argoproj · sarabala1979 · Jan 30, 2020 · Jan 29, 2020 · Jan 29, 2020 · Jan 29, 2020
diff --git a/cmd/argo/commands/client/conn.go b/cmd/argo/commands/client/conn.go
@@ -40,21 +40,21 @@ func GetClientConn() *grpc.ClientConn {
 }
 
 func GetContext() context.Context {
-	token := GetBearerToken()
-	if token == "" {
+	authString := GetAuthString()
+	if authString == "" {
 		return context.Background()
 	}
-	return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorization", "Bearer "+GetBearerToken()))
+	return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorization", authString))
 }
 
-func GetBearerToken() string {
+func GetAuthString() string {
 	restConfig, err := Config.ClientConfig()
 	if err != nil {
 		log.Fatal(err)
 	}
-	token, err := kubeconfig.GetBearerToken(restConfig)
+	authString, err := kubeconfig.GetAuthString(restConfig)
 	if err != nil {
 		log.Fatal(err)
 	}
-	return token
+	return authString
 }
diff --git a/cmd/argo/commands/token.go b/cmd/argo/commands/token.go
@@ -18,7 +18,7 @@ func NewTokenCommand() *cobra.Command {
 				cmd.HelpFunc()(cmd, args)
 				os.Exit(1)
 			}
-			fmt.Print(client.GetBearerToken())
+			fmt.Print(client.GetAuthString())
 		},
 	}
 }
diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"net/http"
-	"strings"
 
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"google.golang.org/grpc"
@@ -96,10 +95,10 @@ func (s Gatekeeper) useClientAuth(token string) bool {
 	return false
 }
 
-func getToken(md metadata.MD) string {
+func getAuthHeader(md metadata.MD) string {
 	// looks for the HTTP header `Authorization: Bearer ...`
 	for _, t := range md.Get("authorization") {
-		return strings.TrimPrefix(t, "Bearer ")
+		return t
 	}
 	// check the HTTP cookie
 	for _, t := range md.Get("grpcgateway-cookie") {
@@ -108,7 +107,7 @@ func getToken(md metadata.MD) string {
 		request := http.Request{Header: header}
 		token, err := request.Cookie("authorization")
 		if err == nil {
-			return strings.TrimPrefix(token.Value, "Bearer ")
+			return token.Value
 		}
 	}
 	return ""
@@ -127,13 +126,14 @@ func (s Gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubern
 		return nil, nil, status.Error(codes.Unauthenticated, "unable to get metadata from incoming context")
 	}
 
-	token := getToken(md)
+	authString := getAuthHeader(md)
 
-	if !s.useClientAuth(token) {
+	if !s.useClientAuth(authString) {
 		return s.wfClient, s.kubeClient, nil
 	}
 
-	restConfig, err := kubeconfig.GetRestConfig(token)
+	restConfig, err := kubeconfig.GetRestConfig(authString)
+
 	if err != nil {
 		return nil, nil, status.Errorf(codes.Unauthenticated, "failed to create REST config: %v", err)
 	}

diff --git a/test/e2e/argo_server_test.go b/test/e2e/argo_server_test.go
@@ -83,7 +83,7 @@ func (s *ArgoServerSuite) TestCookieAuth() {
 	defer func() { s.bearerToken = token }()
 	s.bearerToken = ""
 	s.e(s.T()).GET("/api/v1/workflows/argo").
-		WithHeader("Cookie", "authorization="+token).
+		WithHeader("Cookie", "authorization=Bearer "+token).
 		Expect().
 		Status(200)
 }
@@ -671,7 +671,7 @@ func (s *ArgoServerSuite) TestArtifactServer() {
 		defer func() { s.bearerToken = token }()
 		s.bearerToken = ""
 		s.e(t).GET("/artifacts-by-uid/{uid}/basic/main-logs", uid).
-			WithHeader("Cookie", "authorization="+token).
+			WithHeader("Cookie", "authorization=Bearer "+token).
 			Expect().
 			Status(200)
 	})

