new file mode 100644

@@ -0,0 +1,76 @@

+package redirector

+

+import (

+	"net/http"

+	"net/url"

+	"strings"

+

+	oauthhandlers "github.com/openshift/origin/pkg/auth/oauth/handlers"

+)

+

+const (

+	// URLToken in the query of the redirectURL gets replaced with the original request URL, escaped as a query parameter.

+	// Example use: https://www.example.com/login?then=${url}

+	URLToken = "${url}"

+

+	// QueryToken in the query of the redirectURL gets replaced with the original request URL, unescaped.

+	// Example use: https://www.example.com/sso/oauth/authorize?${query}

+	QueryToken = "${query}"

+)

+

+// NewRedirector returns an oauthhandlers.AuthenticationRedirector that redirects to the specified redirectURL.

+// Request URLs missing scheme/host, or with relative paths are resolved relative to the baseRequestURL, if specified.

+// The following tokens are replaceable in the query of the redirectURL:

+//   ${url} is replaced with the current request URL, escaped as a query parameter. Example: https://www.example.com/login?then=${url}

+//   ${query} is replaced with the current request query, unescaped. Example: https://www.example.com/sso/oauth/authorize?${query}

+func NewRedirector(baseRequestURL *url.URL, redirectURL string) oauthhandlers.AuthenticationRedirector {

+	return &redirector{BaseRequestURL: baseRequestURL, RedirectURL: redirectURL}

+}

+

+// NewChallenger returns an oauthhandlers.AuthenticationChallenger that returns a Location header to the specified redirectURL.

+// Request URLs missing scheme/host, or with relative paths are resolved relative to the baseRequestURL, if specified.

+// The following tokens are replaceable in the query of the redirectURL:

+//   ${url} is replaced with the current request URL, escaped as a query parameter. Example: https://www.example.com/login?then=${url}

+//   ${query} is replaced with the current request query, unescaped. Example: https://www.example.com/sso/oauth/authorize?${query}

+func NewChallenger(baseRequestURL *url.URL, redirectURL string) oauthhandlers.AuthenticationChallenger {

+	return &redirector{BaseRequestURL: baseRequestURL, RedirectURL: redirectURL}

+}

+

+type redirector struct {

+	BaseRequestURL *url.URL

+	RedirectURL    string

+}

+

+// AuthenticationChallenge returns a Location header to the configured RedirectURL (which should return a challenge)

+func (r *redirector) AuthenticationChallenge(req *http.Request) (http.Header, error) {

+	redirectURL, err := buildRedirectURL(r.RedirectURL, r.BaseRequestURL, req.URL)

+	if err != nil {

+		return nil, err

+	}

+	headers := http.Header{}

+	headers.Add("Location", redirectURL.String())

+	return headers, nil

+}

+

+// AuthenticationRedirect redirects to the configured RedirectURL

+func (r *redirector) AuthenticationRedirect(w http.ResponseWriter, req *http.Request) error {

+	redirectURL, err := buildRedirectURL(r.RedirectURL, r.BaseRequestURL, req.URL)

+	if err != nil {

+		return nil

+	}

+	http.Redirect(w, req, redirectURL.String(), http.StatusFound)

+	return nil

+}

+

+func buildRedirectURL(redirectTemplate string, baseRequestURL, requestURL *url.URL) (*url.URL, error) {

+	if baseRequestURL != nil {

+		requestURL = baseRequestURL.ResolveReference(requestURL)

+	}

+	redirectURL, err := url.Parse(redirectTemplate)

+	if err != nil {

+		return nil, err

+	}

+	redirectURL.RawQuery = strings.Replace(redirectURL.RawQuery, QueryToken, requestURL.RawQuery, -1)

+	redirectURL.RawQuery = strings.Replace(redirectURL.RawQuery, URLToken, url.QueryEscape(requestURL.String()), -1)

+	return redirectURL, nil

+}

@@ -95,7 +95,22 @@ func (authHandler *unionAuthenticationHandler) AuthenticationNeeded(apiClient au

 		if len(headers) > 0 {

 			mergeHeaders(w.Header(), headers)

-			w.WriteHeader(http.StatusUnauthorized)

+

+			redirectHeader := w.Header().Get("Location")

+			redirectHeaders := w.Header()[http.CanonicalHeaderKey("Location")]

+			challengeHeader := w.Header().Get("WWW-Authenticate")

+			switch {

+			case len(redirectHeader) > 0 && len(challengeHeader) > 0:

+				errors = append(errors, fmt.Errorf("redirect header (Location: %s) and challenge header (WWW-Authenticate: %s) cannot both be set", redirectHeader, challengeHeader))

+				return false, kerrors.NewAggregate(errors)

+			case len(redirectHeaders) > 1:

+				errors = append(errors, fmt.Errorf("cannot set multiple redirect headers: %s", strings.Join(redirectHeaders, ", ")))

+				return false, kerrors.NewAggregate(errors)

+			case len(redirectHeader) > 0:

+				w.WriteHeader(http.StatusFound)

+			default:

+				w.WriteHeader(http.StatusUnauthorized)

+			}

 			// Print Misc Warning headers (code 199) to the body

 			if warnings, hasWarnings := w.Header()[http.CanonicalHeaderKey("Warning")]; hasWarnings {

@@ -161,6 +161,64 @@ func TestWithChallengeErrorsAndMergedSuccess(t *testing.T) {

 	if !(reflect.DeepEqual(map[string][]string(responseRecorder.HeaderMap), expectedHeader1) || reflect.DeepEqual(map[string][]string(responseRecorder.HeaderMap), expectedHeader2)) {

 		t.Errorf("Expected %#v or %#v, got %#v.", expectedHeader1, expectedHeader2, responseRecorder.HeaderMap)

 	}

+	if responseRecorder.Code != 401 {

+		t.Errorf("Expected 401, got %d", responseRecorder.Code)

+	}

+}

+

+func TestWithChallengeAndRedirect(t *testing.T) {

+	expectedError := "Location"

+	workingChallengeHandler1 := &mockChallenger{headerName: "Location", headerValue: "https://example.com"}

+	workingChallengeHandler2 := &mockChallenger{headerName: "WWW-Authenticate", headerValue: "Basic"}

+

+	authHandler := NewUnionAuthenticationHandler(

+		map[string]AuthenticationChallenger{

+			"first":  workingChallengeHandler1,

+			"second": workingChallengeHandler2,

+		}, nil, nil)

+	client := &testClient{&oauthapi.OAuthClient{RespondWithChallenges: true}}

+	req, _ := http.NewRequest("GET", "http://example.org", nil)

+	responseRecorder := httptest.NewRecorder()

+	handled, err := authHandler.AuthenticationNeeded(client, responseRecorder, req)

+

+	if err == nil {

+		t.Errorf("Expected error, got none")

+	} else if !strings.Contains(err.Error(), expectedError) {

+		t.Errorf("Expected error containing %q, got %v", expectedError, err)

+	}

+	if handled {

+		t.Error("Unexpected handling.")

+	}

+}

+

+func TestWithRedirect(t *testing.T) {

+	workingChallengeHandler1 := &mockChallenger{headerName: "Location", headerValue: "https://example.com"}

+

+	// order of the array is not guaranteed

+	expectedHeader1 := map[string][]string{"Location": {"https://example.com"}}

+

+	authHandler := NewUnionAuthenticationHandler(

+		map[string]AuthenticationChallenger{

+			"first": workingChallengeHandler1,

+		},

+		nil, nil)

+	client := &testClient{&oauthapi.OAuthClient{RespondWithChallenges: true}}

+	req, _ := http.NewRequest("GET", "http://example.org", nil)

+	responseRecorder := httptest.NewRecorder()

+	handled, err := authHandler.AuthenticationNeeded(client, responseRecorder, req)

+

+	if err != nil {

+		t.Errorf("Unexpected error: %v", err)

+	}

+	if !handled {

+		t.Error("Expected handling.")

+	}

+	if !reflect.DeepEqual(map[string][]string(responseRecorder.HeaderMap), expectedHeader1) {

+		t.Errorf("Expected %#v, got %#v.", expectedHeader1, responseRecorder.HeaderMap)

+	}

+	if responseRecorder.Code != 302 {

+		t.Errorf("Expected 302, got %d", responseRecorder.Code)

+	}

 }

 type badTestClient struct {

@@ -89,7 +89,7 @@ func (o *LoginOptions) getClientConfig() (*kclient.Config, error) {

 				defaultServer := defaultClusterURL

 				promptMsg := fmt.Sprintf("Server [%s]: ", defaultServer)

-				o.Server = cmdutil.PromptForStringWithDefault(o.Reader, defaultServer, promptMsg)

+				o.Server = cmdutil.PromptForStringWithDefault(o.Reader, o.Out, defaultServer, promptMsg)

 			}

 		}

 	}

@@ -133,6 +133,9 @@ func (o *LoginOptions) getClientConfig() (*kclient.Config, error) {

 		switch {

 		case o.InsecureTLS:

 			clientConfig.Insecure = true

+			// insecure, clear CA info

+			clientConfig.CAFile = ""

+			clientConfig.CAData = nil

 		// certificate issue, prompt user for insecure connection

 		case clientcmd.IsCertificateAuthorityUnknown(result.Error()):

@@ -148,10 +151,13 @@ func (o *LoginOptions) getClientConfig() (*kclient.Config, error) {

 				fmt.Fprintln(o.Out, "The server uses a certificate signed by an unknown authority.")

 				fmt.Fprintln(o.Out, "You can bypass the certificate check, but any data you send to the server could be intercepted by others.")

-				clientConfig.Insecure = cmdutil.PromptForBool(os.Stdin, "Use insecure connections? (y/n): ")

+				clientConfig.Insecure = cmdutil.PromptForBool(os.Stdin, o.Out, "Use insecure connections? (y/n): ")

 				if !clientConfig.Insecure {

 					return nil, fmt.Errorf(clientcmd.GetPrettyMessageFor(result.Error()))

 				}

+				// insecure, clear CA info

+				clientConfig.CAFile = ""

+				clientConfig.CAData = nil

 				fmt.Fprintln(o.Out)

 			}

@@ -216,39 +222,32 @@ func (o *LoginOptions) gatherAuthInfo() error {

 		}

 	}

-	// if a token was provided try to make use of it

-	// make sure we have a username before continuing

-	if !o.usernameProvided() {

-		if cmdutil.IsTerminal(o.Reader) {

-			for !o.usernameProvided() {

-				o.Username = cmdutil.PromptForString(o.Reader, "Username: ")

-			}

-		}

-	}

+	// if a username was provided try to make use of it

+	if o.usernameProvided() {

+		// search all valid contexts with matching server stanzas to see if we have a matching user stanza

+		kubeconfig := *o.StartingKubeConfig

+		matchingClusters := getMatchingClusters(*clientConfig, kubeconfig)

-	// search all valid contexts with matching server stanzas to see if we have a matching user stanza

-	kubeconfig := *o.StartingKubeConfig

-	matchingClusters := getMatchingClusters(*clientConfig, kubeconfig)

+		for key, context := range o.StartingKubeConfig.Contexts {

+			if matchingClusters.Has(context.Cluster) {

+				clientcmdConfig := kclientcmd.NewDefaultClientConfig(kubeconfig, &kclientcmd.ConfigOverrides{CurrentContext: key})

+				if kubeconfigClientConfig, err := clientcmdConfig.ClientConfig(); err == nil {

+					if osClient, err := client.New(kubeconfigClientConfig); err == nil {

+						if me, err := whoAmI(osClient); err == nil && (o.Username == me.Name) {

+							clientConfig.BearerToken = kubeconfigClientConfig.BearerToken

+							clientConfig.CertFile = kubeconfigClientConfig.CertFile

+							clientConfig.CertData = kubeconfigClientConfig.CertData

+							clientConfig.KeyFile = kubeconfigClientConfig.KeyFile

+							clientConfig.KeyData = kubeconfigClientConfig.KeyData

-	for key, context := range o.StartingKubeConfig.Contexts {

-		if matchingClusters.Has(context.Cluster) {

-			clientcmdConfig := kclientcmd.NewDefaultClientConfig(kubeconfig, &kclientcmd.ConfigOverrides{CurrentContext: key})

-			if kubeconfigClientConfig, err := clientcmdConfig.ClientConfig(); err == nil {

-				if osClient, err := client.New(kubeconfigClientConfig); err == nil {

-					if me, err := whoAmI(osClient); err == nil && (o.Username == me.Name) {

-						clientConfig.BearerToken = kubeconfigClientConfig.BearerToken

-						clientConfig.CertFile = kubeconfigClientConfig.CertFile

-						clientConfig.CertData = kubeconfigClientConfig.CertData

-						clientConfig.KeyFile = kubeconfigClientConfig.KeyFile

-						clientConfig.KeyData = kubeconfigClientConfig.KeyData

+							o.Config = clientConfig

-						o.Config = clientConfig

+							if key == o.StartingKubeConfig.CurrentContext {

+								fmt.Fprintf(o.Out, "Logged into %q as %q using existing credentials.\n\n", o.Config.Host, o.Username)

+							}

-						if key == o.StartingKubeConfig.CurrentContext {

-							fmt.Fprintf(o.Out, "Already logged into %q as %q.\n\n", o.Config.Host, o.Username)

+							return nil

 						}

-

-						return nil

 					}

 				}

 			}

@@ -515,6 +515,22 @@ type LDAPAttributes struct {

 type RequestHeaderIdentityProvider struct {

 	api.TypeMeta

+	// LoginURL is a URL to redirect unauthenticated /authorize requests to

+	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here

+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter

+	//   https://www.example.com/sso-login?then=${url}

+	// ${query} is replaced with the current query string

+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}

+	LoginURL string

+

+	// ChallengeURL is a URL to redirect unauthenticated /authorize requests to

+	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here

+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter

+	//   https://www.example.com/sso-login?then=${url}

+	// ${query} is replaced with the current query string

+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}

+	ChallengeURL string

+

 	// ClientCA is a file with the trusted signer certs.  If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.

 	ClientCA string

 	// Headers is the set of headers to check for identity information

@@ -501,6 +501,22 @@ type LDAPAttributes struct {

 type RequestHeaderIdentityProvider struct {

 	v1.TypeMeta `json:",inline"`

+	// LoginURL is a URL to redirect unauthenticated /authorize requests to

+	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here

+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter

+	//   https://www.example.com/sso-login?then=${url}

+	// ${query} is replaced with the current query string

+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}

+	LoginURL string `json:"loginURL"`

+

+	// ChallengeURL is a URL to redirect unauthenticated /authorize requests to

+	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here

+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter

+	//   https://www.example.com/sso-login?then=${url}

+	// ${query} is replaced with the current query string

+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}

+	ChallengeURL string `json:"challengeURL"`

+

 	// ClientCA is a file with the trusted signer certs.  If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.

