || user.Status.LastLoginTime.Before(&login.CreationTimestamp) { - user.Status.LastLoginTime = &login.CreationTimestamp - user, err = c.ksClient.IamV1alpha2().Users().Update(user) - return err - } - - return nil +func (c *userController) Start(stopCh <-chan struct{}) error { + return c.Run(5, stopCh) } -func (c *Controller) reconcile(key string) error { - +func (c *userController) reconcile(key string) error { // Get the user with this name user, err := c.userLister.Get(key) if err != nil { @@ -307,7 +192,7 @@ func (c *Controller) reconcile(key string) error { if c.devopsClient != nil { // unassign jenkins role, unassign multiple times is allowed - if err := c.unassignDevOpsAdminRole(user); err != nil { + if err = c.unassignDevOpsAdminRole(user); err != nil { klog.Error(err) return err } @@ -340,7 +225,7 @@ func (c *Controller) reconcile(key string) error { } } - if user, err = c.ensurePasswordIsEncrypted(user); err != nil { + if user, err = c.encryptPassword(user); err != nil { klog.Error(err) return err } @@ -361,7 +246,7 @@ func (c *Controller) reconcile(key string) error { if c.devopsClient != nil { // assign jenkins role after user create, assign multiple times is allowed // used as logged-in users can do anything - if err := c.assignDevOpsAdminRole(user); err != nil { + if err = c.assignDevOpsAdminRole(user); err != nil { klog.Error(err) return err } @@ -379,14 +264,9 @@ func (c *Controller) reconcile(key string) error { return nil } -func (c *Controller) Start(stopCh <-chan struct{}) error { - return c.Run(5, stopCh) -} - -func (c *Controller) ensurePasswordIsEncrypted(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { - encrypted := user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] == "true" - // password is not encrypted - if !encrypted { +func (c *userController) encryptPassword(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { + // password is not empty and not encrypted + if user.Spec.EncryptedPassword != "" && !isEncrypted(user.Spec.EncryptedPassword) { password, err := encrypt(user.Spec.EncryptedPassword) if err != nil { klog.Error(err) @@ -395,22 +275,16 @@ func (c *Controller) ensurePasswordIsEncrypted(user *iamv1alpha2.User) (*iamv1al user = user.DeepCopy() user.Spec.EncryptedPassword = password if user.Annotations == nil { - user.Annotations = make(map[string]string, 0) + user.Annotations = make(map[string]string) } // ensure plain text password won't be kept anywhere delete(user.Annotations, corev1.LastAppliedConfigAnnotation) - user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] = "true" - user.Status = iamv1alpha2.UserStatus{ - State: iamv1alpha2.UserActive, - LastTransitionTime: &metav1.Time{Time: time.Now()}, - } return c.ksClient.IamV1alpha2().Users().Update(user) } - return user, nil } -func (c *Controller) ensureNotControlledByKubefed(user *iamv1alpha2.User) error { +func (c *userController) ensureNotControlledByKubefed(user *iamv1alpha2.User) error { if user.Labels[constants.KubefedManagedLabel] != "false" { if user.Labels == nil { user.Labels = make(map[string]string, 0) @@ -425,7 +299,7 @@ func (c *Controller) ensureNotControlledByKubefed(user *iamv1alpha2.User) error return nil } -func (c *Controller) multiClusterSync(user *iamv1alpha2.User) error { +func (c *userController) multiClusterSync(user *iamv1alpha2.User) error { if err := c.ensureNotControlledByKubefed(user); err != nil { klog.Error(err) @@ -458,7 +332,7 @@ func (c *Controller) multiClusterSync(user *iamv1alpha2.User) error { return nil } -func (c *Controller) createFederatedUser(user *iamv1alpha2.User) error { +func (c *userController) createFederatedUser(user *iamv1alpha2.User) error { federatedUser := &iamv1alpha2.FederatedUser{ TypeMeta: metav1.TypeMeta{ Kind: iamv1alpha2.FedUserKind, @@ -506,14 +380,13 @@ func (c *Controller) createFederatedUser(user *iamv1alpha2.User) error { return nil } -func (c *Controller) updateFederatedUser(fedUser *iamv1alpha2.FederatedUser) error { +func (c *userController) updateFederatedUser(fedUser *iamv1alpha2.FederatedUser) error { data, err := json.Marshal(fedUser) if err != nil { return err } cli := c.k8sClient.(*kubernetes.Clientset) - err = cli.RESTClient().Put(). AbsPath(fmt.Sprintf("/apis/%s/%s/%s/%s", iamv1alpha2.FedUserResource.Group, iamv1alpha2.FedUserResource.Version, iamv1alpha2.FedUserResource.Name, fedUser.Name)). @@ -529,7 +402,7 @@ func (c *Controller) updateFederatedUser(fedUser *iamv1alpha2.FederatedUser) err return nil } -func (c *Controller) assignDevOpsAdminRole(user *iamv1alpha2.User) error { +func (c *userController) assignDevOpsAdminRole(user *iamv1alpha2.User) error { if err := c.devopsClient.AssignGlobalRole(modelsdevops.JenkinsAdminRoleName, user.Name); err != nil { klog.Errorf("%+v", err) return err @@ -537,7 +410,7 @@ func (c *Controller) assignDevOpsAdminRole(user *iamv1alpha2.User) error { return nil } -func (c *Controller) unassignDevOpsAdminRole(user *iamv1alpha2.User) error { +func (c *userController) unassignDevOpsAdminRole(user *iamv1alpha2.User) error { if err := c.devopsClient.UnAssignGlobalRole(modelsdevops.JenkinsAdminRoleName, user.Name); err != nil { klog.Errorf("%+v", err) return err @@ -545,9 +418,8 @@ func (c *Controller) unassignDevOpsAdminRole(user *iamv1alpha2.User) error { return nil } -func (c *Controller) ldapSync(user *iamv1alpha2.User) error { - encrypted, _ := strconv.ParseBool(user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation]) - if encrypted { +func (c *userController) ldapSync(user *iamv1alpha2.User) error { + if isEncrypted(user.Spec.EncryptedPassword) { return nil } _, err := c.ldapClient.Get(user.Name) @@ -564,14 +436,12 @@ func (c *Controller) ldapSync(user *iamv1alpha2.User) error { } } -func (c *Controller) deleteGroupBindings(user *iamv1alpha2.User) error { - +func (c *userController) deleteGroupBindings(user *iamv1alpha2.User) error { // Groupbindings that created by kubeshpere will be deleted directly. listOptions := metav1.ListOptions{ LabelSelector: labels.SelectorFromSet(labels.Set{iamv1alpha2.UserReferenceLabel: user.Name}).String(), } deleteOptions := metav1.NewDeleteOptions(0) - if err := c.ksClient.IamV1alpha2().GroupBindings(). DeleteCollection(deleteOptions, listOptions); err != nil { klog.Error(err) @@ -580,12 +450,11 @@ func (c *Controller) deleteGroupBindings(user *iamv1alpha2.User) error { return nil } -func (c *Controller) deleteRoleBindings(user *iamv1alpha2.User) error { +func (c *userController) deleteRoleBindings(user *iamv1alpha2.User) error { listOptions := metav1.ListOptions{ LabelSelector: labels.SelectorFromSet(labels.Set{iamv1alpha2.UserReferenceLabel: user.Name}).String(), } deleteOptions := metav1.NewDeleteOptions(0) - if err := c.ksClient.IamV1alpha2().GlobalRoleBindings(). DeleteCollection(deleteOptions, listOptions); err != nil { klog.Error(err) @@ -619,7 +488,7 @@ func (c *Controller) deleteRoleBindings(user *iamv1alpha2.User) error { return nil } -func (c *Controller) deleteLoginRecords(user *iamv1alpha2.User) error { +func (c *userController) deleteLoginRecords(user *iamv1alpha2.User) error { listOptions := metav1.ListOptions{ LabelSelector: labels.SelectorFromSet(labels.Set{iamv1alpha2.UserReferenceLabel: user.Name}).String(), } @@ -634,28 +503,60 @@ func (c *Controller) deleteLoginRecords(user *iamv1alpha2.User) error { } // syncUserStatus will reconcile user state based on user login records -func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { +func (c *userController) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { // disabled user, nothing to do - if user == nil || (user.Status.State == iamv1alpha2.UserDisabled) { + if user.Status.State != nil && *user.Status.State == iamv1alpha2.UserDisabled { return user, nil } + // mapped user from other identity provider always active until disabled + if user.Spec.EncryptedPassword == "" && + user.Labels[iamv1alpha2.IdentifyProviderLabel] != "" && + (user.Status.State == nil || *user.Status.State != iamv1alpha2.UserActive) { + expected := user.DeepCopy() + active := iamv1alpha2.UserActive + expected.Status = iamv1alpha2.UserStatus{ + State: &active, + LastTransitionTime: &metav1.Time{Time: time.Now()}, + } + return c.ksClient.IamV1alpha2().Users().UpdateStatus(expected) + } + + // becomes inactive after setting a blank password + if user.Spec.EncryptedPassword == "" && + user.Labels[iamv1alpha2.IdentifyProviderLabel] == "" { + expected := user.DeepCopy() + expected.Status = iamv1alpha2.UserStatus{ + State: nil, + LastTransitionTime: &metav1.Time{Time: time.Now()}, + } + return c.ksClient.IamV1alpha2().Users().UpdateStatus(expected) + } + + // becomes active after password encrypted + if isEncrypted(user.Spec.EncryptedPassword) && + user.Status.State == nil { + expected := user.DeepCopy() + active := iamv1alpha2.UserActive + expected.Status = iamv1alpha2.UserStatus{ + State: &active, + LastTransitionTime: &metav1.Time{Time: time.Now()}, + } + return c.ksClient.IamV1alpha2().Users().UpdateStatus(expected) + } + // blocked user, check if need to unblock user - if user.Status.State == iamv1alpha2.UserAuthLimitExceeded { + if user.Status.State != nil && *user.Status.State == iamv1alpha2.UserAuthLimitExceeded { if user.Status.LastTransitionTime != nil && user.Status.LastTransitionTime.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).Before(time.Now()) { expected := user.DeepCopy() // unblock user - if user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] == "true" { - expected.Status = iamv1alpha2.UserStatus{ - State: iamv1alpha2.UserActive, - LastTransitionTime: &metav1.Time{Time: time.Now()}, - } - } - - if !reflect.DeepEqual(expected.Status, user.Status) { - return c.ksClient.IamV1alpha2().Users().Update(expected) + active := iamv1alpha2.UserActive + expected.Status = iamv1alpha2.UserStatus{ + State: &active, + LastTransitionTime: &metav1.Time{Time: time.Now()}, } + return c.ksClient.IamV1alpha2().Users().UpdateStatus(expected) } } @@ -670,7 +571,8 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User, now := time.Now() failedLoginAttempts := 0 for _, loginRecord := range records { - if !loginRecord.Spec.Success && loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) { + if !loginRecord.Spec.Success && + loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) { failedLoginAttempts++ } } @@ -678,26 +580,29 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User, // block user if failed login attempts exceeds maximum tries setting if failedLoginAttempts >= c.authenticationOptions.AuthenticateRateLimiterMaxTries { expect := user.DeepCopy() + limitExceed := iamv1alpha2.UserAuthLimitExceeded expect.Status = iamv1alpha2.UserStatus{ - State: iamv1alpha2.UserAuthLimitExceeded, + State: &limitExceed, Reason: fmt.Sprintf("Failed login attempts exceed %d in last %s", failedLoginAttempts, c.authenticationOptions.AuthenticateRateLimiterDuration), LastTransitionTime: &metav1.Time{Time: time.Now()}, } - // block user for AuthenticateRateLimiterDuration duration, after that put it back to the queue to unblock - c.workqueue.AddAfter(user.Name, c.authenticationOptions.AuthenticateRateLimiterDuration) - - return c.ksClient.IamV1alpha2().Users().Update(expect) + c.Workqueue.AddAfter(user.Name, c.authenticationOptions.AuthenticateRateLimiterDuration) + return c.ksClient.IamV1alpha2().Users().UpdateStatus(expect) } + return user, nil } func encrypt(password string) (string, error) { - // when user is already mapped to another identity, password is empty by default - // unable to log in directly until password reset - if password == "" { - return "", nil - } bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) return string(bytes), err } + +// isEncrypted returns whether the given password is encrypted +func isEncrypted(password string) bool { + // bcrypt.Cost returns the hashing cost used to create the given hashed + cost, _ := bcrypt.Cost([]byte(password)) + // cost > 0 means the password has been encrypted + return cost > 0 +} diff --git a/pkg/controller/user/user_controller_test.go b/pkg/controller/user/user_controller_test.go index cb42a093e1a9216c0f68bf9797144ccb0c8dd9d9..95d7ada3d6b211024b8cbc87336e9b0afb542e84 100644 --- a/pkg/controller/user/user_controller_test.go +++ b/pkg/controller/user/user_controller_test.go @@ -80,32 +80,32 @@ func newUser(name string) *iamv1alpha2.User { } } -func (f *fixture) newController() (*Controller, ksinformers.SharedInformerFactory, kubeinformers.SharedInformerFactory) { +func (f *fixture) newController() (*userController, ksinformers.SharedInformerFactory, kubeinformers.SharedInformerFactory) { f.ksclient = fake.NewSimpleClientset(f.objects...) f.k8sclient = k8sfake.NewSimpleClientset(f.kubeobjects...) ldapClient := ldapclient.NewSimpleLdap() - ksinformers := ksinformers.NewSharedInformerFactory(f.ksclient, noResyncPeriodFunc()) - k8sinformers := kubeinformers.NewSharedInformerFactory(f.k8sclient, noResyncPeriodFunc()) + ksInformers := ksinformers.NewSharedInformerFactory(f.ksclient, noResyncPeriodFunc()) + k8sInformers := kubeinformers.NewSharedInformerFactory(f.k8sclient, noResyncPeriodFunc()) for _, user := range f.userLister { - err := ksinformers.Iam().V1alpha2().Users().Informer().GetIndexer().Add(user) + err := ksInformers.Iam().V1alpha2().Users().Informer().GetIndexer().Add(user) if err != nil { f.t.Errorf("add user:%s", err) } } c := NewUserController(f.k8sclient, f.ksclient, nil, - ksinformers.Iam().V1alpha2().Users(), + ksInformers.Iam().V1alpha2().Users(), + ksInformers.Iam().V1alpha2().LoginRecords(), nil, nil, - ksinformers.Iam().V1alpha2().LoginRecords(), - k8sinformers.Core().V1().ConfigMaps(), + k8sInformers.Core().V1().ConfigMaps(), ldapClient, nil, options.NewAuthenticateOptions(), false) - c.userSynced = alwaysReady + c.Synced = []cache.InformerSynced{alwaysReady} c.recorder = &record.FakeRecorder{} - return c, ksinformers, k8sinformers + return c, ksInformers, k8sInformers } func (f *fixture) run(userName string) { @@ -230,14 +230,14 @@ func filterInformerActions(actions []core.Action) []core.Action { func (f *fixture) expectUpdateUserStatusAction(user *iamv1alpha2.User) { expect := user.DeepCopy() + //expect.Status.State = iamv1alpha2.UserActive expect.Finalizers = []string{"finalizers.kubesphere.io/users"} action := core.NewUpdateAction(schema.GroupVersionResource{Resource: "users"}, "", expect) f.actions = append(f.actions, action) expect = expect.DeepCopy() - expect.Status.State = iamv1alpha2.UserActive - expect.Annotations = map[string]string{iamv1alpha2.PasswordEncryptedAnnotation: "true"} action = core.NewUpdateAction(schema.GroupVersionResource{Resource: "users"}, "", expect) + action.Subresource = "status" f.actions = append(f.actions, action) } diff --git a/pkg/controller/user/user_webhook.go b/pkg/controller/user/user_webhook.go index bb519906479968821a80963a87fe4afc28524c60..4325ad840d5b862a24ae62a3adf7824c2100c4b8 100644 --- a/pkg/controller/user/user_webhook.go +++ b/pkg/controller/user/user_webhook.go @@ -39,10 +39,7 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi } allUsers := v1alpha2.UserList{} - - err = a.Client.List(ctx, &allUsers, &client.ListOptions{}) - - if err != nil { + if err = a.Client.List(ctx, &allUsers, &client.ListOptions{}); err != nil { return admission.Errored(http.StatusInternalServerError, err) } @@ -51,7 +48,6 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi } alreadyExist := emailAlreadyExist(allUsers, user) - if alreadyExist { return admission.Errored(http.StatusConflict, fmt.Errorf("user email: %s already exists", user.Spec.Email)) } diff --git a/pkg/kapis/iam/v1alpha2/handler.go b/pkg/kapis/iam/v1alpha2/handler.go index df428a7523d5420b2c4a8afea76cc94c2881fbcd..0461198d7058659fc7003094248cb86e2af8997b 100644 --- a/pkg/kapis/iam/v1alpha2/handler.go +++ b/pkg/kapis/iam/v1alpha2/handler.go @@ -18,19 +18,18 @@ package v1alpha2 import ( "fmt" + authuser "k8s.io/apiserver/pkg/authentication/user" + "kubesphere.io/kubesphere/pkg/apiserver/request" + "kubesphere.io/kubesphere/pkg/models/auth" "strings" "github.com/emicklei/go-restful" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apiserver/pkg/authentication/user" "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" - "kubesphere.io/kubesphere/pkg/api/iam" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" - authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer" - "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory" "kubesphere.io/kubesphere/pkg/apiserver/query" apirequest "kubesphere.io/kubesphere/pkg/apiserver/request" "kubesphere.io/kubesphere/pkg/models/iam/am" @@ -39,6 +38,21 @@ import ( servererr "kubesphere.io/kubesphere/pkg/server/errors" ) +type Member struct { + Username string `json:"username"` + RoleRef string `json:"roleRef"` +} + +type GroupMember struct { + UserName string `json:"userName"` + GroupName string `json:"groupName"` +} + +type PasswordReset struct { + CurrentPassword string `json:"currentPassword"` + Password string `json:"password"` +} + type iamHandler struct { am am.AccessManagementInterface im im.IdentityManagementInterface @@ -46,25 +60,15 @@ type iamHandler struct { authorizer authorizer.Authorizer } -func newIAMHandler(im im.IdentityManagementInterface, am am.AccessManagementInterface, group group.GroupOperator, options *authoptions.AuthenticationOptions) *iamHandler { +func newIAMHandler(im im.IdentityManagementInterface, am am.AccessManagementInterface, group group.GroupOperator, authorizer authorizer.Authorizer) *iamHandler { return &iamHandler{ am: am, im: im, group: group, - authorizer: authorizerfactory.NewRBACAuthorizer(am), + authorizer: authorizer, } } -type Member struct { - Username string `json:"username"` - RoleRef string `json:"roleRef"` -} - -type GroupMember struct { - UserName string `json:"userName"` - GroupName string `json:"groupName"` -} - func (h *iamHandler) DescribeUser(request *restful.Request, response *restful.Response) { username := request.PathParameter("user") @@ -75,11 +79,11 @@ func (h *iamHandler) DescribeUser(request *restful.Request, response *restful.Re } globalRole, err := h.am.GetGlobalRoleOfUser(username) + // ignore not found error if err != nil && !errors.IsNotFound(err) { api.HandleInternalError(response, request, err) return } - if globalRole != nil { user = appendGlobalRoleAnnotation(user, globalRole.Name) } @@ -109,7 +113,6 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo Ascending: false, Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(globalRole.Name)}, }) - if err != nil { api.HandleInternalError(response, request, err) return @@ -176,7 +179,6 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo Ascending: false, Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)}, }) - if err != nil { api.HandleInternalError(response, request, err) return @@ -264,13 +266,11 @@ func (h *iamHandler) ListUsers(request *restful.Request, response *restful.Respo user := item.(*iamv1alpha2.User) user = user.DeepCopy() globalRole, err := h.am.GetGlobalRoleOfUser(user.Name) - + // ignore not found error if err != nil && !errors.IsNotFound(err) { - klog.Error(err) api.HandleInternalError(response, request, err) return } - if globalRole != nil { user = appendGlobalRoleAnnotation(user, globalRole.Name) } @@ -290,8 +290,7 @@ func appendGlobalRoleAnnotation(user *iamv1alpha2.User, globalRole string) *iamv func (h *iamHandler) ListRoles(request *restful.Request, response *restful.Response) { namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -329,8 +328,7 @@ func (h *iamHandler) ListNamespaceMembers(request *restful.Request, response *re namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -348,8 +346,7 @@ func (h *iamHandler) DescribeNamespaceMember(request *restful.Request, response username := request.PathParameter("member") namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -377,7 +374,6 @@ func (h *iamHandler) ListWorkspaceRoles(request *restful.Request, response *rest workspace := request.PathParameter("workspace") queryParam.Filters[iamv1alpha2.ScopeWorkspace] = query.Value(workspace) - // shared workspace role template if string(queryParam.Filters[query.FieldLabel]) == fmt.Sprintf("%s=%s", iamv1alpha2.RoleTemplateLabel, "true") || queryParam.Filters[iamv1alpha2.AggregateTo] != "" { @@ -437,22 +433,19 @@ func (h *iamHandler) UpdateWorkspaceRole(request *restful.Request, response *res var workspaceRole iamv1alpha2.WorkspaceRole err := request.ReadEntity(&workspaceRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } if workspaceRoleName != workspaceRole.