WIP: integration test

Signed-off-by: Simo Sorce <[email protected]>

test/integration/oauth_external_test.go

@@ -0,0 +1,160 @@
+package integration
+
+import (
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+
+	restclient "k8s.io/client-go/rest"
+	kclientcmd "k8s.io/client-go/tools/clientcmd"
+	kclientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
+	"github.com/openshift/origin/pkg/oc/cli/cmd"
+	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
+	testutil "github.com/openshift/origin/test/util"
+	testserver "github.com/openshift/origin/test/util/server"
+)
+
+func getWellknown(t *testing.T, masterConfig *configapi.MasterConfig, clusterAdminKubeConfig string) []byte {
+	transport, err := anonymousHttpTransport(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	req, err := http.NewRequest("GET", masterConfig.OAuthConfig.MasterPublicURL+"/.well-known/oauth-authorization-server", nil)
+	req.Header.Set("Accept", "*/*")
+	resp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("Unexpected error reading the body: %v", err)
+	}
+	if !strings.Contains(string(body), "authorization_endpoint") {
+		t.Fatal("Expected \"authorization_endpoint\" in the body.")
+	}
+
+	return body
+}
+
+// TestWebhookTokenAuthn checks Tokens directly against an external
+// authenticator
+func TestExternalOAuthAuthn(t *testing.T) {
+	authTestUser := "testuser"
+
+	// Start Oauth Cluster
+	upstreamClusterMasterConfig, upstreamClusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer testserver.CleanupMasterEtcd(t, upstreamClusterMasterConfig)
+
+	// GET .wellknown oauth metadata
+	oauthMetadataFile, err := ioutil.TempFile("", "metadata.config")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer os.Remove(oauthMetadataFile.Name())
+	oauthMetadata := getWellknown(t, upstreamClusterMasterConfig, upstreamClusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	oauthMetadataFile.Write(oauthMetadata)
+	oauthMetadataFile.Sync()
+	oauthMetadataFile.Close()
+
+	// Write cert we're going to use to verify auth server requests
+	caFile, err := ioutil.TempFile("", "test.crt")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer os.Remove(caFile.Name())
+	if err := ioutil.WriteFile(caFile.Name(), authLocalhostCert, os.FileMode(0600)); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	authConfigFile, err := ioutil.TempFile("", "test.cfg")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer os.Remove(authConfigFile.Name())
+	authConfigObj := kclientcmdapi.Config{
+		Clusters: map[string]*kclientcmdapi.Cluster{
+			"authService": {
+				CertificateAuthority: upstreamClusterMasterConfig.ServingInfo.ClientCA,
+				Server:               upstreamClusterMasterConfig.OAuthConfig.MasterPublicURL + "/authenticate",
+			},
+		},
+		AuthInfos: map[string]*kclientcmdapi.AuthInfo{
+			"apiServer": {
+				ClientCertificate: upstreamClusterMasterConfig.ServingInfo.ServerCert.CertFile,
+				ClientKey:         upstreamClusterMasterConfig.ServingInfo.ServerCert.KeyFile,
+			},
+		},
+		CurrentContext: "webhook",
+		Contexts: map[string]*kclientcmdapi.Context{
+			"webhook": {
+				Cluster:  "authService",
+				AuthInfo: "apiServer",
+			},
+		},
+	}
+	if err := kclientcmd.WriteToFile(authConfigObj, authConfigFile.Name()); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Get master config
+	masterOptions, err := testserver.DefaultMasterOptions()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer testserver.CleanupMasterEtcd(t, masterOptions)
+
+	masterOptions.AuthConfig.WebhookTokenAuthenticators = []configapi.WebhookTokenAuthenticator{
+		{
+			ConfigFile: authConfigFile.Name(),
+			CacheTTL:   "10s",
+		},
+	}
+	masterOptions.OAuthConfig = nil
+	masterOptions.ExternalOAuthConfig = &configapi.ExternalOAuthConfig{
+		MetadataFile:    oauthMetadataFile.Name(),
+		MasterPublicURL: masterOptions.MasterPublicURL,
+		AssetPublicURL:  masterOptions.MasterPublicURL + "/console/",
+	}
+
+	// Start server
+	clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Try to authenticate with a token that can be validated only by our
+	// external token reviewer
+	userConfig := restclient.AnonymousClientConfig(clientConfig)
+
+	userClient, err := userclient.NewForConfig(userConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	userWhoamiOptions := cmd.WhoAmIOptions{UserInterface: userClient.Users(), Out: ioutil.Discard}
+	retrievedUser, err := userWhoamiOptions.WhoAmI()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if retrievedUser.Name != authTestUser {
+		t.Errorf("expected username %v, got %v", authTestUser, retrievedUser.Name)
+	}
+}