Use SSO account to configure sandbox in one click

Uses a POC ['feat: use sso account to configure sandbox in one click redhat-developer#4232'](redhat-developer#4232) by @dgolovin.

Allows logging in to the DevSandbox using a SSO account if Service Account pipeline token is configured,
otherwise a token from the Clipboard is to be used.

Co-authored-by: Denis Golovin <dgolovin@redhat.com>
Signed-off-by: Victor Rubezhny <vrubezhny@redhat.com>

Author: vrubezhny

src/openshift/cluster.ts

@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See LICENSE file in the project root for license information.
  *-----------------------------------------------------------------------------------------------*/
 
-import { KubernetesObject } from '@kubernetes/client-node';
+import { CoreV1Api, KubeConfig, KubernetesObject, V1Secret, V1ServiceAccount } from '@kubernetes/client-node';
 import { Cluster as KcuCluster, Context as KcuContext } from '@kubernetes/client-node/dist/config_types';
 import * as https from 'https';
 import { ExtensionContext, QuickInputButtons, QuickPickItem, QuickPickItemButtonEvent, ThemeIcon, Uri, commands, env, window, workspace } from 'vscode';
@@ -1070,4 +1070,82 @@ export class Cluster extends OpenShiftItem {
         const asUrl = new URL(url);
         return asUrl.hostname.endsWith('openshiftapps.com');
     }
+
+    static prepareSSOInKubeConfig(proxy: string, username: string, accessToken: string): KubeConfig {
+        const kcu = new KubeConfig();
+        const clusterProxy = {
+            name: 'sandbox-proxy',
+            server: proxy,
+        };
+        const user = {
+            name: 'sso-user',
+            token: accessToken,
+        };
+        const context = {
+            cluster: clusterProxy.name,
+            name: 'sandbox-proxy-context',
+            user: user.name,
+            namespace: `${username}-dev`,
+        };
+        kcu.addCluster(clusterProxy);
+        kcu.addUser(user)
+        kcu.addContext(context);
+        kcu.setCurrentContext(context.name);
+        return kcu;
+    }
+
+    static async installPipelineSecretToken(k8sApi: CoreV1Api, pipelineServiceAccount: V1ServiceAccount, username: string): Promise<V1Secret> {
+        const v1Secret = {
+            apiVersion: 'v1',
+            kind: 'Secret',
+            metadata: {
+                name: `pipeline-secret-${username}-dev`,
+                annotations: {
+                    'kubernetes.io/service-account.name': pipelineServiceAccount.metadata.name,
+                    'kubernetes.io/service-account.uid': pipelineServiceAccount.metadata.uid
+                }
+            },
+            type: 'kubernetes.io/service-account-token'
+        } as V1Secret
+
+        try {
+            await k8sApi.createNamespacedSecret(`${username}-dev`, v1Secret);
+        } catch {
+            // Ignore
+        }
+        const newSecrets = await k8sApi.listNamespacedSecret(`${username}-dev`);
+        return newSecrets?.body.items.find((secret) => secret.metadata.name === `pipeline-secret-${username}-dev`);
+    }
+
+    static async getPipelineServiceAccountToken(k8sApi: CoreV1Api, username: string): Promise<string> {
+        try {
+            const serviceAccounts = await k8sApi.listNamespacedServiceAccount(`${username}-dev`);
+            const pipelineServiceAccount = serviceAccounts.body.items.find(serviceAccount => serviceAccount.metadata.name === 'pipeline');
+            if (!pipelineServiceAccount) {
+                return;
+            }
+
+            const secrets = await k8sApi.listNamespacedSecret(`${username}-dev`);
+            let pipelineTokenSecret = secrets?.body.items.find((secret) => secret.metadata.name === `pipeline-secret-${username}-dev`);
+            if (!pipelineTokenSecret) {
+                pipelineTokenSecret = await Cluster.installPipelineSecretToken(k8sApi, pipelineServiceAccount, username);
+                if (!pipelineTokenSecret) {
+                    return;
+                }
+            }
+            return Buffer.from(pipelineTokenSecret.data.token, 'base64').toString();
+         } catch {
+            // Ignore
+        }
+    }
+
+    static async loginUsingPipelineServiceAccountToken(server: string, proxy: string, username: string, accessToken: string): Promise<string> {
+        const kcu = Cluster.prepareSSOInKubeConfig(proxy, username, accessToken);
+        const k8sApi = kcu.makeApiClient(CoreV1Api);
+        const pipelineToken =  await this.getPipelineServiceAccountToken(k8sApi, username);
+        if (!pipelineToken) {
+            return;
+        }
+        return Cluster.tokenLogin(server, true, pipelineToken);
+    }
 }

