Skip to content

Commit

Permalink
Revert "Always register the metadata endpoint (#392)" (#403)
Browse files Browse the repository at this point in the history
This reverts commit f04414e.
  • Loading branch information
Katrina Rogan authored Apr 12, 2022
1 parent 3d092c7 commit 33dd675
Show file tree
Hide file tree
Showing 9 changed files with 26 additions and 54 deletions.
13 changes: 4 additions & 9 deletions auth/authzserver/metadata_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@ import (
"net/url"
"strings"

"github.com/flyteorg/flyteadmin/pkg/config"

"github.com/flyteorg/flyteadmin/auth"

authConfig "github.com/flyteorg/flyteadmin/auth/config"
Expand All @@ -17,11 +15,10 @@ import (
)

type OAuth2MetadataProvider struct {
cfg *authConfig.Config
serverCfg *config.ServerConfig
cfg *authConfig.Config
}

// AuthFuncOverride overrides auth func to enforce anonymous access on the implemented APIs
// Override auth func to enforce anonymous access on the implemented APIs
// Ref: https://github.com/grpc-ecosystem/go-grpc-middleware/blob/master/auth/auth.go#L31
func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error) {
return ctx, nil
Expand Down Expand Up @@ -93,13 +90,11 @@ func (s OAuth2MetadataProvider) GetPublicClientConfig(context.Context, *service.
RedirectUri: s.cfg.AppAuth.ThirdParty.FlyteClientConfig.RedirectURI,
Scopes: s.cfg.AppAuth.ThirdParty.FlyteClientConfig.Scopes,
AuthorizationMetadataKey: s.cfg.GrpcAuthorizationHeader,
ServiceHttpEndpoint: s.serverCfg.ServiceHTTPEndpoint.String(),
}, nil
}

func NewService(serverCfg *config.ServerConfig, config *authConfig.Config) OAuth2MetadataProvider {
func NewService(config *authConfig.Config) OAuth2MetadataProvider {
return OAuth2MetadataProvider{
cfg: config,
serverCfg: serverCfg,
cfg: config,
}
}
23 changes: 11 additions & 12 deletions auth/authzserver/metadata_provider_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,16 @@ import (
"strings"
"testing"

"github.com/flyteorg/flyteadmin/pkg/config"

stdConfig "github.com/flyteorg/flytestdlib/config"
config2 "github.com/flyteorg/flytestdlib/config"

"github.com/flyteorg/flyteadmin/auth/config"
authConfig "github.com/flyteorg/flyteadmin/auth/config"
"github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/service"
"github.com/stretchr/testify/assert"
)

func TestOAuth2MetadataProvider_FlyteClient(t *testing.T) {
provider := NewService(&config.ServerConfig{}, &authConfig.Config{
provider := NewService(&authConfig.Config{
AppAuth: authConfig.OAuth2Options{
ThirdParty: authConfig.ThirdPartyConfigOptions{
FlyteClientConfig: authConfig.FlyteClientConfig{
Expand All @@ -40,8 +39,8 @@ func TestOAuth2MetadataProvider_FlyteClient(t *testing.T) {

func TestOAuth2MetadataProvider_OAuth2Metadata(t *testing.T) {
t.Run("Self AuthServer", func(t *testing.T) {
provider := NewService(&config.ServerConfig{}, &authConfig.Config{
AuthorizedURIs: []stdConfig.URL{{URL: *authConfig.MustParseURL("https://issuer/")}},
provider := NewService(&authConfig.Config{
AuthorizedURIs: []config2.URL{{URL: *config.MustParseURL("https://issuer/")}},
})

ctx := context.Background()
Expand Down Expand Up @@ -75,12 +74,12 @@ func TestOAuth2MetadataProvider_OAuth2Metadata(t *testing.T) {
http.DefaultClient = s.Client()

t.Run("External AuthServer", func(t *testing.T) {
provider := NewService(&config.ServerConfig{}, &authConfig.Config{
AuthorizedURIs: []stdConfig.URL{{URL: *authConfig.MustParseURL("https://issuer/")}},
provider := NewService(&authConfig.Config{
AuthorizedURIs: []config2.URL{{URL: *config.MustParseURL("https://issuer/")}},
AppAuth: authConfig.OAuth2Options{
AuthServerType: authConfig.AuthorizationServerTypeExternal,
ExternalAuthServer: authConfig.ExternalAuthorizationServer{
BaseURL: stdConfig.URL{URL: *authConfig.MustParseURL(s.URL)},
BaseURL: config2.URL{URL: *config.MustParseURL(s.URL)},
},
},
})
Expand All @@ -92,14 +91,14 @@ func TestOAuth2MetadataProvider_OAuth2Metadata(t *testing.T) {
})

