Provides direct access to the kubernetes API (eclipse-che#18367)

Fixes eclipse-che#18326 - Provides direct access to the kubernetes API on /api/unsupported/k8s.
Restricted to OpenShift with OpenShift OAuth.

Signed-off-by: Lukas Krejci <lkrejci@redhat.com>

assembly/assembly-wsmaster-war/pom.xml

@@ -135,6 +135,10 @@
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-api-factory-github</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.che.core</groupId>
+            <artifactId>che-core-api-infraproxy</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-api-logger</artifactId>

assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java

@@ -34,6 +34,7 @@
 import org.eclipse.che.api.factory.server.FactoryEditValidator;
 import org.eclipse.che.api.factory.server.FactoryParametersResolver;
 import org.eclipse.che.api.factory.server.github.GithubFactoryParametersResolver;
+import org.eclipse.che.api.infraproxy.server.InfraProxyModule;
 import org.eclipse.che.api.metrics.WsMasterMetricsModule;
 import org.eclipse.che.api.system.server.ServiceTermination;
 import org.eclipse.che.api.system.server.SystemModule;
@@ -409,6 +410,10 @@ private void configureMultiUserMode(
     bind(PermissionChecker.class).to(PermissionCheckerImpl.class);
 
     bindConstant().annotatedWith(Names.named("che.agents.auth_enabled")).to(true);
+
+    if (OpenShiftInfrastructure.NAME.equals(infrastructure)) {
+      install(new InfraProxyModule());
+    }
   }
 
   private void configureJwtProxySecureProvisioner(String infrastructure) {

infrastructures/kubernetes/pom.xml

@@ -69,6 +69,10 @@
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>okhttp</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.fabric8</groupId>
             <artifactId>kubernetes-client</artifactId>
@@ -247,6 +251,11 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-testng</artifactId>

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/DirectKubernetesAPIAccessHelper.java

