// dialToServer takes the Server URL from the given clientConfig and dials to
// make sure the server is reachable. Note the config received is not mutated.
func dialToServer(clientConfig restclient.Config) error {
// take a RoundTripper based on the config we already have (TLS, proxies, etc)
rt, err := restclient.TransportFor(&clientConfig)
if err != nil {
return err
}
parsedURL, err := url.Parse(clientConfig.Host)
if err != nil {
return err
}
// Do a HEAD request to serverPathToDial to make sure the server is alive.
// We don't care about the response, any err != nil is valid for the sake of reachability.
serverURLToDial := (&url.URL{Scheme: parsedURL.Scheme, Host: parsedURL.Host, Path: "/"}).String()
req, err := http.NewRequest("HEAD", serverURLToDial, nil)
if err != nil {
return err
}
res, err := rt.RoundTrip(req)
if err != nil {
return err
}
defer res.Body.Close()
return nil
}
// NewProxyServer creates and installs a new ProxyServer.
// It automatically registers the created ProxyServer to http.DefaultServeMux.
// 'filter', if non-nil, protects requests to the api only.
func NewProxyServer(filebase string, apiProxyPrefix string, staticPrefix string, filter *FilterServer, cfg *restclient.Config) (*ProxyServer, error) {
host := cfg.Host
if !strings.HasSuffix(host, "/") {
host = host + "/"
}
target, err := url.Parse(host)
if err != nil {
return nil, err
}
proxy := newProxy(target)
if proxy.Transport, err = restclient.TransportFor(cfg); err != nil {
return nil, err
}
proxyServer := http.Handler(proxy)
if filter != nil {
proxyServer = filter.HandlerFor(proxyServer)
}
if !strings.HasPrefix(apiProxyPrefix, "/api") {
proxyServer = stripLeaveSlash(apiProxyPrefix, proxyServer)
}
mux := http.NewServeMux()
mux.Handle(apiProxyPrefix, proxyServer)
if filebase != "" {
// Require user to explicitly request this behavior rather than
// serving their working directory by default.
mux.Handle(staticPrefix, newFileHandler(staticPrefix, filebase))
}
return &ProxyServer{handler: mux}, nil
}
func init() {
cache, err := newDigestToRepositoryCache(1024)
if err != nil {
panic(err)
}
cachedLayers = cache
// load the client when the middleware is initialized, which allows test code to change
// DefaultRegistryClient before starting a registry.
repomw.Register("openshift",
func(ctx context.Context, repo distribution.Repository, options map[string]interface{}) (distribution.Repository, error) {
registryClient, quotaClient, err := DefaultRegistryClient.Clients()
if err != nil {
return nil, err
}
return newRepositoryWithClient(registryClient, quotaClient, ctx, repo, options)
},
)
secureTransport = http.DefaultTransport
insecureTransport, err = restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
panic(fmt.Sprintf("Unable to configure a default transport for importing insecure images: %v", err))
}
}
// RunStartBuildWebHook tries to trigger the provided webhook. It will attempt to utilize the current client
// configuration if the webhook has the same URL.
func (o *StartBuildOptions) RunStartBuildWebHook() error {
repo := o.Git
hook, err := url.Parse(o.FromWebhook)
if err != nil {
return err
}
event, err := hookEventFromPostReceive(repo, o.GitRepository, o.GitPostReceive)
if err != nil {
return err
}
// TODO: should be a versioned struct
var data []byte
if event != nil {
data, err = json.Marshal(event)
if err != nil {
return err
}
}
httpClient := http.DefaultClient
// when using HTTPS, try to reuse the local config transport if possible to get a client cert
// TODO: search all configs
if hook.Scheme == "https" {
config, err := o.ClientConfig.ClientConfig()
if err == nil {
if url, _, err := restclient.DefaultServerURL(config.Host, "", unversioned.GroupVersion{}, true); err == nil {
if netutil.CanonicalAddr(url) == netutil.CanonicalAddr(hook) && url.Scheme == hook.Scheme {
if rt, err := restclient.TransportFor(config); err == nil {
httpClient = &http.Client{Transport: rt}
}
}
}
}
}
glog.V(4).Infof("Triggering hook %s\n%s", hook, string(data))
resp, err := httpClient.Post(hook.String(), "application/json", bytes.NewBuffer(data))
if err != nil {
return err
}
defer resp.Body.Close()
switch {
case resp.StatusCode == 301 || resp.StatusCode == 302:
// TODO: follow redirect and display output
case resp.StatusCode < 200 || resp.StatusCode >= 300:
body, _ := ioutil.ReadAll(resp.Body)
return fmt.Errorf("server rejected our request %d\nremote: %s", resp.StatusCode, string(body))
}
return nil
}
// NewUpgradeAwareSingleHostReverseProxy creates a new UpgradeAwareSingleHostReverseProxy.
func NewUpgradeAwareSingleHostReverseProxy(clientConfig *restclient.Config, backendAddr *url.URL) (*UpgradeAwareSingleHostReverseProxy, error) {
transport, err := restclient.TransportFor(clientConfig)
if err != nil {
return nil, err
}
reverseProxy := httputil.NewSingleHostReverseProxy(backendAddr)
reverseProxy.FlushInterval = 200 * time.Millisecond
p := &UpgradeAwareSingleHostReverseProxy{
clientConfig: clientConfig,
backendAddr: backendAddr,
transport: transport,
reverseProxy: reverseProxy,
}
p.reverseProxy.Transport = p
return p, nil
}
func (r *proxyHandler) updateAPIService(apiService *apiregistrationapi.APIService) {
r.lock.Lock()
defer r.lock.Unlock()
r.transportBuildingError = nil
r.proxyRoundTripper = nil
r.destinationHost = apiService.Spec.Service.Name + "." + apiService.Spec.Service.Namespace + ".svc"
r.restConfig = &restclient.Config{
Insecure: apiService.Spec.InsecureSkipTLSVerify,
TLSClientConfig: restclient.TLSClientConfig{
CertData: r.proxyClientCert,
KeyData: r.proxyClientKey,
CAData: apiService.Spec.CABundle,
},
}
r.proxyRoundTripper, r.transportBuildingError = restclient.TransportFor(r.restConfig)
}
func init() {
cache, err := newDigestToRepositoryCache(defaultDigestToRepositoryCacheSize)
if err != nil {
panic(err)
}
cachedLayers = cache
// load the client when the middleware is initialized, which allows test code to change
// DefaultRegistryClient before starting a registry.
