Merge pull request #35 from sroze/feature/add-client-certificate-authentication

sroze · web-flow · commit 3015911e815b · 2017-08-14T15:32:37.000+01:00
Allow client-certificate authentication
diff --git a/README.md b/README.md
@@ -24,8 +24,8 @@ To had user authentication, you can decorate the http client:
 ```php
 $authenticatedHttpClient = new AuthenticationMiddleware(
     $httpClient,
-    'username',
-    'password'
+    AuthenticationMiddleware::USERNAME_PASSWORD,
+    'username:password'
 );
 ```
 
diff --git a/features/bootstrap/ClientContext.php b/features/bootstrap/ClientContext.php
@@ -31,17 +31,25 @@ class ClientContext implements Context, SnippetAcceptingContext
      * @param string $version
      * @param string $usernameOrToken
      * @param string $password
+     * @param bool $integration
+     * @param bool $record
+     * @param string|null $caCertificate
      */
-    public function __construct($baseUrl, $version, $usernameOrToken = null, $password = null, $integration = false, $record = false)
+    public function __construct($baseUrl, $version, $usernameOrToken = null, $password = null, $integration = false, $record = false, $caCertificate = null)
     {
         $serializer = SerializerBuilder::create()
             ->addMetadataDir(__DIR__.'/../../src/Resources/serializer', 'Kubernetes\Client')
             ->build();
 
         if ($integration) {
-            $httpClient = new GuzzleHttpClient(new GuzzleClient([
-                'verify' => false,
-            ]), $baseUrl, $version);
+            $httpClient = new GuzzleHttpClient(
+                new GuzzleClient([
+                    'verify' => false,
+                ]),
+                $baseUrl,
+                $version,
+                $caCertificate
+            );
         } else {
             $httpClient = new FileHttpClient(new FileResolver());
         }
@@ -53,8 +61,14 @@ public function __construct($baseUrl, $version, $usernameOrToken = null, $passwo
             );
         }
 
-        if ($usernameOrToken !== null) {
-            $httpClient = new AuthenticationMiddleware($httpClient, $usernameOrToken, $password);
+        if ($password !== null) {
+            if ($usernameOrToken == 'cert') {
+                $httpClient = new AuthenticationMiddleware($httpClient, AuthenticationMiddleware::CERTIFICATE, $password);
+            } else {
+                $httpClient = new AuthenticationMiddleware($httpClient, AuthenticationMiddleware::USERNAME_PASSWORD, $usernameOrToken . ':' . $password);
+            }
+        } elseif ($usernameOrToken !== null) {
+            $httpClient = new AuthenticationMiddleware($httpClient, AuthenticationMiddleware::TOKEN, $usernameOrToken);
         }
 
         $connector = new HttpConnector(
diff --git a/spec/Adapter/Http/AuthenticationMiddlewareSpec.php b/spec/Adapter/Http/AuthenticationMiddlewareSpec.php
@@ -13,7 +13,7 @@ class AuthenticationMiddlewareSpec extends ObjectBehavior
 {
     function let(HttpClient $httpClient)
     {
-        $this->beConstructedWith($httpClient, 'username', 'password');
+        $this->beConstructedWith($httpClient, AuthenticationMiddleware::USERNAME_PASSWORD, 'username:password');
     }
 
     function it_can_do_an_authenticated_request(HttpClient $httpClient)
diff --git a/src/Adapter/Http/AuthenticationMiddleware.php b/src/Adapter/Http/AuthenticationMiddleware.php
@@ -2,8 +2,14 @@
 
 namespace Kubernetes\Client\Adapter\Http;
 
+require_once 'functions.php';
+
 class AuthenticationMiddleware implements HttpClient
 {
+    const USERNAME_PASSWORD = 'username:password';
+    const TOKEN = 'token';
+    const CERTIFICATE = 'certificate';
+
     /**
      * @var HttpClient
      */
@@ -12,73 +18,79 @@ class AuthenticationMiddleware implements HttpClient
     /**
      * @var string
      */
-    private $usernameOrToken;
+    private $authenticationType;
 
     /**
      * @var string
      */
-    private $password;
+    private $credentials;
 
     /**
      * @param HttpClient $httpClient
-     * @param string     $usernameOrToken
-     * @param string     $password
+     * @param string $authenticationType
+     * @param string $credentials
      */
-    public function __construct(HttpClient $httpClient, $usernameOrToken, $password = null)
+    public function __construct(HttpClient $httpClient, string $authenticationType, string $credentials)
     {
         $this->httpClient = $httpClient;
-        $this->usernameOrToken = $usernameOrToken;
-        $this->password = $password;
+        $this->authenticationType = $authenticationType;
+        $this->credentials = $credentials;
     }
 
