func configure(logger lager.Logger) (*ssh.ServerConfig, error) {
cf_http.Initialize(*communicationTimeout)
if *diegoAPIURL == "" {
err := errors.New("diegoAPIURL is required")
logger.Fatal("diego-api-url-required", err)
}
url, err := url.Parse(*diegoAPIURL)
if err != nil {
logger.Fatal("failed-to-parse-diego-api-url", err)
}
_, err = url.Parse(*ccAPIURL)
if *ccAPIURL != "" && err != nil {
logger.Fatal("failed-to-parse-cc-api-url", err)
}
var diegoCreds string
if url.User != nil {
diegoCreds = url.User.String()
}
receptorClient := receptor.NewClient(*diegoAPIURL)
authenticatorMap := map[string]authenticators.PasswordAuthenticator{}
if *enableDiegoAuth {
diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, receptorClient, []byte(diegoCreds))
authenticatorMap[diegoAuthenticator.Realm()] = diegoAuthenticator
}
if *ccAPIURL != "" && *enableCFAuth {
ccClient := cf_http.NewClient()
cfAuthenticator := authenticators.NewCFAuthenticator(logger, ccClient, *ccAPIURL, receptorClient)
authenticatorMap[cfAuthenticator.Realm()] = cfAuthenticator
}
authenticator := authenticators.NewCompositeAuthenticator(authenticatorMap)
sshConfig := &ssh.ServerConfig{
PasswordCallback: authenticator.Authenticate,
AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) {
logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()})
},
}
if *hostKey == "" {
err := errors.New("hostKey is required")
logger.Fatal("host-key-required", err)
}
key, err := parsePrivateKey(logger, *hostKey)
if err != nil {
logger.Fatal("failed-to-parse-host-key", err)
}
sshConfig.AddHostKey(key)
return sshConfig, err
}
fakeCC = ghttp.NewServer()
ccURL = fakeCC.URL()
fakeUAA = ghttp.NewServer()
u, err := url.Parse(fakeUAA.URL())
Expect(err).NotTo(HaveOccurred())
uaaUsername = "******"
uaaPassword = "******"^&'"
u.Path = "/oauth/token"
uaaTokenURL = u.String()
})
JustBeforeEach(func() {
authenticator = authenticators.NewCFAuthenticator(logger, httpClient, ccURL, uaaTokenURL, uaaUsername, uaaPassword, permissionsBuilder)
permissions, authenErr = authenticator.Authenticate(metadata, password)
})
Describe("UserRegexp", func() {
var regexp *regexp.Regexp
BeforeEach(func() {
regexp = authenticator.UserRegexp()
})
It("matches diego patterns", func() {
Expect(regexp.MatchString("cf:guid/0")).To(BeTrue())
Expect(regexp.MatchString("cf:123-abc-def/00")).To(BeTrue())
Expect(regexp.MatchString("cf:guid/99")).To(BeTrue())
})
func configureProxy(logger lager.Logger) (*ssh.ServerConfig, error) {
if *bbsAddress == "" {
err := errors.New("bbsAddress is required")
logger.Fatal("bbs-address-required", err)
}
url, err := url.Parse(*bbsAddress)
if err != nil {
logger.Fatal("failed-to-parse-bbs-address", err)
}
bbsClient := initializeBBSClient(logger)
permissionsBuilder := authenticators.NewPermissionsBuiler(bbsClient)
authens := []authenticators.PasswordAuthenticator{}
if *enableDiegoAuth {
diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, []byte(*diegoCredentials), permissionsBuilder)
authens = append(authens, diegoAuthenticator)
}
if *enableCFAuth {
if *ccAPIURL == "" {
return nil, errors.New("ccAPIURL is required for Cloud Foundry authentication")
}
_, err = url.Parse(*ccAPIURL)
if *ccAPIURL != "" && err != nil {
return nil, err
}
if *uaaPassword == "" {
return nil, errors.New("UAA password is required for Cloud Foundry authentication")
}
if *uaaUsername == "" {
return nil, errors.New("UAA username is required for Cloud Foundry authentication")
}
if *uaaTokenURL == "" {
return nil, errors.New("uaaTokenURL is required for Cloud Foundry authentication")
}
_, err = url.Parse(*uaaTokenURL)
if *uaaTokenURL != "" && err != nil {
return nil, err
}
client := NewHttpClient()
cfAuthenticator := authenticators.NewCFAuthenticator(
logger,
client,
*ccAPIURL,
*uaaTokenURL,
*uaaUsername,
*uaaPassword,
permissionsBuilder,
)
authens = append(authens, cfAuthenticator)
}
authenticator := authenticators.NewCompositeAuthenticator(authens...)
sshConfig := &ssh.ServerConfig{
PasswordCallback: authenticator.Authenticate,
AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) {
logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()})
},
}
if *hostKey == "" {
err := errors.New("hostKey is required")
logger.Fatal("host-key-required", err)
}
key, err := parsePrivateKey(logger, *hostKey)
if err != nil {
logger.Fatal("failed-to-parse-host-key", err)
}
sshConfig.AddHostKey(key)
return sshConfig, err
}
metadata = &fake_ssh.FakeConnMetadata{}
fakeCC = ghttp.NewServer()
ccURL = fakeCC.URL()
fakeUAA = ghttp.NewServer()
u, err := url.Parse(fakeUAA.URL())
Expect(err).NotTo(HaveOccurred())
u.User = url.UserPassword("diego-ssh", "diego-ssh-secret")
u.Path = "/oauth/token"
uaaTokenURL = u.String()
})
JustBeforeEach(func() {
authenticator = authenticators.NewCFAuthenticator(logger, httpClient, ccURL, uaaTokenURL, permissionsBuilder)
permissions, authenErr = authenticator.Authenticate(metadata, password)
})
Describe("UserRegexp", func() {
var regexp *regexp.Regexp
BeforeEach(func() {
regexp = authenticator.UserRegexp()
})
It("matches diego patterns", func() {
Expect(regexp.MatchString("cf:guid/0")).To(BeTrue())
Expect(regexp.MatchString("cf:123-abc-def/00")).To(BeTrue())
Expect(regexp.MatchString("cf:guid/99")).To(BeTrue())
})
actualLRPResponse = receptor.ActualLRPResponse{
ProcessGuid: "app-guid-app-version",
Index: 0,
InstanceGuid: "some-instance-guid",
Address: "1.2.3.4",
Ports: []receptor.PortMapping{
{ContainerPort: 1111, HostPort: 3333},
},
}
receptorClient.ActualLRPByProcessGuidAndIndexReturns(actualLRPResponse, nil)
receptorClient.GetDesiredLRPReturns(desiredLRPResponse, nil)
})
JustBeforeEach(func() {
authenticator = authenticators.NewCFAuthenticator(logger, ccClient, ccURL, receptorClient)
permissions, err = authenticator.Authenticate(metadata, password)
})
Context("when a client has inavlid username or password", func() {
Context("and the guid is malformed", func() {
BeforeEach(func() {
metadata.UserReturns("cf:%X%FF/1")
})
It("fails to authenticate", func() {
Expect(err).To(Equal(authenticators.InvalidRequestErr))
Expect(fakeCC.ReceivedRequests()).To(HaveLen(0))
})
})