diff --git a/test/e2e/cli_test.go b/test/e2e/cli_test.go
@@ -36,9 +36,16 @@ func (s *CLISuite) TestCompletion() {
 func (s *CLISuite) TestToken() {
 	s.Given().RunCli([]string{"token"}, func(t *testing.T, output string, err error) {
 		assert.NoError(t, err)
-		token, err := s.GetServiceAccountToken()
-		assert.NoError(t, err)
-		assert.Equal(t, token, output)
+		var authString, token string
+		token = s.GetBasicAuthToken()
+		if token == "" {
+			token, err = s.GetServiceAccountToken()
+			assert.NoError(t, err)
+			authString = "Bearer "+ token
+		}else {
+			authString = "Basic "+ token
+		}
+		assert.Equal(t, authString, output)
 	})
 }
 

diff --git a/test/e2e/fixtures/e2e_suite.go b/test/e2e/fixtures/e2e_suite.go
@@ -2,6 +2,7 @@ package fixtures
 
 import (
 	"bufio"
+	"encoding/base64"
 	"fmt"
 	"strings"
 	"testing"
@@ -140,6 +141,14 @@ func (s *E2ESuite) BeforeTest(_, _ string) {
 	s.Persistence.DeleteEverything()
 }
 
+func (s *E2ESuite) GetBasicAuthToken() string {
+	if s.RestConfig.Username == "" {
+		return ""
+	}
+	auth := s.RestConfig.Username + ":" + s.RestConfig.Password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
+
 func (s *E2ESuite) GetServiceAccountToken() (string, error) {
 	// create the clientset
 	clientset, err := kubernetes.NewForConfig(s.RestConfig)

diff --git a/util/kubeconfig/kubeconfig.go b/util/kubeconfig/kubeconfig.go
@@ -1,6 +1,7 @@
 package kubeconfig
 
 import (
+	"encoding/base64"
 	"net/http"
 	"os"
 	"strings"
@@ -13,16 +14,60 @@ import (
 	"k8s.io/client-go/transport"
 )
 
+const (
+	BasicAuthScheme  = "Basic"
+	BearerAuthScheme = "Bearer"
+)
+
 // get the default one from the filesystem
 func DefaultRestConfig() (*restclient.Config, error) {
 	rules := clientcmd.NewDefaultClientConfigLoadingRules()
 	config := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, &clientcmd.ConfigOverrides{})
 	return config.ClientConfig()
 }
 
-// convert a bearer token into a REST config
+func IsBasicAuthScheme(token string) bool {
+	return strings.HasPrefix(token, BasicAuthScheme)
+}
+
+func IsBearerAuthScheme(token string) bool {
+	return strings.HasPrefix(token, BearerAuthScheme)
+}
+
 func GetRestConfig(token string) (*restclient.Config, error) {
 
+	if IsBasicAuthScheme(token) {
+		token = strings.TrimSpace(strings.TrimPrefix(token, BasicAuthScheme))
+		username, password, ok := decodeBasicAuthToken(token)
+		if !ok {
+			return nil, errors.New("Error parsing Basic Authentication")
+		}
+		return GetBasicRestConfig(username, password)
+	}
+	if IsBearerAuthScheme(token) {
+		token = strings.TrimSpace(strings.TrimPrefix(token, BearerAuthScheme))
+		return GetBearerRestConfig(token)
+	}
+	return nil, errors.New("Unsupported authentication scheme")
+}
+
+// convert a basic token (username, password) into a REST config
+func GetBasicRestConfig(username, password string) (*restclient.Config, error) {
+
+	restConfig, err := DefaultRestConfig()
+	if err != nil {
+		return nil, err
+	}
+	restConfig.BearerToken = ""
+	restConfig.BearerTokenFile = ""
+	restConfig.Username = username
+	restConfig.Password = password
+	return restConfig, nil
+}
+
+// convert a bearer token into a REST config
+func GetBearerRestConfig(token string) (*restclient.Config, error) {
+
 	restConfig, err := DefaultRestConfig()
 	if err != nil {
 		return nil, err
@@ -37,6 +82,27 @@ func GetRestConfig(token string) (*restclient.Config, error) {
 	return restConfig, nil
 }
 
