Add integration test for front proxy

Signed-off-by: Monis Khan <[email protected]>

Author: enj

pkg/cmd/server/kubernetes/master_config.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -112,6 +113,17 @@ func BuildDefaultAPIServer(options configapi.MasterConfig) (*apiserveroptions.Se
 	server.GenericServerRunOptions.TLSCertFile = options.ServingInfo.ServerCert.CertFile
 	server.GenericServerRunOptions.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
 	server.GenericServerRunOptions.ClientCAFile = options.ServingInfo.ClientCA
+
+	// TODO this is a terrible hack that should be removed in 1.6
+	if options.AuthConfig.RequestHeader != nil {
+		clientCAFile, err := concatenateFiles("cafrontproxybundle", "\n", options.ServingInfo.ClientCA, options.AuthConfig.RequestHeader.ClientCA)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to create ca bundle temp file: %v", err)
+		}
+		glog.V(2).Infof("temp clientCA bundle file is %s", clientCAFile)
+		server.GenericServerRunOptions.ClientCAFile = clientCAFile
+	}
+
 	server.GenericServerRunOptions.MaxRequestsInFlight = options.ServingInfo.MaxRequestsInFlight
 	server.GenericServerRunOptions.MinRequestTimeout = options.ServingInfo.RequestTimeoutSeconds
 	for _, nc := range options.ServingInfo.NamedCertificates {
@@ -542,3 +554,27 @@ func getAPIResourceConfig(options configapi.MasterConfig) genericapiserver.APIRe
 
 	return resourceConfig
 }
+
+// TODO remove this func in 1.6 when we get rid of the hack above
+func concatenateFiles(prefix, separator string, files ...string) (string, error) {
+	data := []byte{}
+	for _, file := range files {
+		fileBytes, err := ioutil.ReadFile(file)
+		if err != nil {
+			return "", err
+		}
+		data = append(data, fileBytes...)
+		data = append(data, []byte(separator)...)
+	}
+	tmpFile, err := ioutil.TempFile("", prefix)
+	if err != nil {
+		return "", err
+	}
+	if _, err := tmpFile.Write(data); err != nil {
+		return "", err
+	}
+	if err := tmpFile.Close(); err != nil {
+		return "", err
+	}
+	return tmpFile.Name(), nil
+}

pkg/cmd/server/origin/master_config.go

@@ -665,7 +665,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 		authenticators = append(authenticators, certauth)
 	}
 
-	ret := &unionrequest.Authenticator{
+	var ret authenticator.Request = &unionrequest.Authenticator{
 		FailOnError: true,
 		Handlers: []authenticator.Request{
 			// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
@@ -684,9 +684,12 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 			config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,
 		)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
 		}
-		ret.Handlers = append([]authenticator.Request{requestHeaderAuthenticator}, ret.Handlers...)
+		// First try to authenticate with the front proxy
+		// If that fails then gracefully fallthrough to the original authentication chain
+		// Thus failing to authenticate with the front proxy is equivalent to not having the proxy in the authentication chain
+		ret = unionrequest.NewUnionAuthentication(requestHeaderAuthenticator, ret)
 	}
 
 	return ret, nil

test/integration/auth_proxy_test.go

@@ -13,7 +13,6 @@ import (
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	"github.com/openshift/origin/pkg/cmd/server/origin"
 	oauthapi "github.com/openshift/origin/pkg/oauth/api"
-	clientregistry "github.com/openshift/origin/pkg/oauth/registry/oauthclient"
 	testutil "github.com/openshift/origin/test/util"
 	testserver "github.com/openshift/origin/test/util/server"
 )
@@ -90,6 +89,9 @@ func TestAuthProxyOnAuthorize(t *testing.T) {
 
 	// make our authorize request again, but this time our transport has properly set the auth info for the front proxy
 	req, err := http.NewRequest("GET", rawAuthorizeRequest, nil)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
 	_, err = httpClient.Do(req)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
@@ -108,12 +110,6 @@ func TestAuthProxyOnAuthorize(t *testing.T) {
 	}
 }
 
-func createClient(t *testing.T, clientRegistry clientregistry.Registry, client *oauthapi.OAuthClient) {
-	if _, err := clientRegistry.CreateClient(kapi.NewContext(), client); err != nil {
-		t.Errorf("Error creating client: %v due to %v\n", client, err)
-	}
-}
-
 type checkRedirect func(req *http.Request, via []*http.Request) error
 
 func getRedirectMethod(t *testing.T, redirectRecord *[]url.URL) checkRedirect {