serviceprovider

package
v0.2023.21 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 22, 2023 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// RequestCountMetric is the metric that collects the request counts for all service providers.
	// We allow for the unbounded "hostname" label with the assumption that the real number of service providers will be
	// limited to only a couple in practice.
	//
	// The `operation` label signifies the operation being performed in the controller for which we need to contact the
	// service provider.
	//
	// Note that while this metric may seem similar to the automatic _count of ResponseTimeMetric histogram, it is different
	// because it counts the request attempts, which should also include requests for which it was not possible to obtain
	// the response (which have the "failure" label set to true).
	//
	// Preferably, use the CommonRequestMetricsConfig function to use this metric and register it using the RegisterCommonMetrics
	// function.
	RequestCountMetric = prometheus.NewCounterVec(prometheus.CounterOpts{
		Namespace: config.MetricsNamespace,
		Subsystem: config.MetricsSubsystem,
		Name:      "service_provider_request_count_total",
		Help:      "The request counts to service providers categorized by service provider type, hostname and HTTP method",
	}, []string{"sp", "hostname", "method", "failure", "operation"})

	// ResponseTimeMetric is the metric that collects the request response times for all service providers.
	// We allow for the unbounded "hostname" label with the assumption that the real number of service providers will be
	// limited to only a couple in practice.
	//
	// The `operation` label signifies the operation being performed in the controller for which we need to contact the
	// service provider.
	//
	// Preferably, use the CommonRequestMetricsConfig function to use this metric and register it using the RegisterCommonMetrics
	// function.
	ResponseTimeMetric = prometheus.NewHistogramVec(prometheus.HistogramOpts{
		Namespace: config.MetricsNamespace,
		Subsystem: config.MetricsSubsystem,
		Name:      "service_provider_response_time_seconds",
		Help:      "The response time of service provider requests categorized by service provider hostname, HTTP method and status code",
	}, []string{"sp", "hostname", "method", "status", "operation"})
)

Functions

func AuthenticatingHttpClient added in v0.4.1 

func AuthenticatingHttpClient(cl *http.Client) *http.Client

func CommonRequestMetricsConfig added in v0.8.3 

func CommonRequestMetricsConfig(spType config.ServiceProviderType, operation string) *httptransport.HttpMetricCollectionConfig

CommonRequestMetricsConfig returns the metrics collection configuration for collecting the RequestCountMetric and ResponseTimeMetric for the provided service provider type with given operation.

The returned configuration can be used with httptransport.ContextWithMetrics to configure what metrics should be collected in the http requests.

func GetAllScopes 

func GetAllScopes(convertToScopes func(permission api.Permission) []string, perms *api.Permissions) []string

GetAllScopes is a helper method to translate all the provided permissions into a list of service-provided-specific scopes.

func LookupConcreteToken added in v0.2023.21 

func LookupConcreteToken(tokenPointer **api.SPIAccessToken) func(ctx context.Context, cl client.Client, binding *api.SPIAccessTokenBinding) ([]api.SPIAccessToken, error)

LookupConcreteToken returns a function that can be used as the TestServiceProvider.LookupTokenImpl that just returns a freshly loaded version of the provided token. The token is a pointer to a pointer to the token so that this can also support lazily initialized tokens.

func PersistConcreteMetadata added in v0.2023.21 

func PersistConcreteMetadata(metadata *api.TokenMetadata) func(context.Context, client.Client, *api.SPIAccessToken) error

PersistConcreteMetadata returns a function that can be used as the TestServiceProvider.PersistMetadataImpl that stores the provided metadata to any token.

func RegisterCommonMetrics added in v0.8.3 

func RegisterCommonMetrics(registerer prometheus.Registerer) error

RegisterCommonMetrics registers the RequestCountMetric and ResponseTimeMetric with the provided registerer. This must be called exactly once.

func RepoHostFromSchemelessUrl added in v0.6.5 

func RepoHostFromSchemelessUrl(repoUrl string) (string, error)

func RepoHostFromUrl added in v0.5.5 

func RepoHostFromUrl(repoUrl string) (string, error)