repomw.Register("openshift",
func(ctx context.Context, repo distribution.Repository, options map[string]interface{}) (distribution.Repository, error) {
if dockerRegistry == nil {
panic(fmt.Sprintf("Configuration error: OpenShift registry middleware not activated"))
}
if dockerStorageDriver == nil {
panic(fmt.Sprintf("Configuration error: OpenShift storage driver middleware not activated"))
}
registryOSClient, kClient, errClients := DefaultRegistryClient.Clients()
if errClients != nil {
return nil, errClients
}
if quotaEnforcing == nil {
quotaEnforcing = newQuotaEnforcingConfig(ctx, os.Getenv(EnforceQuotaEnvVar), os.Getenv(ProjectCacheTTLEnvVar), options)
}
return newRepositoryWithClient(registryOSClient, kClient, kClient, ctx, repo, options)
},
)
secureTransport = http.DefaultTransport
insecureTransport, err = restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
panic(fmt.Sprintf("Unable to configure a default transport for importing insecure images: %v", err))
}
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
kubeletClient, err := kubeletclient.NewStaticKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
// TODO: allow the system CAs and the local CAs to be joined together.
importTransport, err := restclient.TransportFor(&restclient.Config{})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
insecureImportTransport, err := restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
buildStorage, buildDetailsStorage, err := buildetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage, err := buildconfigetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage, deployConfigStatusStorage, deployConfigScaleStorage, err := deployconfigetcd.NewREST(c.RESTOptionsGetter)
dcInstantiateOriginClient, dcInstantiateKubeClient := c.DeploymentConfigInstantiateClients()
dcInstantiateStorage := deployconfiginstantiate.NewREST(
*deployConfigStorage.Store,
dcInstantiateOriginClient,
dcInstantiateKubeClient,
c.ExternalVersionCodec,
c.AdmissionControl,
)
checkStorageErr(err)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeStorage, routeStatusStorage, err := routeetcd.NewREST(c.RESTOptionsGetter, routeAllocator)
checkStorageErr(err)
hostSubnetStorage, err := hostsubnetetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
netNamespaceStorage, err := netnamespaceetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
clusterNetworkStorage, err := clusternetworketcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
egressNetworkPolicyStorage, err := egressnetworkpolicyetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userStorage, err := useretcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage, err := identityetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
groupStorage, err := groupetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
policyStorage, err := policyetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicystorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingstorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, c.RuleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, c.RuleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
podSecurityPolicyReviewStorage := podsecuritypolicyreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySubjectStorage := podsecuritypolicysubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySelfSubjectReviewStorage := podsecuritypolicyselfsubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
imageStorage, err := imageetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
imageRegistry := image.NewRegistry(imageStorage)
imageSignatureStorage := imagesignature.NewREST(c.PrivilegedLoopbackOpenShiftClient.Images())
imageStreamSecretsStorage := imagesecret.NewREST(c.ImageStreamSecretClient())
imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage, err := imagestreametcd.NewREST(c.RESTOptionsGetter, c.RegistryNameFn, subjectAccessReviewRegistry, c.LimitVerifier)
checkStorageErr(err)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry, c.RegistryNameFn)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
importerFn := func(r importer.RepositoryRetriever) imageimporter.Interface {
return imageimporter.NewImageStreamImporter(r, c.Options.ImagePolicyConfig.MaxImagesBulkImportedPerRepository, flowcontrol.NewTokenBucketRateLimiter(2.0, 3))
}
importerDockerClientFn := func() dockerregistry.Client {
return dockerregistry.NewClient(20*time.Second, false)
}
imageStreamImportStorage := imagestreamimport.NewREST(importerFn, imageStreamRegistry, internalImageStreamStorage, imageStorage, c.ImageStreamImportSecretClient(), importTransport, insecureImportTransport, importerDockerClientFn)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
configClient, kclient := c.DeploymentConfigClients()
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployrollback.NewRollbackGenerator().GenerateRollback,
}
deployConfigRollbackStorage := deployrollback.NewREST(configClient, kclient, c.ExternalVersionCodec)
projectStorage := projectproxy.NewREST(c.PrivilegedLoopbackKubernetesClient.Namespaces(), c.ProjectAuthorizationCache, c.ProjectAuthorizationCache, c.ProjectCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient, c.Informers.PolicyBindings().Lister())
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
clientStorage, err := clientetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
clientRegistry := clientregistry.NewRegistry(clientStorage)
// If OAuth is disabled, set the strategy to Deny
saAccountGrantMethod := oauthapi.GrantHandlerDeny
if c.Options.OAuthConfig != nil {
// Otherwise, take the value provided in master-config.yaml
saAccountGrantMethod = oauthapi.GrantHandlerType(c.Options.OAuthConfig.GrantConfig.ServiceAccountMethod)
}
combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(c.KubeClient(), c.KubeClient(), clientRegistry, saAccountGrantMethod)
authorizeTokenStorage, err := authorizetokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
accessTokenStorage, err := accesstokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
clientAuthorizationStorage, err := clientauthetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
templateStorage, err := templateetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
storage := map[string]rest.Storage{
"images": imageStorage,
"imagesignatures": imageSignatureStorage,
