Add securityDefinitions to the generated OpenAPI spec #14745
Conversation
| } | ||
| } | ||
| if configapi.UseTLS(config.ServingInfo.ServingInfo) { | ||
| // TODO: How is this represented ? |
There was a problem hiding this comment.
So based on http://swagger.io/specification/#securityDefinitionsObject I would have to say there is no way to assert our use of x509 😞
There was a problem hiding this comment.
Not supported indeed:
OAI/OpenAPI-Specification#1004
| @@ -642,7 +642,22 @@ func BuildKubernetesMasterConfig( | |||
| return kmaster, nil | |||
| } | |||
|
|
|||
| func DefaultOpenAPIConfig() *openapicommon.Config { | |||
| func DefaultOpenAPIConfig(config configapi.MasterConfig) *openapicommon.Config { | |||
| securityDefinitions := spec.SecurityDefinitions{} | |||
There was a problem hiding this comment.
Based on http://swagger.io/specification/#securityDefinitionsObject we should include OAuth2 info here using logic similar to https://github.com/openshift/origin/blob/master/pkg/cmd/server/origin/nonapiserver.go#L91-L93
There was a problem hiding this comment.
I am not sure where to source the right info, for example about flow type and scopes, and no other code in the origin repo uses the oauth2 type yet, it seem any outh based on any kind of token is defined just as an apikey bearer token...
| SecuritySchemeProps: spec.SecuritySchemeProps{ | ||
| Type: "oauth2", | ||
| Flow: "accessCode", | ||
| AuthorizationURL: config.OAuthConfig.MasterURL + "/oauth/authorize", |
There was a problem hiding this comment.
Not sure I want to use config.OAuthConfig.MasterURL here because then it is easy for generated code to not line up between local env and Jenkins.
There was a problem hiding this comment.
what should we use ?
Initially I have MasterPublicURL, but it seems you object to use these variables completely ?
There was a problem hiding this comment.
Something like this would work (hopefully there is not an import cycle):
...
AuthorizationURL: OpenShiftOAuthAuthorizeURL("https://localhost:8443"),
TokenURL: OpenShiftOAuthTokenURL("https://localhost:8443"),
...There was a problem hiding this comment.
Actually I thought about this some more and we should be able to use the variables. We just need to make sure that the Swagger generation script always starts a server on localhost.
There was a problem hiding this comment.
Why the script should start a server ?
There was a problem hiding this comment.
We end up in an import cycle if I try to import pkg/cmd/server/origin in order to access auth.OpenShiftOAuthAuthorizeURL ...
There was a problem hiding this comment.
Why the script should start a server ?
hack/update-generated-swagger-spec.sh must build the swagger spec from a running server (there is no other way to get its final runtime state). The script already uses 127.0.0.1 so you are good to use the variables.
| @@ -654,6 +654,16 @@ func DefaultOpenAPIConfig(config configapi.MasterConfig) *openapicommon.Config { | |||
| }, | |||
| } | |||
| } | |||
| if config.OAuthConfig != nil { | |||
| securityDefinitions["Oauth2AccessToken"] = &spec.SecurityScheme{ | |||
There was a problem hiding this comment.
I would expect to see all flows from #10845 (comment):
root@test:/# curl -k https://openshift.default.svc/.well-known/oauth-authorization-server
{
"issuer": "https://10.13.129.56:8443",
"authorization_endpoint": "https://10.13.129.56:8443/oauth/authorize",
"token_endpoint": "https://10.13.129.56:8443/oauth/token",
"scopes_supported": [
"user:full",
"user:info",
"user:check-access",
"user:list-scoped-projects",
"user:list-projects"
],
"response_types_supported": [
"code",
"token"
],
"grant_types_supported": [
"authorization_code",
"implicit"
],
"code_challenge_methods_supported": [
"plain",
"S256"
]
}
There was a problem hiding this comment.
I do not see any flows defined in that PR ?
There was a problem hiding this comment.
implicit and accessCode (each with the scopes and URLs).
pkg/cmd/util/oauth.go
Outdated
| @@ -0,0 +1,22 @@ | |||
| package util | |||
There was a problem hiding this comment.
Move to pkg/oauth/util/util.go or maybe combine with pkg/oauth/discovery/discovery.go.
| } | ||
| if configapi.UseTLS(config.ServingInfo.ServingInfo) { | ||
| // No support in Swagger's OpenAPI sepc v.2 ¯\_(ツ)_/¯ | ||
| // TODO: Add x509 specification once available |
There was a problem hiding this comment.
We should have a separate GitHub issue to track this.
There was a problem hiding this comment.
@simo5 tag the issue you opened here.
| @@ -135,6 +135,16 @@ const ( | |||
| UserFull = UserIndicator + "full" | |||
| ) | |||
|
|
|||
| func DefaultSupportedScopes() []string { | |||
| return []string{ | |||
There was a problem hiding this comment.
Make this list a private var and have this function return it (convention we use everywhere).
| for _, s := range scope.DefaultSupportedScopes() { | ||
| defScopes[s] = "" | ||
| } | ||
| securityDefinitions["Oauth2Immediate"] = &spec.SecurityScheme{ |
There was a problem hiding this comment.
Where did Immediate come from?
There was a problem hiding this comment.
Word salads from my brain
| UserFull: `Full read/write access with all of your permissions`, | ||
| } | ||
|
|
||
| func DefaultSupportedScopes() []string { |
There was a problem hiding this comment.
We need this to have a consistent order so use return sets.StringKeySet(defaultSupportedScopesMap).List() (you can store this as a variable if you want to).
sets = "k8s.io/apimachinery/pkg/util/sets"
| @@ -154,15 +176,15 @@ func (userEvaluator) Validate(scope string) error { | |||
| func (userEvaluator) Describe(scope string) (string, string, error) { | |||
| switch scope { | |||
| case UserInfo: | |||
| return "Read-only access to your user information (including username, identities, and group membership)", "", nil | |||
| return defaultSupportedScopesMap[UserInfo], "", nil | |||
There was a problem hiding this comment.