Types

type AccessTokenMapper added in v0.5.5 

type AccessTokenMapper struct {
	Name                    string   `json:"name"`
	Token                   string   `json:"token"`
	ServiceProviderUrl      string   `json:"serviceProviderUrl"` // We assume ServiceProviderUrl contains scheme, otherwise we can't parse the host properly.
	ServiceProviderUserName string   `json:"serviceProviderUserName"`
	ServiceProviderUserId   string   `json:"serviceProviderUserId"`
	UserId                  string   `json:"userId"`
	ExpiredAfter            *uint64  `json:"expiredAfter"`
	Scopes                  []string `json:"scopes"`
}

AccessTokenMapper is a helper to convert token (together with its metadata) into maps suitable for storing in secrets according to the secret type.

func DefaultMapToken added in v0.5.5 

func DefaultMapToken(tokenObject *api.SPIAccessToken, tokenData *api.Token) AccessTokenMapper

func (AccessTokenMapper) ToSecretType added in v0.5.5 

func (at AccessTokenMapper) ToSecretType(bindingSpec *api.SPIAccessTokenBindingSpec) (map[string]string, error)

ToSecretType converts the data in the mapper to a map with fields corresponding to the provided secret type.

type Constructor added in v0.2.1 

type Constructor interface {
	// Construct creates a new instance of service provider
	Construct(factory *Factory, spConfig *config.ServiceProviderConfiguration) (ServiceProvider, error)
}

Constructor is able to produce a new service provider instance using data from the provided Factory and the base URL of the service provider.

type ConstructorFunc added in v0.2.1 

type ConstructorFunc func(factory *Factory, spConfig *config.ServiceProviderConfiguration) (ServiceProvider, error)

ConstructorFunc converts a compatible function into the Constructor interface

func (ConstructorFunc) Construct added in v0.2.1 

func (c ConstructorFunc) Construct(factory *Factory, spConfig *config.ServiceProviderConfiguration) (ServiceProvider, error)

type DefaultOAuthCapability added in v0.2023.21 

type DefaultOAuthCapability struct {
	BaseUrl string
}

func (*DefaultOAuthCapability) GetOAuthEndpoint added in v0.2023.21 

func (o *DefaultOAuthCapability) GetOAuthEndpoint() string

type DownloadFileCapability added in v0.8.3 

type DownloadFileCapability interface {
	DownloadFile(ctx context.Context, repoUrl, filepath, ref string, token *api.SPIAccessToken, maxFileSizeLimit int) (string, error)
}

DownloadFileCapability indicates an ability of given SCM provider to download files from repository.

type Factory 

type Factory struct {
	Configuration    *opconfig.OperatorConfiguration
	KubernetesClient client.Client
	HttpClient       *http.Client
	Initializers     *Initializers
	TokenStorage     tokenstorage.TokenStorage
}

Factory is able to construct service providers from repository URLs.

func (*Factory) FromRepoUrl 

func (f *Factory) FromRepoUrl(ctx context.Context, repoUrl string, namespace string) (ServiceProvider, error)

FromRepoUrl returns the service provider instance able to talk to the repository on the provided URL.

func (*Factory) NewCacheWithExpirationPolicy added in v0.2023.21 

func (f *Factory) NewCacheWithExpirationPolicy(policy MetadataExpirationPolicy) MetadataCache

NewCacheWithExpirationPolicy returns a new metadata cache instance configured using this factory and the supplied expiration policy

type FileDownloadNotSupportedError added in v0.8.3 

type FileDownloadNotSupportedError struct {
}

func (FileDownloadNotSupportedError) Error added in v0.8.3 

func (f FileDownloadNotSupportedError) Error() string

type GenericLookup added in v0.3.0 

type GenericLookup struct {
	// ServiceProviderType is just the type of the provider we're dealing with. It is used to limit the number of
	// results the filter function needs to sift through.
	ServiceProviderType api.ServiceProviderType
	// TokenFilter is the filter function that decides whether a token matches the requirements of a binding, given
	// the token's service-provider-specific state
	TokenFilter TokenFilter
	// MetadataProvider is used to figure out metadata of a token in the service provider useful for token lookup
	MetadataProvider MetadataProvider
	// MetadataCache is an abstraction used for storing/fetching the metadata of tokens
	MetadataCache *MetadataCache
	// RepoHostParser is a function that extracts the host from the repoUrl
	RepoHostParser RepoHostParser
}

