func TestClientSet_v1_3(t *testing.T) {
const namespace = "test-clientset-v13"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatal(err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
testCreateProject := func() {
c, err := projectclient.NewForConfig(clusterAdminClientConfig)
if err != nil {
t.Fatal(err)
}
project := &v1projectapi.Project{}
project.Name = namespace
if _, err := c.Projects().Create(project); err != nil {
t.Fatal(err)
}
}
testBuilds := func() {
c, err := buildclient.NewForConfig(clusterAdminClientConfig)
if err != nil {
t.Fatal(err)
}
build := &v1buildapi.Build{}
build.Name = "test-build"
build.Spec.Source.Git = &v1buildapi.GitBuildSource{URI: "http://build.uri/build"}
build.Spec.Strategy.DockerStrategy = &v1buildapi.DockerBuildStrategy{}
build.Spec.Output.To = &kapiv1.ObjectReference{
Kind: "DockerImage",
Name: "namespace/image",
}
if _, err := c.Builds(namespace).Create(build); err != nil {
t.Fatal(err)
}
result, err := c.Builds(namespace).List(api.ListOptions{})
if err != nil {
t.Fatal(err)
}
if len(result.Items) != 1 {
t.Fatal(fmt.Errorf("expected to get 1 build, got %d", len(result.Items)))
}
if _, err := c.Builds(namespace).Get(build.Name); err != nil {
t.Fatal(err)
}
}
// try to create the non-namespaced resource
testCreateProject()
// try to create the namespace resource
testBuilds()
}
func TestUnprivilegedNewProjectDenied(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role.Rules = []authorizationapi.PolicyRule{}
if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(valerieOpenshiftClient, "create", projectapi.Resource("projectrequests"), false); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
_, err = valerieOpenshiftClient.ProjectRequests().List(kapi.ListOptions{})
if err == nil {
t.Fatalf("expected error: %v", err)
}
expectedError := `You may not request a new project via this API.`
if (err != nil) && (err.Error() != expectedError) {
t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error())
}
}
func setupProjectRequestLimitTest(t *testing.T, pluginConfig *requestlimit.ProjectRequestLimitConfig) (kclientset.Interface, client.Interface, *restclient.Config) {
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
masterConfig.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{
"ProjectRequestLimit": {
Configuration: pluginConfig,
},
}
kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting openshift client: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client config: %v", err)
}
return kubeClient, openshiftClient, clientConfig
}
func TestUnprivilegedNewProject(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
allowed, err := valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if allowed.Status != unversioned.StatusSuccess {
t.Fatalf("expected %v, got %v", unversioned.StatusSuccess, allowed.Status)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
if err := requestProject.Run(); !kapierrors.IsAlreadyExists(err) {
t.Fatalf("expected an already exists error, but got %v", err)
}
}
func StartConfiguredMasterWithOptions(masterConfig *configapi.MasterConfig, testOptions TestOptions) (string, error) {
if testOptions.DeleteAllEtcdKeys {
util.DeleteAllEtcdKeys()
}
if err := start.NewMaster(masterConfig, true, true).Start(); err != nil {
return "", err
}
adminKubeConfigFile := util.KubeConfigPath()
clientConfig, err := util.GetClusterAdminClientConfig(adminKubeConfigFile)
if err != nil {
return "", err
}
masterURL, err := url.Parse(clientConfig.Host)
if err != nil {
return "", err
}
// wait for the server to come up: 35 seconds
if err := cmdutil.WaitForSuccessfulDial(true, "tcp", masterURL.Host, 100*time.Millisecond, 1*time.Second, 35); err != nil {
return "", err
}
for {
// confirm that we can actually query from the api server
if client, err := util.GetClusterAdminClient(adminKubeConfigFile); err == nil {
if _, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything()); err == nil {
break
}
}
time.Sleep(100 * time.Millisecond)
}
return adminKubeConfigFile, nil
}
func setupClusterResourceOverrideTest(t *testing.T, pluginConfig *overrideapi.ClusterResourceOverrideConfig) kclient.Interface {
masterConfig, err := testserver.DefaultMasterOptions()
checkErr(t, err)
// fill in possibly-empty config values
if masterConfig.KubernetesMasterConfig == nil {
masterConfig.KubernetesMasterConfig = &api.KubernetesMasterConfig{}
}
kubeMaster := masterConfig.KubernetesMasterConfig
if kubeMaster.AdmissionConfig.PluginConfig == nil {
kubeMaster.AdmissionConfig.PluginConfig = map[string]api.AdmissionPluginConfig{}
}
// set our config as desired
kubeMaster.AdmissionConfig.PluginConfig[overrideapi.PluginName] =
api.AdmissionPluginConfig{Configuration: pluginConfig}
// start up a server and return useful clients to that server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterConfig)
checkErr(t, err)
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
// need to create a project and return client for project admin
