feat: support password grant

tkestack · yadzhang · Apr 10, 2020 · Apr 10, 2020 · Apr 10, 2020 · bdc7beeb9d7c76f87c0454bdd4cbc88aa6058aed
commit bdc7beeb9d7c76f87c0454bdd4cbc88aa6058aed
@@ -155,7 +155,7 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  }
  setupAuthorization(genericAPIServerConfig, aggregateAuthz)
 
- dexConfig, err := setupDexConfig(opts.ETCD, authClient, opts.Auth.AssetsPath, opts.Auth.IDTokenTimeout, opts.Generic.ExternalHost, opts.Generic.ExternalPort)
+ dexConfig, err := setupDexConfig(opts.ETCD, authClient, opts.Auth.AssetsPath, opts.Auth.IDTokenTimeout, opts.Generic.ExternalHost, opts.Generic.ExternalPort, opts.Auth.PasswordGrantConnID)
  if err != nil {
  return nil, err
  }
@@ -236,7 +236,7 @@ func setupAuthorization(genericAPIServerConfig *genericapiserver.Config, authori
  genericAPIServerConfig.Authorization.Authorizer = authorizer
 }
 
-func setupDexConfig(etcdOpts *storageoptions.ETCDStorageOptions, authClient authinternalclient.AuthInterface, templatePath string, tokenTimeout time.Duration, host string, port int) (*dexserver.Config, error) {
+func setupDexConfig(etcdOpts *storageoptions.ETCDStorageOptions, authClient authinternalclient.AuthInterface, templatePath string, tokenTimeout time.Duration, host string, port int, passwordConnID string) (*dexserver.Config, error) {
  logger := dex.NewLogger(log.ZapLogger())
  issuer := issuer(host, port)
  namespace := etcdOpts.Prefix
@@ -272,6 +272,7 @@ func setupDexConfig(etcdOpts *storageoptions.ETCDStorageOptions, authClient auth
  SkipApprovalScreen: true,
 
  PrometheusRegistry: prometheus.NewRegistry(),
+ PasswordConnector: passwordConnID,
  }
 
  return &dexConfig, nil

@@ -39,6 +39,7 @@ const (
  flagAuthInitClientID = "init-client-id"
  flagAuthInitClientSecret = "init-client-secret"
  flagAuthInitClientRedirectUris = "init-client-redirect-uris"
+ flagAuthPasswordGrantConnID = "password-grant-conn-id"
 )
 
 const (
@@ -51,6 +52,7 @@ const (
  configAuthInitClientID = "auth.init_client_id"
  configAuthInitClientSecret = "auth.init_client_secret"
  configAuthInitClientRedirectUris = "auth.init_client_redirect_uris"
+ configAuthPasswordGrantConnID = "auth.password_grant_conn_id"
 )
 
 // AuthOptions contains configuration items related to auth attributes.
@@ -64,6 +66,7 @@ type AuthOptions struct {
  InitClientID string
  InitClientSecret string
  InitClientRedirectUris []string
+ PasswordGrantConnID string
 }
 
 // NewAuthOptions creates a AuthOptions object with default parameters.
@@ -113,6 +116,10 @@ func (o *AuthOptions) AddFlags(fs *pflag.FlagSet) {
  fs.StringSlice(flagAuthInitClientRedirectUris, o.InitClientRedirectUris,
  "Default client redirect uris will be created when started.")
  _ = viper.BindPFlag(configAuthInitClientRedirectUris, fs.Lookup(flagAuthInitClientRedirectUris))
+
+ fs.String(flagAuthPasswordGrantConnID, o.PasswordGrantConnID,
+ "Default connector that can be used for password grant.")
+ _ = viper.BindPFlag(configAuthPasswordGrantConnID, fs.Lookup(flagAuthPasswordGrantConnID))
 }
 
 // ApplyFlags parsing parameters from the command line or configuration file
@@ -147,5 +154,9 @@ func (o *AuthOptions) ApplyFlags() []error {
  }
  o.InitClientRedirectUris = viper.GetStringSlice(configAuthInitClientRedirectUris)
 
+ if len(o.PasswordGrantConnID) == 0 {
+ o.PasswordGrantConnID = o.InitTenantID
+ }
+
  return errs
 }
@@ -23,7 +23,7 @@ require (
  github.com/coreos/go-oidc v2.2.1+incompatible
  github.com/coreos/prometheus-operator v0.34.0
  github.com/deislabs/oras v0.8.0 // indirect
- github.com/dexidp/dex v0.0.0-20200319150056-3693b74791f4
+ github.com/dexidp/dex v0.0.0-20200408064242-83d8853fd969
  github.com/dgrijalva/jwt-go v3.2.0+incompatible
  github.com/docker/distribution v2.7.1+incompatible
  github.com/docker/go-metrics v0.0.1 // indirect