GenericLookup implements a token lookup in a generic way such that the users only need to provide a function to provide a service-provider-specific "state" of the token and a "filter" function that uses the token and its state to match it against a binding

func (GenericLookup) Lookup added in v0.3.0 

func (l GenericLookup) Lookup(ctx context.Context, cl client.Client, matchable Matchable) ([]api.SPIAccessToken, error)

func (GenericLookup) PersistMetadata added in v0.3.0 

func (l GenericLookup) PersistMetadata(ctx context.Context, token *api.SPIAccessToken) error

type Initializer added in v0.2.1 

type Initializer struct {
	Probe       Probe
	Constructor Constructor
}

Initializer is struct that contains all necessary data to initialize a service provider instance from a URL using a Factory.

type Initializers added in v0.2023.21 

type Initializers struct {
	// contains filtered or unexported fields
}

func NewInitializers added in v0.2023.21 

func NewInitializers() *Initializers

func (*Initializers) AddKnownInitializer added in v0.2023.21 

func (i *Initializers) AddKnownInitializer(serviceprovider config.ServiceProviderType, initializer Initializer) *Initializers

func (*Initializers) GetInitializer added in v0.2023.21 

func (i *Initializers) GetInitializer(spType config.ServiceProviderType) (*Initializer, error)

GetInitializer returns initializer for given service provider type or error in case there is no initializer for such service provider. Initializers are listed in 'knownInitializers' map. Test 'TestAllServiceProvidersHaveInitializer' at 'known_test.go' verifies that all supported service providers has initializer.

NOTE: This is pulled out of the serviceprovider package to avoid a circular dependency between it and the implementation packages.

type Matchable added in v0.5.1 

type Matchable interface {
	Validated
	RepoUrl() string
	ObjNamespace() string
}

type MetadataCache added in v0.3.0 

type MetadataCache struct {
	// Client is the Kubernetes client to use for persisting the fetched metadata
	Client           client.Client
	ExpirationPolicy MetadataExpirationPolicy
	// CacheServiceProviderState specifies whether to fetch and cache the full state, including the service provider
	// state or just the basic info (like username and/or userid).
	CacheServiceProviderState bool
}

MetadataCache acts like a cache of metadata of tokens. On top of just CRUDing the token metadata, this struct handles the refreshes of the data when it is determined stale.

func (*MetadataCache) Ensure added in v0.3.0 

func (c *MetadataCache) Ensure(ctx context.Context, token *api.SPIAccessToken, ser MetadataProvider) error

Ensure makes sure that the metadata of the token is either still valid or has been refreshed using the MetadataProvider. This method calls Persist if needed.

func (*MetadataCache) Persist added in v0.3.0 

func (c *MetadataCache) Persist(ctx context.Context, token *api.SPIAccessToken) error

Persist assigns the last refresh time of the token metadata and updates the token

type MetadataExpirationPolicy added in v0.5.5 

type MetadataExpirationPolicy interface {
	// IsExpired returns true if the metadata of the supplied token should be refreshed, false otherwise.
	// The implementation can assume that `token.Status.TokenMetadata` is not nil.
	IsExpired(token *api.SPIAccessToken) bool
}

MetadataExpirationPolicy is responsible for the decision whether the metadata of a token should be refreshed or whether they are still considered valid.

type MetadataExpirationPolicyFunc added in v0.5.5 

type MetadataExpirationPolicyFunc func(token *api.SPIAccessToken) bool

MetadataExpirationPolicyFunc an adaptor for making a function an implementation of MetadataExpirationPolicy interface.

