func TestCLIGetToken(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
anonymousConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
reader := bytes.NewBufferString("user\npass")
accessToken, err := tokencmd.RequestToken(&anonymousConfig, reader, "", "")
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Error("Expected accessToken, but did not get one")
}
clientConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
clientConfig.BearerToken = accessToken
osClient, err := client.New(&clientConfig)
checkErr(t, err)
user, err := osClient.Users().Get("~")
checkErr(t, err)
if user.Name != "user" {
t.Errorf("expected %v, got %v", "user", user.Name)
}
}
func TestUnprivilegedNewProject(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
allowed, err := valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if allowed.Status != unversioned.StatusSuccess {
t.Fatalf("expected %v, got %v", unversioned.StatusSuccess, allowed.Status)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
if err := requestProject.Run(); !kapierrors.IsAlreadyExists(err) {
t.Fatalf("expected an already exists error, but got %v", err)
}
}
func TestUnprivilegedNewProjectDenied(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role.Rules = []authorizationapi.PolicyRule{}
if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(valerieOpenshiftClient, "create", projectapi.Resource("projectrequests"), false); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
_, err = valerieOpenshiftClient.ProjectRequests().List(kapi.ListOptions{})
if err == nil {
t.Fatalf("expected error: %v", err)
}
expectedError := `You may not request a new project via this API.`
if (err != nil) && (err.Error() != expectedError) {
t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error())
}
}
func GetClientForUser(clientConfig kclient.Config, username string) (*client.Client, *kclient.Client, *kclient.Config, error) {
token, err := tokencmd.RequestToken(&clientConfig, nil, username, "password")
if err != nil {
return nil, nil, nil, err
}
userClientConfig := clientConfig
userClientConfig.BearerToken = token
userClientConfig.Username = ""
userClientConfig.Password = ""
userClientConfig.TLSClientConfig.CertFile = ""
userClientConfig.TLSClientConfig.KeyFile = ""
userClientConfig.TLSClientConfig.CertData = nil
userClientConfig.TLSClientConfig.KeyData = nil
kubeClient, err := kclient.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
osClient, err := client.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClient, &userClientConfig, nil
}
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// can I get a subjectaccessreview on myself even if I have no rights to do it generally
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create policybindings in project "openshift"`,
Namespace: "openshift",
},
}.run(t)
// I shouldn't be allowed to ask whether someone else can perform an action
askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
Groups: sets.NewString("system:cluster-admins"),
Action: authorizationapi.Action{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanClusterAdminsCreateProject,
err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
}.run(t)
}
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
func TestOAuthDisabled(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
// Build master config
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Disable OAuth
masterOptions.OAuthConfig = nil
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Make sure cert auth still works
namespaces, err := client.Namespaces().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(namespaces.Items) == 0 {
t.Errorf("Expected namespaces, got none")
}
// Use the server and CA info
anonConfig := restclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can't authenticate using OAuth
if _, err := tokencmd.RequestToken(&anonConfig, nil, "username", "password"); err == nil {
t.Error("Expected error, got none")
}
}
func NewCmdRequestToken(f *clientcmd.Factory) *cobra.Command {
cmd := &cobra.Command{
Use: "request-token",
Short: "Request an access token",
Long: `Request an access token`,
Run: func(cmd *cobra.Command, args []string) {
clientCfg, err := f.OpenShiftClientConfig.ClientConfig()
util.CheckErr(err)
accessToken, err := tokencmd.RequestToken(clientCfg, os.Stdin, "", "")
util.CheckErr(err)
fmt.Printf("%v\n", string(accessToken))
},
}
return cmd
}
func GetClientForUser(clientConfig kclient.Config, username string) (*client.Client, *kclient.Client, *kclient.Config, error) {
token, err := tokencmd.RequestToken(&clientConfig, nil, username, "password")
if err != nil {
return nil, nil, nil, err
}
userClientConfig := clientcmd.AnonymousClientConfig(clientConfig)
userClientConfig.BearerToken = token
kubeClient, err := kclient.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
osClient, err := client.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClient, &userClientConfig, nil
}
// TODO internalclientset: get rid of oldClient after next rebase
func GetClientForUser(clientConfig restclient.Config, username string) (*client.Client, *kclientset.Clientset, *restclient.Config, error) {
token, err := tokencmd.RequestToken(&clientConfig, nil, username, "password")
if err != nil {
return nil, nil, nil, err
}
userClientConfig := clientcmd.AnonymousClientConfig(&clientConfig)
userClientConfig.BearerToken = token
kubeClient, err := kclient.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
kubeClientset := adapter.FromUnversionedClient(kubeClient)
osClient, err := client.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClientset, &userClientConfig, nil
