kubernetes-client
diff --git a/‎kubernetes-client/package.yaml
Lines changed: 17 additions & 0 deletions b/‎kubernetes-client/package.yaml
Lines changed: 17 additions & 0 deletions
diff --git a/‎kubernetes-client/src/Kubernetes/Client/Auth/ClientCert.hs
Lines changed: 35 additions & 0 deletions b/‎kubernetes-client/src/Kubernetes/Client/Auth/ClientCert.hs
Lines changed: 35 additions & 0 deletions
diff --git a/‎kubernetes-client/src/Kubernetes/Client/Auth/GCP.hs
Lines changed: 108 additions & 0 deletions b/‎kubernetes-client/src/Kubernetes/Client/Auth/GCP.hs
Lines changed: 108 additions & 0 deletions
diff --git a/‎kubernetes-client/src/Kubernetes/Client/Auth/Internal/Types.hs
Lines changed: 9 additions & 0 deletions b/‎kubernetes-client/src/Kubernetes/Client/Auth/Internal/Types.hs
Lines changed: 9 additions & 0 deletions
diff --git a/‎kubernetes-client/src/Kubernetes/Client/Auth/OIDC.hs
Lines changed: 168 additions & 0 deletions b/‎kubernetes-client/src/Kubernetes/Client/Auth/OIDC.hs
Lines changed: 168 additions & 0 deletions
@@ -13,6 +13,8 @@ license: Apache-2.0
 license-file: LICENSE
 library:
   source-dirs: src
+  ghc-options:
+  - -Wall
 tests:
   spec:
     main: Spec.hs
@@ -27,26 +29,41 @@ tests:
     dependencies:
       - kubernetes-client
 extra-source-files:
+  - README.md
   - test/testdata/*
   - README.md
 dependencies:
   - base >=4.7 && <5.0
+  - base64-bytestring
   - bytestring >=0.10.0 && <0.11
   - aeson >=1.2.2 && <1.5
+  - attoparsec >=0.13.0.0 && <0.14
+  - jsonpath >=0.1.0.0 && <0.2
   - connection >=0.2.8
   - containers >= 0.6.0.1
   - data-default-class >=0.1.2.0
+  - either
+  - filepath
+  - hoauth2
   - http-client >=0.5 && <0.7
   - http-client-tls >=0.3.5.3
+  - jwt
   - kubernetes-client-core ==0.1.0.1
   - microlens >=0.4.3 && <0.5
   - mtl >=2.2.1
+  - oidc-client
   - pem >=0.2.4
   - safe-exceptions >=0.1.0.0
+  - stm
   - streaming-bytestring >= 0.1.5 && < 0.2.0
   - text >=0.11 && <1.3
+  - time
+  - timerep
   - tls >=1.4.1
+  - typed-process
+  - uri-bytestring
   - x509 >=1.7.5
   - x509-system >=1.6.6
   - x509-store >=1.6.7
   - x509-validation >=1.6.11
+  - yaml
@@ -0,0 +1,35 @@
+module Kubernetes.Client.Auth.ClientCert where
+
+import Data.Text.Encoding
+import Kubernetes.Client.Auth.Internal.Types
+import Kubernetes.Client.Internal.TLSUtils
+import Kubernetes.Client.KubeConfig
+import Kubernetes.OpenAPI                    (KubernetesClientConfig (..))
+import Network.TLS
+
+-- | Detects if kuebconfig file provides 'client-certificate', if it configures TLS client params with the client certificate
+clientCertFileAuth :: DetectAuth
+clientCertFileAuth auth (tlsParams, cfg) = do
+  certFile <- clientCertificate auth
+  keyFile <- clientKey auth
+  return $ do
+    cert <- credentialLoadX509 certFile keyFile >>= either error return
+    let newParams = (setClientCert cert tlsParams)
+        newCfg = (disableValidateAuthMethods cfg)
+    return (newParams, newCfg)
+
+-- | Detects if kuebconfig file provides 'client-certificate-data', if it configures TLS client params with the client certificate
+clientCertDataAuth :: DetectAuth
+clientCertDataAuth auth (tlsParams, cfg) = do
+  certB64 <- encodeUtf8 <$> clientCertificateData auth
+  keyB64 <- encodeUtf8 <$> clientKeyData auth
+  Just $  do
+    cert <- loadB64EncodedCert certB64 keyB64
+    let newParams = (setClientCert cert tlsParams)
+        newCfg = (disableValidateAuthMethods cfg)
+    return (newParams, newCfg)
+
+-- |Disables the client-side auth methods validation. This is necessary if you are using client cert authentication.