func (MetadataExpirationPolicyFunc) IsExpired added in v0.5.5 

func (f MetadataExpirationPolicyFunc) IsExpired(token *api.SPIAccessToken) bool

type MetadataProvider added in v0.3.0 

type MetadataProvider interface {
	// Fetch tries to fetch the token metadata and assign it in the token. Note that the metadata of the token may or
	// may not be nil and this method shouldn't change it unless there is data to assign.
	// Implementors should make sure to return some errors.ServiceProviderError if the failure to fetch the metadata is
	// caused by the token or service provider itself and not other environmental reasons.
	//
	// The `includeState` governs the initialization of the `api.TokenMetadata.ServiceProviderState` field.
	// If it is false, the provider can leave it out, leading to reduced time needed to initialize the metadata.
	// This field is assumed to not be needed if the token match policy is set to "any" (which is currently the default).
	Fetch(ctx context.Context, token *api.SPIAccessToken, includeState bool) (*api.TokenMetadata, error)
}

MetadataProvider is a function that converts a fills in the metadata in the token's status with service-provider-specific information used for token matching.

type MetadataProviderFunc added in v0.3.0 

type MetadataProviderFunc func(ctx context.Context, token *api.SPIAccessToken, includeState bool) (*api.TokenMetadata, error)

func (MetadataProviderFunc) Fetch added in v0.3.0 

func (f MetadataProviderFunc) Fetch(ctx context.Context, token *api.SPIAccessToken, includeState bool) (*api.TokenMetadata, error)

type NeverMetadataExpirationPolicy added in v0.5.5 

type NeverMetadataExpirationPolicy struct{}

NeverMetadataExpirationPolicy is a MetadataExpirationPolicy that makes the metadata to never expire.

func (NeverMetadataExpirationPolicy) IsExpired added in v0.5.5 

func (t NeverMetadataExpirationPolicy) IsExpired(_ *api.SPIAccessToken) bool

type OAuthCapability added in v0.2023.21 

type OAuthCapability interface {
	// GetOAuthEndpoint returns the URL of the OAuth initiation. This must point to the SPI oauth service, NOT
	//the service provider itself.
	GetOAuthEndpoint() string

	// OAuthScopesFor translates all the permissions into a list of service-provider-specific scopes. This method
	// is used to compose the OAuth flow URL. There is a generic helper, GetAllScopes, that can be used if all that is
	// needed is just a translation of permissions into scopes.
	OAuthScopesFor(permissions *api.Permissions) []string
}

type Probe added in v0.2.1 

type Probe interface {
	// Examine returns the base url of the service provider, if the provided URL can be handled by that provider or
	// an empty string if it cannot. The provided http client can be used to perform requests against the URL if needed.
	Examine(cl *http.Client, url string) (string, error)
}

Probe is a simple function that can determine whether a URL can be handled by a certain service provider.

type ProbeFunc added in v0.2.1 

type ProbeFunc func(*http.Client, string) (string, error)

ProbeFunc provides the Probe implementation for compatible functions

func (ProbeFunc) Examine added in v0.2.1 

func (p ProbeFunc) Examine(cl *http.Client, url string) (string, error)

type RefreshTokenCapability added in v0.2023.21 

type RefreshTokenCapability interface {
	// RefreshToken requests new access token from the service provider using refresh token as authorization.
	// This invalidates the old access token and refresh token
	RefreshToken(ctx context.Context, token *api.Token, config *oauth2.Config) (*api.Token, error)
}

RefreshTokenCapability indicates an ability of given SCM provider to refresh issued OAuth access tokens.

type RefreshTokenNotSupportedError added in v0.2023.21 

type RefreshTokenNotSupportedError struct {
}

func (RefreshTokenNotSupportedError) Error added in v0.2023.21 

func (f RefreshTokenNotSupportedError) Error() string

type RepoHostParser added in v0.5.5 

type RepoHostParser func(url string) (string, error)

type ServiceProvider 

type ServiceProvider interface {
	// LookupTokens tries to match an SPIAccessToken object with the requirements expressed in the provided binding.
	// This usually searches kubernetes (using the provided client) and the service provider itself (using some specific
	// mechanism (usually an http client)).
	LookupTokens(ctx context.Context, cl client.Client, binding *api.SPIAccessTokenBinding) ([]api.SPIAccessToken, error)

	// PersistMetadata tries to use the OAuth access token associated with the provided token (if any) and persists any
	// state and metadata required for the token lookup. The metadata must be stored in the Status.TokenMetadata field
	// of the provided token.
	// Implementors should make sure that this method returns InvalidAccessTokenError if the reason for the failure is
	// an invalid token. This is important to distinguish between environmental errors and errors in the data itself.
	PersistMetadata(ctx context.Context, cl client.Client, token *api.SPIAccessToken) error