+//Return the AuthString include Auth type(Basic or Bearer)
+func GetAuthString(in *restclient.Config) (string, error) {
+	//Checking Basic Auth
+	if in.Username != "" {
+		token, err := GetBasicAuthToken(in)
+		return BasicAuthScheme + token, err
+	}
+
+	token, err := GetBearerToken(in)
+	return BearerAuthScheme + token, err
+}
+
+func GetBasicAuthToken(in *restclient.Config) (string, error) {
+
+	if in == nil {
+		return "", errors.Errorf("RestClient can't be nil")
+	}
+
+	return encodeBasicAuthToken(in.Username, in.Password), nil
+}
+
 // convert the REST config into a bearer token
 func GetBearerToken(in *restclient.Config) (string, error) {
 
@@ -47,6 +113,7 @@ func GetBearerToken(in *restclient.Config) (string, error) {
 	if in == nil {
 		return "", errors.Errorf("RestClient can't be nil")
 	}
+
 	if in.ExecProvider != nil {
 		tc, err := in.TransportConfig()
 		if err != nil {
@@ -106,3 +173,22 @@ func GetBearerToken(in *restclient.Config) (string, error) {
 func getEnvToken() string {
 	return os.Getenv("ARGO_TOKEN")
 }
+
+func encodeBasicAuthToken(username, password string) string {
+	auth := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
+
+func decodeBasicAuthToken(auth string) (username, password string, ok bool) {
+
+	c, err := base64.StdEncoding.DecodeString(auth)
+	if err != nil {
+		return
+	}
+	cs := string(c)
+	s := strings.IndexByte(cs, ':')
+	if s < 0 {
+		return
+	}
+	return cs[:s], cs[s+1:], true
+}
diff --git a/util/kubeconfig/kubeconfig_test.go b/util/kubeconfig/kubeconfig_test.go
@@ -0,0 +1,82 @@
+package kubeconfig
+
+import (
+	"io/ioutil"
+	"k8s.io/client-go/tools/clientcmd"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/rest"
+)
+
+const bearerToken = "bearertoken"
+
+const config = `
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:6443
+  name: k3s-default
+contexts:
+- context:
+    cluster: k3s-default
+    namespace: argo
+    user: k3s-default
+  name: k3s-default
+current-context: k3s-default
+kind: Config
+preferences: {}
+users:
+- name: k3s-default
+  user:
+    password: admin
+    username: admin
+`
+
+func Test_BasicAuthString(t *testing.T) {
+
+	t.Run("Basic Auth", func(t *testing.T) {
+
+		restConfig, err := clientcmd.RESTConfigFromKubeConfig([]byte(config))
+		authString, err := GetAuthString(restConfig)
+		assert.NoError(t, err)
+		assert.True(t, IsBasicAuthScheme(authString))
+		token := strings.TrimPrefix(authString, BasicAuthScheme)
+		uname, pwd, ok := decodeBasicAuthToken(token)
+		if assert.True(t, ok) {
+			assert.Equal(t, "admin", uname)
+			assert.Equal(t, "admin", pwd)
+		}
+		file, err := ioutil.TempFile("", "config.yaml")
+		file.WriteString(config)
+		file.Close()
+		os.Setenv("KUBECONFIG", file.Name())
+		config, err := GetRestConfig(authString)
+		if assert.NoError(t, err) {
+			assert.Equal(t, "admin", config.Username)
+			assert.Equal(t, "admin", config.Password)
+		}
+
+	})
+}
+
+func Test_BearerAuthString(t *testing.T) {
+
+	restConfig := rest.Config{}
+
+	t.Run("Bearer Auth", func(t *testing.T) {
+		os.Setenv("ARGO_TOKEN", bearerToken)
+		//_, err := ioutil.TempDir("~",".kube")
+
+		authString, err := GetAuthString(&restConfig)
+		assert.NoError(t, err)
+		assert.True(t, IsBearerAuthScheme(authString))
+		config, err := GetRestConfig(authString)
+		assert.NoError(t, err)
+		if assert.NoError(t, err) {
+			assert.Equal(t, bearerToken, config.BearerToken)
+		}
+	})
+}