Merge branch 'main' into unify-ee-oss-asset-serving

cmd/gitops/check/cmd.go

@@ -3,19 +3,27 @@ package check
 import (
 	"fmt"
 
+	"github.com/weaveworks/weave-gitops/cmd/gitops/check/oidcconfig"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
 	"github.com/weaveworks/weave-gitops/pkg/services/check"
 
 	"github.com/spf13/cobra"
 )
 
-var Cmd = &cobra.Command{
-	Use:   "check",
-	Short: "Validates flux compatibility",
-	Example: `
+func GetCommand(opts *config.Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "check",
+		Short: "Validates flux compatibility",
+		Example: `
 # Validate flux and kubernetes compatibility
 gitops check
 `,
-	RunE: runCmd,
+		RunE: runCmd,
+	}
+
+	cmd.AddCommand(oidcconfig.OIDCConfigCommand(opts))
+
+	return cmd
 }
 
 func runCmd(_ *cobra.Command, _ []string) error {

cmd/gitops/check/oidcconfig/cmd.go

@@ -0,0 +1,129 @@
+package oidcconfig
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+
+	"github.com/weaveworks/weave-gitops/cmd/gitops/cmderrors"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
+	"github.com/weaveworks/weave-gitops/pkg/logger"
+	"github.com/weaveworks/weave-gitops/pkg/oidc/check"
+	"github.com/weaveworks/weave-gitops/pkg/run"
+	"github.com/weaveworks/weave-gitops/pkg/server/auth"
+)
+
+// OIDCConfigCommand returns the cobra command for running `oidc-config`.
+func OIDCConfigCommand(opts *config.Options) *cobra.Command {
+	var (
+		kubeConfigArgs    *genericclioptions.ConfigFlags
+		fromSecretFlag    string
+		skipSecretFlag    bool
+		clientIDFlag      string
+		clientSecretFlag  string
+		scopesFlag        []string
+		claimUsernameFlag string
+		claimGroupsFlag   string
+		issuerURLFlag     string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "oidc-config",
+		Short: "Check an OIDC configuration for proper functionality.",
+		Long: `This command will send the user through an OIDC authorization code flow using the given OIDC configuration. This is helpful for verifying that a given configuration will work properly with Weave GitOps or for debugging issues. Without any provided flags it will read the configuration from a Secret on the cluster.
+
+NOTE: Make sure to configure your OIDC provider so that it accepts "http://localhost:9876" as redirect URI.`,
+		Example: `
+# Check the OIDC configuration stored in the flux-system/oidc-auth Secret
+gitops check oidc-config
+
+# Check a different set of scopes
+gitops check oidc-config --scopes=openid,groups
+
+# Check a different username cliam
+gitops check oidc-config --claim-username=sub
+
+# Check configuration without fetching a Secret from the cluster
+gitops check oidc-config --skip-secret --client-id=CID --client-secret=SEC --issuer-url=https://example.org
+		`,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if skipSecretFlag {
+				fromSecretFlag = "" // the skip flag overrides this one.
+			}
+
+			cfg, err := kubeConfigArgs.ToRESTConfig()
+			if err != nil {
+				return err
+			}
+
+			if fromSecretFlag == "" {
+				if clientIDFlag == "" ||
+					clientSecretFlag == "" ||
+					issuerURLFlag == "" {
+					return fmt.Errorf("when not reading OIDC configuration from a Secret, you need to provide " +
+						"client ID, client secret and issuer URL using the respective command-line flags")
+				}
+			}
+
+			log := logger.NewCLILogger(os.Stdout)
+			kubeClient, err := run.GetKubeClient(log, *kubeConfigArgs.Context, cfg, nil)
+			if err != nil {
+				return cmderrors.ErrGetKubeClient
+			}
+
+			ns, err := cmd.Flags().GetString("namespace")
+			if err != nil {
+				return fmt.Errorf("failed getting namespace flag: %w", err)
+			}
+
+			ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+			defer cancel()
+			claims, err := check.GetPrincipal(ctx, check.Options{
+				ClientID:        clientIDFlag,
+				ClientSecret:    clientSecretFlag,
+				IssuerURL:       issuerURLFlag,
+				SecretName:      fromSecretFlag,
+				SecretNamespace: ns,
+				Scopes:          scopesFlag,
+				ClaimUsername:   claimUsernameFlag,
+				ClaimGroups:     claimGroupsFlag,
+			}, log, kubeClient)
+
+			if err != nil {
+				return fmt.Errorf("failed getting claims: %w", err)
+			}
+
+			log.Println("user: %s", claims.ID)
+			if len(claims.Groups) != 0 {
+				log.Println("groups: %s", strings.Join(claims.Groups, ", "))
+			} else {
+				log.Println("no groups claim")
+			}
+
+			return nil
+		},
+		DisableAutoGenTag: true,
+	}
+
+	kubeConfigArgs = run.GetKubeConfigArgs()
+	kubeConfigArgs.AddFlags(cmd.Flags())
+
+	cmd.Flags().StringVar(&clientIDFlag, "client-id", "", "OIDC client ID")
+	cmd.Flags().StringVar(&clientSecretFlag, "client-secret", "", "OIDC client secret")
+	cmd.Flags().StringVar(&issuerURLFlag, "issuer-url", "", "OIDC issuer URL")
+	cmd.Flags().StringVar(&fromSecretFlag, "from-secret", "oidc-auth", "Get OIDC configuration from the given Secret resource")
+	cmd.Flags().BoolVar(&skipSecretFlag, "skip-secret", false,
+		"Do not read OIDC configuration from a Kubernetes Secret but rely solely on the values from the given flags.")
+	cmd.Flags().StringVar(&claimUsernameFlag, "username-claim", "", "ID token claim to use for the user name.")
+	cmd.Flags().StringVar(&claimGroupsFlag, "groups-claim", "", "ID token claim to use for the groups.")
+	cmd.Flags().StringSliceVar(&scopesFlag, "scopes", nil, fmt.Sprintf("OIDC scopes to request (default [%s])", strings.Join(auth.DefaultScopes, ",")))
+
+	return cmd
+}

cmd/gitops/root/cmd.go

@@ -153,7 +153,7 @@ func RootCmd() *cobra.Command {
 	rootCmd.AddCommand(get.GetCommand(options))
 	rootCmd.AddCommand(set.SetCommand(options))
 	rootCmd.AddCommand(docs.Cmd)
-	rootCmd.AddCommand(check.Cmd)
+	rootCmd.AddCommand(check.GetCommand(options))
 	rootCmd.AddCommand(create.GetCommand(options))
 	rootCmd.AddCommand(deletepkg.GetCommand(options))
 	rootCmd.AddCommand(logs.GetCommand(options))

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alexedwards/scs/v2 v2.5.1
 	github.com/cheshir/ttlcache v1.0.1-0.20220504185148-8ceeff21b789
-	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/fluxcd/go-git-providers v0.16.0
 	github.com/fluxcd/helm-controller/api v0.35.0
 	github.com/fluxcd/image-automation-controller/api v0.33.1
@@ -46,10 +46,10 @@ require (
 	github.com/yannh/kubeconform v0.5.0
 	go.uber.org/zap v1.25.0
 	golang.org/x/crypto v0.14.0
-	golang.org/x/oauth2 v0.7.0
+	golang.org/x/oauth2 v0.13.0
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
 	google.golang.org/grpc v1.56.3
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.31.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools v2.2.0+incompatible
@@ -196,7 +196,7 @@ require (
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.9.3 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect