@@ -13,6 +13,12 @@ storage:

 auth:

   openshift:

     realm: openshift

+    

+    # tokenrealm is a base URL to use for the token-granting registry endpoint.

+    # If unspecified, the scheme and host for the token redirect are determined from the incoming request.

+    # If specified, a scheme and host must be chosen that all registry clients can resolve and access:

+    #

+    # tokenrealm: https://example.com:5000

 middleware:

   registry:

     - name: openshift

@@ -7,7 +7,6 @@ import (

 	"io"

 	"io/ioutil"

 	"net/http"

-	"net/url"

 	"os"

 	"time"

@@ -47,28 +46,6 @@ func Execute(configFile io.Reader) {

 		log.Fatalf("Error parsing configuration file: %s", err)

 	}

-	tokenPath := "/openshift/token"

-

-	// If needed, generate and populate the token realm URL in the config.

-	// Must be done prior to instantiating the app, so our auth provider has the config available.

-	_, usingOpenShiftAuth := config.Auth[server.OpenShiftAuth]

-	_, hasTokenRealm := config.Auth[server.OpenShiftAuth][server.TokenRealmKey].(string)

-	if usingOpenShiftAuth && !hasTokenRealm {

-		registryHost := os.Getenv(server.DockerRegistryURLEnvVar)

-		if len(registryHost) == 0 {

-			log.Fatalf("%s is required", server.DockerRegistryURLEnvVar)

-		}

-		tokenURL := &url.URL{Scheme: "https", Host: registryHost, Path: tokenPath}

-		if len(config.HTTP.TLS.Certificate) == 0 {

-			tokenURL.Scheme = "http"

-		}

-

-		if config.Auth[server.OpenShiftAuth] == nil {

-			config.Auth[server.OpenShiftAuth] = configuration.Parameters{}

-		}

-		config.Auth[server.OpenShiftAuth][server.TokenRealmKey] = tokenURL.String()

-	}

-

 	ctx := context.Background()

 	ctx, err = configureLogging(ctx, config)

 	if err != nil {

@@ -82,8 +59,16 @@ func Execute(configFile io.Reader) {

 	app := handlers.NewApp(ctx, config)

 	// Add a token handling endpoint

-	if usingOpenShiftAuth {

-		app.NewRoute().Methods("GET").PathPrefix(tokenPath).Handler(server.NewTokenHandler(ctx, server.DefaultRegistryClient))

+	if options, usingOpenShiftAuth := config.Auth[server.OpenShiftAuth]; usingOpenShiftAuth {

+		tokenRealm, err := server.TokenRealm(options)

+		if err != nil {

+			log.Fatalf("error setting up token auth: %s", err)

+		}

+		err = app.NewRoute().Methods("GET").PathPrefix(tokenRealm.Path).Handler(server.NewTokenHandler(ctx, server.DefaultRegistryClient)).GetError()

+		if err != nil {

+			log.Fatalf("error setting up token endpoint at %q: %v", tokenRealm.Path, err)

+		}

+		log.Debugf("configured token endpoint at %q", tokenRealm.String())

 	}

 	// TODO add https scheme

@@ -4,6 +4,7 @@ import (

 	"errors"

 	"fmt"

 	"net/http"

+	"net/url"

 	"strings"

 	log "github.com/Sirupsen/logrus"

@@ -18,6 +19,7 @@ import (

 	"github.com/openshift/origin/pkg/client"

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

 	imageapi "github.com/openshift/origin/pkg/image/api"

+	"github.com/openshift/origin/pkg/util/httprequest"

 )

 type deferredErrors map[string]error

@@ -36,8 +38,10 @@ func (d deferredErrors) Empty() bool {

 const (

 	OpenShiftAuth = "openshift"

+	defaultTokenPath = "/openshift/token"

+

 	RealmKey      = "realm"

-	TokenRealmKey = "token-realm"

+	TokenRealmKey = "tokenrealm"

 )

 // RegistryClient encapsulates getting access to the OpenShift API.

@@ -113,7 +117,7 @@ func DeferredErrorsFrom(ctx context.Context) (deferredErrors, bool) {

 type AccessController struct {

 	realm      string

-	tokenRealm string

+	tokenRealm *url.URL

 	config     restclient.Config

 }

@@ -147,6 +151,36 @@ var (

 	ErrUnsupportedResource = errors.New("unsupported resource")

 )

+// TokenRealm returns the template URL to use as the token realm redirect.

+// An empty scheme/host in the returned URL means to match the scheme/host on incoming requests.