}
func TestCLIGetToken(t *testing.T) {
testutil.DeleteAllEtcdKeys()
// setup
etcdClient := testutil.NewEtcdClient()
etcdHelper, _ := master.NewEtcdStorage(etcdClient, latest.InterfacesFor, latest.Version, etcdtest.PathPrefix())
accessTokenStorage := accesstokenetcd.NewREST(etcdHelper)
accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage)
authorizeTokenStorage := authorizetokenetcd.NewREST(etcdHelper)
authorizeTokenRegistry := authorizetokenregistry.NewRegistry(authorizeTokenStorage)
clientStorage := clientetcd.NewREST(etcdHelper)
clientRegistry := clientregistry.NewRegistry(clientStorage)
clientAuthStorage := clientauthetcd.NewREST(etcdHelper)
clientAuthRegistry := clientauthregistry.NewRegistry(clientAuthStorage)
userStorage := useretcd.NewREST(etcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(etcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(identityRegistry, userRegistry)
authRequestHandler := basicauthrequest.NewBasicAuthAuthentication(allowanypassword.New("get-token-test", identityMapper), true)
authHandler := oauthhandlers.NewUnionAuthenticationHandler(
map[string]oauthhandlers.AuthenticationChallenger{"login": passwordchallenger.NewBasicAuthChallenger("openshift")}, nil, nil)
storage := registrystorage.New(accessTokenRegistry, authorizeTokenRegistry, clientRegistry, oauthregistry.NewUserConversion())
config := osinserver.NewDefaultServerConfig()
grantChecker := oauthregistry.NewClientAuthorizationGrantChecker(clientAuthRegistry)
grantHandler := oauthhandlers.NewAutoGrant()
server := osinserver.New(
config,
storage,
osinserver.AuthorizeHandlers{
oauthhandlers.NewAuthorizeAuthenticator(
authRequestHandler,
authHandler,
oauthhandlers.EmptyError{},
),
oauthhandlers.NewGrantCheck(
grantChecker,
grantHandler,
oauthhandlers.EmptyError{},
),
},
osinserver.AccessHandlers{
oauthhandlers.NewDenyAccessAuthenticator(),
},
osinserver.NewDefaultErrorHandler(),
)
mux := http.NewServeMux()
server.Install(mux, origin.OpenShiftOAuthAPIPrefix)
oauthServer := httptest.NewServer(http.Handler(mux))
defer oauthServer.Close()
t.Logf("oauth server is on %v\n", oauthServer.URL)
// create the default oauth clients with redirects to our server
origin.CreateOrUpdateDefaultOAuthClients(oauthServer.URL, []string{oauthServer.URL}, clientRegistry)
flags := pflag.NewFlagSet("test-flags", pflag.ContinueOnError)
clientCfg := clientcmd.NewConfig()
clientCfg.Bind(flags)
flags.Parse(strings.Split("--master="+oauthServer.URL, " "))
reader := bytes.NewBufferString("user\npass")
accessToken, err := tokencmd.RequestToken(clientCfg.OpenShiftConfig(), reader, "", "")
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Error("Expected accessToken, but did not get one")
}
// lets see if this access token is any good
token, err := accessTokenRegistry.GetAccessToken(kapi.NewContext(), accessToken)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if token.UserName != "user" {
t.Errorf("Expected token for \"user\", but got: %#v", token)
}
}
func TestHTPasswd(t *testing.T) {
htpasswdFile, err := ioutil.TempFile("", "test.htpasswd")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(htpasswdFile.Name())
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "htpasswd",
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
Object: &configapi.HTPasswdPasswordIdentityProvider{
File: htpasswdFile.Name(),
},
},
}
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can't authenticate
if _, err := tokencmd.RequestToken(&anonConfig, nil, "username", "password"); err == nil {
t.Error("Expected error, got none")
}
// Update the htpasswd file with output of `htpasswd -n -b username password`
userpass := "******"
ioutil.WriteFile(htpasswdFile.Name(), []byte(userpass), os.FileMode(0600))
// Make sure we can get a token
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, "username", "password")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != "username" {
t.Fatalf("Expected username as the user, got %v", user)
}
}
func TestOAuthLDAP(t *testing.T) {
var (
randomSuffix = string(kutil.NewUUID())
providerName = "myldapprovider"
bindDN = "uid=admin,ou=company,ou=" + randomSuffix
bindPassword = "******" + randomSuffix
searchDN = "ou=company,ou=" + randomSuffix
searchAttr = "myuid" + randomSuffix
searchScope = "one" // must be "one","sub", or "base"
searchFilter = "(myAttr=myValue)" // must be a valid LDAP filter format
nameAttr1 = "missing-name-attr"
nameAttr2 = "a-display-name" + randomSuffix
idAttr1 = "missing-id-attr"
idAttr2 = "dn" // "dn" is a special value, so don't add a random suffix to make sure we handle it correctly
emailAttr1 = "missing-attr"
emailAttr2 = "c-mail" + randomSuffix
loginAttr1 = "missing-attr"
loginAttr2 = "d-mylogin" + randomSuffix
myUserUID = "myuser"
myUserName = "******"
myUserEmail = "*****@*****.**"
myUserDN = searchAttr + "=" + myUserUID + "," + searchDN
myUserPassword = "******" + randomSuffix
)
expectedAttributes := [][]byte{}
for _, attr := range kutil.NewStringSet(searchAttr, nameAttr1, nameAttr2, idAttr1, idAttr2, emailAttr1, emailAttr2, loginAttr1, loginAttr2).List() {
expectedAttributes = append(expectedAttributes, []byte(attr))
}
expectedSearchRequest := ldapserver.SearchRequest{
BaseObject: []byte(searchDN),
Scope: ldapserver.SearchRequestSingleLevel,
DerefAliases: 0,
SizeLimit: 2,
TimeLimit: 0,
TypesOnly: false,
Attributes: expectedAttributes,
Filter: fmt.Sprintf("(&%s(%s=%s))", searchFilter, searchAttr, myUserUID),
}
// Start LDAP server
ldapAddress, err := testutil.FindAvailableBindAddress(8389, 8400)
if err != nil {
