// Do watches for unauthorized challenges. If we know to respond, we respond to the challenge
func (client *challengingClient) Do(req *http.Request) (*http.Response, error) {
// Set custom header required by server to avoid CSRF attacks on browsers using basic auth
if req.Header == nil {
req.Header = http.Header{}
}
req.Header.Set(CSRFTokenHeader, "1")
resp, err := client.delegate.Do(req)
if err != nil {
return nil, err
}
if resp.StatusCode == http.StatusUnauthorized {
if wantsBasicAuth, realm := isBasicAuthChallenge(resp); wantsBasicAuth {
username := client.defaultUsername
password := client.defaultPassword
missingUsername := len(username) == 0
missingPassword := len(password) == 0
url := *req.URL
url.Path, url.RawQuery, url.Fragment = "", "", ""
if (missingUsername || missingPassword) && client.reader != nil {
fmt.Printf("Authentication required for %s (%s)\n", &url, realm)
if missingUsername {
username = util.PromptForString(client.reader, "Username: "******"Password: ")
}
}
if len(username) > 0 || len(password) > 0 {
client.delegate.Transport = kclient.NewBasicAuthRoundTripper(username, password, client.delegate.Transport)
return client.delegate.Do(resp.Request)
}
}
}
return resp, err
}
// Negotiate a bearer token with the auth server, or try to reuse one based on the
// information already present. In case of any missing information, ask for user input
// (usually username and password, interactive depending on the Reader).
func (o *LoginOptions) gatherAuthInfo() error {
directClientConfig, err := o.getClientConfig()
if err != nil {
return err
}
// make a copy and use it to avoid mutating the original
t := *directClientConfig
clientConfig := &t
// if a token were explicitly provided, try to use it
if o.tokenProvided() {
clientConfig.BearerToken = o.Token
if osClient, err := client.New(clientConfig); err == nil {
me, err := whoAmI(osClient)
if err == nil {
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using the token provided.\n\n", o.Config.Host, o.Username)
return nil
}
if !kerrors.IsUnauthorized(err) {
return err
}
fmt.Fprintln(o.Out, "The token provided is invalid (probably expired).\n")
}
}
// if a token was provided try to make use of it
// make sure we have a username before continuing
if !o.usernameProvided() {
if cmdutil.IsTerminal(o.Reader) {
for !o.usernameProvided() {
o.Username = cmdutil.PromptForString(o.Reader, "Username: "******"Already logged into %q as %q.\n\n", o.Config.Host, o.Username)
}
return nil
}
}
}
}
}
// if kubeconfig doesn't already have a matching user stanza...
clientConfig.BearerToken = ""
clientConfig.CertData = []byte{}
clientConfig.KeyData = []byte{}
clientConfig.CertFile = o.CertFile
clientConfig.KeyFile = o.KeyFile
token, err := tokencmd.RequestToken(o.Config, o.Reader, o.Username, o.Password)
if err != nil {
return err
}
clientConfig.BearerToken = token
osClient, err := client.New(clientConfig)
if err != nil {
return err
}
me, err := whoAmI(osClient)
if err != nil {
return err
}
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintln(o.Out, "Login successful.\n")
return nil
}
