forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathauth_proxy_test.go
125 lines (106 loc) · 4.52 KB
/
auth_proxy_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
package integration
import (
"errors"
"net/http"
"net/http/httptest"
"net/url"
"testing"
kapi "k8s.io/kubernetes/pkg/api"
ktransport "k8s.io/kubernetes/pkg/client/transport"
configapi "github.com/openshift/origin/pkg/cmd/server/api"
"github.com/openshift/origin/pkg/cmd/server/origin"
oauthapi "github.com/openshift/origin/pkg/oauth/api"
testutil "github.com/openshift/origin/test/util"
testserver "github.com/openshift/origin/test/util/server"
)
var (
validUsers = []User{
{ID: "sanefarmer", Password: "who?", Name: "Sane Farmer", Email: "[email protected]"},
{ID: "unsightlycook", Password: "what?", Name: "Unsightly Cook", Email: "[email protected]"},
{ID: "novelresearcher", Password: "why?", Name: "Novel Researcher", Email: "[email protected]"},
}
)
func TestAuthProxyOnAuthorize(t *testing.T) {
idp := configapi.IdentityProvider{}
idp.Name = "front-proxy"
idp.Provider = &configapi.RequestHeaderIdentityProvider{Headers: []string{"X-Remote-User"}}
idp.MappingMethod = "claim"
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatal(err)
}
masterConfig.OAuthConfig.IdentityProviders = []configapi.IdentityProvider{idp}
clusterAdminKubeConfig, err := testserver.StartConfiguredMasterAPI(masterConfig)
if err != nil {
t.Fatal(err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
// set up a front proxy guarding the oauth server
proxyHTTPHandler := NewBasicAuthChallenger("TestRegistryAndServer", validUsers, NewXRemoteUserProxyingHandler(clusterAdminClientConfig.Host))
proxyServer := httptest.NewServer(proxyHTTPHandler)
defer proxyServer.Close()
t.Logf("proxy server is on %v\n", proxyServer.URL)
// need to prime clients so that we can get back a code. the client must be valid
result := clusterAdminClient.RESTClient.Post().Resource("oAuthClients").Body(&oauthapi.OAuthClient{ObjectMeta: kapi.ObjectMeta{Name: "test"}, Secret: "secret", RedirectURIs: []string{clusterAdminClientConfig.Host}}).Do()
if result.Error() != nil {
t.Fatal(result.Error())
}
// our simple URL to get back a code. We want to go through the front proxy
rawAuthorizeRequest := proxyServer.URL + origin.OpenShiftOAuthAPIPrefix + "/authorize?response_type=code&client_id=test"
// the first request we make to the front proxy should challenge us for authentication info
shouldBeAChallengeResponse, err := http.Get(rawAuthorizeRequest)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if shouldBeAChallengeResponse.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected Unauthorized, but got %v", shouldBeAChallengeResponse.StatusCode)
}
// create an http.Client to make our next request. We need a custom Transport to authenticate us through our front proxy
// and a custom CheckRedirect so that we can keep track of the redirect responses we're getting
// OAuth requests a few redirects that we don't really care about checking, so this simpler than using a round tripper
// and manually handling redirects and setting our auth information every time for the front proxy
redirectedUrls := make([]url.URL, 10)
httpClient := http.Client{
CheckRedirect: getRedirectMethod(t, &redirectedUrls),
Transport: ktransport.NewBasicAuthRoundTripper("sanefarmer", "who?", insecureTransport()),
}
// make our authorize request again, but this time our transport has properly set the auth info for the front proxy
req, err := http.NewRequest("GET", rawAuthorizeRequest, nil)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
_, err = httpClient.Do(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// check the last redirect and see if we got a code
foundCode := ""
if len(redirectedUrls) > 0 {
foundCode = redirectedUrls[len(redirectedUrls)-1].Query().Get("code")
}
if len(foundCode) == 0 {
t.Errorf("Did not find code in any redirect: %v", redirectedUrls)
} else {
t.Logf("Found code %v\n", foundCode)
}
}
type checkRedirect func(req *http.Request, via []*http.Request) error
func getRedirectMethod(t *testing.T, redirectRecord *[]url.URL) checkRedirect {
return func(req *http.Request, via []*http.Request) error {
t.Logf("Going to %v\n", req.URL)
*redirectRecord = append(*redirectRecord, *req.URL)
if len(via) >= 10 {
return errors.New("stopped after 10 redirects")
}
return nil
}
}