36 Star 415 Fork 76


加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
github_provider.go 10.69 KB
一键复制 编辑 原始数据 按行查看 历史
Max Korp 提交于 6年前 . Auth provider refresh
package github
import (
corev1 "github.com/rancher/types/apis/core/v1"
publicclient "github.com/rancher/types/client/management/v3public"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
const (
Name = "github"
type ghProvider struct {
ctx context.Context
authConfigs v3.AuthConfigInterface
secrets corev1.SecretInterface
githubClient *GClient
userMGR user.Manager
tokenMGR *tokens.Manager
func Configure(ctx context.Context, mgmtCtx *config.ScaledContext, userMGR user.Manager, tokenMGR *tokens.Manager) common.AuthProvider {
githubClient := &GClient{
httpClient: &http.Client{},
return &ghProvider{
ctx: ctx,
authConfigs: mgmtCtx.Management.AuthConfigs(""),
secrets: mgmtCtx.Core.Secrets(""),
githubClient: githubClient,
userMGR: userMGR,
tokenMGR: tokenMGR,
func (g *ghProvider) GetName() string {
return Name
func (g *ghProvider) CustomizeSchema(schema *types.Schema) {
schema.ActionHandler = g.actionHandler
schema.Formatter = g.formatter
func (g *ghProvider) TransformToAuthProvider(authConfig map[string]interface{}) map[string]interface{} {
p := common.TransformToAuthProvider(authConfig)
p[publicclient.GithubProviderFieldRedirectURL] = formGithubRedirectURLFromMap(authConfig)
return p
func (g *ghProvider) getGithubConfigCR() (*v3.GithubConfig, error) {
authConfigObj, err := g.authConfigs.ObjectClient().UnstructuredClient().Get(Name, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("failed to retrieve GithubConfig, error: %v", err)
u, ok := authConfigObj.(runtime.Unstructured)
if !ok {
return nil, fmt.Errorf("failed to retrieve GithubConfig, cannot read k8s Unstructured data")
storedGithubConfigMap := u.UnstructuredContent()
storedGithubConfig := &v3.GithubConfig{}
mapstructure.Decode(storedGithubConfigMap, storedGithubConfig)
metadataMap, ok := storedGithubConfigMap["metadata"].(map[string]interface{})
if !ok {
return nil, fmt.Errorf("failed to retrieve GithubConfig metadata, cannot read k8s Unstructured data")
typemeta := &metav1.ObjectMeta{}
mapstructure.Decode(metadataMap, typemeta)
storedGithubConfig.ObjectMeta = *typemeta
if storedGithubConfig.ClientSecret != "" {
value, err := common.ReadFromSecret(g.secrets, storedGithubConfig.ClientSecret, strings.ToLower(auth.TypeToField[client.GithubConfigType]))
if err != nil {
return nil, err
storedGithubConfig.ClientSecret = value
return storedGithubConfig, nil
func (g *ghProvider) saveGithubConfig(config *v3.GithubConfig) error {
storedGithubConfig, err := g.getGithubConfigCR()
if err != nil {
return err
config.APIVersion = "management.cattle.io/v3"
config.Kind = v3.AuthConfigGroupVersionKind.Kind
config.Type = client.GithubConfigType
config.ObjectMeta = storedGithubConfig.ObjectMeta
secretInfo := convert.ToString(config.ClientSecret)
field := strings.ToLower(auth.TypeToField[config.Type])
if err := common.CreateOrUpdateSecrets(g.secrets, secretInfo, field, strings.ToLower(config.Type)); err != nil {
return err
config.ClientSecret = common.GetName(config.Type, field)
_, err = g.authConfigs.ObjectClient().Update(config.ObjectMeta.Name, config)
if err != nil {
return err
return nil
func (g *ghProvider) AuthenticateUser(input interface{}) (v3.Principal, []v3.Principal, string, error) {
login, ok := input.(*v3public.GithubLogin)
if !ok {
return v3.Principal{}, nil, "", errors.New("unexpected input type")
return g.LoginUser(login, nil, false)
func (g *ghProvider) LoginUser(githubCredential *v3public.GithubLogin, config *v3.GithubConfig, test bool) (v3.Principal, []v3.Principal, string, error) {
var groupPrincipals []v3.Principal
var userPrincipal v3.Principal
var err error
if config == nil {
config, err = g.getGithubConfigCR()
if err != nil {
return v3.Principal{}, nil, "", err
securityCode := githubCredential.Code
accessToken, err := g.githubClient.getAccessToken(securityCode, config)
if err != nil {
logrus.Infof("Error generating accessToken from github %v", err)
return v3.Principal{}, nil, "", err
user, err := g.githubClient.getUser(accessToken, config)
if err != nil {
return v3.Principal{}, nil, "", err
userPrincipal = g.toPrincipal(userType, user, nil)
userPrincipal.Me = true
orgAccts, err := g.githubClient.getOrgs(accessToken, config)
if err != nil {
return v3.Principal{}, nil, "", err
for _, orgAcct := range orgAccts {
groupPrincipal := g.toPrincipal(orgType, orgAcct, nil)
groupPrincipal.MemberOf = true
groupPrincipals = append(groupPrincipals, groupPrincipal)
teamAccts, err := g.githubClient.getTeams(accessToken, config)
if err != nil {
return v3.Principal{}, nil, "", err
for _, teamAcct := range teamAccts {
groupPrincipal := g.toPrincipal(teamType, teamAcct, nil)
groupPrincipal.MemberOf = true
groupPrincipals = append(groupPrincipals, groupPrincipal)