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, testutil.Namespace(), "peon")
checkErr(t, err)
checkErr(t, testserver.WaitForServiceAccounts(clusterAdminKubeClient, testutil.Namespace(), []string{bootstrappolicy.DefaultServiceAccountName}))
return clusterAdminKubeClient
}
func TestCLIGetToken(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
anonymousConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
reader := bytes.NewBufferString("user\npass")
accessToken, err := tokencmd.RequestToken(&anonymousConfig, reader, "", "")
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Error("Expected accessToken, but did not get one")
}
clientConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
clientConfig.BearerToken = accessToken
osClient, err := client.New(&clientConfig)
checkErr(t, err)
user, err := osClient.Users().Get("~")
checkErr(t, err)
if user.Name != "user" {
t.Errorf("expected %v, got %v", "user", user.Name)
}
}
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// can I get a subjectaccessreview on myself even if I have no rights to do it generally
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create policybindings in project "openshift"`,
Namespace: "openshift",
},
}.run(t)
// I shouldn't be allowed to ask whether someone else can perform an action
askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
Groups: sets.NewString("system:cluster-admins"),
Action: authorizationapi.Action{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanClusterAdminsCreateProject,
err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
}.run(t)
}
func setupProjectRequestLimitTest(t *testing.T, pluginConfig *requestlimit.ProjectRequestLimitConfig) (kclient.Interface, client.Interface, *kclient.Config) {
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
masterConfig.AdmissionConfig.PluginOrderOverride = []string{"OriginNamespaceLifecycle", "BuildByStrategy", "ProjectRequestLimit"}
masterConfig.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{
"ProjectRequestLimit": {
Configuration: runtime.EmbeddedObject{
Object: pluginConfig,
},
},
}
kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting openshift client: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client config: %v", err)
}
return kubeClient, openshiftClient, clientConfig
}
// ChangeUser changes the user used by the current CLI session.
func (c *CLI) ChangeUser(name string) *CLI {
adminClientConfig, err := testutil.GetClusterAdminClientConfig(c.adminConfigPath)
if err != nil {
FatalErr(err)
}
_, _, clientConfig, err := testutil.GetClientForUser(*adminClientConfig, name)
if err != nil {
FatalErr(err)
}
kubeConfig, err := config.CreateConfig(c.Namespace(), clientConfig)
if err != nil {
FatalErr(err)
}
c.configPath = filepath.Join(c.outputDir, name+".kubeconfig")
err = clientcmd.WriteToFile(*kubeConfig, c.configPath)
if err != nil {
FatalErr(err)
}
c.username = name
e2e.Logf("configPath is now %q", c.configPath)
return c
}
func setupBuildStrategyTest(t *testing.T) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
namespace := testutil.Namespace()
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
t.Fatalf(err.Error())
}
// Create builder image stream and tag
imageStream := &imageapi.ImageStream{}
imageStream.Name = "builderimage"
_, err = clusterAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream)
if err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
// Create image stream mapping
imageStreamMapping := &imageapi.ImageStreamMapping{}
imageStreamMapping.Name = "builderimage"
imageStreamMapping.Tag = "latest"
imageStreamMapping.Image.Name = "image-id"
imageStreamMapping.Image.DockerImageReference = "test/builderimage:latest"
err = clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(imageStreamMapping)
if err != nil {
t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
}
return
}
func TestWebhookGitHubPing(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unable to start master: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get kubeClient: %v", err)
}
osClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get osClient: %v", err)
}
kubeClient.Core().Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
// create buildconfig
buildConfig := mockBuildConfigImageParms("originalimage", "imagestream", "validtag")
if _, err := osClient.BuildConfigs(testutil.Namespace()).Create(buildConfig); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
watch, err := osClient.Builds(testutil.Namespace()).Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("Couldn't subscribe to builds: %v", err)
}
defer watch.Stop()
for _, s := range []string{
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret101/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret100/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret102/github",
} {
// trigger build event sending push notification
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
postFile(osClient.RESTClient.Client, "ping", "pingevent.json", clusterAdminClientConfig.Host+s, http.StatusOK, t)
// TODO: improve negative testing
timer := time.NewTimer(time.Second / 2)
select {
case <-timer.C:
// nothing should happen
case event := <-watch.ResultChan():
build := event.Object.(*buildapi.Build)
t.Fatalf("Unexpected build created: %#v", build)
}
}
}
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
func TestDeployScale(t *testing.T) {
const namespace = "test-deploy-scale"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{}
config.Spec.Replicas = 1
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
scale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if scale.Spec.Replicas != 1 {
t.Fatalf("Expected scale.spec.replicas=1, got %#v", scale)
}
scaleUpdate := &extensions.Scale{
ObjectMeta: kapi.ObjectMeta{
Name: dc.Name,
Namespace: namespace,
},
Spec: extensions.ScaleSpec{Replicas: 3},
}
updatedScale, err := osClient.DeploymentConfigs(namespace).UpdateScale(scaleUpdate)
if err != nil {
// If this complains about "Scale" not being registered in "v1", check the kind overrides in the API registration in SubresourceGroupVersionKind
t.Fatalf("Couldn't update DeploymentConfig scale to %#v: %v", scaleUpdate, err)
}
if updatedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
persistedScale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if persistedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
}
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{})
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}
func setupUserPodNodeConstraintsTest(t *testing.T, pluginConfig *pluginapi.PodNodeConstraintsConfig, user string) (*client.Client, *kclientset.Clientset) {
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
cfg := map[string]configapi.AdmissionPluginConfig{
"PodNodeConstraints": {
Configuration: pluginConfig,
},
}
masterConfig.AdmissionConfig.PluginConfig = cfg
masterConfig.KubernetesMasterConfig.AdmissionConfig.PluginConfig = cfg
kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userClient, userkubeClientset, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, user)
if err != nil {
t.Fatalf("error getting user/kube client: %v", err)
}
kubeClientset, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting kube client: %v", err)
}
ns := &kapi.Namespace{}
ns.Name = testutil.Namespace()
_, err = kubeClientset.Core().Namespaces().Create(ns)
if err != nil {
t.Fatalf("error creating namespace: %v", err)
}
if err := testserver.WaitForServiceAccounts(kubeClientset, testutil.Namespace(), []string{bootstrappolicy.DefaultServiceAccountName}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addUser := &policy.RoleModificationOptions{
RoleNamespace: ns.Name,
RoleName: bootstrappolicy.AdminRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{user},
}
if err := addUser.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
return userClient, userkubeClientset
}
func TestOAuthDisabled(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
// Build master config
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Disable OAuth
masterOptions.OAuthConfig = nil
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Make sure cert auth still works
namespaces, err := client.Namespaces().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(namespaces.Items) == 0 {
t.Errorf("Expected namespaces, got none")
}
// Use the server and CA info
anonConfig := restclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can't authenticate using OAuth
if _, err := tokencmd.RequestToken(&anonConfig, nil, "username", "password"); err == nil {
t.Error("Expected error, got none")
}
}
func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(valerieClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// ensure that a SAR for a non-exisitng namespace gives a SAR response and not a
// namespace doesn't exist response from admisison.
askCanICreatePodsInNonExistingNamespace := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{Namespace: "foo", Verb: "create", Resource: "pods"},
}
subjectAccessReviewTest{
description: "ensure SAR for non-existing namespace does not leak namespace info",
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("foo"),
localReview: askCanICreatePodsInNonExistingNamespace,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create pods in project "foo"`,
Namespace: "foo",
},
}.run(t)
}
func TestScopedImpersonation(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
userName := "******"
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, userName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
err = clusterAdminClient.Get().
SetHeader(authenticationapi.ImpersonateUserHeader, "harold").
SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
Namespace(projectName).Resource("builds").Name("name").Do().Into(&buildapi.Build{})
if !kapierrors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
user := &userapi.User{}
err = clusterAdminClient.Get().
SetHeader(authenticationapi.ImpersonateUserHeader, "harold").
SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
Resource("users").Name("~").Do().Into(user)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if user.Name != "harold" {
t.Fatalf("expected %v, got %v", "harold", user.Name)
}
}
func setup(t *testing.T) *client.Client {
_, clusterAdminKubeConfigFile, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminKubeConfig, testutil.Namespace(), testutil.Namespace())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return projectAdminClient
}
func testSetupImageSignatureTest(t *testing.T, userName string) (adminClient *client.Client, userClient *client.Client, image *imageapi.Image) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
image, err = testutil.GetImageFixture("testdata/test-image.json")
if err != nil {
t.Fatalf("failed to read image fixture: %v", err)
}
image, err = adminClient.Images().Create(image)
if err != nil {
t.Fatalf("unexpected error creating image: %v", err)
}
if len(image.Signatures) != 0 {
t.Fatalf("expected empty signatures, not: %s", diff.ObjectDiff(image.Signatures, []imageapi.ImageSignature{}))
}
clusterAdminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userClient, _, _, err = testutil.GetClientForUser(*clusterAdminConfig, userName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return adminClient, userClient, image
}
func TestOAuthBasicAuthPassword(t *testing.T) {
remotePrefix := "remote"
expectedLogin := "******"
expectedPassword := "******"
expectedAuthHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(expectedLogin+":"+expectedPassword))
expectedUsername := remotePrefix + expectedLogin
// Create tempfiles with certs and keys we're going to use
certNames := map[string]string{}
for certName, certContents := range basicAuthCerts {
f, err := ioutil.TempFile("", certName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(f.Name())
if err := ioutil.WriteFile(f.Name(), certContents, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
certNames[certName] = f.Name()
}
// Build client cert pool
clientCAs, err := util.CertPoolFromFile(certNames[basicAuthRemoteCACert])
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Build remote handler
remoteHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
if req.TLS == nil {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected TLS")
}
if len(req.TLS.VerifiedChains) != 1 {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Expected peer cert verified by server")
}
if req.Header.Get("Authorization") != expectedAuthHeader {
w.WriteHeader(http.StatusUnauthorized)
t.Fatalf("Unexpected auth header: %s", req.Header.Get("Authorization"))
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(fmt.Sprintf(`{"sub":"%s"}`, expectedUsername)))
})
// Start remote server
remoteAddr, err := testserver.FindAvailableBindAddress(9443, 9999)
if err != nil {
t.Fatalf("Couldn't get free address for test server: %v", err)
}
remoteServer := &http.Server{
Addr: remoteAddr,
Handler: remoteHandler,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
},
}
go func() {
if err := remoteServer.ListenAndServeTLS(certNames[basicAuthRemoteServerCert], certNames[basicAuthRemoteServerKey]); err != nil {
t.Fatalf("unexpected error: %v", err)
}
}()
// Build master config
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "basicauth",
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
Object: &configapi.BasicAuthPasswordIdentityProvider{
RemoteConnectionInfo: configapi.RemoteConnectionInfo{
URL: fmt.Sprintf("https://%s", remoteAddr),
CA: certNames[basicAuthRemoteCACert],
ClientCert: configapi.CertInfo{
CertFile: certNames[basicAuthClientCert],
KeyFile: certNames[basicAuthClientKey],
},
},
},
},
}
// Start server
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Make sure we can get a token
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, expectedLogin, expectedPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != expectedUsername {
t.Fatalf("Expected username as the user, got %v", user)
}
}
func TestNodeAuth(t *testing.T) {
// Server config
masterConfig, nodeConfig, adminKubeConfigFile, err := testserver.StartTestAllInOne()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Cluster admin clients and client configs
adminClient, err := testutil.GetClusterAdminKubeClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
originAdminClient, err := testutil.GetClusterAdminClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminConfig, err := testutil.GetClusterAdminClientConfig(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Client configs for lesser users
masterKubeletClientConfig := configapi.GetKubeletClientConfig(*masterConfig)
anonymousConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig.BearerToken = "bad-token"
bobClient, _, bobConfig, err := testutil.GetClientForUser(*adminConfig, "bob")
_, _, aliceConfig, err := testutil.GetClientForUser(*adminConfig, "alice")
sa1Client, _, sa1Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa1")
_, _, sa2Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa2")
// Grant Bob system:node-reader, which should let them read metrics and stats
addBob := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.NodeReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "User", Name: "bob"}},
}
if err := addBob.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Grant sa1 system:cluster-reader, which should let them read metrics and stats
addSA1 := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.ClusterReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "ServiceAccount", Namespace: "default", Name: "sa1"}},
}
if err := addSA1.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Wait for policy cache
if err := testutil.WaitForClusterPolicyUpdate(bobClient, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(sa1Client, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, nodePort, err := net.SplitHostPort(nodeConfig.ServingInfo.BindAddress)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodePortInt, err := strconv.ParseInt(nodePort, 0, 0)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodeTLS := configapi.UseTLS(nodeConfig.ServingInfo)
