add localhost:9000 as a redirect URL

[juanvallejo]

Depends on: #10819
Fixes: #10885

This patch adds https://localhost:9000 as a default redirect URI to
the webconsole oauthclient. This is done as a new oc cluster up
startup task.

$ oc cluster up

...
-- Finding server IP ...
   Using <IP> as the server IP
-- Starting OpenShift container ...
   Creating initial OpenShift configuration
   Starting OpenShift using container 'origin'
   Waiting for API server to start listening
   OpenShift server started
-- Adding default OAuthClient redirect URIs ... OK
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ... OK
...

$ oc login -u system:admin
$ oc get oauthclients

NAME                              WWW-CHALLENGE   REDIRECT URIS
openshift-web-console             FALSE           https://localhost:9000

cc @fabianofranz @jwforres @csrwng

[juanvallejo]

@fabianofranz
Although I could use the const OpenShiftWebConsoleClientID defined in pkg/cmd/server/origin/auth.go, I did not want to import server packages, but WDYT?

[fabianofranz]

Hrm, yeah, that could result in bringing to oc packages that don't belong here (master.go for example imports a lot of server-side stuff).

[jwforres]

cc @liggitt

[csrwng]

@juanvallejo we currently update the config here:
https://github.com/openshift/origin/blob/master/pkg/bootstrap/docker/openshift/helper.go#L446

My preference would be to change it there rather than executing a separate patch command.

[liggitt]

It's not a server config update, it's an update of the API object

[csrwng]

ahh got it, thx @liggitt. @juanvallejo please ignore me and carry on :)

[juanvallejo]

:) Thanks for the feedback!

[juanvallejo]

[test]

[liggitt]

raises eyebrow... this should really be built by json-serializing a struct

[csrwng]

actually, why not use the go client to make the call?

[juanvallejo]

@csrwng

actually, why not use the go client to make the call?

Hm, I am not sure what you mean. I thought NewCmdPatch was already using the client to make the remote call?

[csrwng]

@juanvallejo i mean not invoking the command, simply doing a client get and then an update call with your change.

[juanvallejo]

@csrwng Okay, updated to not using NewCmdPatch, PTAL

[csrwng]

@juanvallejo actually that's not what I had in mind :)
I was thinking of something like:

client, _, err := c.Clients()
webConsoleOAuth, err := client.OAuthClients().Get("openshift-web-console")
// not shown here... check first and don't add it if it's already there
webConsoleOAuth.RedirectURIs = append(webConsoleOAuth.RedirectURIs, "http://localhost:9000")  
err = client.OAuthClients().Update(webConsoleOAuth)

However, I realized that there's no Update method on the client for OAuthClients (you could add one of course)... @liggitt was that left out on purpose?

[liggitt]

@liggitt was that left out on purpose?

nope

[juanvallejo]

@csrwng Thanks for the feedback!

However, I realized that there's no Update method on the client for OAuthClients (you could add one of course)

I have gone ahead and added an Update method to the OAuthClientInterface that receives an *oauthapi.OAuthClient and then makes a Patch request to the server, however the body of the request must contain the patch data ({"redirectURIs": ["https://localhost:9000"]}) as a json object. I was wondering if there is a way to obtain this from the OAuthClient that is passed, or would I just have to Marshal a json struct like I was doing before, and pass that as []bytes to the new Update method? Thanks!

[liggitt]

I have gone ahead and added an Update method to the OAuthClientInterface that receives an *oauthapi.OAuthClient and then makes a Patch request to the server

no, make Update do an update. look at the other Update client methods and model after that.

just Get, add the redirectURI, and Update

[csrwng]

@juanvallejo All you need to do for the update implementation is to do a put. For examples, you can see how other object updates are implemented:
https://github.com/openshift/origin/blob/master/pkg/client/oauthclientauthorization.go#L41
https://github.com/openshift/origin/blob/master/pkg/client/clusteresourcequota.go#L56

[liggitt]

need to update fake_oauthclient.go to implement this as well

[juanvallejo]

will do, thanks!

[csrwng]

LGTM after a squash

[juanvallejo]

re[test]

[juanvallejo]

conformance test flaked on #9548 re[test]

[liggitt]

a couple nits on names and messages. once updated, this can go ahead and merge... it doesn't need to wait for #10819

[liggitt]

nit: this isn't the default redirect URI, it's an additional allowed one... more a "developmentRedirectURI"

[liggitt]

if the web console OAuth client doesn't exist, I would exit early, rather than error

[liggitt]

if NotFound, return nil, otherwise, return err

[juanvallejo]

@liggitt Thanks for clarifying! Updated to check if err is kerrors.IsNotFound

[liggitt]

"unable to add development redirect URI to the openshift-web-console OAuthClient..."

[juanvallejo]

@liggitt Addressed review comments, PTAL

[liggitt]

if we tolerate an update failure (below), we should probably tolerate a fetch failure as well (not return the error), and print out the same suggestion

[juanvallejo]

@liggitt Sounds good, it no longer returns the err but rather prints a slightly updated suggestion and returns nil

[liggitt]

LGTM

[juanvallejo]

[test]

[openshift-bot]

Evaluated for origin test up to b183604

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9324/)

[liggitt]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9324/) (Image: devenv-rhel7_5084)

[openshift-bot]

Evaluated for origin merge up to b183604

[smarterclayton]

Maybe I missed this - why is "localhost" the correct value?

[smarterclayton]

Won't localhost be wrong if my docker daemon isn't running on my system?

[liggitt]

this is enabling web console development (cd $webconsole && grunt serve) out of the box against a cluster up server

[smarterclayton]

Can you add some Godoc to this, because nothing in here makes it obvious why it's localhost:9000, and so it's really for a very specific audience, so that usually requires some justification in the code so other people don't remove it.

[juanvallejo]

@smarterclayton I was not sure if making a new pull request was the way I should do this, but please take a look: #11123