Merge pull request #882 from brendandburns/tsc

k8s-ci-robot · web-flow · commit 45b68c98e62b · 2022-09-30T16:50:12.000-07:00
Defer loading of OIDC until it's actually used.
diff --git a/src/config.ts b/src/config.ts
@@ -26,7 +26,7 @@ import {
 import { ExecAuth } from './exec_auth';
 import { FileAuth } from './file_auth';
 import { GoogleCloudPlatformAuth } from './gcp_auth';
-import { OpenIDConnectAuth } from './oidc_auth';
+import { DelayedOpenIDConnectAuth } from './oidc_auth_delayed';
 
 // fs.existsSync was removed in node 10
 function fileExists(filepath: string): boolean {
@@ -44,7 +44,7 @@ export class KubeConfig {
         new GoogleCloudPlatformAuth(),
         new ExecAuth(),
         new FileAuth(),
-        new OpenIDConnectAuth(),
+        new DelayedOpenIDConnectAuth(),
     ];
 
     /**
diff --git a/src/oidc_auth_delayed.ts b/src/oidc_auth_delayed.ts
@@ -0,0 +1,35 @@
+import https = require('https');
+import request = require('request');
+
+import { Authenticator } from './auth';
+import { User } from './config_types';
+
+export class DelayedOpenIDConnectAuth implements Authenticator {
+    private delegate?: Authenticator;
+
+    public constructor() {
+        this.delegate = undefined;
+    }
+
+    public isAuthProvider(user: User): boolean {
+        if (!user.authProvider) {
+            return false;
+        }
+        return user.authProvider.name === 'oidc';
+    }
+
+    /**
+     * Setup the authentication header for oidc authed clients
+     * @param user user info
+     * @param opts request options
+     * @param overrideClient for testing, a preconfigured oidc client
+     */
+    public async applyAuthentication(
+        user: User,
+        opts: request.Options | https.RequestOptions,
+        overrideClient?: any,
+    ): Promise<void> {
+        const oidc = await import('./oidc_auth');
+        return new oidc.OpenIDConnectAuth().applyAuthentication(user, opts, overrideClient);
+    }
+}
diff --git a/src/oidc_auth_delayed_test.ts b/src/oidc_auth_delayed_test.ts
@@ -0,0 +1,178 @@
+import { expect } from 'chai';
+import * as request from 'request';
+import { base64url } from 'rfc4648';
+import { TextEncoder } from 'util';
+
+import { User } from './config_types';
+import { DelayedOpenIDConnectAuth } from './oidc_auth_delayed';
+
+function encode(value: string): string {
+    return base64url.stringify(new TextEncoder().encode(value));
+}
+
+function makeJWT(header: string, payload: object, signature: string): string {
+    return encode(header) + '.' + encode(JSON.stringify(payload)) + '.' + encode(signature);
+}
+
+describe('OIDCAuth', () => {
+    var auth: DelayedOpenIDConnectAuth;
+    beforeEach(() => {
+        auth = new DelayedOpenIDConnectAuth();
+    });
+
+    it('should be true for oidc user', () => {
+        const user = {
+            authProvider: {
+                name: 'oidc',
+            },
+        } as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(true);
+    });
+
+    it('should be false for other user', () => {
+        const user = {
+            authProvider: {
+                name: 'azure',
+            },
+        } as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(false);
+    });
+
+    it('should be false for null user.authProvider', () => {
+        const user = {} as User;
+
+        expect(auth.isAuthProvider(user)).to.equal(false);
+    });
+
+    it('authorization should be undefined if token missing', async () => {
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'client-id': 'id',
+                    'client-secret': 'clientsecret',
+                    'refresh-token': 'refreshtoken',
+                    'idp-issuer-url': 'https://www.google.com/',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        await auth.applyAuthentication(user, opts);
+        expect(opts.headers.Authorization).to.be.undefined;
+    });
+
+    it('authorization should be undefined if client-id missing', async () => {
+        const past = 100;
+        const token = makeJWT('{}', { exp: past }, 'fake');
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': token,
+                    'client-secret': 'clientsecret',
+                    'refresh-token': 'refreshtoken',
+                    'idp-issuer-url': 'https://www.google.com/',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        await auth.applyAuthentication(user, opts);
+        expect(opts.headers.Authorization).to.be.undefined;
+    });
+
+    it('authorization should be work if client-secret missing', async () => {
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': 'fakeToken',
+                    'client-id': 'id',
+                    'refresh-token': 'refreshtoken',
+                    'idp-issuer-url': 'https://www.google.com/',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        (auth as any).currentTokenExpiration = Date.now() / 1000 + 1000;
+        await auth.applyAuthentication(user, opts, {
+            refresh: () => {
+                return {
+                    id_token: 'fakeToken',
+                    refresh_token: 'fakerToken',
+                };
+            },
+        });
+        expect(opts.headers.Authorization).to.equal('Bearer fakeToken');
+    });
+
+    it('authorization should be undefined if refresh-token missing', async () => {
+        const past = 100;
+        const token = makeJWT('{}', { exp: past }, 'fake');
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': token,
+                    'client-id': 'id',
+                    'client-secret': 'clientsecret',
+                    'idp-issuer-url': 'https://www.google.com/',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        await auth.applyAuthentication(user, opts);
+        expect(opts.headers.Authorization).to.be.undefined;
+    });
+
+    it('authorization should work if refresh-token missing but token is unexpired', async () => {
+        const future = Date.now() / 1000 + 1000000;
+        const token = makeJWT('{}', { exp: future }, 'fake');
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': token,
+                    'client-id': 'id',
+                    'client-secret': 'clientsecret',
+                    'idp-issuer-url': 'https://www.google.com/',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        await auth.applyAuthentication(user, opts);
+        expect(opts.headers.Authorization).to.equal(`Bearer ${token}`);
+    });
+
+    it('authorization should be undefined if idp-issuer-url missing', async () => {
+        const past = 100;
+        const token = makeJWT('{}', { exp: past }, 'fake');
+        const user = {
+            authProvider: {
+                name: 'oidc',
+                config: {
+                    'id-token': token,
+                    'client-id': 'id',
+                    'client-secret': 'clientsecret',
+                    'refresh-token': 'refreshtoken',
+                },
+            },
+        } as User;
+
+        const opts = {} as request.Options;
+        opts.headers = [];
+        await auth.applyAuthentication(user, opts, {});
+        expect(opts.headers.Authorization).to.be.undefined;
+    });
+});