src/openshift/sandbox.ts

@@ -28,6 +28,7 @@ export interface SBSignupResponse {
   givenName: string;
   status: SBStatus;
   username: string;
+  proxyURL: string;
 }
 
 export interface SBResponseData {

src/webview/cluster/app/sandboxView.tsx

@@ -56,8 +56,10 @@ export default function addSandboxView(): JSX.Element {
     const [currentState, setCurrentState] = React.useState({
         action: 'sandboxPageDetectAuthSession',
         statusInfo: '',
+        usePipelineToken: false,
         consoleDashboard: '',
         apiEndpoint: '',
+        apiEndpointProxy: '',
         oauthTokenEndpoint: '',
         errorCode: undefined
     });
@@ -149,7 +151,9 @@ export default function addSandboxView(): JSX.Element {
                 action: currentState.action,
                 consoleDashboard: currentState.consoleDashboard,
                 statusInfo: currentState.statusInfo,
+                usePipelineToken: false,
                 apiEndpoint: '',
+                apiEndpointProxy: '',
                 oauthTokenEndpoint: '',
                 errorCode: undefined
             });
@@ -299,8 +303,10 @@ export default function addSandboxView(): JSX.Element {
             setCurrentState({
                 action: 'sandboxPageRequestVerificationCode',
                 statusInfo: '',
+                usePipelineToken: false,
                 consoleDashboard: '',
                 apiEndpoint: '',
+                apiEndpointProxy: '',
                 oauthTokenEndpoint: '',
                 errorCode: undefined
             });
@@ -379,11 +385,27 @@ export default function addSandboxView(): JSX.Element {
     const Provisioned = () => {
 
         const handleLoginButton = () => {
-            postMessage('sandboxLoginUsingDataInClipboard', {apiEndpointUrl: currentState.apiEndpoint, oauthRequestTokenUrl: `${currentState.oauthTokenEndpoint}/request`});
+            if (!currentState.usePipelineToken) { // Try loging in using a token from the Clipboard
+                postMessage('sandboxLoginUsingDataInClipboard', {
+                        apiEndpointUrl: currentState.apiEndpoint,
+                        oauthRequestTokenUrl: `${currentState.oauthTokenEndpoint}/request`
+                    });
+            } else { // Try loging in using a Pipeline Token
+                postMessage('sandboxLoginUsingPipelineToken', {
+                    apiEndpointUrl: currentState.apiEndpoint,
+                    oauthRequestTokenUrl: `${currentState.oauthTokenEndpoint}/request`,
+                    username: currentState.statusInfo,
+                    apiEndpointProxy: currentState.apiEndpointProxy,
+                });
+            }
         };
 
         const invalidToken = currentState.errorCode === 'invalidToken';
-        const loginSandboxTitle = !invalidToken ? 'Login to DevSandbox OpenShift cluster with token from clipboard' : 'Token in clipboard is invalid. Select the Get Token option and copy to clipboard';
+        const loginSandboxTitle = !invalidToken ?
+                currentState.usePipelineToken ?
+                    'Login to DevSandbox OpenShift cluster using a service account provided token' :
+                    'Login to DevSandbox OpenShift cluster with token from clipboard' :
+                'Token in clipboard is invalid. Select the Get Token option and copy to clipboard';
 
