Merge pull request #158 from brendandburns/auth

k8s-ci-robot · web-flow · commit d9987e4cfdc6 · 2018-12-06T00:34:41.000-08:00
Add support for exec based auth.
diff --git a/package.json b/package.json
@@ -49,7 +49,6 @@
     "base-64": "^0.1.0",
     "bluebird": "^3.5.2",
     "byline": "^5.0.0",
-    "execa": "^1.0.0",
     "isomorphic-ws": "^4.0.1",
     "js-yaml": "^3.12.0",
     "jsonpath": "^1.0.0",
diff --git a/src/auth.ts b/src/auth.ts
@@ -0,0 +1,6 @@
+import { User } from './config_types';
+
+export interface Authenticator {
+    isAuthProvider(user: User): boolean;
+    getToken(user: User): string | null;
+}
diff --git a/src/cloud_auth.ts b/src/cloud_auth.ts
@@ -0,0 +1,57 @@
+// workaround for issue https://github.com/dchester/jsonpath/issues/96
+import jsonpath = require('jsonpath/jsonpath.min');
+import * as shelljs from 'shelljs';
+
+import { Authenticator } from './auth';
+import { User } from './config_types';
+
+export class CloudAuth implements Authenticator {
+    public isAuthProvider(user: User): boolean {
+        return user.authProvider.name === 'azure' ||
+            user.authProvider.name === 'gcp';
+    }
+
+    public getToken(user: User): string | null {
+        const config = user.authProvider.config;
+        // This should probably be extracted as auth-provider specific plugins...
+        let token: string = 'Bearer ' + config['access-token'];
+        const expiry = config.expiry;
+
+        if (expiry) {
+            const expiration = Date.parse(expiry);
+            if (expiration < Date.now()) {
+                if (config['cmd-path']) {
+                    const args = config['cmd-args'];
+                    // TODO: Cache to file?
+                    // TODO: do this asynchronously
+                    let result: any;
+                    try {
+                        let cmd = config['cmd-path'];
+                        if (args) {
+                            cmd = `${cmd} ${args}`;
+                        }
+                        result = shelljs.exec(cmd);
+                        if (result.code !== 0) {
+                            throw new Error(`Failed to refresh token: ${result.stderr}`);
+                        }
+                    } catch (err) {
+                        throw new Error('Failed to refresh token: ' + err.message);
+                    }
+
+                    const output = result.stdout.toString();
+                    const resultObj = JSON.parse(output);
+
+                    let pathKey = config['token-key'];
+                    // Format in file is {<query>}, so slice it out and add '$'
+                    pathKey = '$' + pathKey.slice(1, -1);
+
+                    config['access-token'] = jsonpath.query(resultObj, pathKey);
+                    token = 'Bearer ' + config['access-token'];
+                } else {
+                    throw new Error('Token is expired!');
+                }
+            }
+        }
+        return token;
+    }
+}
diff --git a/src/config.ts b/src/config.ts
@@ -3,15 +3,15 @@ import https = require('https');
 import path = require('path');
 
 import base64 = require('base-64');
-import execa = require('execa');
 import yaml = require('js-yaml');
-// workaround for issue https://github.com/dchester/jsonpath/issues/96
-import jsonpath = require('jsonpath/jsonpath.min');
 import request = require('request');
 import shelljs = require('shelljs');
 
-import api = require('./api');
+import * as api from './api';
+import { Authenticator } from './auth';
+import { CloudAuth } from './cloud_auth';
 import { Cluster, Context, newClusters, newContexts, newUsers, User } from './config_types';
+import { ExecAuth } from './exec_auth';
 
 export class KubeConfig {
     // Only public for testing.
@@ -49,6 +49,11 @@ export class KubeConfig {
         return null;
     }
 
+    private static authenticators: Authenticator[] = [
+        new CloudAuth(),
+        new ExecAuth(),
+    ];
+
     /**
      * The list of all known clusters
      */
@@ -301,41 +306,12 @@ export class KubeConfig {
         let token: string | null = null;
 
         if (user.authProvider && user.authProvider.config) {
-            const config = user.authProvider.config;
-            // This should probably be extracted as auth-provider specific plugins...
-            token = 'Bearer ' + config['access-token'];
-            const expiry = config.expiry;
-
-            if (expiry) {
-                const expiration = Date.parse(expiry);
-                if (expiration < Date.now()) {
-                    if (config['cmd-path']) {
-                        const args = config['cmd-args'] ? [config['cmd-args']] : [];
-                        // TODO: Cache to file?
-                        // TODO: do this asynchronously
-                        let result: execa.ExecaReturns;
-
-                        try {
-                            result = execa.sync(config['cmd-path'], args);
-                        } catch (err) {
-                            throw new Error('Failed to refresh token: ' + err.message);
-                        }
-
-                        const output = result.stdout.toString();
-                        const resultObj = JSON.parse(output);
-
-                        let pathKey = config['token-key'];
-                        // Format in file is {<query>}, so slice it out and add '$'
-                        pathKey = '$' + pathKey.slice(1, -1);
-
-                        config['access-token'] = jsonpath.query(resultObj, pathKey);
-                        token = 'Bearer ' + config['access-token'];
-                    } else {
-                        throw new Error('Token is expired!');
+            KubeConfig.authenticators.forEach(
+                (authenticator: Authenticator) => {
+                    if (authenticator.isAuthProvider(user)) {
+                        token = authenticator.getToken(user);
                     }
-                }
-            }
-
+                });
         }
 
