func TestOAuthLDAP(t *testing.T) {
var (
randomSuffix = string(kutil.NewUUID())
providerName = "myldapprovider"
bindDN = "uid=admin,ou=company,ou=" + randomSuffix
bindPassword = "******" + randomSuffix
searchDN = "ou=company,ou=" + randomSuffix
searchAttr = "myuid" + randomSuffix
searchScope = "one" // must be "one","sub", or "base"
searchFilter = "(myAttr=myValue)" // must be a valid LDAP filter format
nameAttr1 = "missing-name-attr"
nameAttr2 = "a-display-name" + randomSuffix
idAttr1 = "missing-id-attr"
idAttr2 = "dn" // "dn" is a special value, so don't add a random suffix to make sure we handle it correctly
emailAttr1 = "missing-attr"
emailAttr2 = "c-mail" + randomSuffix
loginAttr1 = "missing-attr"
loginAttr2 = "d-mylogin" + randomSuffix
myUserUID = "myuser"
myUserName = "******"
myUserEmail = "*****@*****.**"
myUserDN = searchAttr + "=" + myUserUID + "," + searchDN
myUserPassword = "******" + randomSuffix
)
expectedAttributes := [][]byte{}
for _, attr := range kutil.NewStringSet(searchAttr, nameAttr1, nameAttr2, idAttr1, idAttr2, emailAttr1, emailAttr2, loginAttr1, loginAttr2).List() {
expectedAttributes = append(expectedAttributes, []byte(attr))
}
expectedSearchRequest := ldapserver.SearchRequest{
BaseObject: []byte(searchDN),
Scope: ldapserver.SearchRequestSingleLevel,
DerefAliases: 0,
SizeLimit: 2,
TimeLimit: 0,
TypesOnly: false,
Attributes: expectedAttributes,
Filter: fmt.Sprintf("(&%s(%s=%s))", searchFilter, searchAttr, myUserUID),
}
// Start LDAP server
ldapAddress, err := testutil.FindAvailableBindAddress(8389, 8400)
if err != nil {
t.Fatalf("could not allocate LDAP bind address: %v", err)
}
ldapServer := testutil.NewTestLDAPServer()
ldapServer.SetPassword(bindDN, bindPassword)
ldapServer.Start(ldapAddress)
defer ldapServer.Stop()
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: providerName,
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
&configapi.LDAPPasswordIdentityProvider{
URL: fmt.Sprintf("ldap://%s/%s?%s?%s?%s", ldapAddress, searchDN, searchAttr, searchScope, searchFilter),
BindDN: bindDN,
BindPassword: bindPassword,
Insecure: true,
CA: "",
Attributes: configapi.LDAPAttributes{
ID: []string{idAttr1, idAttr2},
PreferredUsername: []string{loginAttr1, loginAttr2},
Name: []string{nameAttr1, nameAttr2},
Email: []string{emailAttr1, emailAttr2},
},
},
},
}
clusterAdminKubeConfig, err := testutil.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clusterAdminClientConfig.Host
anonConfig.CAFile = clusterAdminClientConfig.CAFile
anonConfig.CAData = clusterAdminClientConfig.CAData
// Make sure we can't authenticate as a missing user
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 1 {
t.Error("Expected a single bind request for the search phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Add user
ldapServer.SetPassword(myUserDN, myUserPassword)
ldapServer.AddSearchResult(myUserDN, map[string]string{emailAttr2: myUserEmail, nameAttr2: myUserName, loginAttr2: myUserUID})
// Make sure we can't authenticate with a bad password
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, "badpassword"); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Make sure we can get a token with a good password
ldapServer.ResetRequests()
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if !reflect.DeepEqual(expectedSearchRequest.BaseObject, ldapServer.SearchRequests[0].BaseObject) {
t.Errorf("Expected search base DN\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.BaseObject),
string(ldapServer.SearchRequests[0].BaseObject),
)
}
if !reflect.DeepEqual(expectedSearchRequest.Filter, ldapServer.SearchRequests[0].Filter) {
t.Errorf("Expected search filter\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.Filter),
string(ldapServer.SearchRequests[0].Filter),
)
}
{
expectedAttrs := []string{}
for _, a := range expectedSearchRequest.Attributes {