kubeletClientConfig := func(config *kclient.Config) *kubeletclient.KubeletClientConfig {
return &kubeletclient.KubeletClientConfig{
Port: uint(nodePortInt),
EnableHttps: nodeTLS,
TLSClientConfig: config.TLSClientConfig,
BearerToken: config.BearerToken,
}
}
testCases := map[string]struct {
KubeletClientConfig *kubeletclient.KubeletClientConfig
Forbidden bool
NodeViewer bool
NodeAdmin bool
}{
"bad token": {
KubeletClientConfig: kubeletClientConfig(&badTokenConfig),
},
"anonymous": {
KubeletClientConfig: kubeletClientConfig(&anonymousConfig),
Forbidden: true,
},
"cluster admin": {
KubeletClientConfig: kubeletClientConfig(adminConfig),
NodeAdmin: true,
},
"master kubelet client": {
KubeletClientConfig: masterKubeletClientConfig,
NodeAdmin: true,
},
"bob": {
KubeletClientConfig: kubeletClientConfig(bobConfig),
NodeViewer: true,
},
"alice": {
KubeletClientConfig: kubeletClientConfig(aliceConfig),
Forbidden: true,
},
"sa1": {
KubeletClientConfig: kubeletClientConfig(sa1Config),
NodeViewer: true,
},
"sa2": {
KubeletClientConfig: kubeletClientConfig(sa2Config),
Forbidden: true,
},
}
for k, tc := range testCases {
var (
// expected result for requests a viewer should be able to make
viewResult int
// expected result for requests an admin should be able to make (that can actually complete with a 200 in our tests)
adminResultOK int
// expected result for requests an admin should be able to make (that return a 404 in this test if the authn/authz layer is completed)
adminResultMissing int
)
switch {
case tc.NodeAdmin:
viewResult = http.StatusOK
adminResultOK = http.StatusOK
adminResultMissing = http.StatusNotFound
case tc.NodeViewer:
viewResult = http.StatusOK
adminResultOK = http.StatusForbidden
adminResultMissing = http.StatusForbidden
case tc.Forbidden:
viewResult = http.StatusForbidden
adminResultOK = http.StatusForbidden
adminResultMissing = http.StatusForbidden
default:
viewResult = http.StatusUnauthorized
adminResultOK = http.StatusUnauthorized
adminResultMissing = http.StatusUnauthorized
}
requests := []testRequest{
// Responses to invalid paths are the same for all users
{"GET", "/", http.StatusNotFound},
{"GET", "/stats", http.StatusMovedPermanently}, // ServeMux redirects to the directory
{"GET", "/logs", http.StatusMovedPermanently}, // ServeMux redirects to the directory
{"GET", "/invalid", http.StatusNotFound},
// viewer requests
{"GET", "/metrics", viewResult},
{"GET", "/stats/", viewResult},
{"POST", "/stats/", viewResult}, // stats requests can be POSTs which contain query options
// successful admin requests
{"GET", "/healthz", adminResultOK},
{"GET", "/pods", adminResultOK},
{"GET", "/logs/", adminResultOK},
// not found admin requests
{"GET", "/containerLogs/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/exec/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/run/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/attach/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/portForward/mynamespace/mypod/mycontainer", adminResultMissing},
// GET is supported in origin on /exec and /attach for backwards compatibility
// make sure node admin permissions are required
{"GET", "/exec/mynamespace/mypod/mycontainer", adminResultMissing},
{"GET", "/attach/mynamespace/mypod/mycontainer", adminResultMissing},
}
rt, err := kubeletclient.MakeTransport(tc.KubeletClientConfig)
if err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
continue
}
for _, r := range requests {
req, err := http.NewRequest(r.Method, "https://"+nodeConfig.NodeName+":10250"+r.Path, nil)
if err != nil {
t.Errorf("%s: %s: unexpected error: %v", k, r.Path, err)
continue
}
resp, err := rt.RoundTrip(req)
if err != nil {
t.Errorf("%s: %s: unexpected error: %v", k, r.Path, err)
continue
}
resp.Body.Close()
if resp.StatusCode != r.Result {
t.Errorf("%s: %s: expected %d, got %d", k, r.Path, r.Result, resp.StatusCode)
continue
}
}
}
}
func TestTriggers_imageChange(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("error starting master: %v", err)
}
openshiftClusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting OpenShift cluster admin client: %v", err)
}
openshiftClusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client config: %v", err)
}
openshiftProjectAdminClient, err := testutil.CreateNewProject(openshiftClusterAdminClient, *openshiftClusterAdminClientConfig, testutil.Namespace(), "bob")
if err != nil {
t.Fatalf("error creating project: %v", err)
}
imageStream := &imageapi.ImageStream{ObjectMeta: kapi.ObjectMeta{Name: "test-image-stream"}}
config := deploytest.OkDeploymentConfig(0)
config.Namespace = testutil.Namespace()
configWatch, err := openshiftProjectAdminClient.DeploymentConfigs(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to Deployments %v", err)
}
defer configWatch.Stop()
if imageStream, err = openshiftProjectAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream); err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
imageWatch, err := openshiftProjectAdminClient.ImageStreams(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to ImageStreams: %s", err)
}
defer imageWatch.Stop()
// Make a function which can create a new tag event for the image stream and
// then wait for the stream status to be asynchronously updated.
createTagEvent := func(image string) {
mapping := &imageapi.ImageStreamMapping{
ObjectMeta: kapi.ObjectMeta{Name: imageStream.Name},
Tag: "latest",
Image: imageapi.Image{
ObjectMeta: kapi.ObjectMeta{
Name: image,
},
DockerImageReference: fmt.Sprintf("registry:8080/openshift/test-image@%s", image),
},
}
if err := openshiftProjectAdminClient.ImageStreamMappings(testutil.Namespace()).Create(mapping); err != nil {
t.Fatalf("unexpected error: %v", err)
}
t.Log("Waiting for image stream mapping to be reflected in the IS status...")
