Merge pull request #128 from mattmoyer/add-idp-selector
Support multiple IDPs by adding IdentityProvider selector to TokenCredentialRequest spec.
This commit is contained in:
commit
3578d7cb9a
@ -3,11 +3,17 @@
|
|||||||
|
|
||||||
package login
|
package login
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string
|
Token string
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference
|
||||||
}
|
}
|
||||||
|
|
||||||
type TokenCredentialRequestStatus struct {
|
type TokenCredentialRequestStatus struct {
|
||||||
|
@ -3,12 +3,18 @@
|
|||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string `json:"token,omitempty"`
|
Token string `json:"token,omitempty"`
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
||||||
|
@ -9,11 +9,14 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
|
|
||||||
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
"go.pinniped.dev/internal/client"
|
"go.pinniped.dev/internal/client"
|
||||||
"go.pinniped.dev/internal/constable"
|
"go.pinniped.dev/internal/constable"
|
||||||
"go.pinniped.dev/internal/here"
|
"go.pinniped.dev/internal/here"
|
||||||
@ -57,6 +60,12 @@ func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchange
|
|||||||
Requires all of the following environment variables, which are
|
Requires all of the following environment variables, which are
|
||||||
typically set in the kubeconfig:
|
typically set in the kubeconfig:
|
||||||
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
|
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
|
||||||
|
- PINNIPED_NAMESPACE: the namespace of the identity provider to authenticate
|
||||||
|
against
|
||||||
|
- PINNIPED_IDP_TYPE: the type of identity provider to authenticate
|
||||||
|
against (e.g., "webhook")
|
||||||
|
- PINNIPED_IDP_NAME: the name of the identity provider to authenticate
|
||||||
|
against
|
||||||
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
||||||
Pinniped's HTTPS endpoint
|
Pinniped's HTTPS endpoint
|
||||||
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
|
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
|
||||||
@ -75,9 +84,19 @@ func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchange
|
|||||||
}
|
}
|
||||||
|
|
||||||
type envGetter func(string) (string, bool)
|
type envGetter func(string) (string, bool)
|
||||||
type tokenExchanger func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error)
|
type tokenExchanger func(
|
||||||
|
ctx context.Context,
|
||||||
|
namespace string,
|
||||||
|
idp corev1.TypedLocalObjectReference,
|
||||||
|
token string,
|
||||||
|
caBundle string,
|
||||||
|
apiEndpoint string,
|
||||||
|
) (*clientauthenticationv1beta1.ExecCredential, error)
|
||||||
|
|
||||||
const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set")
|
const (
|
||||||
|
ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set")
|
||||||
|
ErrInvalidIDPType = constable.Error("invalid IDP type")
|
||||||
|
)
|
||||||
|
|
||||||
func runExchangeCredential(stdout, _ io.Writer) {
|
func runExchangeCredential(stdout, _ io.Writer) {
|
||||||
err := exchangeCredential(os.LookupEnv, client.ExchangeToken, stdout, 30*time.Second)
|
err := exchangeCredential(os.LookupEnv, client.ExchangeToken, stdout, 30*time.Second)
|
||||||
@ -96,6 +115,16 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
|
|||||||
return envVarNotSetError("PINNIPED_NAMESPACE")
|
return envVarNotSetError("PINNIPED_NAMESPACE")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
idpType, varExists := envGetter("PINNIPED_IDP_TYPE")
|
||||||
|
if !varExists {
|
||||||
|
return envVarNotSetError("PINNIPED_IDP_TYPE")
|
||||||
|
}
|
||||||
|
|
||||||
|
idpName, varExists := envGetter("PINNIPED_IDP_NAME")
|
||||||
|
if !varExists {
|
||||||
|
return envVarNotSetError("PINNIPED_IDP_NAME")
|
||||||
|
}
|
||||||
|
|
||||||
token, varExists := envGetter("PINNIPED_TOKEN")
|
token, varExists := envGetter("PINNIPED_TOKEN")
|
||||||
if !varExists {
|
if !varExists {
|
||||||
return envVarNotSetError("PINNIPED_TOKEN")
|
return envVarNotSetError("PINNIPED_TOKEN")
|
||||||
@ -111,7 +140,16 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
|
|||||||
return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
|
return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
|
||||||
}
|
}
|
||||||
|
|
||||||
cred, err := tokenExchanger(ctx, namespace, token, caBundle, apiEndpoint)
|
idp := corev1.TypedLocalObjectReference{Name: idpName}
|
||||||
|
switch strings.ToLower(idpType) {
|
||||||
|
case "webhook":
|
||||||
|
idp.APIGroup = &idpv1alpha1.SchemeGroupVersion.Group
|
||||||
|
idp.Kind = "WebhookIdentityProvider"
|
||||||
|
default:
|
||||||
|
return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
|
||||||
|
}
|
||||||
|
|
||||||
|
cred, err := tokenExchanger(ctx, namespace, idp, token, caBundle, apiEndpoint)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to get credential: %w", err)
|
return fmt.Errorf("failed to get credential: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -14,6 +14,7 @@ import (
|
|||||||
"github.com/sclevine/spec"
|
"github.com/sclevine/spec"
|
||||||
"github.com/sclevine/spec/report"
|
"github.com/sclevine/spec/report"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
|
|
||||||
@ -42,6 +43,12 @@ var (
|
|||||||
Requires all of the following environment variables, which are
|
Requires all of the following environment variables, which are
|
||||||
typically set in the kubeconfig:
|
typically set in the kubeconfig:
|
||||||
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
|
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
|
||||||
|
- PINNIPED_NAMESPACE: the namespace of the identity provider to authenticate
|
||||||
|
against
|
||||||
|
- PINNIPED_IDP_TYPE: the type of identity provider to authenticate
|
||||||
|
against (e.g., "webhook")
|
||||||
|
- PINNIPED_IDP_NAME: the name of the identity provider to authenticate
|
||||||
|
against
|
||||||
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
||||||
Pinniped's HTTPS endpoint
|
Pinniped's HTTPS endpoint
|
||||||
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
|
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
|
||||||
@ -136,6 +143,8 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
buffer = new(bytes.Buffer)
|
buffer = new(bytes.Buffer)
|
||||||
fakeEnv = map[string]string{
|
fakeEnv = map[string]string{
|
||||||
"PINNIPED_NAMESPACE": "namespace from env",
|
"PINNIPED_NAMESPACE": "namespace from env",
|
||||||
|
"PINNIPED_IDP_TYPE": "Webhook",
|
||||||
|
"PINNIPED_IDP_NAME": "webhook name from env",
|
||||||
"PINNIPED_TOKEN": "token from env",
|
"PINNIPED_TOKEN": "token from env",
|
||||||
"PINNIPED_CA_BUNDLE": "ca bundle from env",
|
"PINNIPED_CA_BUNDLE": "ca bundle from env",
|
||||||
"PINNIPED_K8S_API_ENDPOINT": "k8s api from env",
|
"PINNIPED_K8S_API_ENDPOINT": "k8s api from env",
|
||||||
@ -149,6 +158,18 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_NAMESPACE")
|
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_NAMESPACE")
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it("returns an error when PINNIPED_IDP_TYPE is missing", func() {
|
||||||
|
delete(fakeEnv, "PINNIPED_IDP_TYPE")
|
||||||
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
|
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_IDP_TYPE")
|
||||||
|
})
|
||||||
|
|
||||||
|
it("returns an error when PINNIPED_IDP_NAME is missing", func() {
|
||||||
|
delete(fakeEnv, "PINNIPED_IDP_NAME")
|
||||||
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
|
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_IDP_NAME")
|
||||||
|
})
|
||||||
|
|
||||||
it("returns an error when PINNIPED_TOKEN is missing", func() {
|
it("returns an error when PINNIPED_TOKEN is missing", func() {
|
||||||
delete(fakeEnv, "PINNIPED_TOKEN")
|
delete(fakeEnv, "PINNIPED_TOKEN")
|
||||||
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
@ -168,9 +189,17 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("env vars are invalid", func() {
|
||||||
|
it("returns an error when PINNIPED_IDP_TYPE is missing", func() {
|
||||||
|
fakeEnv["PINNIPED_IDP_TYPE"] = "invalid"
|
||||||
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
|
r.EqualError(err, `invalid IDP type: "invalid", supported values are "webhook"`)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
when("the token exchange fails", func() {
|
when("the token exchange fails", func() {
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
return nil, fmt.Errorf("some error")
|
return nil, fmt.Errorf("some error")
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -183,7 +212,7 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
|
|
||||||
when("the JSON encoder fails", func() {
|
when("the JSON encoder fails", func() {
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
return &clientauthenticationv1beta1.ExecCredential{
|
return &clientauthenticationv1beta1.ExecCredential{
|
||||||
