Merge pull request #40170 from deads2k/client-10-restclient
Automatic merge from submit-queue (batch tested with PRs 36693, 40154, 40170, 39033) make client-go authoritative for pkg/client/restclient Moves client/restclient to client-go and a util/certs, util/testing as transitives.
This commit is contained in:
Kubernetes Submit Queue
@@ -34,7 +34,6 @@ filegroup(
|
||||
"//plugin/pkg/admission/serviceaccount:all-srcs",
|
||||
"//plugin/pkg/admission/storageclass/default:all-srcs",
|
||||
"//plugin/pkg/auth:all-srcs",
|
||||
"//plugin/pkg/client/auth:all-srcs",
|
||||
"//plugin/pkg/scheduler:all-srcs",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
|
||||
@@ -18,7 +18,6 @@ go_library(
|
||||
"//pkg/client/leaderelection:go_default_library",
|
||||
"//pkg/client/leaderelection/resourcelock:go_default_library",
|
||||
"//pkg/client/record:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/client/unversioned/clientcmd:go_default_library",
|
||||
"//pkg/util/configz:go_default_library",
|
||||
"//plugin/cmd/kube-scheduler/app/options:go_default_library",
|
||||
@@ -34,6 +33,7 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime",
|
||||
"//vendor:k8s.io/apiserver/pkg/server/healthz",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -30,13 +30,13 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apiserver/pkg/server/healthz"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||
v1core "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1"
|
||||
"k8s.io/kubernetes/pkg/client/leaderelection"
|
||||
"k8s.io/kubernetes/pkg/client/leaderelection/resourcelock"
|
||||
"k8s.io/kubernetes/pkg/client/record"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
|
||||
"k8s.io/kubernetes/pkg/util/configz"
|
||||
"k8s.io/kubernetes/plugin/cmd/kube-scheduler/app/options"
|
||||
|
||||
@@ -21,7 +21,6 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/api/resource:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/client/unversioned/clientcmd:go_default_library",
|
||||
"//vendor:cloud.google.com/go/compute/metadata",
|
||||
"//vendor:github.com/golang/glog",
|
||||
@@ -32,6 +31,7 @@ go_library(
|
||||
"//vendor:google.golang.org/api/cloudmonitoring/v2beta2",
|
||||
"//vendor:k8s.io/apimachinery/pkg/api/errors",
|
||||
"//vendor:k8s.io/apiserver/pkg/admission",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -31,7 +31,7 @@ import (
|
||||
"github.com/hawkular/hawkular-client-go/metrics"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
|
||||
)
|
||||
|
||||
|
||||
@@ -15,12 +15,12 @@ go_library(
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/util/cert:go_default_library",
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:github.com/rackspace/gophercloud",
|
||||
"//vendor:github.com/rackspace/gophercloud/openstack",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/client-go/pkg/util/cert",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -27,7 +27,7 @@ import (
|
||||
"github.com/rackspace/gophercloud/openstack"
|
||||
netutil "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
certutil "k8s.io/kubernetes/pkg/util/cert"
|
||||
certutil "k8s.io/client-go/pkg/util/cert"
|
||||
)
|
||||
|
||||
// KeystoneAuthenticator contacts openstack keystone to validate user's credentials passed in the request.
|
||||
|
||||
@@ -13,13 +13,13 @@ go_library(
|
||||
srcs = ["oidc.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/util/cert:go_default_library",
|
||||
"//vendor:github.com/coreos/go-oidc/jose",
|
||||
"//vendor:github.com/coreos/go-oidc/oidc",
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/runtime",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/client-go/pkg/util/cert",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
certutil "k8s.io/kubernetes/pkg/util/cert"
|
||||
certutil "k8s.io/client-go/pkg/util/cert"
|
||||
)
|
||||
|
||||
type OIDCOptions struct {
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["plugins.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//plugin/pkg/client/auth/gcp:go_default_library",
|
||||
"//plugin/pkg/client/auth/oidc:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [
|
||||
":package-srcs",
|
||||
"//plugin/pkg/client/auth/gcp:all-srcs",
|
||||
"//plugin/pkg/client/auth/oidc:all-srcs",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
@@ -1,45 +0,0 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
"go_test",
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["gcp.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/util/jsonpath:go_default_library",
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:golang.org/x/net/context",
|
||||
"//vendor:golang.org/x/oauth2",
|
||||
"//vendor:golang.org/x/oauth2/google",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/yaml",
|
||||
],
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["gcp_test.go"],
|
||||
library = ":go_default_library",
|
||||
tags = ["automanaged"],
|
||||
deps = ["//vendor:golang.org/x/oauth2"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
@@ -1,3 +0,0 @@
|
||||
assignees:
|
||||
- cjcullen
|
||||
- jlowdermilk
|
||||
@@ -1,274 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package gcp
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"golang.org/x/net/context"
|
||||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/google"
|
||||
"k8s.io/apimachinery/pkg/util/yaml"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
"k8s.io/kubernetes/pkg/util/jsonpath"
|
||||
)
|
||||
|
||||
func init() {
|
||||
if err := restclient.RegisterAuthProviderPlugin("gcp", newGCPAuthProvider); err != nil {
|
||||
glog.Fatalf("Failed to register gcp auth plugin: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// gcpAuthProvider is an auth provider plugin that uses GCP credentials to provide
|
||||
// tokens for kubectl to authenticate itself to the apiserver. A sample json config
|
||||
// is provided below with all recognized options described.
|
||||
//
|
||||
// {
|
||||
// 'auth-provider': {
|
||||
// # Required
|
||||
// "name": "gcp",
|
||||
//
|
||||
// 'config': {
|
||||
// # Caching options
|
||||
//
|
||||
// # Raw string data representing cached access token.
