func TestLogin(t *testing.T) {
clientcmd.DefaultCluster = clientcmdapi.Cluster{Server: ""}
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
username := "******"
password := "******"
project := "the-singularity-is-near"
server := clusterAdminClientConfig.Host
loginOptions := newLoginOptions(server, username, password, true)
if err := loginOptions.GatherInfo(); err != nil {
t.Fatalf("Error trying to determine server info: %v", err)
}
if loginOptions.Username != username {
t.Fatalf("Unexpected user after authentication: %#v", loginOptions)
}
newProjectOptions := &newproject.NewProjectOptions{
Client: clusterAdminClient,
ProjectName: project,
AdminRole: bootstrappolicy.AdminRoleName,
AdminUser: username,
}
if err := newProjectOptions.Run(false); err != nil {
t.Fatalf("unexpected error, a project is required to continue: %v", err)
}
oClient, _ := client.New(loginOptions.Config)
p, err := oClient.Projects().Get(project)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if p.Name != project {
t.Fatalf("unexpected project: %#v", p)
}
// TODO Commented because of incorrectly hitting cache when listing projects.
// Should be enabled again when cache eviction is properly fixed.
// err = loginOptions.GatherProjectInfo()
// if err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
// if loginOptions.Project != project {
// t.Fatalf("Expected project %v but got %v", project, loginOptions.Project)
// }
// configFile, err := ioutil.TempFile("", "openshiftconfig")
// if err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
// defer os.Remove(configFile.Name())
// if _, err = loginOptions.SaveConfig(configFile.Name()); err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
userWhoamiOptions := cmd.WhoAmIOptions{UserInterface: oClient.Users(), Out: ioutil.Discard}
retrievedUser, err := userWhoamiOptions.WhoAmI()
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if retrievedUser.Name != username {
t.Errorf("expected %v, got %v", retrievedUser.Name, username)
}
adminWhoamiOptions := cmd.WhoAmIOptions{UserInterface: clusterAdminClient.Users(), Out: ioutil.Discard}
retrievedAdmin, err := adminWhoamiOptions.WhoAmI()
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if retrievedAdmin.Name != "system:admin" {
t.Errorf("expected %v, got %v", retrievedAdmin.Name, "system:admin")
}
}
// TestOAuthOIDC checks CLI password login against an OIDC provider
func TestOAuthOIDC(t *testing.T) {
tokenCalled := false
userinfoCalled := false
expectedTokenPost := url.Values{
"grant_type": []string{"password"},
"client_id": []string{"myclient"},
"client_secret": []string{"mysecret"},
"username": []string{"mylogin"},
"password": []string{"mypassword"},
"scope": []string{"openid scope1 scope2"},
}
// id_token made at https://jwt.io/
// {
// "sub": "mysub",
// "name": "John Doe",
// "myidclaim": "myid",
// "myemailclaim":"myemail",
// }
tokenResponse := `{
"token_type": "bearer",
"access_token": "12345",
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteXN1YiIsIm5hbWUiOiJKb2huIERvZSIsIm15aWRjbGFpbSI6Im15aWQiLCJteWVtYWlsY2xhaW0iOiJteWVtYWlsIn0.yMx2ZQw8Su641H_kO8ec_tFaysrFEc9uFUFm4ZbLGHw"
}`
// Additional claims in userInfo (sub claim must match)
userinfoResponse := `{
"sub": "mysub",
"mynameclaim":"myname",
"myusernameclaim":"myusername"
}`
// Write cert we're going to use to verify OIDC server requests
caFile, err := ioutil.TempFile("", "test.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(caFile.Name())
if err := ioutil.WriteFile(caFile.Name(), oidcLocalhostCert, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get master config