@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 2012-2018 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.workspace.infrastructure.kubernetes;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import java.util.Map;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
+import okhttp3.Call;
+import okhttp3.Headers;
+import okhttp3.MediaType;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.ResponseBody;
+import okio.BufferedSink;
+import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.commons.annotation.Nullable;
+
+public class DirectKubernetesAPIAccessHelper {
+  private static final String DEFAULT_MEDIA_TYPE =
+      javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE
+          .withCharset(StandardCharsets.UTF_8.name())
+          .toString();
+
+  private DirectKubernetesAPIAccessHelper() {}
+
+  /**
+   * This method just performs an HTTP request of given {@code httpMethod} on an URL composed of the
+   * {@code masterUrl} and {@code relativeUri} using the provided {@code httpClient}, optionally
+   * sending the provided {@code body}.
+   *
+   * @param masterUrl the base of the final URL
+   * @param httpClient the HTTP client to perform the request with
+   * @param httpMethod the HTTP method of the request
+   * @param relativeUri the relative URI that should be appended ot the {@code masterUrl}
+   * @param body the body to send with the request, if any
+   * @return the HTTP response received
+   * @throws InfrastructureException on failure to validate or perform the request
+   */
+  public static Response call(
+      String masterUrl,
+      OkHttpClient httpClient,
+      String httpMethod,
+      URI relativeUri,
+      @Nullable HttpHeaders headers,
+      @Nullable InputStream body)
+      throws InfrastructureException {
+    if (relativeUri.isAbsolute() || relativeUri.isOpaque()) {
+      throw new InfrastructureException(
+          "The direct infrastructure URL must be relative and not opaque.");
+    }
+
+    try {
+      URL fullUrl = new URI(masterUrl).resolve(relativeUri).toURL();
+      okhttp3.Response response = callApi(httpClient, fullUrl, httpMethod, headers, body);
+      return convertResponse(response);
+    } catch (URISyntaxException | MalformedURLException e) {
+      throw new InfrastructureException("Could not compose the direct URI.", e);
+    } catch (IOException e) {
+      throw new InfrastructureException("Error sending the direct infrastructure request.", e);
+    }
+  }
+
+  private static okhttp3.Response callApi(
+      OkHttpClient httpClient,
+      URL url,
+      String httpMethod,
+      @Nullable HttpHeaders headers,
+      @Nullable InputStream body)
+      throws IOException {
+    String mediaType = inputMediaType(headers);
+
+    RequestBody requestBody =
+        body == null ? null : new InputStreamBasedRequestBody(body, mediaType);
+
+    Call httpCall =
+        httpClient.newCall(prepareRequest(url, httpMethod, requestBody, toOkHttpHeaders(headers)));
+
+    return httpCall.execute();
+  }
+
+  private static Request prepareRequest(
+      URL url, String httpMethod, RequestBody requestBody, Headers headers) {
+    return new Request.Builder().url(url).method(httpMethod, requestBody).headers(headers).build();
+  }
+
+  private static Response convertResponse(okhttp3.Response response) {
+    Response.ResponseBuilder responseBuilder = Response.status(response.code());
+
+    convertResponseHeaders(responseBuilder, response);
+    convertResponseBody(responseBuilder, response);
+
+    return responseBuilder.build();
+  }
+
+  private static void convertResponseHeaders(
+      Response.ResponseBuilder responseBuilder, okhttp3.Response response) {
+    for (int i = 0; i < response.headers().size(); ++i) {
+      String name = response.headers().name(i);
+      String value = response.headers().value(i);
+      responseBuilder.header(name, value);
+    }
+  }
+
+  private static void convertResponseBody(
+      Response.ResponseBuilder responseBuilder, okhttp3.Response response) {
+    ResponseBody responseBody = response.body();
+    if (responseBody != null) {
+      responseBuilder.entity(responseBody.byteStream());
+      MediaType contentType = responseBody.contentType();
+      if (contentType != null) {
+        responseBuilder.type(contentType.toString());
+      }
+    }
+  }
+
+  private static String inputMediaType(@Nullable HttpHeaders headers) {
+    javax.ws.rs.core.MediaType mediaTypeHeader = headers == null ? null : headers.getMediaType();
+    return mediaTypeHeader == null ? DEFAULT_MEDIA_TYPE : mediaTypeHeader.toString();
+  }
+
+  private static Headers toOkHttpHeaders(HttpHeaders headers) {
+    Headers.Builder headersBuilder = new Headers.Builder();
+
+    if (headers != null) {
+      for (Map.Entry<String, List<String>> e : headers.getRequestHeaders().entrySet()) {
+        String name = e.getKey();
+        List<String> values = e.getValue();
+        for (String value : values) {
+          headersBuilder.add(name, value);
+        }
+      }
+    }
+
+    return headersBuilder.build();
+  }
+
+  private static final class InputStreamBasedRequestBody extends RequestBody {
+    private final InputStream inputStream;
+    private final MediaType mediaType;
+
+    private InputStreamBasedRequestBody(InputStream is, String contentType) {
+      this.inputStream = is;
+      this.mediaType = contentType == null ? null : MediaType.parse(contentType);
+    }
+
+    @Override
+    public MediaType contentType() {
+      return mediaType;
+    }
+
+    @Override
+    public void writeTo(BufferedSink sink) throws IOException {
+      byte[] buffer = new byte[1024];
+      int cnt;
+      while ((cnt = inputStream.read(buffer)) != -1) {
+        sink.write(buffer, 0, cnt);
+      }
+    }
+  }
+}

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesClientFactory.java

@@ -45,7 +45,7 @@
 public class KubernetesClientFactory {
 
   /** {@link OkHttpClient} instance shared by all Kubernetes clients. */
-  private OkHttpClient httpClient;
+  private final OkHttpClient httpClient;
 
   /**
    * Default Kubernetes {@link Config} that will be the base configuration to create per-workspace
@@ -129,11 +129,28 @@ protected OkHttpClient getHttpClient() {
     return httpClient;
   }
 