|
||||
// "access-token": "ya29.CjWdA4GiBPTt",
|
||||
// # RFC3339Nano expiration timestamp for cached access token.
|
||||
// "expiry": "2016-10-31 22:31:9.123",
|
||||
//
|
||||
// # Command execution options
|
||||
// # These options direct the plugin to execute a specified command and parse
|
||||
// # token and expiry time from the output of the command.
|
||||
//
|
||||
// # Command to execute for access token. String is split on whitespace
|
||||
// # with first field treated as the executable, remaining fields as args.
|
||||
// # Command output will be parsed as JSON.
|
||||
// "cmd-path": "/usr/bin/gcloud config config-helper --output=json",
|
||||
//
|
||||
// # JSONPath to the string field that represents the access token in
|
||||
// # command output. If omitted, defaults to "{.access_token}".
|
||||
// "token-key": "{.credential.access_token}",
|
||||
//
|
||||
// # JSONPath to the string field that represents expiration timestamp
|
||||
// # of the access token in the command output. If omitted, defaults to
|
||||
// # "{.token_expiry}"
|
||||
// "expiry-key": ""{.credential.token_expiry}",
|
||||
//
|
||||
// # golang reference time in the format that the expiration timestamp uses.
|
||||
// # If omitted, defaults to time.RFC3339Nano
|
||||
// "time-fmt": "2006-01-02 15:04:05.999999999"
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
//
|
||||
type gcpAuthProvider struct {
|
||||
tokenSource oauth2.TokenSource
|
||||
persister restclient.AuthProviderConfigPersister
|
||||
}
|
||||
|
||||
func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
|
||||
cmd, useCmd := gcpConfig["cmd-path"]
|
||||
var ts oauth2.TokenSource
|
||||
var err error
|
||||
if useCmd {
|
||||
ts, err = newCmdTokenSource(cmd, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
|
||||
} else {
|
||||
ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister, ts, gcpConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &gcpAuthProvider{cts, persister}, nil
|
||||
}
|
||||
|
||||
func (g *gcpAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
|
||||
return &oauth2.Transport{
|
||||
Source: g.tokenSource,
|
||||
Base: rt,
|
||||
}
|
||||
}
|
||||
|
||||
func (g *gcpAuthProvider) Login() error { return nil }
|
||||
|
||||
type cachedTokenSource struct {
|
||||
lk sync.Mutex
|
||||
source oauth2.TokenSource
|
||||
accessToken string
|
||||
expiry time.Time
|
||||
persister restclient.AuthProviderConfigPersister
|
||||
cache map[string]string
|
||||
}
|
||||
|
||||
func newCachedTokenSource(accessToken, expiry string, persister restclient.AuthProviderConfigPersister, ts oauth2.TokenSource, cache map[string]string) (*cachedTokenSource, error) {
|
||||
var expiryTime time.Time
|
||||
if parsedTime, err := time.Parse(time.RFC3339Nano, expiry); err == nil {
|
||||
expiryTime = parsedTime
|
||||
}
|
||||
if cache == nil {
|
||||
cache = make(map[string]string)
|
||||
}
|
||||
return &cachedTokenSource{
|
||||
source: ts,
|
||||
accessToken: accessToken,
|
||||
expiry: expiryTime,
|
||||
persister: persister,
|
||||
cache: cache,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (t *cachedTokenSource) Token() (*oauth2.Token, error) {
|
||||
tok := t.cachedToken()
|
||||
if tok.Valid() && !tok.Expiry.IsZero() {
|
||||
return tok, nil
|
||||
}
|
||||
tok, err := t.source.Token()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cache := t.update(tok)
|
||||
if t.persister != nil {
|
||||
if err := t.persister.Persist(cache); err != nil {
|
||||
glog.V(4).Infof("Failed to persist token: %v", err)
|
||||
}
|
||||
}
|
||||
return tok, nil
|
||||
}
|
||||
|
||||
func (t *cachedTokenSource) cachedToken() *oauth2.Token {
|
||||
t.lk.Lock()
|
||||
defer t.lk.Unlock()
|
||||
return &oauth2.Token{
|
||||
AccessToken: t.accessToken,
|
||||
TokenType: "Bearer",
|
||||
Expiry: t.expiry,
|
||||
}
|
||||
}
|
||||
|
||||
func (t *cachedTokenSource) update(tok *oauth2.Token) map[string]string {
|
||||
t.lk.Lock()
|
||||
defer t.lk.Unlock()
|
||||
t.accessToken = tok.AccessToken
|
||||
t.expiry = tok.Expiry
|
||||
ret := map[string]string{}
|
||||
for k, v := range t.cache {
|
||||
ret[k] = v
|
||||
}
|
||||
ret["access-token"] = t.accessToken
|
||||
ret["expiry"] = t.expiry.Format(time.RFC3339Nano)
|
||||
return ret
|
||||
}
|
||||
|
||||
type commandTokenSource struct {
|
||||
cmd string
|
||||
args []string
|
||||
tokenKey string
|
||||
expiryKey string
|
||||
timeFmt string
|
||||
}
|
||||
|
||||
func newCmdTokenSource(cmd, tokenKey, expiryKey, timeFmt string) (*commandTokenSource, error) {
|
||||
if len(timeFmt) == 0 {
|
||||
timeFmt = time.RFC3339Nano
|
||||
}
|
||||
if len(tokenKey) == 0 {
|
||||
tokenKey = "{.access_token}"
|
||||
}
|
||||
if len(expiryKey) == 0 {
|
||||
expiryKey = "{.token_expiry}"
|
||||
}
|
||||
fields := strings.Fields(cmd)
|
||||
if len(fields) == 0 {
|
||||
return nil, fmt.Errorf("missing access token cmd")
|
||||
}
|
||||
return &commandTokenSource{
|
||||
cmd: fields[0],
|
||||
args: fields[1:],
|
||||
tokenKey: tokenKey,
|
||||
expiryKey: expiryKey,
|
||||
timeFmt: timeFmt,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *commandTokenSource) Token() (*oauth2.Token, error) {
|
||||
fullCmd := fmt.Sprintf("%s %s", c.cmd, strings.Join(c.args, " "))
|
||||
cmd := exec.Command(c.cmd, c.args...)