statusLoop:
for {
select {
case event := <-imageWatch.ResultChan():
stream := event.Object.(*imageapi.ImageStream)
if _, ok := stream.Status.Tags["latest"]; ok {
t.Logf("ImageStream %s now has Status with tags: %#v", stream.Name, stream.Status.Tags)
break statusLoop
} else {
t.Logf("Still waiting for latest tag status on ImageStream %s", stream.Name)
}
}
}
}
if config, err = openshiftProjectAdminClient.DeploymentConfigs(testutil.Namespace()).Create(config); err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v", err)
}
createTagEvent("sha256:00000000000000000000000000000001")
var newConfig *deployapi.DeploymentConfig
t.Log("Waiting for a new deployment config in response to ImageStream update")
waitForNewConfig:
for {
select {
case event := <-configWatch.ResultChan():
if event.Type == watchapi.Modified {
newConfig = event.Object.(*deployapi.DeploymentConfig)
break waitForNewConfig
}
}
}
if e, a := 1, newConfig.LatestVersion; e != a {
t.Fatalf("expected config version %d, got %d", e, a)
}
}
func TestBasicUserBasedGroupManipulation(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// make sure we don't get back system groups
firstValerie, err := clusterAdminClient.Users().Get("valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(firstValerie.Groups) != 0 {
t.Errorf("unexpected groups: %v", firstValerie.Groups)
}
// make sure that user/~ returns groups for unbacked users
expectedClusterAdminGroups := []string{"system:cluster-admins"}
clusterAdminUser, err := clusterAdminClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(clusterAdminUser.Groups, expectedClusterAdminGroups) {
t.Errorf("expected %v, got %v", clusterAdminUser.Groups, expectedClusterAdminGroups)
}
valerieGroups := []string{"theGroup"}
firstValerie.Groups = append(firstValerie.Groups, valerieGroups...)
_, err = clusterAdminClient.Users().Update(firstValerie)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// make sure that user/~ doesn't get back system groups when it merges
secondValerie, err := valerieOpenshiftClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(secondValerie.Groups, valerieGroups) {
t.Errorf("expected %v, got %v", secondValerie.Groups, valerieGroups)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Subjects = authorizationapi.BuildSubjects([]string{}, valerieGroups, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", kapi.Resource("pods"), true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
func TestBasicGroupManipulation(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
theGroup := &userapi.Group{}
theGroup.Name = "thegroup"
theGroup.Users = append(theGroup.Users, "valerie", "victor")
_, err = clusterAdminClient.Groups().Create(theGroup)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Subjects = authorizationapi.BuildSubjects([]string{}, []string{theGroup.Name}, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", kapi.Resource("pods"), true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
victorOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "victor")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = victorOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
clientInterface: clusterAdminClient.SubjectAccessReviews("default"),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clientInterface: dannyClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "mark told valerie cannot get project mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot get projects in project "mallet-project"`,
Namespace: "mallet-project",
},
}.run(t)
askCanEdgarDeletePods := &authorizationapi.SubjectAccessReview{User: "******", Verb: "delete", Resource: "pods"}
subjectAccessReviewTest{
description: "mark told edgar can delete pods in mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in mallet-project",
Namespace: "mallet-project",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run subject access review in project mallet-project",
clientInterface: haroldClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
err: `User "harold" cannot create subjectaccessreviews in project "mallet-project"`,
}.run(t)
askCanHaroldUpdateProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "update", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told harold can update project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanHaroldUpdateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{Groups: util.NewStringSet("system:cluster-admins"), Verb: "create", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told cluster admins can create projects",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by cluster rule:",
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run cluster subject access review",
clientInterface: haroldClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
err: `User "harold" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
askCanICreatePods := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "pods"}
subjectAccessReviewTest{
description: "harold told he can create pods in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanICreatePolicyBindings := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "policybindings"}
