Add simple Bearer authenticator filter for Kube

* Default file based implementation * Define some simple interfaces * Add -token_auth_file to apiserver that will start the apiserver with a request filter for tokens
2014-10-01 17:54:11 -04:00
parent 11c2b1ea93
commit c8ef4b8230
10 changed files with 643 additions and 0 deletions
--- a/pkg/auth/authenticator/tokenfile/tokenfile_test.go
+++ b/pkg/auth/authenticator/tokenfile/tokenfile_test.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2014 Google Inc. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tokenfile
+
+import (
+	"io/ioutil"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
+)
+
+func TestTokenFile(t *testing.T) {
+	auth, err := newWithContents(t, `
+token1,user1,uid1
+token2,user2,uid2
+`)
+	if err != nil {
+		t.Fatalf("unable to read tokenfile: %v", err)
+	}
+
+	testCases := []struct {
+		Token string
+		User  *user.DefaultInfo
+		Ok    bool
+		Err   bool
+	}{
+		{
+			Token: "token1",
+			User:  &user.DefaultInfo{Name: "user1", UID: "uid1"},
+			Ok:    true,
+		},
+		{
+			Token: "token2",
+			User:  &user.DefaultInfo{Name: "user2", UID: "uid2"},
+			Ok:    true,
+		},
+		{
+			Token: "token3",
+		},
+		{
+			Token: "token4",
+		},
+	}
+	for i, testCase := range testCases {
+		user, ok, err := auth.AuthenticateToken(testCase.Token)
+		if testCase.User == nil {
+			if user != nil {
+				t.Errorf("%d: unexpected non-nil user %#v", i, user)
+			}
+		} else if !reflect.DeepEqual(testCase.User, user) {
+			t.Errorf("%d: expected user %#v, got %#v", i, testCase.User, user)
+		}
+		if testCase.Ok != ok {
+			t.Errorf("%d: expected auth %f, got %f", i, testCase.Ok, ok)
+		}
+		switch {
+		case err == nil && testCase.Err:
+			t.Errorf("%d: unexpected nil error", i)
+		case err != nil && !testCase.Err:
+			t.Errorf("%d: unexpected error: %v", i, err)
+		}
+	}
+}
+
+func TestBadTokenFile(t *testing.T) {
+	_, err := newWithContents(t, `
+token1,user1,uid1
+token2,user2,uid2
+token3,user3
+token4
+`)
+	if err == nil {
+		t.Fatalf("unexpected non error")
+	}
+}
+
+func TestInsufficientColumnsTokenFile(t *testing.T) {
+	_, err := newWithContents(t, "token4\n")
+	if err == nil {
+		t.Fatalf("unexpected non error")
+	}
+}
+
+func newWithContents(t *testing.T, contents string) (auth *TokenAuthenticator, err error) {
+	f, err := ioutil.TempFile("", "tokenfile_test")
+	if err != nil {
+		t.Fatalf("unexpected error creating tokenfile: %v", err)
+	}
+	f.Close()
+	defer os.Remove(f.Name())
+
+	if err := ioutil.WriteFile(f.Name(), []byte(contents), 0700); err != nil {
+		t.Fatalf("unexpected error writing tokenfile: %v", err)
+	}
+
+	return New(f.Name())
+}