|
||||
output, err := cmd.Output()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error executing access token command %q: %v", fullCmd, err)
|
||||
}
|
||||
token, err := c.parseTokenCmdOutput(output)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing output for access token command %q: %v", fullCmd, err)
|
||||
}
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func (c *commandTokenSource) parseTokenCmdOutput(output []byte) (*oauth2.Token, error) {
|
||||
output, err := yaml.ToJSON(output)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var data interface{}
|
||||
if err := json.Unmarshal(output, &data); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
accessToken, err := parseJSONPath(data, "token-key", c.tokenKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing token-key %q: %v", c.tokenKey, err)
|
||||
}
|
||||
expiryStr, err := parseJSONPath(data, "expiry-key", c.expiryKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing expiry-key %q: %v", c.expiryKey, err)
|
||||
}
|
||||
var expiry time.Time
|
||||
if t, err := time.Parse(c.timeFmt, expiryStr); err != nil {
|
||||
glog.V(4).Infof("Failed to parse token expiry from %s (fmt=%s): %v", expiryStr, c.timeFmt, err)
|
||||
} else {
|
||||
expiry = t
|
||||
}
|
||||
|
||||
return &oauth2.Token{
|
||||
AccessToken: accessToken,
|
||||
TokenType: "Bearer",
|
||||
Expiry: expiry,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func parseJSONPath(input interface{}, name, template string) (string, error) {
|
||||
j := jsonpath.New(name)
|
||||
buf := new(bytes.Buffer)
|
||||
if err := j.Parse(template); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if err := j.Execute(buf, input); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return buf.String(), nil
|
||||
}
|
||||
@@ -1,211 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package gcp
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
func TestCmdTokenSource(t *testing.T) {
|
||||
fakeExpiry := time.Date(2016, 10, 31, 22, 31, 9, 123000000, time.UTC)
|
||||
customFmt := "2006-01-02 15:04:05.999999999"
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
output []byte
|
||||
cmd, tokenKey, expiryKey, timeFmt string
|
||||
tok *oauth2.Token
|
||||
expectErr error
|
||||
}{
|
||||
{
|
||||
"defaults",
|
||||
[]byte(`{
|
||||
"access_token": "faketoken",
|
||||
"token_expiry": "2016-10-31T22:31:09.123000000Z"
|
||||
}`),
|
||||
"/fake/cmd/path", "", "", "",
|
||||
&oauth2.Token{
|
||||
AccessToken: "faketoken",
|
||||
TokenType: "Bearer",
|
||||
Expiry: fakeExpiry,
|
||||
},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"custom keys",
|
||||
[]byte(`{
|
||||
"token": "faketoken",
|
||||
"token_expiry": {
|
||||
"datetime": "2016-10-31 22:31:09.123"
|
||||
}
|
||||
}`),
|
||||
"/fake/cmd/path", "{.token}", "{.token_expiry.datetime}", customFmt,
|
||||
&oauth2.Token{
|
||||
AccessToken: "faketoken",
|
||||
TokenType: "Bearer",
|
||||
Expiry: fakeExpiry,
|
||||
},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"missing cmd",
|
||||
nil,
|
||||
"", "", "", "",
|
||||
nil,
|
||||
fmt.Errorf("missing access token cmd"),
|
||||
},
|
||||
{
|
||||
"missing token-key",
|
||||
[]byte(`{
|
||||
"broken": "faketoken",
|
||||
"token_expiry": {
|
||||
"datetime": "2016-10-31 22:31:09.123000000Z"
|
||||
}
|
||||
}`),
|
||||
"/fake/cmd/path", "{.token}", "", "",
|
||||
nil,
|
||||
fmt.Errorf("error parsing token-key %q", "{.token}"),
|
||||
},
|
||||
{
|
||||
"missing expiry-key",
|
||||
[]byte(`{
|
||||
"access_token": "faketoken",
|
||||
"expires": "2016-10-31T22:31:09.123000000Z"
|
||||
}`),
|
||||
"/fake/cmd/path", "", "{.expiry}", "",
|
||||
nil,
|
||||
fmt.Errorf("error parsing expiry-key %q", "{.expiry}"),
|
||||
},
|
||||
{
|
||||
"invalid expiry timestamp",
|
||||
[]byte(`{
|
||||
"access_token": "faketoken",
|
||||
"token_expiry": "sometime soon, idk"
|
||||
}`),
|
||||
"/fake/cmd/path", "", "", "",
|
||||
&oauth2.Token{
|
||||
AccessToken: "faketoken",
|
||||
TokenType: "Bearer",
|
||||
Expiry: time.Time{},
|
||||
},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"bad JSON",
|
||||
[]byte(`{
|
||||
"access_token": "faketoken",
|
||||
"token_expiry": "sometime soon, idk"
|
||||
------
|
||||
`),
|
||||
"/fake/cmd", "", "", "",
|
||||
nil,
|
||||
fmt.Errorf("invalid character '-' after object key:value pair"),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
ts, err := newCmdTokenSource(tc.cmd, tc.tokenKey, tc.expiryKey, tc.timeFmt)
|
||||
if err != nil {
|
||||
if !strings.Contains(err.Error(), tc.expectErr.Error()) {
|
||||
t.Errorf("%s newCmdTokenSource error: %v, want %v", tc.name, err, tc.expectErr)
|
||||
}
|
||||
continue
|
||||
}
|
||||
tok, err := ts.parseTokenCmdOutput(tc.output)
|
||||
|
||||
if err != tc.expectErr && !strings.Contains(err.Error(), tc.expectErr.Error()) {
