Add integration test for front proxy

enj · deads2k · commit 359c3122b962 · 2017-03-02T14:53:00.000-05:00
Signed-off-by: Monis Khan &lt;mkhan@redhat.com&gt;
diff --git a/pkg/cmd/server/kubernetes/master_config.go b/pkg/cmd/server/kubernetes/master_config.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -112,6 +113,17 @@ func BuildDefaultAPIServer(options configapi.MasterConfig) (*apiserveroptions.Se
 	server.GenericServerRunOptions.TLSCertFile = options.ServingInfo.ServerCert.CertFile
 	server.GenericServerRunOptions.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
 	server.GenericServerRunOptions.ClientCAFile = options.ServingInfo.ClientCA
+
+	// TODO this is a terrible hack that should be removed in 1.6
+	if options.AuthConfig.RequestHeader != nil {
+		clientCAFile, err := concatenateFiles("cafrontproxybundle", "\n", options.ServingInfo.ClientCA, options.AuthConfig.RequestHeader.ClientCA)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to create ca bundle temp file: %v", err)
+		}
+		glog.V(2).Infof("temp clientCA bundle file is %s", clientCAFile)
+		server.GenericServerRunOptions.ClientCAFile = clientCAFile
+	}
+
 	server.GenericServerRunOptions.MaxRequestsInFlight = options.ServingInfo.MaxRequestsInFlight
 	server.GenericServerRunOptions.MinRequestTimeout = options.ServingInfo.RequestTimeoutSeconds
 	for _, nc := range options.ServingInfo.NamedCertificates {
@@ -545,3 +557,27 @@ func getAPIResourceConfig(options configapi.MasterConfig) genericapiserver.APIRe
 
 	return resourceConfig
 }
+
+// TODO remove this func in 1.6 when we get rid of the hack above
+func concatenateFiles(prefix, separator string, files ...string) (string, error) {
+	data := []byte{}
+	for _, file := range files {
+		fileBytes, err := ioutil.ReadFile(file)
+		if err != nil {
+			return "", err
+		}
+		data = append(data, fileBytes...)
+		data = append(data, []byte(separator)...)
+	}
+	tmpFile, err := ioutil.TempFile("", prefix)
+	if err != nil {
+		return "", err
+	}
+	if _, err := tmpFile.Write(data); err != nil {
+		return "", err
+	}
+	if err := tmpFile.Close(); err != nil {
+		return "", err
+	}
+	return tmpFile.Name(), nil
+}
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -665,7 +665,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 		authenticators = append(authenticators, certauth)
 	}
 
-	ret := &unionrequest.Authenticator{
+	var ret authenticator.Request = &unionrequest.Authenticator{
 		FailOnError: true,
 		Handlers: []authenticator.Request{
 			// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
@@ -684,7 +684,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 			config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,
 		)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
 		}
 		// First try to authenticate with the front proxy
 		// If that fails then gracefully fallthrough to the original authentication chain
diff --git a/test/integration/auth_proxy_test.go b/test/integration/auth_proxy_test.go
@@ -13,7 +13,6 @@ import (
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	"github.com/openshift/origin/pkg/cmd/server/origin"
 	oauthapi "github.com/openshift/origin/pkg/oauth/api"
-	clientregistry "github.com/openshift/origin/pkg/oauth/registry/oauthclient"
 	testutil "github.com/openshift/origin/test/util"
 	testserver "github.com/openshift/origin/test/util/server"
 )
@@ -90,6 +89,9 @@ func TestAuthProxyOnAuthorize(t *testing.T) {
 
 	// make our authorize request again, but this time our transport has properly set the auth info for the front proxy
 	req, err := http.NewRequest("GET", rawAuthorizeRequest, nil)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
 	_, err = httpClient.Do(req)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
@@ -108,12 +110,6 @@ func TestAuthProxyOnAuthorize(t *testing.T) {
 	}
 }
 
-func createClient(t *testing.T, clientRegistry clientregistry.Registry, client *oauthapi.OAuthClient) {
-	if _, err := clientRegistry.CreateClient(kapi.NewContext(), client); err != nil {
-		t.Errorf("Error creating client: %v due to %v\n", client, err)
-	}
-}
-
 type checkRedirect func(req *http.Request, via []*http.Request) error
 
 func getRedirectMethod(t *testing.T, redirectRecord *[]url.URL) checkRedirect {
diff --git a/test/integration/front_proxy_test.go b/test/integration/front_proxy_test.go

Original file line number	Diff line number	Diff line change
`@@ -665,7 +665,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio`
`665`	`665`	`authenticators = append(authenticators, certauth)`
`666`	`666`	`}`
`667`	`667`
`668`		`- ret := &unionrequest.Authenticator{`
	`668`	`+ var ret authenticator.Request = &unionrequest.Authenticator{`
`669`	`669`	`FailOnError: true,`
`670`	`670`	`Handlers: []authenticator.Request{`
`671`	`671`	`// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user`
`@@ -684,7 +684,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio`
`684`	`684`	`config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,`
`685`	`685`	`)`
`686`	`686`	`if err != nil {`
`687`		`- return nil, err`
	`687`	`+ return nil, fmt.Errorf("Error building front proxy auth config: %v", err)`
`688`	`688`	`}`
`689`	`689`	`// First try to authenticate with the front proxy`
`690`	`690`	`// If that fails then gracefully fallthrough to the original authentication chain`