t.Fatalf("could not allocate LDAP bind address: %v", err)
}
ldapServer := testutil.NewTestLDAPServer()
ldapServer.SetPassword(bindDN, bindPassword)
ldapServer.Start(ldapAddress)
defer ldapServer.Stop()
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: providerName,
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
&configapi.LDAPPasswordIdentityProvider{
URL: fmt.Sprintf("ldap://%s/%s?%s?%s?%s", ldapAddress, searchDN, searchAttr, searchScope, searchFilter),
BindDN: bindDN,
BindPassword: bindPassword,
Insecure: true,
CA: "",
Attributes: configapi.LDAPAttributes{
ID: []string{idAttr1, idAttr2},
PreferredUsername: []string{loginAttr1, loginAttr2},
Name: []string{nameAttr1, nameAttr2},
Email: []string{emailAttr1, emailAttr2},
},
},
},
}
clusterAdminKubeConfig, err := testutil.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clusterAdminClientConfig.Host
anonConfig.CAFile = clusterAdminClientConfig.CAFile
anonConfig.CAData = clusterAdminClientConfig.CAData
// Make sure we can't authenticate as a missing user
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 1 {
t.Error("Expected a single bind request for the search phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Add user
ldapServer.SetPassword(myUserDN, myUserPassword)
ldapServer.AddSearchResult(myUserDN, map[string]string{emailAttr2: myUserEmail, nameAttr2: myUserName, loginAttr2: myUserUID})
// Make sure we can't authenticate with a bad password
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, "badpassword"); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Make sure we can get a token with a good password
ldapServer.ResetRequests()
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if !reflect.DeepEqual(expectedSearchRequest.BaseObject, ldapServer.SearchRequests[0].BaseObject) {
t.Errorf("Expected search base DN\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.BaseObject),
string(ldapServer.SearchRequests[0].BaseObject),
)
}
if !reflect.DeepEqual(expectedSearchRequest.Filter, ldapServer.SearchRequests[0].Filter) {
t.Errorf("Expected search filter\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.Filter),
string(ldapServer.SearchRequests[0].Filter),
)
}
{
expectedAttrs := []string{}
for _, a := range expectedSearchRequest.Attributes {
expectedAttrs = append(expectedAttrs, string(a))
}
actualAttrs := []string{}
for _, a := range ldapServer.SearchRequests[0].Attributes {
actualAttrs = append(actualAttrs, string(a))
}
if !reflect.DeepEqual(expectedAttrs, actualAttrs) {
t.Errorf("Expected search attributes\n\t%#v\ngot\n\t%#v", expectedAttrs, actualAttrs)
}
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != myUserUID {
t.Fatalf("Expected %s as the user, got %v", myUserUID, user)
}
// Make sure the identity got created and contained the mapped attributes
identity, err := clusterAdminClient.Identities().Get(fmt.Sprintf("%s:%s", providerName, myUserDN))
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if identity.ProviderUserName != myUserDN {
t.Error("Expected %q, got %q", myUserDN, identity.ProviderUserName)
}
if v := identity.Extra[authapi.IdentityDisplayNameKey]; v != myUserName {
t.Error("Expected %q, got %q", myUserName, v)
}
if v := identity.Extra[authapi.IdentityPreferredUsernameKey]; v != myUserUID {
t.Error("Expected %q, got %q", myUserUID, v)
}
if v := identity.Extra[authapi.IdentityEmailKey]; v != myUserEmail {
t.Error("Expected %q, got %q", myUserEmail, v)
}
}
// Negotiate a bearer token with the auth server, or try to reuse one based on the
// information already present. In case of any missing information, ask for user input
// (usually username and password, interactive depending on the Reader).
func (o *LoginOptions) gatherAuthInfo() error {
directClientConfig, err := o.getClientConfig()
if err != nil {
return err
}
// make a copy and use it to avoid mutating the original
t := *directClientConfig
clientConfig := &t
// if a token were explicitly provided, try to use it
if o.tokenProvided() {
clientConfig.BearerToken = o.Token
if me, err := whoAmI(clientConfig); err == nil {
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using the token provided.\n\n", o.Config.Host, o.Username)
return nil
} else {
if kerrors.IsUnauthorized(err) {
return fmt.Errorf("The token provided is invalid or expired.\n\n")
}
return err
}
}
// if a username was provided try to make use of it, but if a password were provided we force a token
// request which will return a proper response code for that given password
if o.usernameProvided() && !o.passwordProvided() {
// search all valid contexts with matching server stanzas to see if we have a matching user stanza
kubeconfig := *o.StartingKubeConfig
matchingClusters := getMatchingClusters(*clientConfig, kubeconfig)
for key, context := range o.StartingKubeConfig.Contexts {
if matchingClusters.Has(context.Cluster) {
clientcmdConfig := kclientcmd.NewDefaultClientConfig(kubeconfig, &kclientcmd.ConfigOverrides{CurrentContext: key})
if kubeconfigClientConfig, err := clientcmdConfig.ClientConfig(); err == nil {
if me, err := whoAmI(kubeconfigClientConfig); err == nil && (o.Username == me.Name) {
clientConfig.BearerToken = kubeconfigClientConfig.BearerToken
clientConfig.CertFile = kubeconfigClientConfig.CertFile
clientConfig.CertData = kubeconfigClientConfig.CertData
clientConfig.KeyFile = kubeconfigClientConfig.KeyFile
clientConfig.KeyData = kubeconfigClientConfig.KeyData
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using existing credentials.\n\n", o.Config.Host, o.Username)
return nil
}
}
}
}
}
// if kubeconfig doesn't already have a matching user stanza...
