Merge pull request #168 from brendandburns/exec

k8s-ci-robot · web-flow · commit 4e93cbe16bd0 · 2019-01-14T17:05:16.000-08:00
Fix Exec implementation, improve tests.
diff --git a/src/config.ts b/src/config.ts
@@ -13,6 +13,16 @@ import { CloudAuth } from './cloud_auth';
 import { Cluster, Context, newClusters, newContexts, newUsers, User } from './config_types';
 import { ExecAuth } from './exec_auth';
 
+// fs.existsSync was removed in node 10
+function fileExists(filepath: string): boolean {
+    try {
+        fs.accessSync(filepath);
+        return true;
+    // tslint:disable-next-line:no-empty
+    } catch (ignore) { }
+    return false;
+}
+
 export class KubeConfig {
     private static authenticators: Authenticator[] = [
         new CloudAuth(),
@@ -197,12 +207,10 @@ export class KubeConfig {
         const home = findHomeDir();
         if (home) {
             const config = path.join(home, '.kube', 'config');
-            try {
-                fs.accessSync(config);
+            if (fileExists(config)) {
                 this.loadFromFile(config);
                 return;
-            // tslint:disable-next-line:no-empty
-            } catch (ignore) {}
+            }
         }
         if (process.platform === 'win32' && shelljs.which('wsl.exe')) {
             // TODO: Handle if someome set $KUBECONFIG in wsl here...
@@ -213,12 +221,10 @@ export class KubeConfig {
             }
         }
 
-        try {
-            fs.accessSync(Config.SERVICEACCOUNT_TOKEN_PATH);
+        if (fileExists(Config.SERVICEACCOUNT_TOKEN_PATH)) {
             this.loadFromCluster();
             return;
-        // tslint:disable-next-line:no-empty
-        } catch (ignore) {}
+        }
 
         this.loadFromClusterAndUser(
             { name: 'cluster', server: 'http://localhost:8080' } as Cluster,
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -654,7 +654,7 @@ describe('KubeConfig', () => {
         it('should exec with exec auth and env vars', () => {
             const config = new KubeConfig();
             const token = 'token';
-            const responseStr = `'{ "token": "${token}" }'`;
+            const responseStr = `'{"status": { "token": "${token}" }}'`;
             config.loadFromClusterAndUser(
                 { skipTLSVerify: false } as Cluster,
                 {
@@ -685,7 +685,13 @@ describe('KubeConfig', () => {
         it('should exec with exec auth', () => {
             const config = new KubeConfig();
             const token = 'token';
-            const responseStr = `'{ "token": "${token}" }'`;
+            const responseStr = `'{
+                "apiVersion": "client.authentication.k8s.io/v1beta1",
+                "kind": "ExecCredential",
+                "status": {
+                  "token": "${token}"
+                }
+              }'`;
             config.loadFromClusterAndUser(
                 { skipTLSVerify: false } as Cluster,
                 {
diff --git a/src/exec_auth.ts b/src/exec_auth.ts
@@ -4,12 +4,26 @@ import { Authenticator } from './auth';
 import { User } from './config_types';
 
 export class ExecAuth implements Authenticator {
+    private readonly tokenCache: { [key: string]: any } = {};
+
     public isAuthProvider(user: User) {
         return user.authProvider.name === 'exec' ||
             (user.authProvider.config && user.authProvider.config.exec);
     }
 
     public getToken(user: User): string | null {
+        // TODO: Handle client cert auth here, requires auth refactor.
+        // See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#input-and-output-formats
+        // for details on this protocol.
+        // TODO: Add a unit test for token caching.
+        const cachedToken = this.tokenCache[user.name];
+        if (cachedToken) {
+            const date = Date.parse(cachedToken.status.expirationTimestamp);
+            if (date < Date.now()) {
+                return `Bearer ${cachedToken.status.token}`;
+            }
+            this.tokenCache[user.name] = null;
+        }
         const config = user.authProvider.config;
         if (!config.exec.command) {
             throw new Error('No command was specified for exec authProvider!');
@@ -27,7 +41,8 @@ export class ExecAuth implements Authenticator {
         const result = shell.exec(cmd, opts);
         if (result.code === 0) {
             const obj = JSON.parse(result.stdout);
-            return `Bearer ${obj.token}`;
+            this.tokenCache[user.name] = obj;
+            return `Bearer ${obj.status.token}`;
         }
         throw new Error(result.stderr);
     }
