rh-che #541: Login to user project using oc CLI in workspace containers

openshift/rh-che.app.yaml

@@ -183,6 +183,11 @@ objects:
               configMapKeyRef:
                 key: che-openshift-precreate-subpaths
                 name: che
+          - name: CHE_KEYCLOAK_OSO_ENDPOINT
+            valueFrom:
+              configMapKeyRef:
+                key: keycloak-oso-endpoint
+                name: che
           - name: CHE_KEYCLOAK_GITHUB_ENDPOINT
             valueFrom:
               configMapKeyRef:

openshift/rh-che.config.yaml

@@ -22,6 +22,7 @@ data:
   workspaces-memory-limit: "2400Mi"
   workspaces-memory-request: "1100Mi"
   enable-workspaces-autostart: "false"
+  keycloak-oso-endpoint: "https://sso.openshift.io/auth/realms/fabric8/broker/openshift-v3/token"
   keycloak-github-endpoint: "https://auth.openshift.io/api/token?for=https://github.com"
   che-server-java-opts: "-XX:+UseParallelGC -XX:MinHeapFreeRatio=25 -XX:MaxHeapFreeRatio=40 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms50m -Xmx180m -Dfile.encoding=UTF8"
   che-workspaces-java-opts: "-XX:+UseG1GC -XX:+UseStringDeduplication -XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=40 -XX:MaxRAM=1200m -Xms256m"

plugins/fabric8-multi-tenant-manager/pom.xml

@@ -70,6 +70,10 @@
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-commons-inject</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.che.multiuser</groupId>
+            <artifactId>che-multiuser-keycloak-token-provider</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.che.plugin</groupId>
             <artifactId>che-plugin-docker-client</artifactId>

plugins/fabric8-multi-tenant-manager/src/main/java/com/redhat/che/multitenant/Fabric8WorkspaceEnvironmentProvider.java

@@ -10,36 +10,18 @@
  */
 package com.redhat.che.multitenant;
 
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
-import com.google.gson.JsonArray;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
-import com.redhat.che.multitenant.multicluster.MultiClusterOpenShiftProxy;
-import com.redhat.che.multitenant.toggle.CheServiceAccountTokenToggle;
 import io.fabric8.kubernetes.client.Config;
 import io.fabric8.kubernetes.client.ConfigBuilder;
-import java.io.IOException;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
-import javax.inject.Inject;
-import javax.inject.Named;
-import javax.inject.Singleton;
 import okhttp3.FormBody;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.RequestBody;
 import okhttp3.Response;
-import org.eclipse.che.api.core.BadRequestException;
-import org.eclipse.che.api.core.ConflictException;
-import org.eclipse.che.api.core.ForbiddenException;
-import org.eclipse.che.api.core.NotFoundException;
-import org.eclipse.che.api.core.ServerException;
-import org.eclipse.che.api.core.UnauthorizedException;
-import org.eclipse.che.api.core.rest.HttpJsonRequestFactory;
-import org.eclipse.che.api.core.rest.HttpJsonResponse;
+
+import com.google.gson.JsonParser;
+import com.redhat.che.multitenant.multicluster.MultiClusterOpenShiftProxy;
+import com.redhat.che.multitenant.toggle.CheServiceAccountTokenToggle;
+
 import org.eclipse.che.commons.annotation.Nullable;
 import org.eclipse.che.commons.env.EnvironmentContext;
 import org.eclipse.che.commons.subject.Subject;
@@ -48,49 +30,37 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+import java.io.IOException;
+
 @Singleton
 public class Fabric8WorkspaceEnvironmentProvider extends OpenshiftWorkspaceEnvironmentProvider {
 
   private static final Logger LOG =
       LoggerFactory.getLogger(Fabric8WorkspaceEnvironmentProvider.class);
 
