added various fixes for BasicAuth and for Issue 65 load 2nd time error

Author: Jeff McCormick

apiserver.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	//"crypto/tls"
+	//"crypto/x509"
 	log "github.com/Sirupsen/logrus"
 	"github.com/crunchydata/postgres-operator/apiserver/backupservice"
 	"github.com/crunchydata/postgres-operator/apiserver/cloneservice"
@@ -13,14 +15,15 @@ import (
 	"github.com/crunchydata/postgres-operator/apiserver/userservice"
 	"github.com/crunchydata/postgres-operator/apiserver/versionservice"
 	"github.com/gorilla/mux"
+	//"io/ioutil"
 	"net/http"
+	//"os"
 )
 
 func main() {
 
 	log.Infoln("postgres-operator apiserver starts")
 	r := mux.NewRouter()
-	r.HandleFunc("/authtest", versionservice.AuthTestHandler)
 	r.HandleFunc("/version", versionservice.VersionHandler)
 	r.HandleFunc("/clones", cloneservice.CreateCloneHandler)
 	r.HandleFunc("/policies", policyservice.CreatePolicyHandler)
@@ -38,6 +41,27 @@ func main() {
 	r.HandleFunc("/clusters/scale/{name}", clusterservice.ScaleClusterHandler)
 	r.HandleFunc("/backups/{name}", backupservice.ShowBackupHandler).Methods("GET", "DELETE")
 	r.HandleFunc("/backups", backupservice.CreateBackupHandler).Methods("POST")
-	//log.Fatal(http.ListenAndServeTLS(":8080", "/cpmkeys/cert.pem", "/cpmkeys/key.pem", r))
+	//log.Fatal(http.ListenAndServeTLS(":8443", "/config/cert.pem", "/config/key.pem", r))
+	//log.Fatal(http.ListenAndServeTLS(":8443", "/config/secure.domain.com.crt", "/config/secure.domain.com.key", r))
+	//caCert, err := ioutil.ReadFile("/config/client.crt")
+	//if err != nil {
+	//log.Fatal(err)
+	//log.Error("could not read /config/client.crt")
+	//os.Exit(2)
+	//}
+	//caCertPool := x509.NewCertPool()
+	//caCertPool.AppendCertsFromPEM(caCert)
+	//cfg := &tls.Config{
+	//ClientAuth: tls.RequireAndVerifyClientCert,
+	//ClientCAs:  caCertPool,
+	//}
+	//srv := &http.Server{
+	////Addr: ":8443",
+	//Handler:   &handler{},
+	//Handler:   r,
+	//TLSConfig: cfg,
+	//}
+
+	//log.Fatal(srv.ListenAndServeTLS("/config/server.crt", "/config/server.key"))
 	log.Fatal(http.ListenAndServe(":8080", r))
 }

apiserver/backupservice/backupimpl.go

@@ -220,6 +220,7 @@ func getBackupParams(name, Namespace string) (*crv1.Pgbackup, error) {
 	spec.StorageSpec.Size = viper.GetString("BackupStorage.Size")
 	spec.StorageSpec.StorageClass = viper.GetString("BackupStorage.StorageClass")
 	spec.StorageSpec.StorageType = viper.GetString("BackupStorage.StorageType")
+	log.Debug("JEFF in backup setting storagetype to " + spec.StorageSpec.StorageType)
 	spec.StorageSpec.SupplementalGroups = viper.GetString("BackupStorage.SupplementalGroups")
 	spec.StorageSpec.Fsgroup = viper.GetString("BackupStorage.Fsgroup")
 	spec.CCPImageTag = viper.GetString("Cluster.CCPImageTag")

apiserver/clusterservice/clusterservice.go

@@ -18,6 +18,7 @@ limitations under the License.
 import (
 	"encoding/json"
 	log "github.com/Sirupsen/logrus"
+	"github.com/crunchydata/postgres-operator/apiserver"
 	msgs "github.com/crunchydata/postgres-operator/apiservermsgs"
 	"github.com/gorilla/mux"
 	"net/http"
@@ -78,6 +79,11 @@ func ShowClusterHandler(w http.ResponseWriter, r *http.Request) {
 		log.Debug("selector param was [" + selector + "]")
 	}
 
+	err := apiserver.Authn("ShowClusterHandler", w, r)
+	if err != nil {
+		return
+	}
+
 	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")
 

apiserver/loadservice/loadimpl.go

@@ -24,6 +24,7 @@ import (
 	"github.com/crunchydata/postgres-operator/apiserver"
 	"github.com/crunchydata/postgres-operator/apiserver/util"
 	msgs "github.com/crunchydata/postgres-operator/apiservermsgs"
+	operutil "github.com/crunchydata/postgres-operator/util"
 	"github.com/spf13/viper"
 	"io/ioutil"
 	"k8s.io/apimachinery/pkg/labels"
@@ -169,8 +170,8 @@ func Load(request *msgs.LoadRequest) msgs.LoadResponse {
 
 func createJob(clusterName, namespace string) error {
 	var err error
-
-	LoadConfigTemplate.Name = "csvload-" + clusterName
+	randStr := operutil.GenerateRandString(3)
+	LoadConfigTemplate.Name = "csvload-" + clusterName + "-" + randStr
 	LoadConfigTemplate.DbHost = clusterName
 	LoadConfigTemplate.DbPass, err = util.GetSecretPassword(clusterName, crv1.RootSecretSuffix, namespace)
 	if err != nil {

apiserver/root.go

@@ -17,13 +17,15 @@ limitations under the License.
 