+  /**
+   * Unlike {@link #getHttpClient()} method, this method always returns an HTTP client that contains
+   * interceptors that augment the request with authentication information available in the global
+   * context.
+   *
+   * <p>Unlike {@link #getHttpClient()}, this method creates a new HTTP client instance each time it
+   * is called.
+   *
+   * @return HTTP client with authorization set up
+   * @throws InfrastructureException if it is not possible to build the client with authentication
+   *     infromation
+   */
+  public OkHttpClient getAuthenticatedHttpClient() throws InfrastructureException {
+    throw new InfrastructureException(
+        "Impersonating the current user is not supported in the Kubernetes Client.");
+  }
+
   /**
    * Retrieves the default Kubernetes {@link Config} that will be the base configuration to create
    * per-workspace configurations.
    */
-  protected Config getDefaultConfig() {
+  public Config getDefaultConfig() {
     return defaultConfig;
   }
 

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfrastructure.java

@@ -14,9 +14,13 @@
 import static java.lang.String.format;
 
 import com.google.common.collect.ImmutableSet;
+import java.io.InputStream;
+import java.net.URI;
 import java.util.Set;
 import javax.inject.Inject;
 import javax.inject.Singleton;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
 import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
 import org.eclipse.che.api.core.notification.EventService;
 import org.eclipse.che.api.workspace.server.NoEnvironmentFactory.NoEnvInternalEnvironment;
@@ -27,6 +31,7 @@
 import org.eclipse.che.api.workspace.server.spi.environment.InternalEnvironment;
 import org.eclipse.che.api.workspace.server.spi.provision.InternalEnvironmentProvisioner;
 import org.eclipse.che.api.workspace.shared.Constants;
+import org.eclipse.che.commons.annotation.Nullable;
 import org.eclipse.che.workspace.infrastructure.kubernetes.cache.KubernetesRuntimeStateCache;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesNamespaceFactory;
@@ -41,14 +46,16 @@ public class KubernetesInfrastructure extends RuntimeInfrastructure {
   private final KubernetesRuntimeContextFactory runtimeContextFactory;
   private final KubernetesRuntimeStateCache runtimeStatusesCache;
   private final KubernetesNamespaceFactory namespaceFactory;
+  private final KubernetesClientFactory kubernetesClientFactory;
 
   @Inject
   public KubernetesInfrastructure(
       EventService eventService,
       KubernetesRuntimeContextFactory runtimeContextFactory,
       Set<InternalEnvironmentProvisioner> internalEnvProvisioners,
       KubernetesRuntimeStateCache runtimeStatusesCache,
-      KubernetesNamespaceFactory namespaceFactory) {
+      KubernetesNamespaceFactory namespaceFactory,
+      KubernetesClientFactory kubernetesClientFactory) {
     super(
         NAME,
         ImmutableSet.of(KubernetesEnvironment.TYPE, Constants.NO_ENVIRONMENT_RECIPE_TYPE),
@@ -57,6 +64,7 @@ public KubernetesInfrastructure(
     this.runtimeContextFactory = runtimeContextFactory;
     this.runtimeStatusesCache = runtimeStatusesCache;
     this.namespaceFactory = namespaceFactory;
+    this.kubernetesClientFactory = kubernetesClientFactory;
   }
 
   @Override
@@ -81,6 +89,19 @@ public boolean isNamespaceValid(String name) {
     return NamespaceNameValidator.isValid(name);
   }
 
+  @Override
+  public Response sendDirectInfrastructureRequest(
+      String httpMethod, URI relativeUri, @Nullable HttpHeaders headers, @Nullable InputStream body)
+      throws InfrastructureException {
+    return DirectKubernetesAPIAccessHelper.call(
+        kubernetesClientFactory.getDefaultConfig().getMasterUrl(),
+        kubernetesClientFactory.getAuthenticatedHttpClient(),
+        httpMethod,
+        relativeUri,
+        headers,
+        body);
+  }
+
   @Override
   protected KubernetesRuntimeContext internalPrepare(
       RuntimeIdentity id, InternalEnvironment environment) throws InfrastructureException {