-  private static final int CACHE_TIMEOUT_MINUTES = 10;
-  private static final int CONCURRENT_USERS = 500;
-
-  private MultiClusterOpenShiftProxy multiClusterOpenShiftProxy;
-  private CheServiceAccountTokenToggle cheServiceAccountTokenToggle;
-  private HttpJsonRequestFactory httpJsonRequestFactory;
-
-  private LoadingCache<String, UserCheTenantData> tenantDataCache;
-
-  private boolean fabric8CheMultitenant;
-
-  private String fabric8UserServiceEndpoint;
+  private final MultiClusterOpenShiftProxy   multiClusterOpenShiftProxy;
+  private final CheServiceAccountTokenToggle cheServiceAccountTokenToggle;
+  private final TenantDataProvider           tenantDataProvider;
+  private final boolean                      fabric8CheMultitenant;
 
   private String cheToken;
 
   @Inject
   public Fabric8WorkspaceEnvironmentProvider(
-      @Named("che.openshift.project") String openShiftCheProjectName,
-      @Named("che.fabric8.multitenant") boolean fabric8CheMultitenant,
-      @Named("che.fabric8.user_service.endpoint") String fabric8UserServiceEndpoint,
-      MultiClusterOpenShiftProxy multiClusterOpenShiftProxy,
-      CheServiceAccountTokenToggle cheServiceAccountTokenToggle,
-      HttpJsonRequestFactory httpJsonRequestFactory) {
+          @Named("che.openshift.project") String openShiftCheProjectName,
+          @Named("che.fabric8.multitenant") boolean fabric8CheMultitenant,
+          MultiClusterOpenShiftProxy multiClusterOpenShiftProxy,
+          CheServiceAccountTokenToggle cheServiceAccountTokenToggle,
+          TenantDataProvider tenantDataProvider) {
     super(openShiftCheProjectName);
+    this.tenantDataProvider = tenantDataProvider;
     LOG.info("fabric8CheMultitenant = {}", fabric8CheMultitenant);
-    LOG.info("fabric8UserServiceEndpoint = {}", fabric8UserServiceEndpoint);
     this.fabric8CheMultitenant = fabric8CheMultitenant;
-    this.fabric8UserServiceEndpoint = fabric8UserServiceEndpoint;
     this.multiClusterOpenShiftProxy = multiClusterOpenShiftProxy;
     this.cheServiceAccountTokenToggle = cheServiceAccountTokenToggle;
-    this.httpJsonRequestFactory = httpJsonRequestFactory;
-
-    this.tenantDataCache =
-        CacheBuilder.newBuilder()
-            .maximumSize(CONCURRENT_USERS)
-            .expireAfterWrite(CACHE_TIMEOUT_MINUTES, TimeUnit.MINUTES)
-            .build(CacheLoader.from(this::loadUserCheTenantData));
   }
 
   @Inject
@@ -151,12 +121,7 @@ public Config getWorkspacesOpenshiftConfig(Subject subject) throws OpenShiftExce
 
     checkSubject(subject);
 
-    UserCheTenantData cheTenantData;
-    cheTenantData = getUserCheTenantData(subject);
-    if (cheTenantData == null) {
-      throw new OpenShiftException(
-          "User tenant data not found for user: " + getUserDescription(subject));
-    }
+    UserCheTenantData cheTenantData = getUserCheTenantData(subject);
 
     String osoProxyUrl = multiClusterOpenShiftProxy.getUrl();
     LOG.info("OSO proxy URL - {}", osoProxyUrl);
@@ -176,86 +141,10 @@ public Config getWorkspacesOpenshiftConfig(Subject subject) throws OpenShiftExce
         .build();
   }
 