"imageStreams/secrets": imageStreamSecretsStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImports": imageStreamImportStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"deploymentConfigs": deployConfigStorage,
"deploymentConfigs/scale": deployConfigScaleStorage,
"deploymentConfigs/status": deployConfigStatusStorage,
"deploymentConfigs/rollback": deployConfigRollbackStorage,
"deploymentConfigs/log": deploylogregistry.NewREST(configClient, kclient, c.DeploymentLogClient(), kubeletClient),
"deploymentConfigs/instantiate": dcInstantiateStorage,
// TODO: Deprecate these
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.ExternalVersionCodec),
"deploymentConfigRollbacks": deployrollback.NewDeprecatedREST(deployRollbackClient, c.ExternalVersionCodec),
"processedTemplates": templateregistry.NewREST(),
"templates": templateStorage,
"routes": routeStorage,
"routes/status": routeStatusStorage,
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"netNamespaces": netNamespaceStorage,
"clusterNetworks": clusterNetworkStorage,
"egressNetworkPolicies": egressNetworkPolicyStorage,
"users": userStorage,
"groups": groupStorage,
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizeTokenStorage,
"oAuthAccessTokens": accessTokenStorage,
"oAuthClients": clientStorage,
"oAuthClientAuthorizations": clientAuthorizationStorage,
"resourceAccessReviews": resourceAccessReviewStorage,
"subjectAccessReviews": subjectAccessReviewStorage,
"localSubjectAccessReviews": localSubjectAccessReviewStorage,
"localResourceAccessReviews": localResourceAccessReviewStorage,
"selfSubjectRulesReviews": selfSubjectRulesReviewStorage,
"subjectRulesReviews": subjectRulesReviewStorage,
"podSecurityPolicyReviews": podSecurityPolicyReviewStorage,
"podSecurityPolicySubjectReviews": podSecurityPolicySubjectStorage,
"podSecurityPolicySelfSubjectReviews": podSecurityPolicySelfSubjectReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
"clusterResourceQuotas": restInPeace(clusterresourcequotaregistry.NewStorage(c.RESTOptionsGetter)),
"clusterResourceQuotas/status": updateInPeace(clusterresourcequotaregistry.NewStatusStorage(c.RESTOptionsGetter)),
"appliedClusterResourceQuotas": appliedclusterresourcequotaregistry.NewREST(
c.ClusterQuotaMappingController.GetClusterQuotaMapper(), c.Informers.ClusterResourceQuotas().Lister(), c.Informers.Namespaces().Lister()),
}
if configapi.IsBuildEnabled(&c.Options) {
storage["builds"] = buildStorage
storage["buildConfigs"] = buildConfigStorage
storage["buildConfigs/webhooks"] = buildConfigWebHooks
storage["builds/clone"] = buildclone.NewStorage(buildGenerator)
storage["buildConfigs/instantiate"] = buildconfiginstantiate.NewStorage(buildGenerator)
storage["buildConfigs/instantiatebinary"] = buildconfiginstantiate.NewBinaryStorage(buildGenerator, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/log"] = buildlogregistry.NewREST(buildStorage, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/details"] = buildDetailsStorage
}
return storage
}
// RequestToken uses the cmd arguments to locate an openshift oauth server and attempts to authenticate
// it returns the access token if it gets one. An error if it does not
func RequestToken(clientCfg *restclient.Config, reader io.Reader, defaultUsername string, defaultPassword string) (string, error) {
challengeHandler := &BasicChallengeHandler{
Host: clientCfg.Host,
Reader: reader,
Username: defaultUsername,
Password: defaultPassword,
}
rt, err := restclient.TransportFor(clientCfg)
if err != nil {
return "", err
}
// requestURL holds the current URL to make requests to. This can change if the server responds with a redirect
requestURL := clientCfg.Host + "/oauth/authorize?response_type=token&client_id=openshift-challenging-client"
// requestHeaders holds additional headers to add to the request. This can be changed by challengeHandlers
requestHeaders := http.Header{}
// requestedURLSet/requestedURLList hold the URLs we have requested, to prevent redirect loops. Gets reset when a challenge is handled.
requestedURLSet := sets.NewString()
requestedURLList := []string{}
for {
// Make the request
resp, err := request(rt, requestURL, requestHeaders)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusUnauthorized {
if resp.Header.Get("WWW-Authenticate") != "" {
if !challengeHandler.CanHandle(resp.Header) {
return "", apierrs.NewUnauthorized("unhandled challenge")
}
// Handle a challenge
newRequestHeaders, shouldRetry, err := challengeHandler.HandleChallenge(resp.Header)
if err != nil {
return "", err
}
if !shouldRetry {
return "", apierrs.NewUnauthorized("challenger chose not to retry the request")
}
// Reset request set/list. Since we're setting different headers, it is legitimate to request the same urls
requestedURLSet = sets.NewString()
requestedURLList = []string{}
// Use the response to the challenge as the new headers
requestHeaders = newRequestHeaders
continue
}
// Unauthorized with no challenge
unauthorizedError := apierrs.NewUnauthorized("")
// Attempt to read body content and include as an error detail
if details, err := ioutil.ReadAll(resp.Body); err == nil && len(details) > 0 {
unauthorizedError.ErrStatus.Details = &unversioned.StatusDetails{
Causes: []unversioned.StatusCause{
{Message: string(details)},
},
}
}
return "", unauthorizedError
}
if resp.StatusCode == http.StatusFound {
redirectURL := resp.Header.Get("Location")
// OAuth response case (access_token or error parameter)
accessToken, err := oauthAuthorizeResult(redirectURL)
if err != nil {
return "", err
}
if len(accessToken) > 0 {
return accessToken, err
}
// Non-OAuth response, just follow the URL
// add to our list of redirects
requestedURLList = append(requestedURLList, redirectURL)
// detect loops
if !requestedURLSet.Has(redirectURL) {
requestedURLSet.Insert(redirectURL)
requestURL = redirectURL
continue
}
return "", apierrs.NewInternalError(fmt.Errorf("redirect loop: %s", strings.Join(requestedURLList, " -> ")))
}
// Unknown response
return "", apierrs.NewInternalError(fmt.Errorf("unexpected response: %d", resp.StatusCode))
}
}
func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
issuer := cfg[cfgIssuerUrl]
if issuer == "" {
return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
}
clientID := cfg[cfgClientID]
if clientID == "" {
return nil, fmt.Errorf("Must provide %s", cfgClientID)
}
clientSecret := cfg[cfgClientSecret]
if clientSecret == "" {
return nil, fmt.Errorf("Must provide %s", cfgClientSecret)
}
// Check cache for existing provider.