subjectAccessReviewTest{
description: "harold told he can create policybindings in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot create policybindings in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
}
func TestAuthorizationResourceAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestWhoCanViewDeployments := &authorizationapi.ResourceAccessReview{Verb: "get", Resource: "deployments"}
{
test := resourceAccessReviewTest{
clientInterface: haroldClient.ResourceAccessReviews("hammer-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("harold", "valerie"),
Groups: globalClusterAdminGroups,
Namespace: "hammer-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
{
test := resourceAccessReviewTest{
clientInterface: markClient.ResourceAccessReviews("mallet-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("mark", "edgar"),
Groups: globalClusterAdminGroups,
Namespace: "mallet-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
// mark should not be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: markClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
err: "cannot ",
}
test.run(t)
}
// a cluster-admin should be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: clusterAdminClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: globalClusterAdminUsers,
Groups: globalClusterAdminGroups,
},
}
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
}
func TestOAuthLDAP(t *testing.T) {
var (
randomSuffix = string(kutil.NewUUID())
providerName = "myldapprovider"
bindDN = "uid=admin,ou=company,ou=" + randomSuffix
bindPassword = "******" + randomSuffix
searchDN = "ou=company,ou=" + randomSuffix
searchAttr = "myuid" + randomSuffix
searchScope = "one" // must be "one","sub", or "base"
searchFilter = "(myAttr=myValue)" // must be a valid LDAP filter format
nameAttr1 = "missing-name-attr"
nameAttr2 = "a-display-name" + randomSuffix
idAttr1 = "missing-id-attr"
idAttr2 = "dn" // "dn" is a special value, so don't add a random suffix to make sure we handle it correctly
emailAttr1 = "missing-attr"
emailAttr2 = "c-mail" + randomSuffix
loginAttr1 = "missing-attr"
loginAttr2 = "d-mylogin" + randomSuffix
myUserUID = "myuser"
myUserName = "******"
myUserEmail = "*****@*****.**"
myUserDN = searchAttr + "=" + myUserUID + "," + searchDN
myUserPassword = "******" + randomSuffix
)
expectedAttributes := [][]byte{}
for _, attr := range kutil.NewStringSet(searchAttr, nameAttr1, nameAttr2, idAttr1, idAttr2, emailAttr1, emailAttr2, loginAttr1, loginAttr2).List() {
expectedAttributes = append(expectedAttributes, []byte(attr))
}
expectedSearchRequest := ldapserver.SearchRequest{
BaseObject: []byte(searchDN),
Scope: ldapserver.SearchRequestSingleLevel,
DerefAliases: 0,
SizeLimit: 2,
TimeLimit: 0,
TypesOnly: false,
Attributes: expectedAttributes,
Filter: fmt.Sprintf("(&%s(%s=%s))", searchFilter, searchAttr, myUserUID),
}
// Start LDAP server
ldapAddress, err := testutil.FindAvailableBindAddress(8389, 8400)
if err != nil {
t.Fatalf("could not allocate LDAP bind address: %v", err)
}
ldapServer := testutil.NewTestLDAPServer()
ldapServer.SetPassword(bindDN, bindPassword)
ldapServer.Start(ldapAddress)
defer ldapServer.Stop()
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: providerName,
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
&configapi.LDAPPasswordIdentityProvider{
URL: fmt.Sprintf("ldap://%s/%s?%s?%s?%s", ldapAddress, searchDN, searchAttr, searchScope, searchFilter),
BindDN: bindDN,
BindPassword: bindPassword,
Insecure: true,
CA: "",
Attributes: configapi.LDAPAttributes{
ID: []string{idAttr1, idAttr2},
PreferredUsername: []string{loginAttr1, loginAttr2},
Name: []string{nameAttr1, nameAttr2},
Email: []string{emailAttr1, emailAttr2},
},
},
},
}
clusterAdminKubeConfig, err := testutil.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// Use the server and CA info
anonConfig := kclient.Config{}
anonConfig.Host = clusterAdminClientConfig.Host
anonConfig.CAFile = clusterAdminClientConfig.CAFile
anonConfig.CAData = clusterAdminClientConfig.CAData
// Make sure we can't authenticate as a missing user
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 1 {
t.Error("Expected a single bind request for the search phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Add user
ldapServer.SetPassword(myUserDN, myUserPassword)
ldapServer.AddSearchResult(myUserDN, map[string]string{emailAttr2: myUserEmail, nameAttr2: myUserName, loginAttr2: myUserUID})
// Make sure we can't authenticate with a bad password
ldapServer.ResetRequests()
if _, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, "badpassword"); err == nil {
t.Error("Expected error, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
// Make sure we can get a token with a good password
ldapServer.ResetRequests()
accessToken, err := tokencmd.RequestToken(&anonConfig, nil, myUserUID, myUserPassword)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Errorf("Expected access token, got none")
}
if len(ldapServer.BindRequests) != 2 {
