Merge pull request #16520 from liggitt/oauth-code-expiration

openshift-merge-robot · web-flow · commit 11e88a482a59 · 2017-09-24T06:36:10.000-07:00
Automatic merge from submit-queue Set access token expiration correctly for code and implicit flows The expiration was only being set during the authorization request, which meant it was only set for implicit flow access tokens, and was incorrectly set on authorization tokens. Fixed up and added tests for both flows Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493903
diff --git a/pkg/auth/oauth/handlers/authenticator.go b/pkg/auth/oauth/handlers/authenticator.go
@@ -46,9 +46,12 @@ func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, resp
 	ar.UserData = info
 	ar.Authorized = true
 
-	if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {
-		if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {
-			ar.Expiration = *maxAge
+	// If requesting a token directly, optionally override the expiration
+	if ar.Type == osin.TOKEN {
+		if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {
+			if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {
+				ar.Expiration = *maxAge
+			}
 		}
 	}
 
@@ -101,7 +104,14 @@ func (h *AccessAuthenticator) HandleAccess(ar *osin.AccessRequest, w http.Respon
 		if info != nil {
 			ar.AccessData.UserData = info
 		}
+
+		if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {
+			if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {
+				ar.Expiration = *maxAge
+			}
+		}
 	}
+
 	return nil
 }
 
diff --git a/pkg/client/oauthauthorizetoken.go b/pkg/client/oauthauthorizetoken.go
@@ -1,6 +1,9 @@
 package client
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kapi "k8s.io/kubernetes/pkg/api"
+
 	oauthapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
 )
 
@@ -10,6 +13,7 @@ type OAuthAuthorizeTokensInterface interface {
 
 type OAuthAuthorizeTokenInterface interface {
 	Create(token *oauthapi.OAuthAuthorizeToken) (*oauthapi.OAuthAuthorizeToken, error)
+	Get(name string, options metav1.GetOptions) (*oauthapi.OAuthAuthorizeToken, error)
 	Delete(name string) error
 }
 
@@ -33,3 +37,9 @@ func (c *oauthAuthorizeTokenInterface) Create(token *oauthapi.OAuthAuthorizeToke
 	err = c.r.Post().Resource("oauthauthorizetokens").Body(token).Do().Into(result)
 	return
 }
+
+func (c *oauthAuthorizeTokenInterface) Get(name string, options metav1.GetOptions) (result *oauthapi.OAuthAuthorizeToken, err error) {
+	result = &oauthapi.OAuthAuthorizeToken{}
+	err = c.r.Get().Resource("oauthauthorizetokens").Name(name).VersionedParams(&options, kapi.ParameterCodec).Do().Into(result)
+	return
+}
diff --git a/pkg/client/testclient/fake_oauthauthorizetoken.go b/pkg/client/testclient/fake_oauthauthorizetoken.go
@@ -1,6 +1,7 @@
 package testclient
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	clientgotesting "k8s.io/client-go/testing"
 
@@ -26,3 +27,12 @@ func (c *FakeOAuthAuthorizeTokens) Create(inObj *oauthapi.OAuthAuthorizeToken) (
 
 	return obj.(*oauthapi.OAuthAuthorizeToken), err
 }
+
+func (c *FakeOAuthAuthorizeTokens) Get(name string, options metav1.GetOptions) (*oauthapi.OAuthAuthorizeToken, error) {
+	obj, err := c.Fake.Invokes(clientgotesting.NewRootGetAction(oAuthAuthorizeTokensResource, name), &oauthapi.OAuthAuthorizeToken{})
+	if obj == nil {
+		return nil, err
+	}
+
+	return obj.(*oauthapi.OAuthAuthorizeToken), err
+}
diff --git a/test/integration/oauth_expiration_test.go b/test/integration/oauth_expiration_test.go
@@ -1,9 +1,12 @@
 package integration
 
 import (
+	"net/http"
 	"testing"
 	"time"
 
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -43,7 +46,7 @@ func TestOAuthExpiration(t *testing.T) {
 
 	{
 		zero := int32(0)
-		nonexpiring, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{
+		client, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{
 			ObjectMeta:               metav1.ObjectMeta{Name: "nonexpiring"},
 			RespondWithChallenges:    true,
 			RedirectURIs:             []string{"http://localhost"},
@@ -54,22 +57,59 @@ func TestOAuthExpiration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		nonExpiringTokenOpts := tokencmd.NewRequestTokenOptions(anonConfig, nil, "username", "password")
-		nonExpiringTokenOpts.ClientID = nonexpiring.Name
-		nonexpiringToken, err := nonExpiringTokenOpts.RequestToken()
+		testExpiringOAuthFlows(t, clusterAdminClient, client, anonConfig, 0)
+	}
+
+	{
+		ten := int32(10)
+		client, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{
+			ObjectMeta:               metav1.ObjectMeta{Name: "shortexpiring"},
+			RespondWithChallenges:    true,
+			RedirectURIs:             []string{"http://localhost"},
+			AccessTokenMaxAgeSeconds: &ten,
+			GrantMethod:              oauthapi.GrantHandlerAuto,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		token := testExpiringOAuthFlows(t, clusterAdminClient, client, anonConfig, 10)
+
+		// Ensure the token goes away after the time expiration
+		if err := wait.Poll(1*time.Second, time.Minute, func() (bool, error) {
+			_, err := clusterAdminClient.OAuthAccessTokens().Get(token, metav1.GetOptions{})
+			if errors.IsNotFound(err) {
+				return true, nil
+			}
+			if err != nil {
+				return false, err
+			}
+			return false, nil
+		}); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+func testExpiringOAuthFlows(t *testing.T, clusterAdminClient *client.Client, oauthclient *oauthapi.OAuthClient, anonConfig *restclient.Config, expectedExpires int) string {
+
+	{
+		tokenOpts := tokencmd.NewRequestTokenOptions(anonConfig, nil, "username", "password")
+		tokenOpts.ClientID = oauthclient.Name
+		token, err := tokenOpts.RequestToken()
 		if err != nil {
 			t.Fatal(err)
 		}
 
 		// Make sure we can use the token, and it represents who we expect
-		nonExpiringUserConfig := *anonConfig
-		nonExpiringUserConfig.BearerToken = nonexpiringToken
-		nonExpiringUserClient, err := client.New(&nonExpiringUserConfig)
+		userConfig := *anonConfig
+		userConfig.BearerToken = token
+		userClient, err := client.New(&userConfig)
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err)
 		}
 
-		user, err := nonExpiringUserClient.Users().Get("~", metav1.GetOptions{})
+		user, err := userClient.Users().Get("~", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err)
 		}
@@ -78,63 +118,96 @@ func TestOAuthExpiration(t *testing.T) {
 		}
 
 		// Make sure the token exists with the overridden time
-		tokenObj, err := clusterAdminClient.OAuthAccessTokens().Get(nonexpiringToken, metav1.GetOptions{})
+		tokenObj, err := clusterAdminClient.OAuthAccessTokens().Get(token, metav1.GetOptions{})
 		if err != nil {
 			t.Fatal(err)
 		}
-		if tokenObj.ExpiresIn != 0 {
-			t.Fatalf("Expected expiration of 0, got %#v", tokenObj.ExpiresIn)
+		if tokenObj.ExpiresIn != int64(expectedExpires) {
+			t.Fatalf("Expected expiration of %d, got %#v", expectedExpires, tokenObj.ExpiresIn)
 		}
 	}
 
 	{
-		ten := int32(10)
-		shortexpiring, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{
-			ObjectMeta:               metav1.ObjectMeta{Name: "shortexpiring"},
-			RespondWithChallenges:    true,
-			RedirectURIs:             []string{"http://localhost"},
-			AccessTokenMaxAgeSeconds: &ten,
-			GrantMethod:              oauthapi.GrantHandlerAuto,
-		})
+		rt, err := restclient.TransportFor(anonConfig)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		conf := &oauth2.Config{
+			ClientID:     oauthclient.Name,
+			ClientSecret: oauthclient.Secret,
+			RedirectURL:  oauthclient.RedirectURIs[0],
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  anonConfig.Host + "/oauth/authorize",
+				TokenURL: anonConfig.Host + "/oauth/token",
+			},
+		}
+
+		// get code
+		req, err := http.NewRequest("GET", conf.AuthCodeURL(""), nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req.SetBasicAuth("username", "password")
+		resp, err := rt.RoundTrip(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp.StatusCode != http.StatusFound {
+			t.Fatalf("unexpected status %v", resp.StatusCode)
+		}
+		location, err := resp.Location()
+		if err != nil {
+			t.Fatal(err)
+		}
+		code := location.Query().Get("code")
+		if len(code) == 0 {
+			t.Fatalf("Unexpected response: %v", location)
+		}
+
+		// Make sure the code exists with the default time
+		codeObj, err := clusterAdminClient.OAuthAuthorizeTokens().Get(code, metav1.GetOptions{})
 		if err != nil {
 			t.Fatal(err)
 		}
+		if codeObj.ExpiresIn != (5 * 60) {
+			t.Fatalf("Expected expiration of %d, got %#v", (5 * 60), codeObj.ExpiresIn)
+		}
 