if provider, ok := cache.getClient(issuer, clientID, clientSecret); ok {
return provider, nil
}
var certAuthData []byte
var err error
if cfg[cfgCertificateAuthorityData] != "" {
certAuthData, err = base64.StdEncoding.DecodeString(cfg[cfgCertificateAuthorityData])
if err != nil {
return nil, err
}
}
clientConfig := restclient.Config{
TLSClientConfig: restclient.TLSClientConfig{
CAFile: cfg[cfgCertificateAuthority],
CAData: certAuthData,
},
}
trans, err := restclient.TransportFor(&clientConfig)
if err != nil {
return nil, err
}
hc := &http.Client{Transport: trans}
providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
if err != nil {
return nil, fmt.Errorf("error fetching provider config: %v", err)
}
scopes := strings.Split(cfg[cfgExtraScopes], ",")
oidcCfg := oidc.ClientConfig{
HTTPClient: hc,
Credentials: oidc.ClientCredentials{
ID: clientID,
Secret: clientSecret,
},
ProviderConfig: providerCfg,
Scope: append(scopes, oidc.DefaultScope...),
}
client, err := oidc.NewClient(oidcCfg)
if err != nil {
return nil, fmt.Errorf("error creating OIDC Client: %v", err)
}
provider := &oidcAuthProvider{
client: &oidcClient{client},
cfg: cfg,
persister: persister,
now: time.Now,
}
return cache.setClient(issuer, clientID, clientSecret, provider), nil
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
defaultRegistry := env("OPENSHIFT_DEFAULT_REGISTRY", "${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT}")
svcCache := service.NewServiceResolverCache(c.KubeClient().Services(kapi.NamespaceDefault).Get)
defaultRegistryFunc, err := svcCache.Defer(defaultRegistry)
if err != nil {
glog.Fatalf("OPENSHIFT_DEFAULT_REGISTRY variable is invalid %q: %v", defaultRegistry, err)
}
kubeletClient, err := kubeletclient.NewStaticKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
// TODO: allow the system CAs and the local CAs to be joined together.
importTransport, err := restclient.TransportFor(&restclient.Config{})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
insecureImportTransport, err := restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
applicationStorage := application.NewREST(c.EtcdHelper, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
serviceBrokerStorage := servicebroker.NewREST(c.EtcdHelper, c.BackingServiceInstanceControllerClients())
backingServiceStorage := backingservice.NewREST(c.EtcdHelper, c.BackingServiceInstanceControllerClients())
buildStorage, buildDetailsStorage := buildetcd.NewREST(c.EtcdHelper)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage := buildconfigetcd.NewREST(c.EtcdHelper)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage, deployConfigScaleStorage := deployconfigetcd.NewREST(c.EtcdHelper, c.DeploymentConfigScaleClient())
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeStorage, routeStatusStorage := routeetcd.NewREST(c.EtcdHelper, routeAllocator)
hostSubnetStorage := hostsubnetetcd.NewREST(c.EtcdHelper)
netNamespaceStorage := netnamespaceetcd.NewREST(c.EtcdHelper)
clusterNetworkStorage := clusternetworketcd.NewREST(c.EtcdHelper)
userStorage := useretcd.NewREST(c.EtcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(c.EtcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
policyStorage := policyetcd.NewStorage(c.EtcdHelper)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage := policybindingetcd.NewStorage(c.EtcdHelper)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage := clusterpolicystorage.NewStorage(c.EtcdHelper)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage := clusterpolicybindingstorage.NewStorage(c.EtcdHelper)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
policyRegistry,
policyBindingRegistry,
clusterPolicyRegistry,
clusterPolicyBindingRegistry,
)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
imageStorage := imageetcd.NewREST(c.EtcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamSecretsStorage := imagesecret.NewREST(c.ImageStreamSecretClient())
imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage := imagestreametcd.NewREST(c.EtcdHelper, imagestream.DefaultRegistryFunc(defaultRegistryFunc), subjectAccessReviewRegistry)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
importerFn := func(r importer.RepositoryRetriever) imageimporter.Interface {
return imageimporter.NewImageStreamImporter(r, c.Options.ImagePolicyConfig.MaxImagesBulkImportedPerRepository, util.NewTokenBucketRateLimiter(2.0, 3))
}
importerDockerClientFn := func() dockerregistry.Client {
return dockerregistry.NewClient(20*time.Second, false)
}
imageStreamImportStorage := imagestreamimport.NewREST(importerFn, imageStreamRegistry, internalImageStreamStorage, imageStorage, c.ImageStreamImportSecretClient(), importTransport, insecureImportTransport, importerDockerClientFn)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
backingServiceInstanceEtcd := backingserviceinstanceetcd.NewREST(c.EtcdHelper)
backingServiceInstanceRegistry := backingserviceinstanceregistry.NewRegistry(backingServiceInstanceEtcd)
backingServiceInstanceBindingEtcd := backingserviceinstanceetcd.NewBindingREST(backingServiceInstanceRegistry, deployConfigRegistry)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
configClient, kclient := c.DeploymentConfigClients()
deployRollback := &deployrollback.RollbackGenerator{}
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployRollback.GenerateRollback,
}
projectStorage := projectproxy.NewREST(kclient.Namespaces(), c.ProjectAuthorizationCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
storage := map[string]rest.Storage{
"images": imageStorage,
"imageStreams/secrets": imageStreamSecretsStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImports": imageStreamImportStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"applications": applicationStorage,
"serviceBrokers": serviceBrokerStorage,
"backingServices": backingServiceStorage,
"backingServiceInstances": backingServiceInstanceEtcd,
"backingServiceInstances/binding": backingServiceInstanceBindingEtcd,
"deploymentConfigs": deployConfigStorage,
"deploymentConfigs/scale": deployConfigScaleStorage,
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.EtcdHelper.Codec()),
