diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
index 6a80fd23ee..af78fdf737 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
@@ -44,15 +44,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.KubernetesDev
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironmentFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.RemoveNamespaceOnWorkspaceRemove;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.CredentialsSecretConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.GitconfigUserDataConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.PreferencesConfigMapConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPermissionConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.WorkspaceServiceAccountConfigurator;
+import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GatewayTlsProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.IngressTlsProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiExternalEnvVarProvider;
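Review bot: The added `import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*;` replaces nine explicit imports with a wildcard, which hides which configurator classes this Guice module actually binds and lets any class later added to that package resolve here by simple name. Keeping the explicit list and adding only `import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.OAuthTokenSecretsConfigurator;` keeps the set of bound configurators auditable from the import block. The same wildcard is introduced in the import hunk of OpenShiftInfraModule.java.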
@@ -101,6 +93,7 @@ public class KubernetesInfraModule extends AbstractModule {
 Multibinder.newSetBinder(binder(), NamespaceConfigurator.class);
 namespaceConfigurators.addBinding().to(UserPermissionConfigurator.class);
 namespaceConfigurators.addBinding().to(CredentialsSecretConfigurator.class);
+ namespaceConfigurators.addBinding().to(OAuthTokenSecretsConfigurator.class);
 namespaceConfigurators.addBinding().to(PreferencesConfigMapConfigurator.class);
 namespaceConfigurators.addBinding().to(WorkspaceServiceAccountConfigurator.class);
 namespaceConfigurators.addBinding().to(UserProfileConfigurator.class);
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/OAuthTokenSecretsConfigurator.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/OAuthTokenSecretsConfigurator.java
new file mode 100644
index 0000000000..d68978ccbd
--- /dev/null
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/OAuthTokenSecretsConfigurator.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2012-2023 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator;
+
+import com.google.common.collect.ImmutableMap;
+import java.util.Map;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import org.eclipse.che.api.factory.server.scm.PersonalAccessTokenFetcher;
+import org.eclipse.che.api.factory.server.scm.PersonalAccessTokenManager;
+import org.eclipse.che.api.factory.server.scm.exception.ScmCommunicationException;
+import org.eclipse.che.api.factory.server.scm.exception.ScmConfigurationPersistenceException;
+import org.eclipse.che.api.factory.server.scm.exception.ScmUnauthorizedException;
+import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;
+import org.eclipse.che.commons.env.EnvironmentContext;
+import org.eclipse.che.commons.subject.Subject;
+import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
+
+/**
+ * Ensures that OAuth token that are represented by Kubernetes Secrets are valid.
+ *
+ * @author Anatolii Bazko
+ */
+@Singleton
+public class OAuthTokenSecretsConfigurator implements NamespaceConfigurator {
+
+ private final CheServerKubernetesClientFactory cheServerKubernetesClientFactory;
+ private final PersonalAccessTokenManager personalAccessTokenManager;
+
+ private static final String ANNOTATION_SCM_URL = "che.eclipse.org/scm-url";
+ private static final String ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME =
+ "che.eclipse.org/scm-personal-access-token-name";
+
+ private static final Map SEARCH_LABELS =
+ ImmutableMap.of(
+ "app.kubernetes.io/part-of", "che.eclipse.org",
+ "app.kubernetes.io/component", "scm-personal-access-token");
+
+ @Inject
+ public OAuthTokenSecretsConfigurator(
+ CheServerKubernetesClientFactory cheServerKubernetesClientFactory,
+ PersonalAccessTokenManager personalAccessTokenManager) {
+ this.cheServerKubernetesClientFactory = cheServerKubernetesClientFactory;
+ this.personalAccessTokenManager = personalAccessTokenManager;
+ }
+
+ @Override
+ public void configure(NamespaceResolutionContext namespaceResolutionContext, String namespaceName)
+ throws InfrastructureException {
+ var client = cheServerKubernetesClientFactory.create();
+ client.secrets().inNamespace(namespaceName).withLabels(SEARCH_LABELS).list().getItems().stream()
+ .filter(
+ s ->
+ s.getMetadata().getAnnotations() != null
+ && s.getMetadata().getAnnotations().containsKey(ANNOTATION_SCM_URL)
+ && s.getMetadata()
+ .getAnnotations()
+ .containsKey(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME)
+ && s.getMetadata()
+ .getAnnotations()
+ .get(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME)
+ .startsWith(PersonalAccessTokenFetcher.OAUTH_2_PREFIX))
+ .forEach(
+ s -> {
+ try {
+ Subject cheSubject = EnvironmentContext.getCurrent().getSubject();
+ personalAccessTokenManager.get(
+ cheSubject, s.getMetadata().getAnnotations().get(ANNOTATION_SCM_URL));
+ } catch (ScmCommunicationException
+ | ScmConfigurationPersistenceException
+ | ScmUnauthorizedException e) {
+ throw new RuntimeException(e);
+ }
+ });
+ }
+}
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
index df397b481e..1678d1ba58 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
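Review bot: In `configure`, the catch block inside the `forEach` lambda rethrows `ScmCommunicationException`, `ScmConfigurationPersistenceException` and `ScmUnauthorizedException` as a bare `RuntimeException`, so a single stale token secret or an unreachable SCM host aborts namespace configuration with an unchecked exception instead of the declared `InfrastructureException`. An expired or revoked token looks like exactly the case this configurator exists for, so the failure policy should be explicit: either record the failure and continue with the next secret, or iterate with a plain loop and throw `InfrastructureException` as sketched below. In the same method the subject comes from the calling thread's `EnvironmentContext` rather than from `namespaceResolutionContext`, and it is fetched once per secret; it is worth confirming that this subject is always the namespace owner when `configure` runs. The `che.eclipse.org/scm-url` annotation is also passed to `personalAccessTokenManager.get` unchecked although it is read from a secret stored in the workspace namespace, so presumably the manager is expected to reject URLs of unconfigured SCM hosts; a comment stating that assumption would help.

```java
// … unchanged: client creation and the label/annotation filter, collected into a list `tokenSecrets` …
Subject cheSubject = EnvironmentContext.getCurrent().getSubject();
for (var secret : tokenSecrets) {
  String scmUrl = secret.getMetadata().getAnnotations().get(ANNOTATION_SCM_URL);
  try {
    personalAccessTokenManager.get(cheSubject, scmUrl);
  } catch (ScmCommunicationException
      | ScmConfigurationPersistenceException
      | ScmUnauthorizedException e) {
    // Fail with the declared checked type so callers can handle it; if a bad
    // token must not block workspace start, report it here and continue instead.
    throw new InfrastructureException(e.getMessage(), e);
  }
}
```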
@@ -48,14 +48,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.KubernetesDev
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironmentFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesNamespaceFactory;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.CredentialsSecretConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.GitconfigUserDataConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.PreferencesConfigMapConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPermissionConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator;
-import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator;
+import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GatewayTlsProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiExternalEnvVarProvider;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiInternalEnvVarProvider;
@@ -110,6 +103,7 @@ public class OpenShiftInfraModule extends AbstractModule {
 namespaceConfigurators.addBinding().to(UserProfileConfigurator.class);
 namespaceConfigurators.addBinding().to(UserPreferencesConfigurator.class);
 namespaceConfigurators.addBinding().to(CredentialsSecretConfigurator.class);
+ namespaceConfigurators.addBinding().to(OAuthTokenSecretsConfigurator.class);
 namespaceConfigurators.addBinding().to(PreferencesConfigMapConfigurator.class);
 namespaceConfigurators.addBinding().to(OpenShiftWorkspaceServiceAccountConfigurator.class);
 namespaceConfigurators.addBinding().to(OpenShiftStopWorkspaceRoleConfigurator.class);