	// GetBaseUrl returns the base URL of the service provider this instance talks to. This info is saved with the
	// SPIAccessTokens so that later on, the OAuth service can use it to construct the OAuth flow URLs.
	GetBaseUrl() string

	// GetType merely returns the type of the service provider this instance talks to.
	GetType() config.ServiceProviderType

	CheckRepositoryAccess(ctx context.Context, cl client.Client, accessCheck *api.SPIAccessCheck) (*api.SPIAccessCheckStatus, error)

	// GetDownloadFileCapability returns capability object for the providers which are able to download files from the repository
	// or nil for those which are not
	GetDownloadFileCapability() DownloadFileCapability

	// GetRefreshTokenCapability returns capability object for the providers which are able to refresh OAuth access tokens.
	// or nil
	GetRefreshTokenCapability() RefreshTokenCapability

	// GetOAuthCapability returns oauth capability of the service provider.
	// It can be null in case service provider don't support OAuth or it is not configured.
	GetOAuthCapability() OAuthCapability

	// MapToken creates an access token mapper for given binding and token using the service-provider specific data.
	// The implementations can use the DefaultMapToken method if they don't use any custom logic.
	MapToken(ctx context.Context, binding *api.SPIAccessTokenBinding, token *api.SPIAccessToken, tokenData *api.Token) (AccessTokenMapper, error)

	// Validate checks that the provided object (token or binding) is valid in this service provider
	Validate(ctx context.Context, validated Validated) (ValidationResult, error)
}

ServiceProvider abstracts the interaction with some service provider

type TestCapabilities added in v0.2023.21 

type TestCapabilities struct {
	DownloadFileImpl     func(context.Context, string, string, string, *api.SPIAccessToken, int) (string, error)
	GetOAuthEndpointImpl func() string
	OAuthScopesForImpl   func(permission *api.Permissions) []string
	RefreshTokenImpl     func(ctx context.Context, token *api.Token, config *oauth2.Config) (*api.Token, error)
}

TestCapabilities is a test implementation for capabilities that Service Provider can have. Currently, it aggregates DownloadFileCapability and OAuthCapability. All of these have valid results (i.e. do not result in any errors).

func (*TestCapabilities) DownloadFile added in v0.2023.21 

func (t *TestCapabilities) DownloadFile(ctx context.Context, repoUrl, filepath, ref string, token *api.SPIAccessToken, maxFileSizeLimit int) (string, error)

func (*TestCapabilities) GetOAuthEndpoint added in v0.2023.21 

func (t *TestCapabilities) GetOAuthEndpoint() string

func (*TestCapabilities) OAuthScopesFor added in v0.2023.21 

func (t *TestCapabilities) OAuthScopesFor(permissions *api.Permissions) []string

func (*TestCapabilities) RefreshToken added in v0.2023.21 

func (t *TestCapabilities) RefreshToken(ctx context.Context, token *api.Token, config *oauth2.Config) (*api.Token, error)

type TestServiceProvider added in v0.2023.21 

type TestServiceProvider struct {
	LookupTokensImpl          func(context.Context, client.Client, *api.SPIAccessTokenBinding) ([]api.SPIAccessToken, error)
	PersistMetadataImpl       func(context.Context, client.Client, *api.SPIAccessToken) error
	GetBaseUrlImpl            func() string
	GetTypeImpl               func() config.ServiceProviderType
	CheckRepositoryAccessImpl func(context.Context, client.Client, *api.SPIAccessCheck) (*api.SPIAccessCheckStatus, error)
	MapTokenImpl              func(context.Context, *api.SPIAccessTokenBinding, *api.SPIAccessToken, *api.Token) (AccessTokenMapper, error)
	ValidateImpl              func(context.Context, Validated) (ValidationResult, error)
	CustomizeReset            func(provider *TestServiceProvider)
	DownloadFileCapability    func() DownloadFileCapability
	RefreshTokenCapability    func() RefreshTokenCapability
	OAuthCapability           func() OAuthCapability
}