+disableValidateAuthMethods :: KubernetesClientConfig -> KubernetesClientConfig
+disableValidateAuthMethods kcfg = kcfg { configValidateAuthMethods = False }
+
@@ -0,0 +1,108 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards   #-}
+module Kubernetes.Client.Auth.GCP
+  ( gcpAuth )
+where
+
+import Control.Concurrent.STM
+import Data.Bifunctor                        (first)
+import Data.Either.Combinators
+import Data.Function                         ((&))
+import Data.JSONPath
+import Data.Map                              (Map)
+import Data.Text                             (Text)
+import Data.Time.Clock
+import Data.Time.LocalTime
+import Data.Time.RFC3339
+import Kubernetes.Client.Auth.Internal.Types
+import Kubernetes.Client.KubeConfig
+import Kubernetes.Data.K8sJSONPath
+import Kubernetes.OpenAPI.Core
+import System.Process.Typed
+
+import qualified Data.Aeson         as Aeson
+import qualified Data.Map           as Map
+import qualified Data.Text          as Text
+import qualified Data.Text.Encoding as Text
+import qualified Lens.Micro         as L
+
+-- TODO: Add support for scopes based token fetching
+data GCPAuth = GCPAuth { gcpAccessToken :: TVar(Maybe Text)
+                       , gcpTokenExpiry :: TVar(Maybe UTCTime)
+                       , gcpCmd         :: ProcessConfig () () ()
+                       , gcpTokenKey    :: [K8sPathElement]
+                       , gcpExpiryKey   :: [K8sPathElement]
+                       }
+
+instance AuthMethod GCPAuth where
+  applyAuthMethod _ gcp req = do
+    token <- getToken gcp >>= exceptEither
+    pure
+      $ setHeader req [("Authorization", "Bearer " <> (Text.encodeUtf8 token))]
+      & L.set rAuthTypesL []
+
+-- |Detects if auth-provier name is gcp, if it is configures the 'KubernetesClientConfig' with GCPAuth 'AuthMethod'
+gcpAuth :: DetectAuth
+gcpAuth AuthInfo{authProvider = Just(AuthProviderConfig "gcp" (Just cfg))} (tls, kubecfg)
+  = Just $ do
+      configOfErr <- parseGCPAuthInfo cfg
+      case configOfErr of
+        Left e    -> error $ Text.unpack e
+        Right gcp -> pure (tls, addAuthMethod kubecfg gcp)
+gcpAuth _ _ = Nothing
+
+exceptEither :: Either Text a -> IO a
+exceptEither (Right a) = pure a
+exceptEither (Left t)  = error (show t)
+
+getToken :: GCPAuth -> IO (Either Text Text)
+getToken g@(GCPAuth{..}) = getCurrentToken g
+                           >>= maybe (fetchToken g) (return . Right)
+
+getCurrentToken :: GCPAuth -> IO (Maybe Text)
+getCurrentToken (GCPAuth{..}) = do
+  now <- getCurrentTime
+  maybeExpiry <- atomically $ readTVar gcpTokenExpiry
+  maybeToken <- atomically $ readTVar gcpAccessToken
+  return $ do
+    expiry <- maybeExpiry
+    if expiry > now
+      then maybeToken
+      else Nothing
+
+-- TODO: log if parsed expiry is invalid
+fetchToken :: GCPAuth -> IO (Either Text Text)
+fetchToken GCPAuth{..} = do
+  (stdOut, _) <- readProcess_ gcpCmd
+  let credsJSON = Aeson.eitherDecode stdOut
+                    & first Text.pack
+      token =  runJSONPath gcpTokenKey =<< credsJSON
+      expText = runJSONPath gcpExpiryKey =<< credsJSON
+      expiry :: Either Text (Maybe UTCTime)
+      expiry = Just <$> (parseExpiryTime =<< expText)
+  atomically $ writeTVar gcpAccessToken (rightToMaybe token)
+  atomically $ writeTVar gcpTokenExpiry (either (const Nothing) id expiry)
+  return token
+
+parseGCPAuthInfo :: Map Text Text -> IO (Either Text GCPAuth)
+parseGCPAuthInfo m = do
+  gcpAccessToken <- atomically $ newTVar $ Map.lookup "access-token" m
+  case maybe (pure Nothing) ((Just <$>) . parseExpiryTime) $ Map.lookup "expiry" m of
+    (Left e) -> return $ Left e
+    Right t -> do
+      gcpTokenExpiry <- atomically $ newTVar t
+      return $ do
+        cmdPath <- Text.unpack <$> lookupEither m "cmd-path"
+        cmdArgs <- Text.splitOn " " <$> lookupEither m "cmd-args"
+        let gcpCmd = proc cmdPath (map Text.unpack cmdArgs)
+            gcpTokenKey = readJSONPath m "token-key" [JSONPath [KeyChild "token_expiry"]]
+            gcpExpiryKey = readJSONPath m "expiry-key" [JSONPath [KeyChild "access_token"]]
+        pure $ GCPAuth{..}
+
+lookupEither :: (Show key, Ord key) => Map key val -> key -> Either Text val
