Merge pull request #38512 from deads2k/fed-11-fix-client-cert-termination

Automatic merge from submit-queue fix client cert handling for delegate authn Builds on https://github.com/kubernetes/kubernetes/pull/38409. The client cert wasn't presented by the API server, so tools didn't send it. These will start getting caught as we add usage into e2e. Once we split genericapiserver out, we can have a different style integration test that hits these too.
2016-12-12 08:01:22 -08:00
parent b6f466ac61 bae26c2030
commit 492f8d412f
16 changed files with 610 additions and 193 deletions
--- a/pkg/genericapiserver/config.go
+++ b/pkg/genericapiserver/config.go
@@ -316,9 +316,28 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
 		return c, nil
 	}

+	var err error
+	if o.ClientCert != nil {
+		c, err = c.applyClientCert(o.ClientCert.ClientCA)
+		if err != nil {
+			return nil, fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+	if o.RequestHeader != nil {
+		c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
+		if err != nil {
+			return nil, fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+
+	c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
+	return c, nil
+}
+
+func (c *Config) applyClientCert(clientCAFile string) (*Config, error) {
 	if c.SecureServingInfo != nil {
-		if o.ClientCert != nil && len(o.ClientCert.ClientCA) > 0 {
-			clientCAs, err := certutil.CertsFromFile(o.ClientCert.ClientCA)
+		if len(clientCAFile) > 0 {
+			clientCAs, err := certutil.CertsFromFile(clientCAFile)
 			if err != nil {
 				return nil, fmt.Errorf("unable to load client CA file: %v", err)
 			}
@@ -329,21 +348,8 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
 				c.SecureServingInfo.ClientCA.AddCert(cert)
 			}
 		}
-		if o.RequestHeader != nil && len(o.RequestHeader.ClientCAFile) > 0 {
-			clientCAs, err := certutil.CertsFromFile(o.RequestHeader.ClientCAFile)
-			if err != nil {
-				return nil, fmt.Errorf("unable to load requestheader client CA file: %v", err)
-			}
-			if c.SecureServingInfo.ClientCA == nil {
-				c.SecureServingInfo.ClientCA = x509.NewCertPool()
-			}
-			for _, cert := range clientCAs {
-				c.SecureServingInfo.ClientCA.AddCert(cert)
-			}
-		}
 	}

-	c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
 	return c, nil
 }

@@ -352,6 +358,16 @@ func (c *Config) ApplyDelegatingAuthenticationOptions(o *options.DelegatingAuthe
 		return c, nil
 	}

+	var err error
+	c, err = c.applyClientCert(o.ClientCert.ClientCA)
+	if err != nil {
+		return nil, fmt.Errorf("unable to load client CA file: %v", err)
+	}
+	c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
+	if err != nil {
+		return nil, fmt.Errorf("unable to load client CA file: %v", err)
+	}
+
 	cfg, err := o.ToAuthenticationConfig()
 	if err != nil {
 		return nil, err