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
||||||
Token: "some token",
|
Token: "some token",
|
||||||
@ -200,7 +229,7 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
|
|
||||||
when("the token exchange times out", func() {
|
when("the token exchange times out", func() {
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
select {
|
select {
|
||||||
case <-time.After(100 * time.Millisecond):
|
case <-time.After(100 * time.Millisecond):
|
||||||
return &clientauthenticationv1beta1.ExecCredential{
|
return &clientauthenticationv1beta1.ExecCredential{
|
||||||
@ -224,7 +253,7 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
var actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint string
|
var actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint string
|
||||||
|
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint = namespace, token, caBundle, apiEndpoint
|
actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint = namespace, token, caBundle, apiEndpoint
|
||||||
now := metav1.NewTime(time.Date(2020, 7, 29, 1, 2, 3, 0, time.UTC))
|
now := metav1.NewTime(time.Date(2020, 7, 29, 1, 2, 3, 0, time.UTC))
|
||||||
return &clientauthenticationv1beta1.ExecCredential{
|
return &clientauthenticationv1beta1.ExecCredential{
|
||||||
|
@ -27,51 +27,42 @@ import (
|
|||||||
"go.pinniped.dev/internal/here"
|
"go.pinniped.dev/internal/here"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
getKubeConfigCmdTokenFlagName = "token"
|
|
||||||
getKubeConfigCmdKubeconfigFlagName = "kubeconfig"
|
|
||||||
getKubeConfigCmdKubeconfigContextFlagName = "kubeconfig-context"
|
|
||||||
getKubeConfigCmdPinnipedNamespaceFlagName = "pinniped-namespace"
|
|
||||||
)
|
|
||||||
|
|
||||||
//nolint: gochecknoinits
|
//nolint: gochecknoinits
|
||||||
func init() {
|
func init() {
|
||||||
rootCmd.AddCommand(newGetKubeConfigCmd(os.Args, os.Stdout, os.Stderr).cmd)
|
rootCmd.AddCommand(newGetKubeConfigCommand().Command())
|
||||||
|
}
|
||||||
|
|
||||||
|
type getKubeConfigFlags struct {
|
||||||
|
token string
|
||||||
|
kubeconfig string
|
||||||
|
contextOverride string
|
||||||
|
namespace string
|
||||||
|
idpName string
|
||||||
|
idpType string
|
||||||
}
|
}
|
||||||
|
|
||||||
type getKubeConfigCommand struct {
|
type getKubeConfigCommand struct {
|
||||||
// runFunc is called by the cobra.Command.Run hook. It is included here for
|
flags getKubeConfigFlags
|
||||||
// testability.
|
// Test mocking points
|
||||||
runFunc func(
|
getPathToSelf func() (string, error)
|
||||||
stdout, stderr io.Writer,
|
kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error)
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
)
|
|
||||||
|
|
||||||
// cmd is the cobra.Command for this CLI command. It is included here for
|
|
||||||
// testability.
|
|
||||||
cmd *cobra.Command
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func newGetKubeConfigCmd(args []string, stdout, stderr io.Writer) *getKubeConfigCommand {
|
func newGetKubeConfigCommand() *getKubeConfigCommand {
|
||||||
c := &getKubeConfigCommand{
|
return &getKubeConfigCommand{
|
||||||
runFunc: runGetKubeConfig,
|
flags: getKubeConfigFlags{
|
||||||
}
|
namespace: "pinniped",
|
||||||
|
|
||||||
c.cmd = &cobra.Command{
|
|
||||||
Run: func(cmd *cobra.Command, _ []string) {
|
|
||||||
token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String()
|
|
||||||
kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String()
|
|
||||||
currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String()
|
|
||||||
pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String()
|
|
||||||
c.runFunc(
|
|
||||||
stdout,
|
|
||||||
stderr,
|
|
||||||
token,
|
|
||||||
kubeconfigPathOverride,
|
|
||||||
currentContextOverride,
|
|
||||||
pinnipedInstallationNamespace,
|
|
||||||
)
|
|
||||||
},
|
},
|
||||||
|
getPathToSelf: os.Executable,
|
||||||
|
kubeClientCreator: func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedclientset.NewForConfig(restConfig)
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *getKubeConfigCommand) Command() *cobra.Command {
|
||||||
|
cmd := &cobra.Command{
|
||||||
|
RunE: c.run,
|
||||||
Args: cobra.NoArgs, // do not accept positional arguments for this command
|
Args: cobra.NoArgs, // do not accept positional arguments for this command
|
||||||
Use: "get-kubeconfig",
|
Use: "get-kubeconfig",
|
||||||
Short: "Print a kubeconfig for authenticating into a cluster via Pinniped",
|