"deploymentConfigRollbacks": deployrollback.NewREST(deployRollbackClient, c.EtcdHelper.Codec()),
"deploymentConfigs/log": deploylogregistry.NewREST(configClient, kclient, c.DeploymentLogClient(), kubeletClient),
"processedTemplates": templateregistry.NewREST(),
"templates": templateetcd.NewREST(c.EtcdHelper),
"routes": routeStorage,
"routes/status": routeStatusStorage,
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"netNamespaces": netNamespaceStorage,
"clusterNetworks": clusterNetworkStorage,
"users": userStorage,
"groups": groupetcd.NewREST(c.EtcdHelper),
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizetokenetcd.NewREST(c.EtcdHelper),
"oAuthAccessTokens": accesstokenetcd.NewREST(c.EtcdHelper),
"oAuthClients": clientetcd.NewREST(c.EtcdHelper),
"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper),
"resourceAccessReviews": resourceAccessReviewStorage,
"subjectAccessReviews": subjectAccessReviewStorage,
"localSubjectAccessReviews": localSubjectAccessReviewStorage,
"localResourceAccessReviews": localResourceAccessReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
}
if configapi.IsBuildEnabled(&c.Options) {
storage["builds"] = buildStorage
storage["buildConfigs"] = buildConfigStorage
storage["buildConfigs/webhooks"] = buildConfigWebHooks
storage["builds/clone"] = buildclone.NewStorage(buildGenerator)
storage["buildConfigs/instantiate"] = buildconfiginstantiate.NewStorage(buildGenerator)
storage["buildConfigs/instantiatebinary"] = buildconfiginstantiate.NewBinaryStorage(buildGenerator, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/log"] = buildlogregistry.NewREST(buildStorage, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/details"] = buildDetailsStorage
}
return storage
}
func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
issuer := cfg[cfgIssuerUrl]
if issuer == "" {
return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
}
clientID := cfg[cfgClientID]
if clientID == "" {
return nil, fmt.Errorf("Must provide %s", cfgClientID)
}
clientSecret := cfg[cfgClientSecret]
if clientSecret == "" {
return nil, fmt.Errorf("Must provide %s", cfgClientSecret)
}
var certAuthData []byte
var err error
if cfg[cfgCertificateAuthorityData] != "" {
certAuthData, err = base64.StdEncoding.DecodeString(cfg[cfgCertificateAuthorityData])
if err != nil {
return nil, err
}
}
clientConfig := restclient.Config{
TLSClientConfig: restclient.TLSClientConfig{
CAFile: cfg[cfgCertificateAuthority],
CAData: certAuthData,
},
}
trans, err := restclient.TransportFor(&clientConfig)
if err != nil {
return nil, err
}
hc := &http.Client{Transport: trans}
providerCfg, err := oidc.FetchProviderConfig(hc, strings.TrimSuffix(issuer, "/"))
if err != nil {
return nil, fmt.Errorf("error fetching provider config: %v", err)
}
scopes := strings.Split(cfg[cfgExtraScopes], ",")
oidcCfg := oidc.ClientConfig{
HTTPClient: hc,
Credentials: oidc.ClientCredentials{
ID: clientID,
Secret: clientSecret,
},
ProviderConfig: providerCfg,
Scope: append(scopes, oidc.DefaultScope...),
}
client, err := oidc.NewClient(oidcCfg)
if err != nil {
return nil, fmt.Errorf("error creating OIDC Client: %v", err)
}
oClient := &oidcClient{client}
var initialIDToken jose.JWT
if cfg[cfgIDToken] != "" {
initialIDToken, err = jose.ParseJWT(cfg[cfgIDToken])
if err != nil {
return nil, err
}
}
return &oidcAuthProvider{
initialIDToken: initialIDToken,
refresher: &idTokenRefresher{
client: oClient,
cfg: cfg,
persister: persister,
},
}, nil
}
// RequestToken locates an openshift oauth server and attempts to authenticate.
// It returns the access token if it gets one, or an error if it does not.
// It should only be invoked once on a given RequestTokenOptions instance.
// The Handler held by the options is released as part of this call.
func (o *RequestTokenOptions) RequestToken() (string, error) {
defer func() {
// Always release the handler
if err := o.Handler.Release(); err != nil {
// Release errors shouldn't fail the token request, just log
glog.V(4).Infof("error releasing handler: %v", err)
}
}()
rt, err := restclient.TransportFor(o.ClientConfig)
if err != nil {
return "", err
}
// requestURL holds the current URL to make requests to. This can change if the server responds with a redirect
requestURL := o.ClientConfig.Host + "/oauth/authorize?response_type=token&client_id=openshift-challenging-client"
// requestHeaders holds additional headers to add to the request. This can be changed by o.Handlers
requestHeaders := http.Header{}
// requestedURLSet/requestedURLList hold the URLs we have requested, to prevent redirect loops. Gets reset when a challenge is handled.
requestedURLSet := sets.NewString()
requestedURLList := []string{}
handledChallenge := false
for {
// Make the request
resp, err := request(rt, requestURL, requestHeaders)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusUnauthorized {
if resp.Header.Get("WWW-Authenticate") != "" {
if !o.Handler.CanHandle(resp.Header) {
return "", apierrs.NewUnauthorized("unhandled challenge")
}
// Handle the challenge
newRequestHeaders, shouldRetry, err := o.Handler.HandleChallenge(requestURL, resp.Header)
if err != nil {
return "", err
}
if !shouldRetry {
return "", apierrs.NewUnauthorized("challenger chose not to retry the request")
}
// Remember if we've ever handled a challenge
handledChallenge = true
// Reset request set/list. Since we're setting different headers, it is legitimate to request the same urls
requestedURLSet = sets.NewString()
requestedURLList = []string{}
// Use the response to the challenge as the new headers
requestHeaders = newRequestHeaders
continue
}
// Unauthorized with no challenge
unauthorizedError := apierrs.NewUnauthorized("")
// Attempt to read body content and include as an error detail
if details, err := ioutil.ReadAll(resp.Body); err == nil && len(details) > 0 {
unauthorizedError.ErrStatus.Details = &unversioned.StatusDetails{
Causes: []unversioned.StatusCause{
{Message: string(details)},
},
}
}
return "", unauthorizedError
}
// if we've ever handled a challenge, see if the handler also considers the interaction complete.