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", workspaceRole.Name, workspaceRoleName) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } updated, err := h.am.CreateOrUpdateWorkspaceRole(workspace, &workspaceRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -465,15 +458,13 @@ func (h *iamHandler) CreateWorkspaceRole(request *restful.Request, response *res var workspaceRole iamv1alpha2.WorkspaceRole err := request.ReadEntity(&workspaceRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } created, err := h.am.CreateOrUpdateWorkspaceRole(workspace, &workspaceRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -486,46 +477,56 @@ func (h *iamHandler) DeleteWorkspaceRole(request *restful.Request, response *res err := h.am.DeleteWorkspaceRole(workspace, workspaceRoleName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(servererr.None) } -func (h *iamHandler) CreateUser(request *restful.Request, response *restful.Response) { +func (h *iamHandler) CreateUser(req *restful.Request, resp *restful.Response) { var user iamv1alpha2.User - err := request.ReadEntity(&user) - + err := req.ReadEntity(&user) if err != nil { - klog.Error(err) - api.HandleBadRequest(response, request, err) + api.HandleBadRequest(resp, req, err) return } + operator, ok := request.UserFrom(req.Request.Context()) + if ok && operator.GetName() == iamv1alpha2.PreRegistrationUser { + extra := operator.GetExtra() + // The token used for registration must contain additional information + if len(extra[iamv1alpha2.ExtraIdentityProvider]) != 1 || len(extra[iamv1alpha2.ExtraUID]) != 1 { + err = errors.NewBadRequest("invalid registration token") + api.HandleBadRequest(resp, req, err) + return + } + if user.Labels == nil { + user.Labels = make(map[string]string) + } + user.Labels[iamv1alpha2.IdentifyProviderLabel] = extra[iamv1alpha2.ExtraIdentityProvider][0] + user.Labels[iamv1alpha2.OriginUIDLabel] = extra[iamv1alpha2.ExtraUID][0] + // default role + delete(user.Annotations, iamv1alpha2.GlobalRoleAnnotation) + } globalRole := user.Annotations[iamv1alpha2.GlobalRoleAnnotation] - delete(user.Annotations, iamv1alpha2.RoleAnnotation) - + delete(user.Annotations, iamv1alpha2.GlobalRoleAnnotation) if globalRole != "" { if _, err = h.am.GetGlobalRole(globalRole); err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(resp, req, err) return } } created, err := h.im.CreateUser(&user) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(resp, req, err) return } if globalRole != "" { if err := h.am.CreateGlobalRoleBinding(user.Name, globalRole); err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(resp, req, err) return } } @@ -533,7 +534,7 @@ func (h *iamHandler) CreateUser(request *restful.Request, response *restful.Resp // ensure encrypted password will not be output created.Spec.EncryptedPassword = "" - response.WriteEntity(created) + resp.WriteEntity(created) } func (h *iamHandler) UpdateUser(request *restful.Request, response *restful.Response) { @@ -544,14 +545,12 @@ func (h *iamHandler) UpdateUser(request *restful.Request, response *restful.Resp err := request.ReadEntity(&user) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } if username != user.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", user.Name, username) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } @@ -561,8 +560,7 @@ func (h *iamHandler) UpdateUser(request *restful.Request, response *restful.Resp updated, err := h.im.UpdateUser(&user) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -571,8 +569,7 @@ func (h *iamHandler) UpdateUser(request *restful.Request, response *restful.Resp if globalRole != "" && ok { err = h.updateGlobalRoleBinding(operator, updated, globalRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } updated = appendGlobalRoleAnnotation(updated, globalRole) @@ -583,11 +580,9 @@ func (h *iamHandler) UpdateUser(request *restful.Request, response *restful.Resp func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful.Response) { username := request.PathParameter("user") - - var passwordReset iam.PasswordReset + var passwordReset PasswordReset err := request.ReadEntity(&passwordReset) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -596,7 +591,6 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful. if !ok { err = errors.NewInternalError(fmt.Errorf("cannot obtain user info")) - klog.Error(err) api.HandleInternalError(response, request, err) return } @@ -611,7 +605,6 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful. decision, _, err := h.authorizer.Authorize(userManagement) if err != nil { - klog.Error(err) api.HandleInternalError(response, request, err) return } @@ -620,19 +613,17 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful. // if old password is defined must be verified if decision != authorizer.DecisionAllow || passwordReset.CurrentPassword != "" { if err = h.im.PasswordVerify(username, passwordReset.CurrentPassword); err != nil { - if err == im.AuthFailedIncorrectPassword { + if err == auth.IncorrectPasswordError { err = errors.NewBadRequest("incorrect old password") } - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } } err = h.im.ModifyPassword(username, passwordReset.Password) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -644,8 +635,7 @@ func (h *iamHandler) DeleteUser(request *restful.Request, response *restful.Resp err := h.im.DeleteUser(username) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -655,18 +645,15 @@ func (h *iamHandler) DeleteUser(request *restful.Request, response *restful.Resp func (h *iamHandler) CreateGlobalRole(request *restful.Request, response *restful.Response) { var globalRole iamv1alpha2.GlobalRole - err := request.ReadEntity(&globalRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } created, err := h.am.CreateOrUpdateGlobalRole(&globalRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -675,11 +662,9 @@ func (h *iamHandler) CreateGlobalRole(request *restful.Request, response *restfu func (h *iamHandler) DeleteGlobalRole(request *restful.Request, response *restful.Response) { globalRole := request.PathParameter("globalrole") - err := h.am.DeleteGlobalRole(globalRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -690,25 +675,21 @@ func (h *iamHandler) UpdateGlobalRole(request *restful.Request, response *restfu globalRoleName := request.PathParameter("globalrole") var globalRole iamv1alpha2.GlobalRole - err := request.ReadEntity(&globalRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } if globalRoleName != globalRole.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", globalRole.Name, globalRoleName) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } updated, err := h.am.CreateOrUpdateGlobalRole(&globalRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -719,8 +700,7 @@ func (h *iamHandler) DescribeGlobalRole(request *restful.Request, response *rest globalRoleName := request.PathParameter("globalrole") globalRole, err := h.am.GetGlobalRole(globalRoleName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(globalRole) @@ -730,15 +710,13 @@ func (h *iamHandler) CreateClusterRole(request *restful.Request, response *restf var clusterRole rbacv1.ClusterRole err := request.ReadEntity(&clusterRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } created, err := h.am.CreateOrUpdateClusterRole(&clusterRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -750,8 +728,7 @@ func (h *iamHandler) DeleteClusterRole(request *restful.Request, response *restf err := h.am.DeleteClusterRole(clusterrole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -765,22 +742,19 @@ func (h *iamHandler) UpdateClusterRole(request *restful.Request, response *restf err := request.ReadEntity(&clusterRole) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } if clusterRoleName != clusterRole.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", clusterRole.Name, clusterRoleName) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } updated, err := h.am.CreateOrUpdateClusterRole(&clusterRole) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -791,8 +765,7 @@ func (h *iamHandler) DescribeClusterRole(request *restful.Request, response *res clusterRoleName := request.PathParameter("clusterrole") clusterRole, err := h.am.GetClusterRole(clusterRoleName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(clusterRole) @@ -803,8 +776,7 @@ func (h *iamHandler) DescribeWorkspaceRole(request *restful.Request, response *r workspaceRoleName := request.PathParameter("workspacerole") workspaceRole, err := h.am.GetWorkspaceRole(workspace, workspaceRoleName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(workspaceRole) @@ -814,23 +786,20 @@ func (h *iamHandler) CreateNamespaceRole(request *restful.Request, response *res namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } var role rbacv1.Role err = request.ReadEntity(&role) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } created, err := h.am.CreateOrUpdateNamespaceRole(namespace, &role) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -842,15 +811,13 @@ func (h *iamHandler) DeleteNamespaceRole(request *restful.Request, response *res namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } err = h.am.DeleteNamespaceRole(namespace, role) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -859,33 +826,28 @@ func (h *iamHandler) DeleteNamespaceRole(request *restful.Request, response *res func (h *iamHandler) UpdateNamespaceRole(request *restful.Request, response *restful.Response) { roleName := request.PathParameter("role") - namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } var role rbacv1.Role err = request.ReadEntity(&role) if err != nil { - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } if roleName != role.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", role.Name, roleName) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } updated, err := h.am.CreateOrUpdateNamespaceRole(namespace, &role) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -898,7 +860,6 @@ func (h *iamHandler) CreateWorkspaceMembers(request *restful.Request, response * var members []Member err := request.ReadEntity(&members) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -906,8 +867,7 @@ func (h *iamHandler) CreateWorkspaceMembers(request *restful.Request, response * for _, member := range members { err := h.am.CreateUserWorkspaceRoleBinding(member.Username, workspace, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } } @@ -921,8 +881,7 @@ func (h *iamHandler) RemoveWorkspaceMember(request *restful.Request, response *r err := h.am.RemoveUserFromWorkspace(username, workspace) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -936,22 +895,19 @@ func (h *iamHandler) UpdateWorkspaceMember(request *restful.Request, response *r var member Member err := request.ReadEntity(&member) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } if username != member.Username { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", member.Username, username) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } err = h.am.CreateUserWorkspaceRoleBinding(member.Username, workspace, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -962,15 +918,13 @@ func (h *iamHandler) CreateNamespaceMembers(request *restful.Request, response * namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } var members []Member err = request.ReadEntity(&members) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -978,8 +932,7 @@ func (h *iamHandler) CreateNamespaceMembers(request *restful.Request, response * for _, member := range members { err := h.am.CreateNamespaceRoleBinding(member.Username, namespace, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } } @@ -989,33 +942,28 @@ func (h *iamHandler) CreateNamespaceMembers(request *restful.Request, response * func (h *iamHandler) UpdateNamespaceMember(request *restful.Request, response *restful.Response) { username := request.PathParameter("member") - namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } var member Member err = request.ReadEntity(&member) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } if username != member.Username { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", member.Username, username) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } err = h.am.CreateNamespaceRoleBinding(member.Username, namespace, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1024,18 +972,15 @@ func (h *iamHandler) UpdateNamespaceMember(request *restful.Request, response *r func (h *iamHandler) RemoveNamespaceMember(request *restful.Request, response *restful.Response) { username := request.PathParameter("member") - namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } err = h.am.RemoveUserFromNamespace(username, namespace) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1044,10 +989,8 @@ func (h *iamHandler) RemoveNamespaceMember(request *restful.Request, response *r func (h *iamHandler) CreateClusterMembers(request *restful.Request, response *restful.Response) { var members []Member - err := request.ReadEntity(&members) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -1055,8 +998,7 @@ func (h *iamHandler) CreateClusterMembers(request *restful.Request, response *re for _, member := range members { err := h.am.CreateClusterRoleBinding(member.Username, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } } @@ -1069,8 +1011,7 @@ func (h *iamHandler) RemoveClusterMember(request *restful.Request, response *res err := h.am.RemoveUserFromCluster(username) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1083,22 +1024,19 @@ func (h *iamHandler) UpdateClusterMember(request *restful.Request, response *res var member Member err := request.ReadEntity(&member) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } if username != member.Username { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", member.Username, username) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } err = h.am.CreateClusterRoleBinding(member.Username, member.RoleRef) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1144,15 +1082,13 @@ func (h *iamHandler) DescribeNamespaceRole(request *restful.Request, response *r roleName := request.PathParameter("role") namespace, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } role, err := h.am.GetNamespaceRole(namespace, roleName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1174,7 +1110,6 @@ func (h *iamHandler) PatchWorkspaceRole(request *restful.Request, response *rest var workspaceRole iamv1alpha2.WorkspaceRole err := request.ReadEntity(&workspaceRole) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -1182,7 +1117,7 @@ func (h *iamHandler) PatchWorkspaceRole(request *restful.Request, response *rest workspaceRole.Name = workspaceRoleName patched, err := h.am.PatchWorkspaceRole(workspaceName, &workspaceRole) if err != nil { - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1195,7 +1130,6 @@ func (h *iamHandler) PatchGlobalRole(request *restful.Request, response *restful var globalRole iamv1alpha2.GlobalRole err := request.ReadEntity(&globalRole) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -1203,7 +1137,7 @@ func (h *iamHandler) PatchGlobalRole(request *restful.Request, response *restful globalRole.Name = globalRoleName patched, err := h.am.PatchGlobalRole(&globalRole) if err != nil { - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1214,15 +1148,13 @@ func (h *iamHandler) PatchNamespaceRole(request *restful.Request, response *rest roleName := request.PathParameter("role") namespaceName, err := h.resolveNamespace(request.PathParameter("namespace"), request.PathParameter("devops")) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } var role rbacv1.Role err = request.ReadEntity(&role) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -1230,7 +1162,7 @@ func (h *iamHandler) PatchNamespaceRole(request *restful.Request, response *rest role.Name = roleName patched, err := h.am.PatchNamespaceRole(namespaceName, &role) if err != nil { - handleError(request, response, err) + api.HandleError(response, request, err) return } @@ -1243,7 +1175,6 @@ func (h *iamHandler) PatchClusterRole(request *restful.Request, response *restfu var clusterRole rbacv1.ClusterRole err := request.ReadEntity(&clusterRole) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } @@ -1251,14 +1182,14 @@ func (h *iamHandler) PatchClusterRole(request *restful.Request, response *restfu clusterRole.Name = clusterRoleName patched, err := h.am.PatchClusterRole(&clusterRole) if err != nil { - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(patched) } -func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alpha2.User, globalRole string) error { +func (h *iamHandler) updateGlobalRoleBinding(operator authuser.Info, user *iamv1alpha2.User, globalRole string) error { oldGlobalRole, err := h.am.GetGlobalRoleOfUser(user.Name) if err != nil && !errors.IsNotFound(err) { @@ -1298,44 +1229,21 @@ func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alph func (h *iamHandler) ListUserLoginRecords(request *restful.Request, response *restful.Response) { username := request.PathParameter("user") queryParam := query.ParseQueryParameter(request) - queryParam.Filters[query.FieldLabel] = query.Value(fmt.Sprintf("%s=%s", iamv1alpha2.UserReferenceLabel, username)) - result, err := h.im.ListLoginRecords(queryParam) + result, err := h.im.ListLoginRecords(username, queryParam) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } response.WriteEntity(result) } -func handleError(request *restful.Request, response *restful.Response, err error) { - if errors.IsBadRequest(err) || errors.IsInvalid(err) { - api.HandleBadRequest(response, request, err) - } else if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - } else if errors.IsAlreadyExists(err) { - api.HandleConflict(response, request, err) - } else if errors.IsForbidden(err) { - api.HandleForbidden(response, request, err) - } else if errors.IsResourceExpired(err) { - api.HandleConflict(response, request, err) - } else { - api.HandleInternalError(response, request, err) - } -} - func (h *iamHandler) ListWorkspaceGroups(request *restful.Request, response *restful.Response) { workspaceName := request.PathParameter("workspace") queryParam := query.ParseQueryParameter(request) result, err := h.group.ListGroups(workspaceName, queryParam) if err != nil { - klog.Error(err) - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1347,22 +1255,14 @@ func (h *iamHandler) CreateGroup(request *restful.Request, response *restful.Res var group iamv1alpha2.Group err := request.ReadEntity(&group) - if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } created, err := h.group.CreateGroup(workspace, &group) - if err != nil { - klog.Error(err) - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleBadRequest(response, request, err) + api.HandleError(response, request, err) return } @@ -1375,11 +1275,7 @@ func (h *iamHandler) DescribeGroup(request *restful.Request, response *restful.R ns, err := h.group.DescribeGroup(workspaceName, groupName) if err != nil { - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1391,13 +1287,8 @@ func (h *iamHandler) DeleteGroup(request *restful.Request, response *restful.Res groupName := request.PathParameter("group") err := h.group.DeleteGroup(workspaceName, groupName) - if err != nil { - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1411,31 +1302,19 @@ func (h *iamHandler) UpdateGroup(request *restful.Request, response *restful.Res var group iamv1alpha2.Group err := request.ReadEntity(&group) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } if groupName != group.Name { err := fmt.Errorf("the name of the object (%s) does not match the name on the URL (%s)", group.Name, groupName) - klog.Errorf("%+v", err) api.HandleBadRequest(response, request, err) return } updated, err := h.group.UpdateGroup(workspaceName, &group) - if err != nil { - klog.Error(err) - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - if errors.IsBadRequest(err) { - api.HandleBadRequest(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1449,26 +1328,14 @@ func (h *iamHandler) PatchGroup(request *restful.Request, response *restful.Resp var group iamv1alpha2.Group err := request.ReadEntity(&group) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } group.Name = groupName - patched, err := h.group.PatchGroup(workspaceName, &group) - if err != nil { - klog.Error(err) - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - if errors.IsBadRequest(err) { - api.HandleBadRequest(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1480,14 +1347,8 @@ func (h *iamHandler) ListGroupBindings(request *restful.Request, response *restf groupName := request.PathParameter("group") queryParam := query.ParseQueryParameter(request) result, err := h.group.ListGroupBindings(workspaceName, groupName, queryParam) - if err != nil { - klog.Error(err) - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1498,9 +1359,7 @@ func (h *iamHandler) ListGroupRoleBindings(request *restful.Request, response *r workspaceName := request.PathParameter("workspace") groupName := request.PathParameter("group") result, err := h.am.ListGroupRoleBindings(workspaceName, groupName) - if err != nil { - klog.Error(err) api.HandleInternalError(response, request, err) return } @@ -1512,9 +1371,7 @@ func (h *iamHandler) ListGroupDevOpsRoleBindings(request *restful.Request, respo workspaceName := request.PathParameter("workspace") groupName := request.PathParameter("group") result, err := h.am.ListGroupDevOpsRoleBindings(workspaceName, groupName) - if err != nil { - klog.Error(err) api.HandleInternalError(response, request, err) return } @@ -1527,17 +1384,15 @@ func (h *iamHandler) CreateRoleBinding(request *restful.Request, response *restf var roleBindings []rbacv1.RoleBinding err := request.ReadEntity(&roleBindings) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } - results := []rbacv1.RoleBinding{} + var results []rbacv1.RoleBinding for _, item := range roleBindings { r, err := h.am.CreateRoleBinding(namespace, &item) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } results = append(results, *r) @@ -1551,13 +1406,8 @@ func (h *iamHandler) DeleteRoleBinding(request *restful.Request, response *restf namespace := request.PathParameter("namespace") err := h.am.DeleteRoleBinding(namespace, name) - if err != nil { - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1568,9 +1418,7 @@ func (h *iamHandler) ListGroupWorkspaceRoleBindings(request *restful.Request, re workspaceName := request.PathParameter("workspace") groupName := request.PathParameter("group") result, err := h.am.ListGroupWorkspaceRoleBindings(workspaceName, groupName) - if err != nil { - klog.Error(err) api.HandleInternalError(response, request, err) return } @@ -1584,17 +1432,15 @@ func (h *iamHandler) CreateWorkspaceRoleBinding(request *restful.Request, respon var roleBindings []iamv1alpha2.WorkspaceRoleBinding err := request.ReadEntity(&roleBindings) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } - results := []iamv1alpha2.WorkspaceRoleBinding{} + var results []iamv1alpha2.WorkspaceRoleBinding for _, item := range roleBindings { r, err := h.am.CreateWorkspaceRoleBinding(workspaceName, &item) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } results = append(results, *r) @@ -1608,13 +1454,8 @@ func (h *iamHandler) DeleteWorkspaceRoleBinding(request *restful.Request, respon name := request.PathParameter("rolebinding") err := h.am.DeleteWorkspaceRoleBinding(workspaceName, name) - if err != nil { - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } @@ -1628,18 +1469,15 @@ func (h *iamHandler) CreateGroupBinding(request *restful.Request, response *rest var members []GroupMember err := request.ReadEntity(&members) if err != nil { - klog.Error(err) api.HandleBadRequest(response, request, err) return } - results := []iamv1alpha2.GroupBinding{} - + var results []iamv1alpha2.GroupBinding for _, item := range members { b, err := h.group.CreateGroupBinding(workspace, item.GroupName, item.UserName) if err != nil { - klog.Error(err) - handleError(request, response, err) + api.HandleError(response, request, err) return } results = append(results, *b) @@ -1653,13 +1491,8 @@ func (h *iamHandler) DeleteGroupBinding(request *restful.Request, response *rest name := request.PathParameter("groupbinding") err := h.group.DeleteGroupBinding(workspaceName, name) - if err != nil { - if errors.IsNotFound(err) { - api.HandleNotFound(response, request, err) - return - } - api.HandleInternalError(response, request, err) + api.HandleError(response, request, err) return } diff --git a/pkg/kapis/iam/v1alpha2/register.go b/pkg/kapis/iam/v1alpha2/register.go index 2f62ee71729b9385a7a37b31ac9399768070e7c0..6643cefcb0ed3b94913445749aeb61fe05b58ad1 100644 --- a/pkg/kapis/iam/v1alpha2/register.go +++ b/pkg/kapis/iam/v1alpha2/register.go @@ -17,6 +17,7 @@ limitations under the License. package v1alpha2 import ( + "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer" "net/http" "github.com/emicklei/go-restful" @@ -25,9 +26,7 @@ import ( v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/runtime/schema" "kubesphere.io/kubesphere/pkg/api" - "kubesphere.io/kubesphere/pkg/api/iam" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" - authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" "kubesphere.io/kubesphere/pkg/apiserver/runtime" "kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/models/iam/am" @@ -42,9 +41,9 @@ const ( var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"} -func AddToContainer(container *restful.Container, im im.IdentityManagementInterface, am am.AccessManagementInterface, group group.GroupOperator, options *authoptions.AuthenticationOptions) error { +func AddToContainer(container *restful.Container, im im.IdentityManagementInterface, am am.AccessManagementInterface, group group.GroupOperator, authorizer authorizer.Authorizer) error { ws := runtime.NewWebService(GroupVersion) - handler := newIAMHandler(im, am, group, options) + handler := newIAMHandler(im, am, group, authorizer) // users ws.Route(ws.POST("/users"). @@ -69,7 +68,7 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf ws.Route(ws.PUT("/users/{user}/password"). To(handler.ModifyPassword). Doc("Reset password of the specified user."). - Reads(iam.PasswordReset{}). + Reads(PasswordReset{}). Param(ws.PathParameter("user", "username")). Returns(http.StatusOK, api.StatusOK, errors.None). Metadata(restfulspec.KeyOpenAPITags, []string{constants.UserTag})) diff --git a/pkg/kapis/oauth/handler.go b/pkg/kapis/oauth/handler.go index 97cbd2193f826536132e8dc6dd19773d07fd4d17..48a2b241e3c5989947f16fee903f4806655787b7 100644 --- a/pkg/kapis/oauth/handler.go +++ b/pkg/kapis/oauth/handler.go @@ -20,62 +20,101 @@ import ( "fmt" "github.com/emicklei/go-restful" apierrors "k8s.io/apimachinery/pkg/api/errors" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" - "kubesphere.io/kubesphere/pkg/api/auth" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" - "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" - "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" + "kubesphere.io/kubesphere/pkg/apiserver/query" "kubesphere.io/kubesphere/pkg/apiserver/request" + "kubesphere.io/kubesphere/pkg/models/auth" "kubesphere.io/kubesphere/pkg/models/iam/im" "net/http" ) +const ( + KindTokenReview = "TokenReview" + passwordGrantType = "password" + refreshTokenGrantType = "refresh_token" +) + +type Spec struct { + Token string `json:"token" description:"access token"` +} + +type Status struct { + Authenticated bool `json:"authenticated" description:"is authenticated"` + User map[string]interface{} `json:"user,omitempty" description:"user info"` +} + +type TokenReview struct { + APIVersion string `json:"apiVersion" description:"Kubernetes API version"` + Kind string `json:"kind" description:"kind of the API object"` + Spec *Spec `json:"spec,omitempty"` + Status *Status `json:"status,omitempty" description:"token review status"` +} + +type LoginRequest struct { + Username string `json:"username" description:"username"` + Password string `json:"password" description:"password"` +} + +func (request *TokenReview) Validate() error { + if request.Spec == nil || request.Spec.Token == "" { + return fmt.Errorf("token must not be null") + } + return nil +} + type handler struct { - im im.IdentityManagementInterface - options *authoptions.AuthenticationOptions - tokenOperator im.TokenManagementInterface - authenticator im.PasswordAuthenticator - loginRecorder im.LoginRecorder + im im.IdentityManagementInterface + options *authoptions.AuthenticationOptions + tokenOperator auth.TokenManagementInterface + passwordAuthenticator auth.PasswordAuthenticator + oauth2Authenticator auth.OAuth2Authenticator + loginRecorder auth.LoginRecorder } -func newHandler(im im.IdentityManagementInterface, tokenOperator im.TokenManagementInterface, authenticator im.PasswordAuthenticator, loginRecorder im.LoginRecorder, options *authoptions.AuthenticationOptions) *handler { - return &handler{im: im, tokenOperator: tokenOperator, authenticator: authenticator, loginRecorder: loginRecorder, options: options} +func newHandler(im im.IdentityManagementInterface, + tokenOperator auth.TokenManagementInterface, + passwordAuthenticator auth.PasswordAuthenticator, + oauth2Authenticator auth.OAuth2Authenticator, + loginRecorder auth.LoginRecorder, + options *authoptions.AuthenticationOptions) *handler { + return &handler{im: im, + tokenOperator: tokenOperator, + passwordAuthenticator: passwordAuthenticator, + oauth2Authenticator: oauth2Authenticator, + loginRecorder: loginRecorder, + options: options} } // Implement webhook authentication interface // https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication func (h *handler) TokenReview(req *restful.Request, resp *restful.Response) { - var tokenReview auth.TokenReview + var tokenReview TokenReview err := req.ReadEntity(&tokenReview) - if err != nil { - klog.Error(err) api.HandleBadRequest(resp, req, err) return } if err = tokenReview.Validate(); err != nil { - klog.Error(err) api.HandleBadRequest(resp, req, err) return } authenticated, err := h.tokenOperator.Verify(tokenReview.Spec.Token) - if err != nil { - klog.Errorln(err) api.HandleInternalError(resp, req, err) return } - success := auth.TokenReview{APIVersion: tokenReview.APIVersion, - Kind: auth.KindTokenReview, - Status: &auth.Status{ + success := TokenReview{APIVersion: tokenReview.APIVersion, + Kind: KindTokenReview, + Status: &Status{ Authenticated: true, User: map[string]interface{}{"username": authenticated.GetName(), "uid": authenticated.GetUID()}, }, @@ -93,34 +132,33 @@ func (h *handler) Authorize(req *restful.Request, resp *restful.Response) { conf, err := h.options.OAuthOptions.OAuthClient(clientId) if err != nil { err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } if responseType != "token" { err := apierrors.NewBadRequest(fmt.Sprintf("Response type %s is not supported", responseType)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } if !ok { err := apierrors.NewUnauthorized("Unauthorized") - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } token, err := h.tokenOperator.IssueTo(authenticated) if err != nil { err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } redirectURL, err := conf.ResolveRedirectURL(redirectURI) - if err != nil { err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } @@ -133,105 +171,41 @@ func (h *handler) Authorize(req *restful.Request, resp *restful.Response) { http.Redirect(resp, req.Request, redirectURL, http.StatusFound) } -func (h *handler) oAuthCallBack(req *restful.Request, resp *restful.Response) { - +func (h *handler) oauthCallBack(req *restful.Request, resp *restful.Response) { code := req.QueryParameter("code") - name := req.PathParameter("callback") + provider := req.PathParameter("callback") if code == "" { err := apierrors.NewUnauthorized("Unauthorized: missing code") - resp.WriteError(http.StatusUnauthorized, err) - } - - providerOptions, err := h.options.OAuthOptions.IdentityProviderOptions(name) - - if err != nil { - err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) - } - - oauthIdentityProvider, err := identityprovider.GetOAuthProvider(providerOptions.Type, providerOptions.Provider) - - if err != nil { - err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleError(resp, req, err) return } - identity, err := oauthIdentityProvider.IdentityExchange(code) - + authenticated, provider, err := h.oauth2Authenticator.Authenticate(provider, code) if err != nil { - err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleUnauthorized(resp, req, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))) return } - authenticated, err := h.im.DescribeUser(identity.GetName()) - if err != nil { - // create user if not exist - if (oauth.MappingMethodAuto == providerOptions.MappingMethod || - oauth.MappingMethodMixed == providerOptions.MappingMethod) && - apierrors.IsNotFound(err) { - create := &iamv1alpha2.User{ - ObjectMeta: v1.ObjectMeta{Name: identity.GetName(), - Annotations: map[string]string{iamv1alpha2.IdentifyProviderLabel: providerOptions.Name}}, - Spec: iamv1alpha2.UserSpec{Email: identity.GetEmail()}, - } - if authenticated, err = h.im.CreateUser(create); err != nil { - klog.Error(err) - api.HandleInternalError(resp, req, err) - return - } - } else { - klog.Error(err) - api.HandleInternalError(resp, req, err) - return - } - } - - if oauth.MappingMethodLookup == providerOptions.MappingMethod && - authenticated == nil { - err := apierrors.NewUnauthorized(fmt.Sprintf("user %s cannot bound to this identify provider", identity.GetName())) - klog.Error(err) - resp.WriteError(http.StatusUnauthorized, err) - return - } - - // oauth.MappingMethodAuto - // Fails if a user with that user name is already mapped to another identity. - if providerOptions.MappingMethod == oauth.MappingMethodAuto && authenticated.Annotations[iamv1alpha2.IdentifyProviderLabel] != providerOptions.Name { - err := apierrors.NewUnauthorized(fmt.Sprintf("user %s is already bound to other identify provider", identity.GetName())) - klog.Error(err) - resp.WriteError(http.StatusUnauthorized, err) - return - } - - result, err := h.tokenOperator.IssueTo(&user.DefaultInfo{ - Name: authenticated.Name, - UID: string(authenticated.UID), - }) - + result, err := h.tokenOperator.IssueTo(authenticated) if err != nil { - err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - resp.WriteError(http.StatusUnauthorized, err) + api.HandleInternalError(resp, req, apierrors.NewInternalError(err)) return } - if err = h.loginRecorder.RecordLogin(authenticated.Name, iamv1alpha2.OAuth, providerOptions.Name, nil, req.Request); err != nil { - klog.Error(err) - err := apierrors.NewInternalError(err) - resp.WriteError(http.StatusInternalServerError, err) - return + requestInfo, _ := request.RequestInfoFrom(req.Request.Context()) + if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, nil); err != nil { + klog.Errorf("Failed to record successful login for user %s, error: %v", authenticated.GetName(), err) } resp.WriteEntity(result) } func (h *handler) Login(request *restful.Request, response *restful.Response) { - var loginRequest auth.LoginRequest + var loginRequest LoginRequest err := request.ReadEntity(&loginRequest) - if err != nil || loginRequest.Username == "" || loginRequest.Password == "" { - response.WriteHeaderAndEntity(http.StatusUnauthorized, fmt.Errorf("empty username or password")) + if err != nil { + api.HandleBadRequest(response, request, err) return } h.passwordGrant(loginRequest.Username, loginRequest.Password, request, response) @@ -240,71 +214,53 @@ func (h *handler) Login(request *restful.Request, response *restful.Response) { func (h *handler) Token(req *restful.Request, response *restful.Response) { grantType, err := req.BodyParameter("grant_type") if err != nil { - klog.Error(err) api.HandleBadRequest(response, req, err) return } switch grantType { - case "password": - username, err := req.BodyParameter("username") - if err != nil { - klog.Error(err) - api.HandleBadRequest(response, req, err) - return - } - password, err := req.BodyParameter("password") - if err != nil { - klog.Error(err) - api.HandleBadRequest(response, req, err) - return - } + case passwordGrantType: + username, _ := req.BodyParameter("username") + password, _ := req.BodyParameter("password") h.passwordGrant(username, password, req, response) break - case "refresh_token": + case refreshTokenGrantType: h.refreshTokenGrant(req, response) break default: err := apierrors.NewBadRequest(fmt.Sprintf("Grant type %s is not supported", grantType)) - response.WriteError(http.StatusBadRequest, err) + api.HandleBadRequest(response, req, err) } } func (h *handler) passwordGrant(username string, password string, req *restful.Request, response *restful.Response) { - authenticated, err := h.authenticator.Authenticate(username, password) + authenticated, provider, err := h.passwordAuthenticator.Authenticate(username, password) if err != nil { - klog.Error(err) switch err { - case im.AuthFailedIncorrectPassword: - if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil { - klog.Error(err) - response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err)) - return + case auth.IncorrectPasswordError: + requestInfo, _ := request.RequestInfoFrom(req.Request.Context()) + if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, err); err != nil { + klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err) } - response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))) - return - case im.AuthFailedIdentityMappingNotMatch: - response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))) + api.HandleUnauthorized(response, req, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))) return - case im.AuthRateLimitExceeded: - response.WriteError(http.StatusTooManyRequests, apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60)) + case auth.RateLimitExceededError: + api.HandleTooManyRequests(response, req, apierrors.NewTooManyRequestsError(fmt.Sprintf("Unauthorized: %s", err))) return default: - response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err)) + api.HandleInternalError(response, req, apierrors.NewInternalError(err)) return } } result, err := h.tokenOperator.IssueTo(authenticated) if err != nil { - klog.Error(err) - response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err)) + api.HandleInternalError(response, req, apierrors.NewInternalError(err)) return } - if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, "", nil, req.Request); err != nil { - klog.Error(err) - response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err)) - return + requestInfo, _ := request.RequestInfoFrom(req.Request.Context()) + if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, nil); err != nil { + klog.Errorf("Failed to record successful login for user %s, error: %v", username, err) } response.WriteEntity(result) @@ -313,22 +269,46 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R func (h *handler) refreshTokenGrant(req *restful.Request, response *restful.Response) { refreshToken, err := req.BodyParameter("refresh_token") if err != nil { - klog.Error(err) - api.HandleBadRequest(response, req, err) + api.HandleBadRequest(response, req, apierrors.NewBadRequest(err.Error())) return } authenticated, err := h.tokenOperator.Verify(refreshToken) if err != nil { err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - response.WriteError(http.StatusUnauthorized, err) + api.HandleUnauthorized(response, req, apierrors.NewUnauthorized(err.Error())) return } + // update token after registration + if authenticated.GetName() == iamv1alpha2.PreRegistrationUser && + authenticated.GetExtra() != nil && + len(authenticated.GetExtra()[iamv1alpha2.ExtraIdentityProvider]) > 0 && + len(authenticated.GetExtra()[iamv1alpha2.ExtraUID]) > 0 { + + idp := authenticated.GetExtra()[iamv1alpha2.ExtraIdentityProvider][0] + uid := authenticated.GetExtra()[iamv1alpha2.ExtraUID][0] + queryParam := query.New() + queryParam.LabelSelector = labels.SelectorFromSet(labels.Set{ + iamv1alpha2.IdentifyProviderLabel: idp, + iamv1alpha2.OriginUIDLabel: uid}).String() + result, err := h.im.ListUsers(queryParam) + if err != nil { + api.HandleInternalError(response, req, apierrors.NewInternalError(err)) + return + } + if len(result.Items) != 1 { + err := apierrors.NewUnauthorized("authenticated user does not exist") + api.HandleUnauthorized(response, req, apierrors.NewUnauthorized(err.Error())) + return + } + authenticated = &user.DefaultInfo{Name: result.Items[0].(*iamv1alpha2.User).Name} + } + result, err := h.tokenOperator.IssueTo(authenticated) if err != nil { err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) - response.WriteError(http.StatusUnauthorized, err) + api.HandleUnauthorized(response, req, apierrors.NewUnauthorized(err.Error())) return } diff --git a/pkg/kapis/oauth/register.go b/pkg/kapis/oauth/register.go index a647326c6e716187ca51d5934f9252e53289b6d9..23d0ab6bcec4cabf356e30dbf11c63dc91b3c16b 100644 --- a/pkg/kapis/oauth/register.go +++ b/pkg/kapis/oauth/register.go @@ -20,10 +20,10 @@ import ( "github.com/emicklei/go-restful" restfulspec "github.com/emicklei/go-restful-openapi" "kubesphere.io/kubesphere/pkg/api" - "kubesphere.io/kubesphere/pkg/api/auth" "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" "kubesphere.io/kubesphere/pkg/constants" + "kubesphere.io/kubesphere/pkg/models/auth" "kubesphere.io/kubesphere/pkg/models/iam/im" "net/http" ) @@ -34,22 +34,28 @@ import ( // Most authentication integrations place an authenticating proxy in front of this endpoint, or configure ks-apiserver // to validate credentials against a backing identity provider. // Requests to /oauth/authorize can come from user-agents that cannot display interactive login pages, such as the CLI. -func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, tokenOperator im.TokenManagementInterface, authenticator im.PasswordAuthenticator, loginRecorder im.LoginRecorder, options *authoptions.AuthenticationOptions) error { +func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, + tokenOperator auth.TokenManagementInterface, + passwordAuthenticator auth.PasswordAuthenticator, + oauth2Authenticator auth.OAuth2Authenticator, + loginRecorder auth.LoginRecorder, + options *authoptions.AuthenticationOptions) error { + ws := &restful.WebService{} ws.Path("/oauth"). Consumes(restful.MIME_JSON). Produces(restful.MIME_JSON) - handler := newHandler(im, tokenOperator, authenticator, loginRecorder, options) + handler := newHandler(im, tokenOperator, passwordAuthenticator, oauth2Authenticator, loginRecorder, options) // Implement webhook authentication interface // https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication ws.Route(ws.POST("/authenticate"). Doc("TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be "+ "cached by the webhook token authenticator plugin in the kube-apiserver."). - Reads(auth.TokenReview{}). + Reads(TokenReview{}). To(handler.TokenReview). - Returns(http.StatusOK, api.StatusOK, auth.TokenReview{}). + Returns(http.StatusOK, api.StatusOK, TokenReview{}). Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag})) // Only support implicit grant flow @@ -98,7 +104,7 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, tok "otherwise, REQUIRED. The scope of the access token as described by [RFC6479] Section 3.3.").Required(false)). Param(ws.QueryParameter("state", "if the \"state\" parameter was present in the client authorization request."+ "The exact value received from the client.").Required(true)). - To(handler.oAuthCallBack). + To(handler.oauthCallBack). Returns(http.StatusOK, api.StatusOK, oauth.Token{}). Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag})) @@ -113,7 +119,7 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, tok To(handler.Login). Deprecate(). Doc("KubeSphere APIs support token-based authentication via the Authtoken request header. The POST Login API is used to retrieve the authentication token. After the authentication token is obtained, it must be inserted into the Authtoken header for all requests."). - Reads(auth.LoginRequest{}). + Reads(LoginRequest{}). Returns(http.StatusOK, api.StatusOK, oauth.Token{}). Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag})) diff --git a/pkg/kapis/resources/v1alpha3/handler.go b/pkg/kapis/resources/v1alpha3/handler.go index 058157833811a9c90a23264f1e9a625a6c5fd3f1..75473c32dc234f697f2b29e2d29eb28b2cf5fdae 100644 --- a/pkg/kapis/resources/v1alpha3/handler.go +++ b/pkg/kapis/resources/v1alpha3/handler.go @@ -21,26 +21,25 @@ import ( "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" "kubesphere.io/kubesphere/pkg/apiserver/query" - "kubesphere.io/kubesphere/pkg/informers" "kubesphere.io/kubesphere/pkg/models/components" "kubesphere.io/kubesphere/pkg/models/resources/v1alpha2" resourcev1alpha2 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha2/resource" - "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" + resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" "kubesphere.io/kubesphere/pkg/server/params" "strings" ) type Handler struct { - resourceGetterV1alpha3 *resource.ResourceGetter + resourceGetterV1alpha3 *resourcev1alpha3.ResourceGetter resourcesGetterV1alpha2 *resourcev1alpha2.ResourceGetter componentsGetter components.ComponentsGetter } -func New(factory informers.InformerFactory) *Handler { +func New(resourceGetterV1alpha3 *resourcev1alpha3.ResourceGetter, resourcesGetterV1alpha2 *resourcev1alpha2.ResourceGetter, componentsGetter components.ComponentsGetter) *Handler { return &Handler{ - resourceGetterV1alpha3: resource.NewResourceGetter(factory), - resourcesGetterV1alpha2: resourcev1alpha2.NewResourceGetter(factory), - componentsGetter: components.NewComponentsGetter(factory.KubernetesSharedInformerFactory()), + resourceGetterV1alpha3: resourceGetterV1alpha3, + resourcesGetterV1alpha2: resourcesGetterV1alpha2, + componentsGetter: componentsGetter, } } @@ -55,7 +54,7 @@ func (h *Handler) handleGetResources(request *restful.Request, response *restful return } - if err != resource.ErrResourceNotSupported { + if err != resourcev1alpha3.ErrResourceNotSupported { klog.Error(err, resourceType) api.HandleInternalError(response, nil, err) return @@ -87,7 +86,7 @@ func (h *Handler) handleListResources(request *restful.Request, response *restfu return } - if err != resource.ErrResourceNotSupported { + if err != resourcev1alpha3.ErrResourceNotSupported { klog.Error(err, resourceType) api.HandleInternalError(response, nil, err) return diff --git a/pkg/kapis/resources/v1alpha3/handler_test.go b/pkg/kapis/resources/v1alpha3/handler_test.go index 0586a7768e7117af4cb55075b58aa41db59f4051..68f6ce1325bdcb050fce3637ee27d908f333a34c 100644 --- a/pkg/kapis/resources/v1alpha3/handler_test.go +++ b/pkg/kapis/resources/v1alpha3/handler_test.go @@ -29,7 +29,10 @@ import ( "kubesphere.io/kubesphere/pkg/apiserver/query" fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake" "kubesphere.io/kubesphere/pkg/informers" + "kubesphere.io/kubesphere/pkg/models/components" + resourcev1alpha2 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha2/resource" "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" + resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" fakeapp "sigs.k8s.io/application/pkg/client/clientset/versioned/fake" "testing" ) @@ -88,7 +91,9 @@ func TestResourceV1alpha2Fallback(t *testing.T) { t.Fatal(err) } - handler := New(factory) + handler := New(resourcev1alpha3.NewResourceGetter(factory), + resourcev1alpha2.NewResourceGetter(factory), + components.NewComponentsGetter(factory.KubernetesSharedInformerFactory())) for _, test := range tests { got, err := listResources(test.namespace, test.resource, test.query, handler) diff --git a/pkg/kapis/resources/v1alpha3/register.go b/pkg/kapis/resources/v1alpha3/register.go index ada7efeb243f14538bf44fab6f7bb2df0da77b36..c563114c83d354d7c740e786640220af33d362f8 100644 --- a/pkg/kapis/resources/v1alpha3/register.go +++ b/pkg/kapis/resources/v1alpha3/register.go @@ -25,6 +25,9 @@ import ( "kubesphere.io/kubesphere/pkg/apiserver/query" "kubesphere.io/kubesphere/pkg/apiserver/runtime" "kubesphere.io/kubesphere/pkg/informers" + "kubesphere.io/kubesphere/pkg/models/components" + resourcev1alpha2 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha2/resource" + resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" "net/http" ) @@ -47,7 +50,9 @@ func Resource(resource string) schema.GroupResource { func AddToContainer(c *restful.Container, informerFactory informers.InformerFactory) error { webservice := runtime.NewWebService(GroupVersion) - handler := New(informerFactory) + handler := New(resourcev1alpha3.NewResourceGetter(informerFactory), + resourcev1alpha2.NewResourceGetter(informerFactory), + components.NewComponentsGetter(informerFactory.KubernetesSharedInformerFactory())) webservice.Route(webservice.GET("/{resources}"). To(handler.handleListResources). diff --git a/pkg/models/auth/authenticator.go b/pkg/models/auth/authenticator.go new file mode 100644 index 0000000000000000000000000000000000000000..82e0eb9420925391d2167fbf2f01b43c580be7c0 --- /dev/null +++ b/pkg/models/auth/authenticator.go @@ -0,0 +1,259 @@ +/* + + Copyright 2020 The KubeSphere Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/ + +package auth + +import ( + "fmt" + "golang.org/x/crypto/bcrypt" + "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" + "kubesphere.io/kubesphere/pkg/constants" + "net/mail" + + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + authuser "k8s.io/apiserver/pkg/authentication/user" + "k8s.io/klog" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" + "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" + authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" + kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" + iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" +) + +var ( + RateLimitExceededError = fmt.Errorf("auth rate limit exceeded") + IncorrectPasswordError = fmt.Errorf("incorrect password") + AccountIsNotActiveError = fmt.Errorf("account is not active") +) + +type PasswordAuthenticator interface { + Authenticate(username, password string) (authuser.Info, string, error) +} + +type OAuth2Authenticator interface { + Authenticate(provider, code string) (authuser.Info, string, error) +} + +type passwordAuthenticator struct { + ksClient kubesphere.Interface + userGetter *userGetter + authOptions *authoptions.AuthenticationOptions +} + +type oauth2Authenticator struct { + ksClient kubesphere.Interface + userGetter *userGetter + authOptions *authoptions.AuthenticationOptions +} + +type userGetter struct { + userLister iamv1alpha2listers.UserLister +} + +func NewPasswordAuthenticator(ksClient kubesphere.Interface, + userLister iamv1alpha2listers.UserLister, + options *authoptions.AuthenticationOptions) PasswordAuthenticator { + passwordAuthenticator := &passwordAuthenticator{ + ksClient: ksClient, + userGetter: &userGetter{userLister: userLister}, + authOptions: options, + } + return passwordAuthenticator +} + +func NewOAuth2Authenticator(ksClient kubesphere.Interface, + userLister iamv1alpha2listers.UserLister, + options *authoptions.AuthenticationOptions) OAuth2Authenticator { + oauth2Authenticator := &oauth2Authenticator{ + ksClient: ksClient, + userGetter: &userGetter{userLister: userLister}, + authOptions: options, + } + return oauth2Authenticator +} + +func (p *passwordAuthenticator) Authenticate(username, password string) (authuser.Info, string, error) { + // empty username or password are not allowed + if username == "" || password == "" { + return nil, "", IncorrectPasswordError + } + // generic identity provider has higher priority + for _, providerOptions := range p.authOptions.OAuthOptions.IdentityProviders { + // the admin account in kubesphere has the highest priority + if username == constants.AdminUserName { + break + } + if genericProvider, _ := identityprovider.CreateGenericProvider(providerOptions.Type, providerOptions.Provider); genericProvider != nil { + authenticated, err := genericProvider.Authenticate(username, password) + if err != nil { + if errors.IsUnauthorized(err) { + continue + } + return nil, providerOptions.Name, err + } + linkedAccount, err := p.userGetter.findLinkedAccount(providerOptions.Name, authenticated.GetUserID()) + // using this method requires you to manually provision users. + if providerOptions.MappingMethod == oauth.MappingMethodLookup && linkedAccount == nil { + continue + } + if linkedAccount != nil { + return &authuser.DefaultInfo{Name: linkedAccount.GetName()}, providerOptions.Name, nil + } + // the user will automatically create and mapping when login successful. + if providerOptions.MappingMethod == oauth.MappingMethodAuto { + return preRegistrationUser(providerOptions.Name, authenticated), providerOptions.Name, nil + } + } + } + + // kubesphere account + user, err := p.userGetter.findUser(username) + if err != nil { + // ignore not found error + if !errors.IsNotFound(err) { + klog.Error(err) + return nil, "", err + } + } + + // check user status + if user != nil && (user.Status.State == nil || *user.Status.State != iamv1alpha2.UserActive) { + if user.Status.State != nil && *user.Status.State == iamv1alpha2.UserAuthLimitExceeded { + klog.Errorf("%s, username: %s", RateLimitExceededError, username) + return nil, "", RateLimitExceededError + } else { + // state not active + klog.Errorf("%s, username: %s", AccountIsNotActiveError, username) + return nil, "", AccountIsNotActiveError + } + } + + // if the password is not empty, means that the password has been reset, even if the user was mapping from IDP + if user != nil && user.Spec.EncryptedPassword != "" { + if err = PasswordVerify(user.Spec.EncryptedPassword, password); err != nil { + klog.Error(err) + return nil, "", err + } + u := &authuser.DefaultInfo{ + Name: user.Name, + } + // check if the password is initialized + if uninitialized := user.Annotations[iamv1alpha2.UninitializedAnnotation]; uninitialized != "" { + u.Extra = map[string][]string{ + iamv1alpha2.ExtraUninitialized: {uninitialized}, + } + } + return u, "", nil + } + + return nil, "", IncorrectPasswordError +} + +func preRegistrationUser(idp string, identity identityprovider.Identity) authuser.Info { + return &authuser.DefaultInfo{ + Name: iamv1alpha2.PreRegistrationUser, + Extra: map[string][]string{ + iamv1alpha2.ExtraIdentityProvider: {idp}, + iamv1alpha2.ExtraUID: {identity.GetUserID()}, + iamv1alpha2.ExtraUsername: {identity.GetUsername()}, + iamv1alpha2.ExtraEmail: {identity.GetEmail()}, + iamv1alpha2.ExtraDisplayName: {identity.GetDisplayName()}, + }, + Groups: []string{iamv1alpha2.PreRegistrationUserGroup}, + } +} + +func (o oauth2Authenticator) Authenticate(provider, code string) (authuser.Info, string, error) { + providerOptions, err := o.authOptions.OAuthOptions.IdentityProviderOptions(provider) + // identity provider not registered + if err != nil { + klog.Error(err) + return nil, "", err + } + oauthIdentityProvider, err := identityprovider.CreateOAuthProvider(providerOptions.Type, providerOptions.Provider) + if err != nil { + klog.Error(err) + return nil, "", err + } + authenticated, err := oauthIdentityProvider.IdentityExchange(code) + if err != nil { + klog.Error(err) + return nil, "", err + } + + user, err := o.userGetter.findLinkedAccount(providerOptions.Name, authenticated.GetUserID()) + if user == nil && providerOptions.MappingMethod == oauth.MappingMethodLookup { + klog.Error(err) + return nil, "", err + } + // the user will automatically create and mapping when login successful. + if user == nil && providerOptions.MappingMethod == oauth.MappingMethodAuto { + return preRegistrationUser(providerOptions.Name, authenticated), providerOptions.Name, nil + } + if user != nil { + return &authuser.DefaultInfo{Name: user.GetName()}, providerOptions.Name, nil + } + + return nil, "", errors.NewNotFound(iamv1alpha2.Resource("user"), authenticated.GetUsername()) +} + +func PasswordVerify(encryptedPassword, password string) error { + if err := bcrypt.CompareHashAndPassword([]byte(encryptedPassword), []byte(password)); err != nil { + return IncorrectPasswordError + } + return nil +} + +// findUser +func (u *userGetter) findUser(username string) (*iamv1alpha2.User, error) { + if _, err := mail.ParseAddress(username); err != nil { + return u.userLister.Get(username) + } else { + users, err := u.userLister.List(labels.Everything()) + if err != nil { + klog.Error(err) + return nil, err + } + for _, find := range users { + if find.Spec.Email == username { + return find, nil + } + } + } + + return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), username) +} + +func (u *userGetter) findLinkedAccount(idp, uid string) (*iamv1alpha2.User, error) { + selector := labels.SelectorFromSet(labels.Set{ + iamv1alpha2.IdentifyProviderLabel: idp, + iamv1alpha2.OriginUIDLabel: uid, + }) + + users, err := u.userLister.List(selector) + if err != nil { + klog.Error(err) + return nil, err + } + if len(users) != 1 { + return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), uid) + } + + return users[0], err +} diff --git a/pkg/models/auth/authenticator_test.go b/pkg/models/auth/authenticator_test.go new file mode 100644 index 0000000000000000000000000000000000000000..894df4235d16a7a761ab61d907a90811ec162023 --- /dev/null +++ b/pkg/models/auth/authenticator_test.go @@ -0,0 +1,40 @@ +/* + + Copyright 2020 The KubeSphere Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/ + +package auth + +import ( + "golang.org/x/crypto/bcrypt" + "testing" +) + +func TestEncryptPassword(t *testing.T) { + password := "P@88w0rd" + encryptedPassword, err := hashPassword(password) + if err != nil { + t.Fatal(err) + } + if err = PasswordVerify(encryptedPassword, password); err != nil { + t.Fatal(err) + } +} + +func hashPassword(password string) (string, error) { + bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) + return string(bytes), err +} diff --git a/pkg/models/iam/im/login_recoder.go b/pkg/models/auth/login_recoder.go similarity index 60% rename from pkg/models/iam/im/login_recoder.go rename to pkg/models/auth/login_recoder.go index 7470ff46bbaca290336c8f42c0d12b6b9b6545ff..e6f9bc9d3f6ecd01505513534b166e0d8dc719df 100644 --- a/pkg/models/iam/im/login_recoder.go +++ b/pkg/models/auth/login_recoder.go @@ -1,22 +1,20 @@ /* - * - * Copyright 2020 The KubeSphere Authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * / - */ +Copyright 2020 KubeSphere Authors -package im +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth import ( "fmt" @@ -24,13 +22,11 @@ import ( "k8s.io/klog" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" - "kubesphere.io/kubesphere/pkg/utils/net" - "net/http" "strings" ) type LoginRecorder interface { - RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error + RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, sourceIP string, userAgent string, authErr error) error } type loginRecorder struct { @@ -43,7 +39,7 @@ func NewLoginRecorder(ksClient kubesphere.Interface) LoginRecorder { } } -func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error { +func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, sourceIP string, userAgent string, authErr error) error { // This is a temporary solution in case of user login with email, // '@' is not allowed in Kubernetes object name. username = strings.Replace(username, "@", "-", -1) @@ -60,8 +56,8 @@ func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.Login Provider: provider, Success: true, Reason: iamv1alpha2.AuthenticatedSuccessfully, - SourceIP: net.GetRequestIP(req), - UserAgent: req.UserAgent(), + SourceIP: sourceIP, + UserAgent: userAgent, }, } diff --git a/pkg/models/iam/im/token.go b/pkg/models/auth/token.go similarity index 99% rename from pkg/models/iam/im/token.go rename to pkg/models/auth/token.go index 15ce97d34c9bc4eab587940c4822bc52671c099e..307fc07745fd84d2e8865a44fcec639bf82136d4 100644 --- a/pkg/models/iam/im/token.go +++ b/pkg/models/auth/token.go @@ -16,7 +16,7 @@ */ -package im +package auth import ( "fmt" diff --git a/pkg/models/iam/am/am.go b/pkg/models/iam/am/am.go index a3e6ad28dbee49ec5511aea1a97619207be38f8e..76524d83795f69e57756c9e98823900d9ff8a73c 100644 --- a/pkg/models/iam/am/am.go +++ b/pkg/models/iam/am/am.go @@ -18,22 +18,30 @@ package am import ( "encoding/json" "fmt" - - corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes" + listersv1 "k8s.io/client-go/listers/core/v1" "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" - devopsv1alpha3 "kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1" "kubesphere.io/kubesphere/pkg/apiserver/query" kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" + devopslisters "kubesphere.io/kubesphere/pkg/client/listers/devops/v1alpha3" "kubesphere.io/kubesphere/pkg/informers" - resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" + resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/clusterrole" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/clusterrolebinding" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/globalrole" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/globalrolebinding" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/role" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/rolebinding" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/workspacerole" + "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/workspacerolebinding" "kubesphere.io/kubesphere/pkg/utils/sliceutil" ) @@ -87,45 +95,55 @@ type AccessManagementInterface interface { } type amOperator struct { - resourceGetter *resourcev1alpha3.ResourceGetter - ksclient kubesphere.Interface - k8sclient kubernetes.Interface + globalRoleBindingGetter resourcev1alpha3.Interface + workspaceRoleBindingGetter resourcev1alpha3.Interface + clusterRoleBindingGetter resourcev1alpha3.Interface + roleBindingGetter resourcev1alpha3.Interface + globalRoleGetter resourcev1alpha3.Interface + workspaceRoleGetter resourcev1alpha3.Interface + clusterRoleGetter resourcev1alpha3.Interface + roleGetter resourcev1alpha3.Interface + devopsProjectLister devopslisters.DevOpsProjectLister + namespaceLister listersv1.NamespaceLister + ksclient kubesphere.Interface + k8sclient kubernetes.Interface } func NewReadOnlyOperator(factory informers.InformerFactory) AccessManagementInterface { return &amOperator{ - resourceGetter: resourcev1alpha3.NewResourceGetter(factory), + globalRoleBindingGetter: globalrolebinding.New(factory.KubeSphereSharedInformerFactory()), + workspaceRoleBindingGetter: workspacerolebinding.New(factory.KubeSphereSharedInformerFactory()), + clusterRoleBindingGetter: clusterrolebinding.New(factory.KubernetesSharedInformerFactory()), + roleBindingGetter: rolebinding.New(factory.KubernetesSharedInformerFactory()), + globalRoleGetter: globalrole.New(factory.KubeSphereSharedInformerFactory()), + workspaceRoleGetter: workspacerole.New(factory.KubeSphereSharedInformerFactory()), + clusterRoleGetter: clusterrole.New(factory.KubernetesSharedInformerFactory()), + roleGetter: role.New(factory.KubernetesSharedInformerFactory()), + devopsProjectLister: factory.KubeSphereSharedInformerFactory().Devops().V1alpha3().DevOpsProjects().Lister(), + namespaceLister: factory.KubernetesSharedInformerFactory().Core().V1().Namespaces().Lister(), } } -func NewOperator(factory informers.InformerFactory, ksclient kubesphere.Interface, k8sclient kubernetes.Interface) AccessManagementInterface { - return &amOperator{ - resourceGetter: resourcev1alpha3.NewResourceGetter(factory), - ksclient: ksclient, - k8sclient: k8sclient, - } +func NewOperator(ksClient kubesphere.Interface, k8sClient kubernetes.Interface, factory informers.InformerFactory) AccessManagementInterface { + amOperator := NewReadOnlyOperator(factory).(*amOperator) + amOperator.ksclient = ksClient + amOperator.k8sclient = k8sClient + return amOperator } func (am *amOperator) GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalRole, error) { - - userRoleBindings, err := am.ListGlobalRoleBindings(username) - - if len(userRoleBindings) > 0 { - role, err := am.GetGlobalRole(userRoleBindings[0].RoleRef.Name) + globalRoleBindings, err := am.ListGlobalRoleBindings(username) + if len(globalRoleBindings) > 0 { + // Usually, only one globalRoleBinding will be found which is created from ks-console. + if len(globalRoleBindings) > 1 { + klog.Warningf("conflict global role binding, username: %s", username) + } + globalRole, err := am.GetGlobalRole(globalRoleBindings[0].RoleRef.Name) if err != nil { klog.Error(err) return nil, err } - if len(userRoleBindings) > 1 { - klog.Warningf("conflict global role binding, username: %s", username) - } - - out := role.DeepCopy() - if out.Annotations == nil { - out.Annotations = make(map[string]string, 0) - } - out.Annotations[iamv1alpha2.GlobalRoleAnnotation] = role.Name - return out, nil + return globalRole, nil } err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularGlobalRoleBinding), username) @@ -244,7 +262,7 @@ func (am *amOperator) GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole } func (am *amOperator) ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) { - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRoleBinding, "", query.New()) + roleBindings, err := am.workspaceRoleBindingGetter.List("", query.New()) if err != nil { return nil, err @@ -265,8 +283,7 @@ func (am *amOperator) ListWorkspaceRoleBindings(username string, groups []string func (am *amOperator) ListClusterRoleBindings(username string) ([]*rbacv1.ClusterRoleBinding, error) { - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralClusterRoleBinding, "", query.New()) - + roleBindings, err := am.clusterRoleBindingGetter.List("", query.New()) if err != nil { return nil, err } @@ -283,14 +300,12 @@ func (am *amOperator) ListClusterRoleBindings(username string) ([]*rbacv1.Cluste } func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.GlobalRoleBinding, error) { - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralGlobalRoleBinding, "", query.New()) - + roleBindings, err := am.globalRoleBindingGetter.List("", query.New()) if err != nil { return nil, err } result := make([]*iamv1alpha2.GlobalRoleBinding, 0) - for _, obj := range roleBindings.Items { roleBinding := obj.