support exec through discovery

2016-12-13 15:55:38 -05:00 · 2016-12-13 15:55:38 -05:00 · cd5f8a85f0
parent 6d081e4566
commit cd5f8a85f0
2 changed files with 23 additions and 6 deletions
--- a/cmd/kubernetes-discovery/pkg/apiserver/handler_proxy.go
+++ b/cmd/kubernetes-discovery/pkg/apiserver/handler_proxy.go
@ -98,8 +98,20 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {

 	upgrade := false
 	// we need to wrap the roundtripper in another roundtripper which will apply the front proxy headers
-	proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper)
 	proxyRoundTripper, upgrade, err = r.maybeWrapForConnectionUpgrades(proxyRoundTripper, req)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper)
+
+	// if we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does
+	// NOT use the roundtripper.  Its a direct call that bypasses the round tripper.  This means that we have to
+	// attach the "correct" user headers to the request ahead of time.  After the initial upgrade, we'll be back
+	// at the roundtripper flow, so we only have to muck with this request, but we do have to do it.
+	if upgrade {
+		transport.SetAuthProxyHeaders(newReq, user.GetName(), user.GetGroups(), user.GetExtra())
+	}

 	handler := genericrest.NewUpgradeAwareProxyHandler(location, proxyRoundTripper, true, upgrade, &responder{w: w})
 	handler.ServeHTTP(w, newReq)
--- a/pkg/client/transport/round_trippers.go
+++ b/pkg/client/transport/round_trippers.go
@ -106,6 +106,13 @@ func NewAuthProxyRoundTripper(username string, groups []string, extra map[string

 func (rt *authProxyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	req = cloneRequest(req)
+	SetAuthProxyHeaders(req, rt.username, rt.groups, rt.extra)
+
+	return rt.rt.RoundTrip(req)
+}
+
+// SetAuthProxyHeaders stomps the auth proxy header fields.  It mutates its argument.
+func SetAuthProxyHeaders(req *http.Request, username string, groups []string, extra map[string][]string) {
 	req.Header.Del("X-Remote-User")
 	req.Header.Del("X-Remote-Group")
 	for key := range req.Header {
@ -114,17 +121,15 @@ func (rt *authProxyRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 		}
 	}

-	req.Header.Set("X-Remote-User", rt.username)
-	for _, group := range rt.groups {
+	req.Header.Set("X-Remote-User", username)
+	for _, group := range groups {
 		req.Header.Add("X-Remote-Group", group)
 	}
-	for key, values := range rt.extra {
+	for key, values := range extra {
 		for _, value := range values {
 			req.Header.Add("X-Remote-Extra-"+key, value)
 		}
 	}
-
-	return rt.rt.RoundTrip(req)
 }

 func (rt *authProxyRoundTripper) CancelRequest(req *http.Request) {