 	ClientCA string `json:"clientCA"`

 	// Headers is the set of headers to check for identity information

@@ -182,9 +182,11 @@ oauthConfig:

     name: ""

     provider:

       apiVersion: v1

+      challengeURL: ""

       clientCA: ""

       headers: null

       kind: RequestHeaderIdentityProvider

+      loginURL: ""

   - challenge: false

     login: false

     name: ""

@@ -5,6 +5,7 @@ import (

 	"strings"

 	"github.com/openshift/origin/pkg/auth/authenticator/password/ldappassword"

+	"github.com/openshift/origin/pkg/auth/authenticator/redirector"

 	"github.com/openshift/origin/pkg/cmd/server/api"

 	"github.com/openshift/origin/pkg/cmd/server/api/latest"

 	"github.com/openshift/origin/pkg/user/api/validation"

@@ -35,6 +36,10 @@ func ValidateOAuthConfig(config *api.OAuthConfig) ValidationResults {

 	providerNames := util.NewStringSet()

 	redirectingIdentityProviders := []string{}

+

+	challengeIssuingIdentityProviders := []string{}

+	challengeRedirectingIdentityProviders := []string{}

+

 	for i, identityProvider := range config.IdentityProviders {

 		if identityProvider.UseAsLogin {

 			redirectingIdentityProviders = append(redirectingIdentityProviders, identityProvider.Name)

@@ -46,6 +51,16 @@ func ValidateOAuthConfig(config *api.OAuthConfig) ValidationResults {

 			}

 		}

+		if identityProvider.UseAsChallenger {

+			// RequestHeaderIdentityProvider is special, it can only react to challenge clients by redirecting them

+			// Make sure we don't have more than a single redirector, and don't have a mix of challenge issuers and redirectors

+			if _, isRequestHeader := identityProvider.Provider.Object.(*api.RequestHeaderIdentityProvider); isRequestHeader {

+				challengeRedirectingIdentityProviders = append(challengeRedirectingIdentityProviders, identityProvider.Name)

+			} else {

+				challengeIssuingIdentityProviders = append(challengeIssuingIdentityProviders, identityProvider.Name)

+			}

+		}

+

 		validationResults.Append(ValidateIdentityProvider(identityProvider).Prefix(fmt.Sprintf("identityProvider[%d]", i)))

 		if len(identityProvider.Name) > 0 {

@@ -57,7 +72,18 @@ func ValidateOAuthConfig(config *api.OAuthConfig) ValidationResults {

 	}

 	if len(redirectingIdentityProviders) > 1 {

-		validationResults.AddErrors(fielderrors.NewFieldInvalid("identityProviders", config.IdentityProviders, fmt.Sprintf("only one identity provider can support login for a browser, found: %v", redirectingIdentityProviders)))

+		validationResults.AddErrors(fielderrors.NewFieldInvalid("identityProviders", "login", fmt.Sprintf("only one identity provider can support login for a browser, found: %v", strings.Join(redirectingIdentityProviders, ", "))))

+	}

+	if len(challengeRedirectingIdentityProviders) > 1 {

+		validationResults.AddErrors(fielderrors.NewFieldInvalid("identityProviders", "challenge", fmt.Sprintf("only one identity provider can redirect clients requesting an authentication challenge, found: %v", strings.Join(challengeRedirectingIdentityProviders, ", "))))

+	}

+	if len(challengeRedirectingIdentityProviders) > 0 && len(challengeIssuingIdentityProviders) > 0 {

+		validationResults.AddErrors(

+			fielderrors.NewFieldInvalid("identityProviders", "challenge", fmt.Sprintf(

+				"cannot mix providers that redirect clients requesting auth challenges (%s) with providers issuing challenges to those clients (%s)",

+				strings.Join(challengeRedirectingIdentityProviders, ", "),

+				strings.Join(challengeIssuingIdentityProviders, ", "),

+			)))

 	}

 	return validationResults

@@ -78,7 +104,7 @@ func ValidateIdentityProvider(identityProvider api.IdentityProvider) ValidationR

 	} else {

 		switch provider := identityProvider.Provider.Object.(type) {

 		case (*api.RequestHeaderIdentityProvider):

-			validationResults.AddErrors(ValidateRequestHeaderIdentityProvider(provider, identityProvider)...)

+			validationResults.Append(ValidateRequestHeaderIdentityProvider(provider, identityProvider))

 		case (*api.BasicAuthPasswordIdentityProvider):

 			validationResults.AddErrors(ValidateRemoteConnectionInfo(provider.RemoteConnectionInfo).Prefix("provider")...)