clientConfig.BearerToken = ""
clientConfig.CertData = []byte{}
clientConfig.KeyData = []byte{}
clientConfig.CertFile = o.CertFile
clientConfig.KeyFile = o.KeyFile
token, err := tokencmd.RequestToken(o.Config, o.Reader, o.Username, o.Password)
if err != nil {
return err
}
clientConfig.BearerToken = token
me, err := whoAmI(clientConfig)
if err != nil {
return err
}
o.Username = me.Name
o.Config = clientConfig
fmt.Fprint(o.Out, "Login successful.\n\n")
return nil
}
func TestUnprivilegedNewProjectFromTemplate(t *testing.T) {
namespace := "foo"
templateName := "bar"
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.ProjectConfig.ProjectRequestTemplate = namespace + "/" + templateName
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := clusterAdminClient.Projects().Create(&projectapi.Project{ObjectMeta: kapi.ObjectMeta{Name: namespace}}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
template := projectrequeststorage.DefaultTemplate()
template.Name = templateName
template.Namespace = namespace
template.Objects[0].(*projectapi.Project).Annotations["extra"] = "here"
_, err = clusterAdminClient.Templates(namespace).Create(template)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
project, err := valerieOpenshiftClient.Projects().Get("new-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if project.Annotations["extra"] != "here" {
t.Errorf("unexpected project %#v", project)
}
if err := clusterAdminClient.Templates(namespace).Delete(templateName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestProject.ProjectName = "different"
// This should fail during the template retrieve
if err := requestProject.Run(); !kapierrors.IsNotFound(err) {
t.Fatalf("expected a not found error, but got %v", err)
}
}
func TestPullThroughInsecure(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("error starting master: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client config: %v", err)
}
user := "******"
adminClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, testutil.Namespace(), user)
if err != nil {
t.Fatalf("error creating project: %v", err)
}
token, err := tokencmd.RequestToken(clusterAdminClientConfig, nil, user, "password")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
os.Setenv("OPENSHIFT_CA_DATA", string(clusterAdminClientConfig.CAData))
os.Setenv("OPENSHIFT_CERT_DATA", string(clusterAdminClientConfig.CertData))
os.Setenv("OPENSHIFT_KEY_DATA", string(clusterAdminClientConfig.KeyData))
os.Setenv("OPENSHIFT_MASTER", clusterAdminClientConfig.Host)
// start regular HTTP server
reponame := "testrepo"
repotag := "testtag"
isname := "test/" + reponame
countStat := 0
descriptors := map[string]int64{
"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4": 3000,
"sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa": 200,
"sha256:b4ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4": 10,
}
imageSize := int64(0)
for _, size := range descriptors {
imageSize += size
}
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Logf("External registry got %s %s", r.Method, r.URL.Path)
w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
switch r.URL.Path {
case "/v2/":
w.Write([]byte(`{}`))
case "/v2/" + isname + "/tags/list":
w.Write([]byte("{\"name\": \"" + isname + "\", \"tags\": [\"latest\", \"" + repotag + "\"]}"))
case "/v2/" + isname + "/manifests/latest", "/v2/" + isname + "/manifests/" + repotag, "/v2/" + isname + "/manifests/" + etcdDigest:
if r.Method == "HEAD" {
w.Header().Set("Content-Length", fmt.Sprintf("%d", len(etcdManifest)))
w.Header().Set("Docker-Content-Digest", etcdDigest)
w.WriteHeader(http.StatusOK)
} else {
w.Write([]byte(etcdManifest))
}
default:
if strings.HasPrefix(r.URL.Path, "/v2/"+isname+"/blobs/") {
for dgst, size := range descriptors {
if r.URL.Path != "/v2/"+isname+"/blobs/"+dgst {
continue
}
if r.Method == "HEAD" {
w.Header().Set("Content-Length", fmt.Sprintf("%d", size))
w.Header().Set("Docker-Content-Digest", dgst)
w.WriteHeader(http.StatusOK)
countStat++
return
}
w.Write(gzippedEmptyTar)
return
}
}
t.Fatalf("unexpected request %s: %#v", r.URL.Path, r)
}
}))
srvurl, _ := url.Parse(server.URL)
stream := imageapi.ImageStreamImport{
ObjectMeta: kapi.ObjectMeta{
Namespace: testutil.Namespace(),
Name: "myimagestream",
Annotations: map[string]string{
imageapi.InsecureRepositoryAnnotation: "true",
},
},
Spec: imageapi.ImageStreamImportSpec{
Import: true,
Images: []imageapi.ImageImportSpec{
{
From: kapi.ObjectReference{
Kind: "DockerImage",
Name: srvurl.Host + "/" + isname + ":" + repotag,
},
ImportPolicy: imageapi.TagImportPolicy{Insecure: true},
},
},
},
}
isi, err := adminClient.ImageStreams(testutil.Namespace()).Import(&stream)
if err != nil {
t.Fatal(err)
}
if len(isi.Status.Images) != 1 {
t.Fatalf("imported unexpected number of images (%d != 1)", len(isi.Status.Images))
}
for i, image := range isi.Status.Images {
if image.Status.Status != unversioned.StatusSuccess {
t.Fatalf("unexpected status %d: %#v", i, image.Status)
}
if image.Image == nil {
t.Fatalf("unexpected empty image %d", i)
}
// the image name is always the sha256, and size is calculated
if image.Image.Name != etcdDigest {
t.Fatalf("unexpected image %d: %#v (expect %q)", i, image.Image.Name, etcdDigest)
}
}
istream, err := adminClient.ImageStreams(stream.Namespace).Get(stream.Name)
if err != nil {
t.Fatal(err)
}
if istream.Annotations == nil {
istream.Annotations = make(map[string]string)
}
istream.Annotations[imageapi.InsecureRepositoryAnnotation] = "true"
_, err = adminClient.ImageStreams(istream.Namespace).Update(istream)
if err != nil {
t.Fatal(err)
}
t.Logf("Run registry...")