|
||||
t.Errorf("%s parseCmdTokenSource error: %v, want %v", tc.name, err, tc.expectErr)
|
||||
}
|
||||
if !reflect.DeepEqual(tok, tc.tok) {
|
||||
t.Errorf("%s got token %v, want %v", tc.name, tok, tc.tok)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
type fakePersister struct {
|
||||
lk sync.Mutex
|
||||
cache map[string]string
|
||||
}
|
||||
|
||||
func (f *fakePersister) Persist(cache map[string]string) error {
|
||||
f.lk.Lock()
|
||||
defer f.lk.Unlock()
|
||||
f.cache = map[string]string{}
|
||||
for k, v := range cache {
|
||||
f.cache[k] = v
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *fakePersister) read() map[string]string {
|
||||
ret := map[string]string{}
|
||||
f.lk.Lock()
|
||||
for k, v := range f.cache {
|
||||
ret[k] = v
|
||||
}
|
||||
return ret
|
||||
}
|
||||
|
||||
type fakeTokenSource struct {
|
||||
token *oauth2.Token
|
||||
err error
|
||||
}
|
||||
|
||||
func (f *fakeTokenSource) Token() (*oauth2.Token, error) {
|
||||
return f.token, f.err
|
||||
}
|
||||
|
||||
func TestCachedTokenSource(t *testing.T) {
|
||||
tok := &oauth2.Token{AccessToken: "fakeaccesstoken"}
|
||||
persister := &fakePersister{}
|
||||
source := &fakeTokenSource{
|
||||
token: tok,
|
||||
err: nil,
|
||||
}
|
||||
cache := map[string]string{
|
||||
"foo": "bar",
|
||||
"baz": "bazinga",
|
||||
}
|
||||
ts, err := newCachedTokenSource("fakeaccesstoken", "", persister, source, cache)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
var wg sync.WaitGroup
|
||||
wg.Add(10)
|
||||
for i := 0; i < 10; i++ {
|
||||
go func() {
|
||||
_, err := ts.Token()
|
||||
if err != nil {
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
}
|
||||
wg.Wait()
|
||||
cache["access-token"] = "fakeaccesstoken"
|
||||
cache["expiry"] = tok.Expiry.Format(time.RFC3339Nano)
|
||||
if got := persister.read(); !reflect.DeepEqual(got, cache) {
|
||||
t.Errorf("got cache %v, want %v", got, cache)
|
||||
}
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
"go_test",
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["oidc.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//vendor:github.com/coreos/go-oidc/jose",
|
||||
"//vendor:github.com/coreos/go-oidc/oauth2",
|
||||
"//vendor:github.com/coreos/go-oidc/oidc",
|
||||
"//vendor:github.com/golang/glog",
|
||||
],
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["oidc_test.go"],
|
||||
library = ":go_default_library",
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//plugin/pkg/auth/authenticator/token/oidc/testing:go_default_library",
|
||||
"//vendor:github.com/coreos/go-oidc/jose",
|
||||
"//vendor:github.com/coreos/go-oidc/key",
|
||||
"//vendor:github.com/coreos/go-oidc/oauth2",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
@@ -1,2 +0,0 @@
|
||||
assignees:
|
||||
- ericchiang
|
||||
@@ -1,333 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package oidc
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/coreos/go-oidc/jose"
|
||||
"github.com/coreos/go-oidc/oauth2"
|
||||
"github.com/coreos/go-oidc/oidc"
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
)
|
||||
|
||||
const (
|
||||
cfgIssuerUrl = "idp-issuer-url"
|
||||
cfgClientID = "client-id"
|
||||
cfgClientSecret = "client-secret"
|
||||
cfgCertificateAuthority = "idp-certificate-authority"
|
||||
cfgCertificateAuthorityData = "idp-certificate-authority-data"
|
||||
cfgExtraScopes = "extra-scopes"
|
||||
cfgIDToken = "id-token"
|
||||
cfgRefreshToken = "refresh-token"
|
||||
)
|
||||
|
||||
func init() {
|
||||
if err := restclient.RegisterAuthProviderPlugin("oidc", newOIDCAuthProvider); err != nil {
|
||||
glog.Fatalf("Failed to register oidc auth plugin: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// expiryDelta determines how earlier a token should be considered
|
||||
// expired than its actual expiration time. It is used to avoid late
|
||||
// expirations due to client-server time mismatches.
|
||||
//
|
||||
// NOTE(ericchiang): this is take from golang.org/x/oauth2
|
||||
const expiryDelta = 10 * time.Second
|
||||
|
||||
var cache = newClientCache()
|
||||
|
||||
// Like TLS transports, keep a cache of OIDC clients indexed by issuer URL.
|
||||
type clientCache struct {
|
||||
mu sync.RWMutex
|
||||
cache map[cacheKey]*oidcAuthProvider
|
||||
}
|
||||
|
||||
func newClientCache() *clientCache {
|
||||
return &clientCache{cache: make(map[cacheKey]*oidcAuthProvider)}
|
||||
}
|
||||
|
||||
type cacheKey struct {
|
||||
// Canonical issuer URL string of the provider.
|
||||
issuerURL string
|
||||
|
||||
clientID string
|
||||
clientSecret string
|
||||
|
||||
// Don't use CA as cache key because we only add a cache entry if we can connect
|
||||
// to the issuer in the first place. A valid CA is a prerequisite.