+func TokenRealm(options map[string]interface{}) (*url.URL, error) {

+	if options[TokenRealmKey] == nil {

+		// If not specified, default to "/openshift/token", auto-detecting the scheme and host

+		return &url.URL{Path: defaultTokenPath}, nil

+	}

+

+	tokenRealmString, ok := options[TokenRealmKey].(string)

+	if !ok {

+		return nil, fmt.Errorf("%s config option must be a string, got %T", TokenRealmKey, options[TokenRealmKey])

+	}

+

+	tokenRealm, err := url.Parse(tokenRealmString)

+	if err != nil {

+		return nil, fmt.Errorf("error parsing URL in %s config option: %v", TokenRealmKey, err)

+	}

+	if len(tokenRealm.RawQuery) > 0 || len(tokenRealm.Fragment) > 0 {

+		return nil, fmt.Errorf("%s config option may not contain query parameters or a fragment", TokenRealmKey)

+	}

+	if len(tokenRealm.Path) > 0 {

+		return nil, fmt.Errorf("%s config option may not contain a path (%q was specified)", TokenRealmKey, tokenRealm.Path)

+	}

+

+	// pin to "/openshift/token"

+	tokenRealm.Path = defaultTokenPath

+

+	return tokenRealm, nil

+}

+

 func newAccessController(options map[string]interface{}) (registryauth.AccessController, error) {

 	log.Info("Using Origin Auth handler")

 	realm, ok := options[RealmKey].(string)

@@ -155,7 +189,10 @@ func newAccessController(options map[string]interface{}) (registryauth.AccessCon

 		realm = "origin"

 	}

-	tokenRealm, _ := options[TokenRealmKey].(string)

+	tokenRealm, err := TokenRealm(options)

+	if err != nil {

+		return nil, err

+	}

 	return &AccessController{realm: realm, tokenRealm: tokenRealm, config: DefaultRegistryClient.SafeClientConfig()}, nil

 }

@@ -193,17 +230,34 @@ func (ac *tokenAuthChallenge) SetHeaders(w http.ResponseWriter) {

 }

 // wrapErr wraps errors related to authorization in an authChallenge error that will present a WWW-Authenticate challenge response

-func (ac *AccessController) wrapErr(err error) error {

+func (ac *AccessController) wrapErr(ctx context.Context, err error) error {

 	switch err {

 	case ErrTokenRequired:

 		// Challenge for errors that involve missing tokens

-		if len(ac.tokenRealm) > 0 {

-			// Direct to token auth if we've been given a place to direct to

-			return &tokenAuthChallenge{realm: ac.tokenRealm, err: err}

-		} else {

-			// Otherwise just send the basic challenge

+		if ac.tokenRealm == nil {

+			// Send the basic challenge if we don't have a place to redirect

 			return &authChallenge{realm: ac.realm, err: err}

 		}

+

+		if len(ac.tokenRealm.Scheme) > 0 && len(ac.tokenRealm.Host) > 0 {

+			// Redirect to token auth if we've been given an absolute URL

+			return &tokenAuthChallenge{realm: ac.tokenRealm.String(), err: err}

+		}

+

+		// Auto-detect scheme/host from request

+		req, reqErr := context.GetRequest(ctx)

+		if reqErr != nil {

+			return reqErr

+		}

+		scheme, host := httprequest.SchemeHost(req)

+		tokenRealmCopy := *ac.tokenRealm

+		if len(tokenRealmCopy.Scheme) == 0 {

+			tokenRealmCopy.Scheme = scheme

+		}

+		if len(tokenRealmCopy.Host) == 0 {

+			tokenRealmCopy.Host = host

+		}

+		return &tokenAuthChallenge{realm: tokenRealmCopy.String(), err: err}

 	case ErrTokenInvalid, ErrOpenShiftAccessDenied:

 		// Challenge for errors that involve tokens or access denied

 		return &authChallenge{realm: ac.realm, err: err}

@@ -224,25 +278,25 @@ func (ac *AccessController) wrapErr(err error) error {

 func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...registryauth.Access) (context.Context, error) {

 	req, err := context.GetRequest(ctx)

 	if err != nil {

-		return nil, ac.wrapErr(err)

+		return nil, ac.wrapErr(ctx, err)

 	}

 	bearerToken, err := getOpenShiftAPIToken(ctx, req)

 	if err != nil {

-		return nil, ac.wrapErr(err)

+		return nil, ac.wrapErr(ctx, err)

 	}

 	copied := ac.config

 	copied.BearerToken = bearerToken

 	osClient, err := client.New(&copied)

 	if err != nil {

-		return nil, ac.wrapErr(err)

+		return nil, ac.wrapErr(ctx, err)