if err := runRegistry(); err != nil {
t.Fatal(err)
}
t.Logf("Run testPullThroughGetManifest with tag...")
if err := testPullThroughGetManifest(&stream, user, token, repotag); err != nil {
t.Fatal(err)
}
t.Logf("Run testPullThroughGetManifest with digest...")
if err := testPullThroughGetManifest(&stream, user, token, etcdDigest); err != nil {
t.Fatal(err)
}
t.Logf("Run testPullThroughStatBlob (%s == true)...", imageapi.InsecureRepositoryAnnotation)
for digest := range descriptors {
if err := testPullThroughStatBlob(&stream, user, token, digest); err != nil {
t.Fatal(err)
}
}
istream, err = adminClient.ImageStreams(stream.Namespace).Get(stream.Name)
if err != nil {
t.Fatal(err)
}
istream.Annotations[imageapi.InsecureRepositoryAnnotation] = "false"
_, err = adminClient.ImageStreams(istream.Namespace).Update(istream)
if err != nil {
t.Fatal(err)
}
t.Logf("Run testPullThroughStatBlob (%s == false)...", imageapi.InsecureRepositoryAnnotation)
for digest := range descriptors {
if err := testPullThroughStatBlob(&stream, user, token, digest); err == nil {
t.Fatal("unexpexted access to insecure blobs")
}
}
}
func TestUnprivilegedNewProject(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
allowed, err := valerieOpenshiftClient.ProjectRequests().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if allowed.Status != unversioned.StatusSuccess {
t.Fatalf("expected %v, got %v", unversioned.StatusSuccess, allowed.Status)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
actualProject, err := valerieOpenshiftClient.Projects().Get("new-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := "valerie", actualProject.Annotations[projectapi.ProjectRequester]; e != a {
t.Errorf("incorrect project requester: expected %v, got %v", e, a)
}
if err := requestProject.Run(); !kapierrors.IsAlreadyExists(err) {
t.Fatalf("expected an already exists error, but got %v", err)
}
}
func TestOAuthCertFallback(t *testing.T) {
var (
invalidToken = "invalid"
noToken = ""
invalidCert = restclient.TLSClientConfig{
// We have to generate this dynamically in order to have an invalid cert signed by a signer with the same name as the valid CA
// CertData: ...,
// KeyData: ...,
}
noCert = restclient.TLSClientConfig{}
tokenUser = "******"
certUser = "******"
unauthorizedError = "the server has asked for the client to provide credentials (get users ~)"
anonymousError = `User "system:anonymous" cannot get users at the cluster scope`
)
testutil.RequireEtcd(t)
// Build master config
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
validCert := adminConfig.TLSClientConfig
validToken, err := tokencmd.RequestToken(adminConfig, nil, tokenUser, "pass")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(validToken) == 0 {
t.Fatalf("Expected valid token, got none")
}
// make a client cert signed by a fake CA with the same name as the real CA.
// this is needed to get the go client to actually send the cert to the server,
// since the server advertises the signer name it requires
fakecadir, err := ioutil.TempDir("", "fakeca")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
defer os.RemoveAll(fakecadir)
cacerts, err := util.CertificatesFromFile(masterOptions.ServingInfo.ClientCA)
if err != nil || len(cacerts) != 1 {
t.Fatalf("Unexpected error or number of certs: %v, %d", err, len(cacerts))
}
fakeca, err := (&admin.CreateSignerCertOptions{
CertFile: path.Join(fakecadir, "fakeca.crt"),
KeyFile: path.Join(fakecadir, "fakeca.key"),
SerialFile: path.Join(fakecadir, "fakeca.serial"),
Name: cacerts[0].Subject.CommonName,
Output: ioutil.Discard,
Overwrite: true,
}).CreateSignerCert()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
clientCertConfig, err := fakeca.MakeClientCertificate(
path.Join(fakecadir, "fakeclient.crt"),
path.Join(fakecadir, "fakeclient.key"),
&user.DefaultInfo{Name: "fakeuser"},
)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
invalidCert.CertData, invalidCert.KeyData, err = clientCertConfig.GetPEMBytes()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
for k, test := range map[string]struct {
token string
cert restclient.TLSClientConfig
expectedUser string
errorExpected bool
errorString string
}{
"valid token, valid cert": {
token: validToken,
cert: validCert,
expectedUser: tokenUser,
},
"valid token, invalid cert": {
token: validToken,
cert: invalidCert,
expectedUser: tokenUser,
},
"valid token, no cert": {
token: validToken,
cert: noCert,
expectedUser: tokenUser,
},
"invalid token, valid cert": {
token: invalidToken,
cert: validCert,
errorExpected: true,
errorString: unauthorizedError,
},
"invalid token, invalid cert": {
token: invalidToken,
cert: invalidCert,
errorExpected: true,
errorString: unauthorizedError,
},
"invalid token, no cert": {
token: invalidToken,
cert: noCert,
errorExpected: true,
errorString: unauthorizedError,
},
"no token, valid cert": {
token: noToken,
cert: validCert,
expectedUser: certUser,
},
"no token, invalid cert": {
token: noToken,
cert: invalidCert,
errorExpected: true,
errorString: unauthorizedError,
},
"no token, no cert": {
token: noToken,
cert: noCert,
errorExpected: true,
errorString: anonymousError,
},
} {
config := *adminConfig
config.BearerToken = test.token
config.TLSClientConfig = test.cert
config.CAData = adminConfig.CAData
client := oclient.NewOrDie(&config)
user, err := client.Users().Get("~")
if user.Name != test.expectedUser {
t.Errorf("%s: unexpected user %q", k, user.Name)
}
if test.errorExpected {
if err == nil {
t.Errorf("%s: expected error but got nil", k)
} else if err.Error() != test.errorString {
t.Errorf("%s: unexpected error string %q", k, err.Error())