|
||||
}
|
||||
|
||||
func (c *clientCache) getClient(issuer, clientID, clientSecret string) (*oidcAuthProvider, bool) {
|
||||
c.mu.RLock()
|
||||
defer c.mu.RUnlock()
|
||||
client, ok := c.cache[cacheKey{issuer, clientID, clientSecret}]
|
||||
return client, ok
|
||||
}
|
||||
|
||||
// setClient attempts to put the client in the cache but may return any clients
|
||||
// with the same keys set before. This is so there's only ever one client for a provider.
|
||||
func (c *clientCache) setClient(issuer, clientID, clientSecret string, client *oidcAuthProvider) *oidcAuthProvider {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
key := cacheKey{issuer, clientID, clientSecret}
|
||||
|
||||
// If another client has already initialized a client for the given provider we want
|
||||
// to use that client instead of the one we're trying to set. This is so all transports
|
||||
// share a client and can coordinate around the same mutex when refreshing and writing
|
||||
// to the kubeconfig.
|
||||
if oldClient, ok := c.cache[key]; ok {
|
||||
return oldClient
|
||||
}
|
||||
|
||||
c.cache[key] = client
|
||||
return client
|
||||
}
|
||||
|
||||
func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
|
||||
issuer := cfg[cfgIssuerUrl]
|
||||
if issuer == "" {
|
||||
return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
|
||||
}
|
||||
|
||||
clientID := cfg[cfgClientID]
|
||||
if clientID == "" {
|
||||
return nil, fmt.Errorf("Must provide %s", cfgClientID)
|
||||
}
|
||||
|
||||
clientSecret := cfg[cfgClientSecret]
|
||||
if clientSecret == "" {
|
||||
return nil, fmt.Errorf("Must provide %s", cfgClientSecret)
|
||||
}
|
||||
|
||||
// Check cache for existing provider.
|
||||
if provider, ok := cache.getClient(issuer, clientID, clientSecret); ok {
|
||||
return provider, nil
|
||||
}
|
||||
|
||||
var certAuthData []byte
|
||||
var err error
|
||||
if cfg[cfgCertificateAuthorityData] != "" {
|
||||
certAuthData, err = base64.StdEncoding.DecodeString(cfg[cfgCertificateAuthorityData])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
clientConfig := restclient.Config{
|
||||
TLSClientConfig: restclient.TLSClientConfig{
|
||||
CAFile: cfg[cfgCertificateAuthority],
|
||||
CAData: certAuthData,
|
||||
},
|
||||
}
|
||||
|
||||
trans, err := restclient.TransportFor(&clientConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
hc := &http.Client{Transport: trans}
|
||||
|
||||
providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error fetching provider config: %v", err)
|
||||
}
|
||||
|
||||
scopes := strings.Split(cfg[cfgExtraScopes], ",")
|
||||
oidcCfg := oidc.ClientConfig{
|
||||
HTTPClient: hc,
|
||||
Credentials: oidc.ClientCredentials{
|
||||
ID: clientID,
|
||||
Secret: clientSecret,
|
||||
},
|
||||
ProviderConfig: providerCfg,
|
||||
Scope: append(scopes, oidc.DefaultScope...),
|
||||
}
|
||||
client, err := oidc.NewClient(oidcCfg)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating OIDC Client: %v", err)
|
||||
}
|
||||
|
||||
provider := &oidcAuthProvider{
|
||||
client: &oidcClient{client},
|
||||
cfg: cfg,
|
||||
persister: persister,
|
||||
now: time.Now,
|
||||
}
|
||||
|
||||
return cache.setClient(issuer, clientID, clientSecret, provider), nil
|
||||
}
|
||||
|
||||
type oidcAuthProvider struct {
|
||||
// Interface rather than a raw *oidc.Client for testing.
|
||||
client OIDCClient
|
||||
|
||||
// Stubbed out for testing.
|
||||
now func() time.Time
|
||||
|
||||
// Mutex guards persisting to the kubeconfig file and allows synchronized
|
||||
// updates to the in-memory config. It also ensures concurrent calls to
|
||||
// the RoundTripper only trigger a single refresh request.
|
||||
mu sync.Mutex
|
||||
cfg map[string]string
|
||||
persister restclient.AuthProviderConfigPersister
|
||||
}
|
||||
|
||||
func (p *oidcAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
|
||||
return &roundTripper{
|
||||
wrapped: rt,
|
||||
provider: p,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *oidcAuthProvider) Login() error {
|
||||
return errors.New("not yet implemented")
|
||||
}
|
||||
|
||||
type OIDCClient interface {
|
||||
refreshToken(rt string) (oauth2.TokenResponse, error)
|
||||
verifyJWT(jwt *jose.JWT) error
|
||||
}
|
||||
|
||||
type roundTripper struct {
|
||||
provider *oidcAuthProvider
|
||||
wrapped http.RoundTripper
|
||||
}
|
||||
|
||||
func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
token, err := r.provider.idToken()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// shallow copy of the struct
|
||||
r2 := new(http.Request)
|
||||
*r2 = *req
|
||||
// deep copy of the Header so we don't modify the original
|
||||
// request's Header (as per RoundTripper contract).
|
||||
r2.Header = make(http.Header)
|
||||
for k, s := range req.Header {
|
||||
r2.Header[k] = s
|
||||
}
|
||||
r2.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
|
||||
|
||||
return r.wrapped.RoundTrip(r2)
|
||||
}
|
||||
|
||||
func (p *oidcAuthProvider) idToken() (string, error) {
|
||||
p.mu.Lock()
|
||||
defer p.mu.Unlock()
|
||||
|
||||
if idToken, ok := p.cfg[cfgIDToken]; ok && len(idToken) > 0 {
|
||||
valid, err := verifyJWTExpiry(p.now(), idToken)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if valid {
|
||||
// If the cached id token is still valid use it.