 	}

 	// In case of docker login, hits endpoint /v2

 	if len(accessRecords) == 0 {

 		if err := verifyOpenShiftUser(ctx, osClient); err != nil {

-			return nil, ac.wrapErr(err)

+			return nil, ac.wrapErr(ctx, err)

 		}

 	}

@@ -262,7 +316,7 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg

 		case "repository":

 			imageStreamNS, imageStreamName, err := getNamespaceName(access.Resource.Name)

 			if err != nil {

-				return nil, ac.wrapErr(err)

+				return nil, ac.wrapErr(ctx, err)

 			}

 			verb := ""

@@ -275,7 +329,7 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg

 			case "*":

 				verb = "prune"

 			default:

-				return nil, ac.wrapErr(ErrUnsupportedAction)

+				return nil, ac.wrapErr(ctx, ErrUnsupportedAction)

 			}

 			switch verb {

@@ -284,15 +338,15 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg

 					continue

 				}

 				if err := verifyPruneAccess(ctx, osClient); err != nil {

-					return nil, ac.wrapErr(err)

+					return nil, ac.wrapErr(ctx, err)

 				}

 				verifiedPrune = true

 			default:

 				if err := verifyImageStreamAccess(ctx, imageStreamNS, imageStreamName, verb, osClient); err != nil {

 					if access.Action != "pull" {

-						return nil, ac.wrapErr(err)

+						return nil, ac.wrapErr(ctx, err)

 					}

-					possibleCrossMountErrors.Add(imageStreamNS, imageStreamName, ac.wrapErr(err))

+					possibleCrossMountErrors.Add(imageStreamNS, imageStreamName, ac.wrapErr(ctx, err))

 				}

 			}

@@ -303,14 +357,14 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg

 					continue

 				}

 				if err := verifyPruneAccess(ctx, osClient); err != nil {

-					return nil, ac.wrapErr(err)

+					return nil, ac.wrapErr(ctx, err)

 				}

 				verifiedPrune = true

 			default:

-				return nil, ac.wrapErr(ErrUnsupportedAction)

+				return nil, ac.wrapErr(ctx, ErrUnsupportedAction)

 			}

 		default:

-			return nil, ac.wrapErr(ErrUnsupportedResource)

+			return nil, ac.wrapErr(ctx, ErrUnsupportedResource)

 		}

 	}

@@ -1,10 +1,12 @@

 package server

 import (

+	"crypto/tls"

 	"errors"

 	"fmt"

 	"net/http"

 	"net/http/httptest"

+	"net/url"

 	"reflect"

 	"testing"

@@ -84,14 +86,15 @@ func TestVerifyImageStreamAccess(t *testing.T) {

 // TestAccessController tests complete integration of the v2 registry auth package.

 func TestAccessController(t *testing.T) {

-	options := map[string]interface{}{

+	defaultOptions := map[string]interface{}{

 		"addr":        "https://openshift-example.com/osapi",

 		"apiVersion":  latest.Version,

 		RealmKey:      "myrealm",

-		TokenRealmKey: "https://tokenrealm.com/token",

+		TokenRealmKey: "http://tokenrealm.com",

 	}

 	tests := map[string]struct {

+		options            map[string]interface{}

 		access             []auth.Access

 		basicToken         string

 		bearerToken        string

@@ -107,7 +110,20 @@ func TestAccessController(t *testing.T) {

 			basicToken:        "",

 			expectedError:     ErrTokenRequired,

 			expectedChallenge: true,

-			expectedHeaders:   http.Header{"Www-Authenticate": []string{`Bearer realm="https://tokenrealm.com/token"`}},

+			expectedHeaders:   http.Header{"Www-Authenticate": []string{`Bearer realm="http://tokenrealm.com/openshift/token"`}},

+		},

+		"no token, autodetected tokenrealm": {

+			options: map[string]interface{}{

+				"addr":        "https://openshift-example.com/osapi",

+				"apiVersion":  latest.Version,

+				RealmKey:      "myrealm",

+				TokenRealmKey: "",

+			},

+			access:            []auth.Access{},

+			basicToken:        "",

+			expectedError:     ErrTokenRequired,

+			expectedChallenge: true,

+			expectedHeaders:   http.Header{"Www-Authenticate": []string{`Bearer realm="https://openshift-example.com/openshift/token"`}},

 		},

 		"invalid registry token": {

 			access: []auth.Access{{

@@ -317,11 +333,22 @@ func TestAccessController(t *testing.T) {

 	}

 	for k, test := range tests {

+		options := test.options

+		if options == nil {

+			options = defaultOptions

+		}

+		reqURL, err := url.Parse(options["addr"].(string))

+		if err != nil {

+			t.Fatal(err)

