Refactored execCredentialForImpersonationProxy to be shared
This commit is contained in:
Margo Crawford
parent
2f891b4bfb
commit
12e41d783f
@ -189,7 +189,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
|
||||
if concierge != nil && flags.useImpersonationProxy {
|
||||
// Put the token into a TokenCredentialRequest
|
||||
// put the TokenCredentialRequest in an ExecCredential
|
||||
req, err := execCredentialForImpersonationProxy(token, flags)
|
||||
req, err := execCredentialForImpersonationProxy(token.IDToken.Token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, token.IDToken.Expiry)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -257,10 +257,16 @@ func mustGetConfigDir() string {
|
||||
return filepath.Join(home, ".config", xdgAppName)
|
||||
}
|
||||
|
||||
func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLoginFlags) (*clientauthv1beta1.ExecCredential, error) {
|
||||
func execCredentialForImpersonationProxy(
|
||||
idToken string,
|
||||
conciergeAuthenticatorType string,
|
||||
conciergeNamespace string,
|
||||
conciergeAuthenticatorName string,
|
||||
tokenExpiry metav1.Time,
|
||||
) (*clientauthv1beta1.ExecCredential, error) {
|
||||
// TODO maybe de-dup this with conciergeclient.go
|
||||
var kind string
|
||||
switch strings.ToLower(flags.conciergeAuthenticatorType) {
|
||||
switch strings.ToLower(conciergeAuthenticatorType) {
|
||||
case "webhook":
|
||||
kind = "WebhookAuthenticator"
|
||||
case "jwt":
|
||||
@ -270,18 +276,18 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
|
||||
}
|
||||
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: flags.conciergeNamespace,
|
||||
Namespace: conciergeNamespace,
|
||||
},
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "TokenCredentialRequest",
|
||||
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
|
||||
},
|
||||
Spec: loginv1alpha1.TokenCredentialRequestSpec{
|
||||
Token: token.IDToken.Token, // TODO
|
||||
Token: idToken, // TODO
|
||||
Authenticator: corev1.TypedLocalObjectReference{
|
||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||
Kind: kind,
|
||||
Name: flags.conciergeAuthenticatorName,
|
||||
Name: conciergeAuthenticatorName,
|
||||
},
|
||||
},
|
||||
})
|
||||
@ -298,8 +304,8 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
|
||||
Token: encodedToken,
|
||||
},
|
||||
}
|
||||
if !token.IDToken.Expiry.IsZero() {
|
||||
cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
|
||||
if !tokenExpiry.IsZero() {
|
||||
cred.Status.ExpirationTimestamp = &tokenExpiry
|
||||
}
|
||||
return cred, nil
|
||||
}
|
||||
|
||||
@ -5,22 +5,17 @@ package cmd
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/authentication/v1alpha1"
|
||||
loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
|
||||
"go.pinniped.dev/pkg/conciergeclient"
|
||||
"go.pinniped.dev/pkg/oidcclient/oidctypes"
|
||||
)
|
||||
@ -129,9 +124,10 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
|
||||
}
|
||||
}
|
||||
if concierge != nil && flags.useImpersonationProxy {
|
||||
var nilExpiry metav1.Time
|
||||
// Put the token into a TokenCredentialRequest
|
||||
// put the TokenCredentialRequest in an ExecCredential
|
||||
req, err := execCredentialForImpersonationProxyStatic(token, flags)
|
||||
req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, nilExpiry)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -139,47 +135,3 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
|
||||
}
|
||||
return json.NewEncoder(out).Encode(cred)
|
||||
}
|
||||
|
||||
func execCredentialForImpersonationProxyStatic(token string, flags staticLoginParams) (*clientauthv1beta1.ExecCredential, error) {
|
||||
// TODO maybe de-dup this with conciergeclient.go
|
||||
var kind string
|
||||
switch strings.ToLower(flags.conciergeAuthenticatorType) {
|
||||
case "webhook":
|
||||
kind = "WebhookAuthenticator"
|
||||
case "jwt":
|
||||
kind = "JWTAuthenticator"
|
||||
default:
|
||||
return nil, fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, kind)
|
||||
}
|
||||
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: flags.conciergeNamespace,
|
||||
},
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "TokenCredentialRequest",
|
||||
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
|
||||
},
|
||||
Spec: loginv1alpha1.TokenCredentialRequestSpec{
|
||||
Token: token, // TODO
|
||||
Authenticator: corev1.TypedLocalObjectReference{
|
||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||
Kind: kind,
|
||||
Name: flags.conciergeAuthenticatorName,
|
||||
},
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON)
|
||||
cred := &clientauthv1beta1.ExecCredential{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "ExecCredential",
|
||||
APIVersion: "client.authentication.k8s.io/v1beta1",
|
||||
},
|
||||
Status: &clientauthv1beta1.ExecCredentialStatus{
|
||||
Token: encodedToken,
|
||||
},
|
||||
}
|
||||
return cred, nil
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user