testAllowedPrincipals := config.AllowedPrincipalIDs
if test && config.AccessMode == "restricted" {
testAllowedPrincipals = append(testAllowedPrincipals, userPrincipal.Name)
allowed, err := g.userMGR.CheckAccess(config.AccessMode, testAllowedPrincipals, userPrincipal.Name, groupPrincipals)
if err != nil {
return v3.Principal{}, nil, "", err
if !allowed {
return v3.Principal{}, nil, "", httperror.NewAPIError(httperror.Unauthorized, "unauthorized")
return userPrincipal, groupPrincipals, accessToken, nil
func (g *ghProvider) RefetchGroupPrincipals(principalID string, secret string) ([]v3.Principal, error) {
var groupPrincipals []v3.Principal
var err error
var config *v3.GithubConfig
if config == nil {
config, err = g.getGithubConfigCR()
if err != nil {
return nil, err
orgAccts, err := g.githubClient.getOrgs(secret, config)
if err != nil {
return nil, err
for _, orgAcct := range orgAccts {
groupPrincipal := g.toPrincipal(orgType, orgAcct, nil)
groupPrincipal.MemberOf = true
groupPrincipals = append(groupPrincipals, groupPrincipal)
teamAccts, err := g.githubClient.getTeams(secret, config)
if err != nil {
return nil, err
for _, teamAcct := range teamAccts {
groupPrincipal := g.toPrincipal(teamType, teamAcct, nil)
groupPrincipal.MemberOf = true
groupPrincipals = append(groupPrincipals, groupPrincipal)
return groupPrincipals, nil
func (g *ghProvider) SearchPrincipals(searchKey, principalType string, token v3.Token) ([]v3.Principal, error) {
var principals []v3.Principal
var err error
config, err := g.getGithubConfigCR()
if err != nil {
return principals, err
accessToken, err := g.tokenMGR.GetSecret(token.UserID, token.AuthProvider, []*v3.Token{&token})
if err != nil {
if !apierrors.IsNotFound(err) {
return nil, err
accessToken = token.ProviderInfo["access_token"]
accts, err := g.githubClient.searchUsers(searchKey, principalType, accessToken, config)
if err != nil {
logrus.Errorf("problem searching github: %v", err)
for _, acct := range accts {
pType := strings.ToLower(acct.Type)
if pType == "organization" {
pType = orgType
p := g.toPrincipal(pType, acct, &token)
principals = append(principals, p)
return principals, nil
const (
userType = "user"
teamType = "team"
orgType = "org"
func (g *ghProvider) GetPrincipal(principalID string, token v3.Token) (v3.Principal, error) {
config, err := g.getGithubConfigCR()
if err != nil {
return v3.Principal{}, err
accessToken, err := g.tokenMGR.GetSecret(token.UserID, token.AuthProvider, []*v3.Token{&token})
if err != nil {
if !apierrors.IsNotFound(err) {
return v3.Principal{}, err
accessToken = token.ProviderInfo["access_token"]
// parsing id to get the external id and type. id looks like github_[user|org|team]://12345
var externalID string
parts := strings.SplitN(principalID, ":", 2)
if len(parts) != 2 {
return v3.Principal{}, errors.Errorf("invalid id %v", principalID)
externalID = strings.TrimPrefix(parts[1], "//")
parts = strings.SplitN(parts[0], "_", 2)
if len(parts) != 2 {
return v3.Principal{}, errors.Errorf("invalid id %v", principalID)
principalType := parts[1]
var acct Account
switch principalType {
case userType:
case orgType:
acct, err = g.githubClient.getUserOrgByID(externalID, accessToken, config)
if err != nil {
return v3.Principal{}, err
case teamType:
acct, err = g.githubClient.getTeamByID(externalID, accessToken, config)
if err != nil {
return v3.Principal{}, err
return v3.Principal{}, fmt.Errorf("Cannot get the github account due to invalid externalIDType %v", principalType)
princ := g.toPrincipal(principalType, acct, &token)
return princ, nil
func (g *ghProvider) toPrincipal(principalType string, acct Account, token *v3.Token) v3.Principal {
displayName := acct.Name
if displayName == "" {
displayName = acct.Login
princ := v3.Principal{
ObjectMeta: metav1.ObjectMeta{Name: Name + "_" + principalType + "://" + strconv.Itoa(acct.ID)},
DisplayName: displayName,
LoginName: acct.Login,
Provider: Name,
Me: false,
ProfilePicture: acct.AvatarURL,
if principalType == userType {
princ.PrincipalType = "user"
if token != nil {
princ.Me = g.isThisUserMe(token.UserPrincipal, princ)
} else {
princ.PrincipalType = "group"
if token != nil {
princ.MemberOf = g.tokenMGR.IsMemberOf(*token, princ)
return princ
func (g *ghProvider) isThisUserMe(me v3.Principal, other v3.Principal) bool {
if me.ObjectMeta.Name == other.ObjectMeta.Name && me.LoginName == other.LoginName && me.PrincipalType == other.PrincipalType {
return true
return false
func (g *ghProvider) CanAccessWithGroupProviders(userPrincipalID string, groupPrincipals []v3.Principal) (bool, error) {
config, err := g.getGithubConfigCR()
if err != nil {
logrus.Errorf("Error fetching github config: %v", err)
return false, err
allowed, err := g.userMGR.CheckAccess(config.AccessMode, config.AllowedPrincipalIDs, userPrincipalID, groupPrincipals)
if err != nil {
return false, err
return allowed, nil
马建仓 AI 助手
