func TestCLIGetToken(t *testing.T) {
testutil.DeleteAllEtcdKeys()
// setup
etcdClient := testutil.NewEtcdClient()
etcdHelper, _ := master.NewEtcdHelper(etcdClient, latest.Version, etcdtest.PathPrefix())
accessTokenStorage := accesstokenetcd.NewREST(etcdHelper)
accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage)
authorizeTokenStorage := authorizetokenetcd.NewREST(etcdHelper)
authorizeTokenRegistry := authorizetokenregistry.NewRegistry(authorizeTokenStorage)
clientStorage := clientetcd.NewREST(etcdHelper)
clientRegistry := clientregistry.NewRegistry(clientStorage)
clientAuthStorage := clientauthetcd.NewREST(etcdHelper)
clientAuthRegistry := clientauthregistry.NewRegistry(clientAuthStorage)
userStorage := useretcd.NewREST(etcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(etcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(identityRegistry, userRegistry)
authRequestHandler := basicauthrequest.NewBasicAuthAuthentication(allowanypassword.New("get-token-test", identityMapper), true)
authHandler := oauthhandlers.NewUnionAuthenticationHandler(
map[string]oauthhandlers.AuthenticationChallenger{"login": passwordchallenger.NewBasicAuthChallenger("openshift")}, nil, nil)
storage := registrystorage.New(accessTokenRegistry, authorizeTokenRegistry, clientRegistry, oauthregistry.NewUserConversion())
config := osinserver.NewDefaultServerConfig()
grantChecker := oauthregistry.NewClientAuthorizationGrantChecker(clientAuthRegistry)
grantHandler := oauthhandlers.NewAutoGrant()
server := osinserver.New(
config,
storage,
osinserver.AuthorizeHandlers{
oauthhandlers.NewAuthorizeAuthenticator(
authRequestHandler,
authHandler,
oauthhandlers.EmptyError{},
),
oauthhandlers.NewGrantCheck(
grantChecker,
grantHandler,
oauthhandlers.EmptyError{},
),
},
osinserver.AccessHandlers{
oauthhandlers.NewDenyAccessAuthenticator(),
},
osinserver.NewDefaultErrorHandler(),
)
mux := http.NewServeMux()
server.Install(mux, origin.OpenShiftOAuthAPIPrefix)
oauthServer := httptest.NewServer(http.Handler(mux))
defer oauthServer.Close()
t.Logf("oauth server is on %v\n", oauthServer.URL)
// create the default oauth clients with redirects to our server
origin.CreateOrUpdateDefaultOAuthClients(oauthServer.URL, []string{oauthServer.URL}, clientRegistry)
flags := pflag.NewFlagSet("test-flags", pflag.ContinueOnError)
clientCfg := clientcmd.NewConfig()
clientCfg.Bind(flags)
flags.Parse(strings.Split("--master="+oauthServer.URL, " "))
reader := bytes.NewBufferString("user\npass")
accessToken, err := tokencmd.RequestToken(clientCfg.OpenShiftConfig(), reader, "", "")
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Error("Expected accessToken, but did not get one")
}
// lets see if this access token is any good
token, err := accessTokenRegistry.GetAccessToken(kapi.NewContext(), accessToken)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if token.UserName != "user" {
t.Errorf("Expected token for \"user\", but got: %#v", token)
}
}
func TestHandler(t *testing.T) {
_ = handlers.NewUnionAuthenticationHandler(nil, map[string]handlers.AuthenticationRedirector{"handler": &Handler{}}, nil)
}
func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler handlers.AuthenticationErrorHandler) (handlers.AuthenticationHandler, error) {
challengers := map[string]handlers.AuthenticationChallenger{}
redirectors := map[string]handlers.AuthenticationRedirector{}
for _, identityProvider := range c.Options.IdentityProviders {
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)
if configapi.IsPasswordAuthenticator(identityProvider) {
if identityProvider.UseAsLogin {
if c.OpenshiftEnabled {
passwordAuth, err := c.getPasswordAuthenticator(identityProvider)
if err != nil {
return nil, err
}
//map[string]handlers.AuthenticationRedirector
// Password auth requires:
// 1. a session success handler (to remember you logged in)
// 2. a redirectSuccessHandler (to go back to the "then" param)
if c.SessionAuth == nil {
return nil, errors.New("SessionAuth is required for password-based login")
}
passwordSuccessHandler := handlers.AuthenticationSuccessHandlers{c.SessionAuth, redirectSuccessHandler{}}
redirectors["login"] = &redirector{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"}
login := login.NewLogin(c.getCSRF(), &callbackPasswordAuthenticator{passwordAuth, passwordSuccessHandler}, login.DefaultLoginFormRenderer)
login.Install(mux, OpenShiftLoginPrefix)
}
}
if identityProvider.UseAsChallenger {
challengers["login"] = passwordchallenger.NewBasicAuthChallenger("openshift")
}
} else if configapi.IsOAuthIdentityProvider(identityProvider) {
oauthProvider, err := c.getOAuthProvider(identityProvider)
if err != nil {
return nil, err
}
// Default state builder, combining CSRF and return URL handling
state := external.CSRFRedirectingState(c.getCSRF())
// OAuth auth requires
// 1. a session success handler (to remember you logged in)
// 2. a state success handler (to go back to the URL encoded in the state)
if c.SessionAuth == nil {
return nil, errors.New("SessionAuth is required for OAuth-based login")
}
oauthSuccessHandler := handlers.AuthenticationSuccessHandlers{c.SessionAuth, state}
// If the specified errorHandler doesn't handle the login error, let the state error handler attempt to propagate specific errors back to the token requester
oauthErrorHandler := handlers.AuthenticationErrorHandlers{errorHandler, state}
callbackPath := path.Join(OpenShiftOAuthCallbackPrefix, identityProvider.Name)
oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.Options.MasterPublicURL+callbackPath, oauthSuccessHandler, oauthErrorHandler, identityMapper)
if err != nil {
return nil, fmt.Errorf("unexpected error: %v", err)
}
mux.Handle(callbackPath, oauthHandler)
if identityProvider.UseAsLogin {
redirectors[identityProvider.Name] = oauthHandler
}
if identityProvider.UseAsChallenger {
return nil, errors.New("oauth identity providers cannot issue challenges")
}
}
}
if len(redirectors) > 0 && len(challengers) == 0 {
// Add a default challenger that will warn and give a link to the web browser token-granting location
challengers["placeholder"] = placeholderchallenger.New(OpenShiftOAuthTokenRequestURL(c.Options.MasterPublicURL))
}
authHandler := handlers.NewUnionAuthenticationHandler(challengers, redirectors, errorHandler)
return authHandler, nil
}