     /**
      * {@inheritdoc}
      */
     public function request($method, $path, $body = null, array $options = [])
     {
-        return $this->httpClient->request($method, $path, $body, $this->addAuthenticationHeader($options));
+        return $this->httpClient->request($method, $path, $body, $this->addAuthenticationOptions($options));
     }
 
     /**
      * {@inheritdoc}
      */
     public function asyncRequest($method, $path, $body = null, array $options = [])
     {
-        return $this->httpClient->asyncRequest($method, $path, $body, $this->addAuthenticationHeader($options));
+        return $this->httpClient->asyncRequest($method, $path, $body, $this->addAuthenticationOptions($options));
     }
 
     /**
      * @return string
      */
     private function getBasicAuthorizationString()
     {
-        return 'Basic '.base64_encode(sprintf('%s:%s', $this->usernameOrToken, $this->password));
+        return 'Basic '.base64_encode($this->credentials);
     }
 
     /**
      * @return string
      */
     private function getTokenAuthorizationString()
     {
-        return 'Bearer '.$this->usernameOrToken;
+        return 'Bearer '.$this->credentials;
     }
 
     /**
      * @return bool
      */
     private function isTokenAuthentication()
     {
-        return null === $this->password;
+        return self::TOKEN == $this->authenticationType;
     }
 
-    private function addAuthenticationHeader(array $options): array
+    private function addAuthenticationOptions(array $options): array
     {
-        $authorizationHeader = $this->isTokenAuthentication() ? $this->getTokenAuthorizationString() : $this->getBasicAuthorizationString();
+        if (self::CERTIFICATE == $this->authenticationType) {
+            $authorizationOptions = [
+                'cert' => certificate_file_path_from_contents($this->credentials),
+            ];
+        } else {
+            $authorizationOptions = [
+                'headers' => [
+                    'Authorization' => $this->isTokenAuthentication() ? $this->getTokenAuthorizationString() : $this->getBasicAuthorizationString(),
+                ],
+            ];
+        }
 
-        return array_merge_recursive([
-            'headers' => [
-                'Authorization' => $authorizationHeader,
-            ],
-        ], $options);
+        return array_merge_recursive($authorizationOptions, $options);
     }
 }
diff --git a/src/Adapter/Http/GuzzleHttpClient.php b/src/Adapter/Http/GuzzleHttpClient.php
@@ -5,6 +5,8 @@
 use GuzzleHttp\ClientInterface;
 use Psr\Http\Message\ResponseInterface;
 
+require_once 'functions.php';
+
 class GuzzleHttpClient implements HttpClient
 {
     /**
@@ -22,16 +24,23 @@ class GuzzleHttpClient implements HttpClient
      */
     private $version;
 
+    /**
+     * @var string
+     */
+    private $caCertificate;
+
     /**
      * @param ClientInterface $guzzleClient
-     * @param string          $baseUrl
-     * @param string          $version
+     * @param string $baseUrl
+     * @param string $version
+     * @param string $caCertificate
      */
-    public function __construct(ClientInterface $guzzleClient, $baseUrl, $version)
+    public function __construct(ClientInterface $guzzleClient, string $baseUrl, string $version, string $caCertificate = null)
     {
         $this->guzzleClient = $guzzleClient;
         $this->baseUrl = $baseUrl;
         $this->version = $version;
+        $this->caCertificate = $caCertificate;
     }
 
     /**
@@ -106,6 +115,10 @@ private function prepareOptions($body, $options)
             ],
         ];
 
+        if (null !== $this->caCertificate) {
+            $defaults['verify'] = certificate_file_path_from_contents($this->caCertificate);
+        }
+
         if ($body !== null) {
             $defaults['body'] = $body;
         }
diff --git a/src/Adapter/Http/functions.php b/src/Adapter/Http/functions.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Kubernetes\Client\Adapter\Http;
+
+function certificate_file_path_from_contents(string $certificateContents)
+{
+    $file = tempnam(sys_get_temp_dir(), 'certificate');
+    file_put_contents($file, $certificateContents);
+
+    register_shutdown_function(function() use($file) {
+        unlink($file);
+    });
+
+    return $file;
+}

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ class AuthenticationMiddlewareSpec extends ObjectBehavior`
`13`	`13`	`{`
`14`	`14`	`function let(HttpClient $httpClient)`
`15`	`15`	`{`
`16`		`- $this->beConstructedWith($httpClient, 'username', 'password');`
	`16`	`+ $this->beConstructedWith($httpClient, AuthenticationMiddleware::USERNAME_PASSWORD, 'username:password');`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`function it_can_do_an_authenticated_request(HttpClient $httpClient)`