Add auth support for UAA IDP #802


Merged
merged 2 commits into from
Aug 30, 2024

Conversation

@vuil vuil (Contributor) commented Aug 28, 2024

A fair bit of code refactoring to support multiple IDPs, including new support for UAA.

The IDP used in CLI context creation is stored in the Context's additionalMetadata map.

context get-token is updated to refresh the token based on the IDP associated with said context.

tanzu context create / tanzu login are updated to use the UAA IDP unless the CLI recognizes the endpoint as a public Tanzu Platform service endpoint or if the CSP IDP is explicitly requested with the --force-csp hidden flag.

What this PR does / why we need it

Which issue(s) this PR fixes

Fixes #

Describe testing done for PR

  • Ran unit tests

  • Manual testing of the following commands:

1. > tanzu login --staging --endpoint https://xx --tanzu-hub-endpoint https://yyy

2. > tanzu login

3. > tanzu login --endpoint https://local-uaa-based-endpoint

4. > ./bin/tanzu context create mytanzuUAA5 -t tanzu --endpoint https://www.alternate.endpoint.com
  [i] Opening the browser window to complete the login
  Log in by visiting this link:

      https://www.alternate.endpoint.com/auth/oauth/authorize?client_id=tp_cli_app&code_challenge=dKfHWRO5hsIVCDFUCDq1g9SjfasXPAeA1rzim7DSDt0&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A57080%2Fcallback&response_type=code&state=575286858256d936f902d73cfe53af31

      Optionally, paste your authorization code: [...]


  [ok] Successfully logged in to 'https://www.alternate.endpoint.com' and created a tanzu context
  > tanzu context current
    Name:            mytanzuUAA5
    Type:            tanzu
    Organization:     ()
    Project:         none set
    Kube Config:     /Users/johndoe/.config/tanzu/kube/config
    Kube Context:    tanzu-cli-mytanzuUAA5

  > ./bin/tanzu login --endpoint https://www.alternate.endpoint.com
  [i] Opening the browser window to complete the login
  Log in by visiting this link:

      https://www.alternate.endpoint.com/auth/oauth/authorize?client_id=tp_cli_app&code_challenge=Zk567ZHRL21Kkp0RpBRbz7QnGaSw9TlD7szg27sHAr4&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A57333%2Fcallback&response_type=code&state=74259704d8911cc27469cb10127f5b29

      Optionally, paste your authorization code: [...]


  [ok] Successfully logged in to 'https://www.alternate.endpoint.com' and created a tanzu context

  > tanzu context current
    Name:            tpsm-c297cb71
    Type:            tanzu
    Project:         none set
    Kube Config:     /Users/johndoe/.config/tanzu/kube/config
    Kube Context:    tanzu-cli-tpsm-c297cb71

5. > tanzu login --endpoint https://dev-csp-based-endpoint --force-csp

6. > tanzu context get-token context_name (for both CSP and UAA-based contexts)

Release note

Add support for using UAA as the IDP. After this change, endpoint URIs provided when creating a 'tanzu' context that are not recognized as a public Tanzu SaaS endpoint will default to using UAA as the IDP. Use the --force-csp boolean flag to override this behavior for custom endpoints that still require CSP.

Additional information

Special notes for your reviewer
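As an added example (not the project's code) of the two mechanisms this PR describes: the IDP selection rule recorded in a context's additionalMetadata, and the PKCE authorize request shown in the test output above, together with the state check a CLI should apply to the loopback callback before accepting an authorization code. The public-host list, the "uaa"/"csp" metadata values, the callback port and the error texts are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed placeholder for the public Tanzu Platform hosts the CLI recognizes (not the project's list).
var publicTanzuHosts = map[string]bool{"public.tanzu.example.com": true}
// selectIDP mirrors the PR's rule: a recognized public endpoint or --force-csp selects CSP, anything else
// defaults to UAA. The returned "uaa"/"csp" strings are assumed spellings for the additionalMetadata value.
func selectIDP(endpoint string, forceCSP bool) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", fmt.Errorf("endpoint must be an https URL: %q", endpoint)
	}
	if forceCSP || publicTanzuHosts[strings.ToLower(u.Hostname())] {
		return "csp", nil
	}
	return "uaa", nil
}
// pkce holds one login's secrets; only Challenge and State leave the machine (RFC 7636, S256).
type pkce struct{ Verifier, Challenge, State string }
func newPKCE() (pkce, error) {
	raw := make([]byte, 64) // first 48 bytes -> 64-char verifier, last 16 -> state
	if _, err := rand.Read(raw); err != nil {
		return pkce{}, err
	}
	enc := base64.RawURLEncoding.EncodeToString
	sum := sha256.Sum256([]byte(enc(raw[:48])))
	return pkce{Verifier: enc(raw[:48]), Challenge: enc(sum[:]), State: enc(raw[48:])}, nil
}
// authorizeURL builds the UAA request in the shape shown in the PR's test output.
func authorizeURL(endpoint string, p pkce, port int) string {
	q := url.Values{"client_id": {"tp_cli_app"}, "code_challenge": {p.Challenge},
		"code_challenge_method": {"S256"}, "response_type": {"code"}, "state": {p.State},
		"redirect_uri": {fmt.Sprintf("http://127.0.0.1:%d/callback", port)}}
	return strings.TrimRight(endpoint, "/") + "/auth/oauth/authorize?" + q.Encode()
}
// callbackCode accepts the loopback callback only when its state matches the one this login issued.
func callbackCode(callback string, p pkce) (string, error) {
	u, err := url.Parse(callback)
	if err == nil && u.Query().Get("state") == p.State && u.Query().Get("code") != "" {
		return u.Query().Get("code"), nil
	}
	return "", fmt.Errorf("callback rejected: unparsable URL, state mismatch or missing code")
}
```

The verifier never appears in the authorize URL; it is sent only in the later code-for-token exchange, which is why a leaked authorize URL or callback alone cannot be redeemed.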

@prkalle prkalle (Contributor) left a comment

Nice refactoring @vuil !
I am still continuing the review, but sharing a few comments I have so far. Thanks

@vuil vuil changed the title Add auth support for UAA IDP to (Draft) Add auth support for UAA IDP, Aug 29, 2024
@vuil vuil force-pushed the auth4 branch 3 times, most recently from 5d333dd to 8b7729a, August 29, 2024 17:09
@vuil vuil changed the title (Draft) Add auth support for UAA IDP to Add auth support for UAA IDP, Aug 29, 2024
@vuil vuil force-pushed the auth4 branch 2 times, most recently from f048304 to 963d20c, August 29, 2024 19:01
@prkalle prkalle (Contributor) left a comment

Changes LGTM, just a couple more comments and then good to go.

A fair bit of code refactoring to support multiple IDPs,
including new support for UAA.

IDP used in CLI context creation is stored in the Context's
additionalMetadata map.

`context get-token` is updated to refresh the token based on the
IDP associated with said context.

tanzu context create / tanzu login
are updated to use UAA IDP unless the CLI recognizes the endpoint
as a public Tanzu Platform service endpoint or if CSP IDP is explicitly
requested with the --force-csp hidden flag.
}

// UAA-based authentication does not provide org id or name yet
orgName := ""
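Review bot: leaving orgName empty for UAA contexts surfaces in the test output above as `Organization:     ()` from `tanzu context current`, which reads like a failed lookup rather than a deliberate absence. Consider either skipping the Organization line when the context's IDP is UAA or printing an explicit placeholder there, and noting in the code comment that the value is intentionally blank until UAA exposes org information.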
@anujc25 anujc25 (Contributor) Aug 29, 2024

OrgName, which gets configured in the context as part of additionalMetadata, is used by all the plugins to show log messages. Keeping this empty might make the log message incomplete. Does it make sense to configure a dummy value as part of additionalMetadata, like SelfManaged or something like that?

Contributor

We can do this as part of a follow-up as well.

Co-Authored-by: Anuj Chaudhari <[email protected]>
Signed-off-by: Vui Lam <[email protected]>
@prkalle prkalle (Contributor) left a comment

LGTM. Thanks!

@vuil vuil merged commit d46034e into vmware-tanzu:main Aug 30, 2024
7 checks passed
@marckhouzam marckhouzam added this to the v1.5.0 milestone Sep 5, 2024
5 participants