Respect authorisation request opt-out on workspace start (#576)

If user rejects an scm provider authorisation request while creating or starting existed workspace store the name of the scm provider in the workspace-preferences config-map. The workspace create/start step must proceed without token fetch step. If user creates another workspace or starts existed workspace from an scm provider which name is stored in the config-map, do not ask the authorisation as it was already rejected once.
eclipse-che · Oct 12, 2023 · 148415c · 148415c
1 parent 386f849
commit 148415c
Show file tree

Hide file tree

Showing 34 changed files with 886 additions and 203 deletions.
diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
@@ -51,7 +51,6 @@
 import org.eclipse.che.api.factory.server.github.GithubScmFileResolver;
 import org.eclipse.che.api.factory.server.gitlab.GitlabFactoryParametersResolver;
 import org.eclipse.che.api.factory.server.gitlab.GitlabScmFileResolver;
-import org.eclipse.che.api.factory.server.scm.OAuthTokenFetcher;
 import org.eclipse.che.api.metrics.WsMasterMetricsModule;
 import org.eclipse.che.api.system.server.ServiceTermination;
 import org.eclipse.che.api.system.server.SystemModule;
@@ -413,7 +412,6 @@ private void configureMultiUserMode(
       bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
       bind(ProfileDao.class).to(JpaProfileDao.class);
       bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
-      bind(OAuthTokenFetcher.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
     }
 
     bind(AdminPermissionInitializer.class).asEagerSingleton();

diff --git a/infrastructures/infrastructure-factory/pom.xml b/infrastructures/infrastructure-factory/pom.xml
@@ -23,6 +23,10 @@
     <packaging>jar</packaging>
     <name>Infrastructure :: Factory components</name>
     <dependencies>
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
@@ -43,6 +47,14 @@
             <groupId>jakarta.inject</groupId>
             <artifactId>jakarta.inject-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>jakarta.ws.rs</groupId>
+            <artifactId>jakarta.ws.rs-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.che.core</groupId>
+            <artifactId>che-core-api-auth</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-api-core</artifactId>

diff --git a/...ure-factory/src/main/java/org/eclipse/che/api/factory/server/scm/KubernetesScmModule.java b/...ure-factory/src/main/java/org/eclipse/che/api/factory/server/scm/KubernetesScmModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2023 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -12,13 +12,16 @@
 package org.eclipse.che.api.factory.server.scm;
 
 import com.google.inject.AbstractModule;
+import org.eclipse.che.api.factory.server.scm.kubernetes.KubernetesAuthorisationRequestManager;
 import org.eclipse.che.api.factory.server.scm.kubernetes.KubernetesGitCredentialManager;
 import org.eclipse.che.api.factory.server.scm.kubernetes.KubernetesPersonalAccessTokenManager;
+import org.eclipse.che.security.oauth.AuthorisationRequestManager;
 