@@ -152,23 +178,59 @@ func ValidateLDAPIdentityProvider(provider *api.LDAPPasswordIdentityProvider, id

 	return validationResults

 }

-func ValidateRequestHeaderIdentityProvider(provider *api.RequestHeaderIdentityProvider, identityProvider api.IdentityProvider) fielderrors.ValidationErrorList {

-	allErrs := fielderrors.ValidationErrorList{}

+func ValidateRequestHeaderIdentityProvider(provider *api.RequestHeaderIdentityProvider, identityProvider api.IdentityProvider) ValidationResults {

+	validationResults := ValidationResults{}

 	if len(provider.ClientCA) > 0 {

-		allErrs = append(allErrs, ValidateFile(provider.ClientCA, "provider.clientCA")...)

+		validationResults.AddErrors(ValidateFile(provider.ClientCA, "provider.clientCA")...)

 	}

 	if len(provider.Headers) == 0 {

-		allErrs = append(allErrs, fielderrors.NewFieldRequired("provider.headers"))

+		validationResults.AddErrors(fielderrors.NewFieldRequired("provider.headers"))

 	}

-	if identityProvider.UseAsChallenger {

-		allErrs = append(allErrs, fielderrors.NewFieldInvalid("challenge", identityProvider.UseAsChallenger, "request header providers cannot be used for challenges"))

+	if identityProvider.UseAsChallenger && len(provider.ChallengeURL) == 0 {

+		err := fielderrors.NewFieldRequired("provider.challengeURL")

+		err.Detail = "challengeURL is required if challenge=true"

+		validationResults.AddErrors(err)

 	}

-	if identityProvider.UseAsLogin {

-		allErrs = append(allErrs, fielderrors.NewFieldInvalid("login", identityProvider.UseAsChallenger, "request header providers cannot be used for browser login"))

+	if identityProvider.UseAsLogin && len(provider.LoginURL) == 0 {

+		err := fielderrors.NewFieldRequired("provider.loginURL")

+		err.Detail = "loginURL is required if login=true"

+		validationResults.AddErrors(err)

 	}

-	return allErrs

+	if len(provider.ChallengeURL) > 0 {

+		url, urlErrs := ValidateURL(provider.ChallengeURL, "provider.challengeURL")

+		validationResults.AddErrors(urlErrs...)

+		if len(urlErrs) == 0 && !strings.Contains(url.RawQuery, redirector.URLToken) && !strings.Contains(url.RawQuery, redirector.QueryToken) {

+			validationResults.AddWarnings(

+				fielderrors.NewFieldInvalid(

+					"provider.challengeURL",

+					provider.ChallengeURL,

+					fmt.Sprintf("query does not include %q or %q, redirect will not preserve original authorize parameters", redirector.URLToken, redirector.QueryToken),

+				),

+			)

+		}

+	}

+	if len(provider.LoginURL) > 0 {

+		url, urlErrs := ValidateURL(provider.LoginURL, "provider.loginURL")

+		validationResults.AddErrors(urlErrs...)

+		if len(urlErrs) == 0 && !strings.Contains(url.RawQuery, redirector.URLToken) && !strings.Contains(url.RawQuery, redirector.QueryToken) {

+			validationResults.AddWarnings(

+				fielderrors.NewFieldInvalid(

+					"provider.loginURL",

+					provider.LoginURL,

+					fmt.Sprintf("query does not include %q or %q, redirect will not preserve original authorize parameters", redirector.URLToken, redirector.QueryToken),

+				),

+			)

+		}

+	}

+

+	// Warn if it looks like they expect direct requests to the OAuth endpoints, and have not secured the header checking with a client certificate check

+	if len(provider.ClientCA) == 0 && (len(provider.ChallengeURL) > 0 || len(provider.LoginURL) > 0) {

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("provider.clientCA", "", "if no clientCA is set, no request verification is done, and any request directly against the OAuth server can impersonate any identity from this provider"))

+	}

+

+	return validationResults

 }

 func ValidateOAuthIdentityProvider(clientID, clientSecret string, challenge bool) fielderrors.ValidationErrorList {

@@ -28,6 +28,7 @@ import (

 	"github.com/openshift/origin/pkg/auth/authenticator/password/denypassword"

 	"github.com/openshift/origin/pkg/auth/authenticator/password/htpasswd"

 	"github.com/openshift/origin/pkg/auth/authenticator/password/ldappassword"

+	"github.com/openshift/origin/pkg/auth/authenticator/redirector"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/basicauthrequest"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/headerrequest"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"

@@ -323,6 +324,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 	for _, identityProvider := range c.Options.IdentityProviders {

 		identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(c.IdentityRegistry, c.UserRegistry)

+		// TODO: refactor handler building per type

 		if configapi.IsPasswordAuthenticator(identityProvider) {

 			passwordAuth, err := c.getPasswordAuthenticator(identityProvider)

 			if err != nil {

@@ -338,14 +340,15 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 				}

 				passwordSuccessHandler := handlers.AuthenticationSuccessHandlers{c.SessionAuth, redirectSuccessHandler{}}

