Beispiel #1
0
func setupAdmissionTest(t *testing.T, setupConfig func(*configapi.MasterConfig)) (*kclient.Client, *client.Client) {
	masterConfig, err := testserver.DefaultMasterOptions()
	if err != nil {
		t.Fatalf("error creating config: %v", err)
	}
	setupConfig(masterConfig)
	kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
	if err != nil {
		t.Fatalf("error starting server: %v", err)
	}
	kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting client: %v", err)
	}
	openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting openshift client: %v", err)
	}
	return kubeClient, openshiftClient
}
Beispiel #2
0
func setupAuditTest(t *testing.T) (*kclient.Client, *client.Client) {
	testutil.RequireEtcd(t)
	masterConfig, err := testserver.DefaultMasterOptions()
	if err != nil {
		t.Fatalf("error creating config: %v", err)
	}
	masterConfig.AuditConfig.Enabled = true
	kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
	if err != nil {
		t.Fatalf("error starting server: %v", err)
	}
	kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting client: %v", err)
	}
	openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting openshift client: %v", err)
	}
	return kubeClient, openshiftClient

}
Beispiel #3
0
func TestAuthProxyOnAuthorize(t *testing.T) {
	idp := configapi.IdentityProvider{}
	idp.Name = "front-proxy"
	idp.Provider = runtime.EmbeddedObject{&configapi.RequestHeaderIdentityProvider{Headers: []string{"X-Remote-User"}}}
	idp.MappingMethod = "claim"

	masterConfig, err := testserver.DefaultMasterOptions()
	checkErr(t, err)
	masterConfig.OAuthConfig.IdentityProviders = []configapi.IdentityProvider{idp}

	clusterAdminKubeConfig, err := testserver.StartConfiguredMasterAPI(masterConfig)
	checkErr(t, err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	checkErr(t, err)
	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	checkErr(t, err)

	// set up a front proxy guarding the oauth server
	proxyHTTPHandler := NewBasicAuthChallenger("TestRegistryAndServer", validUsers, NewXRemoteUserProxyingHandler(clusterAdminClientConfig.Host))
	proxyServer := httptest.NewServer(proxyHTTPHandler)
	defer proxyServer.Close()
	t.Logf("proxy server is on %v\n", proxyServer.URL)

	// need to prime clients so that we can get back a code.  the client must be valid
	result := clusterAdminClient.RESTClient.Post().Resource("oAuthClients").Body(&oauthapi.OAuthClient{ObjectMeta: kapi.ObjectMeta{Name: "test"}, Secret: "secret", RedirectURIs: []string{clusterAdminClientConfig.Host}}).Do()
	checkErr(t, result.Error())

	// our simple URL to get back a code.  We want to go through the front proxy
	rawAuthorizeRequest := proxyServer.URL + origin.OpenShiftOAuthAPIPrefix + "/authorize?response_type=code&client_id=test"

	// the first request we make to the front proxy should challenge us for authentication info
	shouldBeAChallengeResponse, err := http.Get(rawAuthorizeRequest)
	if err != nil {
		t.Errorf("Unexpected error: %v", err)
	}
	if shouldBeAChallengeResponse.StatusCode != http.StatusUnauthorized {
		t.Errorf("Expected Unauthorized, but got %v", shouldBeAChallengeResponse.StatusCode)
	}

	// create an http.Client to make our next request.  We need a custom Transport to authenticate us through our front proxy
	// and a custom CheckRedirect so that we can keep track of the redirect responses we're getting
	// OAuth requests a few redirects that we don't really care about checking, so this simpler than using a round tripper
	// and manually handling redirects and setting our auth information every time for the front proxy
	redirectedUrls := make([]url.URL, 10)
	httpClient := http.Client{
		CheckRedirect: getRedirectMethod(t, &redirectedUrls),
		Transport:     ktransport.NewBasicAuthRoundTripper("sanefarmer", "who?", insecureTransport()),
	}

	// make our authorize request again, but this time our transport has properly set the auth info for the front proxy
	req, err := http.NewRequest("GET", rawAuthorizeRequest, nil)
	_, err = httpClient.Do(req)
	if err != nil {
		t.Errorf("Unexpected error: %v", err)
	}