+lookupEither m k = maybeToRight e $ Map.lookup k m
+                   where e = "Couldn't find key: " <> (Text.pack $ show k) <> " in GCP auth info"
+
+parseExpiryTime :: Text -> Either Text UTCTime
+parseExpiryTime s = zonedTimeToUTC <$> parseTimeRFC3339 s
+                    & maybeToRight ("failed to parse token expiry time " <> s)
@@ -0,0 +1,9 @@
+module Kubernetes.Client.Auth.Internal.Types where
+
+import Network.TLS as TLS
+import Kubernetes.Client.KubeConfig
+import Kubernetes.OpenAPI (KubernetesClientConfig)
+
+type DetectAuth = AuthInfo
+                  -> (TLS.ClientParams, KubernetesClientConfig)
+                  -> Maybe (IO (TLS.ClientParams, KubernetesClientConfig))
@@ -0,0 +1,168 @@
+{-# LANGUAGE FlexibleContexts  #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards   #-}
+module Kubernetes.Client.Auth.OIDC
+  (oidcAuth, OIDCCache, cachedOIDCAuth)
+where
+
+import Control.Applicative
+import Control.Concurrent.STM
+import Data.Either.Combinators
+import Data.Function                         ((&))
+import Data.Map                              (Map)
+import Data.Maybe
+import Data.Text
+import Data.Time.Clock.POSIX                 (getPOSIXTime)
+import Kubernetes.Client.Auth.Internal.Types
+import Kubernetes.Client.Internal.TLSUtils
+import Kubernetes.Client.KubeConfig
+import Kubernetes.OpenAPI.Core
+import Network.HTTP.Client
+import Network.HTTP.Client.TLS
+import Network.OAuth.OAuth2                  as OAuth hiding (error)
+import Network.TLS                           as TLS
+import URI.ByteString
+import Web.JWT                               as JWT
+import Web.OIDC.Client.Discovery             as OIDC
+
+import qualified Data.ByteString        as BS
+import qualified Data.ByteString.Base64 as B64
+import qualified Data.Map               as Map
+import qualified Data.Text              as Text
+import qualified Data.Text.Encoding     as Text
+import qualified Lens.Micro             as L
+
+data OIDCAuth = OIDCAuth { issuerURL        :: Text
+                         , clientID         :: Text
+                         , clientSecret     :: Text
+                         , tlsParams        :: TLS.ClientParams
+                         , idTokenMVar      :: TVar(Maybe Text)
+                         , refreshTokenMVar :: TVar(Maybe Text)
+                         }
+
+-- | Cache OIDCAuth based on issuerURL and clientID.
+type OIDCCache = TVar (Map (Text, Text) OIDCAuth)
+
+instance AuthMethod OIDCAuth where
+  applyAuthMethod _ oidc req = do
+    token <- getToken oidc
+    pure
+      $ setHeader req [("Authorization", "Bearer " <> (Text.encodeUtf8 token))]
+      & L.set rAuthTypesL []
+
+-- TODO: Consider a token expired few seconds before actual expiry to account for time skew
+getToken :: OIDCAuth -> IO Text
+getToken o@(OIDCAuth{..}) = do
+  now <- getPOSIXTime
+  mgr <- newManager tlsManagerSettings
+  idToken <- atomically $ readTVar idTokenMVar
+  let maybeExp = idToken
+                 & (>>= decode)
+                 & (fmap claims)
+                 & (>>= JWT.exp)
+                 & (fmap secondsSinceEpoch)
+      isValidToken = fromMaybe False (fmap (now <) maybeExp)
+  if not isValidToken
+    then fetchToken mgr o
+    else return $ fromMaybe (error "impossible") idToken
+
+fetchToken :: Manager -> OIDCAuth -> IO Text
+fetchToken mgr o@(OIDCAuth{..}) = do
+  maybeToken <- atomically $ readTVar refreshTokenMVar
+  case maybeToken of
+    Nothing -> error "cannot refresh id-token without a refresh token"
+    Just token -> do
+      tokenEndpoint <- fetchTokenEndpoint mgr o
+      tokenURI <- exceptEither $ parseURI strictURIParserOptions (Text.encodeUtf8 tokenEndpoint)
+      let oauth = OAuth2{ oauthClientId = clientID
+                        , oauthClientSecret = clientSecret
+                        , oauthAccessTokenEndpoint = tokenURI
+                        , oauthOAuthorizeEndpoint = tokenURI
+                        , oauthCallback = Nothing
+                        }
+      oauthToken <- refreshAccessToken mgr oauth (RefreshToken token)
+                    >>= exceptEither
+      case OAuth.idToken oauthToken of
+        Nothing -> error "token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response."
