Ensure CLI and web console clients are public OAuth clients, pass tok…

…en url to web console
openshift · Sep 12, 2016 · f4fdc8c · f4fdc8c
1 parent 84a8c52
commit f4fdc8c
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 11 deletions.
diff --git a/pkg/assets/handlers.go b/pkg/assets/handlers.go
@@ -188,6 +188,7 @@ window.OPENSHIFT_CONFIG = {
   },
   auth: {
   	oauth_authorize_uri: "{{ .OAuthAuthorizeURI | js}}",
+	oauth_token_uri: "{{ .OAuthTokenURI | js}}",
   	oauth_redirect_base: "{{ .OAuthRedirectBase | js}}",
   	oauth_client_id: "{{ .OAuthClientID | js}}",
   	logout_uri: "{{ .LogoutURI | js}}"
@@ -224,6 +225,8 @@ type WebConsoleConfig struct {
 	KubernetesResources []string
 	// OAuthAuthorizeURI is the OAuth2 endpoint to use to request an API token. It must support request_type=token.
 	OAuthAuthorizeURI string
+	// OAuthTokenURI is the OAuth2 endpoint to use to request an API token. If set, the OAuthClientID must support a client_secret of "".
+	OAuthTokenURI string
 	// OAuthRedirectBase is the base URI of the web console. It must be a valid redirect_uri for the OAuthClientID
 	OAuthRedirectBase string
 	// OAuthClientID is the OAuth2 client_id to use to request an API token. It must be authorized to redirect to the web console URL.

diff --git a/pkg/cmd/server/origin/asset.go b/pkg/cmd/server/origin/asset.go
@@ -220,6 +220,7 @@ func (c *AssetConfig) addHandlers(mux *http.ServeMux) error {
 		KubernetesPrefix:      KubernetesAPIPrefix,
 		KubernetesResources:   k8sResources.List(),
 		OAuthAuthorizeURI:     OpenShiftOAuthAuthorizeURL(masterURL.String()),
+		OAuthTokenURI:         OpenShiftOAuthTokenURL(masterURL.String()),
 		OAuthRedirectBase:     c.Options.PublicURL,
 		OAuthClientID:         OpenShiftWebConsoleClientID,
 		LogoutURI:             c.Options.LogoutURL,

diff --git a/pkg/cmd/server/origin/auth.go b/pkg/cmd/server/origin/auth.go
@@ -240,7 +240,7 @@ func OpenShiftOAuthTokenRequestURL(masterAddr string) string {
 	return masterAddr + path.Join(OpenShiftOAuthAPIPrefix, tokenrequest.RequestTokenEndpoint)
 }
 
-func ensureOAuthClient(client oauthapi.OAuthClient, clientRegistry clientregistry.Registry, preserveExistingRedirects bool) error {
+func ensureOAuthClient(client oauthapi.OAuthClient, clientRegistry clientregistry.Registry, preserveExistingRedirects, preserveExistingSecret bool) error {
 	ctx := kapi.NewContext()
 	_, err := clientRegistry.CreateClient(ctx, &client)
 	if err == nil || !kerrs.IsAlreadyExists(err) {
@@ -256,7 +256,7 @@ func ensureOAuthClient(client oauthapi.OAuthClient, clientRegistry clientregistr
 		// Ensure the correct challenge setting
 		existing.RespondWithChallenges = client.RespondWithChallenges
 		// Preserve an existing client secret
-		if len(existing.Secret) == 0 {
+		if !preserveExistingSecret || len(existing.Secret) == 0 {
 			existing.Secret = client.Secret
 		}
 
@@ -290,12 +290,12 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre
 	{
 		webConsoleClient := oauthapi.OAuthClient{
 			ObjectMeta:            kapi.ObjectMeta{Name: OpenShiftWebConsoleClientID},
-			Secret:                uuid.New(),
+			Secret:                "",
 			RespondWithChallenges: false,
 			RedirectURIs:          assetPublicAddresses,
 			GrantMethod:           oauthapi.GrantHandlerAuto,
 		}
-		if err := ensureOAuthClient(webConsoleClient, clientRegistry, true); err != nil {
+		if err := ensureOAuthClient(webConsoleClient, clientRegistry, true, false); err != nil {
 			return err
 		}
 	}
@@ -308,20 +308,20 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre
 			RedirectURIs:          []string{masterPublicAddr + path.Join(OpenShiftOAuthAPIPrefix, tokenrequest.DisplayTokenEndpoint)},
 			GrantMethod:           oauthapi.GrantHandlerAuto,
 		}
-		if err := ensureOAuthClient(browserClient, clientRegistry, true); err != nil {
+		if err := ensureOAuthClient(browserClient, clientRegistry, true, true); err != nil {
 			return err
 		}
 	}
 
 	{
 		cliClient := oauthapi.OAuthClient{
 			ObjectMeta:            kapi.ObjectMeta{Name: OpenShiftCLIClientID},
-			Secret:                uuid.New(),
+			Secret:                "",
 			RespondWithChallenges: true,
 			RedirectURIs:          []string{masterPublicAddr + path.Join(OpenShiftOAuthAPIPrefix, tokenrequest.ImplicitTokenEndpoint)},
 			GrantMethod:           oauthapi.GrantHandlerAuto,
 		}
-		if err := ensureOAuthClient(cliClient, clientRegistry, false); err != nil {
+		if err := ensureOAuthClient(cliClient, clientRegistry, false, false); err != nil {
 			return err
 		}
 	}

diff --git a/pkg/cmd/server/origin/auth_config.go b/pkg/cmd/server/origin/auth_config.go
@@ -83,11 +83,9 @@ func BuildAuthConfig(masterConfig *MasterConfig) (*AuthConfig, error) {
 	}
 
 	// Build the list of valid redirect_uri prefixes for a login using the openshift-web-console client to redirect to
-	// TODO: allow configuring this
-	// TODO: remove hard-coding of development UI server
 	assetPublicURLs := []string{}
 	if !options.DisabledFeatures.Has(configapi.FeatureWebConsole) {
-		assetPublicURLs = []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
+		assetPublicURLs = []string{options.OAuthConfig.AssetPublicURL}
 	}
 
 	userStorage, err := useretcd.NewREST(masterConfig.RESTOptionsGetter)

diff --git a/pkg/oauth/api/v1/types.go b/pkg/oauth/api/v1/types.go
@@ -84,7 +84,7 @@ type OAuthClient struct {
 	RespondWithChallenges bool `json:"respondWithChallenges,omitempty" protobuf:"varint,4,opt,name=respondWithChallenges"`
 
 	// RedirectURIs is the valid redirection URIs associated with a client
-	RedirectURIs []string `json:"redirectURIs,omitempty" protobuf:"bytes,5,rep,name=redirectURIs"`
+	RedirectURIs []string `json:"redirectURIs,omitempty" patchStrategy:"merge" protobuf:"bytes,5,rep,name=redirectURIs"`
 
 	// GrantMethod determines how to handle grants for this client. If no method is provided, the
 	// cluster default grant handling method will be used. Valid grant handling methods are: