Use the Upstream header for scope impersonation

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

pkg/cmd/server/origin/handlers.go

@@ -24,7 +24,6 @@ import (
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
-	authenticationapi "github.com/openshift/origin/pkg/oauthserver/api"
 )
 
 // cacheExcludedPaths is small and simple until the handlers include the cache headers they need
@@ -155,10 +154,12 @@ func (c *MasterConfig) versionSkewFilter(handler http.Handler, contextMapper api
 	})
 }
 
+const legacyImpersonateUserScopeHeader = "Impersonate-User-Scope"
+
 // translateLegacyScopeImpersonation is a filter that will translates user scope impersonation for openshift into the equivalent kube headers.
 func translateLegacyScopeImpersonation(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		for _, scope := range req.Header[authenticationapi.ImpersonateUserScopeHeader] {
+		for _, scope := range req.Header[legacyImpersonateUserScopeHeader] {
 			req.Header[authenticationv1.ImpersonateUserExtraHeaderPrefix+authorizationapi.ScopesKey] =
 				append(req.Header[authenticationv1.ImpersonateUserExtraHeaderPrefix+authorizationapi.ScopesKey], scope)
 		}

pkg/oauthserver/api/types.go

@@ -13,8 +13,6 @@ const (
 	// This is useful when the immutable providerUserName is different than the login used to authenticate
 	// If present, this extra value is used as the preferred username
 	IdentityPreferredUsernameKey = "preferred_username"
-
-	ImpersonateUserScopeHeader = "Impersonate-User-Scope"
 )
 
 // UserIdentityInfo contains information about an identity.  Identities are distinct from users.  An authentication server of

pkg/oauthserver/client/impersonate.go

@@ -13,9 +13,11 @@ import (
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	authenticationapi "github.com/openshift/origin/pkg/oauthserver/api"
 )
 
+const legacyImpersonateUserScopeHeader = "Impersonate-User-Scope"
+const impersonateUserExtraPlusScopesHeader = authenticationv1.ImpersonateUserExtraHeaderPrefix + authorizationapi.ScopesKey
+
 type impersonatingRoundTripper struct {
 	user     user.Info
 	delegate http.RoundTripper
@@ -30,14 +32,16 @@ func (rt *impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Respons
 	req = utilnet.CloneRequest(req)
 	req.Header.Del(authenticationv1.ImpersonateUserHeader)
 	req.Header.Del(authenticationv1.ImpersonateGroupHeader)
-	req.Header.Del(authenticationapi.ImpersonateUserScopeHeader)
+	req.Header.Del(impersonateUserExtraPlusScopesHeader)
+	// Also delete legacy scope header just in case it was set
+	req.Header.Del(legacyImpersonateUserScopeHeader)
 
 	req.Header.Set(authenticationv1.ImpersonateUserHeader, rt.user.GetName())
 	for _, group := range rt.user.GetGroups() {
 		req.Header.Add(authenticationv1.ImpersonateGroupHeader, group)
 	}
 	for _, scope := range rt.user.GetExtra()[authorizationapi.ScopesKey] {
-		req.Header.Add(authenticationapi.ImpersonateUserScopeHeader, scope)
+		req.Header.Add(impersonateUserExtraPlusScopesHeader, scope)
 	}
 	return rt.delegate.RoundTrip(req)
 }
@@ -71,7 +75,7 @@ func NewImpersonatingRESTClient(user user.Info, client restclient.Interface) res
 func (c impersonatingRESTClient) impersonate(req *restclient.Request) *restclient.Request {
 	req.SetHeader(authenticationv1.ImpersonateUserHeader, c.user.GetName())
 	req.SetHeader(authenticationv1.ImpersonateGroupHeader, c.user.GetGroups()...)
-	req.SetHeader(authenticationapi.ImpersonateUserScopeHeader, c.user.GetExtra()[authorizationapi.ScopesKey]...)
+	req.SetHeader(impersonateUserExtraPlusScopesHeader, c.user.GetExtra()[authorizationapi.ScopesKey]...)
 	return req
 }
 

test/integration/scopes_test.go

@@ -10,12 +10,12 @@ import (
 	"k8s.io/client-go/rest"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
 	buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset"
 	oauthapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
 	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
-	authenticationapi "github.com/openshift/origin/pkg/oauthserver/api"
 	"github.com/openshift/origin/pkg/oauthserver/oauthserver"
 	userapi "github.com/openshift/origin/pkg/user/apis/user"
 	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
@@ -107,7 +107,7 @@ func TestScopedImpersonation(t *testing.T) {
 
 	err = clusterAdminBuildClient.Build().RESTClient().Get().
 		SetHeader(authenticationv1.ImpersonateUserHeader, "harold").
-		SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
+		SetHeader(authenticationv1.ImpersonateUserExtraHeaderPrefix+authorizationapi.ScopesKey, "user:info").
 		Namespace(projectName).Resource("builds").Name("name").Do().Into(&buildapi.Build{})
 	if !kapierrors.IsForbidden(err) {
 		t.Fatalf("unexpected error: %v", err)
@@ -116,7 +116,7 @@ func TestScopedImpersonation(t *testing.T) {
 	user := &userapi.User{}
 	err = userclient.NewForConfigOrDie(clusterAdminClientConfig).RESTClient().Get().
 		SetHeader(authenticationv1.ImpersonateUserHeader, "harold").
-		SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
+		SetHeader(authenticationv1.ImpersonateUserExtraHeaderPrefix+authorizationapi.ScopesKey, "user:info").
 		Resource("users").Name("~").Do().Into(user)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)