Merge pull request #1287 from nilsanderselde/govcloud-continued-2
govcloud enablement, continued
a998cf66a5
|
@ -141,7 +141,7 @@ func portal(ctx context.Context, log *logrus.Entry) error {
|
|||
}
|
||||
|
||||
clientID := os.Getenv("AZURE_PORTAL_CLIENT_ID")
|
||||
verifier, err := middleware.NewVerifier(ctx, _env.TenantID(), clientID)
|
||||
verifier, err := middleware.NewVerifier(ctx, _env, clientID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -39,6 +39,7 @@ type Deployer interface {
|
|||
|
||||
type deployer struct {
|
||||
log *logrus.Entry
|
||||
env env.Core
|
||||
|
||||
globaldeployments features.DeploymentsClient
|
||||
globalgroups features.ResourceGroupsClient
|
||||
|
@ -81,6 +82,7 @@ func New(ctx context.Context, log *logrus.Entry, env env.Core, config *RPConfig,
|
|||
|
||||
return &deployer{
|
||||
log: log,
|
||||
env: env,
|
||||
|
||||
globaldeployments: features.NewDeploymentsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer),
|
||||
globalgroups: features.NewResourceGroupsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer),
|
||||
|
|
|
@ -12,7 +12,6 @@ import (
|
|||
mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
|
||||
mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage"
|
||||
azstorage "github.com/Azure/azure-sdk-for-go/storage"
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/Azure/go-autorest/autorest/date"
|
||||
"github.com/Azure/go-autorest/autorest/to"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
|
@ -132,7 +131,7 @@ func (d *deployer) saveRPVersion(ctx context.Context) error {
|
|||
}
|
||||
|
||||
blobClient := azstorage.NewAccountSASClient(
|
||||
*d.config.Configuration.RPVersionStorageAccountName, v, azure.PublicCloud).GetBlobService()
|
||||
*d.config.Configuration.RPVersionStorageAccountName, v, *d.env.Environment()).GetBlobService()
|
||||
|
||||
containerRef := blobClient.GetContainerReference("rpversion")
|
||||
|
||||
|
|
|
@ -131,7 +131,7 @@ func newProd(ctx context.Context, log *logrus.Entry) (*prod, error) {
|
|||
}
|
||||
p.acrDomain = acrResource.ResourceName + "." + p.Environment().ContainerRegistryDNSSuffix
|
||||
} else {
|
||||
p.acrDomain = "arointsvc" + "." + p.Environment().ContainerRegistryDNSSuffix
|
||||
p.acrDomain = "arointsvc" + "." + azure.PublicCloud.ContainerRegistryDNSSuffix // TODO: make cloud aware once this is set up for US Gov Cloud
|
||||
}
|
||||
|
||||
return p, nil
|
||||
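Review bot: The fallback branch in newProd still builds `p.acrDomain` from `azure.PublicCloud.ContainerRegistryDNSSuffix` while the sibling branch is cloud-aware via `p.Environment()`, so in a non-public cloud this path would silently point image pulls at a public-cloud registry domain, and the enclosing `if` starts outside the hunk so I cannot tell whether that branch is reachable there. If it is only meant for the public cloud, fail loudly instead of relying on the TODO: `if p.Environment().Name != azure.PublicCloud.Name { return nil, fmt.Errorf("arointsvc fallback is only defined for %s", azure.PublicCloud.Name) }`. At minimum the TODO should say which condition selects this branch and why the public-cloud suffix is the intended value there.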
|
|
|
@ -15,7 +15,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/Azure/go-autorest/autorest/adal"
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/coreos/go-oidc"
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/gorilla/sessions"
|
||||
|
@ -24,6 +23,7 @@ import (
|
|||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/microsoft"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/env"
|
||||
"github.com/Azure/ARO-RP/pkg/util/deployment"
|
||||
"github.com/Azure/ARO-RP/pkg/util/roundtripper"
|
||||
)
|
||||
|
@ -69,8 +69,8 @@ type oidctoken interface {
|
|||
Claims(interface{}) error
|
||||
}
|
||||
|
||||
func NewVerifier(ctx context.Context, tenantID, clientID string) (Verifier, error) {
|
||||
provider, err := oidc.NewProvider(ctx, "https://login.microsoftonline.com/"+tenantID+"/v2.0")
|
||||
func NewVerifier(ctx context.Context, env env.Core, clientID string) (Verifier, error) {
|
||||
provider, err := oidc.NewProvider(ctx, env.Environment().ActiveDirectoryEndpoint+env.TenantID()+"/v2.0")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -90,6 +90,7 @@ type claims struct {
|
|||
type aad struct {
|
||||
deploymentMode deployment.Mode
|
||||
log *logrus.Entry
|
||||
env env.Core
|
||||
now func() time.Time
|
||||
rt http.RoundTripper
|
||||
|
||||
|
@ -106,12 +107,11 @@ type aad struct {
|
|||
sessionTimeout time.Duration
|
||||
}
|
||||
|
||||
func NewAAD(deploymentMode deployment.Mode,
|
||||
log *logrus.Entry,
|
||||
func NewAAD(log *logrus.Entry,
|
||||
env env.Core,
|
||||
baseAccessLog *logrus.Entry,
|
||||
hostname string,
|
||||
sessionKey []byte,
|
||||
tenantID string,
|
||||
clientID string,
|
||||
clientKey *rsa.PrivateKey,
|
||||
clientCerts []*x509.Certificate,
|
||||
|
@ -123,19 +123,20 @@ func NewAAD(deploymentMode deployment.Mode,
|
|||
}
|
||||
|
||||
a := &aad{
|
||||
deploymentMode: deploymentMode,
|
||||
deploymentMode: env.DeploymentMode(),
|
||||
log: log,
|
||||
env: env,
|
||||
now: time.Now,
|
||||
rt: http.DefaultTransport,
|
||||
|
||||
tenantID: tenantID,
|
||||
tenantID: env.TenantID(),
|
||||
clientID: clientID,
|
||||
clientKey: clientKey,
|
||||
clientCerts: clientCerts,
|
||||
store: sessions.NewCookieStore(sessionKey),
|
||||
oauther: &oauth2.Config{
|
||||
ClientID: clientID,
|
||||
Endpoint: microsoft.AzureADEndpoint(tenantID),
|
||||
Endpoint: microsoft.AzureADEndpoint(env.TenantID()),
|
||||
RedirectURL: "https://" + hostname + "/callback",
|
||||
Scopes: []string{
|
||||
"openid",
|
||||
|
@ -344,7 +345,7 @@ func (a *aad) callback(w http.ResponseWriter, r *http.Request) {
|
|||
// Treating this as a RoundTripper is more hackery -- this is because the
|
||||
// underlying oauth2 library is a little unextensible.
|
||||
func (a *aad) clientAssertion(req *http.Request) (*http.Response, error) {
|
||||
oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, a.tenantID)
|
||||
oauthConfig, err := adal.NewOAuthConfig(a.env.Environment().ActiveDirectoryEndpoint, a.tenantID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
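Review bot: In NewAAD the `oauther` config still uses `microsoft.AzureADEndpoint(env.TenantID())`, which is hardcoded to login.microsoftonline.com, while NewVerifier and clientAssertion in the same file now derive their endpoints from `env.Environment().ActiveDirectoryEndpoint`; in a sovereign cloud the authorize/token redirects would go to the public-cloud authority and the verifier would be configured for a different issuer, so sign-in cannot succeed consistently. Build the endpoint from the environment as the other two call sites do. Separately, NewVerifier concatenates `ActiveDirectoryEndpoint+env.TenantID()` and presumably relies on the endpoint string carrying a trailing slash; `strings.TrimSuffix(endpoint, "/") + "/" + env.TenantID() + "/v2.0"` would make that independent of how the environment is populated. The NewAAD body continues outside the hunk.
```go
	oauther: &oauth2.Config{
		ClientID: clientID,
		Endpoint: oauth2.Endpoint{
			AuthURL:  env.Environment().ActiveDirectoryEndpoint + env.TenantID() + "/oauth2/v2.0/authorize",
			TokenURL: env.Environment().ActiveDirectoryEndpoint + env.TenantID() + "/oauth2/v2.0/token",
		},
		// … unchanged: RedirectURL, Scopes …
```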
|
|
|
@ -17,7 +17,9 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/form3tech-oss/jwt-go"
|
||||
"github.com/golang/mock/gomock"
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/gorilla/securecookie"
|
||||
uuid "github.com/satori/go.uuid"
|
||||
|
@ -25,6 +27,7 @@ import (
|
|||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/util/deployment"
|
||||
mock_env "github.com/Azure/ARO-RP/pkg/util/mocks/env"
|
||||
"github.com/Azure/ARO-RP/pkg/util/roundtripper"
|
||||
utiltls "github.com/Azure/ARO-RP/pkg/util/tls"
|
||||
)
|
||||
|
@ -79,7 +82,7 @@ func (c noopClaims) Claims(v interface{}) error {
|
|||
}
|
||||
|
||||
func TestNewAAD(t *testing.T) {
|
||||
_, err := NewAAD(deployment.Production, nil, nil, "", nil, "", "", nil, nil, nil, nil, nil)
|
||||
_, err := NewAAD(nil, nil, nil, "", nil, "", nil, nil, nil, nil, nil)
|
||||
if err.Error() != "invalid sessionKey" {
|
||||
t.Error(err)
|
||||
}
|
||||
|
@ -154,7 +157,13 @@ func TestAAD(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
controller := gomock.NewController(t)
|
||||
defer controller.Finish()
|
||||
env := mock_env.NewMockInterface(controller)
|
||||
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
|
||||
env.EXPECT().TenantID().AnyTimes().Return("")
|
||||
|
||||
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -244,7 +253,13 @@ func TestRedirect(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
controller := gomock.NewController(t)
|
||||
defer controller.Finish()
|
||||
env := mock_env.NewMockInterface(controller)
|
||||
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
|
||||
env.EXPECT().TenantID().AnyTimes().Return("")
|
||||
|
||||
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -354,7 +369,13 @@ func TestLogout(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
controller := gomock.NewController(t)
|
||||
defer controller.Finish()
|
||||
env := mock_env.NewMockInterface(controller)
|
||||
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
|
||||
env.EXPECT().TenantID().AnyTimes().Return("")
|
||||
|
||||
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -702,7 +723,13 @@ func TestCallback(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", clientID, clientkey, clientcerts, groups, mux.NewRouter(), tt.verifier)
|
||||
controller := gomock.NewController(t)
|
||||
defer controller.Finish()
|
||||
env := mock_env.NewMockInterface(controller)
|
||||
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
|
||||
env.EXPECT().TenantID().AnyTimes().Return("")
|
||||
|
||||
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), clientID, clientkey, clientcerts, groups, mux.NewRouter(), tt.verifier)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -812,9 +839,16 @@ func TestCallback(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestClientAssertion(t *testing.T) {
|
||||
controller := gomock.NewController(t)
|
||||
defer controller.Finish()
|
||||
env := mock_env.NewMockInterface(controller)
|
||||
env.EXPECT().Environment().AnyTimes().Return(&azure.PublicCloud)
|
||||
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
|
||||
env.EXPECT().TenantID().AnyTimes().Return("")
|
||||
|
||||
clientID := "00000000-0000-0000-0000-000000000000"
|
||||
|
||||
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", clientID, clientkey, clientcerts, nil, mux.NewRouter(), nil)
|
||||
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), clientID, clientkey, clientcerts, nil, mux.NewRouter(), nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
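Review bot: TestNewAAD now passes a nil `env` and only works because NewAAD rejects the empty sessionKey before it dereferences `env.DeploymentMode()`; that ordering is an implicit contract nobody will notice when the constructor is reordered, so document it at the call: `// nil env is acceptable only because NewAAD validates sessionKey before reading env`. The subtests in TestAAD, TestRedirect, TestLogout and TestCallback repeat the same five-line mock_env setup (controller, mock, DeploymentMode, TenantID); a small `newTestEnv(t)` helper returning the mock would keep the expectations in one place when the next env accessor is added. The enclosing test functions start outside the hunks.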
|
|
|
@ -160,7 +160,7 @@ func (p *portal) Run(ctx context.Context) error {
|
|||
allGroups := append([]string{}, p.groupIDs...)
|
||||
allGroups = append(allGroups, p.elevatedGroupIDs...)
|
||||
|
||||
p.aad, err = middleware.NewAAD(p.env.DeploymentMode(), p.log, p.baseAccessLog, p.hostname, p.sessionKey, p.env.TenantID(), p.clientID, p.clientKey, p.clientCerts, allGroups, unauthenticatedRouter, p.verifier)
|
||||
p.aad, err = middleware.NewAAD(p.log, p.env, p.baseAccessLog, p.hostname, p.sessionKey, p.clientID, p.clientKey, p.clientCerts, allGroups, unauthenticatedRouter, p.verifier)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|