 public class KubernetesScmModule extends AbstractModule {
   @Override
   protected void configure() {
     bind(GitCredentialManager.class).to(KubernetesGitCredentialManager.class);
     bind(PersonalAccessTokenManager.class).to(KubernetesPersonalAccessTokenManager.class);
+    bind(AuthorisationRequestManager.class).to(KubernetesAuthorisationRequestManager.class);
   }
 }
diff --git a/.../eclipse/che/api/factory/server/scm/kubernetes/KubernetesAuthorisationRequestManager.java b/.../eclipse/che/api/factory/server/scm/kubernetes/KubernetesAuthorisationRequestManager.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 2012-2023 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.api.factory.server.scm.kubernetes;
+
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static org.eclipse.che.commons.lang.UrlUtils.getParameter;
+import static org.eclipse.che.commons.lang.UrlUtils.getQueryParametersFromState;
+import static org.eclipse.che.commons.lang.UrlUtils.getRequestUrl;
+import static org.eclipse.che.commons.lang.UrlUtils.getState;
+import static org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.PREFERENCES_CONFIGMAP_NAME;
+
+import com.google.gson.Gson;
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import jakarta.ws.rs.core.UriInfo;
+import java.net.URL;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import org.eclipse.che.api.factory.server.scm.exception.ScmConfigurationPersistenceException;
+import org.eclipse.che.api.factory.server.scm.exception.UnsatisfiedScmPreconditionException;
+import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.security.oauth.AuthorisationRequestManager;
+import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
+import org.eclipse.che.workspace.infrastructure.kubernetes.api.shared.KubernetesNamespaceMeta;
+import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesNamespaceFactory;
+
+/** Store and retrieve rejected authorisation requests in the Kubernetes ConfigMap. */
+@Singleton
+public class KubernetesAuthorisationRequestManager implements AuthorisationRequestManager {
+  private final KubernetesNamespaceFactory namespaceFactory;
+  private final CheServerKubernetesClientFactory cheServerKubernetesClientFactory;
+  private static final String SKIP_AUTHORISATION_MAP_KEY = "skip-authorisation";
+
+  @Inject
+  public KubernetesAuthorisationRequestManager(
+      KubernetesNamespaceFactory namespaceFactory,
+      CheServerKubernetesClientFactory cheServerKubernetesClientFactory) {
+    this.namespaceFactory = namespaceFactory;
+    this.cheServerKubernetesClientFactory = cheServerKubernetesClientFactory;
+  }
+
+  @Override
+  public void store(String scmProviderName) {
+    if (isStored(scmProviderName)) {
+      return;
+    }
+    ConfigMap configMap = getConfigMap();
+    HashSet<String> fromJson = getSkipAuthorisationValues();
+    fromJson.add(scmProviderName);
+
+    configMap.setData(Map.of(SKIP_AUTHORISATION_MAP_KEY, fromJson.toString()));
+
+    patchConfigMap(configMap);
+  }
+
+  @Override
+  public void remove(String scmProviderName) {
+    if (!isStored(scmProviderName)) {
+      return;
+    }
+    ConfigMap configMap = getConfigMap();
+    HashSet<String> fromJson = getSkipAuthorisationValues();
+    fromJson.remove(scmProviderName);
+
+    configMap.setData(Map.of(SKIP_AUTHORISATION_MAP_KEY, fromJson.toString()));
+
+    patchConfigMap(configMap);
+  }
+
+  @Override
+  public boolean isStored(String scmProviderName) {
+    return getSkipAuthorisationValues().contains(scmProviderName);
+  }
+
+  @Override
+  public void callback(UriInfo uriInfo, List<String> errorValues) {
+    URL requestUrl = getRequestUrl(uriInfo);
+    Map<String, List<String>> params = getQueryParametersFromState(getState(requestUrl));
+    errorValues = errorValues == null ? uriInfo.getQueryParameters().get("error") : errorValues;
+    if (errorValues != null && errorValues.contains("access_denied")) {
+      store(getParameter(params, "oauth_provider"));
+    }
+  }
+
+  private ConfigMap getConfigMap() {
+    try (KubernetesClient kubernetesClient = cheServerKubernetesClientFactory.create()) {
+      String namespace = getFirstNamespace();
+      return kubernetesClient
+          .configMaps()
+          .inNamespace(namespace)
+          .withName(PREFERENCES_CONFIGMAP_NAME)
+          .get();
+    } catch (UnsatisfiedScmPreconditionException
+        | ScmConfigurationPersistenceException
+        | InfrastructureException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private void patchConfigMap(ConfigMap configMap) {
+    try (KubernetesClient kubernetesClient = cheServerKubernetesClientFactory.create()) {
+      kubernetesClient
+          .configMaps()
+          .inNamespace(getFirstNamespace())
+          .withName(PREFERENCES_CONFIGMAP_NAME)
+          .patch(configMap);
+    } catch (UnsatisfiedScmPreconditionException
+        | ScmConfigurationPersistenceException
+        | InfrastructureException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private HashSet<String> getSkipAuthorisationValues() {
+    String data = getConfigMap().getData().get(SKIP_AUTHORISATION_MAP_KEY);
+    return new Gson().fromJson(isNullOrEmpty(data) ? "[]" : data, HashSet.class);
+  }
+
+  private String getFirstNamespace()
+      throws UnsatisfiedScmPreconditionException, ScmConfigurationPersistenceException {
+    try {
+      return namespaceFactory.list().stream()
+          .map(KubernetesNamespaceMeta::getName)
+          .findFirst()
+          .orElseThrow(
+              () ->
+                  new UnsatisfiedScmPreconditionException(
+                      "No user namespace found. Cannot read SCM credentials."));
+    } catch (InfrastructureException e) {
+      throw new ScmConfigurationPersistenceException(e.getMessage(), e);
+    }
+  }
+}