Azure
/
ARO-RP
зеркало из https://github.com/Azure/ARO-RP.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #1287 from nilsanderselde/govcloud-continued-2 

govcloud enablement, continued
This commit is contained in:
Jim Minter 2021-02-10 12:03:49 -06:00 коммит произвёл GitHub
Родитель a346070797 70ef1bef53
Коммит a998cf66a5
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
7 изменённых файлов: 57 добавлений и 21 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
cmd/aro/portal.go
Просмотреть файл

@ -141,7 +141,7 @@ func portal(ctx context.Context, log *logrus.Entry) error {
} }
clientID := os.Getenv("AZURE_PORTAL_CLIENT_ID") clientID := os.Getenv("AZURE_PORTAL_CLIENT_ID")
verifier, err := middleware.NewVerifier(ctx, _env.TenantID(), clientID) verifier, err := middleware.NewVerifier(ctx, _env, clientID)
if err != nil { if err != nil {
return err return err
} }

2
pkg/deploy/deploy.go
Просмотреть файл

@ -39,6 +39,7 @@ type Deployer interface {
type deployer struct { type deployer struct {
log *logrus.Entry log *logrus.Entry
env env.Core
globaldeployments features.DeploymentsClient globaldeployments features.DeploymentsClient
globalgroups features.ResourceGroupsClient globalgroups features.ResourceGroupsClient
@ -81,6 +82,7 @@ func New(ctx context.Context, log *logrus.Entry, env env.Core, config *RPConfig,
return &deployer{ return &deployer{
log: log, log: log,
env: env,
globaldeployments: features.NewDeploymentsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer), globaldeployments: features.NewDeploymentsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer),
globalgroups: features.NewResourceGroupsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer), globalgroups: features.NewResourceGroupsClient(env.Environment(), *config.Configuration.GlobalSubscriptionID, authorizer),

3
pkg/deploy/upgrade.go
Просмотреть файл

@ -12,7 +12,6 @@ import (
mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute" mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage" mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage"
azstorage "github.com/Azure/azure-sdk-for-go/storage" azstorage "github.com/Azure/azure-sdk-for-go/storage"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/go-autorest/autorest/date" "github.com/Azure/go-autorest/autorest/date"
"github.com/Azure/go-autorest/autorest/to" "github.com/Azure/go-autorest/autorest/to"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
@ -132,7 +131,7 @@ func (d *deployer) saveRPVersion(ctx context.Context) error {
} }
blobClient := azstorage.NewAccountSASClient( blobClient := azstorage.NewAccountSASClient(
*d.config.Configuration.RPVersionStorageAccountName, v, azure.PublicCloud).GetBlobService() *d.config.Configuration.RPVersionStorageAccountName, v, *d.env.Environment()).GetBlobService()
containerRef := blobClient.GetContainerReference("rpversion") containerRef := blobClient.GetContainerReference("rpversion")

2
pkg/env/prod.go поставляемый
Просмотреть файл

@ -131,7 +131,7 @@ func newProd(ctx context.Context, log *logrus.Entry) (*prod, error) {
} }
p.acrDomain = acrResource.ResourceName + "." + p.Environment().ContainerRegistryDNSSuffix p.acrDomain = acrResource.ResourceName + "." + p.Environment().ContainerRegistryDNSSuffix
} else { } else {
p.acrDomain = "arointsvc" + "." + p.Environment().ContainerRegistryDNSSuffix p.acrDomain = "arointsvc" + "." + azure.PublicCloud.ContainerRegistryDNSSuffix // TODO: make cloud aware once this is set up for US Gov Cloud
} }
return p, nil return p, nil