+        Just (IdToken t) -> do
+          _ <- atomically $ writeTVar idTokenMVar (Just t)
+          return t
+
+fetchTokenEndpoint :: Manager -> OIDCAuth -> IO Text
+fetchTokenEndpoint mgr OIDCAuth{..} = do
+  discover issuerURL mgr
+    & (fmap configuration)
+    & (fmap tokenEndpoint)
+
+exceptEither :: Show b => Either b a -> IO a
+exceptEither (Right a) = pure a
+exceptEither (Left t)  = error (show t)
+
+{-
+   Detects if auth-provier name is oidc, if it is configures the 'KubernetesClientConfig' with OIDCAuth 'AuthMethod'.
+   Does not use cache, consider using 'cachedOIDCAuth'.
+-}
+oidcAuth :: DetectAuth
+oidcAuth AuthInfo{authProvider = Just(AuthProviderConfig "oidc" (Just cfg))} (tls, kubecfg)
+  = Just
+    $ parseOIDCAuthInfo cfg
+    >>= either error (\oidc -> pure (tls, addAuthMethod kubecfg oidc))
+oidcAuth _ _ = Nothing
+
+-- TODO: Consider doing this whole function atomically, as two threads may miss the cache simultaneously
+{-
+   Detects if auth-provier name is oidc, if it is configures the 'KubernetesClientConfig' with OIDCAuth 'AuthMethod'.
+   First looks for Auth information to be present in 'OIDCCache'. If found returns that, otherwise creates new Auth information and persists it in cache.
+-}
+cachedOIDCAuth :: OIDCCache -> DetectAuth
+cachedOIDCAuth cache AuthInfo{authProvider = Just(AuthProviderConfig "oidc" (Just cfg))} (tls, kubecfg) = Just $ do
+  m <- atomically $ readTVar cache
+  o <- case findInCache m cfg of
+    Left e -> error e
+    Right (Just o) -> return o
+    Right Nothing -> do
+      o@(OIDCAuth{..}) <- either error pure =<< parseOIDCAuthInfo cfg
+      let newCache = Map.insert (issuerURL, clientID) o m
+      _ <- atomically $ swapTVar cache newCache
+      return o
+  pure (tls, addAuthMethod kubecfg o)
+cachedOIDCAuth _ _ _ = Nothing
+
+findInCache :: Map (Text, Text) a -> Map Text Text -> Either String (Maybe a)
+findInCache cache cfg = do
+  issuerURL <- lookupEither cfg "idp-issuer-url"
+  clientID <- lookupEither cfg "client-id"
+  return $ Map.lookup (issuerURL, clientID) cache
+
+parseOIDCAuthInfo :: Map Text Text -> IO (Either String OIDCAuth)
+parseOIDCAuthInfo m = do
+  eitherTLSParams <- parseCA m
+  idTokenMVar <- atomically $ newTVar $ Map.lookup "id-token" m
+  refreshTokenMVar <- atomically $ newTVar $ Map.lookup "refresh-token" m
+  return $ do
+    tlsParams <- eitherTLSParams
+    issuerURL <- lookupEither m "idp-issuer-url"
+    clientID <- lookupEither m "client-id"
+    clientSecret <- lookupEither m "client-secret"
+    return OIDCAuth{..}
+
+parseCA :: Map Text Text -> IO (Either String TLS.ClientParams)
+parseCA m = do
+  t <- defaultTLSClientParams
+  fromMaybe (pure $ pure t) (parseCAFile t m <|> parseCAData t m)
+
+parseCAFile :: TLS.ClientParams -> Map Text Text -> Maybe (IO (Either String TLS.ClientParams))
+parseCAFile t m = do
+  caFile <- Text.unpack <$> Map.lookup "idp-certificate-authority" m
+  return $ updateClientParams t <$> BS.readFile caFile
+
+parseCAData :: TLS.ClientParams -> Map Text Text -> Maybe (IO (Either String TLS.ClientParams))
+parseCAData t m = do
+  caText <- Map.lookup "idp-certificate-authority-data" m
+  pure . pure
+    $ (B64.decode $ Text.encodeUtf8 caText)
+    >>= updateClientParams t
+
+lookupEither :: (Show key, Ord key) => Map key val -> key -> Either String val
+lookupEither m k = maybeToRight e $ Map.lookup k m
+                   where e = "Couldn't find key: " <> show k <> " in OIDC auth info"