Keystone authentication plugin

2015-07-23 23:06:14 -07:00
parent c367d3c2e5
commit 937db3f70d
7 changed files with 261 additions and 2 deletions
--- a/plugin/pkg/auth/authenticator/request/keystone/doc.go
+++ b/plugin/pkg/auth/authenticator/request/keystone/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//Package keystone provide authentication via keystone.
+// For details //about keystone and how to use the plugin, refer to
+// https://github.com/GoogleCloudPlatform/kubernetes/blob/oidc/docs/admin/authentication.md
+package keystone
--- a/plugin/pkg/auth/authenticator/request/keystone/keystone.go
+++ b/plugin/pkg/auth/authenticator/request/keystone/keystone.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package keystone
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/golang/glog"
+	"github.com/rackspace/gophercloud"
+	"github.com/rackspace/gophercloud/openstack"
+	"k8s.io/kubernetes/pkg/auth/user"
+)
+
+// Keystone authenticator contacts openstack keystone to validate user's credentials passed in the request.
+// The keystone endpoint is passed during apiserver startup
+type KeystoneAuthenticator struct {
+	authURL string
+}
+
+func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatePassword(username string, password string) (user.Info, bool, error) {
+	opts := gophercloud.AuthOptions{
+		IdentityEndpoint: keystoneAuthenticator.authURL,
+		Username:         username,
+		Password:         password,
+	}
+
+	_, err := openstack.AuthenticatedClient(opts)
+	if err != nil {
+		glog.Info("Failed: Starting openstack authenticate client")
+		return nil, false, errors.New("Failed to authenticate")
+	}
+
+	return &user.DefaultInfo{Name: username}, true, nil
+}
+
+// New returns a request authenticator that validates credentials using openstack keystone
+func NewKeystoneAuthenticator(authURL string) (*KeystoneAuthenticator, error) {
+	if !strings.HasPrefix(authURL, "https") {
+		return nil, errors.New("Auth URL should be secure and start with https")
+	}
+	if authURL == "" {
+		return nil, errors.New("Auth URL is empty")
+	}
+
+	return &KeystoneAuthenticator{authURL}, nil
+}
--- a/plugin/pkg/auth/authenticator/request/keystone/keystone_test.go
+++ b/plugin/pkg/auth/authenticator/request/keystone/keystone_test.go
@@ -0,0 +1,147 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package keystone
+
+import (
+	"encoding/base64"
+	"net/http"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/auth/user"
+	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/basicauth"
+)
+
+type testKeystoneAuthenticator struct {
+	User user.Info
+	OK   bool
+	Err  error
+}
+
+func (osClient *testKeystoneAuthenticator) AuthenticatePassword(username string, password string) (user.Info, bool, error) {
+
+	userPasswordMap := map[string]string{
+		"user1": "password1",
+		"user2": "password2",
+		"user3": "password3",
+		"user4": "password4",
+		"user5": "password5",
+		"user6": "password6",
+		"user7": "password7",
+		"user8": "password8",
+		"user9": "password9",
+	}
+
+	if userPasswordMap[username] == password {
+		return &user.DefaultInfo{Name: username}, true, nil
+	}
+	return nil, false, nil
+}
+
+func TestKeystoneAuth(t *testing.T) {
+
+	testCases := map[string]struct {
+		Header                string
+		keystoneAuthenticator testKeystoneAuthenticator
+
+		ExpectedCalled   bool
+		ExpectedUsername string
+		ExpectedPassword string
+
+		ExpectedUser string
+		ExpectedOK   bool
+		ExpectedErr  bool
+	}{
+		"no header": {
+			Header: "",
+		},
+		"non-basic header": {
+			Header: "Bearer foo",
+		},
+		"empty value basic header": {
+			Header: "Basic",
+		},
+		"whitespace value basic header": {
+			Header: "Basic  ",
+		},
+		"non base-64 basic header": {
+			Header:      "Basic !@#$",
+			ExpectedErr: true,
+		},
+		"malformed basic header": {
+			Header:      "Basic " + base64.StdEncoding.EncodeToString([]byte("user_without_password")),
+			ExpectedErr: true,
+		},
+		"empty password basic header": {
+			Header:     "Basic " + base64.StdEncoding.EncodeToString([]byte("user1:")),
+			ExpectedOK: false,
+		},
+		"valid basic header": {
+			Header:      "Basic " + base64.StdEncoding.EncodeToString([]byte("user1:password1:withcolon")),
+			ExpectedOK:  false,
+			ExpectedErr: false,
+		},
+		"password auth returned user": {
+			Header:           "Basic " + base64.StdEncoding.EncodeToString([]byte("user1:password1")),
+			ExpectedCalled:   true,
+			ExpectedUsername: "user1",
+			ExpectedPassword: "password1",
+			ExpectedOK:       true,
+		},
+		"password auth returned error": {
+			Header:           "Basic " + base64.StdEncoding.EncodeToString([]byte("user1:password2")),
+			ExpectedCalled:   true,
+			ExpectedUsername: "user1",
+			ExpectedPassword: "password1",
+			ExpectedErr:      false,
+			ExpectedOK:       false,
+		},
+	}
+
+	for k, testCase := range testCases {
+
+		ksAuth := testCase.keystoneAuthenticator
+
+		auth := basicauth.New(&ksAuth)
+
+		req, _ := http.NewRequest("GET", "/", nil)
+		if testCase.Header != "" {
+			req.Header.Set("Authorization", testCase.Header)
+		}
+
+		user, ok, err := auth.AuthenticateRequest(req)
+
+		if testCase.ExpectedErr && err == nil {
+			t.Errorf("%s: Expected error, got none", k)
+			continue
+		}
+		if !testCase.ExpectedErr && err != nil {
+			t.Errorf("%s: Did not expect error, got err:%v", k, err)
+			continue
+		}
+		if testCase.ExpectedOK != ok {
+			t.Errorf("%s: Expected ok=%v, got %v", k, testCase.ExpectedOK, ok)
+			continue
+		}
+
+		if testCase.ExpectedOK {
+			if testCase.ExpectedUsername != user.GetName() {
+				t.Errorf("%s: Expected user.name=%v, got %v", k, testCase.ExpectedUsername, user.GetName())
+				continue
+			}
+		}
+	}
+}