expectedAttrs = append(expectedAttrs, string(a))
}
actualAttrs := []string{}
for _, a := range ldapServer.SearchRequests[0].Attributes {
actualAttrs = append(actualAttrs, string(a))
}
if !reflect.DeepEqual(expectedAttrs, actualAttrs) {
t.Errorf("Expected search attributes\n\t%#v\ngot\n\t%#v", expectedAttrs, actualAttrs)
}
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != myUserUID {
t.Fatalf("Expected %s as the user, got %v", myUserUID, user)
}
// Make sure the identity got created and contained the mapped attributes
identity, err := clusterAdminClient.Identities().Get(fmt.Sprintf("%s:%s", providerName, myUserDN))
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if identity.ProviderUserName != myUserDN {
t.Error("Expected %q, got %q", myUserDN, identity.ProviderUserName)
}
if v := identity.Extra[authapi.IdentityDisplayNameKey]; v != myUserName {
t.Error("Expected %q, got %q", myUserName, v)
}
if v := identity.Extra[authapi.IdentityPreferredUsernameKey]; v != myUserUID {
t.Error("Expected %q, got %q", myUserUID, v)
}
if v := identity.Extra[authapi.IdentityEmailKey]; v != myUserEmail {
t.Error("Expected %q, got %q", myUserEmail, v)
}
}
func TestOAuthBasicAuthPassword(t *testing.T) {
remotePrefix := "remote"
expectedLogin := "******"
expectedPassword := "******"
expectedAuthHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(expectedLogin+":"+expectedPassword))
expectedUsername := remotePrefix + expectedLogin
// Create tempfiles with certs and keys we're going to use
certNames := map[string]string{}
for certName, certContents := range basicAuthCerts {
f, err := ioutil.TempFile("", certName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(f.Name())
if err := ioutil.WriteFile(f.Name(), certContents, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
certNames[certName] = f.Name()
}
// Build client cert pool
clientCAs, err := util.CertPoolFromFile(certNames[basicAuthRemoteCACert])
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Build remote handler
remoteHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
if req.TLS == nil {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected TLS")
}
if len(req.TLS.VerifiedChains) != 1 {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected peer cert verified by server")
}
if req.Header.Get("Authorization") != expectedAuthHeader {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Unexpected auth header: %s", req.Header.Get("Authorization"))
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(fmt.Sprintf(`{"sub":"%s"}`, expectedUsername)))
})
// Start remote server
remoteAddr, err := testutil.FindAvailableBindAddress(9443, 9999)
if err != nil {
t.Fatalf("Couldn't get free address for test server: %v", err)
}
remoteServer := &http.Server{
Addr: remoteAddr,
Handler: remoteHandler,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
},
}
go func() {
if err := remoteServer.ListenAndServeTLS(certNames[basicAuthRemoteServerCert], certNames[basicAuthRemoteServerKey]); err != nil {
t.Fatalf("unexpected error: %v", err)
}
}()
// Build master config
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "basicauth",
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
&configapi.BasicAuthPasswordIdentityProvider{
RemoteConnectionInfo: configapi.RemoteConnectionInfo{
URL: fmt.Sprintf("https://%s", remoteAddr),
CA: certNames[basicAuthRemoteCACert],
ClientCert: configapi.CertInfo{
CertFile: certNames[basicAuthClientCert],
KeyFile: certNames[basicAuthClientKey],
},
},
},
},
}
// Start server
clusterAdminKubeConfig, err := testutil.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can get a token
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, expectedLogin, expectedPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != expectedUsername {
t.Fatalf("Expected username as the user, got %v", user)
}
}