+		}

 		req, err := http.NewRequest("GET", options["addr"].(string), nil)

 		if err != nil {

 			t.Errorf("%s: %v", k, err)

 			continue

 		}

+		// Simulate a secure request to the specified server

+		req.Host = reqURL.Host

+		req.TLS = &tls.ConnectionState{ServerName: reqURL.Host}

 		if len(test.basicToken) > 0 {

 			req.Header.Set("Authorization", fmt.Sprintf("Basic %s", test.basicToken))

 		}

@@ -1,6 +1,7 @@

 package httprequest

 import (

+	"net"

 	"net/http"

 	"strings"

@@ -38,3 +39,72 @@ func PrefersHTML(req *http.Request) bool {

 	return false

 }

+

+// SchemeHost returns the scheme and host used to make this request.

+// Suitable for use to compute scheme/host in returned 302 redirect Location.

+// Note the returned host is not normalized, and may or may not contain a port.

+// Returned values are based on the following information:

+//

+// Host:

+// * X-Forwarded-Host/X-Forwarded-Port headers

+// * Host field on the request (parsed from Host header)

+// * Host in the request's URL (parsed from Request-Line)

+//

+// Scheme:

+// * X-Forwarded-Proto header

+// * Existence of TLS information on the request implies https

+// * Scheme in the request's URL (parsed from Request-Line)

+// * Port (if included in calculated Host value, 443 implies https)

+// * Otherwise, defaults to "http"

+func SchemeHost(req *http.Request) (string /*scheme*/, string /*host*/) {

+	forwarded := func(attr string) string {

+		// Get the X-Forwarded-<attr> value

+		value := req.Header.Get("X-Forwarded-" + attr)

+		// Take the first comma-separated value, if multiple exist

+		value = strings.SplitN(value, ",", 2)[0]

+		// Trim whitespace

+		return strings.TrimSpace(value)

+	}

+

+	forwardedProto := forwarded("Proto")

+	forwardedHost := forwarded("Host")

+	// If both X-Forwarded-Host and X-Forwarded-Port are sent, use the explicit port info

+	if forwardedPort := forwarded("Port"); len(forwardedHost) > 0 && len(forwardedPort) > 0 {

+		if h, _, err := net.SplitHostPort(forwardedHost); err == nil {

+			forwardedHost = net.JoinHostPort(h, forwardedPort)

+		} else {

+			forwardedHost = net.JoinHostPort(forwardedHost, forwardedPort)

+		}

+	}

+

+	host := ""

+	switch {

+	case len(forwardedHost) > 0:

+		host = forwardedHost

+	case len(req.Host) > 0:

+		host = req.Host

+	case len(req.URL.Host) > 0:

+		host = req.URL.Host

+	}

+

+	port := ""

+	if _, p, err := net.SplitHostPort(host); err == nil {

+		port = p

+	}

+

+	scheme := ""

+	switch {

+	case len(forwardedProto) > 0:

+		scheme = forwardedProto

+	case req.TLS != nil:

+		scheme = "https"

+	case len(req.URL.Scheme) > 0:

+		scheme = req.URL.Scheme

+	case port == "443":

+		scheme = "https"

+	default:

+		scheme = "http"

+	}

+

+	return scheme, host

+}

new file mode 100644

@@ -0,0 +1,196 @@

+package httprequest

+

+import (

+	"crypto/tls"

+	"net/http"

+	"net/url"

+	"testing"

+)

+

+func TestSchemeHost(t *testing.T) {

+

+	testcases := map[string]struct {

+		req            *http.Request

+		expectedScheme string

+		expectedHost   string

+	}{

+		"X-Forwarded-Host and X-Forwarded-Port combined": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "127.0.0.1",

+				Header: http.Header{

+					"X-Forwarded-Host":  []string{"example.com"},

+					"X-Forwarded-Port":  []string{"443"},

+					"X-Forwarded-Proto": []string{"https"},

+				},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com:443",

+		},

+		"X-Forwarded-Port overwrites X-Forwarded-Host port": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "127.0.0.1",