t.Run("External AuthServer fallback url", func(t *testing.T) {
provider := NewService(&config.ServerConfig{}, &authConfig.Config{
AuthorizedURIs: []stdConfig.URL{{URL: *authConfig.MustParseURL("https://issuer/")}},
provider := NewService(&authConfig.Config{
AuthorizedURIs: []config2.URL{{URL: *config.MustParseURL("https://issuer/")}},
AppAuth: authConfig.OAuth2Options{
AuthServerType: authConfig.AuthorizationServerTypeExternal,
},
UserAuth: authConfig.UserAuthConfig{
OpenID: authConfig.OpenIDOptions{
BaseURL: stdConfig.URL{URL: *authConfig.MustParseURL(s.URL)},
BaseURL: config2.URL{URL: *config.MustParseURL(s.URL)},
},
},
})
Expand Down
5 changes: 2 additions & 3 deletions auth/handlers.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,8 @@ func RegisterHandlers(ctx context.Context, handler interfaces.HandlerRegisterer,
handler.HandleFunc("/logout", GetLogoutEndpointHandler(ctx, authCtx))
}

// RefreshTokensIfExists looks for access token and refresh token, if both are present and the access token is expired,
// then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to
// the landing page.
// Look for access token and refresh token, if both are present and the access token is expired, then attempt to
// refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.
func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.AuthenticationContext, authHandler http.HandlerFunc) http.HandlerFunc {

return func(writer http.ResponseWriter, request *http.Request) {
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ require (
github.com/cloudevents/sdk-go/v2 v2.8.0
github.com/coreos/go-oidc v2.2.1+incompatible
github.com/evanphx/json-patch v4.9.0+incompatible
github.com/flyteorg/flyteidl v0.24.18
github.com/flyteorg/flyteidl v0.24.17
github.com/flyteorg/flyteplugins v0.10.16
github.com/flyteorg/flytepropeller v0.16.36
github.com/flyteorg/flytestdlib v0.4.23
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -369,8 +369,8 @@ github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8S
github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/flyteorg/flyteidl v0.23.0/go.mod h1:576W2ViEyjTpT+kEVHAGbrTP3HARNUZ/eCwrNPmdx9U=
github.com/flyteorg/flyteidl v0.24.0/go.mod h1:576W2ViEyjTpT+kEVHAGbrTP3HARNUZ/eCwrNPmdx9U=
github.com/flyteorg/flyteidl v0.24.18 h1:5HMlc11OcSzRHR5VRRAac2gH6yO2XFcQ3fWlcl9tj+k=
github.com/flyteorg/flyteidl v0.24.18/go.mod h1:vHSugApgS3hRITIafzQDU8DZD/W8wFRfFcgaFU35Dww=
github.com/flyteorg/flyteidl v0.24.17 h1:Xx70bJbuQGyvS8uAyU4AN74rot6KnzJ9r/L9gcCdEsU=
github.com/flyteorg/flyteidl v0.24.17/go.mod h1:vHSugApgS3hRITIafzQDU8DZD/W8wFRfFcgaFU35Dww=
github.com/flyteorg/flyteplugins v0.10.16 h1:rwNI2MACPbcST2O6CEUsNW6bccz7ZLni0GiY3orevfw=
github.com/flyteorg/flyteplugins v0.10.16/go.mod h1:YBWV8QnFakDJfLyua8pYddiWqszAqseBKIJPNMERlos=
github.com/flyteorg/flytepropeller v0.16.36 h1:5uE8JsutrPVyLVrRJ8BgvhZUOmTBFkEkn5xmIOo21nU=
Expand Down
6 changes: 0 additions & 6 deletions pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,6 @@ type ServerConfig struct {
DeprecatedThirdPartyConfig authConfig.ThirdPartyConfigOptions `json:"thirdPartyConfig" pflag:",Deprecated please use auth.appAuth.thirdPartyConfig instead."`

DataProxy DataProxyConfig `json:"dataProxy" pflag:",Defines data proxy configuration."`