@@ -228,6 +228,8 @@ github.com/dexidp/dex v0.0.0-20200303100508-d820fd45d80c h1:rwimutyvV0/97FXbBtkO
 github.com/dexidp/dex v0.0.0-20200303100508-d820fd45d80c/go.mod h1:7ic4FXokPpBxUHngMrp5MZQv4j6ixPoqF+1zC6QRlhw=
 github.com/dexidp/dex v0.0.0-20200319150056-3693b74791f4 h1:f5pMr7VGOyj3tkMV7ryl96KFWVGSns/mDezZCVVkmXk=
 github.com/dexidp/dex v0.0.0-20200319150056-3693b74791f4/go.mod h1:7ic4FXokPpBxUHngMrp5MZQv4j6ixPoqF+1zC6QRlhw=
+github.com/dexidp/dex v0.0.0-20200408064242-83d8853fd969 h1:drMoVJ6/vWbEq9Ldxps8T9hvSqo1Nab6+Rx0Xv7ei0E=
+github.com/dexidp/dex v0.0.0-20200408064242-83d8853fd969/go.mod h1:7ic4FXokPpBxUHngMrp5MZQv4j6ixPoqF+1zC6QRlhw=
 github.com/dexidp/dex v2.13.0+incompatible h1:EQPpzCi51omkwBe0KYpRGaV3rk6CVvjcqeMGCe3Q00w=
 github.com/dexidp/dex v2.13.0+incompatible/go.mod h1:cRGkPWqKhDD1FMCICe2JbYDdVR2xGLa38F6iuH/jNAs=
 github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=

@@ -46,6 +46,15 @@ func registerTokenRoute(container *restful.Container, oauthConfig *oauth2.Config
  ws := new(restful.WebService)
  ws.Path(fmt.Sprintf("/apis/%s/%s/tokens", GroupName, Version))
 
+ ws.Route(ws.
+ POST("/").
+ Doc("generate token by username and password").
+ Operation("createPasswordToken").
+ Produces(restful.MIME_JSON).
+ Returns(http.StatusCreated, "Created", v1.Status{}).
+ Returns(http.StatusInternalServerError, "InternalError", v1.Status{}).
+ Returns(http.StatusUnauthorized, "Unauthorized", v1.Status{}).
+ To(handleTokenGenerateFunc(oauthConfig, oidcHTTPClient)))
  ws.Route(ws.
  GET("info").
  Doc("obtain the user information corresponding to the token").
@@ -78,6 +87,33 @@ func registerTokenRoute(container *restful.Container, oauthConfig *oauth2.Config
  container.Add(ws)
 }
 
+func handleTokenGenerateFunc(oauthConfig *oauth2.Config, httpClient *http.Client) func(*restful.Request, *restful.Response) {
+ return func(request *restful.Request, response *restful.Response) {
+ username, password, err := retrievePassword(request.Request)
+ if err != nil {
+ responsewriters.WriteRawJSON(http.StatusUnauthorized, errors.NewUnauthorized(err.Error()), response.ResponseWriter)
+ return
+ }
+
+ ctx := gooidc.ClientContext(context.Background(), httpClient)
+ t, err := oauthConfig.PasswordCredentialsToken(ctx, username, password)
+ if err != nil {
+ responsewriters.WriteRawJSON(http.StatusUnauthorized, errors.NewUnauthorized(err.Error()), response.ResponseWriter)
+ return
+ }
+
+ if err := token.ResponseToken(t, response.ResponseWriter); err != nil {
+ responsewriters.WriteRawJSON(http.StatusInternalServerError, errors.NewInternalError(err), response.ResponseWriter)
+ return
+ }
+
+ responsewriters.WriteRawJSON(http.StatusCreated, v1.Status{
+ Status: v1.StatusSuccess,
+ Code: http.StatusCreated,
+ }, response.ResponseWriter)
+ }
+}
+
 func handleTokenInfo(oidcAuthenticator *oidc.Authenticator) func(*restful.Request, *restful.Response) {
  return func(request *restful.Request, response *restful.Response) {
  t, err := token.RetrieveToken(request.Request)