         if (user.token) {
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -523,6 +523,7 @@ describe('KubeConfig', () => {
                 { skipTLSVerify: false } as Cluster,
                 {
                     authProvider: {
+                        name: 'azure',
                         config: {
                             'access-token': token,
                             'expiry': 'Fri Aug 24 07:32:05 PDT 3018',
@@ -548,6 +549,7 @@ describe('KubeConfig', () => {
                 { skipTLSVerify: false } as Cluster,
                 {
                     authProvider: {
+                        name: 'azure',
                         config: {
                             'access-token': token,
                         },
@@ -568,6 +570,7 @@ describe('KubeConfig', () => {
                 { skipTLSVerify: false } as Cluster,
                 {
                     authProvider: {
+                        name: 'azure',
                         config: {
                             expiry: 'Aug 24 07:32:05 PDT 2017',
                         },
@@ -584,6 +587,7 @@ describe('KubeConfig', () => {
                 { skipTLSVerify: false } as Cluster,
                 {
                     authProvider: {
+                        name: 'azure',
                         config: {
                             'expiry': 'Aug 24 07:32:05 PDT 2017',
                             'cmd-path': 'non-existent-command',
@@ -592,7 +596,7 @@ describe('KubeConfig', () => {
                 } as User);
             const opts = {} as requestlib.Options;
             expect(() => config.applyToRequest(opts)).to.throw(
-                'Failed to refresh token: spawnSync non-existent-command ENOENT');
+                'Failed to refresh token: /bin/sh: 1: non-existent-command: not found');
         });
 
         it('should exec with expired token', () => {
@@ -603,10 +607,11 @@ describe('KubeConfig', () => {
                 { skipTLSVerify: false } as Cluster,
                 {
                     authProvider: {
+                        name: 'azure',
                         config: {
                             'expiry': 'Aug 24 07:32:05 PDT 2017',
                             'cmd-path': 'echo',
-                            'cmd-args': `${responseStr}`,
+                            'cmd-args': `'${responseStr}'`,
                             'token-key': '{.token.accessToken}',
                         },
                     },
@@ -618,6 +623,38 @@ describe('KubeConfig', () => {
                 expect(opts.headers.Authorization).to.equal(`Bearer ${token}`);
             }
         });
+
+        it('should exec with exec auth', () => {
+            const config = new KubeConfig();
+            const token = 'token';
+            const responseStr = `'{ "token": "${token}" }'`;
+            config.loadFromClusterAndUser(
+                { skipTLSVerify: false } as Cluster,
+                {
+                    authProvider: {
+                        name: 'exec',
+                        config: {
+                            exec: {
+                                command: 'echo',
+                                args: [`${responseStr}`],
+                                env: [
+                                    {
+                                        name: 'foo',
+                                        value: 'bar',
+                                    },
+                                ],
+                            },
+                        },
+                    },
+                } as User);
+            // TODO: inject the exec command here?
+            const opts = {} as requestlib.Options;
+            config.applyToRequest(opts);
+            expect(opts.headers).to.not.be.undefined;
+            if (opts.headers) {
+                expect(opts.headers.Authorization).to.equal(`Bearer ${token}`);
+            }
+        });
     });
 
     describe('loadFromDefault', () => {
diff --git a/src/exec_auth.ts b/src/exec_auth.ts
@@ -0,0 +1,36 @@
+import * as shell from 'shelljs';
+
+import { Authenticator } from './auth';
+import { User } from './config_types';
+
+export class ExecAuth implements Authenticator {
+    public isAuthProvider(user: User) {
+        return user.authProvider.name === 'exec' ||
+            (user.authProvider.config && user.authProvider.config.exec);
+    }
+
+    public getToken(user: User): string | null {
+        const config = user.authProvider.config;
+        if (!config.exec.command) {
+            throw new Error('No command was specified for exec authProvider!');
+        }
+        let cmd = config.exec.command;
+        if (config.exec.args) {
+            cmd = `${cmd} ${config.exec.args.join(' ')}`;
+        }
+        let opts: shell.ExecOpts;
+        if (config.exec.env) {
+            const env = {};
+            if (config.exec.env) {
+                config.exec.env.forEach((elt) => env[elt.name] = elt.value);
+            }
+            opts = { env };
+        }
+        const result = shell.exec(cmd, opts);
+        if (result.code === 0) {
+            const obj = JSON.parse(result.stdout);
+            return `Bearer ${obj.token}`;
+        }
+        throw new Error(result.stderr);
+    }
+}