// ServiceHTTPEndpoint allows specifying the http endpoint this admin instance is accessible on. This is useful
// for when there is no ingress setup or when the service is serving http and grpc over two different ports.
// Setting it here allows gRPC clients to retrieve the http endpoint to be able to present it to end-users (e.g.
// open up the browser to the workflow overview page)
ServiceHTTPEndpoint config.URL `json:"serviceHttpEndpoint" pflag:",Defines the http endpoint the service is accessible at."`
}

type DataProxyConfig struct {
Expand Down
1 change: 0 additions & 1 deletion pkg/config/serverconfig_flags.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 0 additions & 14 deletions pkg/config/serverconfig_flags_test.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 6 additions & 6 deletions pkg/server/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ func blanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnarySer

// Creates a new gRPC Server with all the configuration
func newGRPCServer(ctx context.Context, pluginRegistry *plugins.Registry, cfg *config.ServerConfig,
storageCfg *storage.Config, authCfg *authConfig.Config, authCtx interfaces.AuthenticationContext,
storageCfg *storage.Config, authCtx interfaces.AuthenticationContext,
scope promutils.Scope, opts ...grpc.ServerOption) (*grpc.Server, error) {
// Not yet implemented for streaming
var chainedUnaryInterceptors grpc.UnaryServerInterceptor
Expand Down Expand Up @@ -107,8 +107,8 @@ func newGRPCServer(ctx context.Context, pluginRegistry *plugins.Registry, cfg *c

configuration := runtime2.NewConfigurationProvider()
service.RegisterAdminServiceServer(grpcServer, adminservice.NewAdminServer(ctx, pluginRegistry, configuration, cfg.KubeConfig, cfg.Master, dataStorageClient, scope.NewSubScope("admin")))
service.RegisterAuthMetadataServiceServer(grpcServer, authzserver.NewService(cfg, authCfg))
if cfg.Security.UseAuth {
service.RegisterAuthMetadataServiceServer(grpcServer, authCtx.AuthMetadataService())
service.RegisterIdentityServiceServer(grpcServer, authCtx.IdentityService())
}

Expand Down Expand Up @@ -243,7 +243,7 @@ func serveGatewayInsecure(ctx context.Context, pluginRegistry *plugins.Registry,
}
}

oauth2MetadataProvider := authzserver.NewService(cfg, authCfg)
oauth2MetadataProvider := authzserver.NewService(authCfg)
oidcUserInfoProvider := auth.NewUserInfoProvider()

authCtx, err = auth.NewAuthenticationContext(ctx, sm, oauth2Provider, oauth2ResourceServer, oauth2MetadataProvider, oidcUserInfoProvider, authCfg)
Expand All @@ -253,7 +253,7 @@ func serveGatewayInsecure(ctx context.Context, pluginRegistry *plugins.Registry,
}
}

grpcServer, err := newGRPCServer(ctx, pluginRegistry, cfg, storageConfig, authCfg, authCtx, scope)
grpcServer, err := newGRPCServer(ctx, pluginRegistry, cfg, storageConfig, authCtx, scope)
if err != nil {
return fmt.Errorf("failed to create a newGRPCServer. Error: %w", err)
}
Expand Down Expand Up @@ -346,7 +346,7 @@ func serveGatewaySecure(ctx context.Context, pluginRegistry *plugins.Registry, c
}
}

oauth2MetadataProvider := authzserver.NewService(cfg, authCfg)
oauth2MetadataProvider := authzserver.NewService(authCfg)
oidcUserInfoProvider := auth.NewUserInfoProvider()

authCtx, err = auth.NewAuthenticationContext(ctx, sm, oauth2Provider, oauth2ResourceServer, oauth2MetadataProvider, oidcUserInfoProvider, authCfg)
Expand All @@ -356,7 +356,7 @@ func serveGatewaySecure(ctx context.Context, pluginRegistry *plugins.Registry, c
}
}

grpcServer, err := newGRPCServer(ctx, pluginRegistry, cfg, storageCfg, authCfg, authCtx, scope, grpc.Creds(credentials.NewServerTLSFromCert(cert)))
grpcServer, err := newGRPCServer(ctx, pluginRegistry, cfg, storageCfg, authCtx, scope, grpc.Creds(credentials.NewServerTLSFromCert(cert)))
if err != nil {
return fmt.Errorf("failed to create a newGRPCServer. Error: %w", err)
}
Expand Down

0 comments on commit 33dd675

Please sign in to comment.