}
} else {
if err != nil {
t.Errorf("%s: unexpected error %q", k, err.Error())
}
}
}
}
func TestOAuthBasicAuthPassword(t *testing.T) {
expectedLogin := "******"
expectedPassword := "******"
expectedAuthHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(expectedLogin+":"+expectedPassword))
testcases := map[string]struct {
RemoteStatus int
RemoteHeaders http.Header
RemoteBody []byte
ExpectUsername string
ExpectSuccess bool
ExpectErrStatus int32
}{
"success": {
RemoteStatus: 200,
RemoteHeaders: http.Header{"Content-Type": []string{"application/json"}},
RemoteBody: []byte(`{"sub":"remoteusername"}`),
ExpectSuccess: true,
ExpectUsername: "******",
},
"401": {
RemoteStatus: 401,
RemoteHeaders: http.Header{"Content-Type": []string{"application/json"}},
RemoteBody: []byte(`{"error":"bad-user"}`),
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 401,
},
"301": {
RemoteStatus: 301,
RemoteHeaders: http.Header{"Location": []string{"http://www.example.com"}},
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"302": {
RemoteStatus: 302,
RemoteHeaders: http.Header{"Location": []string{"http://www.example.com"}},
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"303": {
RemoteStatus: 303,
RemoteHeaders: http.Header{"Location": []string{"http://www.example.com"}},
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"304": {
RemoteStatus: 304,
RemoteHeaders: http.Header{"Location": []string{"http://www.example.com"}},
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"305": {
RemoteStatus: 305,
RemoteHeaders: http.Header{"Location": []string{"http://www.example.com"}},
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"404": {
RemoteStatus: 404,
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
"500": {
RemoteStatus: 500,
ExpectSuccess: false,
ExpectUsername: "",
ExpectErrStatus: 500,
},
}
// Create tempfiles with certs and keys we're going to use
certNames := map[string]string{}
for certName, certContents := range basicAuthCerts {
f, err := ioutil.TempFile("", certName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(f.Name())
if err := ioutil.WriteFile(f.Name(), certContents, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
certNames[certName] = f.Name()
}
// Build client cert pool
clientCAs, err := util.CertPoolFromFile(certNames[basicAuthRemoteCACert])
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Build remote handler
var (
remoteStatus int
remoteHeaders http.Header
remoteBody []byte
)
remoteHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
if req.TLS == nil {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected TLS")
}
if len(req.TLS.VerifiedChains) != 1 {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected peer cert verified by server")
}
if req.Header.Get("Authorization") != expectedAuthHeader {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected auth header %s got %s", expectedAuthHeader, req.Header.Get("Authorization"))
}
for k, values := range remoteHeaders {
for _, v := range values {
w.Header().Add(k, v)
}
}
w.WriteHeader(remoteStatus)
w.Write(remoteBody)
})
// Start remote server
remoteAddr, err := testserver.FindAvailableBindAddress(9443, 9999)
if err != nil {
t.Fatalf("Couldn't get free address for test server: %v", err)
}
remoteServer := &http.Server{
Addr: remoteAddr,
Handler: remoteHandler,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: crypto.SecureTLSConfig(&tls.Config{
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
}),
}
go func() {
if err := remoteServer.ListenAndServeTLS(certNames[basicAuthRemoteServerCert], certNames[basicAuthRemoteServerKey]); err != nil {
t.Fatalf("unexpected error: %v", err)
}
}()
// Build master config
testutil.RequireEtcd(t)
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "basicauth",
UseAsChallenger: true,
UseAsLogin: true,
MappingMethod: "claim",
Provider: &configapi.BasicAuthPasswordIdentityProvider{
RemoteConnectionInfo: configapi.RemoteConnectionInfo{
URL: fmt.Sprintf("https://%s", remoteAddr),
CA: certNames[basicAuthRemoteCACert],
ClientCert: configapi.CertInfo{
CertFile: certNames[basicAuthClientCert],
KeyFile: certNames[basicAuthClientKey],
},
},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := restclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
for k, tc := range testcases {
// Specify the remote server's response
remoteStatus = tc.RemoteStatus
remoteHeaders = tc.RemoteHeaders
remoteBody = tc.RemoteBody
// Attempt to obtain a token
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, expectedLogin, expectedPassword)
// Expected error
if !tc.ExpectSuccess {
if err == nil {
t.Errorf("%s: Expected error, got token=%v", k, accessToken)
} else if statusErr, ok := err.(*apierrs.StatusError); !ok {
t.Errorf("%s: expected status error, got %#v", k, err)
} else if statusErr.ErrStatus.Code != tc.ExpectErrStatus {
t.Errorf("%s: expected error status %d, got %#v", k, tc.ExpectErrStatus, statusErr)
}
continue
}
// Expected success
if err != nil {
t.Errorf("%s: Unexpected error: %v", k, err)
continue
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("%s: Unexpected error: %v", k, err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("%s: Unexpected error: %v", k, err)
}
if user.Name != tc.ExpectUsername {
t.Fatalf("%s: Expected %v as the user, got %v", k, tc.ExpectUsername, user)
}
}
}
// Negotiate a bearer token with the auth server, or try to reuse one based on the
// information already present. In case of any missing information, ask for user input
// (usually username and password, interactive depending on the Reader).