(*iamv1alpha2.GlobalRoleBinding) if contains(roleBinding.Subjects, username, nil) { @@ -302,7 +317,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl } func (am *amOperator) ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error) { - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace, query.New()) + roleBindings, err := am.roleBindingGetter.List(namespace, query.New()) if err != nil { klog.Error(err) return nil, err @@ -335,23 +350,23 @@ func contains(subjects []rbacv1.Subject, username string, groups []string) bool } func (am *amOperator) ListRoles(namespace string, query *query.Query) (*api.ListResult, error) { - return am.resourceGetter.List(iamv1alpha2.ResourcesPluralRole, namespace, query) + return am.roleGetter.List(namespace, query) } func (am *amOperator) ListClusterRoles(query *query.Query) (*api.ListResult, error) { - return am.resourceGetter.List(iamv1alpha2.ResourcesPluralClusterRole, "", query) + return am.clusterRoleGetter.List("", query) } func (am *amOperator) ListWorkspaceRoles(queryParam *query.Query) (*api.ListResult, error) { - return am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRole, "", queryParam) + return am.workspaceRoleGetter.List("", queryParam) } func (am *amOperator) ListGlobalRoles(query *query.Query) (*api.ListResult, error) { - return am.resourceGetter.List(iamv1alpha2.ResourcesPluralGlobalRole, "", query) + return am.globalRoleGetter.List("", query) } func (am *amOperator) GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole, error) { - obj, err := am.resourceGetter.Get(iamv1alpha2.ResourcesPluralGlobalRole, "", globalRole) + obj, err := am.globalRoleGetter.Get("", globalRole) if err != nil { klog.Error(err) return nil, err @@ -938,7 +953,7 @@ func (am *amOperator) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace st } func (am *amOperator) GetWorkspaceRole(workspace string, name string) (*iamv1alpha2.WorkspaceRole, error) { - obj, err := am.resourceGetter.Get(iamv1alpha2.ResourcesPluralWorkspaceRole, "", name) + obj, err := am.workspaceRoleGetter.Get("", name) if err != nil { klog.Error(err) return nil, err @@ -956,7 +971,7 @@ func (am *amOperator) GetWorkspaceRole(workspace string, name string) (*iamv1alp } func (am *amOperator) GetNamespaceRole(namespace string, name string) (*rbacv1.Role, error) { - obj, err := am.resourceGetter.Get(iamv1alpha2.ResourcesPluralRole, namespace, name) + obj, err := am.roleGetter.Get(namespace, name) if err != nil { klog.Error(err) return nil, err @@ -965,7 +980,7 @@ func (am *amOperator) GetNamespaceRole(namespace string, name string) (*rbacv1.R } func (am *amOperator) GetClusterRole(name string) (*rbacv1.ClusterRole, error) { - obj, err := am.resourceGetter.Get(iamv1alpha2.ResourcesPluralClusterRole, "", name) + obj, err := am.clusterRoleGetter.Get("", name) if err != nil { klog.Error(err) return nil, err @@ -973,28 +988,25 @@ func (am *amOperator) GetClusterRole(name string) (*rbacv1.ClusterRole, error) { return obj.(*rbacv1.ClusterRole), nil } func (am *amOperator) GetDevOpsRelatedNamespace(devops string) (string, error) { - obj, err := am.resourceGetter.Get(devopsv1alpha3.ResourcePluralDevOpsProject, "", devops) + devopsProject, err := am.devopsProjectLister.Get(devops) if err != nil { klog.Error(err) return "", err } - devopsProject := obj.(*devopsv1alpha3.DevOpsProject) - return devopsProject.Status.AdminNamespace, nil } func (am *amOperator) GetDevOpsControlledWorkspace(devops string) (string, error) { - obj, err := am.resourceGetter.Get(devopsv1alpha3.ResourcePluralDevOpsProject, "", devops) + devopsProject, err := am.devopsProjectLister.Get(devops) if err != nil { klog.Error(err) return "", err } - devopsProject := obj.(*devopsv1alpha3.DevOpsProject) return devopsProject.Labels[tenantv1alpha1.WorkspaceLabel], nil } func (am *amOperator) GetNamespaceControlledWorkspace(namespace string) (string, error) { - obj, err := am.resourceGetter.Get("namespaces", "", namespace) + ns, err := am.namespaceLister.Get(namespace) if err != nil { if errors.IsNotFound(err) { return "", nil @@ -1002,24 +1014,22 @@ func (am *amOperator) GetNamespaceControlledWorkspace(namespace string) (string, klog.Error(err) return "", err } - ns := obj.(*corev1.Namespace) return ns.Labels[tenantv1alpha1.WorkspaceLabel], nil } func (am *amOperator) ListGroupWorkspaceRoleBindings(workspace, group string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) { - q := workspaceQuery(workspace) - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRoleBinding, "", q) - + queryParam := query.New() + queryParam.LabelSelector = labels.FormatLabels(map[string]string{tenantv1alpha1.WorkspaceLabel: workspace}) + roleBindings, err := am.workspaceRoleBindingGetter.List("", queryParam) if err != nil { return nil, err } result := make([]*iamv1alpha2.WorkspaceRoleBinding, 0) - for _, obj := range roleBindings.Items { roleBinding := obj.(*iamv1alpha2.WorkspaceRoleBinding) inSpecifiedWorkspace := workspace == "" || roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] == workspace - if containsgroup(roleBinding.Subjects, group) && inSpecifiedWorkspace { + if containsGroup(roleBinding.Subjects, group) && inSpecifiedWorkspace { result = append(result, roleBinding) } } @@ -1062,15 +1072,13 @@ func (am *amOperator) DeleteWorkspaceRoleBinding(workspaceName, name string) err } func (am *amOperator) ListGroupRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error) { - q := workspaceQuery(workspace) - namespaces, err := am.resourceGetter.List("namespaces", "", q) + namespaces, err := am.namespaceLister.List(labels.SelectorFromSet(labels.Set{tenantv1alpha1.WorkspaceLabel: workspace})) if err != nil { return nil, err } result := make([]*rbacv1.RoleBinding, 0) - for _, ns := range namespaces.Items { - namespace := ns.(*corev1.Namespace) - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace.Name, query.New()) + for _, namespace := range namespaces { + roleBindings, err := am.roleBindingGetter.List(namespace.Name, query.New()) if err != nil { klog.Error(err) return nil, err @@ -1078,7 +1086,7 @@ func (am *amOperator) ListGroupRoleBindings(workspace, group string) ([]*rbacv1. for _, obj := range roleBindings.Items { roleBinding := obj.(*rbacv1.RoleBinding) - if containsgroup(roleBinding.Subjects, group) { + if containsGroup(roleBinding.Subjects, group) { result = append(result, roleBinding) } } @@ -1087,23 +1095,20 @@ func (am *amOperator) ListGroupRoleBindings(workspace, group string) ([]*rbacv1. } func (am *amOperator) ListGroupDevOpsRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error) { - q := workspaceQuery(workspace) - namespaces, err := am.resourceGetter.List(devopsv1alpha3.ResourcePluralDevOpsProject, "", q) + devOpsProjects, err := am.devopsProjectLister.List(labels.SelectorFromSet(labels.Set{tenantv1alpha1.WorkspaceLabel: workspace})) if err != nil { return nil, err } result := make([]*rbacv1.RoleBinding, 0) - for _, ns := range namespaces.Items { - namespace := ns.(*devopsv1alpha3.DevOpsProject) - roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace.Name, query.New()) + for _, devOpsProject := range devOpsProjects { + roleBindings, err := am.roleBindingGetter.List(devOpsProject.Name, query.New()) if err != nil { klog.Error(err) return nil, err } - for _, obj := range roleBindings.Items { roleBinding := obj.(*rbacv1.RoleBinding) - if containsgroup(roleBinding.Subjects, group) { + if containsGroup(roleBinding.Subjects, group) { result = append(result, roleBinding) } } @@ -1143,7 +1148,7 @@ func (am *amOperator) DeleteRoleBinding(namespace, name string) error { return am.k8sclient.RbacV1().RoleBindings(namespace).Delete(name, metav1.NewDeleteOptions(0)) } -func containsgroup(subjects []rbacv1.Subject, group string) bool { +func containsGroup(subjects []rbacv1.Subject, group string) bool { for _, subject := range subjects { if subject.Kind == rbacv1.GroupKind && subject.Name == group { return true @@ -1151,9 +1156,3 @@ func containsgroup(subjects []rbacv1.Subject, group string) bool { } return false } - -func workspaceQuery(workspace string) *query.Query { - q := query.New() - q.Filters[query.FieldLabel] = query.Value(fmt.Sprintf("%s=%s", tenantv1alpha1.WorkspaceLabel, workspace)) - return q -} diff --git a/pkg/models/iam/im/authenticator.go b/pkg/models/iam/im/authenticator.go deleted file mode 100644 index f528bb02bc3d7a7ef42782664da7a63c4a3b947c..0000000000000000000000000000000000000000 --- a/pkg/models/iam/im/authenticator.go +++ /dev/null @@ -1,175 +0,0 @@ -/* - - Copyright 2020 The KubeSphere Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/ - -package im - -import ( - "fmt" - "net/mail" - - "github.com/go-ldap/ldap" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - authuser "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/klog" - iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" - "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider" - "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth" - authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" - kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" - iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" - "kubesphere.io/kubesphere/pkg/constants" -) - -var ( - AuthRateLimitExceeded = fmt.Errorf("auth rate limit exceeded") - AuthFailedIncorrectPassword = fmt.Errorf("incorrect password") - AuthFailedAccountIsNotActive = fmt.Errorf("account is not active") - AuthFailedIdentityMappingNotMatch = fmt.Errorf("identity mapping not match") -) - -type PasswordAuthenticator interface { - Authenticate(username, password string) (authuser.Info, error) -} - -type passwordAuthenticator struct { - ksClient kubesphere.Interface - userLister iamv1alpha2listers.UserLister - options *authoptions.AuthenticationOptions -} - -func NewPasswordAuthenticator(ksClient kubesphere.Interface, - userLister iamv1alpha2listers.UserLister, - options *authoptions.AuthenticationOptions) PasswordAuthenticator { - return &passwordAuthenticator{ - ksClient: ksClient, - userLister: userLister, - options: options} -} - -func (im *passwordAuthenticator) Authenticate(username, password string) (authuser.Info, error) { - - user, err := im.searchUser(username) - if err != nil { - // internal error - if !errors.IsNotFound(err) { - klog.Error(err) - return nil, err - } - } - - providerOptions, ldapProvider := im.getLdapProvider() - - // no identity provider - // even auth failed, still return username to record login attempt - if user == nil && (providerOptions == nil || providerOptions.MappingMethod != oauth.MappingMethodAuto) { - return nil, AuthFailedIncorrectPassword - } - - if user != nil && user.Status.State != iamv1alpha2.UserActive { - if user.Status.State == iamv1alpha2.UserAuthLimitExceeded { - klog.Errorf("%s, username: %s", AuthRateLimitExceeded, username) - return nil, AuthRateLimitExceeded - } else { - klog.Errorf("%s, username: %s", AuthFailedAccountIsNotActive, username) - return nil, AuthFailedAccountIsNotActive - } - } - - // able to login using the locally principal admin account and password in case of a disruption of LDAP services. - if ldapProvider != nil && username != constants.AdminUserName { - if providerOptions.MappingMethod == oauth.MappingMethodLookup && - (user == nil || user.Labels[iamv1alpha2.IdentifyProviderLabel] != providerOptions.Name) { - klog.Error(AuthFailedIdentityMappingNotMatch) - return nil, AuthFailedIdentityMappingNotMatch - } - if providerOptions.MappingMethod == oauth.MappingMethodAuto && - user != nil && user.Labels[iamv1alpha2.IdentifyProviderLabel] != providerOptions.Name { - klog.Error(AuthFailedIdentityMappingNotMatch) - return nil, AuthFailedIdentityMappingNotMatch - } - - authenticated, err := ldapProvider.Authenticate(username, password) - if err != nil { - klog.Error(err) - if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) || ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) { - return nil, AuthFailedIncorrectPassword - } else { - return nil, err - } - } - - if authenticated != nil && user == nil { - authenticated.Labels = map[string]string{iamv1alpha2.IdentifyProviderLabel: providerOptions.Name} - if authenticated, err = im.ksClient.IamV1alpha2().Users().Create(authenticated); err != nil { - klog.Error(err) - return nil, err - } - } - - if authenticated != nil { - return &authuser.DefaultInfo{ - Name: authenticated.Name, - UID: string(authenticated.UID), - }, nil - } - } - - if checkPasswordHash(password, user.Spec.EncryptedPassword) { - return &authuser.DefaultInfo{ - Name: user.Name, - UID: string(user.UID), - Groups: user.Spec.Groups, - }, nil - } - - return nil, AuthFailedIncorrectPassword -} - -func (im *passwordAuthenticator) searchUser(username string) (*iamv1alpha2.User, error) { - - if _, err := mail.ParseAddress(username); err != nil { - return im.userLister.Get(username) - } else { - users, err := im.userLister.List(labels.Everything()) - if err != nil { - klog.Error(err) - return nil, err - } - for _, find := range users { - if find.Spec.Email == username { - return find, nil - } - } - } - - return nil, errors.NewNotFound(iamv1alpha2.Resource("user"), username) -} - -func (im *passwordAuthenticator) getLdapProvider() (*oauth.IdentityProviderOptions, identityprovider.LdapProvider) { - for _, options := range im.options.OAuthOptions.IdentityProviders { - if options.Type == identityprovider.LdapIdentityProvider { - if provider, err := identityprovider.NewLdapProvider(options.Provider); err != nil { - klog.Error(err) - } else { - return &options, provider - } - } - } - return nil, nil -} diff --git a/pkg/models/iam/im/im.go b/pkg/models/iam/im/im.go index c6ead98997b81e9aab11e0c1bcb159dafe69fd3d..ba0a40f5856668eed7a40fd460f2c1c2ed6040a6 100644 --- a/pkg/models/iam/im/im.go +++ b/pkg/models/iam/im/im.go @@ -16,7 +16,7 @@ limitations under the License. package im import ( - "golang.org/x/crypto/bcrypt" + "fmt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog" "kubesphere.io/kubesphere/pkg/api" @@ -24,8 +24,8 @@ import ( authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" "kubesphere.io/kubesphere/pkg/apiserver/query" kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" - "kubesphere.io/kubesphere/pkg/informers" - resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" + "kubesphere.io/kubesphere/pkg/models/auth" + resources "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3" ) type IdentityManagementInterface interface { @@ -35,41 +35,40 @@ type IdentityManagementInterface interface { UpdateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) DescribeUser(username string) (*iamv1alpha2.User, error) ModifyPassword(username string, password string) error - ListLoginRecords(query *query.Query) (*api.ListResult, error) + ListLoginRecords(username string, query *query.Query) (*api.ListResult, error) PasswordVerify(username string, password string) error } -func NewOperator(ksClient kubesphere.Interface, factory informers.InformerFactory, options *authoptions.AuthenticationOptions) IdentityManagementInterface { - im := &defaultIMOperator{ - ksClient: ksClient, - resourceGetter: resourcev1alpha3.NewResourceGetter(factory), - options: options, +func NewOperator(ksClient kubesphere.Interface, userGetter resources.Interface, loginRecordGetter resources.Interface, options *authoptions.AuthenticationOptions) IdentityManagementInterface { + im := &imOperator{ + ksClient: ksClient, + userGetter: userGetter, + loginRecordGetter: loginRecordGetter, + options: options, } return im } -type defaultIMOperator struct { - ksClient kubesphere.Interface - resourceGetter *resourcev1alpha3.ResourceGetter - options *authoptions.AuthenticationOptions +type imOperator struct { + ksClient kubesphere.Interface + userGetter resources.Interface + loginRecordGetter resources.Interface + options *authoptions.AuthenticationOptions } -func (im *defaultIMOperator) UpdateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { - obj, err := im.resourceGetter.Get(iamv1alpha2.ResourcesPluralUser, "", user.Name) +// UpdateUser returns user information after update. +func (im *imOperator) UpdateUser(new *iamv1alpha2.User) (*iamv1alpha2.User, error) { + old, err := im.fetch(new.Name) if err != nil { klog.Error(err) return nil, err } - - old := obj.(*iamv1alpha2.User).DeepCopy() - if user.Annotations == nil { - user.Annotations = make(map[string]string, 0) + if old.Annotations == nil { + old.Annotations = make(map[string]string, 0) } - user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] = old.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] - user.Spec.EncryptedPassword = old.Spec.EncryptedPassword - user.Status = old.Status - - updated, err := im.ksClient.IamV1alpha2().Users().Update(user) + // keep encrypted password + new.Spec.EncryptedPassword = old.Spec.EncryptedPassword + updated, err := im.ksClient.IamV1alpha2().Users().Update(old) if err != nil { klog.Error(err) return nil, err @@ -77,18 +76,23 @@ func (im *defaultIMOperator) UpdateUser(user *iamv1alpha2.User) (*iamv1alpha2.Us return ensurePasswordNotOutput(updated), nil } -func (im *defaultIMOperator) ModifyPassword(username string, password string) error { - obj, err := im.resourceGetter.Get(iamv1alpha2.ResourcesPluralUser, "", username) +func (im *imOperator) fetch(username string) (*iamv1alpha2.User, error) { + obj, err := im.userGetter.Get("", username) + if err != nil { + klog.Error(err) + return nil, err + } + user := obj.(*iamv1alpha2.User).DeepCopy() + return user, nil +} +func (im *imOperator) ModifyPassword(username string, password string) error { + user, err := im.fetch(username) if err != nil { klog.Error(err) return err } - - user := obj.(*iamv1alpha2.User).DeepCopy() - delete(user.Annotations, iamv1alpha2.PasswordEncryptedAnnotation) user.Spec.EncryptedPassword = password - _, err = im.ksClient.IamV1alpha2().Users().Update(user) if err != nil { klog.Error(err) @@ -97,13 +101,12 @@ func (im *defaultIMOperator) ModifyPassword(username string, password string) er return nil } -func (im *defaultIMOperator) ListUsers(query *query.Query) (result *api.ListResult, err error) { - result, err = im.resourceGetter.List(iamv1alpha2.ResourcesPluralUser, "", query) +func (im *imOperator) ListUsers(query *query.Query) (result *api.ListResult, err error) { + result, err = im.userGetter.List("", query) if err != nil { klog.Error(err) return nil, err } - items := make([]interface{}, 0) for _, item := range result.Items { user := item.(*iamv1alpha2.User) @@ -114,40 +117,34 @@ func (im *defaultIMOperator) ListUsers(query *query.Query) (result *api.ListResu return result, nil } -func (im *defaultIMOperator) PasswordVerify(username string, password string) error { - obj, err := im.resourceGetter.Get(iamv1alpha2.ResourcesPluralUser, "", username) +func (im *imOperator) PasswordVerify(username string, password string) error { + obj, err := im.userGetter.Get("", username) if err != nil { klog.Error(err) return err } user := obj.(*iamv1alpha2.User) - if checkPasswordHash(password, user.Spec.EncryptedPassword) { - return nil + if err = auth.PasswordVerify(user.Spec.EncryptedPassword, password); err != nil { + return err } - return AuthFailedIncorrectPassword -} - -func checkPasswordHash(password, hash string) bool { - err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) - return err == nil + return nil } -func (im *defaultIMOperator) DescribeUser(username string) (*iamv1alpha2.User, error) { - obj, err := im.resourceGetter.Get(iamv1alpha2.ResourcesPluralUser, "", username) +func (im *imOperator) DescribeUser(username string) (*iamv1alpha2.User, error) { + obj, err := im.userGetter.Get("", username) if err != nil { klog.Error(err) return nil, err } - user := obj.