-  private String getUserDescription(Subject subject) {
-    return subject.getUserName() + "(" + subject.getUserId() + ")";
-  }
-
-  private UserCheTenantData loadUserCheTenantData(String keycloakToken) {
-    LOG.info("Retrieving user Che tenant data");
-
-    String responseBody;
-    try {
-      responseBody = getResponseBody(fabric8UserServiceEndpoint, keycloakToken);
-    } catch (ServerException
-        | UnauthorizedException
-        | ForbiddenException
-        | NotFoundException
-        | ConflictException
-        | BadRequestException
-        | IOException e) {
-      throw new RuntimeException("Exception during the user tenant data retrieval", e);
-    }
-    try {
-      final JsonArray namespaces =
-          new JsonParser()
-              .parse(responseBody)
-              .getAsJsonObject()
-              .get("data")
-              .getAsJsonObject()
-              .get("attributes")
-              .getAsJsonObject()
-              .get("namespaces")
-              .getAsJsonArray();
-      for (JsonElement e : namespaces) {
-        JsonObject namespace = e.getAsJsonObject();
-        if ("che".equals(namespace.get("type").getAsString())) {
-          String name = namespace.get("name").getAsString();
-          String suffix = namespace.get("cluster-app-domain").getAsString();
-          String osoProxyUrl = multiClusterOpenShiftProxy.getUrl();
-
-          UserCheTenantData cheTenantData = new UserCheTenantData(name, osoProxyUrl, suffix);
-          UserCheTenantDataValidator.validate(cheTenantData);
-          LOG.info("cheTenantData = {}", cheTenantData);
-          return cheTenantData;
-        }
-      }
-    } catch (NullPointerException | IllegalStateException e) {
-      throw new RuntimeException("Invalid response from Fabric8 user services:" + responseBody, e);
-    }
-    throw new RuntimeException("No che namespace was found in the user tenant");
-  }
-
-  public UserCheTenantData getUserCheTenantData(Subject subject) throws OpenShiftException {
-    checkSubject(subject);
-
-    String keycloakToken = subject.getToken();
-    if (keycloakToken == null) {
-      throw new OpenShiftException("User tenant data is needed but there is no current user");
-    }
-    try {
-      return tenantDataCache.get(keycloakToken);
-    } catch (ExecutionException e) {
-      throw new OpenShiftException(
-          "Exception during the user tenant data retrieval or parsing", e.getCause());
-    }
-  }
-
   public UserCheTenantData getUserCheTenantData() throws OpenShiftException {
     return getUserCheTenantData(EnvironmentContext.getCurrent().getSubject());
   }
 
-  private String getResponseBody(final String endpoint, final String keycloakToken)
-      throws ServerException, UnauthorizedException, ForbiddenException, NotFoundException,
-          ConflictException, BadRequestException, IOException {
-    HttpJsonResponse response =
-        httpJsonRequestFactory
-            .fromUrl(endpoint)
-            .setMethod("GET")
-            .setAuthorizationHeader("Bearer " + keycloakToken)
-            .request();
-    return response.asString();
-  }
-
   @Override
   public String getWorkspacesOpenshiftNamespace(Subject subject) throws OpenShiftException {
     if (!fabric8CheMultitenant) {
@@ -264,16 +153,17 @@ public String getWorkspacesOpenshiftNamespace(Subject subject) throws OpenShiftE
 
     checkSubject(subject);
 
-    UserCheTenantData cheTenantData = getUserCheTenantData(subject);
-    if (cheTenantData == null) {
-      throw new OpenShiftException(
-          "User tenant data not found for user: " + getUserDescription(subject));
-    }
-    return cheTenantData.getNamespace();
+    return getUserCheTenantData(subject).getNamespace();
   }
 
