support oauth2 with auth params (streamnative#876)

freeznet · nodece · web-flow · commit 1e7d7b368fd4 · 2022-11-07T17:37:13.000+08:00
* support oauth2 with auth params

* goimport

* fix style

* fix style

* Update pkg/auth/oauth2.go

Co-authored-by: Zixuan Liu &lt;nodeces@gmail.com&gt;

* Update pkg/auth/oauth2.go

Co-authored-by: Zixuan Liu &lt;nodeces@gmail.com&gt;

* Update pkg/auth/oauth2.go

Co-authored-by: Zixuan Liu &lt;nodeces@gmail.com&gt;

* Update pkg/auth/oauth2.go

Co-authored-by: Zixuan Liu &lt;nodeces@gmail.com&gt;

Co-authored-by: Zixuan Liu &lt;nodeces@gmail.com&gt;
diff --git a/pkg/auth/auth_provider.go b/pkg/auth/auth_provider.go
@@ -52,6 +52,10 @@ func GetAuthProvider(config *common.Config) (Provider, error) {
 		fallthrough
 	case TokePluginShortName:
 		provider, err = NewAuthenticationTokenFromAuthParams(config.AuthParams, defaultTransport)
+	case OAuth2PluginName:
+		fallthrough
+	case OAuth2PluginShortName:
+		provider, err = NewAuthenticationOAuth2FromAuthParams(config.AuthParams, defaultTransport)
 	default:
 		switch {
 		case len(config.TLSCertFile) > 0 && len(config.TLSKeyFile) > 0:
diff --git a/pkg/auth/oauth2.go b/pkg/auth/oauth2.go
@@ -18,6 +18,7 @@
 package auth
 
 import (
+	"encoding/json"
 	"net/http"
 	"path/filepath"
 
@@ -32,6 +33,19 @@ import (
 	xoauth2 "golang.org/x/oauth2"
 )
 
+const (
+	OAuth2PluginName      = "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
+	OAuth2PluginShortName = "oauth2"
+)
+
+type OAuth2ClientCredentials struct {
+	IssuerURL  string `json:"issuerUrl,omitempty"`
+	Audience   string `json:"audience,omitempty"`
+	Scope      string `json:"scope,omitempty"`
+	PrivateKey string `json:"privateKey,omitempty"`
+	ClientID   string `json:"clientId,omitempty"`
+}
+
 type OAuth2Provider struct {
 	clock            clock2.RealClock
 	issuer           oauth2.Issuer
@@ -85,6 +99,18 @@ func NewAuthenticationOAuth2WithDefaultFlow(issuer oauth2.Issuer, keyFile string
 	return p, p.loadGrant()
 }
 
+func NewAuthenticationOAuth2FromAuthParams(encodedAuthParam string,
+	transport http.RoundTripper) (*OAuth2Provider, error) {
+
+	var paramsJSON OAuth2ClientCredentials
+	err := json.Unmarshal([]byte(encodedAuthParam), &paramsJSON)
+	if err != nil {
+		return nil, err
+	}
+	return NewAuthenticationOAuth2WithParams(paramsJSON.IssuerURL, paramsJSON.ClientID, paramsJSON.Audience,
+		paramsJSON.Scope, transport)
+}
+
 func NewAuthenticationOAuth2WithParams(
 	issuerEndpoint,
 	clientID,
diff --git a/pkg/oauth2/active.go b/pkg/oauth2/active.go
@@ -62,11 +62,22 @@ func activateCmd(vc *cmdutils.VerbCmd) {
 			"The path to the private key file")
 		set.StringVar(&c.Scope, "scope", c.Scope,
 			"The OAuth 2.0 scope(s) to request")
+		set.StringVar(
+			&c.AuthParams,
+			"auth-params",
+			c.AuthParams,
+			"Authentication parameters are used to configure the OAuth 2.0 provider.\n"+
+				" OAuth2 example: \"{\"audience\":\"test\",\"issuerUrl\":\"https://sample\","+
+				"\"privateKey\":\"/mnt/secrets/auth.json\",\"scope\":\"api://default/\"}\"\n")
 	})
 	vc.EnableOutputFlagSet()
 }
 
 func doActivate(vc *cmdutils.VerbCmd, config *cmdutils.ClusterConfig) error {
+	config, err := applyClientCredentialsToConfig(config)
+	if err != nil {
+		return err
+	}
 	if config.KeyFile == "" {
 		return errors.New("required: key-file")
 	}
diff --git a/pkg/oauth2/login.go b/pkg/oauth2/login.go
@@ -63,11 +63,22 @@ func loginCmd(vc *cmdutils.VerbCmd) {
 			"The OAuth 2.0 client identifier for pulsarctl")
 		set.StringVar(&c.Scope, "scope", c.Scope,
 			"The OAuth 2.0 scope(s) to request")
+		set.StringVar(
+			&c.AuthParams,
+			"auth-params",
+			c.AuthParams,
+			"Authentication parameters are used to configure the OAuth 2.0 provider.\n"+
+				" OAuth2 example: \"{\"audience\":\"test\",\"issuerUrl\":\"https://sample\","+
+				"\"privateKey\":\"/mnt/secrets/auth.json\",\"scope\":\"api://default/\"}\"\n")
 	})
 	vc.EnableOutputFlagSet()
 }
 
 func doLogin(vc *cmdutils.VerbCmd, config *cmdutils.ClusterConfig, noRefresh bool) error {
+	config, err := applyClientCredentialsToConfig(config)
+	if err != nil {
+		return err
+	}
 	if config.IssuerEndpoint == "" {
 		return errors.New("required: issuer-endpoint")
 	}
diff --git a/pkg/oauth2/oauth2.go b/pkg/oauth2/oauth2.go
@@ -18,10 +18,20 @@
 package oauth2
 
 import (
+	"encoding/json"
+
 	"github.com/spf13/cobra"
 	"github.com/streamnative/pulsarctl/pkg/cmdutils"
 )
 
+type ClientCredentials struct {
+	IssuerURL  string `json:"issuerUrl,omitempty"`
+	Audience   string `json:"audience,omitempty"`
+	Scope      string `json:"scope,omitempty"`
+	PrivateKey string `json:"privateKey,omitempty"`
+	ClientID   string `json:"clientId,omitempty"`
+}
+
 func Command(grouping *cmdutils.FlagGrouping) *cobra.Command {
 	resourceCmd := cmdutils.NewResourceCmd(
 		"oauth2",
@@ -34,3 +44,19 @@ func Command(grouping *cmdutils.FlagGrouping) *cobra.Command {
 
 	return resourceCmd
 }
+
+func applyClientCredentialsToConfig(config *cmdutils.ClusterConfig) (*cmdutils.ClusterConfig, error) {
+	if config.AuthParams != "" && config.KeyFile == "" &&
+		config.IssuerEndpoint == "" && config.Audience == "" && config.Scope == "" {
+		var paramsJSON ClientCredentials
+		err := json.Unmarshal([]byte(config.AuthParams), &paramsJSON)
+		if err != nil {
+			return config, err
+		}
+		config.IssuerEndpoint = paramsJSON.IssuerURL
+		config.Audience = paramsJSON.Audience
+		config.Scope = paramsJSON.Scope
+		config.KeyFile = paramsJSON.PrivateKey
+	}
+	return config, nil
+}