|
||||
return idToken, nil
|
||||
}
|
||||
}
|
||||
|
||||
// Try to request a new token using the refresh token.
|
||||
rt, ok := p.cfg[cfgRefreshToken]
|
||||
if !ok || len(rt) == 0 {
|
||||
return "", errors.New("No valid id-token, and cannot refresh without refresh-token")
|
||||
}
|
||||
|
||||
tokens, err := p.client.refreshToken(rt)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not refresh token: %v", err)
|
||||
}
|
||||
jwt, err := jose.ParseJWT(tokens.IDToken)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if err := p.client.verifyJWT(&jwt); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// Create a new config to persist.
|
||||
newCfg := make(map[string]string)
|
||||
for key, val := range p.cfg {
|
||||
newCfg[key] = val
|
||||
}
|
||||
|
||||
if tokens.RefreshToken != "" && tokens.RefreshToken != rt {
|
||||
newCfg[cfgRefreshToken] = tokens.RefreshToken
|
||||
}
|
||||
|
||||
newCfg[cfgIDToken] = tokens.IDToken
|
||||
if err = p.persister.Persist(newCfg); err != nil {
|
||||
return "", fmt.Errorf("could not perist new tokens: %v", err)
|
||||
}
|
||||
|
||||
// Update the in memory config to reflect the on disk one.
|
||||
p.cfg = newCfg
|
||||
|
||||
return tokens.IDToken, nil
|
||||
}
|
||||
|
||||
// oidcClient is the real implementation of the OIDCClient interface, which is
|
||||
// used for testing.
|
||||
type oidcClient struct {
|
||||
client *oidc.Client
|
||||
}
|
||||
|
||||
func (o *oidcClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
|
||||
oac, err := o.client.OAuthClient()
|
||||
if err != nil {
|
||||
return oauth2.TokenResponse{}, err
|
||||
}
|
||||
|
||||
return oac.RequestToken(oauth2.GrantTypeRefreshToken, rt)
|
||||
}
|
||||
|
||||
func (o *oidcClient) verifyJWT(jwt *jose.JWT) error {
|
||||
return o.client.VerifyJWT(*jwt)
|
||||
}
|
||||
|
||||
func verifyJWTExpiry(now time.Time, s string) (valid bool, err error) {
|
||||
jwt, err := jose.ParseJWT(s)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("invalid %q", cfgIDToken)
|
||||
}
|
||||
claims, err := jwt.Claims()
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
exp, ok, err := claims.TimeClaim("exp")
|
||||
switch {
|
||||
case err != nil:
|
||||
return false, fmt.Errorf("failed to parse 'exp' claim: %v", err)
|
||||
case !ok:
|
||||
return false, errors.New("missing required 'exp' claim")
|
||||
case exp.After(now.Add(expiryDelta)):
|
||||
return true, nil
|
||||
}
|
||||
|
||||
return false, nil
|
||||
}
|
||||
@@ -1,384 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package oidc
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/coreos/go-oidc/jose"
|
||||
"github.com/coreos/go-oidc/key"
|
||||
"github.com/coreos/go-oidc/oauth2"
|
||||
|
||||
oidctesting "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/testing"
|
||||
)
|
||||
|
||||
func clearCache() {
|
||||
cache = newClientCache()
|
||||
}
|
||||
|
||||
type persister struct{}
|
||||
|
||||
// we don't need to actually persist anything because there's no way for us to
|
||||
// read from a persister.
|
||||
func (p *persister) Persist(map[string]string) error { return nil }
|
||||
|
||||
type noRefreshOIDCClient struct{}
|
||||
|
||||
func (c *noRefreshOIDCClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
|
||||
return oauth2.TokenResponse{}, errors.New("alwaysErrOIDCClient: cannot refresh token")
|
||||
}
|
||||
|
||||
func (c *noRefreshOIDCClient) verifyJWT(jwt *jose.JWT) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
type mockOIDCClient struct {
|
||||
tokenResponse oauth2.TokenResponse
|
||||
}
|
||||
|
||||
func (c *mockOIDCClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
|
||||
return c.tokenResponse, nil
|
||||
}
|
||||
|
||||
func (c *mockOIDCClient) verifyJWT(jwt *jose.JWT) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func TestNewOIDCAuthProvider(t *testing.T) {
|
||||
tempDir, err := ioutil.TempDir(os.TempDir(), "oidc_test")
|
||||
if err != nil {
|
||||
t.Fatalf("Cannot make temp dir %v", err)
|
||||
}
|
||||
cert := path.Join(tempDir, "oidc-cert")
|
||||
key := path.Join(tempDir, "oidc-key")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert, key)
|
||||
op := oidctesting.NewOIDCProvider(t, "")
|
||||
srv, err := op.ServeTLSWithKeyPair(cert, key)
|
||||
if err != nil {
|
||||
t.Fatalf("Cannot start server %v", err)
|
||||
}
|
||||
defer srv.Close()
|
||||
|
||||
certData, err := ioutil.ReadFile(cert)
|
||||
if err != nil {
|
||||
t.Fatalf("Could not read cert bytes %v", err)
|
||||
}
|
||||
|
||||
makeToken := func(exp time.Time) *jose.JWT {
|
||||
jwt, err := jose.NewSignedJWT(jose.Claims(map[string]interface{}{
|
||||
"exp": exp.UTC().Unix(),
|
||||
}), op.PrivKey.Signer())
|
||||
if err != nil {
|
||||
t.Fatalf("Could not create signed JWT %v", err)
|
||||
}
|
||||
return jwt
|
||||
}
|
||||
|
||||
t0 := time.Now()
|
||||
|
||||
goodToken := makeToken(t0.Add(time.Hour)).Encode()
|
||||
expiredToken := makeToken(t0.Add(-time.Hour)).Encode()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
|
||||
cfg map[string]string
|
||||
wantInitErr bool
|
||||
|
||||
client OIDCClient
|
||||
wantCfg map[string]string
