allow users list their own access tokens

Makefile

@@ -38,6 +38,11 @@ verify:
 	hack/verify-generated-openapi.sh
 .PHONY: verify
 
-test-e2e:
-	$(warning FIXME: wire e2e tests here!)
+test-e2e: GO_TEST_PACKAGES :=./test/e2e/...
+test-e2e: GO_TEST_FLAGS += -v
+test-e2e: GO_TEST_FLAGS += -timeout 3h
+test-e2e: GO_TEST_FLAGS += -count 1
+test-e2e: GO_TEST_FLAGS += -p 1
+test-e2e: test-unit
 .PHONY: test-e2e
+

go.mod

@@ -10,20 +10,22 @@ require (
 	github.com/google/gofuzz v1.1.0
 	github.com/google/uuid v1.1.1
 	github.com/jteeuwen/go-bindata v3.0.8-0.20151023091102-a0ff2567cfb7+incompatible
-	github.com/openshift/api v0.0.0-20201019163320-c6a5ec25f267
+	github.com/openshift/api v0.0.0-20201120165435-072a4cd8ca42
 	github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab
-	github.com/openshift/client-go v0.0.0-20201020074620-f8fd44879f7c
+	github.com/openshift/client-go v0.0.0-20201120192246-6aaf557bace9
 	github.com/openshift/library-go v0.0.0-20201102091359-c4fa0f5b3a08
 	github.com/pkg/profile v1.4.0 // indirect
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5
+	github.com/stretchr/testify v1.4.0
 	k8s.io/api v0.19.2
 	k8s.io/apiextensions-apiserver v0.19.2
 	k8s.io/apimachinery v0.19.2
 	k8s.io/apiserver v0.19.2
 	k8s.io/client-go v0.19.2
 	k8s.io/code-generator v0.19.2
 	k8s.io/component-base v0.19.2
+	k8s.io/klog/v2 v2.3.0
 	k8s.io/kube-aggregator v0.19.2
 	k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6
 	k8s.io/kubernetes v1.19.2

go.sum

@@ -463,12 +463,15 @@ github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/
 github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
 github.com/opencontainers/selinux v1.5.2/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
-github.com/openshift/api v0.0.0-20201019163320-c6a5ec25f267 h1:d6qOoblJz8DjQ44PRT0hYt3qLqJ/Lnvipk1vXr0gpfo=
 github.com/openshift/api v0.0.0-20201019163320-c6a5ec25f267/go.mod h1:RDvBcRQMGLa3aNuDuejVBbTEQj/2i14NXdpOLqbNBvM=
+github.com/openshift/api v0.0.0-20201120165435-072a4cd8ca42 h1:meFswbseUxIkrfb2+g91gHbPwh+16Kj/8E1AiR1jv6A=
+github.com/openshift/api v0.0.0-20201120165435-072a4cd8ca42/go.mod h1:RDvBcRQMGLa3aNuDuejVBbTEQj/2i14NXdpOLqbNBvM=
 github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab h1:lBrojddP6C9C2p67EMs2vcdpC8eF+H0DDom+fgI2IF0=
 github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20201020074620-f8fd44879f7c h1:NB9g4Y/aegId7fyNqYyGxEfyNOytYFT5dxWJtfOJFQs=
 github.com/openshift/client-go v0.0.0-20201020074620-f8fd44879f7c/go.mod h1:yZ3u8vgWC19I9gbDMRk8//9JwG/0Sth6v7C+m6R8HXs=
+github.com/openshift/client-go v0.0.0-20201120192246-6aaf557bace9 h1:jqa3ZnPt/jDKvKrkgNJfyDBChB8Qw3A2aXUSIzrgCXk=
+github.com/openshift/client-go v0.0.0-20201120192246-6aaf557bace9/go.mod h1:Zwzg4+Ye3sD5Df2SMB/XVU42TenqXLBF8T7F/wi7lGo=
 github.com/openshift/kubernetes-apiserver v0.0.0-20201118100029-304f639eba13 h1:vl8/Ex1dQNoWOc+YrHTeBfuD1Ap1sBGkmSIDu8mDXxA=
 github.com/openshift/kubernetes-apiserver v0.0.0-20201118100029-304f639eba13/go.mod h1:FreAq0bJ2vtZFj9Ago/X0oNGC51GfubKK/ViOKfVAOA=
 github.com/openshift/kubernetes-client-go v0.0.0-20201104094117-806c7d66cfea h1:MY3sLcj2kfsjN36hEs0736bcyNFdUAOQLHXNL9u3+bc=
@@ -885,7 +888,6 @@ k8s.io/heapster v1.2.0-beta.1/go.mod h1:h1uhptVXMwC8xtZBYsPXKVi8fpdlYkTs6k949Koz
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.3.0 h1:WmkrnW7fdrm0/DMClc+HIxtftvxVIPAhlVwMQo5yLco=
 k8s.io/klog/v2 v2.3.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