         return (
             <>
@@ -403,19 +425,29 @@ export default function addSandboxView(): JSX.Element {
                                 </Tooltip>
                             Your sandbox account has been provisioned and is ready to use.
                         </Typography>
-                        <Typography variant='caption' color='inherit' display='block' style={{ textAlign:'left', margin: '20px 70px' }}>
-                            Next steps to connect with Developer Sandbox:<br></br>
-                            1. Click on <strong>Get token</strong> button. In the browser, login using <strong>DevSandbox</strong> button.<br></br>
-                            2. Click on <strong>Display token</strong> link and copy token to clipboard.<br></br>
-                            3. Switch back to IDE and press <strong>'Login To DevSandbox'</strong> button. This will login you to DevSandbox with token from clipboard.<br></br>
-                            4. Once successfully logged in, start creating applications and deploy on cluster.
-                        </Typography>
+                        {( !currentState.usePipelineToken ) ? (
+                            <Typography variant='caption' color='inherit' display='block' style={{ textAlign:'left', margin: '20px 70px' }}>
+                                Next steps to connect with Developer Sandbox:<br></br>
+                                1. Click on <strong>Get token</strong> button. In the browser, login using <strong>DevSandbox</strong> button.<br></br>
+                                2. Click on <strong>Display token</strong> link and copy token to clipboard.<br></br>
+                                3. Switch back to IDE and press <strong>'Login To DevSandbox'</strong> button. This will login you to DevSandbox with token from clipboard.<br></br>
+                                4. Once successfully logged in, start creating applications and deploy on cluster.
+                            </Typography>
+                        ) : (
+                            <Typography variant='caption' color='inherit' display='block' style={{ textAlign:'left', margin: '20px 70px' }}>
+                                Next steps to connect with Developer Sandbox:<br></br>
+                                1. Press <strong>'Login To DevSandbox'</strong> button. This will login you to DevSandbox using a service account provided token.<br></br>
+                                2. Once successfully logged in, start creating applications and deploy on cluster.
+                            </Typography>
+                        )}
                         <Tooltip title='Launch your DevSandbox console in browser' placement='bottom'>
                             <Button variant='contained' className='button' href={currentState.consoleDashboard}>Open Dashboard</Button>
                         </Tooltip>
-                        <Tooltip title='Open the DevSandbox console page and copy the login token' placement='bottom'>
-                            <Button variant='contained' className='button' href={`${currentState.oauthTokenEndpoint}/request`}>Get token</Button>
-                        </Tooltip>
+                        {( !currentState.usePipelineToken ) && (
+                            <Tooltip title='Open the DevSandbox console page and copy the login token' placement='bottom'>
+                                <Button variant='contained' className='button' href={`${currentState.oauthTokenEndpoint}/request`}>Get token</Button>
+                            </Tooltip>
+                        )}
                         <Tooltip title={loginSandboxTitle} placement='bottom'>
                             <div style={{ display: 'inline-block', margin: '8px 0px 8px 0px' }}><Button variant='contained' className='buttonRed' disabled={invalidToken} onClick={handleLoginButton}>Login to DevSandbox</Button></div>
                         </Tooltip>

src/webview/cluster/clusterViewLoader.ts

@@ -2,6 +2,7 @@
  *  Copyright (c) Red Hat, Inc. All rights reserved.
  *  Licensed under the MIT License. See LICENSE file in the project root for license information.
  *-----------------------------------------------------------------------------------------------*/
+import { CoreV1Api } from '@kubernetes/client-node';
 import { ChildProcess, spawn } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -116,12 +117,36 @@ async function clusterEditorMessageListener (event: any ): Promise<any> {
                 } else {
                     if (signupStatus.status.ready) {
                         const oauthInfo = await sandboxAPI.getOauthServerInfo(signupStatus.apiEndpoint);
+
+                        const makeCoreV1ApiClient = ((server: string, proxy: string, username: string, accessToken: string): CoreV1Api => {
+                            const kcu = Cluster.prepareSSOInKubeConfig(proxy, username, accessToken);
+                            const apiClient = new CoreV1Api(proxy);
+                                apiClient.setDefaultAuthentication(kcu);
+                                return apiClient;
+                            });
+                        const pipelineAccountToken = await Cluster.getPipelineServiceAccountToken(
+                                makeCoreV1ApiClient(signupStatus.apiEndpoint, signupStatus.proxyURL,
+                                    signupStatus.compliantUsername, (sessionCheck as any).idToken),
+                                signupStatus.compliantUsername);
                         let errCode = '';
-                        if (!Cluster.validateLoginToken((await vscode.env.clipboard.readText()).trim())) {
-                            errCode = 'invalidToken';
+                        if (!pipelineAccountToken) { // Try loging in using a token from the Clipboard
+                            if (!Cluster.validateLoginToken((await vscode.env.clipboard.readText()).trim())) {
+                                errCode = 'invalidToken';
+                            }
+                        }
+                        await panel.webview.postMessage({
+                            action: 'sandboxPageProvisioned',
+                            statusInfo: signupStatus.compliantUsername,
+                            usePipelineToken: (pipelineAccountToken),
+                            consoleDashboard: signupStatus.consoleURL,
+                            apiEndpoint: signupStatus.apiEndpoint,
+                            apiEndpointProxy: signupStatus.proxyURL,
+                            oauthTokenEndpoint: oauthInfo.token_endpoint,
+                            errorCode: errCode
+                        });
+                        if (!pipelineAccountToken) { // Try loging in using a token from the Clipboard
+                            await pollClipboard(signupStatus);
                         }
-                        await panel.webview.postMessage({ action: 'sandboxPageProvisioned', statusInfo: signupStatus.username, consoleDashboard: signupStatus.consoleURL, apiEndpoint: signupStatus.apiEndpoint, oauthTokenEndpoint: oauthInfo.token_endpoint, errorCode: errCode });
-                        await pollClipboard(signupStatus);
                     } else {
                         // cluster is not ready and the reason is
                         if (signupStatus.status.verificationRequired) {
@@ -211,6 +236,23 @@ async function clusterEditorMessageListener (event: any ): Promise<any> {
             }
             break;
         }
+        case 'sandboxLoginUsingPipelineToken': {
+            const telemetryEventLoginToSandbox = new ExtCommandTelemetryEvent('openshift.explorer.addCluster.sandboxLoginUsingPipelineToken');
+            try {
+                const result = await Cluster.loginUsingPipelineServiceAccountToken(
+                    event.payload.apiEndpointUrl,
+                    event.payload.apiEndpointProxy,
+                    event.payload.username,
+                    (sessionCheck as any).idToken
+                );
+                if (result) void vscode.window.showInformationMessage(`${result}`);
+                telemetryEventLoginToSandbox.send();
+            } catch (err) {
+                void vscode.window.showErrorMessage(err.message);
+                telemetryEventLoginToSandbox.sendError('Login into Sandbox Cluster failed.');
+            }
+            break;
+        }
         default:
             void vscode.window.showErrorMessage(`Unexpected message from webview: '${event.action}'`);
             break;
@@ -219,16 +261,27 @@ async function clusterEditorMessageListener (event: any ): Promise<any> {
 
 async function pollClipboard(signupStatus) {
     const oauthInfo = await sandboxAPI.getOauthServerInfo(signupStatus.apiEndpoint);
+    let firstPoll = true;
     while (panel) {
         const previousContent = (await vscode.env.clipboard.readText()).trim();
         await new Promise(r => setTimeout(r, 500));
         const currentContent = (await vscode.env.clipboard.readText()).trim();
-        if (previousContent && previousContent !== currentContent) {
+        if (firstPoll || (previousContent && previousContent !== currentContent)) {
+            firstPoll = false;
             let errCode = '';
             if (!Cluster.validateLoginToken(currentContent)){
                 errCode = 'invalidToken';
             }
-            void panel.webview.postMessage({action: 'sandboxPageProvisioned', statusInfo: signupStatus.username, consoleDashboard: signupStatus.consoleURL, apiEndpoint: signupStatus.apiEndpoint, oauthTokenEndpoint: oauthInfo.token_endpoint, errorCode: errCode});
+            void panel.webview.postMessage({
+                    action: 'sandboxPageProvisioned',
+                    statusInfo: signupStatus.username,
+                    usePipelineToken: false,
+                    consoleDashboard: signupStatus.consoleURL,
+                    apiEndpoint: signupStatus.apiEndpoint,
+                    apiEndpointProxy: signupStatus.proxyURL,
+                    oauthTokenEndpoint: oauthInfo.token_endpoint,
+                    errorCode: errCode
+                });
         }
     }
 }