-				redirectors["login"] = &redirector{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"}

+				// Since we're redirecting to a local login page, we don't need to force absolute URL resolution

+				redirectors["login-"+identityProvider.Name+"-redirect"] = redirector.NewRedirector(nil, OpenShiftLoginPrefix+"?then=${url}")

 				login := login.NewLogin(c.getCSRF(), &callbackPasswordAuthenticator{passwordAuth, passwordSuccessHandler}, login.DefaultLoginFormRenderer)

 				login.Install(mux, OpenShiftLoginPrefix)

 			}

 			if identityProvider.UseAsChallenger {

-				challengers["login"] = passwordchallenger.NewBasicAuthChallenger("openshift")

+				// For now, all password challenges share a single basic challenger, since they'll all respond to any basic credentials

+				challengers["basic-challenge"] = passwordchallenger.NewBasicAuthChallenger("openshift")

 			}

-

 		} else if configapi.IsOAuthIdentityProvider(identityProvider) {

 			oauthProvider, err := c.getOAuthProvider(identityProvider)

 			if err != nil {

@@ -374,11 +377,23 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 			mux.Handle(callbackPath, oauthHandler)

 			if identityProvider.UseAsLogin {

-				redirectors[identityProvider.Name] = oauthHandler

+				redirectors["oauth-"+identityProvider.Name+"-redirect"] = oauthHandler

 			}

 			if identityProvider.UseAsChallenger {

 				return nil, errors.New("oauth identity providers cannot issue challenges")

 			}

+		} else if requestHeaderProvider, isRequestHeader := identityProvider.Provider.Object.(*configapi.RequestHeaderIdentityProvider); isRequestHeader {

+			// We might be redirecting to an external site, we need to fully resolve the request URL to the public master

+			baseRequestURL, err := url.Parse(c.Options.MasterPublicURL + OpenShiftOAuthAPIPrefix + osinserver.AuthorizePath)

+			if err != nil {

+				return nil, err

+			}

+			if identityProvider.UseAsChallenger {

+				challengers["requestheader-"+identityProvider.Name+"-redirect"] = redirector.NewChallenger(baseRequestURL, requestHeaderProvider.ChallengeURL)

+			}

+			if identityProvider.UseAsLogin {

+				redirectors["requestheader-"+identityProvider.Name+"-redirect"] = redirector.NewRedirector(baseRequestURL, requestHeaderProvider.LoginURL)

+			}

 		}

 	}

@@ -554,27 +569,6 @@ func (c *AuthConfig) getAuthenticationRequestHandler() (authenticator.Request, e

 	return authRequestHandler, nil

 }

-// redirector captures the original request url as a "then" param in a redirect to a login flow

-type redirector struct {

-	RedirectURL string

-	ThenParam   string

-}

-

-// AuthenticationRedirect redirects HTTP request to authorization URL

-func (auth *redirector) AuthenticationRedirect(w http.ResponseWriter, req *http.Request) error {

-	redirectURL, err := url.Parse(auth.RedirectURL)

-	if err != nil {

-		return err

-	}

-	if len(auth.ThenParam) != 0 {

-		redirectURL.RawQuery = url.Values{

-			auth.ThenParam: {req.URL.String()},

-		}.Encode()

-	}

-	http.Redirect(w, req, redirectURL.String(), http.StatusFound)

-	return nil

-}

-

 // callbackPasswordAuthenticator combines password auth, successful login callback,

 // and "then" param redirection

 type callbackPasswordAuthenticator struct {

@@ -12,13 +12,21 @@ import (

 )

 // PromptForString takes an io.Reader and prompts for user input if it's a terminal, returning the result.

-func PromptForString(r io.Reader, format string, a ...interface{}) string {

-	fmt.Printf(format, a...)

+func PromptForString(r io.Reader, w io.Writer, format string, a ...interface{}) string {

+	if w == nil {

+		w = os.Stdout

+	}

+

+	fmt.Fprintf(w, format, a...)

 	return readInput(r)

 }

 // PromptForPasswordString prompts for user input by disabling echo in terminal, useful for password prompt.

-func PromptForPasswordString(r io.Reader, format string, a ...interface{}) string {

+func PromptForPasswordString(r io.Reader, w io.Writer, format string, a ...interface{}) string {

+	if w == nil {

+		w = os.Stdout

+	}

+

 	if file, ok := r.(*os.File); ok {

 		inFd := file.Fd()

@@ -26,10 +34,10 @@ func PromptForPasswordString(r io.Reader, format string, a ...interface{}) strin

 			oldState, err := term.SaveState(inFd)

 			if err != nil {

 				glog.V(3).Infof("Unable to save terminal state")

-				return PromptForString(r, format, a...)

+				return PromptForString(r, w, format, a...)

 			}

-			fmt.Printf(format, a...)