// this is required for negotiate flows with mutual authentication.
if handledChallenge {
if err := o.Handler.CompleteChallenge(requestURL, resp.Header); err != nil {
return "", err
}
}
if resp.StatusCode == http.StatusFound {
redirectURL := resp.Header.Get("Location")
// OAuth response case (access_token or error parameter)
accessToken, err := oauthAuthorizeResult(redirectURL)
if err != nil {
return "", err
}
if len(accessToken) > 0 {
return accessToken, err
}
// Non-OAuth response, just follow the URL
// add to our list of redirects
requestedURLList = append(requestedURLList, redirectURL)
// detect loops
if !requestedURLSet.Has(redirectURL) {
requestedURLSet.Insert(redirectURL)
requestURL = redirectURL
continue
}
return "", apierrs.NewInternalError(fmt.Errorf("redirect loop: %s", strings.Join(requestedURLList, " -> ")))
}
// Unknown response
return "", apierrs.NewInternalError(fmt.Errorf("unexpected response: %d", resp.StatusCode))
}
}
func TestRootAPIPaths(t *testing.T) {
testutil.RequireEtcd(t)
masterConfig, adminConfigFile, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error starting test master: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(adminConfigFile)
if err != nil {
t.Fatalf("unexpected error getting cluster admin client config: %v", err)
}
transport, err := restclient.TransportFor(clientConfig)
if err != nil {
t.Fatalf("unexpected error getting transport for client config: %v", err)
}
rootRequest, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL+"/", nil)
rootRequest.Header.Set("Accept", "*/*")
rootResponse, err := transport.RoundTrip(rootRequest)
if err != nil {
t.Fatalf("unexpected error issuing GET to root path: %v", err)
}
var broadcastRootPaths unversioned.RootPaths
if err := json.NewDecoder(rootResponse.Body).Decode(&broadcastRootPaths); err != nil {
t.Fatalf("unexpected error decoding root path response: %v", err)
}
defer rootResponse.Body.Close()
// We need to make sure that any APILevels specified in the config are present in the RootPaths, and that
// any not specified are not
expectedOpenShiftAPILevels := sets.NewString(masterConfig.APILevels...)
expectedKubeAPILevels := sets.NewString(configapi.GetEnabledAPIVersionsForGroup(*masterConfig.KubernetesMasterConfig, kapi.GroupName)...)
actualOpenShiftAPILevels := sets.String{}
actualKubeAPILevels := sets.String{}
for _, route := range broadcastRootPaths.Paths {
if strings.HasPrefix(route, "/oapi/") {
actualOpenShiftAPILevels.Insert(route[6:])
}
if strings.HasPrefix(route, "/api/") {
actualKubeAPILevels.Insert(route[5:])
}
}
if !expectedOpenShiftAPILevels.Equal(actualOpenShiftAPILevels) {
t.Errorf("actual OpenShift API levels served don't match expected levels:\n\texpected:\n\t%s\n\tgot:\n\t%s", expectedOpenShiftAPILevels.List(), actualOpenShiftAPILevels.List())
}
if !expectedKubeAPILevels.Equal(actualKubeAPILevels) {
t.Errorf("actual Kube API levels served don't match expected levels:\n\texpected:\n\t%s\n\tgot:\n\t%s", expectedKubeAPILevels.List(), actualKubeAPILevels.List())
}
// Send a GET to every advertised address and check that we get the correct response
for _, route := range broadcastRootPaths.Paths {
req, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL+route, nil)
req.Header.Set("Accept", "*/*")
resp, err := transport.RoundTrip(req)
if err != nil {
t.Errorf("unexpected error issuing GET for path %q: %v", route, err)
continue
}
expectedCode := http.StatusOK
if resp.StatusCode != expectedCode {
t.Errorf("incorrect status code for %s endpoint: expected %d, got %d", route, expectedCode, resp.StatusCode)
}
}
}
// TestOAuthRequestHeader checks the following scenarios:
// * request containing remote user header is ignored if it doesn't have client cert auth
// * request containing remote user header is honored if it has client cert auth
// * unauthenticated requests are redirected to an auth proxy
// * login command succeeds against a request-header identity provider via redirection to an auth proxy
func TestOAuthRequestHeader(t *testing.T) {
// Test data used by auth proxy
users := map[string]string{
"myusername": "******",
}
// Write cert we're going to use to verify OAuth requestheader requests
caFile, err := ioutil.TempFile("", "test.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(caFile.Name())
if err := ioutil.WriteFile(caFile.Name(), rootCACert, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get master config
testutil.RequireEtcd(t)
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterURL, _ := url.Parse(masterOptions.OAuthConfig.MasterPublicURL)
// Set up an auth proxy
var proxyTransport http.RoundTripper
proxyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Decide whether to challenge
username, password, hasBasicAuth := r.BasicAuth()
if correctPassword, hasUser := users[username]; !hasBasicAuth || !hasUser || password != correctPassword {
w.Header().Set("WWW-Authenticate", "Basic realm=Protected Area")
w.WriteHeader(401)
return
}
// Swap the scheme and host to the master, keeping path and params the same
proxyURL := r.URL
proxyURL.Scheme = masterURL.Scheme
proxyURL.Host = masterURL.Host
// Build a request, copying the original method, body, and headers, overriding the remote user headers
proxyRequest, _ := http.NewRequest(r.Method, proxyURL.String(), r.Body)
proxyRequest.Header = r.Header
proxyRequest.Header.Set("My-Remote-User", username)
proxyRequest.Header.Set("SSO-User", "")
// Round trip to the back end
response, err := proxyTransport.RoundTrip(r)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
defer response.Body.Close()
// Copy response back to originator
for k, v := range response.Header {
w.Header()[k] = v
}
w.WriteHeader(response.StatusCode)
if _, err := io.Copy(w, response.Body); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
}))
defer proxyServer.Close()
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "requestheader",
UseAsChallenger: true,
UseAsLogin: true,
MappingMethod: "claim",
Provider: &configapi.RequestHeaderIdentityProvider{
ChallengeURL: proxyServer.URL + "/oauth/authorize?${query}",