Collapse the first four cases since they are the same and use defaultSupportedScopesMap[scope] for all cases.
There was a problem hiding this comment.
pushed a commit for this
pkg/oauth/discovery/discovery.go
Outdated
| scope.UserListAllProjects, | ||
| }, | ||
| // Note: this list is incomplete, which is allowed per the draft spec | ||
| ScopesSupported: scope.DefaultSupportedScopes(), |
There was a problem hiding this comment.
You will have to update the unit test if the order of the scopes changes.
| } | ||
| } | ||
| }, | ||
| "security": [ |
There was a problem hiding this comment.
I am curious what this is trying to convey...
|
combined pkg/oauth/util/util.go and pkg/oauth/discovery/discovery.go under a new pkg/oauth/util including a url.go and a discovery.go files |
| @@ -154,15 +177,15 @@ func (userEvaluator) Validate(scope string) error { | |||
| func (userEvaluator) Describe(scope string) (string, string, error) { | |||
| switch scope { | |||
| case UserInfo: | |||
| return "Read-only access to your user information (including username, identities, and group membership)", "", nil | |||
| fallthrough | |||
There was a problem hiding this comment.
case UserFull, UserAccessCheck, ...: (no fallthrough please)
| return sets.StringKeySet(defaultSupportedScopesMap).List() | ||
| // scopes := make([]string, len(defaultSupportedScopesMap)) | ||
| // i := 0 | ||
| // for k := range defaultSupportedScopesMap { |
pkg/oauth/util/discovery.go
Outdated
| @@ -38,19 +38,14 @@ type OauthAuthorizationServerMetadata struct { | |||
| CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` | |||
| } | |||
|
|
|||
| func Get(masterPublicURL, authorizeURL, tokenURL string) OauthAuthorizationServerMetadata { | |||
| func GetOauthMetadata(masterPublicURL, authorizeURL, tokenURL string) OauthAuthorizationServerMetadata { | |||
There was a problem hiding this comment.
Change to just take masterPublicURL and use the helpers inside.
| @@ -11,7 +11,7 @@ import ( | |||
|
|
|||
| "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" | |||
| "github.com/openshift/origin/pkg/cmd/util/plug" | |||
| "github.com/openshift/origin/pkg/oauth/discovery" | |||
| "github.com/openshift/origin/pkg/oauth/util" | |||
There was a problem hiding this comment.
Call it oauthutil like the rest of the imports.
simo5
force-pushed
the
issue/14268
branch
2 times, most recently
from
4260fd6
to
266ab70
Compare
|
With this latest push/rebase I thikn I have addressed all the concerns. |
|
[test] |
pkg/oauth/util/discovery_test.go
Outdated
| @@ -8,7 +8,7 @@ import ( | |||
| ) | |||
|
|
|||
| func TestGet(t *testing.T) { | |||
| actual := Get("https://localhost:8443", "https://localhost:8443/oauth/authorize", "https://localhost:8443/oauth/token") | |||
| actual := GetOauthMetadata("https://localhost:8443") | |||
There was a problem hiding this comment.
Capitalize the A in OAuth: GetOauthMetadata -> GetOAuthMetadata (sorry I missed this earlier)
There was a problem hiding this comment.
nvm, this is consistent with the containing file and the whole code base is really inconsistent on this anyway.
enj
changed the title
|
@simo5 please fix the failing test: |
|
cc @liggitt in case you want to take a look as well. |
simo5
force-pushed
the
issue/14268
branch
2 times, most recently
from
dc07994
to
8a01a78
Compare
|
@caseyfw are you able to test this? cc @openshift/security |
|
@simo5 master is open again so I can tag this if you fix the conflicts. |
openshift-bot
added
the
needs-rebase
|
Rebased |
openshift-bot
added
needs-rebase
enj
removed
the
needs-rebase
|
@simo5 you will have to rebase on top of master again and then regenerate again since the spec changed for other reasons. |
Also add helper function to return scope:description map used in a later commit Signed-off-by: Simo Sorce <simo@redhat.com>
In preparation of future patches where we need to access these helpers without causing an import cycle Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|
Rebased once again, let's hope this time it will stick |
|
FWIW: for some reason I had to git clean -f -x -d -f and then make again, only then the swagger update script generated some changes ... |
|
Evaluated for origin test up to b088faa |
|
[merge] failures are unrelated flakes. @simo5 please tag the flakes so we can track them. |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2746/) (Base Commit: 6bbad88) (PR Branch Commit: b088faa) |
|
flaked on #14878 |
|
flaked on #14043 |
|
merge flaked on #14897 |
|
re[merge] flaked on #14897 |
|
Evaluated for origin merge up to b088faa |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/1189/) (Base Commit: 7004e83) (PR Branch Commit: b088faa) (Image: devenv-rhel7_6416) |
|
@simo5 congrats \o/ |
| @@ -27,6 +27,7 @@ import ( | |||
| configapi "github.com/openshift/origin/pkg/cmd/server/api" | |||
| "github.com/openshift/origin/pkg/cmd/server/crypto" | |||
| cmdutil "github.com/openshift/origin/pkg/cmd/util" | |||
| oauthutil "github.com/openshift/origin/pkg/oauth/util" | |||
There was a problem hiding this comment.
This package dependency was previously excluded intentionally. The asset server should not depend on the oauth package at all. The two are logically independent.
|
FYI @simo5 we just merged |
|
@mrogers950 or @enj can you take a look ? |
Fixes #14268