   @Override
   public Boolean areWorkspacesExternal() {
     return fabric8CheMultitenant;
   }
+
+  private UserCheTenantData getUserCheTenantData(Subject subject) throws OpenShiftException {
+    UserCheTenantData tenantData = tenantDataProvider.getUserCheTenantData(subject, "che");
+    return new UserCheTenantData(tenantData.getNamespace(), multiClusterOpenShiftProxy.getUrl(),
+                                 tenantData.getRouteBaseSuffix());
+  }
 }

plugins/fabric8-multi-tenant-manager/src/main/java/com/redhat/che/multitenant/OpenshiftUserTokenProvider.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2012-2017 Red Hat, Inc.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package com.redhat.che.multitenant;
+
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+
+import org.eclipse.che.api.core.BadRequestException;
+import org.eclipse.che.api.core.ConflictException;
+import org.eclipse.che.api.core.ForbiddenException;
+import org.eclipse.che.api.core.NotFoundException;
+import org.eclipse.che.api.core.ServerException;
+import org.eclipse.che.api.core.UnauthorizedException;
+import org.eclipse.che.commons.annotation.Nullable;
+import org.eclipse.che.commons.subject.Subject;
+import org.eclipse.che.multiuser.keycloak.token.provider.service.KeycloakTokenProvider;
+import org.eclipse.che.plugin.openshift.client.exception.OpenShiftException;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Retrieves Openshift user token by keycloak token from {@link Subject}.
+ *
+ * @author Oleksandr Garagatyi
+ */
+@Singleton
+public class OpenshiftUserTokenProvider {
+    private static final int CACHE_TIMEOUT_MINUTES = 10;
+    private static final int CONCURRENT_USERS      = 500;
+
+    private KeycloakTokenProvider        keycloakTokenProvider;
+    private LoadingCache<String, String> tokenCache;
+
+    @Inject
+    public OpenshiftUserTokenProvider(KeycloakTokenProvider keycloakTokenProvider) {
+        this.keycloakTokenProvider = keycloakTokenProvider;
+        this.tokenCache =
+                CacheBuilder.newBuilder()
+                            .maximumSize(CONCURRENT_USERS)
+                            .expireAfterWrite(CACHE_TIMEOUT_MINUTES, TimeUnit.MINUTES)
+                            .build(CacheLoader.from(this::loadOpenShiftTokenForUser));
+    }
+
+    /**
+     * Returns Openshift token corresponding to a keycloak token retrieved from provided {@link Subject}
+     *
+     * @param subject
+     *         subject with user's keycloak token
+     * @return Openshift user token
+     * @throws OpenShiftException
+     *         when there is no keycloak token in subject or OSO token retrieval failed
+     */
+    public String getToken(Subject subject) throws OpenShiftException {
+        checkSubject(subject);
+
+        String keycloakToken = subject.getToken();
+        if (keycloakToken == null) {
+            throw new OpenShiftException(
+                    "User Openshift token is needed but cannot be retrieved since there is no Keycloak token for user: "
+                    + getUserDescription(subject));
+        }
+        try {
+            return tokenCache.get(keycloakToken);
+        } catch (ExecutionException e) {
+            throw new OpenShiftException(
+                    "Could not retrieve OSO token from Keycloak token for user: "
+                    + getUserDescription(subject),
+                    e.getCause());
+        }
+    }
+
+    private void checkSubject(Subject subject) throws OpenShiftException {
+        if (subject == null) {
+            throw new OpenShiftException("No Subject is found to perform this action");
+        }
+        if (subject == Subject.ANONYMOUS) {
+            throw new OpenShiftException(
+                    "The anonymous subject is used, and won't be able to perform this action");
+        }
+    }
+
+    private String getUserDescription(Subject subject) {
+        return subject.getUserName() + "(" + subject.getUserId() + ")";
+    }
+
+    @Nullable
+    private String loadOpenShiftTokenForUser(String keycloakToken) {
+        try {
+            return keycloakTokenProvider.obtainOsoToken("Bearer " + keycloakToken);
+        } catch (ServerException
+                | UnauthorizedException
+                | ForbiddenException
+                | NotFoundException
+                | ConflictException
+                | BadRequestException
+                | IOException e) {
+            throw new RuntimeException("Could not retrieve OSO token from Keycloak token", e);
+        }
+    }
+}