t.Error("Expected a bind request for the search phase and a failed bind request for the auth phase, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if len(ldapServer.SearchRequests) != 1 {
t.Error("Expected a single search request, got %d:\n%#v", len(ldapServer.BindRequests), ldapServer.BindRequests)
}
if !reflect.DeepEqual(expectedSearchRequest.BaseObject, ldapServer.SearchRequests[0].BaseObject) {
t.Errorf("Expected search base DN\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.BaseObject),
string(ldapServer.SearchRequests[0].BaseObject),
)
}
if !reflect.DeepEqual(expectedSearchRequest.Filter, ldapServer.SearchRequests[0].Filter) {
t.Errorf("Expected search filter\n\t%#v\ngot\n\t%#v",
string(expectedSearchRequest.Filter),
string(ldapServer.SearchRequests[0].Filter),
)
}
{
expectedAttrs := []string{}
for _, a := range expectedSearchRequest.Attributes {
expectedAttrs = append(expectedAttrs, string(a))
}
actualAttrs := []string{}
for _, a := range ldapServer.SearchRequests[0].Attributes {
actualAttrs = append(actualAttrs, string(a))
}
if !reflect.DeepEqual(expectedAttrs, actualAttrs) {
t.Errorf("Expected search attributes\n\t%#v\ngot\n\t%#v", expectedAttrs, actualAttrs)
}
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != myUserUID {
t.Fatalf("Expected %s as the user, got %v", myUserUID, user)
}
// Make sure the identity got created and contained the mapped attributes
identity, err := clusterAdminClient.Identities().Get(fmt.Sprintf("%s:%s", providerName, myUserDN))
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if identity.ProviderUserName != myUserDN {
t.Error("Expected %q, got %q", myUserDN, identity.ProviderUserName)
}
if v := identity.Extra[authapi.IdentityDisplayNameKey]; v != myUserName {
t.Error("Expected %q, got %q", myUserName, v)
}
if v := identity.Extra[authapi.IdentityPreferredUsernameKey]; v != myUserUID {
t.Error("Expected %q, got %q", myUserUID, v)
}
if v := identity.Extra[authapi.IdentityEmailKey]; v != myUserEmail {
t.Error("Expected %q, got %q", myUserEmail, v)
}
}
func TestOAuthRequestHeader(t *testing.T) {
// Write cert we're going to use to verify OAuth requestheader requests
caFile, err := ioutil.TempFile("", "test.crt")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer os.Remove(caFile.Name())
if err := ioutil.WriteFile(caFile.Name(), rootCACert, os.FileMode(0600)); err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{
Name: "requestheader",
UseAsChallenger: false,
UseAsLogin: false,
Provider: runtime.EmbeddedObject{
&configapi.RequestHeaderIdentityProvider{
ClientCA: caFile.Name(),
Headers: []string{"My-Remote-User", "SSO-User"},
},
},
}
// Start server
clusterAdminKubeConfig, err := testutil.StartConfiguredMaster(masterOptions)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Use the server and CA info, but no client cert info
anonConfig := kclient.Config{}
anonConfig.Host = clientConfig.Host
anonConfig.CAFile = clientConfig.CAFile
anonConfig.CAData = clientConfig.CAData
// Build the authorize request with the My-Remote-User header
authorizeURL := clientConfig.Host + "/oauth/authorize?client_id=openshift-challenging-client&response_type=token"
req, err := http.NewRequest("GET", authorizeURL, nil)
req.Header.Set("My-Remote-User", "myuser")
// Make the request without cert auth
transport, err := kclient.TransportFor(&anonConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
resp, err := transport.RoundTrip(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
redirect, err := resp.Location()
if err != nil {
t.Fatalf("expected 302 redirect, got error: %v", err)
}
if redirect.Query().Get("error") == "" {
t.Fatalf("expected unsuccessful token request, got redirected to %v", redirect.String())
}
// Use the server and CA info, with cert info
authProxyConfig := anonConfig
authProxyConfig.CertData = clientCert
authProxyConfig.KeyData = clientKey
// Make the request with cert info
transport, err = kclient.TransportFor(&authProxyConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
resp, err = transport.RoundTrip(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
redirect, err = resp.Location()
if err != nil {
t.Fatalf("expected 302 redirect, got error: %v", err)
}
if redirect.Query().Get("error") != "" {
t.Fatalf("expected successful token request, got error %v", redirect.String())
}
// Extract the access_token
// group #0 is everything. #1 #2 #3
accessTokenRedirectRegex := regexp.MustCompile(`(^|&)access_token=([^&]+)($|&)`)
accessToken := ""
if matches := accessTokenRedirectRegex.FindStringSubmatch(redirect.Fragment); matches != nil {
accessToken = matches[2]
}
if accessToken == "" {
t.Fatalf("Expected access token, got %s", redirect.String())
}
// Make sure we can use the token, and it represents who we expect
userConfig := anonConfig
userConfig.BearerToken = accessToken
userClient, err := client.New(&userConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
user, err := userClient.Users().Get("~")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if user.Name != "myuser" {
t.Fatalf("Expected myuser as the user, got %v", user)
}
}