21
pkg/portal/middleware/aad.go
Просмотреть файл

@ -15,7 +15,6 @@ import (
"time" "time"
"github.com/Azure/go-autorest/autorest/adal" "github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/coreos/go-oidc" "github.com/coreos/go-oidc"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/gorilla/sessions" "github.com/gorilla/sessions"
@ -24,6 +23,7 @@ import (
"golang.org/x/oauth2" "golang.org/x/oauth2"
"golang.org/x/oauth2/microsoft" "golang.org/x/oauth2/microsoft"
"github.com/Azure/ARO-RP/pkg/env"
"github.com/Azure/ARO-RP/pkg/util/deployment" "github.com/Azure/ARO-RP/pkg/util/deployment"
"github.com/Azure/ARO-RP/pkg/util/roundtripper" "github.com/Azure/ARO-RP/pkg/util/roundtripper"
) )
@ -69,8 +69,8 @@ type oidctoken interface {
Claims(interface{}) error Claims(interface{}) error
} }
func NewVerifier(ctx context.Context, tenantID, clientID string) (Verifier, error) { func NewVerifier(ctx context.Context, env env.Core, clientID string) (Verifier, error) {
provider, err := oidc.NewProvider(ctx, "https://login.microsoftonline.com/"+tenantID+"/v2.0") provider, err := oidc.NewProvider(ctx, env.Environment().ActiveDirectoryEndpoint+env.TenantID()+"/v2.0")
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -90,6 +90,7 @@ type claims struct {
type aad struct { type aad struct {
deploymentMode deployment.Mode deploymentMode deployment.Mode
log *logrus.Entry log *logrus.Entry
env env.Core
now func() time.Time now func() time.Time
rt http.RoundTripper rt http.RoundTripper
@ -106,12 +107,11 @@ type aad struct {
sessionTimeout time.Duration sessionTimeout time.Duration
} }
func NewAAD(deploymentMode deployment.Mode, func NewAAD(log *logrus.Entry,
log *logrus.Entry, env env.Core,
baseAccessLog *logrus.Entry, baseAccessLog *logrus.Entry,
hostname string, hostname string,
sessionKey []byte, sessionKey []byte,
tenantID string,
clientID string, clientID string,
clientKey *rsa.PrivateKey, clientKey *rsa.PrivateKey,
clientCerts []*x509.Certificate, clientCerts []*x509.Certificate,
@ -123,19 +123,20 @@ func NewAAD(deploymentMode deployment.Mode,
} }
a := &aad{ a := &aad{
deploymentMode: deploymentMode, deploymentMode: env.DeploymentMode(),
log: log, log: log,
env: env,
now: time.Now, now: time.Now,
rt: http.DefaultTransport, rt: http.DefaultTransport,
tenantID: tenantID, tenantID: env.TenantID(),
clientID: clientID, clientID: clientID,
clientKey: clientKey, clientKey: clientKey,
clientCerts: clientCerts, clientCerts: clientCerts,
store: sessions.NewCookieStore(sessionKey), store: sessions.NewCookieStore(sessionKey),
oauther: &oauth2.Config{ oauther: &oauth2.Config{
ClientID: clientID, ClientID: clientID,
Endpoint: microsoft.AzureADEndpoint(tenantID), Endpoint: microsoft.AzureADEndpoint(env.TenantID()),
RedirectURL: "https://" + hostname + "/callback", RedirectURL: "https://" + hostname + "/callback",
Scopes: []string{ Scopes: []string{
"openid", "openid",
@ -344,7 +345,7 @@ func (a *aad) callback(w http.ResponseWriter, r *http.Request) {
// Treating this as a RoundTripper is more hackery -- this is because the // Treating this as a RoundTripper is more hackery -- this is because the
// underlying oauth2 library is a little unextensible. // underlying oauth2 library is a little unextensible.
func (a *aad) clientAssertion(req *http.Request) (*http.Response, error) { func (a *aad) clientAssertion(req *http.Request) (*http.Response, error) {
oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, a.tenantID) oauthConfig, err := adal.NewOAuthConfig(a.env.Environment().ActiveDirectoryEndpoint, a.tenantID)
if err != nil { if err != nil {
return nil, err return nil, err
} }