TestServiceProvider is an implementation of the serviceprovider.ServiceProvider interface that can be modified by supplying custom implementations of each of the interface methods. It provides dummy implementations of them, too, so that no null pointer dereferences should occur under normal operation.

func (TestServiceProvider) CheckRepositoryAccess added in v0.2023.21 

func (t TestServiceProvider) CheckRepositoryAccess(ctx context.Context, cl client.Client, accessCheck *api.SPIAccessCheck) (*api.SPIAccessCheckStatus, error)

func (TestServiceProvider) GetBaseUrl added in v0.2023.21 

func (t TestServiceProvider) GetBaseUrl() string

func (TestServiceProvider) GetDownloadFileCapability added in v0.2023.21 

func (t TestServiceProvider) GetDownloadFileCapability() DownloadFileCapability

func (TestServiceProvider) GetOAuthCapability added in v0.2023.21 

func (t TestServiceProvider) GetOAuthCapability() OAuthCapability

func (TestServiceProvider) GetRefreshTokenCapability added in v0.2023.21 

func (t TestServiceProvider) GetRefreshTokenCapability() RefreshTokenCapability

func (TestServiceProvider) GetType added in v0.2023.21 

func (t TestServiceProvider) GetType() config.ServiceProviderType

func (TestServiceProvider) LookupTokens added in v0.2023.21 

func (t TestServiceProvider) LookupTokens(ctx context.Context, cl client.Client, binding *api.SPIAccessTokenBinding) ([]api.SPIAccessToken, error)

func (TestServiceProvider) MapToken added in v0.2023.21 

func (t TestServiceProvider) MapToken(ctx context.Context, binding *api.SPIAccessTokenBinding, token *api.SPIAccessToken, tokenData *api.Token) (AccessTokenMapper, error)

func (TestServiceProvider) PersistMetadata added in v0.2023.21 

func (t TestServiceProvider) PersistMetadata(ctx context.Context, cl client.Client, token *api.SPIAccessToken) error

func (*TestServiceProvider) Reset added in v0.2023.21 

func (t *TestServiceProvider) Reset()

func (TestServiceProvider) Validate added in v0.2023.21 

func (t TestServiceProvider) Validate(ctx context.Context, validated Validated) (ValidationResult, error)

type TokenFilter added in v0.3.0 

type TokenFilter interface {
	Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)
}

TokenFilter is a helper interface to implement the ServiceProvider.LookupToken method using the GenericLookup struct. 

var MatchAllTokenFilter TokenFilter = TokenFilterFunc(func(ctx context.Context, binding Matchable, token *api.SPIAccessToken) (bool, error) {
	debugLog := log.FromContext(ctx).V(logs.DebugLevel)
	debugLog.Info("Unconditional token match", "token", token)
	return true, nil
})

MatchAllTokenFilter is a TokenFilter that match any token

func NewFilter added in v0.7.3 

func NewFilter(policy config.TokenPolicy, exactTokenFilter TokenFilter) TokenFilter

type TokenFilterFunc added in v0.3.0 

type TokenFilterFunc func(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)

TokenFilterFunc converts a function into the implementation of the TokenFilter interface

func (TokenFilterFunc) Matches added in v0.3.0 

func (f TokenFilterFunc) Matches(ctx context.Context, matchable Matchable, token *api.SPIAccessToken) (bool, error)

type TtlMetadataExpirationPolicy added in v0.5.5 

type TtlMetadataExpirationPolicy struct {
	Ttl time.Duration
}

TtlMetadataExpirationPolicy is a MetadataExpirationPolicy implementation that checks whether the metadata of the token is older than the configured TTL (time to live).

func (TtlMetadataExpirationPolicy) IsExpired added in v0.5.5 

func (t TtlMetadataExpirationPolicy) IsExpired(token *api.SPIAccessToken) bool

type Validated added in v0.5.5 

type Validated interface {
	Permissions() *api.Permissions
}

type ValidationResult added in v0.5.5 

type ValidationResult struct {
	// ScopeValidation is the reasons for the scopes and permissions to be invalid
	ScopeValidation []error
}

ValidationResult represents the results of the ServiceProvider.Validate method.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.