+			fmt.Fprintf(w, format, a...)

 			term.DisableEcho(inFd, oldState)

@@ -37,22 +45,26 @@ func PromptForPasswordString(r io.Reader, format string, a ...interface{}) strin

 			defer term.RestoreTerminal(inFd, oldState)

-			fmt.Printf("\n")

+			fmt.Fprintf(w, "\n")

 			return input

 		}

 		glog.V(3).Infof("Stdin is not a terminal")

-		return PromptForString(r, format, a...)

+		return PromptForString(r, w, format, a...)

 	}

-	return PromptForString(r, format, a...)

+	return PromptForString(r, w, format, a...)

 }

 // PromptForBool prompts for user input of a boolean value. The accepted values are:

 //   yes, y, true, 	t, 1 (not case sensitive)

 //   no, 	n, false, f, 0 (not case sensitive)

 // A valid answer is mandatory so it will keep asking until an answer is provided.

-func PromptForBool(r io.Reader, format string, a ...interface{}) bool {

-	str := PromptForString(r, format, a...)

+func PromptForBool(r io.Reader, w io.Writer, format string, a ...interface{}) bool {

+	if w == nil {

+		w = os.Stdout

+	}

+

+	str := PromptForString(r, w, format, a...)

 	switch strings.ToLower(str) {

 	case "1", "t", "true", "y", "yes":

 		return true

@@ -60,12 +72,16 @@ func PromptForBool(r io.Reader, format string, a ...interface{}) bool {

 		return false

 	}

 	fmt.Println("Please enter 'yes' or 'no'.")

-	return PromptForBool(r, format, a...)

+	return PromptForBool(r, w, format, a...)

 }

 // PromptForStringWithDefault prompts for user input but take a default in case nothing is provided.

-func PromptForStringWithDefault(r io.Reader, def string, format string, a ...interface{}) string {

-	s := PromptForString(r, format, a...)

+func PromptForStringWithDefault(r io.Reader, w io.Writer, def string, format string, a ...interface{}) string {

+	if w == nil {

+		w = os.Stdout

+	}

+

+	s := PromptForString(r, w, format, a...)

 	if len(s) == 0 {

 		return def

 	}

new file mode 100644

@@ -0,0 +1,119 @@

+package tokencmd

+

+import (

+	"encoding/base64"

+	"fmt"

+	"io"

+	"net/http"

+	"os"

+	"regexp"

+

+	"github.com/golang/glog"

+

+	"github.com/openshift/origin/pkg/cmd/util"

+)

+

+type BasicChallengeHandler struct {

+	// Host is the server being authenticated to. Used only for displaying messages when prompting for username/password

+	Host string

+

+	// Reader is used to prompt for username/password. If nil, no prompting is done

+	Reader io.Reader

+	// Writer is used to output prompts. If nil, stdout is used

+	Writer io.Writer

+

+	// Username is the username to use when challenged. If empty, a prompt is issued to a non-nil Reader

+	Username string

+	// Password is the password to use when challenged. If empty, a prompt is issued to a non-nil Reader

+	Password string

+

+	// handled tracks whether this handler has already handled a challenge.

+	handled bool

+	// prompted tracks whether this handler has already prompted for a username and/or password.

+	prompted bool

+}

+

+func (c *BasicChallengeHandler) CanHandle(headers http.Header) bool {

+	isBasic, _ := basicRealm(headers)

+	return isBasic

+}

+func (c *BasicChallengeHandler) HandleChallenge(headers http.Header) (http.Header, bool, error) {

+	if c.prompted {

+		glog.V(2).Info("already prompted for challenge, won't prompt again")

+		return nil, false, nil

+	}

+	if c.Reader == nil && c.handled {

+		glog.V(2).Info("already handled basic challenge, no reader to alter inputs")

+		return nil, false, nil

+	}

+

+	username := c.Username

+	password := c.Password

+

+	missingUsername := len(username) == 0

+	missingPassword := len(password) == 0

+

+	if (missingUsername || missingPassword) && c.Reader != nil {

+		w := c.Writer

+		if w == nil {

+			w = os.Stdout

+		}

+

+		if _, realm := basicRealm(headers); len(realm) > 0 {

+			fmt.Fprintf(w, "Authentication required for %s (%s)\n", c.Host, realm)

+		} else {

+			fmt.Fprintf(w, "Authentication required for %s\n", c.Host)

+		}

+		if missingUsername {

+			username = util.PromptForString(c.Reader, w, "Username: ")

+		} else {

+			fmt.Fprintf(w, "Username: %s\n", username)

+		}

+		if missingPassword {

+			password = util.PromptForPasswordString(c.Reader, w, "Password: ")

+		}

+		// remember so we don't re-prompt

+		c.prompted = true

+	}

+

+	if len(username) > 0 || len(password) > 0 {

+		responseHeaders := http.Header{}

+		responseHeaders.Set("Authorization", getBasicHeader(username, password))

+		// remember so we don't re-handle non-interactively

+		c.handled = true

+		return responseHeaders, true, nil

+	}

+

+	glog.V(2).Info("no username or password available")