|
||||
wantTokenErr bool
|
||||
}{
|
||||
{
|
||||
// A Valid configuration
|
||||
name: "no id token and no refresh token",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
},
|
||||
wantTokenErr: true,
|
||||
},
|
||||
{
|
||||
name: "valid config with an initial token",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgIDToken: goodToken,
|
||||
},
|
||||
client: new(noRefreshOIDCClient),
|
||||
wantCfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgIDToken: goodToken,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid ID token with a refresh token",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgRefreshToken: "foo",
|
||||
cfgIDToken: expiredToken,
|
||||
},
|
||||
client: &mockOIDCClient{
|
||||
tokenResponse: oauth2.TokenResponse{
|
||||
IDToken: goodToken,
|
||||
},
|
||||
},
|
||||
wantCfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgRefreshToken: "foo",
|
||||
cfgIDToken: goodToken,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid ID token with a refresh token, server returns new refresh token",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgRefreshToken: "foo",
|
||||
cfgIDToken: expiredToken,
|
||||
},
|
||||
client: &mockOIDCClient{
|
||||
tokenResponse: oauth2.TokenResponse{
|
||||
IDToken: goodToken,
|
||||
RefreshToken: "bar",
|
||||
},
|
||||
},
|
||||
wantCfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgRefreshToken: "bar",
|
||||
cfgIDToken: goodToken,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "expired token and no refresh otken",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
cfgIDToken: expiredToken,
|
||||
},
|
||||
wantTokenErr: true,
|
||||
},
|
||||
{
|
||||
name: "valid base64d ca",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthorityData: base64.StdEncoding.EncodeToString(certData),
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "client-secret",
|
||||
},
|
||||
client: new(noRefreshOIDCClient),
|
||||
wantTokenErr: true,
|
||||
},
|
||||
{
|
||||
name: "missing client ID",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientSecret: "client-secret",
|
||||
},
|
||||
wantInitErr: true,
|
||||
},
|
||||
{
|
||||
name: "missing client secret",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
},
|
||||
wantInitErr: true,
|
||||
},
|
||||
{
|
||||
name: "missing issuer URL",
|
||||
cfg: map[string]string{
|
||||
cfgCertificateAuthority: cert,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "secret",
|
||||
},
|
||||
wantInitErr: true,
|
||||
},
|
||||
{
|
||||
name: "missing TLS config",
|
||||
cfg: map[string]string{
|
||||
cfgIssuerUrl: srv.URL,
|
||||
cfgClientID: "client-id",
|
||||
cfgClientSecret: "secret",
|
||||
},
|
||||
wantInitErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
clearCache()
|
||||
|
||||
p, err := newOIDCAuthProvider("cluster.example.com", tt.cfg, new(persister))
|
||||
if tt.wantInitErr {
|
||||
if err == nil {
|
||||
t.Errorf("%s: want non-nil err", tt.name)
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
t.Errorf("%s: unexpected error on newOIDCAuthProvider: %v", tt.name, err)
|
||||
continue
|
||||
}
|
||||
|
||||
provider := p.(*oidcAuthProvider)
|
||||
provider.client = tt.client
|
||||
provider.now = func() time.Time { return t0 }
|
||||
|
||||
if _, err := provider.idToken(); err != nil {
|
||||
if !tt.wantTokenErr {
|
||||
t.Errorf("%s: failed to get id token: %v", tt.name, err)
|
||||
}
|
||||
continue
|
||||
}
|
||||
if tt.wantTokenErr {
|
||||
t.Errorf("%s: expected to not get id token: %v", tt.name, err)
|
||||
continue
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(tt.wantCfg, provider.cfg) {
|
||||
t.Errorf("%s: expected config %#v got %#v", tt.name, tt.wantCfg, provider.cfg)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestVerifyJWTExpiry(t *testing.T) {
|
||||
privKey, err := key.GeneratePrivateKey()
|
||||
if err != nil {
|
||||
t.Fatalf("can't generate private key: %v", err)
|
||||
}
|
||||
makeToken := func(s string, exp time.Time, count int) *jose.JWT {
|
||||
jwt, err := jose.NewSignedJWT(jose.Claims(map[string]interface{}{
|
||||
"test": s,
|
||||
"exp": exp.UTC().Unix(),
|
||||
"count": count,
|
||||
}), privKey.Signer())
|
||||
if err != nil {
|
||||
t.Fatalf("Could not create signed JWT %v", err)
|
||||
}
|
||||
return jwt
|
||||
}
|
||||
|
||||
t0 := time.Now()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
jwt *jose.JWT
|
||||
now time.Time
|
||||
wantErr bool
|
||||
wantExpired bool
|
||||
}{
|
||||
{
|
||||
name: "valid jwt",
|
||||
jwt: makeToken("foo", t0.Add(time.Hour), 1),
|
||||
now: t0,
|
||||
},
|
||||
{
|
||||
name: "invalid jwt",
|
||||
jwt: &jose.JWT{},
|
||||
now: t0,
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "expired jwt",
|
||||
jwt: makeToken("foo", t0.Add(-time.Hour), 1),
|
||||
now: t0,
|
||||
wantExpired: true,
|
||||
},
|
||||
{
|
||||
name: "jwt expires soon enough to be marked expired",
|
||||
jwt: makeToken("foo", t0, 1),
|
||||
now: t0,
|
||||
wantExpired: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
func() {
|
||||
valid, err := verifyJWTExpiry(tc.now, tc.jwt.Encode())
|
||||
if err != nil {
