var _ = Describe("DiegoProxyAuthenticator", func() { var ( logger *lagertest.TestLogger credentials []byte permissionsBuilder *fake_authenticators.FakePermissionsBuilder authenticator *authenticators.DiegoProxyAuthenticator metadata *fake_ssh.FakeConnMetadata ) BeforeEach(func() { logger = lagertest.NewTestLogger("test") credentials = []byte("some-user:some-password") permissionsBuilder = &fake_authenticators.FakePermissionsBuilder{} permissionsBuilder.BuildReturns(&ssh.Permissions{}, nil) authenticator = authenticators.NewDiegoProxyAuthenticator(logger, credentials, permissionsBuilder) metadata = &fake_ssh.FakeConnMetadata{} }) Describe("Authenticate", func() { var ( permissions *ssh.Permissions password []byte authErr error ) BeforeEach(func() { permissions = nil password = []byte{} })
func configureProxy(logger lager.Logger) (*ssh.ServerConfig, error) { if *bbsAddress == "" { err := errors.New("bbsAddress is required") logger.Fatal("bbs-address-required", err) } url, err := url.Parse(*bbsAddress) if err != nil { logger.Fatal("failed-to-parse-bbs-address", err) } bbsClient := initializeBBSClient(logger) permissionsBuilder := authenticators.NewPermissionsBuiler(bbsClient) authens := []authenticators.PasswordAuthenticator{} if *enableDiegoAuth { diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, []byte(*diegoCredentials), permissionsBuilder) authens = append(authens, diegoAuthenticator) } if *enableCFAuth { if *ccAPIURL == "" { return nil, errors.New("ccAPIURL is required for Cloud Foundry authentication") } _, err = url.Parse(*ccAPIURL) if *ccAPIURL != "" && err != nil { return nil, err } if *uaaPassword == "" { return nil, errors.New("UAA password is required for Cloud Foundry authentication") } if *uaaUsername == "" { return nil, errors.New("UAA username is required for Cloud Foundry authentication") } if *uaaTokenURL == "" { return nil, errors.New("uaaTokenURL is required for Cloud Foundry authentication") } _, err = url.Parse(*uaaTokenURL) if *uaaTokenURL != "" && err != nil { return nil, err } client := NewHttpClient() cfAuthenticator := authenticators.NewCFAuthenticator( logger, client, *ccAPIURL, *uaaTokenURL, *uaaUsername, *uaaPassword, permissionsBuilder, ) authens = append(authens, cfAuthenticator) } authenticator := authenticators.NewCompositeAuthenticator(authens...) sshConfig := &ssh.ServerConfig{ PasswordCallback: authenticator.Authenticate, AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) { logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()}) }, } if *hostKey == "" { err := errors.New("hostKey is required") logger.Fatal("host-key-required", err) } key, err := parsePrivateKey(logger, *hostKey) if err != nil { logger.Fatal("failed-to-parse-host-key", err) } sshConfig.AddHostKey(key) return sshConfig, err }
func configure(logger lager.Logger) (*ssh.ServerConfig, error) { cf_http.Initialize(*communicationTimeout) if *diegoAPIURL == "" { err := errors.New("diegoAPIURL is required") logger.Fatal("diego-api-url-required", err) } url, err := url.Parse(*diegoAPIURL) if err != nil { logger.Fatal("failed-to-parse-diego-api-url", err) } _, err = url.Parse(*ccAPIURL) if *ccAPIURL != "" && err != nil { logger.Fatal("failed-to-parse-cc-api-url", err) } var diegoCreds string if url.User != nil { diegoCreds = url.User.String() } receptorClient := receptor.NewClient(*diegoAPIURL) authenticatorMap := map[string]authenticators.PasswordAuthenticator{} if *enableDiegoAuth { diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, receptorClient, []byte(diegoCreds)) authenticatorMap[diegoAuthenticator.Realm()] = diegoAuthenticator } if *ccAPIURL != "" && *enableCFAuth { ccClient := cf_http.NewClient() cfAuthenticator := authenticators.NewCFAuthenticator(logger, ccClient, *ccAPIURL, receptorClient) authenticatorMap[cfAuthenticator.Realm()] = cfAuthenticator } authenticator := authenticators.NewCompositeAuthenticator(authenticatorMap) sshConfig := &ssh.ServerConfig{ PasswordCallback: authenticator.Authenticate, AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) { logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()}) }, } if *hostKey == "" { err := errors.New("hostKey is required") logger.Fatal("host-key-required", err) } key, err := parsePrivateKey(logger, *hostKey) if err != nil { logger.Fatal("failed-to-parse-host-key", err) } sshConfig.AddHostKey(key) return sshConfig, err }
actualLrpResponse = receptor.ActualLRPResponse{ ProcessGuid: "some-guid", Index: 0, InstanceGuid: "some-instance-guid", Address: "1.2.3.4", Ports: []receptor.PortMapping{ {ContainerPort: 1111, HostPort: 3333}, }, } receptorClient.ActualLRPByProcessGuidAndIndexReturns(actualLrpResponse, nil) receptorClient.GetDesiredLRPReturns(desiredLRPResponse, nil) logger = lagertest.NewTestLogger("test") receptorCreds = []byte("receptor-user:receptor-password") authenticator = authenticators.NewDiegoProxyAuthenticator(logger, receptorClient, receptorCreds) metadata = &fake_ssh.FakeConnMetadata{} }) Describe("Authenticate", func() { var ( permissions *ssh.Permissions password []byte authErr error ) BeforeEach(func() { ipAddr, err := net.ResolveIPAddr("ip", "1.1.1.1") Expect(err).NotTo(HaveOccurred()) metadata.RemoteAddrReturns(ipAddr)