Merge pull request #1206 from spadgett/validate-token-url

openshift-merge-robot · web-flow · commit be656a7d7edf · 2019-02-21T05:26:20.000+01:00
Bug 1679272 - Validate console can talk to OAuth token URL
diff --git a/auth/auth.go b/auth/auth.go
@@ -93,9 +93,9 @@ type Config struct {
 	ClientSecret string
 	Scope        []string
 
-	// DiscoveryCA is required for OpenShift OAuth metadata discovery. This is the CA
+	// K8sCA is required for OpenShift OAuth metadata discovery. This is the CA
 	// used to talk to the master, which might be different than the issuer CA.
-	DiscoveryCA string
+	K8sCA string
 
 	SuccessURL  string
 	ErrorURL    string
@@ -140,33 +140,37 @@ func newHTTPClient(issuerCA string, includeSystemRoots bool) (*http.Client, erro
 // NewAuthenticator initializes an Authenticator struct. It blocks until the authenticator is
 // able to contact the provider.
 func NewAuthenticator(ctx context.Context, c *Config) (*Authenticator, error) {
-	a, err := newUnstartedAuthenticator(c)
-	if err != nil {
-		return nil, err
-	}
-
 	// Retry connecting to the identity provider a few times
 	backoff := time.Second * 2
-	maxSteps := 5
+	maxSteps := 7
 	steps := 0
 
 	for {
 		var (
+			a        *Authenticator
 			lm       loginMethod
 			endpoint oauth2.Endpoint
 			err      error
 		)
+
+		a, err = newUnstartedAuthenticator(c)
+		if err != nil {
+			return nil, err
+		}
+
 		switch c.AuthSource {
 		case AuthSourceOpenShift:
 			// Use the k8s CA for OAuth metadata discovery.
-			var client *http.Client
-			client, err = newHTTPClient(c.DiscoveryCA, false)
+			var k8sClient *http.Client
+			// Don't include system roots when talking to the API server.
+			k8sClient, err = newHTTPClient(c.K8sCA, false)
 			if err != nil {
 				return nil, err
 			}
 
 			endpoint, lm, err = newOpenShiftAuth(ctx, &openShiftConfig{
-				client:        client,
+				k8sClient:     k8sClient,
+				oauthClient:   a.client,
 				issuerURL:     c.IssuerURL,
 				cookiePath:    c.CookiePath,
 				secureCookies: c.SecureCookies,
@@ -183,11 +187,11 @@ func NewAuthenticator(ctx context.Context, c *Config) (*Authenticator, error) {
 		if err != nil {
 			steps++
 			if steps > maxSteps {
-				log.Errorf("error contacting openid connect provider: %v", err)
+				log.Errorf("error contacting auth provider: %v", err)
 				return nil, err
 			}
 
-			log.Errorf("error contacting openid connect provider (retrying in %s): %v", backoff, err)
+			log.Errorf("error contacting auth provider (retrying in %s): %v", backoff, err)
 
 			time.Sleep(backoff)
 			backoff *= 2
diff --git a/auth/auth_openshift.go b/auth/auth_openshift.go
@@ -23,7 +23,8 @@ type openShiftAuth struct {
 }
 
 type openShiftConfig struct {
-	client        *http.Client
+	k8sClient     *http.Client
+	oauthClient   *http.Client
 	issuerURL     string
 	cookiePath    string
 	secureCookies bool
@@ -52,7 +53,7 @@ func newOpenShiftAuth(ctx context.Context, c *openShiftConfig) (oauth2.Endpoint,
 		return oauth2.Endpoint{}, nil, err
 	}
 
-	resp, err := c.client.Do(req.WithContext(ctx))
+	resp, err := c.k8sClient.Do(req.WithContext(ctx))
 	if err != nil {
 		return oauth2.Endpoint{}, nil, err
 	}
@@ -86,6 +87,19 @@ func newOpenShiftAuth(ctx context.Context, c *openShiftConfig) (oauth2.Endpoint,
 		return oauth2.Endpoint{}, nil, err
 	}
 
+	// Make sure we can talk to the token endpoint.
+	req, err = http.NewRequest(http.MethodHead, metadata.Token, nil)
+	if err != nil {
+		return oauth2.Endpoint{}, nil, err
+	}
+
+	resp, err = c.oauthClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return oauth2.Endpoint{}, nil, fmt.Errorf("request to OAuth token endpoint %s failed: %v",
+			metadata.Token, err)
+	}
+	defer resp.Body.Close()
+
 	kubeAdminLogoutURL := proxy.SingleJoiningSlash(metadata.Issuer, "/logout")
 	return oauth2.Endpoint{
 		AuthURL:  metadata.Auth,
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -366,7 +366,7 @@ func main() {
 
 			// Use the k8s CA file for OpenShift OAuth metadata discovery.
 			// This might be different than IssuerCA.
-			DiscoveryCA: caCertFilePath,
+			K8sCA: caCertFilePath,
 
 			ErrorURL:   authLoginErrorEndpoint,
 			SuccessURL: authLoginSuccessEndpoint,
@@ -394,7 +394,7 @@ func main() {
 		}
 
 		if srv.Auther, err = auth.NewAuthenticator(context.Background(), oidcClientConfig); err != nil {
-			log.Fatalf("Error initializing OIDC authenticator: %v", err)
+			log.Fatalf("Error initializing authenticator: %v", err)
 		}
 	case "disabled":
 		log.Warningf("running with AUTHENTICATION DISABLED!")

Original file line number	Diff line number	Diff line change
`@@ -366,7 +366,7 @@ func main() {`
`366`	`366`
`367`	`367`	`// Use the k8s CA file for OpenShift OAuth metadata discovery.`
`368`	`368`	`// This might be different than IssuerCA.`
`369`		`- DiscoveryCA: caCertFilePath,`
	`369`	`+ K8sCA: caCertFilePath,`
`370`	`370`
`371`	`371`	`ErrorURL: authLoginErrorEndpoint,`
`372`	`372`	`SuccessURL: authLoginSuccessEndpoint,`
`@@ -394,7 +394,7 @@ func main() {`
`394`	`394`	`}`
`395`	`395`
`396`	`396`	`if srv.Auther, err = auth.NewAuthenticator(context.Background(), oidcClientConfig); err != nil {`
`397`		`- log.Fatalf("Error initializing OIDC authenticator: %v", err)`
	`397`	`+ log.Fatalf("Error initializing authenticator: %v", err)`
`398`	`398`	`}`
`399`	`399`	`case "disabled":`
`400`	`400`	`log.Warningf("running with AUTHENTICATION DISABLED!")`