|
||||
if !tc.wantErr {
|
||||
t.Errorf("%s: %v", tc.name, err)
|
||||
}
|
||||
return
|
||||
}
|
||||
if tc.wantErr {
|
||||
t.Errorf("%s: expected error", tc.name)
|
||||
return
|
||||
}
|
||||
|
||||
if valid && tc.wantExpired {
|
||||
t.Errorf("%s: expected token to be expired", tc.name)
|
||||
}
|
||||
if !valid && !tc.wantExpired {
|
||||
t.Errorf("%s: expected token to be valid", tc.name)
|
||||
}
|
||||
}()
|
||||
}
|
||||
}
|
||||
|
||||
func TestClientCache(t *testing.T) {
|
||||
cache := newClientCache()
|
||||
|
||||
if _, ok := cache.getClient("issuer1", "id1", "secret1"); ok {
|
||||
t.Fatalf("got client before putting one in the cache")
|
||||
}
|
||||
|
||||
cli1 := new(oidcAuthProvider)
|
||||
cli2 := new(oidcAuthProvider)
|
||||
|
||||
gotcli := cache.setClient("issuer1", "id1", "secret1", cli1)
|
||||
if cli1 != gotcli {
|
||||
t.Fatalf("set first client and got a different one")
|
||||
}
|
||||
|
||||
gotcli = cache.setClient("issuer1", "id1", "secret1", cli2)
|
||||
if cli1 != gotcli {
|
||||
t.Fatalf("set a second client and didn't get the first")
|
||||
}
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
// Initialize all known client auth plugins.
|
||||
_ "k8s.io/kubernetes/plugin/pkg/client/auth/gcp"
|
||||
_ "k8s.io/kubernetes/plugin/pkg/client/auth/oidc"
|
||||
)
|
||||
@@ -22,7 +22,6 @@ go_library(
|
||||
"//pkg/client/cache:go_default_library",
|
||||
"//pkg/client/clientset_generated/clientset:go_default_library",
|
||||
"//pkg/client/record:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/util:go_default_library",
|
||||
"//pkg/util/hash:go_default_library",
|
||||
"//pkg/util/workqueue:go_default_library",
|
||||
@@ -39,6 +38,7 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/sets",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/wait",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -35,13 +35,13 @@ go_test(
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//pkg/client/clientset_generated/clientset:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/util/testing:go_default_library",
|
||||
"//plugin/pkg/scheduler/api:go_default_library",
|
||||
"//plugin/pkg/scheduler/api/latest:go_default_library",
|
||||
"//plugin/pkg/scheduler/factory:go_default_library",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/sets",
|
||||
"//vendor:k8s.io/client-go/pkg/util/testing",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -25,11 +25,11 @@ import (
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
utiltesting "k8s.io/client-go/pkg/util/testing"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
utiltesting "k8s.io/kubernetes/pkg/util/testing"
|
||||
schedulerapi "k8s.io/kubernetes/plugin/pkg/scheduler/api"
|
||||
latestschedulerapi "k8s.io/kubernetes/plugin/pkg/scheduler/api/latest"
|
||||
"k8s.io/kubernetes/plugin/pkg/scheduler/factory"
|
||||
|
||||
@@ -16,10 +16,10 @@ go_library(
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -20,8 +20,8 @@ import (
|
||||
"time"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
)
|
||||
|
||||
type Policy struct {
|
||||
|
||||
@@ -16,11 +16,11 @@ go_library(
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//plugin/pkg/scheduler/api:go_default_library",
|
||||
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -20,8 +20,8 @@ import (
|
||||
"time"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
apiv1 "k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
)
|
||||
|
||||
type Policy struct {
|
||||
|
||||
@@ -25,8 +25,8 @@ import (
|
||||
"time"
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
"k8s.io/kubernetes/plugin/pkg/scheduler/algorithm"
|
||||
schedulerapi "k8s.io/kubernetes/plugin/pkg/scheduler/api"
|
||||
)
|
||||
|
||||
@@ -56,8 +56,6 @@ go_test(
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//pkg/client/cache:go_default_library",
|
||||
"//pkg/client/clientset_generated/clientset:go_default_library",
|
||||
"//pkg/client/restclient:go_default_library",
|
||||
"//pkg/util/testing:go_default_library",
|
||||
"//plugin/pkg/scheduler/algorithm:go_default_library",
|
||||
"//plugin/pkg/scheduler/api:go_default_library",
|
||||
"//plugin/pkg/scheduler/api/latest:go_default_library",
|
||||
@@ -65,6 +63,8 @@ go_test(
|
||||
"//plugin/pkg/scheduler/util:go_default_library",
|
||||
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime",
|
||||
"//vendor:k8s.io/client-go/pkg/util/testing",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -25,14 +25,14 @@ import (
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
utiltesting "k8s.io/client-go/pkg/util/testing"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/api/testapi"
|
||||
apitesting "k8s.io/kubernetes/pkg/api/testing"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/cache"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
utiltesting "k8s.io/kubernetes/pkg/util/testing"
|
||||
"k8s.io/kubernetes/plugin/pkg/scheduler/algorithm"
|
||||
schedulerapi "k8s.io/kubernetes/plugin/pkg/scheduler/api"
|
||||
latestschedulerapi "k8s.io/kubernetes/plugin/pkg/scheduler/api/latest"
|
||||
|
||||
Reference in New Issue
Block a user