+	return nil, false, nil

+}

+

+// if any of these match a WWW-Authenticate header, it is a basic challenge

+// capturing group 1 (if present) should contain the realm

+var basicRegexes = []*regexp.Regexp{

+	// quoted realm

+	regexp.MustCompile(`(?i)^\s*basic\s+realm\s*=\s*"(.*?)"\s*(,|$)`),

+	// token realm

+	regexp.MustCompile(`(?i)^\s*basic\s+realm\s*=\s*(.*?)\s*(,|$)`),

+	// no realm

+	regexp.MustCompile(`(?i)^\s*basic(?:\s+|$)`),

+}

+

+func basicRealm(headers http.Header) (bool, string) {

+	for _, challengeHeader := range headers[http.CanonicalHeaderKey("WWW-Authenticate")] {

+		for _, r := range basicRegexes {

+			if matches := r.FindStringSubmatch(challengeHeader); matches != nil {

+				if len(matches) > 1 {

+					// We got a realm as well

+					return true, matches[1]

+				}

+				// No realm, but still basic

+				return true, ""

+			}

+		}

+	}

+	return false, ""

+}

+func getBasicHeader(username, password string) string {

+	return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))

+}

new file mode 100644

@@ -0,0 +1,296 @@

+package tokencmd

+

+import (

+	"bytes"

+	"net/http"

+	"reflect"

+	"testing"

+)

+

+var (

+	AUTHORIZATION    = http.CanonicalHeaderKey("Authorization")

+	WWW_AUTHENTICATE = http.CanonicalHeaderKey("WWW-Authenticate")

+)

+

+type Challenge struct {

+	Headers http.Header

+

+	ExpectedCanHandle bool

+	ExpectedHeaders   http.Header

+	ExpectedHandled   bool

+	ExpectedErr       error

+	ExpectedPrompt    string

+}

+

+func TestHandleChallenge(t *testing.T) {

+

+	basicChallenge := http.Header{WWW_AUTHENTICATE: []string{`Basic realm="myrealm"`}}

+

+	testCases := map[string]struct {

+		Handler    *BasicChallengeHandler

+		Challenges []Challenge

+	}{

+		"non-interactive with no defaults": {

+			Handler: &BasicChallengeHandler{

+				Host:     "myhost",

+				Reader:   nil,

+				Username: "",

+				Password: "",

+			},

+			Challenges: []Challenge{

+				{

+					Headers:           basicChallenge,

+					ExpectedCanHandle: true,

+					ExpectedHeaders:   nil,

+					ExpectedHandled:   false,

+					ExpectedErr:       nil,

+					ExpectedPrompt:    "",

+				},

+			},

+		},

+

+		"non-interactive challenge with defaults": {

+			Handler: &BasicChallengeHandler{

+				Host:     "myhost",

+				Reader:   nil,

+				Username: "myuser",

+				Password: "mypassword",

+			},

+			Challenges: []Challenge{

+				{

+					Headers:           basicChallenge,

+					ExpectedCanHandle: true,

+					ExpectedHeaders:   http.Header{AUTHORIZATION: []string{getBasicHeader("myuser", "mypassword")}},

+					ExpectedHandled:   true,

+					ExpectedErr:       nil,

+					ExpectedPrompt:    "",

+				},

+				{

+					Headers:           basicChallenge,

+					ExpectedCanHandle: true,

+					ExpectedHeaders:   nil,

+					ExpectedHandled:   false,

+					ExpectedErr:       nil,

+					ExpectedPrompt:    "",

+				},

+			},

+		},

+

+		"interactive challenge with default user": {

+			Handler: &BasicChallengeHandler{

+				Host:     "myhost",

+				Reader:   bytes.NewBufferString("mypassword\n"),

+				Username: "myuser",

+				Password: "",

+			},

+			Challenges: []Challenge{

+				{

+					Headers:           basicChallenge,

+					ExpectedCanHandle: true,

+					ExpectedHeaders:   http.Header{AUTHORIZATION: []string{getBasicHeader("myuser", "mypassword")}},

+					ExpectedHandled:   true,

+					ExpectedErr:       nil,

+					ExpectedPrompt: `Authentication required for myhost (myrealm)

+Username: myuser

+Password: `,

+				},

+			},

+		},

+

+		"interactive challenge": {

+			Handler: &BasicChallengeHandler{

+				Host:     "myhost",

+				Reader:   bytes.NewBufferString("myuser\nmypassword\n"),

+				Username: "",

+				Password: "",

+			},

+			Challenges: []Challenge{

+				{

+					Headers:           basicChallenge,

+					ExpectedCanHandle: true,

+					ExpectedHeaders:   http.Header{AUTHORIZATION: []string{getBasicHeader("myuser", "mypassword")}},

+					ExpectedHandled:   true,

+					ExpectedErr:       nil,

+					ExpectedPrompt: `Authentication required for myhost (myrealm)

+Username: Password: `,

+				},

+				{