 import (
 	"bufio"
+	"errors"
 	"flag"
 	log "github.com/Sirupsen/logrus"
 	crdclient "github.com/crunchydata/postgres-operator/client"
 	"github.com/spf13/viper"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	"net/http"
 	"os"
 	"strings"
 )
@@ -197,3 +199,24 @@ func BasicAuthCheck(username, password string) bool {
 
 	return true
 }
+
+func Authn(where string, w http.ResponseWriter, r *http.Request) error {
+	var err error
+	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+
+	username, password, authOK := r.BasicAuth()
+	log.Debugf("Authn Attempt %s username=[%s] password=[%s]\n", where, username, password)
+	if authOK == false {
+		http.Error(w, "Not authorized", 401)
+		return errors.New("Not Authorized")
+	}
+
+	if !BasicAuthCheck(username, password) {
+		log.Errorf("Authn Failed %s username=[%s] password=[%s]\n", where, username, password)
+		http.Error(w, "Not authenticated in apiserver", 401)
+		return errors.New("Not Authenticated")
+	}
+	log.Debugf("Authn Success %s username=[%s] password=[%s]\n", where, username, password)
+	return err
+
+}

apiserver/upgradeservice/upgradeimpl.go

@@ -310,15 +310,16 @@ func getUpgradeParams(name, currentImageTag string, request *msgs.CreateUpgradeR
 		if request.CCPImageTag == existingImage {
 			log.Error("CCPImageTag is the same as the cluster")
 			log.Error("can't upgrade to the same image version")
-
+			log.Error("requested version is " + request.CCPImageTag)
+			log.Error("existing version is " + existingImage)
 			return nil, errors.New("invalid image tag")
 		}
 		requestedMajorVersion, strRep, err = parseMajorVersion(request.CCPImageTag)
 		if err != nil {
 			log.Error(err)
 		}
 	} else if viper.GetString("Cluster.CCPImageTag") == existingImage {
-		log.Error("CCPImageTag is the same as the cluster")
+		log.Error("Cluster.CCPImageTag is the same as the cluster")
 		log.Error("can't upgrade to the same image version")
 
 		return nil, errors.New("invalid image tag")

apiserver/versionservice/versionimpl.go

@@ -25,7 +25,7 @@ func Version() msgs.VersionResponse {
 	resp := msgs.VersionResponse{}
 	resp.Status.Code = msgs.Ok
 	resp.Status.Msg = "apiserver version"
-	resp.Version = "2.1"
+	resp.Version = "2.2"
 
 	return resp
 }

apiserver/versionservice/versionservice.go

@@ -28,35 +28,28 @@ func VersionHandler(w http.ResponseWriter, r *http.Request) {
 
 	log.Debug("versionservice.VersionHandler called")
 
-	w.WriteHeader(http.StatusOK)
-	w.Header().Set("Content-Type", "application/json")
-
-	resp := Version()
-
-	json.NewEncoder(w).Encode(resp)
-}
-
-// VersionHandler ...
-// pgo version
-func AuthTestHandler(w http.ResponseWriter, r *http.Request) {
-
-	log.Debug("versionservice.AuthTestHandler called")
-
 	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
+	err := apiserver.Authn("VersionHandler", w, r)
+	if err != nil {
+		return
+	}
+
+	/**
 	username, password, authOK := r.BasicAuth()
 	if authOK == false {
 		http.Error(w, "Not authorized", 401)
 		return
 	}
 
-	log.Debugf("versionservice.AuthTestHandler username=[%s] password=[%s]\n", username, password)
+	log.Debugf("versionservice.VersionHandler username=[%s] password=[%s]\n", username, password)
 
 	if !apiserver.BasicAuthCheck(username, password) {
-		//if username != "username" || password != "password" {
+		log.Error("authentication failed for " + username + " in VersionHandler")
 		http.Error(w, "Not authenticated in apiserver", 401)
 		return
 	}
+	*/
 
 	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")

deploy/deployment.json

@@ -17,9 +17,9 @@
                     "name": "apiserver",
                     "image": "crunchydata/apiserver:$CO_IMAGE_TAG",
                     "imagePullPolicy": "IfNotPresent",
-					"ports":[{
-						"containerPort": 8080
-					}],
+			"ports":[{
+			"containerPort": 8080
+			}],
                     "env": [{
                         "name": "DEBUG",
                         "value": "true"