hack/openapi-violation.list

@@ -95,6 +95,7 @@ API rule violation: list_type_missing,github.com/openshift/api/oauth/v1,OAuthCli
 API rule violation: list_type_missing,github.com/openshift/api/oauth/v1,OAuthClient,ScopeRestrictions
 API rule violation: list_type_missing,github.com/openshift/api/oauth/v1,OAuthClientAuthorization,Scopes
 API rule violation: list_type_missing,github.com/openshift/api/oauth/v1,ScopeRestriction,ExactValues
+API rule violation: list_type_missing,github.com/openshift/api/oauth/v1,UserOAuthAccessToken,Scopes
 API rule violation: list_type_missing,github.com/openshift/api/openshiftcontrolplane/v1,BuildDefaultsConfig,Env
 API rule violation: list_type_missing,github.com/openshift/api/openshiftcontrolplane/v1,BuildDefaultsConfig,ImageLabels
 API rule violation: list_type_missing,github.com/openshift/api/openshiftcontrolplane/v1,BuildOverridesConfig,ImageLabels
@@ -126,6 +127,8 @@ API rule violation: list_type_missing,github.com/openshift/api/osin/v1,RequestHe
 API rule violation: list_type_missing,github.com/openshift/api/osin/v1,RequestHeaderIdentityProvider,NameHeaders
 API rule violation: list_type_missing,github.com/openshift/api/osin/v1,RequestHeaderIdentityProvider,PreferredUsernameHeaders
 API rule violation: list_type_missing,github.com/openshift/api/osin/v1,SessionSecrets,Secrets
+API rule violation: list_type_missing,github.com/openshift/api/project/v1,ProjectSpec,Finalizers
+API rule violation: list_type_missing,github.com/openshift/api/project/v1,ProjectStatus,Conditions
 API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteIngress,Conditions
 API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteSpec,AlternateBackends
 API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteStatus,Ingress

pkg/oauth/apis/oauth/register.go

@@ -39,6 +39,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&OAuthClientAuthorization{},
 		&OAuthClientAuthorizationList{},
 		&OAuthRedirectReference{},
+		&UserOAuthAccessToken{},
+		&UserOAuthAccessTokenList{},
 	)
 	return nil
 }

pkg/oauth/apis/oauth/types.go

@@ -224,3 +224,16 @@ type RedirectReference struct {
 	Kind  string
 	Name  string
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type UserOAuthAccessToken OAuthAccessToken
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type UserOAuthAccessTokenList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []UserOAuthAccessToken
+}

pkg/oauth/apis/oauth/v1/conversion.go

@@ -16,6 +16,9 @@ func addFieldSelectorKeyConversions(scheme *runtime.Scheme) error {
 	if err := scheme.AddFieldLabelConversionFunc(v1.GroupVersion.WithKind("OAuthClientAuthorization"), oauthClientAuthorizationFieldSelectorKeyConversionFunc); err != nil {
 		return err
 	}
+	if err := scheme.AddFieldLabelConversionFunc(v1.GroupVersion.WithKind("UserOAuthAccessToken"), userOAuthClientAuthorizationFieldSelectorKeyConversionFunc); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -55,3 +58,12 @@ func oauthClientAuthorizationFieldSelectorKeyConversionFunc(label, value string)
 		return runtime.DefaultMetaV1FieldSelectorConversion(label, value)
 	}
 }
+
+func userOAuthClientAuthorizationFieldSelectorKeyConversionFunc(label, value string) (internalLabel, internalValue string, err error) {
+	switch label {
+	case "clientName":
+		return label, value, nil
+	default:
+		return runtime.DefaultMetaV1FieldSelectorConversion(label, value)
+	}
+}

pkg/oauth/apiserver/apiserver.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -13,13 +14,13 @@ import (
 	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
 	routeclient "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"
 	"github.com/openshift/library-go/pkg/oauth/oauthserviceaccountclient"
+
 	accesstokenetcd "github.com/openshift/oauth-apiserver/pkg/oauth/apiserver/registry/oauthaccesstoken/etcd"
 	authorizetokenetcd "github.com/openshift/oauth-apiserver/pkg/oauth/apiserver/registry/oauthauthorizetoken/etcd"
 	clientetcd "github.com/openshift/oauth-apiserver/pkg/oauth/apiserver/registry/oauthclient/etcd"
 	clientauthetcd "github.com/openshift/oauth-apiserver/pkg/oauth/apiserver/registry/oauthclientauthorization/etcd"
+	useroauthaccesstokensdelegate "github.com/openshift/oauth-apiserver/pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate"
 	"github.com/openshift/oauth-apiserver/pkg/serverscheme"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type ExtraConfig struct {
@@ -139,11 +140,16 @@ func (c *completedConfig) newV1RESTStorage() (map[string]rest.Storage, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error building REST storage: %v", err)
 	}
+	userOAuthAccessTokensDelegate, err := useroauthaccesstokensdelegate.NewREST(accessTokenStorage)
+	if err != nil {
+		return nil, fmt.Errorf("error building REST storage: %v", err)
+	}
 
 	v1Storage := map[string]rest.Storage{}
 	v1Storage["oAuthAuthorizeTokens"] = authorizeTokenStorage
 	v1Storage["oAuthAccessTokens"] = accessTokenStorage
 	v1Storage["oAuthClients"] = clientStorage
 	v1Storage["oAuthClientAuthorizations"] = clientAuthorizationStorage
+	v1Storage["userOAuthAccessTokens"] = userOAuthAccessTokensDelegate
 	return v1Storage, nil
 }