Refactored execCredentialForImpersonationProxy to be shared
This commit is contained in:
parent
2f891b4bfb
commit
12e41d783f
@ -189,7 +189,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
|
|||||||
if concierge != nil && flags.useImpersonationProxy {
|
if concierge != nil && flags.useImpersonationProxy {
|
||||||
// Put the token into a TokenCredentialRequest
|
// Put the token into a TokenCredentialRequest
|
||||||
// put the TokenCredentialRequest in an ExecCredential
|
// put the TokenCredentialRequest in an ExecCredential
|
||||||
req, err := execCredentialForImpersonationProxy(token, flags)
|
req, err := execCredentialForImpersonationProxy(token.IDToken.Token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, token.IDToken.Expiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -257,10 +257,16 @@ func mustGetConfigDir() string {
|
|||||||
return filepath.Join(home, ".config", xdgAppName)
|
return filepath.Join(home, ".config", xdgAppName)
|
||||||
}
|
}
|
||||||
|
|
||||||
func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLoginFlags) (*clientauthv1beta1.ExecCredential, error) {
|
func execCredentialForImpersonationProxy(
|
||||||
|
idToken string,
|
||||||
|
conciergeAuthenticatorType string,
|
||||||
|
conciergeNamespace string,
|
||||||
|
conciergeAuthenticatorName string,
|
||||||
|
tokenExpiry metav1.Time,
|
||||||
|
) (*clientauthv1beta1.ExecCredential, error) {
|
||||||
// TODO maybe de-dup this with conciergeclient.go
|
// TODO maybe de-dup this with conciergeclient.go
|
||||||
var kind string
|
var kind string
|
||||||
switch strings.ToLower(flags.conciergeAuthenticatorType) {
|
switch strings.ToLower(conciergeAuthenticatorType) {
|
||||||
case "webhook":
|
case "webhook":
|
||||||
kind = "WebhookAuthenticator"
|
kind = "WebhookAuthenticator"
|
||||||
case "jwt":
|
case "jwt":
|
||||||
@ -270,18 +276,18 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
|
|||||||
}
|
}
|
||||||
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
|
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: flags.conciergeNamespace,
|
Namespace: conciergeNamespace,
|
||||||
},
|
},
|
||||||
TypeMeta: metav1.TypeMeta{
|
TypeMeta: metav1.TypeMeta{
|
||||||
Kind: "TokenCredentialRequest",
|
Kind: "TokenCredentialRequest",
|
||||||
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
|
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
|
||||||
},
|
},
|
||||||
Spec: loginv1alpha1.TokenCredentialRequestSpec{
|
Spec: loginv1alpha1.TokenCredentialRequestSpec{
|
||||||
Token: token.IDToken.Token, // TODO
|
Token: idToken, // TODO
|
||||||
Authenticator: corev1.TypedLocalObjectReference{
|
Authenticator: corev1.TypedLocalObjectReference{
|
||||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||||
Kind: kind,
|
Kind: kind,
|
||||||
Name: flags.conciergeAuthenticatorName,
|
Name: conciergeAuthenticatorName,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
@ -298,8 +304,8 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
|
|||||||
Token: encodedToken,
|
Token: encodedToken,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
if !token.IDToken.Expiry.IsZero() {
|
if !tokenExpiry.IsZero() {
|
||||||
cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
|
cred.Status.ExpirationTimestamp = &tokenExpiry
|
||||||
}
|
}
|
||||||
return cred, nil
|
return cred, nil
|
||||||
}
|
}
|
||||||
|
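Review bot: The `default:` branch of the authenticator-type switch falls between the second and third hunks of this file (one ends at `case "jwt":`, the next starts at `}`), so the new side never shows it; if it still matches the copy deleted from the static command, it formats `kind` into the `%q` of the "invalid authenticator type" error, and `kind` is always empty in that branch, so the user never sees the value they actually passed. Since this function is now the shared implementation for both login commands, it is worth fixing here by passing `conciergeAuthenticatorType` as the `%q` argument instead of `kind`. The widened signature also takes four consecutive `string` parameters, so a caller that swaps `conciergeNamespace` and `conciergeAuthenticatorName` compiles cleanly; a doc comment on the function would help, e.g. `// execCredentialForImpersonationProxy wraps a TokenCredentialRequest for idToken (namespace, authenticator kind and name as given) in an ExecCredential; a zero tokenExpiry leaves ExpirationTimestamp unset.` The `// TODO` kept on `Token: idToken, // TODO` names nothing that is pending and should either say what it is about or be dropped.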
@ -5,22 +5,17 @@ package cmd
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/base64"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
|
|
||||||
authenticationv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/authentication/v1alpha1"
|
|
||||||
loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
|
|
||||||
"go.pinniped.dev/pkg/conciergeclient"
|
"go.pinniped.dev/pkg/conciergeclient"
|
||||||
"go.pinniped.dev/pkg/oidcclient/oidctypes"
|
"go.pinniped.dev/pkg/oidcclient/oidctypes"
|
||||||
)
|
)
|
||||||
@ -129,9 +124,10 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if concierge != nil && flags.useImpersonationProxy {
|
if concierge != nil && flags.useImpersonationProxy {
|
||||||
|
var nilExpiry metav1.Time
|
||||||
// Put the token into a TokenCredentialRequest
|
// Put the token into a TokenCredentialRequest
|
||||||
// put the TokenCredentialRequest in an ExecCredential
|
// put the TokenCredentialRequest in an ExecCredential
|
||||||
req, err := execCredentialForImpersonationProxyStatic(token, flags)
|
req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, nilExpiry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -139,47 +135,3 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
|
|||||||
}
|
}
|
||||||
return json.NewEncoder(out).Encode(cred)
|
return json.NewEncoder(out).Encode(cred)
|
||||||
}
|
}
|
||||||
|
|
||||||
func execCredentialForImpersonationProxyStatic(token string, flags staticLoginParams) (*clientauthv1beta1.ExecCredential, error) {
|
|
||||||
// TODO maybe de-dup this with conciergeclient.go
|
|
||||||
var kind string
|
|
||||||
switch strings.ToLower(flags.conciergeAuthenticatorType) {
|
|
||||||
case "webhook":
|
|
||||||
kind = "WebhookAuthenticator"
|
|
||||||
case "jwt":
|
|
||||||
kind = "JWTAuthenticator"
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, kind)
|
|
||||||
}
|
|
||||||
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Namespace: flags.conciergeNamespace,
|
|
||||||
},
|
|
||||||
TypeMeta: metav1.TypeMeta{
|
|
||||||
Kind: "TokenCredentialRequest",
|
|
||||||
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
|
|
||||||
},
|
|
||||||
Spec: loginv1alpha1.TokenCredentialRequestSpec{
|
|
||||||
Token: token, // TODO
|
|
||||||
Authenticator: corev1.TypedLocalObjectReference{
|
|
||||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
|
||||||
Kind: kind,
|
|
||||||
Name: flags.conciergeAuthenticatorName,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON)
|
|
||||||
cred := &clientauthv1beta1.ExecCredential{
|
|
||||||
TypeMeta: metav1.TypeMeta{
|
|
||||||
Kind: "ExecCredential",
|
|
||||||
APIVersion: "client.authentication.k8s.io/v1beta1",
|
|
||||||
},
|
|
||||||
Status: &clientauthv1beta1.ExecCredentialStatus{
|
|
||||||
Token: encodedToken,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
return cred, nil
|
|
||||||
}
|
|
||||||
|
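Review bot: `var nilExpiry metav1.Time` at the new call site is a misleading name — a zero `metav1.Time` is not nil, and what the value actually means is that the shared function will skip setting `ExpirationTimestamp` (its `IsZero` check in the other file). Passing the literal and stating the reason reads better: `// a static token has no expiry, so the ExecCredential carries no ExpirationTimestamp` followed by `req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, metav1.Time{})`. As far as I recall, client-go caches an ExecCredential that has no ExpirationTimestamp until the process exits, so this call is where that credential lifetime is decided and deserves the comment. The enclosing runStaticLogin starts before this hunk.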