(*iamv1alpha2.User) return ensurePasswordNotOutput(user), nil } -func (im *defaultIMOperator) DeleteUser(username string) error { +func (im *imOperator) DeleteUser(username string) error { return im.ksClient.IamV1alpha2().Users().Delete(username, metav1.NewDeleteOptions(0)) } -func (im *defaultIMOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { +func (im *imOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) { user, err := im.ksClient.IamV1alpha2().Users().Create(user) if err != nil { klog.Error(err) @@ -156,8 +153,9 @@ func (im *defaultIMOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.Us return user, nil } -func (im *defaultIMOperator) ListLoginRecords(query *query.Query) (*api.ListResult, error) { - result, err := im.resourceGetter.List(iamv1alpha2.ResourcesPluralLoginRecord, "", query) +func (im *imOperator) ListLoginRecords(username string, q *query.Query) (*api.ListResult, error) { + q.Filters[query.FieldLabel] = query.Value(fmt.Sprintf("%s=%s", iamv1alpha2.UserReferenceLabel, username)) + result, err := im.loginRecordGetter.List("", q) if err != nil { klog.Error(err) return nil, err diff --git a/pkg/models/iam/im/im_test.go b/pkg/models/iam/im/im_test.go index a069a4571ce33ad633f744040a50db6f50a1e13b..70a6f07467b1aa9b7ef4da5e5db30894aa13c219 100644 --- a/pkg/models/iam/im/im_test.go +++ b/pkg/models/iam/im/im_test.go @@ -15,25 +15,3 @@ limitations under the License. */ package im - -import ( - "golang.org/x/crypto/bcrypt" - "testing" -) - -func TestEncryptPassword(t *testing.T) { - password := "P@88w0rd" - encryptedPassword, err := hashPassword(password) - if err != nil { - t.Fatal(err) - } - if !checkPasswordHash(password, encryptedPassword) { - t.Fatal(err) - } - t.Log(encryptedPassword) -} - -func hashPassword(password string) (string, error) { - bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) - return string(bytes), err -} diff --git a/pkg/models/resources/v1alpha3/resource/resource.go b/pkg/models/resources/v1alpha3/resource/resource.go index 83c8b7d6a65a5a7baee3caf1efc6dcbeb2c1b94c..b3d5e25c8e9c6ba32138904521c8be8b54bec71d 100644 --- a/pkg/models/resources/v1alpha3/resource/resource.go +++ b/pkg/models/resources/v1alpha3/resource/resource.go @@ -133,9 +133,9 @@ func NewResourceGetter(factory informers.InformerFactory) *ResourceGetter { } } -// tryResource will retrieve a getter with resource name, it doesn't guarantee find resource with correct group version +// TryResource will retrieve a getter with resource name, it doesn't guarantee find resource with correct group version // need to refactor this use schema.GroupVersionResource -func (r *ResourceGetter) tryResource(resource string) v1alpha3.Interface { +func (r *ResourceGetter) TryResource(resource string) v1alpha3.Interface { for k, v := range r.getters { if k.Resource == resource { return v @@ -145,7 +145,7 @@ func (r *ResourceGetter) tryResource(resource string) v1alpha3.Interface { } func (r *ResourceGetter) Get(resource, namespace, name string) (runtime.Object, error) { - getter := r.tryResource(resource) + getter := r.TryResource(resource) if getter == nil { return nil, ErrResourceNotSupported } @@ -153,7 +153,7 @@ func (r *ResourceGetter) Get(resource, namespace, name string) (runtime.Object, } func (r *ResourceGetter) List(resource, namespace string, query *query.Query) (*api.ListResult, error) { - getter := r.tryResource(resource) + getter := r.TryResource(resource) if getter == nil { return nil, ErrResourceNotSupported } diff --git a/pkg/models/tenant/tenent_test.go b/pkg/models/tenant/tenent_test.go index cbfda2f2a8a1ebfe5bbc68fc7905d431e931181e..a19c15bbab2744e8c9a42fe2c873cae89764c15b 100644 --- a/pkg/models/tenant/tenent_test.go +++ b/pkg/models/tenant/tenent_test.go @@ -30,7 +30,7 @@ import ( iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1" tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2" - "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory" + "kubesphere.io/kubesphere/pkg/apiserver/authorization/rbac" "kubesphere.io/kubesphere/pkg/apiserver/query" fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake" "kubesphere.io/kubesphere/pkg/informers" @@ -540,8 +540,8 @@ func prepare() Interface { RoleBindings().Informer().GetIndexer().Add(roleBinding) } - amOperator := am.NewOperator(fakeInformerFactory, ksClient, k8sClient) - authorizer := authorizerfactory.NewRBACAuthorizer(amOperator) + amOperator := am.NewOperator(ksClient, k8sClient, fakeInformerFactory) + authorizer := rbac.NewRBACAuthorizer(amOperator) return New(fakeInformerFactory, k8sClient, ksClient, nil, nil, nil, amOperator, authorizer) } diff --git a/tools/cmd/doc-gen/main.go b/tools/cmd/doc-gen/main.go index 52138cbcc43c6b4dc8f491195ca51652c9a30316..3a45aad7d9ae651761506726eb7c5d8c0abf73b5 100644 --- a/tools/cmd/doc-gen/main.go +++ b/tools/cmd/doc-gen/main.go @@ -33,7 +33,6 @@ import ( "github.com/pkg/errors" urlruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/klog" - authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options" "kubesphere.io/kubesphere/pkg/apiserver/runtime" "kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/informers" @@ -51,9 +50,7 @@ import ( metricsv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2" tenantv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/tenant/v1alpha2" terminalv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/terminal/v1alpha2" - "kubesphere.io/kubesphere/pkg/models/iam/am" "kubesphere.io/kubesphere/pkg/models/iam/group" - "kubesphere.io/kubesphere/pkg/models/iam/im" fakedevops "kubesphere.io/kubesphere/pkg/simple/client/devops/fake" "kubesphere.io/kubesphere/pkg/simple/client/k8s" "kubesphere.io/kubesphere/pkg/simple/client/openpitrix" @@ -116,12 +113,12 @@ func generateSwaggerJson() []byte { informerFactory := informers.NewNullInformerFactory() - urlruntime.Must(oauth.AddToContainer(container, nil, nil, nil, nil, nil)) + urlruntime.Must(oauth.AddToContainer(container, nil, nil, nil, nil, nil, nil)) urlruntime.Must(clusterkapisv1alpha1.AddToContainer(container, informerFactory.KubernetesSharedInformerFactory(), informerFactory.KubeSphereSharedInformerFactory(), "", "", "")) - urlruntime.Must(devopsv1alpha2.AddToContainer(container, informerFactory.KubeSphereSharedInformerFactory(), &fakedevops.Devops{}, nil, clientsets.KubeSphere(), fakes3.NewFakeS3(), "", am.NewReadOnlyOperator(informerFactory))) + urlruntime.Must(devopsv1alpha2.AddToContainer(container, informerFactory.KubeSphereSharedInformerFactory(), &fakedevops.Devops{}, nil, clientsets.KubeSphere(), fakes3.NewFakeS3(), "", nil)) urlruntime.Must(devopsv1alpha3.AddToContainer(container, &fakedevops.Devops{}, clientsets.Kubernetes(), clientsets.KubeSphere(), informerFactory.KubeSphereSharedInformerFactory(), informerFactory.KubernetesSharedInformerFactory())) - urlruntime.Must(iamv1alpha2.AddToContainer(container, im.NewOperator(clientsets.KubeSphere(), informerFactory, nil), am.NewReadOnlyOperator(informerFactory), group.New(informerFactory, clientsets.KubeSphere(), clientsets.Kubernetes()), authoptions.NewAuthenticateOptions())) + urlruntime.Must(iamv1alpha2.AddToContainer(container, nil, nil, group.New(informerFactory, clientsets.KubeSphere(), clientsets.Kubernetes()), nil)) urlruntime.Must(monitoringv1alpha3.AddToContainer(container, clientsets.Kubernetes(), nil, informerFactory, nil)) urlruntime.Must(openpitrixv1.AddToContainer(container, informerFactory, openpitrix.NewMockClient(nil))) urlruntime.Must(operationsv1alpha2.AddToContainer(container, clientsets.Kubernetes())) diff --git a/pkg/api/iam/types.go b/vendor/gotest.tools/LICENSE similarity index 74% rename from pkg/api/iam/types.go rename to vendor/gotest.tools/LICENSE index e331c0658ac424bcb6e07e6a154d77768178870c..aeaa2fac3dcb30fcf6c59b5e6d05fb52db9ada1f 100644 --- a/pkg/api/iam/types.go +++ b/vendor/gotest.tools/LICENSE @@ -1,5 +1,4 @@ -/* -Copyright 2020 The KubeSphere Authors. +Copyright 2018 gotest.tools authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -12,11 +11,3 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -*/ - -package iam - -type PasswordReset struct { - CurrentPassword string `json:"currentPassword"` - Password string `json:"password"` -} diff --git a/vendor/gotest.tools/assert/assert.go b/vendor/gotest.tools/assert/assert.go new file mode 100644 index 0000000000000000000000000000000000000000..05d6635436f7841fa59bfdb1c8bc535e340a9da8 --- /dev/null +++ b/vendor/gotest.tools/assert/assert.go @@ -0,0 +1,311 @@ +/*Package assert provides assertions for comparing expected values to actual +values. When an assertion fails a helpful error message is printed. + +Assert and Check + +Assert() and Check() both accept a Comparison, and fail the test when the +comparison fails. The one difference is that Assert() will end the test execution +immediately (using t.FailNow()) whereas Check() will fail the test (using t.Fail()), +return the value of the comparison, then proceed with the rest of the test case. + +Example usage + +The example below shows assert used with some common types. + + + import ( + "testing" + + "gotest.tools/assert" + is "gotest.tools/assert/cmp" + ) + + func TestEverything(t *testing.T) { + // booleans + assert.Assert(t, ok) + assert.Assert(t, !missing) + + // primitives + assert.Equal(t, count, 1) + assert.Equal(t, msg, "the message") + assert.Assert(t, total != 10) // NotEqual + + // errors + assert.NilError(t, closer.Close()) + assert.Error(t, err, "the exact error message") + assert.ErrorContains(t, err, "includes this") + assert.ErrorType(t, err, os.IsNotExist) + + // complex types + assert.DeepEqual(t, result, myStruct{Name: "title"}) + assert.Assert(t, is.Len(items, 3)) + assert.Assert(t, len(sequence) != 0) // NotEmpty + assert.Assert(t, is.Contains(mapping, "key")) + + // pointers and interface + assert.Assert(t, is.Nil(ref)) + assert.Assert(t, ref != nil) // NotNil + } + +Comparisons + +Package https://godoc.org/gotest.tools/assert/cmp provides +many common comparisons. Additional comparisons can be written to compare +values in other ways. See the example Assert (CustomComparison). + +Automated migration from testify + +gty-migrate-from-testify is a binary which can update source code which uses +testify assertions to use the assertions provided by this package. + +See http://bit.do/cmd-gty-migrate-from-testify. + + +*/ +package assert // import "gotest.tools/assert" + +import ( + "fmt" + "go/ast" + "go/token" + + gocmp "github.com/google/go-cmp/cmp" + "gotest.tools/assert/cmp" + "gotest.tools/internal/format" + "gotest.tools/internal/source" +) + +// BoolOrComparison can be a bool, or cmp.Comparison. See Assert() for usage. +type BoolOrComparison interface{} + +// TestingT is the subset of testing.T used by the assert package. +type TestingT interface { + FailNow() + Fail() + Log(args ...interface{}) +} + +type helperT interface { + Helper() +} + +const failureMessage = "assertion failed: " + +// nolint: gocyclo +func assert( + t TestingT, + failer func(), + argSelector argSelector, + comparison BoolOrComparison, + msgAndArgs ...interface{}, +) bool { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + var success bool + switch check := comparison.(type) { + case bool: + if check { + return true + } + logFailureFromBool(t, msgAndArgs...) + + // Undocumented legacy comparison without Result type + case func() (success bool, message string): + success = runCompareFunc(t, check, msgAndArgs...) + + case nil: + return true + + case error: + msg := "error is not nil: " + t.Log(format.WithCustomMessage(failureMessage+msg+check.Error(), msgAndArgs...)) + + case cmp.Comparison: + success = runComparison(t, argSelector, check, msgAndArgs...) + + case func() cmp.Result: + success = runComparison(t, argSelector, check, msgAndArgs...) + + default: + t.Log(fmt.Sprintf("invalid Comparison: %v (%T)", check, check)) + } + + if success { + return true + } + failer() + return false +} + +func runCompareFunc( + t TestingT, + f func() (success bool, message string), + msgAndArgs ...interface{}, +) bool { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + if success, message := f(); !success { + t.Log(format.WithCustomMessage(failureMessage+message, msgAndArgs...)) + return false + } + return true +} + +func logFailureFromBool(t TestingT, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + const stackIndex = 3 // Assert()/Check(), assert(), formatFailureFromBool() + const comparisonArgPos = 1 + args, err := source.CallExprArgs(stackIndex) + if err != nil { + t.Log(err.Error()) + return + } + + msg, err := boolFailureMessage(args[comparisonArgPos]) + if err != nil { + t.Log(err.Error()) + msg = "expression is false" + } + + t.Log(format.WithCustomMessage(failureMessage+msg, msgAndArgs...)) +} + +func boolFailureMessage(expr ast.Expr) (string, error) { + if binaryExpr, ok := expr.(*ast.BinaryExpr); ok && binaryExpr.Op == token.NEQ { + x, err := source.FormatNode(binaryExpr.X) + if err != nil { + return "", err + } + y, err := source.FormatNode(binaryExpr.Y) + if err != nil { + return "", err + } + return x + " is " + y, nil + } + + if unaryExpr, ok := expr.(*ast.UnaryExpr); ok && unaryExpr.Op == token.NOT { + x, err := source.FormatNode(unaryExpr.X) + if err != nil { + return "", err + } + return x + " is true", nil + } + + formatted, err := source.FormatNode(expr) + if err != nil { + return "", err + } + return "expression is false: " + formatted, nil +} + +// Assert performs a comparison. If the comparison fails the test is marked as +// failed, a failure message is logged, and execution is stopped immediately. +// +// The comparison argument may be one of three types: bool, cmp.Comparison or +// error. +// When called with a bool the failure message will contain the literal source +// code of the expression. +// When called with a cmp.Comparison the comparison is responsible for producing +// a helpful failure message. +// When called with an error a nil value is considered success. A non-nil error +// is a failure, and Error() is used as the failure message. +func Assert(t TestingT, comparison BoolOrComparison, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsFromComparisonCall, comparison, msgAndArgs...) +} + +// Check performs a comparison. If the comparison fails the test is marked as +// failed, a failure message is logged, and Check returns false. Otherwise returns +// true. +// +// See Assert for details about the comparison arg and failure messages. +func Check(t TestingT, comparison BoolOrComparison, msgAndArgs ...interface{}) bool { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + return assert(t, t.Fail, argsFromComparisonCall, comparison, msgAndArgs...) +} + +// NilError fails the test immediately if err is not nil. +// This is equivalent to Assert(t, err) +func NilError(t TestingT, err error, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, err, msgAndArgs...) +} + +// Equal uses the == operator to assert two values are equal and fails the test +// if they are not equal. +// +// If the comparison fails Equal will use the variable names for x and y as part +// of the failure message to identify the actual and expected values. +// +// If either x or y are a multi-line string the failure message will include a +// unified diff of the two values. If the values only differ by whitespace +// the unified diff will be augmented by replacing whitespace characters with +// visible characters to identify the whitespace difference. +// +// This is equivalent to Assert(t, cmp.Equal(x, y)). +func Equal(t TestingT, x, y interface{}, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, cmp.Equal(x, y), msgAndArgs...) +} + +// DeepEqual uses google/go-cmp (http://bit.do/go-cmp) to assert two values are +// equal and fails the test if they are not equal. +// +// Package https://godoc.org/gotest.tools/assert/opt provides some additional +// commonly used Options. +// +// This is equivalent to Assert(t, cmp.DeepEqual(x, y)). +func DeepEqual(t TestingT, x, y interface{}, opts ...gocmp.Option) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, cmp.DeepEqual(x, y, opts...)) +} + +// Error fails the test if err is nil, or the error message is not the expected +// message. +// Equivalent to Assert(t, cmp.Error(err, message)). +func Error(t TestingT, err error, message string, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, cmp.Error(err, message), msgAndArgs...) +} + +// ErrorContains fails the test if err is nil, or the error message does not +// contain the expected substring. +// Equivalent to Assert(t, cmp.ErrorContains(err, substring)). +func ErrorContains(t TestingT, err error, substring string, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, cmp.ErrorContains(err, substring), msgAndArgs...) +} + +// ErrorType fails the test if err is nil, or err is not the expected type. +// +// Expected can be one of: +// a func(error) bool which returns true if the error is the expected type, +// an instance of (or a pointer to) a struct of the expected type, +// a pointer to an interface the error is expected to implement, +// a reflect.Type of the expected struct or interface. +// +// Equivalent to Assert(t, cmp.ErrorType(err, expected)). +func ErrorType(t TestingT, err error, expected interface{}, msgAndArgs ...interface{}) { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + assert(t, t.FailNow, argsAfterT, cmp.ErrorType(err, expected), msgAndArgs...) +} diff --git a/vendor/gotest.tools/assert/cmp/compare.go b/vendor/gotest.tools/assert/cmp/compare.go new file mode 100644 index 0000000000000000000000000000000000000000..cf48d887acea88257a6a6fe2f8e04cb4dfc2fe26 --- /dev/null +++ b/vendor/gotest.tools/assert/cmp/compare.go @@ -0,0 +1,356 @@ +/*Package cmp provides Comparisons for Assert and Check*/ +package cmp // import "gotest.tools/assert/cmp" + +import ( + "fmt" + "reflect" + "regexp" + "strings" + + "github.com/google/go-cmp/cmp" + "gotest.tools/internal/format" +) + +// Comparison is a function which compares values and returns ResultSuccess if +// the actual value matches the expected value. If the values do not match the +// Result will contain a message about why it failed. +type Comparison func() Result + +// DeepEqual compares two values using google/go-cmp (http://bit.do/go-cmp) +// and succeeds if the values are equal. +// +// The comparison can be customized using comparison Options. +// Package https://godoc.org/gotest.tools/assert/opt provides some additional +// commonly used Options. +func DeepEqual(x, y interface{}, opts ...cmp.Option) Comparison { + return func() (result Result) { + defer func() { + if panicmsg, handled := handleCmpPanic(recover()); handled { + result = ResultFailure(panicmsg) + } + }() + diff := cmp.Diff(x, y, opts...) + if diff == "" { + return ResultSuccess + } + return multiLineDiffResult(diff) + } +} + +func handleCmpPanic(r interface{}) (string, bool) { + if r == nil { + return "", false + } + panicmsg, ok := r.(string) + if !ok { + panic(r) + } + switch { + case strings.HasPrefix(panicmsg, "cannot handle unexported field"): + return panicmsg, true + } + panic(r) +} + +func toResult(success bool, msg string) Result { + if success { + return ResultSuccess + } + return ResultFailure(msg) +} + +// RegexOrPattern may be either a *regexp.Regexp or a string that is a valid +// regexp pattern. +type RegexOrPattern interface{} + +// Regexp succeeds if value v matches regular expression re. +// +// Example: +// assert.Assert(t, cmp.Regexp("^[0-9a-f]{32}$", str)) +// r := regexp.MustCompile("^[0-9a-f]{32}$") +// assert.Assert(t, cmp.Regexp(r, str)) +func Regexp(re RegexOrPattern, v string) Comparison { + match := func(re *regexp.Regexp) Result { + return toResult( + re.MatchString(v), + fmt.Sprintf("value %q does not match regexp %q", v, re.String())) + } + + return func() Result { + switch regex := re.(type) { + case *regexp.Regexp: + return match(regex) + case string: + re, err := regexp.Compile(regex) + if err != nil { + return ResultFailure(err.Error()) + } + return match(re) + default: + return ResultFailure(fmt.Sprintf("invalid type %T for regex pattern", regex)) + } + } +} + +// Equal succeeds if x == y. See assert.Equal for full documentation. +func Equal(x, y interface{}) Comparison { + return func() Result { + switch { + case x == y: + return ResultSuccess + case isMultiLineStringCompare(x, y): + diff := format.UnifiedDiff(format.DiffConfig{A: x.(string), B: y.(string)}) + return multiLineDiffResult(diff) + } + return ResultFailureTemplate(` + {{- .Data.x}} ( + {{- with callArg 0 }}{{ formatNode . }} {{end -}} + {{- printf "%T" .Data.x -}} + ) != {{ .Data.y}} ( + {{- with callArg 1 }}{{ formatNode . }} {{end -}} + {{- printf "%T" .Data.y -}} + )`, + map[string]interface{}{"x": x, "y": y}) + } +} + +func isMultiLineStringCompare(x, y interface{}) bool { + strX, ok := x.(string) + if !ok { + return false + } + strY, ok := y.