	// check the last redirect and see if we got a code
	foundCode := ""
	if len(redirectedUrls) > 0 {
		foundCode = redirectedUrls[len(redirectedUrls)-1].Query().Get("code")
	}

	if len(foundCode) == 0 {
		t.Errorf("Did not find code in any redirect: %v", redirectedUrls)
	} else {
		t.Logf("Found code %v\n", foundCode)
	}
}
func TestCachingDiscoveryClient(t *testing.T) {
	testutil.RequireEtcd(t)
	defer testutil.DumpEtcdOnFailure(t)
	_, originKubeConfig, err := testserver.StartTestMasterAPI()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	originClient, err := testutil.GetClusterAdminClient(originKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	resourceType := "buildconfigs"

	originDiscoveryClient := client.NewDiscoveryClient(originClient.RESTClient)
	originUncachedMapper := clientcmd.NewShortcutExpander(originDiscoveryClient, nil)
	if !sets.NewString(originUncachedMapper.All...).Has(resourceType) {
		t.Errorf("expected %v, got: %v", resourceType, originUncachedMapper.All)
	}

	cacheDir, err := ioutil.TempDir("", "TestCachingDiscoveryClient")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer func() {
		if !t.Failed() {
			os.RemoveAll(cacheDir)
		}
	}()
	// this client should prime the cache
	originCachedDiscoveryClient := clientcmd.NewCachedDiscoveryClient(originDiscoveryClient, cacheDir, time.Duration(10*time.Minute))
	originCachedMapper := clientcmd.NewShortcutExpander(originCachedDiscoveryClient, nil)
	if !sets.NewString(originCachedMapper.All...).Has(resourceType) {
		t.Errorf("expected %v, got: %v", resourceType, originCachedMapper.All)
	}

	// this client will fail if the cache fails
	unbackedDiscoveryClient := clientcmd.NewCachedDiscoveryClient(nil, cacheDir, time.Duration(10*time.Minute))
	unbackedOriginCachedMapper := clientcmd.NewShortcutExpander(unbackedDiscoveryClient, nil)
	if !sets.NewString(unbackedOriginCachedMapper.All...).Has(resourceType) {
		t.Errorf("expected %v, got: %v", resourceType, unbackedOriginCachedMapper.All)
	}

	atomicConfig, err := testserver.DefaultMasterOptions()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	atomicConfig.DisabledFeatures = configapi.AtomicDisabledFeatures
	atomicConfig.DNSConfig = nil
	atomicKubeConfig, err := testserver.StartConfiguredMasterAPI(atomicConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	atomicClient, err := testutil.GetClusterAdminClient(atomicKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	atomicDiscoveryClient := client.NewDiscoveryClient(atomicClient.RESTClient)
	atomicUncachedMapper := clientcmd.NewShortcutExpander(atomicDiscoveryClient, nil)
	if sets.NewString(atomicUncachedMapper.All...).Has(resourceType) {
		t.Errorf("expected no %v, got: %v", resourceType, atomicUncachedMapper.All)
	}

	// this client will give different results if the cache fails
	conflictingDiscoveryClient := clientcmd.NewCachedDiscoveryClient(atomicDiscoveryClient, cacheDir, time.Duration(10*time.Minute))
	conflictingCachedMapper := clientcmd.NewShortcutExpander(conflictingDiscoveryClient, nil)
	if !sets.NewString(conflictingCachedMapper.All...).Has(resourceType) {
		t.Errorf("expected %v, got: %v", resourceType, conflictingCachedMapper.All)
	}

	// this client should give different results as result of a live lookup
	expiredDiscoveryClient := clientcmd.NewCachedDiscoveryClient(atomicDiscoveryClient, cacheDir, time.Duration(-1*time.Second))
	expiredAtomicCachedMapper := clientcmd.NewShortcutExpander(expiredDiscoveryClient, nil)
	if sets.NewString(expiredAtomicCachedMapper.All...).Has(resourceType) {
		t.Errorf("expected no %v, got: %v", resourceType, expiredAtomicCachedMapper.All)
	}

}