func TestCLIGetToken(t *testing.T) { testutil.DeleteAllEtcdKeys() // setup etcdClient := testutil.NewEtcdClient() etcdHelper, _ := master.NewEtcdHelper(etcdClient, latest.Version, etcdtest.PathPrefix()) accessTokenStorage := accesstokenetcd.NewREST(etcdHelper) accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage) authorizeTokenStorage := authorizetokenetcd.NewREST(etcdHelper) authorizeTokenRegistry := authorizetokenregistry.NewRegistry(authorizeTokenStorage) clientStorage := clientetcd.NewREST(etcdHelper) clientRegistry := clientregistry.NewRegistry(clientStorage) clientAuthStorage := clientauthetcd.NewREST(etcdHelper) clientAuthRegistry := clientauthregistry.NewRegistry(clientAuthStorage) userStorage := useretcd.NewREST(etcdHelper) userRegistry := userregistry.NewRegistry(userStorage) identityStorage := identityetcd.NewREST(etcdHelper) identityRegistry := identityregistry.NewRegistry(identityStorage) identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(identityRegistry, userRegistry) authRequestHandler := basicauthrequest.NewBasicAuthAuthentication(allowanypassword.New("get-token-test", identityMapper), true) authHandler := oauthhandlers.NewUnionAuthenticationHandler( map[string]oauthhandlers.AuthenticationChallenger{"login": passwordchallenger.NewBasicAuthChallenger("openshift")}, nil, nil) storage := registrystorage.New(accessTokenRegistry, authorizeTokenRegistry, clientRegistry, oauthregistry.NewUserConversion()) config := osinserver.NewDefaultServerConfig() grantChecker := oauthregistry.NewClientAuthorizationGrantChecker(clientAuthRegistry) grantHandler := oauthhandlers.NewAutoGrant() server := osinserver.New( config, storage, osinserver.AuthorizeHandlers{ oauthhandlers.NewAuthorizeAuthenticator( authRequestHandler, authHandler, oauthhandlers.EmptyError{}, ), oauthhandlers.NewGrantCheck( grantChecker, grantHandler, oauthhandlers.EmptyError{}, ), }, osinserver.AccessHandlers{ oauthhandlers.NewDenyAccessAuthenticator(), }, osinserver.NewDefaultErrorHandler(), ) mux := http.NewServeMux() server.Install(mux, origin.OpenShiftOAuthAPIPrefix) oauthServer := httptest.NewServer(http.Handler(mux)) defer oauthServer.Close() t.Logf("oauth server is on %v\n", oauthServer.URL) // create the default oauth clients with redirects to our server origin.CreateOrUpdateDefaultOAuthClients(oauthServer.URL, []string{oauthServer.URL}, clientRegistry) flags := pflag.NewFlagSet("test-flags", pflag.ContinueOnError) clientCfg := clientcmd.NewConfig() clientCfg.Bind(flags) flags.Parse(strings.Split("--master="+oauthServer.URL, " ")) reader := bytes.NewBufferString("user\npass") accessToken, err := tokencmd.RequestToken(clientCfg.OpenShiftConfig(), reader, "", "") if err != nil { t.Errorf("Unexpected error: %v", err) } if len(accessToken) == 0 { t.Error("Expected accessToken, but did not get one") } // lets see if this access token is any good token, err := accessTokenRegistry.GetAccessToken(kapi.NewContext(), accessToken) if err != nil { t.Errorf("Unexpected error: %v", err) } if token.UserName != "user" { t.Errorf("Expected token for \"user\", but got: %#v", token) } }
func TestHandler(t *testing.T) { _ = handlers.NewUnionAuthenticationHandler(nil, map[string]handlers.AuthenticationRedirector{"handler": &Handler{}}, nil) }
func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler handlers.AuthenticationErrorHandler) (handlers.AuthenticationHandler, error) { challengers := map[string]handlers.AuthenticationChallenger{} redirectors := map[string]handlers.AuthenticationRedirector{} for _, identityProvider := range c.Options.IdentityProviders { identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry) if configapi.IsPasswordAuthenticator(identityProvider) { if identityProvider.UseAsLogin { if c.OpenshiftEnabled { passwordAuth, err := c.getPasswordAuthenticator(identityProvider) if err != nil { return nil, err } //map[string]handlers.AuthenticationRedirector // Password auth requires: // 1. a session success handler (to remember you logged in) // 2. a redirectSuccessHandler (to go back to the "then" param) if c.SessionAuth == nil { return nil, errors.New("SessionAuth is required for password-based login") } passwordSuccessHandler := handlers.AuthenticationSuccessHandlers{c.SessionAuth, redirectSuccessHandler{}} redirectors["login"] = &redirector{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"} login := login.NewLogin(c.getCSRF(), &callbackPasswordAuthenticator{passwordAuth, passwordSuccessHandler}, login.DefaultLoginFormRenderer) login.Install(mux, OpenShiftLoginPrefix) } } if identityProvider.UseAsChallenger { challengers["login"] = passwordchallenger.NewBasicAuthChallenger("openshift") } } else if configapi.IsOAuthIdentityProvider(identityProvider) { oauthProvider, err := c.getOAuthProvider(identityProvider) if err != nil { return nil, err } // Default state builder, combining CSRF and return URL handling state := external.CSRFRedirectingState(c.getCSRF()) // OAuth auth requires // 1. a session success handler (to remember you logged in) // 2. a state success handler (to go back to the URL encoded in the state) if c.SessionAuth == nil { return nil, errors.New("SessionAuth is required for OAuth-based login") } oauthSuccessHandler := handlers.AuthenticationSuccessHandlers{c.SessionAuth, state} // If the specified errorHandler doesn't handle the login error, let the state error handler attempt to propagate specific errors back to the token requester oauthErrorHandler := handlers.AuthenticationErrorHandlers{errorHandler, state} callbackPath := path.Join(OpenShiftOAuthCallbackPrefix, identityProvider.Name) oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.Options.MasterPublicURL+callbackPath, oauthSuccessHandler, oauthErrorHandler, identityMapper) if err != nil { return nil, fmt.Errorf("unexpected error: %v", err) } mux.Handle(callbackPath, oauthHandler) if identityProvider.UseAsLogin { redirectors[identityProvider.Name] = oauthHandler } if identityProvider.UseAsChallenger { return nil, errors.New("oauth identity providers cannot issue challenges") } } } if len(redirectors) > 0 && len(challengers) == 0 { // Add a default challenger that will warn and give a link to the web browser token-granting location challengers["placeholder"] = placeholderchallenger.New(OpenShiftOAuthTokenRequestURL(c.Options.MasterPublicURL)) } authHandler := handlers.NewUnionAuthenticationHandler(challengers, redirectors, errorHandler) return authHandler, nil }