本文整理汇总了Golang中github.com/openshift/origin/pkg/cmd/util/clientcmd.AnonymousClientConfig函数的典型用法代码示例。如果您正苦于以下问题:Golang AnonymousClientConfig函数的具体用法?Golang AnonymousClientConfig怎么用?Golang AnonymousClientConfig使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了AnonymousClientConfig函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: TestCLIGetToken
func TestCLIGetToken(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
anonymousConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
reader := bytes.NewBufferString("user\npass")
accessToken, err := tokencmd.RequestToken(&anonymousConfig, reader, "", "")
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(accessToken) == 0 {
t.Error("Expected accessToken, but did not get one")
}
clientConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
clientConfig.BearerToken = accessToken
osClient, err := client.New(&clientConfig)
checkErr(t, err)
user, err := osClient.Users().Get("~")
checkErr(t, err)
if user.Name != "user" {
t.Errorf("expected %v, got %v", "user", user.Name)
}
}
示例2: GetScopedClientForUser
func GetScopedClientForUser(adminClient *client.Client, clientConfig restclient.Config, username string, scopes []string) (*client.Client, *kclient.Client, *restclient.Config, error) {
// make sure the user exists
if _, _, _, err := GetClientForUser(clientConfig, username); err != nil {
return nil, nil, nil, err
}
user, err := adminClient.Users().Get(username)
if err != nil {
return nil, nil, nil, err
}
token := &oauthapi.OAuthAccessToken{
ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", username, rand.Int())},
ClientName: origin.OpenShiftCLIClientID,
ExpiresIn: 86400,
Scopes: scopes,
RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit",
UserName: user.Name,
UserUID: string(user.UID),
}
if _, err := adminClient.OAuthAccessTokens().Create(token); err != nil {
return nil, nil, nil, err
}
scopedConfig := clientcmd.AnonymousClientConfig(&clientConfig)
scopedConfig.BearerToken = token.Name
kubeClient, err := kclient.New(&scopedConfig)
if err != nil {
return nil, nil, nil, err
}
osClient, err := client.New(&scopedConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClient, &scopedConfig, nil
}
示例3: NewAuthenticator
// NewAuthenticator authenticates by fetching users/~ using the provided token as a bearer token
func NewAuthenticator(anonymousConfig kclient.Config) (*Authenticator, error) {
// Ensure credentials are removed from the anonymous config
anonymousConfig = clientcmd.AnonymousClientConfig(anonymousConfig)
return &Authenticator{
anonymousConfig: anonymousConfig,
}, nil
}
示例4: GetClientForServiceAccount
func GetClientForServiceAccount(adminClient *kclientset.Clientset, clientConfig restclient.Config, namespace, name string) (*client.Client, *kclientset.Clientset, *restclient.Config, error) {
_, err := adminClient.Core().Namespaces().Create(&kapi.Namespace{ObjectMeta: kapi.ObjectMeta{Name: namespace}})
if err != nil && !kerrs.IsAlreadyExists(err) {
return nil, nil, nil, err
}
sa, err := adminClient.Core().ServiceAccounts(namespace).Create(&kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: name}})
if kerrs.IsAlreadyExists(err) {
sa, err = adminClient.Core().ServiceAccounts(namespace).Get(name)
}
if err != nil {
return nil, nil, nil, err
}
token := ""
err = wait.Poll(time.Second, 30*time.Second, func() (bool, error) {
selector := fields.OneTermEqualSelector(kapi.SecretTypeField, string(kapi.SecretTypeServiceAccountToken))
secrets, err := adminClient.Core().Secrets(namespace).List(kapi.ListOptions{FieldSelector: selector})
if err != nil {
return false, err
}
for _, secret := range secrets.Items {
if serviceaccounts.IsValidServiceAccountToken(sa, &secret) {
token = string(secret.Data[kapi.ServiceAccountTokenKey])
return true, nil
}
}
return false, nil
})
if err != nil {
return nil, nil, nil, err
}
saClientConfig := clientcmd.AnonymousClientConfig(&clientConfig)
saClientConfig.BearerToken = token
kubeClient, err := kclient.New(&saClientConfig)
if err != nil {
return nil, nil, nil, err
}
kubeClientset := adapter.FromUnversionedClient(kubeClient)
osClient, err := client.New(&saClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClientset, &saClientConfig, nil
}
示例5: GetClientForUser
func GetClientForUser(clientConfig kclient.Config, username string) (*client.Client, *kclient.Client, *kclient.Config, error) {
token, err := tokencmd.RequestToken(&clientConfig, nil, username, "password")
if err != nil {
return nil, nil, nil, err
}
userClientConfig := clientcmd.AnonymousClientConfig(clientConfig)
userClientConfig.BearerToken = token
kubeClient, err := kclient.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
osClient, err := client.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClient, &userClientConfig, nil
}
示例6: GetClientForUser
// TODO internalclientset: get rid of oldClient after next rebase
func GetClientForUser(clientConfig restclient.Config, username string) (*client.Client, *kclientset.Clientset, *restclient.Config, error) {
token, err := tokencmd.RequestToken(&clientConfig, nil, username, "password")
if err != nil {
return nil, nil, nil, err
}
userClientConfig := clientcmd.AnonymousClientConfig(&clientConfig)
userClientConfig.BearerToken = token
kubeClient, err := kclient.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
kubeClientset := adapter.FromUnversionedClient(kubeClient)
osClient, err := client.New(&userClientConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClientset, &userClientConfig, nil
}
示例7: TestNodeAuth
func TestNodeAuth(t *testing.T) {
// Server config
masterConfig, nodeConfig, adminKubeConfigFile, err := testserver.StartTestAllInOne()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Cluster admin clients and client configs
adminClient, err := testutil.GetClusterAdminKubeClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
originAdminClient, err := testutil.GetClusterAdminClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminConfig, err := testutil.GetClusterAdminClientConfig(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Client configs for lesser users
masterKubeletClientConfig := configapi.GetKubeletClientConfig(*masterConfig)
anonymousConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig.BearerToken = "bad-token"
bobClient, _, bobConfig, err := testutil.GetClientForUser(*adminConfig, "bob")
_, _, aliceConfig, err := testutil.GetClientForUser(*adminConfig, "alice")
sa1Client, _, sa1Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa1")
_, _, sa2Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa2")
// Grant Bob system:node-reader, which should let them read metrics and stats
addBob := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.NodeReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "User", Name: "bob"}},
}
if err := addBob.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Grant sa1 system:cluster-reader, which should let them read metrics and stats
addSA1 := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.ClusterReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "ServiceAccount", Namespace: "default", Name: "sa1"}},
}
if err := addSA1.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Wait for policy cache
if err := testutil.WaitForClusterPolicyUpdate(bobClient, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(sa1Client, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, nodePort, err := net.SplitHostPort(nodeConfig.ServingInfo.BindAddress)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodePortInt, err := strconv.ParseInt(nodePort, 0, 0)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodeTLS := configapi.UseTLS(nodeConfig.ServingInfo)
kubeletClientConfig := func(config *kclient.Config) *kubeletclient.KubeletClientConfig {
return &kubeletclient.KubeletClientConfig{
Port: uint(nodePortInt),
EnableHttps: nodeTLS,
TLSClientConfig: config.TLSClientConfig,
BearerToken: config.BearerToken,
}
}
testCases := map[string]struct {
KubeletClientConfig *kubeletclient.KubeletClientConfig
Forbidden bool
NodeViewer bool
NodeAdmin bool
}{
"bad token": {
KubeletClientConfig: kubeletClientConfig(&badTokenConfig),
},
"anonymous": {
KubeletClientConfig: kubeletClientConfig(&anonymousConfig),
Forbidden: true,
},
"cluster admin": {
KubeletClientConfig: kubeletClientConfig(adminConfig),
NodeAdmin: true,
},
"master kubelet client": {
KubeletClientConfig: masterKubeletClientConfig,
//.........这里部分代码省略.........