LoginURL: "http://www.example.com/login?then=${url}",
ClientCA: caFile.Name(),
Headers: []string{"My-Remote-User", "SSO-User"},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info, but no client cert info
anonConfig := restclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
anonTransport, err := restclient.TransportFor(&anonConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info, with cert info
proxyConfig := anonConfig
proxyConfig.CertData = clientCert
proxyConfig.KeyData = clientKey
proxyTransport, err = restclient.TransportFor(&proxyConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Build the authorize request, spoofing a remote user header
authorizeURL := clientConfig.Host + "/oauth/authorize?client_id=openshift-challenging-client&response_type=token"
req, err := http.NewRequest("GET", authorizeURL, nil)
req.Header.Set("My-Remote-User", "myuser")
// Make the request without cert auth
resp, err := anonTransport.RoundTrip(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
proxyRedirect, err := resp.Location()
if err != nil {
t.Fatalf("expected spoofed remote user header to get 302 redirect, got error: %v", err)
}
if proxyRedirect.String() != proxyServer.URL+"/oauth/authorize?client_id=openshift-challenging-client&response_type=token" {
t.Fatalf("expected redirect to proxy endpoint, got redirected to %v", proxyRedirect.String())
}
// Request the redirected URL, which should cause the proxy to make the same request with cert auth
req, err = http.NewRequest("GET", proxyRedirect.String(), nil)
req.Header.Set("My-Remote-User", "myuser")
req.SetBasicAuth("myusername", "mypassword")
resp, err = proxyTransport.RoundTrip(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
tokenRedirect, err := resp.Location()
if err != nil {
t.Fatalf("expected 302 redirect, got error: %v", err)
}
if tokenRedirect.Query().Get("error") != "" {
t.Fatalf("expected successful token request, got error %v", tokenRedirect.String())
}
// Extract the access_token
// group #0 is everything. #1 #2 #3
accessTokenRedirectRegex := regexp.MustCompile(`(^|&)access_token=([^&]+)($|&)`)
accessToken := ""
if matches := accessTokenRedirectRegex.FindStringSubmatch(tokenRedirect.Fragment); matches != nil {
accessToken = matches[2]
}
if accessToken == "" {
t.Fatalf("Expected access token, got %s", tokenRedirect.String())
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != "myusername" {
t.Fatalf("Expected myusername as the user, got %v", user)
}
// Get the master CA data for the login command
masterCAFile := userConfig.CAFile
if masterCAFile == "" {
// Write master ca data
tmpFile, err := ioutil.TempFile("", "ca.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(tmpFile.Name())
if err := ioutil.WriteFile(tmpFile.Name(), userConfig.CAData, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterCAFile = tmpFile.Name()
}
// Attempt a login using a redirecting auth proxy
loginOutput := &bytes.Buffer{}
loginOptions := &cmd.LoginOptions{
Server: anonConfig.Host,
CAFile: masterCAFile,
StartingKubeConfig: &clientcmdapi.Config{},
Reader: bytes.NewBufferString("myusername\nmypassword\n"),
Out: loginOutput,
}
if err := loginOptions.GatherInfo(); err != nil {
t.Fatalf("Error trying to determine server info: %v\n%v", err, loginOutput.String())
}
if loginOptions.Username != "myusername" {
t.Fatalf("Unexpected user after authentication: %#v", loginOptions)
}
if len(loginOptions.Config.BearerToken) == 0 {
t.Fatalf("Expected token after authentication: %#v", loginOptions.Config)
}
}
// TestOAuthRequestHeader checks the following scenarios:
// * request containing remote user header is ignored if it doesn't have client cert auth
// * request containing remote user header is honored if it has valid client cert auth matching ClientCommonNames
// * unauthenticated requests are redirected to an auth proxy
// * login command succeeds against a request-header identity provider via redirection to an auth proxy
func TestOAuthRequestHeader(t *testing.T) {
// Test data used by auth proxy
users := map[string]string{
"myusername": "******",
}
// Write cert we're going to use to verify OAuth requestheader requests
caFile, err := ioutil.TempFile("", "test.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(caFile.Name())
if err := ioutil.WriteFile(caFile.Name(), rootCACert, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get master config
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterURL, _ := url.Parse(masterOptions.OAuthConfig.MasterPublicURL)
// Set up an auth proxy
var proxyTransport http.RoundTripper
proxyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Decide whether to challenge
username, password, hasBasicAuth := r.BasicAuth()
if correctPassword, hasUser := users[username]; !hasBasicAuth || !hasUser || password != correctPassword {
w.Header().Set("WWW-Authenticate", "Basic realm=Protected Area")
w.WriteHeader(401)
return
}
// Swap the scheme and host to the master, keeping path and params the same
proxyURL := r.URL
proxyURL.Scheme = masterURL.Scheme
proxyURL.Host = masterURL.Host
// Build a request, copying the original method, body, and headers, overriding the remote user headers
proxyRequest, _ := http.NewRequest(r.Method, proxyURL.String(), r.Body)
proxyRequest.Header = r.Header
proxyRequest.Header.Set("My-Remote-User", username)
proxyRequest.Header.Set("SSO-User", "")
// Round trip to the back end
response, err := proxyTransport.RoundTrip(r)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
defer response.Body.Close()
// Copy response back to originator
for k, v := range response.Header {
w.Header()[k] = v
}
w.WriteHeader(response.StatusCode)
if _, err := io.Copy(w, response.Body); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
}))
defer proxyServer.Close()
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "requestheader",
UseAsChallenger: true,
UseAsLogin: true,
MappingMethod: "claim",
Provider: &configapi.RequestHeaderIdentityProvider{
ChallengeURL: proxyServer.URL + "/oauth/authorize?${query}",
LoginURL: "http://www.example.com/login?then=${url}",
ClientCA: caFile.Name(),
ClientCommonNames: []string{"proxy"},