-		expiringTokenOpts := tokencmd.NewRequestTokenOptions(anonConfig, nil, "username", "password")
-		expiringTokenOpts.ClientID = shortexpiring.Name
-		expiringToken, err := expiringTokenOpts.RequestToken()
+		// Use the custom HTTP client when requesting a token.
+		httpClient := &http.Client{Transport: rt}
+		ctx := context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)
+		oauthToken, err := conf.Exchange(ctx, code)
 		if err != nil {
 			t.Fatal(err)
 		}
+		token := oauthToken.AccessToken
 
 		// Make sure we can use the token, and it represents who we expect
-		expiringUserConfig := *anonConfig
-		expiringUserConfig.BearerToken = expiringToken
-		expiringUserClient, err := client.New(&expiringUserConfig)
+		userConfig := *anonConfig
+		userConfig.BearerToken = token
+		userClient, err := client.New(&userConfig)
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err)
 		}
 
-		user, err := expiringUserClient.Users().Get("~", metav1.GetOptions{})
+		user, err := userClient.Users().Get("~", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err)
 		}
 		if user.Name != "username" {
 			t.Fatalf("Expected username as the user, got %v", user)
 		}
 
-		// Ensure the token goes away after the time expiration
-		if err := wait.Poll(1*time.Second, time.Minute, func() (bool, error) {
-			_, err := clusterAdminClient.OAuthAccessTokens().Get(expiringToken, metav1.GetOptions{})
-			if errors.IsNotFound(err) {
-				return true, nil
-			}
-			if err != nil {
-				return false, err
-			}
-			return false, nil
-		}); err != nil {
+		// Make sure the token exists with the overridden time
+		tokenObj, err := clusterAdminClient.OAuthAccessTokens().Get(token, metav1.GetOptions{})
+		if err != nil {
 			t.Fatal(err)
 		}
+		if tokenObj.ExpiresIn != int64(expectedExpires) {
+			t.Fatalf("Expected expiration of %d, got %#v", expectedExpires, tokenObj.ExpiresIn)
+		}
+
+		return token
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -46,9 +46,12 @@ func (h AuthorizeAuthenticator) HandleAuthorize(ar osin.AuthorizeRequest, resp`
`46`	`46`	`ar.UserData = info`
`47`	`47`	`ar.Authorized = true`
`48`	`48`
`49`		`- if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {`
`50`		`- if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {`
`51`		`- ar.Expiration = *maxAge`
	`49`	`+ // If requesting a token directly, optionally override the expiration`
	`50`	`+ if ar.Type == osin.TOKEN {`
	`51`	`+ if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {`
	`52`	`+ if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {`
	`53`	`+ ar.Expiration = *maxAge`
	`54`	`+ }`
`52`	`55`	`}`
`53`	`56`	`}`
`54`	`57`
`@@ -101,7 +104,14 @@ func (h AccessAuthenticator) HandleAccess(ar osin.AccessRequest, w http.Respon`
`101`	`104`	`if info != nil {`
`102`	`105`	`ar.AccessData.UserData = info`
`103`	`106`	`}`
	`107`	`+`
	`108`	`+ if e, ok := ar.Client.(TokenMaxAgeSeconds); ok {`
	`109`	`+ if maxAge := e.GetTokenMaxAgeSeconds(); maxAge != nil {`
	`110`	`+ ar.Expiration = *maxAge`
	`111`	`+ }`
	`112`	`+ }`
`104`	`113`	`}`
	`114`	`+`
`105`	`115`	`return nil`
`106`	`116`	`}`
`107`	`117`