(string) + if !ok { + return false + } + return strings.Contains(strX, "\n") || strings.Contains(strY, "\n") +} + +func multiLineDiffResult(diff string) Result { + return ResultFailureTemplate(` +--- {{ with callArg 0 }}{{ formatNode . }}{{else}}←{{end}} ++++ {{ with callArg 1 }}{{ formatNode . }}{{else}}→{{end}} +{{ .Data.diff }}`, + map[string]interface{}{"diff": diff}) +} + +// Len succeeds if the sequence has the expected length. +func Len(seq interface{}, expected int) Comparison { + return func() (result Result) { + defer func() { + if e := recover(); e != nil { + result = ResultFailure(fmt.Sprintf("type %T does not have a length", seq)) + } + }() + value := reflect.ValueOf(seq) + length := value.Len() + if length == expected { + return ResultSuccess + } + msg := fmt.Sprintf("expected %s (length %d) to have length %d", seq, length, expected) + return ResultFailure(msg) + } +} + +// Contains succeeds if item is in collection. Collection may be a string, map, +// slice, or array. +// +// If collection is a string, item must also be a string, and is compared using +// strings.Contains(). +// If collection is a Map, contains will succeed if item is a key in the map. +// If collection is a slice or array, item is compared to each item in the +// sequence using reflect.DeepEqual(). +func Contains(collection interface{}, item interface{}) Comparison { + return func() Result { + colValue := reflect.ValueOf(collection) + if !colValue.IsValid() { + return ResultFailure(fmt.Sprintf("nil does not contain items")) + } + msg := fmt.Sprintf("%v does not contain %v", collection, item) + + itemValue := reflect.ValueOf(item) + switch colValue.Type().Kind() { + case reflect.String: + if itemValue.Type().Kind() != reflect.String { + return ResultFailure("string may only contain strings") + } + return toResult( + strings.Contains(colValue.String(), itemValue.String()), + fmt.Sprintf("string %q does not contain %q", collection, item)) + + case reflect.Map: + if itemValue.Type() != colValue.Type().Key() { + return ResultFailure(fmt.Sprintf( + "%v can not contain a %v key", colValue.Type(), itemValue.Type())) + } + return toResult(colValue.MapIndex(itemValue).IsValid(), msg) + + case reflect.Slice, reflect.Array: + for i := 0; i < colValue.Len(); i++ { + if reflect.DeepEqual(colValue.Index(i).Interface(), item) { + return ResultSuccess + } + } + return ResultFailure(msg) + default: + return ResultFailure(fmt.Sprintf("type %T does not contain items", collection)) + } + } +} + +// Panics succeeds if f() panics. +func Panics(f func()) Comparison { + return func() (result Result) { + defer func() { + if err := recover(); err != nil { + result = ResultSuccess + } + }() + f() + return ResultFailure("did not panic") + } +} + +// Error succeeds if err is a non-nil error, and the error message equals the +// expected message. +func Error(err error, message string) Comparison { + return func() Result { + switch { + case err == nil: + return ResultFailure("expected an error, got nil") + case err.Error() != message: + return ResultFailure(fmt.Sprintf( + "expected error %q, got %s", message, formatErrorMessage(err))) + } + return ResultSuccess + } +} + +// ErrorContains succeeds if err is a non-nil error, and the error message contains +// the expected substring. +func ErrorContains(err error, substring string) Comparison { + return func() Result { + switch { + case err == nil: + return ResultFailure("expected an error, got nil") + case !strings.Contains(err.Error(), substring): + return ResultFailure(fmt.Sprintf( + "expected error to contain %q, got %s", substring, formatErrorMessage(err))) + } + return ResultSuccess + } +} + +func formatErrorMessage(err error) string { + if _, ok := err.(interface { + Cause() error + }); ok { + return fmt.Sprintf("%q\n%+v", err, err) + } + // This error was not wrapped with github.com/pkg/errors + return fmt.Sprintf("%q", err) +} + +// Nil succeeds if obj is a nil interface, pointer, or function. +// +// Use NilError() for comparing errors. Use Len(obj, 0) for comparing slices, +// maps, and channels. +func Nil(obj interface{}) Comparison { + msgFunc := func(value reflect.Value) string { + return fmt.Sprintf("%v (type %s) is not nil", reflect.Indirect(value), value.Type()) + } + return isNil(obj, msgFunc) +} + +func isNil(obj interface{}, msgFunc func(reflect.Value) string) Comparison { + return func() Result { + if obj == nil { + return ResultSuccess + } + value := reflect.ValueOf(obj) + kind := value.Type().Kind() + if kind >= reflect.Chan && kind <= reflect.Slice { + if value.IsNil() { + return ResultSuccess + } + return ResultFailure(msgFunc(value)) + } + + return ResultFailure(fmt.Sprintf("%v (type %s) can not be nil", value, value.Type())) + } +} + +// ErrorType succeeds if err is not nil and is of the expected type. +// +// Expected can be one of: +// a func(error) bool which returns true if the error is the expected type, +// an instance of (or a pointer to) a struct of the expected type, +// a pointer to an interface the error is expected to implement, +// a reflect.Type of the expected struct or interface. +func ErrorType(err error, expected interface{}) Comparison { + return func() Result { + switch expectedType := expected.(type) { + case func(error) bool: + return cmpErrorTypeFunc(err, expectedType) + case reflect.Type: + if expectedType.Kind() == reflect.Interface { + return cmpErrorTypeImplementsType(err, expectedType) + } + return cmpErrorTypeEqualType(err, expectedType) + case nil: + return ResultFailure(fmt.Sprintf("invalid type for expected: nil")) + } + + expectedType := reflect.TypeOf(expected) + switch { + case expectedType.Kind() == reflect.Struct, isPtrToStruct(expectedType): + return cmpErrorTypeEqualType(err, expectedType) + case isPtrToInterface(expectedType): + return cmpErrorTypeImplementsType(err, expectedType.Elem()) + } + return ResultFailure(fmt.Sprintf("invalid type for expected: %T", expected)) + } +} + +func cmpErrorTypeFunc(err error, f func(error) bool) Result { + if f(err) { + return ResultSuccess + } + actual := "nil" + if err != nil { + actual = fmt.Sprintf("%s (%T)", err, err) + } + return ResultFailureTemplate(`error is {{ .Data.actual }} + {{- with callArg 1 }}, not {{ formatNode . }}{{end -}}`, + map[string]interface{}{"actual": actual}) +} + +func cmpErrorTypeEqualType(err error, expectedType reflect.Type) Result { + if err == nil { + return ResultFailure(fmt.Sprintf("error is nil, not %s", expectedType)) + } + errValue := reflect.ValueOf(err) + if errValue.Type() == expectedType { + return ResultSuccess + } + return ResultFailure(fmt.Sprintf("error is %s (%T), not %s", err, err, expectedType)) +} + +func cmpErrorTypeImplementsType(err error, expectedType reflect.Type) Result { + if err == nil { + return ResultFailure(fmt.Sprintf("error is nil, not %s", expectedType)) + } + errValue := reflect.ValueOf(err) + if errValue.Type().Implements(expectedType) { + return ResultSuccess + } + return ResultFailure(fmt.Sprintf("error is %s (%T), not %s", err, err, expectedType)) +} + +func isPtrToInterface(typ reflect.Type) bool { + return typ.Kind() == reflect.Ptr && typ.Elem().Kind() == reflect.Interface +} + +func isPtrToStruct(typ reflect.Type) bool { + return typ.Kind() == reflect.Ptr && typ.Elem().Kind() == reflect.Struct +} diff --git a/vendor/gotest.tools/assert/cmp/result.go b/vendor/gotest.tools/assert/cmp/result.go new file mode 100644 index 0000000000000000000000000000000000000000..7c3c37dd721a7e88ae0e088afb17f2af7671665c --- /dev/null +++ b/vendor/gotest.tools/assert/cmp/result.go @@ -0,0 +1,94 @@ +package cmp + +import ( + "bytes" + "fmt" + "go/ast" + "text/template" + + "gotest.tools/internal/source" +) + +// Result of a Comparison. +type Result interface { + Success() bool +} + +type result struct { + success bool + message string +} + +func (r result) Success() bool { + return r.success +} + +func (r result) FailureMessage() string { + return r.message +} + +// ResultSuccess is a constant which is returned by a ComparisonWithResult to +// indicate success. +var ResultSuccess = result{success: true} + +// ResultFailure returns a failed Result with a failure message. +func ResultFailure(message string) Result { + return result{message: message} +} + +// ResultFromError returns ResultSuccess if err is nil. Otherwise ResultFailure +// is returned with the error message as the failure message. +func ResultFromError(err error) Result { + if err == nil { + return ResultSuccess + } + return ResultFailure(err.Error()) +} + +type templatedResult struct { + success bool + template string + data map[string]interface{} +} + +func (r templatedResult) Success() bool { + return r.success +} + +func (r templatedResult) FailureMessage(args []ast.Expr) string { + msg, err := renderMessage(r, args) + if err != nil { + return fmt.Sprintf("failed to render failure message: %s", err) + } + return msg +} + +// ResultFailureTemplate returns a Result with a template string and data which +// can be used to format a failure message. The template may access data from .Data, +// the comparison args with the callArg function, and the formatNode function may +// be used to format the call args. +func ResultFailureTemplate(template string, data map[string]interface{}) Result { + return templatedResult{template: template, data: data} +} + +func renderMessage(result templatedResult, args []ast.Expr) (string, error) { + tmpl := template.New("failure").Funcs(template.FuncMap{ + "formatNode": source.FormatNode, + "callArg": func(index int) ast.Expr { + if index >= len(args) { + return nil + } + return args[index] + }, + }) + var err error + tmpl, err = tmpl.Parse(result.template) + if err != nil { + return "", err + } + buf := new(bytes.Buffer) + err = tmpl.Execute(buf, map[string]interface{}{ + "Data": result.data, + }) + return buf.String(), err +} diff --git a/vendor/gotest.tools/assert/result.go b/vendor/gotest.tools/assert/result.go new file mode 100644 index 0000000000000000000000000000000000000000..949d93961990961c57b3b09dae00fddd411c6b5f --- /dev/null +++ b/vendor/gotest.tools/assert/result.go @@ -0,0 +1,106 @@ +package assert + +import ( + "fmt" + "go/ast" + + "gotest.tools/assert/cmp" + "gotest.tools/internal/format" + "gotest.tools/internal/source" +) + +func runComparison( + t TestingT, + argSelector argSelector, + f cmp.Comparison, + msgAndArgs ...interface{}, +) bool { + if ht, ok := t.(helperT); ok { + ht.Helper() + } + result := f() + if result.Success() { + return true + } + + var message string + switch typed := result.(type) { + case resultWithComparisonArgs: + const stackIndex = 3 // Assert/Check, assert, runComparison + args, err := source.CallExprArgs(stackIndex) + if err != nil { + t.Log(err.Error()) + } + message = typed.FailureMessage(filterPrintableExpr(argSelector(args))) + case resultBasic: + message = typed.FailureMessage() + default: + message = fmt.Sprintf("comparison returned invalid Result type: %T", result) + } + + t.Log(format.WithCustomMessage(failureMessage+message, msgAndArgs...)) + return false +} + +type resultWithComparisonArgs interface { + FailureMessage(args []ast.Expr) string +} + +type resultBasic interface { + FailureMessage() string +} + +// filterPrintableExpr filters the ast.Expr slice to only include Expr that are +// easy to read when printed and contain relevant information to an assertion. +// +// Ident and SelectorExpr are included because they print nicely and the variable +// names may provide additional context to their values. +// BasicLit and CompositeLit are excluded because their source is equivalent to +// their value, which is already available. +// Other types are ignored for now, but could be added if they are relevant. +func filterPrintableExpr(args []ast.Expr) []ast.Expr { + result := make([]ast.Expr, len(args)) + for i, arg := range args { + if isShortPrintableExpr(arg) { + result[i] = arg + continue + } + + if starExpr, ok := arg.(*ast.StarExpr); ok { + result[i] = starExpr.X + continue + } + } + return result +} + +func isShortPrintableExpr(expr ast.Expr) bool { + switch expr.(type) { + case *ast.Ident, *ast.SelectorExpr, *ast.IndexExpr, *ast.SliceExpr: + return true + case *ast.BinaryExpr, *ast.UnaryExpr: + return true + default: + // CallExpr, ParenExpr, TypeAssertExpr, KeyValueExpr, StarExpr + return false + } +} + +type argSelector func([]ast.Expr) []ast.Expr + +func argsAfterT(args []ast.Expr) []ast.Expr { + if len(args) < 1 { + return nil + } + return args[1:] +} + +func argsFromComparisonCall(args []ast.Expr) []ast.Expr { + if len(args) < 1 { + return nil + } + if callExpr, ok := args[1].(*ast.CallExpr); ok { + return callExpr.Args + } + return nil +} diff --git a/vendor/gotest.tools/internal/difflib/LICENSE b/vendor/gotest.tools/internal/difflib/LICENSE new file mode 100644 index 0000000000000000000000000000000000000000..c67dad612a3dfca2b84599c640798d7be7d46728 --- /dev/null +++ b/vendor/gotest.tools/internal/difflib/LICENSE @@ -0,0 +1,27 @@ +Copyright (c) 2013, Patrick Mezard +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + The names of its contributors may not be used to endorse or promote +products derived from this software without specific prior written +permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/gotest.tools/internal/difflib/difflib.go b/vendor/gotest.tools/internal/difflib/difflib.go new file mode 100644 index 0000000000000000000000000000000000000000..b6f486b9c90ea1ca6f47c0a7a9e3697f20deb308 --- /dev/null +++ b/vendor/gotest.tools/internal/difflib/difflib.go @@ -0,0 +1,423 @@ +/*Package difflib is a partial port of Python difflib module. + +Original source: https://github.com/pmezard/go-difflib + +This file is trimmed to only the parts used by this repository. +*/ +package difflib // import "gotest.tools/internal/difflib" + +func min(a, b int) int { + if a < b { + return a + } + return b +} + +func max(a, b int) int { + if a > b { + return a + } + return b +} + +// Match stores line numbers of size of match +type Match struct { + A int + B int + Size int +} + +// OpCode identifies the type of diff +type OpCode struct { + Tag byte + I1 int + I2 int + J1 int + J2 int +} + +// SequenceMatcher compares sequence of strings. The basic +// algorithm predates, and is a little fancier than, an algorithm +// published in the late 1980's by Ratcliff and Obershelp under the +// hyperbolic name "gestalt pattern matching". The basic idea is to find +// the longest contiguous matching subsequence that contains no "junk" +// elements (R-O doesn't address junk). The same idea is then applied +// recursively to the pieces of the sequences to the left and to the right +// of the matching subsequence. This does not yield minimal edit +// sequences, but does tend to yield matches that "look right" to people. +// +// SequenceMatcher tries to compute a "human-friendly diff" between two +// sequences. Unlike e.g. UNIX(tm) diff, the fundamental notion is the +// longest *contiguous* & junk-free matching subsequence. That's what +// catches peoples' eyes. The Windows(tm) windiff has another interesting +// notion, pairing up elements that appear uniquely in each sequence. +// That, and the method here, appear to yield more intuitive difference +// reports than does diff. This method appears to be the least vulnerable +// to synching up on blocks of "junk lines", though (like blank lines in +// ordinary text files, or maybe "

" lines in HTML files). That may be +// because this is the only method of the 3 that has a *concept* of +// "junk" . +// +// Timing: Basic R-O is cubic time worst case and quadratic time expected +// case. SequenceMatcher is quadratic time for the worst case and has +// expected-case behavior dependent in a complicated way on how many +// elements the sequences have in common; best case time is linear. +type SequenceMatcher struct { + a []string + b []string + b2j map[string][]int + IsJunk func(string) bool + autoJunk bool + bJunk map[string]struct{} + matchingBlocks []Match + fullBCount map[string]int + bPopular map[string]struct{} + opCodes []OpCode +} + +// NewMatcher returns a new SequenceMatcher +func NewMatcher(a, b []string) *SequenceMatcher { + m := SequenceMatcher{autoJunk: true} + m.SetSeqs(a, b) + return &m +} + +// SetSeqs sets two sequences to be compared. +func (m *SequenceMatcher) SetSeqs(a, b []string) { + m.SetSeq1(a) + m.SetSeq2(b) +} + +// SetSeq1 sets the first sequence to be compared. The second sequence to be compared is +// not changed. +// +// SequenceMatcher computes and caches detailed information about the second +// sequence, so if you want to compare one sequence S against many sequences, +// use .SetSeq2(s) once and call .SetSeq1(x) repeatedly for each of the other +// sequences. +// +// See also SetSeqs() and SetSeq2(). +func (m *SequenceMatcher) SetSeq1(a []string) { + if &a == &m.a { + return + } + m.a = a + m.matchingBlocks = nil + m.opCodes = nil +} + +// SetSeq2 sets the second sequence to be compared. The first sequence to be compared is +// not changed. +func (m *SequenceMatcher) SetSeq2(b []string) { + if &b == &m.b { + return + } + m.b = b + m.matchingBlocks = nil + m.opCodes = nil + m.fullBCount = nil + m.chainB() +} + +func (m *SequenceMatcher) chainB() { + // Populate line -> index mapping + b2j := map[string][]int{} + for i, s := range m.b { + indices := b2j[s] + indices = append(indices, i) + b2j[s] = indices + } + + // Purge junk elements + m.bJunk = map[string]struct{}{} + if m.IsJunk != nil { + junk := m.bJunk + for s := range b2j { + if m.IsJunk(s) { + junk[s] = struct{}{} + } + } + for s := range junk { + delete(b2j, s) + } + } + + // Purge remaining popular elements + popular := map[string]struct{}{} + n := len(m.b) + if m.autoJunk && n >= 200 { + ntest := n/100 + 1 + for s, indices := range b2j { + if len(indices) > ntest { + popular[s] = struct{}{} + } + } + for s := range popular { + delete(b2j, s) + } + } + m.bPopular = popular + m.b2j = b2j +} + +func (m *SequenceMatcher) isBJunk(s string) bool { + _, ok := m.bJunk[s] + return ok +} + +// Find longest matching block in a[alo:ahi] and b[blo:bhi]. +// +// If IsJunk is not defined: +// +// Return (i,j,k) such that a[i:i+k] is equal to b[j:j+k], where +// alo <= i <= i+k <= ahi +// blo <= j <= j+k <= bhi +// and for all (i',j',k') meeting those conditions, +// k >= k' +// i <= i' +// and if i == i', j <= j' +// +// In other words, of all maximal matching blocks, return one that +// starts earliest in a, and of all those maximal matching blocks that +// start earliest in a, return the one that starts earliest in b. +// +// If IsJunk is defined, first the longest matching block is +// determined as above, but with the additional restriction that no +// junk element appears in the block. Then that block is extended as +// far as possible by matching (only) junk elements on both sides. So +// the resulting block never matches on junk except as identical junk +// happens to be adjacent to an "interesting" match. +// +// If no blocks match, return (alo, blo, 0). +func (m *SequenceMatcher) findLongestMatch(alo, ahi, blo, bhi int) Match { + // CAUTION: stripping common prefix or suffix would be incorrect. + // E.g., + // ab + // acab + // Longest matching block is "ab", but if common prefix is + // stripped, it's "a" (tied with "b"). UNIX(tm) diff does so + // strip, so ends up claiming that ab is changed to acab by + // inserting "ca" in the middle. That's minimal but unintuitive: + // "it's obvious" that someone inserted "ac" at the front. + // Windiff ends up at the same place as diff, but by pairing up + // the unique 'b's and then matching the first two 'a's. + besti, bestj, bestsize := alo, blo, 0 + + // find longest junk-free match + // during an iteration of the loop, j2len[j] = length of longest + // junk-free match ending with a[i-1] and b[j] + j2len := map[int]int{} + for i := alo; i != ahi; i++ { + // look at all instances of a[i] in b; note that because + // b2j has no junk keys, the loop is skipped if a[i] is junk + newj2len := map[int]int{} + for _, j := range m.b2j[m.a[i]] { + // a[i] matches b[j] + if j < blo { + continue + } + if j >= bhi { + break + } + k := j2len[j-1] + 1 + newj2len[j] = k + if k > bestsize { + besti, bestj, bestsize = i-k+1, j-k+1, k + } + } + j2len = newj2len + } + + // Extend the best by non-junk elements on each end. In particular, + // "popular" non-junk elements aren't in b2j, which greatly speeds + // the inner loop above, but also means "the best" match so far + // doesn't contain any junk *or* popular non-junk elements. + for besti > alo && bestj > blo && !m.isBJunk(m.b[bestj-1]) && + m.a[besti-1] == m.b[bestj-1] { + besti, bestj, bestsize = besti-1, bestj-1, bestsize+1 + } + for besti+bestsize < ahi && bestj+bestsize < bhi && + !m.isBJunk(m.b[bestj+bestsize]) && + m.a[besti+bestsize] == m.b[bestj+bestsize] { + bestsize += 1 + } + + // Now that we have a wholly interesting match (albeit possibly + // empty!), we may as well suck up the matching junk on each + // side of it too. Can't think of a good reason not to, and it + // saves post-processing the (possibly considerable) expense of + // figuring out what to do with it. In the case of an empty + // interesting match, this is clearly the right thing to do, + // because no other kind of match is possible in the regions. + for besti > alo && bestj > blo && m.isBJunk(m.b[bestj-1]) && + m.a[besti-1] == m.b[bestj-1] { + besti, bestj, bestsize = besti-1, bestj-1, bestsize+1 + } + for besti+bestsize < ahi && bestj+bestsize < bhi && + m.isBJunk(m.b[bestj+bestsize]) && + m.a[besti+bestsize] == m.b[bestj+bestsize] { + bestsize += 1 + } + + return Match{A: besti, B: bestj, Size: bestsize} +} + +// GetMatchingBlocks returns a list of triples describing matching subsequences. +// +// Each triple is of the form (i, j, n), and means that +// a[i:i+n] == b[j:j+n]. The triples are monotonically increasing in +// i and in j. It's also guaranteed that if (i, j, n) and (i', j', n') are +// adjacent triples in the list, and the second is not the last triple in the +// list, then i+n != i' or j+n != j'. IOW, adjacent triples never describe +// adjacent equal blocks. +// +// The last triple is a dummy, (len(a), len(b), 0), and is the only +// triple with n==0. +func (m *SequenceMatcher) GetMatchingBlocks() []Match { + if m.matchingBlocks != nil { + return m.matchingBlocks + } + + var matchBlocks func(alo, ahi, blo, bhi int, matched []Match) []Match + matchBlocks = func(alo, ahi, blo, bhi int, matched []Match) []Match { + match := m.findLongestMatch(alo, ahi, blo, bhi) + i, j, k := match.A, match.B, match.Size + if match.Size > 0 { + if alo < i && blo < j { + matched = matchBlocks(alo, i, blo, j, matched) + } + matched = append(matched, match) + if i+k < ahi && j+k < bhi { + matched = matchBlocks(i+k, ahi, j+k, bhi, matched) + } + } + return matched + } + matched := matchBlocks(0, len(m.a), 0, len(m.b), nil) + + // It's possible that we have adjacent equal blocks in the + // matching_blocks list now. + nonAdjacent := []Match{} + i1, j1, k1 := 0, 0, 0 + for _, b := range matched { + // Is this block adjacent to i1, j1, k1? + i2, j2, k2 := b.A, b.B, b.Size + if i1+k1 == i2 && j1+k1 == j2 { + // Yes, so collapse them -- this just increases