示例8: TestAuthorizationSubjectAccessReview
func TestAuthorizationSubjectAccessReview(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, _, dannyConfig, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
anonymousConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
anonymousClient, err := client.New(&anonymousConfig)
if err != nil {
t.Fatalf("error getting anonymous client: %v", err)
}
addAnonymous := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", clusterAdminClient),
Users: []string{"system:anonymous"},
}
if err := addAnonymous.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{
User: "danny",
Action: authorizationapi.Action{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
localInterface: clusterAdminClient.LocalSubjectAccessReviews("default"),
localReview: &authorizationapi.LocalSubjectAccessReview{
User: "danny",
Action: authorizationapi.Action{Verb: "get", Resource: "projects"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clusterInterface: dannyClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
subjectAccessReviewTest{
description: "as anonymous, can I make cluster subject access reviews",
clusterInterface: anonymousClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
err: `User "system:anonymous" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
//.........这里部分代码省略.........
示例9: TestScopedTokens
func TestScopedTokens(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
userName := "harold"
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, userName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := haroldClient.Builds(projectName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldUser, err := haroldClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
whoamiOnlyToken := &oauthapi.OAuthAccessToken{
ObjectMeta: kapi.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit"},
ClientName: origin.OpenShiftCLIClientID,
ExpiresIn: 200,
Scopes: []string{scope.UserInfo},
UserName: userName,
UserUID: string(haroldUser.UID),
}
if _, err := clusterAdminClient.OAuthAccessTokens().Create(whoamiOnlyToken); err != nil {
t.Fatalf("unexpected error: %v", err)
}
whoamiConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
whoamiConfig.BearerToken = whoamiOnlyToken.Name
whoamiClient, err := client.New(&whoamiConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := whoamiClient.Builds(projectName).List(kapi.ListOptions{}); !kapierrors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
user, err := whoamiClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if user.Name != userName {
t.Fatalf("expected %v, got %v", userName, user.Name)
}
// try to impersonate a service account using this token
whoamiConfig.Impersonate = serviceaccount.MakeUsername(projectName, "default")
impersonatingClient, err := client.New(&whoamiConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
impersonatedUser, err := impersonatingClient.Users().Get("~")
if !kapierrors.IsForbidden(err) {
t.Fatalf("missing error: %v got user %#v", err, impersonatedUser)
}
}
示例10: TestScopeEscalations
func TestScopeEscalations(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
userName := "harold"
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, userName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := haroldClient.Builds(projectName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldUser, err := haroldClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nonEscalatingEditToken := &oauthapi.OAuthAccessToken{
ObjectMeta: kapi.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit"},
ClientName: origin.OpenShiftCLIClientID,
ExpiresIn: 200,
Scopes: []string{scope.ClusterRoleIndicator + "edit:*"},
UserName: userName,
UserUID: string(haroldUser.UID),
}
if _, err := clusterAdminClient.OAuthAccessTokens().Create(nonEscalatingEditToken); err != nil {
t.Fatalf("unexpected error: %v", err)
}
nonEscalatingEditConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
nonEscalatingEditConfig.BearerToken = nonEscalatingEditToken.Name
nonEscalatingEditClient, err := kclientset.NewForConfig(&nonEscalatingEditConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := nonEscalatingEditClient.Secrets(projectName).List(kapi.ListOptions{}); !kapierrors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
escalatingEditToken := &oauthapi.OAuthAccessToken{
ObjectMeta: kapi.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit"},
ClientName: origin.OpenShiftCLIClientID,
ExpiresIn: 200,
Scopes: []string{scope.ClusterRoleIndicator + "edit:*:!"},
UserName: userName,
UserUID: string(haroldUser.UID),
}
if _, err := clusterAdminClient.OAuthAccessTokens().Create(escalatingEditToken); err != nil {
t.Fatalf("unexpected error: %v", err)
}
escalatingEditConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
escalatingEditConfig.BearerToken = escalatingEditToken.Name
escalatingEditClient, err := kclientset.NewForConfig(&escalatingEditConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := escalatingEditClient.Secrets(projectName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
示例11: SafeClientConfig
// SafeClientConfig returns a client config without authentication info.
func (r *registryClient) SafeClientConfig() restclient.Config {
return clientcmd.AnonymousClientConfig(r.config.OpenShiftConfig())
}
示例12: BuildKubernetesNodeConfig
//.........这里部分代码省略.........
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 {
server.Containerized = value == "true"
}
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, errors.NewAggregate(err)
}
cfg, err := server.UnsecuredKubeletConfig()
if err != nil {
return nil, err
}
// provide any config overrides
cfg.NodeName = options.NodeName
cfg.StreamingConnectionIdleTimeout = 5 * time.Minute // TODO: should be set
cfg.KubeClient = kubeClient
cfg.DockerExecHandler = dockerExecHandler
// Setup auth
osClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(*osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(osClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubelet.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubelet.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
示例13: BuildKubernetesNodeConfig
//.........这里部分代码省略.........
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
containerized := cmdutil.Env("OPENSHIFT_CONTAINERIZED", "") == "true"
server.Containerized = containerized
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
proxyconfig, err := buildKubeProxyConfig(options)
if err != nil {
return nil, err
}
cfg, err := kubeletapp.UnsecuredKubeletConfig(server)
if err != nil {
return nil, err
}
// provide any config overrides
cfg.NodeName = options.NodeName
cfg.KubeClient = clientadapter.FromUnversionedClient(kubeClient)
cfg.EventClient = clientadapter.FromUnversionedClient(eventClient)
cfg.DockerExecHandler = dockerExecHandler
// Setup auth
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(originClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubeletserver.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubeletserver.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
示例14: runOAuthFlow
//.........这里部分代码省略.........
if !expectGrantSuccess {
if !strings.Contains(string(body), "requested illegal scopes") {
t.Fatalf("missing expected message: %v", string(body))
}
return
}
csrfMatches := grantCSRFRegex.FindStringSubmatch(string(body))
if len(csrfMatches) != 2 {
response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, false)
t.Fatalf("unexpected body :\n %v\n%v", string(response), string(body))
}
thenMatches := grantThenRegex.FindStringSubmatch(string(body))
if len(thenMatches) != 2 {
response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, false)
t.Fatalf("unexpected body :\n %v\n%v", string(response), string(body))
}
t.Logf("CSRF is %v", csrfMatches)
t.Logf("then is %v", thenMatches)
// third we respond and approve the grant, then let the transport follow redirects and give us the code
postBody := strings.NewReader(url.Values(map[string][]string{
"then": {thenMatches[1]},
"csrf": {csrfMatches[1]},
"client_id": {oauthClientConfig.ClientId},
"user_name": {"harold"},
"scopes": {oauthClientConfig.Scope},
"redirect_uri": {clusterAdminClientConfig.Host},
"approve": {"true"},
}).Encode())
authenticatedAuthorizeHTTPRequest3, err := http.NewRequest("POST", clusterAdminClientConfig.Host+origin.OpenShiftApprovePrefix, postBody)
authenticatedAuthorizeHTTPRequest3.Header.Set("Content-Type", "application/x-www-form-urlencoded")
authenticatedAuthorizeHTTPRequest3.Header.Add("X-CSRF-Token", csrfMatches[1])
authenticatedAuthorizeHTTPRequest3.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))
for i := range authentictedAuthorizeResponse2.Cookies() {
cookie := authentictedAuthorizeResponse2.Cookies()[i]
authenticatedAuthorizeHTTPRequest3.AddCookie(cookie)
}
authentictedAuthorizeResponse3, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest3)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if authentictedAuthorizeResponse3.StatusCode != http.StatusFound {
response, _ := httputil.DumpResponse(authentictedAuthorizeResponse3, true)
t.Fatalf("unexpected status :\n %v", string(response))
}
// fourth, the grant redirects us again to have us send the code to the server
authenticatedAuthorizeHTTPRequest4, err := http.NewRequest("GET", clusterAdminClientConfig.Host+authentictedAuthorizeResponse3.Header.Get("Location"), nil)
authenticatedAuthorizeHTTPRequest4.Header.Add("X-CSRF-Token", "csrf-01")
authenticatedAuthorizeHTTPRequest4.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))