func (o *LoginOptions) gatherAuthInfo() error {
directClientConfig, err := o.getClientConfig()
if err != nil {
return err
}
// make a copy and use it to avoid mutating the original
t := *directClientConfig
clientConfig := &t
// if a token were explicitly provided, try to use it
if o.tokenProvided() {
clientConfig.BearerToken = o.Token
if osClient, err := client.New(clientConfig); err == nil {
me, err := whoAmI(osClient)
if err == nil {
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using the token provided.\n\n", o.Config.Host, o.Username)
return nil
}
if !kerrors.IsUnauthorized(err) {
return err
}
fmt.Fprintln(o.Out, "The token provided is invalid (probably expired).\n")
}
}
// if a token was provided try to make use of it
// make sure we have a username before continuing
if !o.usernameProvided() {
if cmdutil.IsTerminal(o.Reader) {
for !o.usernameProvided() {
o.Username = cmdutil.PromptForString(o.Reader, "Username: "******"Already logged into %q as %q.\n\n", o.Config.Host, o.Username)
}
return nil
}
}
}
}
}
// if kubeconfig doesn't already have a matching user stanza...
clientConfig.BearerToken = ""
clientConfig.CertData = []byte{}
clientConfig.KeyData = []byte{}
clientConfig.CertFile = o.CertFile
clientConfig.KeyFile = o.KeyFile
token, err := tokencmd.RequestToken(o.Config, o.Reader, o.Username, o.Password)
if err != nil {
return err
}
clientConfig.BearerToken = token
osClient, err := client.New(clientConfig)
if err != nil {
return err
}
me, err := whoAmI(osClient)
if err != nil {
return err
}
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintln(o.Out, "Login successful.\n")
return nil
}
func TestV2RegistryGetTags(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("error starting master: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client config: %v", err)
}
user := "******"
adminClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, testutil.Namespace(), user)
if err != nil {
t.Fatalf("error creating project: %v", err)
}
token, err := tokencmd.RequestToken(clusterAdminClientConfig, nil, user, "password")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
config := `version: 0.1
loglevel: debug
http:
addr: 127.0.0.1:5000
storage:
inmemory: {}
auth:
openshift:
middleware:
repository:
- name: openshift
`
os.Setenv("OPENSHIFT_CA_DATA", string(clusterAdminClientConfig.CAData))
os.Setenv("OPENSHIFT_CERT_DATA", string(clusterAdminClientConfig.CertData))
os.Setenv("OPENSHIFT_KEY_DATA", string(clusterAdminClientConfig.KeyData))
os.Setenv("OPENSHIFT_MASTER", clusterAdminClientConfig.Host)
os.Setenv("REGISTRY_URL", "127.0.0.1:5000")
go dockerregistry.Execute(strings.NewReader(config))
stream := imageapi.ImageStream{
ObjectMeta: kapi.ObjectMeta{
Namespace: testutil.Namespace(),
Name: "test",
},
}
if _, err := adminClient.ImageStreams(testutil.Namespace()).Create(&stream); err != nil {
t.Fatalf("error creating image stream: %s", err)
}
tags, err := getTags(stream.Name, user, token)
if err != nil {
t.Fatal(err)
}
if len(tags) > 0 {
t.Fatalf("expected 0 tags, got: %#v", tags)
}
dgst, err := putManifest(stream.Name, user, token)
if err != nil {
t.Fatal(err)
}
tags, err = getTags(stream.Name, user, token)
if err != nil {
t.Fatal(err)
}
if len(tags) != 1 {
t.Fatalf("expected 1 tag, got %d: %v", len(tags), tags)
}
if tags[0] != imageapi.DefaultImageTag {
t.Fatalf("expected latest, got %q", tags[0])
}
// test get by tag
url := fmt.Sprintf("http://127.0.0.1:5000/v2/%s/%s/manifests/%s", testutil.Namespace(), stream.Name, imageapi.DefaultImageTag)
req, err := http.NewRequest("GET", url, nil)
if err != nil {
t.Fatalf("error creating request: %v", err)
}
req.SetBasicAuth(user, token)
resp, err := http.DefaultClient.Do(req)
if err != nil {
t.Fatalf("error retrieving manifest from registry: %s", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("unexpected status code: %d", resp.StatusCode)
}
body, err := ioutil.ReadAll(resp.Body)
var retrievedManifest manifest.Manifest
if err := json.Unmarshal(body, &retrievedManifest); err != nil {
t.Fatalf("error unmarshaling retrieved manifest")
}
if retrievedManifest.Name != fmt.Sprintf("%s/%s", testutil.Namespace(), stream.Name) {
t.Fatalf("unexpected manifest name: %s", retrievedManifest.Name)
}
if retrievedManifest.Tag != imageapi.DefaultImageTag {
t.Fatalf("unexpected manifest tag: %s", retrievedManifest.Tag)
}
// test get by digest
url = fmt.Sprintf("http://127.0.0.1:5000/v2/%s/%s/manifests/%s", testutil.Namespace(), stream.Name, dgst.String())
req, err = http.NewRequest("GET", url, nil)
if err != nil {
t.Fatalf("error creating request: %v", err)
}
req.SetBasicAuth(user, token)
resp, err = http.DefaultClient.Do(req)
if err != nil {
t.Fatalf("error retrieving manifest from registry: %s", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("unexpected status code: %d", resp.StatusCode)
}
body, err = ioutil.ReadAll(resp.Body)
if err := json.Unmarshal(body, &retrievedManifest); err != nil {
t.Fatalf("error unmarshaling retrieved manifest")
}
if retrievedManifest.Name != fmt.Sprintf("%s/%s", testutil.Namespace(), stream.Name) {
t.Fatalf("unexpected manifest name: %s", retrievedManifest.Name)
}
if retrievedManifest.Tag != imageapi.DefaultImageTag {
t.Fatalf("unexpected manifest tag: %s", retrievedManifest.Tag)
}
image, err := adminClient.ImageStreamImages(testutil.Namespace()).Get(stream.Name, dgst.String())
if err != nil {
t.Fatalf("error getting imageStreamImage: %s", err)
}
if e, a := fmt.Sprintf("test@%s", dgst.Hex()[:7]), image.Name; e != a {
