Merge branch 'master' into release-2.5

jamhed · Jan 27, 2020 · 9afa678 · 9afa678
2 parents 5e755c6 + 85fa9aa
commit 9afa678
Show file tree

Hide file tree

Showing 17 changed files with 205 additions and 160 deletions.
diff --git a/Makefile b/Makefile
@@ -349,6 +349,8 @@ up:
  kubectl -n argo scale deployment/argo-server --replicas 1
  # Wait for pods to be ready
  kubectl -n argo wait --for=condition=Ready pod --all -l app --timeout 2m
+ # Token
+ kubectl -n argo get `kubectl -n argo get secret -o name | grep argo-server` -o jsonpath='{.data.token}' | base64 --decode
 
 .PHONY: pf
 pf:

diff --git a/cmd/argo/commands/client/conn.go b/cmd/argo/commands/client/conn.go
@@ -44,7 +44,7 @@ func GetContext() context.Context {
  if token == "" {
  return context.Background()
  }
- return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("grpcgateway-authorization", "Bearer "+GetBearerToken()))
+ return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorization", "Bearer "+GetBearerToken()))
 }
 
 func GetBearerToken() string {

diff --git a/cmd/server/artifacts/artifact_server.go b/cmd/server/artifacts/artifact_server.go
@@ -91,9 +91,15 @@ func (a *ArtifactServer) GetArtifactByUID(w http.ResponseWriter, r *http.Request
  a.ok(w, data)
 }
 func (a *ArtifactServer) gateKeeping(r *http.Request) (context.Context, error) {
- // TODO - we should not put the token in the URL - OSWAP obvs
- authHeader := r.URL.Query().Get("Authorization")
- ctx := metadata.NewIncomingContext(r.Context(), metadata.MD{"grpcgateway-authorization": []string{authHeader}})
+ token := r.Header.Get("Authorization")
+ if token == "" {
+ cookie, err := r.Cookie("authorization")
+ if err != nil {
+ return nil, err
+ }
+ token = cookie.Value
+ }
+ ctx := metadata.NewIncomingContext(r.Context(), metadata.MD{"authorization": []string{token}})
  return a.authN.Context(ctx)
 }
 

diff --git a/cmd/server/auth/gatekeeper.go b/cmd/server/auth/gatekeeper.go
@@ -2,6 +2,7 @@ package auth
 
 import (
  "context"
+ "net/http"
  "strings"
 
  grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -85,15 +86,34 @@ func (s Gatekeeper) useHybridAuth() bool {
  return s.authType == Hybrid
 }
 
-func (s Gatekeeper) useClientAuth(md metadata.MD) bool {
+func (s Gatekeeper) useClientAuth(token string) bool {
  if s.authType == Client {
  return true
  }
- if s.useHybridAuth() && len(md.Get("grpcgateway-authorization")) > 0 {
+ if s.useHybridAuth() && token != "" {
  return true
  }
  return false
 }
+
+func getToken(md metadata.MD) string {
+ // looks for the HTTP header `Authorization: Bearer ...`
+ for _, t := range md.Get("authorization") {
+ return strings.TrimPrefix(t, "Bearer ")
+ }
+ // check the HTTP cookie
+ for _, t := range md.Get("grpcgateway-cookie") {
+ header := http.Header{}
+ header.Add("Cookie", t)
+ request := http.Request{Header: header}
+ token, err := request.Cookie("authorization")
+ if err == nil {
+ return strings.TrimPrefix(token.Value, "Bearer ")
+ }
+ }
+ return ""
+}
+
 func (s Gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubernetes.Interface, error) {
 
  if s.useServerAuth() {
@@ -107,14 +127,10 @@ func (s Gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubern
  return nil, nil, status.Error(codes.Unauthenticated, "unable to get metadata from incoming context")
  }
 
- if !s.useClientAuth(md) {
- return s.wfClient, s.kubeClient, nil
- }
+ token := getToken(md)
 
- token := ""
- authorization := md.Get("grpcgateway-authorization")
- if len(authorization) > 0 {
- token = strings.TrimPrefix(authorization[0], "Bearer ")
+ if !s.useClientAuth(token) {
+ return s.wfClient, s.kubeClient, nil
  }
 
  restConfig, err := kubeconfig.GetRestConfig(token)

diff --git a/cmd/server/auth/gatekeeper_test.go b/cmd/server/auth/gatekeeper_test.go
@@ -29,17 +29,26 @@ func TestServer_GetWFClient(t *testing.T) {
  t.Run("ClientAuth", func(t *testing.T) {
  t.SkipNow() // TODO
  s := NewGatekeeper("client", wfClient, kubeClient, restConfig)
- ctx, err := authAndHandle(s, metadata.NewIncomingContext(context.Background(), metadata.Pairs("grpcgateway-authorization", "v0:"+base64.StdEncoding.EncodeToString([]byte("anything")))))
- if assert.NoError(t, err) {
- assert.NotEqual(t, wfClient, GetWfClient(*ctx))
- assert.NotEqual(t, kubeClient, GetKubeClient(*ctx))
- }
+ t.Run("AuthorizationHeader", func(t *testing.T) {
+ ctx, err := authAndHandle(s, metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", base64.StdEncoding.EncodeToString([]byte("anything")))))
+ if assert.NoError(t, err) {
+ assert.NotEqual(t, wfClient, GetWfClient(*ctx))
+ assert.NotEqual(t, kubeClient, GetKubeClient(*ctx))
+ }
+ })
+ t.Run("Cookie", func(t *testing.T) {
+ ctx, err := authAndHandle(s, metadata.NewIncomingContext(context.Background(), metadata.Pairs("grpcgateway-cookie", "authorization="+base64.StdEncoding.EncodeToString([]byte("anything")))))
+ if assert.NoError(t, err) {
+ assert.NotEqual(t, wfClient, GetWfClient(*ctx))
+ assert.NotEqual(t, kubeClient, GetKubeClient(*ctx))
+ }
+ })
  })
  t.Run("HybridAuth", func(t *testing.T) {
  t.SkipNow() // TODO
  s := NewGatekeeper("hybrid", wfClient, kubeClient, restConfig)
  t.Run("clientAuth", func(t *testing.T) {
- ctx, err := authAndHandle(s, metadata.NewIncomingContext(context.Background(), metadata.Pairs("grpcgateway-authorization", "v0:"+base64.StdEncoding.EncodeToString([]byte("{anything}")))))
+ ctx, err := authAndHandle(s, metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", base64.StdEncoding.EncodeToString([]byte("{anything}")))))
  if assert.NoError(t, err) {
  assert.NotEqual(t, wfClient, GetWfClient(*ctx))
  assert.NotEqual(t, kubeClient, GetKubeClient(*ctx))