the length of + // the first block by the length of the second, and the first + // block so lengthened remains the block to compare against. + k1 += k2 + } else { + // Not adjacent. Remember the first block (k1==0 means it's + // the dummy we started with), and make the second block the + // new block to compare against. + if k1 > 0 { + nonAdjacent = append(nonAdjacent, Match{i1, j1, k1}) + } + i1, j1, k1 = i2, j2, k2 + } + } + if k1 > 0 { + nonAdjacent = append(nonAdjacent, Match{i1, j1, k1}) + } + + nonAdjacent = append(nonAdjacent, Match{len(m.a), len(m.b), 0}) + m.matchingBlocks = nonAdjacent + return m.matchingBlocks +} + +// GetOpCodes returns a list of 5-tuples describing how to turn a into b. +// +// Each tuple is of the form (tag, i1, i2, j1, j2). The first tuple +// has i1 == j1 == 0, and remaining tuples have i1 == the i2 from the +// tuple preceding it, and likewise for j1 == the previous j2. +// +// The tags are characters, with these meanings: +// +// 'r' (replace): a[i1:i2] should be replaced by b[j1:j2] +// +// 'd' (delete): a[i1:i2] should be deleted, j1==j2 in this case. +// +// 'i' (insert): b[j1:j2] should be inserted at a[i1:i1], i1==i2 in this case. +// +// 'e' (equal): a[i1:i2] == b[j1:j2] +func (m *SequenceMatcher) GetOpCodes() []OpCode { + if m.opCodes != nil { + return m.opCodes + } + i, j := 0, 0 + matching := m.GetMatchingBlocks() + opCodes := make([]OpCode, 0, len(matching)) + for _, m := range matching { + // invariant: we've pumped out correct diffs to change + // a[:i] into b[:j], and the next matching block is + // a[ai:ai+size] == b[bj:bj+size]. So we need to pump + // out a diff to change a[i:ai] into b[j:bj], pump out + // the matching block, and move (i,j) beyond the match + ai, bj, size := m.A, m.B, m.Size + tag := byte(0) + if i < ai && j < bj { + tag = 'r' + } else if i < ai { + tag = 'd' + } else if j < bj { + tag = 'i' + } + if tag > 0 { + opCodes = append(opCodes, OpCode{tag, i, ai, j, bj}) + } + i, j = ai+size, bj+size + // the list of matching blocks is terminated by a + // sentinel with size 0 + if size > 0 { + opCodes = append(opCodes, OpCode{'e', ai, i, bj, j}) + } + } + m.opCodes = opCodes + return m.opCodes +} + +// GetGroupedOpCodes isolates change clusters by eliminating ranges with no changes. +// +// Return a generator of groups with up to n lines of context. +// Each group is in the same format as returned by GetOpCodes(). +func (m *SequenceMatcher) GetGroupedOpCodes(n int) [][]OpCode { + if n < 0 { + n = 3 + } + codes := m.GetOpCodes() + if len(codes) == 0 { + codes = []OpCode{{'e', 0, 1, 0, 1}} + } + // Fixup leading and trailing groups if they show no changes. + if codes[0].Tag == 'e' { + c := codes[0] + i1, i2, j1, j2 := c.I1, c.I2, c.J1, c.J2 + codes[0] = OpCode{c.Tag, max(i1, i2-n), i2, max(j1, j2-n), j2} + } + if codes[len(codes)-1].Tag == 'e' { + c := codes[len(codes)-1] + i1, i2, j1, j2 := c.I1, c.I2, c.J1, c.J2 + codes[len(codes)-1] = OpCode{c.Tag, i1, min(i2, i1+n), j1, min(j2, j1+n)} + } + nn := n + n + groups := [][]OpCode{} + group := []OpCode{} + for _, c := range codes { + i1, i2, j1, j2 := c.I1, c.I2, c.J1, c.J2 + // End the current group and start a new one whenever + // there is a large range with no changes. + if c.Tag == 'e' && i2-i1 > nn { + group = append(group, OpCode{c.Tag, i1, min(i2, i1+n), + j1, min(j2, j1+n)}) + groups = append(groups, group) + group = []OpCode{} + i1, j1 = max(i1, i2-n), max(j1, j2-n) + } + group = append(group, OpCode{c.Tag, i1, i2, j1, j2}) + } + if len(group) > 0 && !(len(group) == 1 && group[0].Tag == 'e') { + groups = append(groups, group) + } + return groups +} diff --git a/vendor/gotest.tools/internal/format/diff.go b/vendor/gotest.tools/internal/format/diff.go new file mode 100644 index 0000000000000000000000000000000000000000..c938c97bec147c1e6532117a8254cc51ab813944 --- /dev/null +++ b/vendor/gotest.tools/internal/format/diff.go @@ -0,0 +1,161 @@ +package format + +import ( + "bytes" + "fmt" + "strings" + "unicode" + + "gotest.tools/internal/difflib" +) + +const ( + contextLines = 2 +) + +// DiffConfig for a unified diff +type DiffConfig struct { + A string + B string + From string + To string +} + +// UnifiedDiff is a modified version of difflib.WriteUnifiedDiff with better +// support for showing the whitespace differences. +func UnifiedDiff(conf DiffConfig) string { + a := strings.SplitAfter(conf.A, "\n") + b := strings.SplitAfter(conf.B, "\n") + groups := difflib.NewMatcher(a, b).GetGroupedOpCodes(contextLines) + if len(groups) == 0 { + return "" + } + + buf := new(bytes.Buffer) + writeFormat := func(format string, args ...interface{}) { + buf.WriteString(fmt.Sprintf(format, args...)) + } + writeLine := func(prefix string, s string) { + buf.WriteString(prefix + s) + } + if hasWhitespaceDiffLines(groups, a, b) { + writeLine = visibleWhitespaceLine(writeLine) + } + formatHeader(writeFormat, conf) + for _, group := range groups { + formatRangeLine(writeFormat, group) + for _, opCode := range group { + in, out := a[opCode.I1:opCode.I2], b[opCode.J1:opCode.J2] + switch opCode.Tag { + case 'e': + formatLines(writeLine, " ", in) + case 'r': + formatLines(writeLine, "-", in) + formatLines(writeLine, "+", out) + case 'd': + formatLines(writeLine, "-", in) + case 'i': + formatLines(writeLine, "+", out) + } + } + } + return buf.String() +} + +// hasWhitespaceDiffLines returns true if any diff groups is only different +// because of whitespace characters. +func hasWhitespaceDiffLines(groups [][]difflib.OpCode, a, b []string) bool { + for _, group := range groups { + in, out := new(bytes.Buffer), new(bytes.Buffer) + for _, opCode := range group { + if opCode.Tag == 'e' { + continue + } + for _, line := range a[opCode.I1:opCode.I2] { + in.WriteString(line) + } + for _, line := range b[opCode.J1:opCode.J2] { + out.WriteString(line) + } + } + if removeWhitespace(in.String()) == removeWhitespace(out.String()) { + return true + } + } + return false +} + +func removeWhitespace(s string) string { + var result []rune + for _, r := range s { + if !unicode.IsSpace(r) { + result = append(result, r) + } + } + return string(result) +} + +func visibleWhitespaceLine(ws func(string, string)) func(string, string) { + mapToVisibleSpace := func(r rune) rune { + switch r { + case '\n': + case ' ': + return '·' + case '\t': + return '▷' + case '\v': + return '▽' + case '\r': + return '↵' + case '\f': + return '↓' + default: + if unicode.IsSpace(r) { + return '�' + } + } + return r + } + return func(prefix, s string) { + ws(prefix, strings.Map(mapToVisibleSpace, s)) + } +} + +func formatHeader(wf func(string, ...interface{}), conf DiffConfig) { + if conf.From != "" || conf.To != "" { + wf("--- %s\n", conf.From) + wf("+++ %s\n", conf.To) + } +} + +func formatRangeLine(wf func(string, ...interface{}), group []difflib.OpCode) { + first, last := group[0], group[len(group)-1] + range1 := formatRangeUnified(first.I1, last.I2) + range2 := formatRangeUnified(first.J1, last.J2) + wf("@@ -%s +%s @@\n", range1, range2) +} + +// Convert range to the "ed" format +func formatRangeUnified(start, stop int) string { + // Per the diff spec at http://www.unix.org/single_unix_specification/ + beginning := start + 1 // lines start numbering with one + length := stop - start + if length == 1 { + return fmt.Sprintf("%d", beginning) + } + if length == 0 { + beginning-- // empty ranges begin at line just before the range + } + return fmt.Sprintf("%d,%d", beginning, length) +} + +func formatLines(writeLine func(string, string), prefix string, lines []string) { + for _, line := range lines { + writeLine(prefix, line) + } + // Add a newline if the last line is missing one so that the diff displays + // properly. + if !strings.HasSuffix(lines[len(lines)-1], "\n") { + writeLine("", "\n") + } +} diff --git a/vendor/gotest.tools/internal/format/format.go b/vendor/gotest.tools/internal/format/format.go new file mode 100644 index 0000000000000000000000000000000000000000..8f6494f99421d5565b910bacb2c6f16005b72de6 --- /dev/null +++ b/vendor/gotest.tools/internal/format/format.go @@ -0,0 +1,27 @@ +package format // import "gotest.tools/internal/format" + +import "fmt" + +// Message accepts a msgAndArgs varargs and formats it using fmt.Sprintf +func Message(msgAndArgs ...interface{}) string { + switch len(msgAndArgs) { + case 0: + return "" + case 1: + return fmt.Sprintf("%v", msgAndArgs[0]) + default: + return fmt.Sprintf(msgAndArgs[0].(string), msgAndArgs[1:]...) + } +} + +// WithCustomMessage accepts one or two messages and formats them appropriately +func WithCustomMessage(source string, msgAndArgs ...interface{}) string { + custom := Message(msgAndArgs...) + switch { + case custom == "": + return source + case source == "": + return custom + } + return fmt.Sprintf("%s: %s", source, custom) +} diff --git a/vendor/gotest.tools/internal/source/defers.go b/vendor/gotest.tools/internal/source/defers.go new file mode 100644 index 0000000000000000000000000000000000000000..66cfafbb648ac731f139495e936ab7f4580a96c0 --- /dev/null +++ b/vendor/gotest.tools/internal/source/defers.go @@ -0,0 +1,53 @@ +package source + +import ( + "go/ast" + "go/token" + + "github.com/pkg/errors" +) + +func scanToDeferLine(fileset *token.FileSet, node ast.Node, lineNum int) ast.Node { + var matchedNode ast.Node + ast.Inspect(node, func(node ast.Node) bool { + switch { + case node == nil || matchedNode != nil: + return false + case fileset.Position(node.End()).Line == lineNum: + if funcLit, ok := node.(*ast.FuncLit); ok { + matchedNode = funcLit + return false + } + } + return true + }) + debug("defer line node: %s", debugFormatNode{matchedNode}) + return matchedNode +} + +func guessDefer(node ast.Node) (ast.Node, error) { + defers := collectDefers(node) + switch len(defers) { + case 0: + return nil, errors.New("failed to expression in defer") + case 1: + return defers[0].Call, nil + default: + return nil, errors.Errorf( + "ambiguous call expression: multiple (%d) defers in call block", + len(defers)) + } +} + +func collectDefers(node ast.Node) []*ast.DeferStmt { + var defers []*ast.DeferStmt + ast.Inspect(node, func(node ast.Node) bool { + if d, ok := node.(*ast.DeferStmt); ok { + defers = append(defers, d) + debug("defer: %s", debugFormatNode{d}) + return false + } + return true + }) + return defers +} diff --git a/vendor/gotest.tools/internal/source/source.go b/vendor/gotest.tools/internal/source/source.go new file mode 100644 index 0000000000000000000000000000000000000000..8a5d0e8d35b413436a1f860fc7a83d0501827c64 --- /dev/null +++ b/vendor/gotest.tools/internal/source/source.go @@ -0,0 +1,166 @@ +package source // import "gotest.tools/internal/source" + +import ( + "bytes" + "fmt" + "go/ast" + "go/format" + "go/parser" + "go/token" + "os" + "runtime" + "strconv" + "strings" + + "github.com/pkg/errors" +) + +const baseStackIndex = 1 + +// FormattedCallExprArg returns the argument from an ast.CallExpr at the +// index in the call stack. The argument is formatted using FormatNode. +func FormattedCallExprArg(stackIndex int, argPos int) (string, error) { + args, err := CallExprArgs(stackIndex + 1) + if err != nil { + return "", err + } + if argPos >= len(args) { + return "", errors.New("failed to find expression") + } + return FormatNode(args[argPos]) +} + +// CallExprArgs returns the ast.Expr slice for the args of an ast.CallExpr at +// the index in the call stack. +func CallExprArgs(stackIndex int) ([]ast.Expr, error) { + _, filename, lineNum, ok := runtime.Caller(baseStackIndex + stackIndex) + if !ok { + return nil, errors.New("failed to get call stack") + } + debug("call stack position: %s:%d", filename, lineNum) + + node, err := getNodeAtLine(filename, lineNum) + if err != nil { + return nil, err + } + debug("found node: %s", debugFormatNode{node}) + + return getCallExprArgs(node) +} + +func getNodeAtLine(filename string, lineNum int) (ast.Node, error) { + fileset := token.NewFileSet() + astFile, err := parser.ParseFile(fileset, filename, nil, parser.AllErrors) + if err != nil { + return nil, errors.Wrapf(err, "failed to parse source file: %s", filename) + } + + if node := scanToLine(fileset, astFile, lineNum); node != nil { + return node, nil + } + if node := scanToDeferLine(fileset, astFile, lineNum); node != nil { + node, err := guessDefer(node) + if err != nil || node != nil { + return node, err + } + } + return nil, errors.Errorf( + "failed to find an expression on line %d in %s", lineNum, filename) +} + +func scanToLine(fileset *token.FileSet, node ast.Node, lineNum int) ast.Node { + var matchedNode ast.Node + ast.Inspect(node, func(node ast.Node) bool { + switch { + case node == nil || matchedNode != nil: + return false + case nodePosition(fileset, node).Line == lineNum: + matchedNode = node + return false + } + return true + }) + return matchedNode +} + +// In golang 1.9 the line number changed from being the line where the statement +// ended to the line where the statement began. +func nodePosition(fileset *token.FileSet, node ast.Node) token.Position { + if goVersionBefore19 { + return fileset.Position(node.End()) + } + return fileset.Position(node.Pos()) +} + +var goVersionBefore19 = func() bool { + version := runtime.Version() + // not a release version + if !strings.HasPrefix(version, "go") { + return false + } + version = strings.TrimPrefix(version, "go") + parts := strings.Split(version, ".") + if len(parts) < 2 { + return false + } + minor, err := strconv.ParseInt(parts[1], 10, 32) + return err == nil && parts[0] == "1" && minor < 9 +}() + +func getCallExprArgs(node ast.Node) ([]ast.Expr, error) { + visitor := &callExprVisitor{} + ast.Walk(visitor, node) + if visitor.expr == nil { + return nil, errors.New("failed to find call expression") + } + debug("callExpr: %s", debugFormatNode{visitor.expr}) + return visitor.expr.Args, nil +} + +type callExprVisitor struct { + expr *ast.CallExpr +} + +func (v *callExprVisitor) Visit(node ast.Node) ast.Visitor { + if v.expr != nil || node == nil { + return nil + } + debug("visit: %s", debugFormatNode{node}) + + switch typed := node.(type) { + case *ast.CallExpr: + v.expr = typed + return nil + case *ast.DeferStmt: + ast.Walk(v, typed.Call.Fun) + return nil + } + return v +} + +// FormatNode using go/format.Node and return the result as a string +func FormatNode(node ast.Node) (string, error) { + buf := new(bytes.Buffer) + err := format.Node(buf, token.NewFileSet(), node) + return buf.String(), err +} + +var debugEnabled = os.Getenv("GOTESTTOOLS_DEBUG") != "" + +func debug(format string, args ...interface{}) { + if debugEnabled { + fmt.Fprintf(os.Stderr, "DEBUG: "+format+"\n", args...) + } +} + +type debugFormatNode struct { + ast.Node +} + +func (n debugFormatNode) String() string { + out, err := FormatNode(n.Node) + if err != nil { + return fmt.Sprintf("failed to format %s: %s", n.Node, err) + } + return fmt.Sprintf("(%T) %s", n.Node, out) +} diff --git a/vendor/modules.txt b/vendor/modules.txt index ef48d349d6910aeeaf53696eceaa83acee401a95..01b3d70c46f6835b0528023b65201d844576055e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -73,11 +73,11 @@ github.com/beorn7/perks/quantile github.com/blang/semver # github.com/cespare/xxhash v1.1.0 => github.com/cespare/xxhash v1.1.0 github.com/cespare/xxhash -# github.com/cespare/xxhash/v2 v2.1.1 +# github.com/cespare/xxhash/v2 v2.1.1 => github.com/cespare/xxhash/v2 v2.1.1 github.com/cespare/xxhash/v2 # github.com/container-storage-interface/spec v1.2.0 => github.com/container-storage-interface/spec v1.2.0 github.com/container-storage-interface/spec/lib/go/csi -# github.com/containernetworking/cni v0.8.0 +# github.com/containernetworking/cni v0.8.0 => github.com/containernetworking/cni v0.8.0 github.com/containernetworking/cni/pkg/types github.com/containernetworking/cni/pkg/types/020 github.com/containernetworking/cni/pkg/types/current @@ -144,9 +144,9 @@ github.com/elastic/go-elasticsearch/v7/estransport github.com/elastic/go-elasticsearch/v7/internal/version # github.com/emicklei/go-restful v2.14.3+incompatible => github.com/emicklei/go-restful v2.14.3+incompatible github.com/emicklei/go-restful -github.com/emicklei/go-restful/log # github.com/emicklei/go-restful-openapi v1.4.1 => github.com/emicklei/go-restful-openapi v1.4.1 github.com/emicklei/go-restful-openapi +github.com/emicklei/go-restful/log # github.com/emirpasic/gods v1.12.0 => github.com/emirpasic/gods v1.12.0 github.com/emirpasic/gods/containers github.com/emirpasic/gods/lists @@ -245,7 +245,7 @@ github.com/golang/glog github.com/golang/groupcache/lru # github.com/golang/mock v1.2.0 => github.com/golang/mock v1.2.0 github.com/golang/mock/gomock -# github.com/golang/protobuf v1.4.3 => github.com/golang/protobuf v1.3.2 +# github.com/golang/protobuf v1.4.0 => github.com/golang/protobuf v1.3.2 github.com/golang/protobuf/descriptor github.com/golang/protobuf/jsonpb github.com/golang/protobuf/proto @@ -318,11 +318,11 @@ github.com/inconshreveable/mousetrap github.com/jbenet/go-context/io # github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af => github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af github.com/jmespath/go-jmespath -# github.com/json-iterator/go v1.1.10 => github.com/json-iterator/go v1.1.8 +# github.com/json-iterator/go v1.1.9 => github.com/json-iterator/go v1.1.8 github.com/json-iterator/go # github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e => github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e github.com/kevinburke/ssh_config -# github.com/kiali/kiali v1.26.0 => github.com/kubesphere/kiali v0.15.1-0.20201110082537-0c2b977257d4 +# github.com/kiali/kiali v0.15.1-0.20201110082537-0c2b977257d4 => github.com/kubesphere/kiali v0.15.1-0.20201110082537-0c2b977257d4 github.com/kiali/kiali/business github.com/kiali/kiali/business/checkers github.com/kiali/kiali/business/checkers/destinationrules @@ -498,9 +498,9 @@ github.com/projectcalico/libcalico-go/lib/selector github.com/projectcalico/libcalico-go/lib/selector/parser github.com/projectcalico/libcalico-go/lib/selector/tokenizer github.com/projectcalico/libcalico-go/lib/set -# github.com/prometheus-community/prom-label-proxy v0.2.0 +# github.com/prometheus-community/prom-label-proxy v0.2.0 => github.com/prometheus-community/prom-label-proxy v0.2.0 github.com/prometheus-community/prom-label-proxy/injectproxy -# github.com/prometheus/alertmanager v0.20.0 +# github.com/prometheus/alertmanager v0.20.0 => github.com/prometheus/alertmanager v0.20.0 github.com/prometheus/alertmanager/api/v2/client github.com/prometheus/alertmanager/api/v2/client/alert github.com/prometheus/alertmanager/api/v2/client/alertgroup @@ -509,7 +509,7 @@ github.com/prometheus/alertmanager/api/v2/client/receiver github.com/prometheus/alertmanager/api/v2/client/silence github.com/prometheus/alertmanager/api/v2/models github.com/prometheus/alertmanager/pkg/labels -# github.com/prometheus/client_golang v1.8.0 => github.com/prometheus/client_golang v1.5.1 +# github.com/prometheus/client_golang v1.5.1 => github.com/prometheus/client_golang v1.5.1 github.com/prometheus/client_golang/api github.com/prometheus/client_golang/api/prometheus/v1 github.com/prometheus/client_golang/prometheus @@ -517,7 +517,7 @@ github.com/prometheus/client_golang/prometheus/internal github.com/prometheus/client_golang/prometheus/promhttp # github.com/prometheus/client_model v0.2.0 => github.com/prometheus/client_model v0.2.0 github.com/prometheus/client_model/go -# github.com/prometheus/common v0.14.0 => github.com/prometheus/common v0.9.1 +# github.com/prometheus/common v0.9.1 => github.com/prometheus/common v0.9.1 github.com/prometheus/common/expfmt github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg github.com/prometheus/common/log @@ -526,7 +526,7 @@ github.com/prometheus/common/model github.com/prometheus/procfs github.com/prometheus/procfs/internal/fs github.com/prometheus/procfs/internal/util -# github.com/prometheus/prometheus v2.5.0+incompatible => github.com/prometheus/prometheus v1.8.2-0.20200507164740-ecee9c8abfd1 +# github.com/prometheus/prometheus v1.8.2-0.20200507164740-ecee9c8abfd1 => github.com/prometheus/prometheus v1.8.2-0.20200507164740-ecee9c8abfd1 github.com/prometheus/prometheus/pkg/labels github.com/prometheus/prometheus/pkg/value github.com/prometheus/prometheus/promql/parser @@ -632,7 +632,7 @@ golang.org/x/crypto/ssh golang.org/x/crypto/ssh/agent golang.org/x/crypto/ssh/knownhosts golang.org/x/crypto/ssh/terminal -# golang.org/x/net v0.0.0-20200625001655-4c5254603344 => golang.org/x/net v0.0.0-20190620200207-3b0461eec859 +# golang.org/x/net v0.0.0-20200421231249-e086a090c8fd => golang.org/x/net v0.0.0-20190620200207-3b0461eec859 golang.org/x/net/context golang.org/x/net/context/ctxhttp golang.org/x/net/html @@ -807,10 +807,16 @@ gopkg.in/src-d/go-git.v4/utils/merkletrie/noder gopkg.in/tomb.v1 # gopkg.in/warnings.v0 v0.1.2 => gopkg.in/warnings.v0 v0.1.2 gopkg.in/warnings.v0 -# gopkg.in/yaml.v2 v2.3.0 => gopkg.in/yaml.v2 v2.2.8 +# gopkg.in/yaml.v2 v2.2.8 => gopkg.in/yaml.v2 v2.2.8 gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c => gopkg.in/yaml.v3 v3.0.0-20190905181640-827449938966 gopkg.in/yaml.v3 +# gotest.tools v2.2.0+incompatible => gotest.tools v2.2.0+incompatible +gotest.tools/assert +gotest.tools/assert/cmp +gotest.tools/internal/difflib +gotest.tools/internal/format +gotest.tools/internal/source # istio.io/api v0.0.0-20191111210003-35e06ef8d838 => istio.io/api v0.0.0-20191111210003-35e06ef8d838 istio.io/api/authentication/v1alpha1 istio.io/api/mixer/v1