46
pkg/portal/middleware/aad_test.go
Просмотреть файл

@ -17,7 +17,9 @@ import (
"testing" "testing"
"time" "time"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/form3tech-oss/jwt-go" "github.com/form3tech-oss/jwt-go"
"github.com/golang/mock/gomock"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/gorilla/securecookie" "github.com/gorilla/securecookie"
uuid "github.com/satori/go.uuid" uuid "github.com/satori/go.uuid"
@ -25,6 +27,7 @@ import (
"golang.org/x/oauth2" "golang.org/x/oauth2"
"github.com/Azure/ARO-RP/pkg/util/deployment" "github.com/Azure/ARO-RP/pkg/util/deployment"
mock_env "github.com/Azure/ARO-RP/pkg/util/mocks/env"
"github.com/Azure/ARO-RP/pkg/util/roundtripper" "github.com/Azure/ARO-RP/pkg/util/roundtripper"
utiltls "github.com/Azure/ARO-RP/pkg/util/tls" utiltls "github.com/Azure/ARO-RP/pkg/util/tls"
) )
@ -79,7 +82,7 @@ func (c noopClaims) Claims(v interface{}) error {
} }
func TestNewAAD(t *testing.T) { func TestNewAAD(t *testing.T) {
_, err := NewAAD(deployment.Production, nil, nil, "", nil, "", "", nil, nil, nil, nil, nil) _, err := NewAAD(nil, nil, nil, "", nil, "", nil, nil, nil, nil, nil)
if err.Error() != "invalid sessionKey" { if err.Error() != "invalid sessionKey" {
t.Error(err) t.Error(err)
} }
@ -154,7 +157,13 @@ func TestAAD(t *testing.T) {
}, },
} { } {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil) controller := gomock.NewController(t)
defer controller.Finish()
env := mock_env.NewMockInterface(controller)
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
env.EXPECT().TenantID().AnyTimes().Return("")
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -244,7 +253,13 @@ func TestRedirect(t *testing.T) {
}, },
} { } {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil) controller := gomock.NewController(t)
defer controller.Finish()
env := mock_env.NewMockInterface(controller)
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
env.EXPECT().TenantID().AnyTimes().Return("")
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -354,7 +369,13 @@ func TestLogout(t *testing.T) {
}, },
} { } {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", "", nil, nil, nil, mux.NewRouter(), nil) controller := gomock.NewController(t)
defer controller.Finish()
env := mock_env.NewMockInterface(controller)
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
env.EXPECT().TenantID().AnyTimes().Return("")
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", nil, nil, nil, mux.NewRouter(), nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -702,7 +723,13 @@ func TestCallback(t *testing.T) {
}, },
} { } {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", clientID, clientkey, clientcerts, groups, mux.NewRouter(), tt.verifier) controller := gomock.NewController(t)
defer controller.Finish()
env := mock_env.NewMockInterface(controller)
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
env.EXPECT().TenantID().AnyTimes().Return("")
a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), clientID, clientkey, clientcerts, groups, mux.NewRouter(), tt.verifier)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -812,9 +839,16 @@ func TestCallback(t *testing.T) {
} }
func TestClientAssertion(t *testing.T) { func TestClientAssertion(t *testing.T) {
controller := gomock.NewController(t)
defer controller.Finish()
env := mock_env.NewMockInterface(controller)
env.EXPECT().Environment().AnyTimes().Return(&azure.PublicCloud)
env.EXPECT().DeploymentMode().AnyTimes().Return(deployment.Production)
env.EXPECT().TenantID().AnyTimes().Return("")
clientID := "00000000-0000-0000-0000-000000000000" clientID := "00000000-0000-0000-0000-000000000000"
a, err := NewAAD(deployment.Production, logrus.NewEntry(logrus.StandardLogger()), logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), "", clientID, clientkey, clientcerts, nil, mux.NewRouter(), nil) a, err := NewAAD(logrus.NewEntry(logrus.StandardLogger()), env, logrus.NewEntry(logrus.StandardLogger()), "", make([]byte, 32), clientID, clientkey, clientcerts, nil, mux.NewRouter(), nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

2
pkg/portal/portal.go
Просмотреть файл

@ -160,7 +160,7 @@ func (p *portal) Run(ctx context.Context) error {
allGroups := append([]string{}, p.groupIDs...) allGroups := append([]string{}, p.groupIDs...)
allGroups = append(allGroups, p.elevatedGroupIDs...) allGroups = append(allGroups, p.elevatedGroupIDs...)
p.aad, err = middleware.NewAAD(p.env.DeploymentMode(), p.log, p.baseAccessLog, p.hostname, p.sessionKey, p.env.TenantID(), p.clientID, p.clientKey, p.clientCerts, allGroups, unauthenticatedRouter, p.verifier) p.aad, err = middleware.NewAAD(p.log, p.env, p.baseAccessLog, p.hostname, p.sessionKey, p.clientID, p.clientKey, p.clientCerts, allGroups, unauthenticatedRouter, p.verifier)
if err != nil { if err != nil {
return err return err
} }