t.Errorf("image name: expected %q, got %q", e, a)
}
if e, a := dgst.String(), image.Image.Name; e != a {
t.Errorf("image name: expected %q, got %q", e, a)
}
if e, a := fmt.Sprintf("127.0.0.1:5000/%s/%s@%s", testutil.Namespace(), stream.Name, dgst.String()), image.Image.DockerImageReference; e != a {
t.Errorf("image dockerImageReference: expected %q, got %q", e, a)
}
if e, a := "foo", image.Image.DockerImageMetadata.ID; e != a {
t.Errorf("image dockerImageMetadata.ID: expected %q, got %q", e, a)
}
// test auto provisioning
otherStream, err := adminClient.ImageStreams(testutil.Namespace()).Get("otherrepo")
t.Logf("otherStream=%#v, err=%v", otherStream, err)
if err == nil {
t.Fatalf("expected error getting otherrepo")
}
otherDigest, err := putManifest("otherrepo", user, token)
if err != nil {
t.Fatal(err)
}
otherStream, err = adminClient.ImageStreams(testutil.Namespace()).Get("otherrepo")
if err != nil {
t.Fatalf("unexpected error getting otherrepo: %s", err)
}
if otherStream == nil {
t.Fatalf("unexpected nil otherrepo")
}
if len(otherStream.Status.Tags) != 1 {
t.Errorf("expected 1 tag, got %#v", otherStream.Status.Tags)
}
history, ok := otherStream.Status.Tags[imageapi.DefaultImageTag]
if !ok {
t.Fatal("unable to find 'latest' tag")
}
if len(history.Items) != 1 {
t.Errorf("expected 1 tag event, got %#v", history.Items)
}
if e, a := otherDigest.String(), history.Items[0].Image; e != a {
t.Errorf("digest: expected %q, got %q", e, a)
}
}
func TestOAuthBasicAuthPassword(t *testing.T) {
remotePrefix := "remote"
expectedLogin := "******"
expectedPassword := "******"
expectedAuthHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(expectedLogin+":"+expectedPassword))
expectedUsername := remotePrefix + expectedLogin
// Create tempfiles with certs and keys we're going to use
certNames := map[string]string{}
for certName, certContents := range basicAuthCerts {
f, err := ioutil.TempFile("", certName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(f.Name())
if err := ioutil.WriteFile(f.Name(), certContents, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
certNames[certName] = f.Name()
}
// Build client cert pool
clientCAs, err := util.CertPoolFromFile(certNames[basicAuthRemoteCACert])
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Build remote handler
remoteHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
if req.TLS == nil {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected TLS")
}
if len(req.TLS.VerifiedChains) != 1 {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected peer cert verified by server")
}
if req.Header.Get("Authorization") != expectedAuthHeader {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Unexpected auth header: %s", req.Header.Get("Authorization"))
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(fmt.Sprintf(`{"sub":"%s"}`, expectedUsername)))
})
// Start remote server
remoteAddr, err := testserver.FindAvailableBindAddress(9443, 9999)
if err != nil {
t.Fatalf("Couldn't get free address for test server: %v", err)
}
remoteServer := &http.Server{
Addr: remoteAddr,
Handler: remoteHandler,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
},
}
go func() {
if err := remoteServer.ListenAndServeTLS(certNames[basicAuthRemoteServerCert], certNames[basicAuthRemoteServerKey]); err != nil {
t.Fatalf("unexpected error: %v", err)
}
}()
// Build master config
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "basicauth",
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
Object: &configapi.BasicAuthPasswordIdentityProvider{
RemoteConnectionInfo: configapi.RemoteConnectionInfo{
URL: fmt.Sprintf("https://%s", remoteAddr),
CA: certNames[basicAuthRemoteCACert],
ClientCert: configapi.CertInfo{
CertFile: certNames[basicAuthClientCert],
KeyFile: certNames[basicAuthClientKey],
},
},
},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can get a token
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, expectedLogin, expectedPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != expectedUsername {
t.Fatalf("Expected username as the user, got %v", user)
}
}
func TestBasicGroupManipulation(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// make sure we don't get back system groups
firstValerie, err := clusterAdminClient.Users().Get("valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(firstValerie.Groups) != 0 {
t.Errorf("unexpected groups: %v", firstValerie.Groups)
}
// make sure that user/~ returns groups for unbacked users
expectedClusterAdminGroups := []string{"system:cluster-admins"}
clusterAdminUser, err := clusterAdminClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(clusterAdminUser.Groups, expectedClusterAdminGroups) {
t.Errorf("expected %v, got %v", clusterAdminUser.Groups, expectedClusterAdminGroups)
}
valerieGroups := []string{"thegroup"}
firstValerie.Groups = append(firstValerie.Groups, valerieGroups...)
_, err = clusterAdminClient.Users().Update(firstValerie)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// make sure that user/~ doesn't get back system groups when it merges
secondValerie, err := valerieOpenshiftClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(secondValerie.Groups, valerieGroups) {
t.Errorf("expected %v, got %v", secondValerie.Groups, valerieGroups)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Groups = util.NewStringSet(valerieGroups...)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", "pods", true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}