Headers: []string{"My-Remote-User", "SSO-User"},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info, but no client cert info
anonConfig := restclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
anonTransport, err := restclient.TransportFor(&anonConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info, with cert info
proxyConfig := anonConfig
proxyConfig.CertData = proxyClientCert
proxyConfig.KeyData = proxyClientKey
proxyTransport, err = restclient.TransportFor(&proxyConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// client cert that is valid, but not in the list of allowed common names
otherCertConfig := anonConfig
otherCertConfig.CertData = otherClientCert
otherCertConfig.KeyData = otherClientKey
otherCertTransport, err := restclient.TransportFor(&otherCertConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// client cert that has the desired common name, but does not have a valid signature
invalidCertConfig := anonConfig
invalidCertConfig.CertData = invalidClientCert
invalidCertConfig.KeyData = invalidClientKey
invalidCertTransport, err := restclient.TransportFor(&invalidCertConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
authorizeURL := clientConfig.Host + "/oauth/authorize?client_id=openshift-challenging-client&response_type=token"
proxyURL := proxyServer.URL + "/oauth/authorize?client_id=openshift-challenging-client&response_type=token"
testcases := map[string]struct {
transport http.RoundTripper
expectDirectRequestError bool
}{
"anonymous": {
transport: anonTransport,
expectDirectRequestError: false,
},
"valid signature, invalid cn": {
transport: otherCertTransport,
// TODO: this should redirect once we add support for client-cert logins
expectDirectRequestError: true,
},
"invalid signature, valid cn": {
transport: invalidCertTransport,
// TODO: this should redirect once we add support for client-cert logins
expectDirectRequestError: true,
},
}
for k, tc := range testcases {
// Build the authorize request, spoofing a remote user header
directRequest, err := http.NewRequest("GET", authorizeURL, nil)
directRequest.Header.Set("My-Remote-User", "myuser")
// direct request against authorizeURL should redirect to proxy
directResponse, err := tc.transport.RoundTrip(directRequest)
if err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
continue
}
if tc.expectDirectRequestError {
if directResponse.StatusCode != 500 {
body, _ := ioutil.ReadAll(directResponse.Body)
t.Logf("%s: Status: %#v", k, directResponse.StatusCode)
t.Logf("%s: Headers: %#v", k, directResponse.Header)
t.Logf("%s: Body: %s", k, string(body))
t.Errorf("%s: Expected spoofed header to get 500 status code, got %d", k, directResponse.StatusCode)
continue
}
} else {
proxyRedirect, err := directResponse.Location()
if err != nil {
body, _ := ioutil.ReadAll(directResponse.Body)
t.Logf("%s: Status: %#v", k, directResponse.StatusCode)
t.Logf("%s: Headers: %#v", k, directResponse.Header)
t.Logf("%s: Body: %s", k, string(body))
t.Errorf("%s: expected spoofed remote user header to get 302 redirect, got error: %v", k, err)
continue
}
if proxyRedirect.String() != proxyURL {
t.Errorf("%s: expected redirect to proxy endpoint, got redirected to %v", k, proxyRedirect.String())
continue
}
}
// request to proxy without credentials should return 401
proxyRequest, err := http.NewRequest("GET", proxyURL, nil)
proxyRequest.Header.Set("My-Remote-User", "myuser")
unauthenticatedProxyResponse, err := tc.transport.RoundTrip(proxyRequest)
if err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
continue
}
if unauthenticatedProxyResponse.StatusCode != 401 {
t.Errorf("%s: expected 401 status, got: %v", k, unauthenticatedProxyResponse.StatusCode)
continue
}
// request to proxy with credentials should succeed with given credentials, not with passed Remote-User header
proxyRequest.SetBasicAuth("myusername", "mypassword")
authenticatedProxyResponse, err := tc.transport.RoundTrip(proxyRequest)
if err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
continue
}
tokenRedirect, err := authenticatedProxyResponse.Location()
if err != nil {
t.Errorf("%s: expected 302 redirect, got error: %v", k, err)
continue
}
if tokenRedirect.Query().Get("error") != "" {
t.Errorf("%s: expected successful token request, got error %v", k, tokenRedirect.String())
continue
}
// Extract the access_token
// group #0 is everything. #1 #2 #3
accessTokenRedirectRegex := regexp.MustCompile(`(^|&)access_token=([^&]+)($|&)`)
accessToken := ""
if matches := accessTokenRedirectRegex.FindStringSubmatch(tokenRedirect.Fragment); matches != nil {
accessToken = matches[2]
}
if accessToken == "" {
t.Errorf("%s: Expected access token, got %s", k, tokenRedirect.String())
continue
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Errorf("%s: Unexpected error: %v", k, err)
continue
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Errorf("%s: Unexpected error: %v", k, err)
continue
}
if user.Name != "myusername" {
t.Errorf("%s: Expected myusername as the user, got %v", k, user)
continue
}
}
// Get the master CA data for the login command
masterCAFile := anonConfig.CAFile
if masterCAFile == "" {
// Write master ca data
tmpFile, err := ioutil.TempFile("", "ca.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(tmpFile.Name())
if err := ioutil.WriteFile(tmpFile.Name(), anonConfig.CAData, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterCAFile = tmpFile.Name()
}
// Attempt a login using a redirecting auth proxy
loginOutput := &bytes.Buffer{}
loginOptions := &login.LoginOptions{
Server: anonConfig.Host,
CAFile: masterCAFile,
StartingKubeConfig: &clientcmdapi.Config{},
Reader: bytes.NewBufferString("myusername\nmypassword\n"),
Out: loginOutput,
}
if err := loginOptions.GatherInfo(); err != nil {
t.Fatalf("Error trying to determine server info: %v\n%v", err, loginOutput.String())
}
if loginOptions.Username != "myusername" {
t.Fatalf("Unexpected user after authentication: %#v", loginOptions)
}
if len(loginOptions.Config.BearerToken) == 0 {
t.Fatalf("Expected token after authentication: %#v", loginOptions.Config)
}
}