testutil.RequireEtcd(t)
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Set up a dummy OIDC server
oidcServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.String() {
case "/token":
if r.Method != "POST" {
t.Fatalf("Expected POST to /token, got %s", r.Method)
}
if err := r.ParseForm(); err != nil {
t.Fatalf("Error parsing form POSTed to /token: %v", err)
}
if !reflect.DeepEqual(r.PostForm, expectedTokenPost) {
t.Fatalf("Expected\n%#v\ngot\n%#v", expectedTokenPost, r.PostForm)
}
w.Write([]byte(tokenResponse))
tokenCalled = true
case "/userinfo":
if r.Header.Get("Authorization") != "Bearer 12345" {
t.Fatalf("Expected authorization header, got %#v", r.Header)
}
w.Write([]byte(userinfoResponse))
userinfoCalled = true
default:
t.Fatalf("Unexpected OIDC request: %v", r.URL.String())
}
}))
cert, err := tls.X509KeyPair(oidcLocalhostCert, oidcLocalhostKey)
oidcServer.TLS = &tls.Config{
Certificates: []tls.Certificate{cert},
}
oidcServer.StartTLS()
defer oidcServer.Close()
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "oidc",
UseAsChallenger: true,
UseAsLogin: true,
MappingMethod: "claim",
Provider: &configapi.OpenIDIdentityProvider{
CA: caFile.Name(),
ClientID: "myclient",
ClientSecret: configapi.StringSource{StringSourceSpec: configapi.StringSourceSpec{Value: "mysecret"}},
ExtraScopes: []string{"scope1", "scope2"},
URLs: configapi.OpenIDURLs{
Authorize: oidcServer.URL + "/authorize",
Token: oidcServer.URL + "/token",
UserInfo: oidcServer.URL + "/userinfo",
},
Claims: configapi.OpenIDClaims{
ID: []string{"myidclaim"},
Email: []string{"myemailclaim"},
Name: []string{"mynameclaim"},
PreferredUsername: []string{"myusernameclaim"},
},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get the master CA data for the login command
masterCAFile := clientConfig.CAFile
if masterCAFile == "" {
// Write master ca data
tmpFile, err := ioutil.TempFile("", "ca.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(tmpFile.Name())
if err := ioutil.WriteFile(tmpFile.Name(), clientConfig.CAData, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterCAFile = tmpFile.Name()
}
// Attempt a login using a redirecting auth proxy
loginOutput := &bytes.Buffer{}
loginOptions := &cmd.LoginOptions{
Server: clientConfig.Host,
CAFile: masterCAFile,
StartingKubeConfig: &clientcmdapi.Config{},
Reader: bytes.NewBufferString("mylogin\nmypassword\n"),
Out: loginOutput,
}
if err := loginOptions.GatherInfo(); err != nil {
t.Fatalf("Error logging in: %v\n%v", err, loginOutput.String())
}
if loginOptions.Username != "myusername" {
t.Fatalf("Unexpected user after authentication: %#v", loginOptions)
}
if len(loginOptions.Config.BearerToken) == 0 {
t.Fatalf("Expected token after authentication: %#v", loginOptions.Config)
}
// Ex
userConfig := &restclient.Config{
Host: clientConfig.Host,
TLSClientConfig: restclient.TLSClientConfig{
CAFile: clientConfig.CAFile,
CAData: clientConfig.CAData,
},
BearerToken: loginOptions.Config.BearerToken,
}
userClient, err := client.New(userConfig)
userWhoamiOptions := cmd.WhoAmIOptions{UserInterface: userClient.Users(), Out: ioutil.Discard}
retrievedUser, err := userWhoamiOptions.WhoAmI()
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if retrievedUser.Name != "myusername" {
t.Errorf("expected username %v, got %v", "myusername", retrievedUser.Name)
}
if retrievedUser.FullName != "myname" {
t.Errorf("expected display name %v, got %v", "myname", retrievedUser.FullName)
}
if !reflect.DeepEqual([]string{"oidc:myid"}, retrievedUser.Identities) {
t.Errorf("expected only oidc:myid identity, got %v", retrievedUser.Identities)
}
}
