Merge branch 'master' into fix/refresh-token-if-empty

macrozone · macrozone · commit 35df1adf46e5 · 2019-01-15T10:21:49.000+01:00
diff --git a/src/config.ts b/src/config.ts
@@ -13,6 +13,16 @@ import { CloudAuth } from './cloud_auth';
 import { Cluster, Context, newClusters, newContexts, newUsers, User } from './config_types';
 import { ExecAuth } from './exec_auth';
 
+// fs.existsSync was removed in node 10
+function fileExists(filepath: string): boolean {
+    try {
+        fs.accessSync(filepath);
+        return true;
+    // tslint:disable-next-line:no-empty
+    } catch (ignore) { }
+    return false;
+}
+
 export class KubeConfig {
     private static authenticators: Authenticator[] = [
         new CloudAuth(),
@@ -197,12 +207,10 @@ export class KubeConfig {
         const home = findHomeDir();
         if (home) {
             const config = path.join(home, '.kube', 'config');
-            try {
-                fs.accessSync(config);
+            if (fileExists(config)) {
                 this.loadFromFile(config);
                 return;
-            // tslint:disable-next-line:no-empty
-            } catch (ignore) {}
+            }
         }
         if (process.platform === 'win32' && shelljs.which('wsl.exe')) {
             // TODO: Handle if someome set $KUBECONFIG in wsl here...
@@ -213,12 +221,10 @@ export class KubeConfig {
             }
         }
 
-        try {
-            fs.accessSync(Config.SERVICEACCOUNT_TOKEN_PATH);
+        if (fileExists(Config.SERVICEACCOUNT_TOKEN_PATH)) {
             this.loadFromCluster();
             return;
-        // tslint:disable-next-line:no-empty
-        } catch (ignore) {}
+        }
 
         this.loadFromClusterAndUser(
             { name: 'cluster', server: 'http://localhost:8080' } as Cluster,
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -702,7 +702,7 @@ describe('KubeConfig', () => {
         it('should exec with exec auth and env vars', () => {
             const config = new KubeConfig();
             const token = 'token';
-            const responseStr = `'{ "token": "${token}" }'`;
+            const responseStr = `'{"status": { "token": "${token}" }}'`;
             config.loadFromClusterAndUser(
                 { skipTLSVerify: false } as Cluster,
                 {
@@ -733,7 +733,13 @@ describe('KubeConfig', () => {
         it('should exec with exec auth', () => {
             const config = new KubeConfig();
             const token = 'token';
-            const responseStr = `'{ "token": "${token}" }'`;
+            const responseStr = `'{
+                "apiVersion": "client.authentication.k8s.io/v1beta1",
+                "kind": "ExecCredential",
+                "status": {
+                  "token": "${token}"
+                }
+              }'`;
             config.loadFromClusterAndUser(
                 { skipTLSVerify: false } as Cluster,
                 {
diff --git a/src/exec_auth.ts b/src/exec_auth.ts
@@ -4,12 +4,26 @@ import { Authenticator } from './auth';
 import { User } from './config_types';
 
 export class ExecAuth implements Authenticator {
+    private readonly tokenCache: { [key: string]: any } = {};
+
     public isAuthProvider(user: User) {
         return user.authProvider.name === 'exec' ||
             (user.authProvider.config && user.authProvider.config.exec);
     }
 
     public getToken(user: User): string | null {
+        // TODO: Handle client cert auth here, requires auth refactor.
+        // See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#input-and-output-formats
+        // for details on this protocol.
+        // TODO: Add a unit test for token caching.
+        const cachedToken = this.tokenCache[user.name];
+        if (cachedToken) {
+            const date = Date.parse(cachedToken.status.expirationTimestamp);
+            if (date < Date.now()) {
+                return `Bearer ${cachedToken.status.token}`;
+            }
+            this.tokenCache[user.name] = null;
+        }
         const config = user.authProvider.config;
         if (!config.exec.command) {
             throw new Error('No command was specified for exec authProvider!');
@@ -27,7 +41,8 @@ export class ExecAuth implements Authenticator {
         const result = shell.exec(cmd, opts);
         if (result.code === 0) {
             const obj = JSON.parse(result.stdout);
-            return `Bearer ${obj.token}`;
+            this.tokenCache[user.name] = obj;
+            return `Bearer ${obj.status.token}`;
         }
         throw new Error(result.stderr);
     }
diff --git a/src/oidc_auth.ts b/src/oidc_auth.ts
@@ -0,0 +1,20 @@
+import { Authenticator } from './auth';
+import { User } from './config_types';
+
+export class OpenIDConnectAuth implements Authenticator {
+    public isAuthProvider(user: User): boolean {
+        if (!user.authProvider) {
+            return false;
+        }
+        return user.authProvider.name === 'oidc';
+    }
+
+    public getToken(user: User): string | null {
+        if (!user.authProvider.config || !user.authProvider.config['id-token']) {
+            return null;
+        }
+        // TODO: Handle expiration and refresh here...
+        // TODO: Extract the 'Bearer ' to config.ts?
+        return `Bearer ${user.authProvider.config['id-token']}`;
+    }
+}
diff --git a/src/oidc_auth_test.ts b/src/oidc_auth_test.ts
@@ -0,0 +1,59 @@
+import { expect } from 'chai';
+
+import { User } from './config_types';
+import { OpenIDConnectAuth } from './oidc_auth';
+
+describe('OIDCAuth', () => {
+    const auth = new OpenIDConnectAuth();
+    it('should be true for oidc user', () => {
+        const user = {
+            authProvider: {
+                name: 'oidc',
+            },
+        } as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(true);
+    });
+
+    it('should be false for other user', () => {
+        const user = {
+            authProvider: {
+                name: 'azure',
+            },
+        } as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(false);
+    });
+
+    it('should be false for null user.authProvider', () => {
+        const user = {} as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(false);
+    });
+
+    it('get a token if present', () => {
+        const token = 'some token';
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': token,
+                },
+            },
+        } as User;
+
+        expect(auth.getToken(user)).to.equal(`Bearer ${token}`);
+    });
+
+    it('get null if token missing', () => {
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                },
+            },
+        } as User;
+
+        expect(auth.getToken(user)).to.equal(null);
+    });
+});