+				Header: http.Header{

+					"X-Forwarded-Host":  []string{"example.com:1234"},

+					"X-Forwarded-Port":  []string{"443"},

+					"X-Forwarded-Proto": []string{"https"},

+				},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com:443",

+		},

+		"X-Forwarded-* multiple attrs": {

+			req: &http.Request{

+				URL:  &url.URL{Host: "urlhost", Path: "/"},

+				Host: "reqhost",

+				Header: http.Header{

+					"X-Forwarded-Host":  []string{"example.com,foo.com"},

+					"X-Forwarded-Port":  []string{"443,123"},

+					"X-Forwarded-Proto": []string{"https,http"},

+				},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com:443",

+		},

+

+		"req host": {

+			req: &http.Request{

+				URL:  &url.URL{Host: "urlhost", Path: "/"},

+				Host: "example.com",

+			},

+			expectedScheme: "http",

+			expectedHost:   "example.com",

+		},

+		"req host with port": {

+			req: &http.Request{

+				URL:  &url.URL{Host: "urlhost", Path: "/"},

+				Host: "example.com:80",

+			},

+			expectedScheme: "http",

+			expectedHost:   "example.com:80",

+		},

+		"req host with tls port": {

+			req: &http.Request{

+				URL:  &url.URL{Host: "urlhost", Path: "/"},

+				Host: "example.com:443",

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com:443",

+		},

+

+		"req tls": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "example.com",

+				TLS:  &tls.ConnectionState{},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com",

+		},

+

+		"req url": {

+			req: &http.Request{

+				URL: &url.URL{Scheme: "https", Host: "example.com", Path: "/"},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com",

+		},

+		"req url with port": {

+			req: &http.Request{

+				URL: &url.URL{Scheme: "https", Host: "example.com:123", Path: "/"},

+			},

+			expectedScheme: "https",

+			expectedHost:   "example.com:123",

+		},

+

+		// The following scenarios are captured from actual direct requests to pods

+		"non-tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "172.17.0.2:9080",

+			},

+			expectedScheme: "http",

+			expectedHost:   "172.17.0.2:9080",

+		},

+		"tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "172.17.0.2:9443",

+				TLS:  &tls.ConnectionState{ /* request has non-nil TLS connection state */ },

+			},

+			expectedScheme: "https",

+			expectedHost:   "172.17.0.2:9443",

+		},

+

+		// The following scenarios are captured from actual requests to pods via services

+		"svc -> non-tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "service.default.svc.cluster.local:10080",

+			},

+			expectedScheme: "http",

+			expectedHost:   "service.default.svc.cluster.local:10080",

+		},

+		"svc -> tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "service.default.svc.cluster.local:10443",

+				TLS:  &tls.ConnectionState{ /* request has non-nil TLS connection state */ },

+			},

+			expectedScheme: "https",

+			expectedHost:   "service.default.svc.cluster.local:10443",

+		},

+

+		// The following scenarios are captured from actual requests to pods via services via routes serviced by haproxy

+		"haproxy non-tls route -> svc -> non-tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "route-namespace.router.default.svc.cluster.local",

+				Header: http.Header{

+					"X-Forwarded-Host":  []string{"route-namespace.router.default.svc.cluster.local"},

+					"X-Forwarded-Port":  []string{"80"},

+					"X-Forwarded-Proto": []string{"http"},

+					"Forwarded":         []string{"for=172.18.2.57;host=route-namespace.router.default.svc.cluster.local;proto=http"},

+					"X-Forwarded-For":   []string{"172.18.2.57"},

+				},

+			},

+			expectedScheme: "http",

+			expectedHost:   "route-namespace.router.default.svc.cluster.local:80",

+		},

+		"haproxy edge terminated route -> svc -> non-tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "route-namespace.router.default.svc.cluster.local",

+				Header: http.Header{

+					"X-Forwarded-Host":  []string{"route-namespace.router.default.svc.cluster.local"},

+					"X-Forwarded-Port":  []string{"443"},

+					"X-Forwarded-Proto": []string{"https"},

+					"Forwarded":         []string{"for=172.18.2.57;host=route-namespace.router.default.svc.cluster.local;proto=https"},

+					"X-Forwarded-For":   []string{"172.18.2.57"},

+				},

+			},

+			expectedScheme: "https",

+			expectedHost:   "route-namespace.router.default.svc.cluster.local:443",

+		},

+		"haproxy passthrough route -> svc -> tls pod": {

+			req: &http.Request{

+				URL:  &url.URL{Path: "/"},

+				Host: "route-namespace.router.default.svc.cluster.local",

+				TLS:  &tls.ConnectionState{ /* request has non-nil TLS connection state */ },

+			},

+			expectedScheme: "https",

+			expectedHost:   "route-namespace.router.default.svc.cluster.local",

+		},

+	}

+

+	for k, tc := range testcases {

+		scheme, host := SchemeHost(tc.req)

+		if scheme != tc.expectedScheme {

+			t.Errorf("%s: expected scheme %q, got %q", k, tc.expectedScheme, scheme)

+		}

+		if host != tc.expectedHost {

+			t.Errorf("%s: expected host %q, got %q", k, tc.expectedHost, host)

+		}

+	}

+}