authentictedAuthorizeResponse4, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest4)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if authentictedAuthorizeResponse4.StatusCode != http.StatusFound {
response, _ := httputil.DumpResponse(authentictedAuthorizeResponse4, true)
t.Fatalf("unexpected status :\n %v", string(response))
}
authenticatedAuthorizeHTTPRequest5, err := http.NewRequest("GET", authentictedAuthorizeResponse4.Header.Get("Location"), nil)
authenticatedAuthorizeHTTPRequest5.Header.Add("X-CSRF-Token", "csrf-01")
authenticatedAuthorizeHTTPRequest5.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))
authentictedAuthorizeResponse5, err := directHTTPClient.Do(authenticatedAuthorizeHTTPRequest5)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
authorizationCode := ""
select {
case authorizationCode = <-authorizationCodes:
case <-time.After(10 * time.Second):
response, _ := httputil.DumpResponse(authentictedAuthorizeResponse5, true)
t.Fatalf("didn't get a code:\n %v", string(response))
}
accessRequest := oauthRuntimeClient.NewAccessRequest(osincli.AUTHORIZATION_CODE, &osincli.AuthorizeData{Code: authorizationCode})
accessData, err := accessRequest.GetToken()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
whoamiConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
whoamiConfig.BearerToken = accessData.AccessToken
whoamiClient, err := client.New(&whoamiConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := whoamiClient.Builds(projectName).List(kapi.ListOptions{}); !kapierrors.IsForbidden(err) && !expectBuildSuccess {
t.Fatalf("unexpected error: %v", err)
}
user, err := whoamiClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if user.Name != "harold" {
t.Fatalf("expected %v, got %v", "harold", user.Name)
}
}
示例15: runOAuthFlow
//.........这里部分代码省略.........
glog.Infof("%#v", operations)
glog.Infof("%#v", jar)
glog.Errorf("Error %v\n%#v\n%#v", err, err, resp)
t.Errorf("Error %v\n%#v\n%#v", err, err, resp)
return
}
defer resp.Body.Close()
// Save the current URL for reference
currentURL := req.URL
if resp.StatusCode == 401 {
// Set up a username and password once we're challenged
testTransport.username = "harold"
testTransport.password = "any-pass"
operations = append(operations, "received challenge")
continue
}
if resp.StatusCode != 200 {
responseDump, _ := httputil.DumpResponse(resp, true)
t.Errorf("Unexpected response %s", string(responseDump))
return
}
doc, err := html.Parse(resp.Body)
if err != nil {
t.Error(err)
return
}
forms := htmlutil.GetElementsByTagName(doc, "form")
// if there's a single form, submit it
if len(forms) > 1 {
t.Errorf("More than one form encountered: %d", len(forms))
return
}
if len(forms) == 0 {
break
}
req, err = htmlutil.NewRequestFromForm(forms[0], currentURL, inputFilter)
if err != nil {
t.Error(err)
return
}
operations = append(operations, "form")
}
authorizationCode := ""
select {
case authorizationCode = <-authorizationCodes:
operations = append(operations, "code")
case authorizationError := <-authorizationErrors:
operations = append(operations, "error:"+authorizationError)
case <-time.After(5 * time.Second):
t.Error("didn't get a code or an error")
}
if len(authorizationCode) > 0 {
accessRequest := oauthRuntimeClient.NewAccessRequest(osincli.AUTHORIZATION_CODE, &osincli.AuthorizeData{Code: authorizationCode})
accessData, err := accessRequest.GetToken()
if err != nil {
t.Errorf("unexpected error: %v", err)
return
}
operations = append(operations, fmt.Sprintf("scope:%v", accessData.ResponseData["scope"]))
whoamiConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
whoamiConfig.BearerToken = accessData.AccessToken
whoamiClient, err := client.New(&whoamiConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
return
}
_, err = whoamiClient.Builds(projectName).List(kapi.ListOptions{})
if expectBuildSuccess && err != nil {
t.Errorf("unexpected error: %v", err)
return
}
if !expectBuildSuccess && !kapierrors.IsForbidden(err) {
t.Errorf("expected forbidden error, got %v", err)
return
}
user, err := whoamiClient.Users().Get("~")
if err != nil {
t.Errorf("unexpected error: %v", err)
return
}
if user.Name != "harold" {
t.Errorf("expected %v, got %v", "harold", user.Name)
return
}
}
if !reflect.DeepEqual(operations, expectOperations) {
t.Errorf("Expected:\n%#v\nGot\n%#v", expectOperations, operations)
}
}