Short: "Print a kubeconfig for authenticating into a cluster via Pinniped",
|
||||||
@ -93,94 +84,50 @@ func newGetKubeConfigCmd(args []string, stdout, stderr io.Writer) *getKubeConfig
|
|||||||
kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods
|
kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods
|
||||||
`),
|
`),
|
||||||
}
|
}
|
||||||
|
cmd.Flags().StringVar(&c.flags.token, "token", "", "Credential to include in the resulting kubeconfig output (Required)")
|
||||||
c.cmd.SetArgs(args)
|
err := cmd.MarkFlagRequired("token")
|
||||||
c.cmd.SetOut(stdout)
|
|
||||||
c.cmd.SetErr(stderr)
|
|
||||||
|
|
||||||
c.cmd.Flags().StringP(
|
|
||||||
getKubeConfigCmdTokenFlagName,
|
|
||||||
"",
|
|
||||||
"",
|
|
||||||
"Credential to include in the resulting kubeconfig output (Required)",
|
|
||||||
)
|
|
||||||
err := c.cmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
cmd.Flags().StringVar(&c.flags.kubeconfig, "kubeconfig", c.flags.kubeconfig, "Path to the kubeconfig file")
|
||||||
c.cmd.Flags().StringP(
|
cmd.Flags().StringVar(&c.flags.contextOverride, "kubeconfig-context", c.flags.contextOverride, "Kubeconfig context override")
|
||||||
getKubeConfigCmdKubeconfigFlagName,
|
cmd.Flags().StringVar(&c.flags.namespace, "pinniped-namespace", c.flags.namespace, "Namespace in which Pinniped was installed")
|
||||||
"",
|
cmd.Flags().StringVar(&c.flags.idpType, "idp-type", c.flags.idpType, "Identity provider type (e.g., 'webhook')")
|
||||||
"",
|
cmd.Flags().StringVar(&c.flags.idpName, "idp-name", c.flags.idpType, "Identity provider name")
|
||||||
"Path to the kubeconfig file",
|
return cmd
|
||||||
)
|
|
||||||
|
|
||||||
c.cmd.Flags().StringP(
|
|
||||||
getKubeConfigCmdKubeconfigContextFlagName,
|
|
||||||
"",
|
|
||||||
"",
|
|
||||||
"Kubeconfig context override",
|
|
||||||
)
|
|
||||||
|
|
||||||
c.cmd.Flags().StringP(
|
|
||||||
getKubeConfigCmdPinnipedNamespaceFlagName,
|
|
||||||
"",
|
|
||||||
"pinniped",
|
|
||||||
"Namespace in which Pinniped was installed",
|
|
||||||
)
|
|
||||||
|
|
||||||
return c
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func runGetKubeConfig(
|
func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
|
||||||
stdout, stderr io.Writer,
|
fullPathToSelf, err := c.getPathToSelf()
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
err := getKubeConfig(
|
|
||||||
stdout,
|
|
||||||
stderr,
|
|
||||||
token,
|
|
||||||
kubeconfigPathOverride,
|
|
||||||
currentContextOverride,
|
|
||||||
pinnipedInstallationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
return pinnipedclientset.NewForConfig(restConfig)
|
|
||||||
},
|
|
||||||
)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
_, _ = fmt.Fprintf(os.Stderr, "error: %s\n", err.Error())
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func getKubeConfig(
|
|
||||||
outputWriter io.Writer,
|
|
||||||
warningsWriter io.Writer,
|
|
||||||
token string,
|
|
||||||
kubeconfigPathOverride string,
|
|
||||||
currentContextNameOverride string,
|
|
||||||
pinnipedInstallationNamespace string,
|
|
||||||
kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error),
|
|
||||||
) error {
|
|
||||||
if token == "" {
|
|
||||||
return constable.Error("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty")
|
|
||||||
}
|
|
||||||
|
|
||||||
fullPathToSelf, err := os.Executable()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("could not find path to self: %w", err)
|
return fmt.Errorf("could not find path to self: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
clientConfig := newClientConfig(kubeconfigPathOverride, currentContextNameOverride)
|
clientConfig := newClientConfig(c.flags.kubeconfig, c.flags.contextOverride)
|
||||||
|
|
||||||
currentKubeConfig, err := clientConfig.RawConfig()
|
currentKubeConfig, err := clientConfig.RawConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientConfig, kubeClientCreator, pinnipedInstallationNamespace)
|
restConfig, err := clientConfig.ClientConfig()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
clientset, err := c.kubeClientCreator(restConfig)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
idpType, idpName := c.flags.idpType, c.flags.idpName
|
||||||
|
if idpType == "" || idpName == "" {
|
||||||
|
idpType, idpName, err = getDefaultIDP(clientset, c.flags.namespace)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientset, c.flags.namespace)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -189,19 +136,19 @@ func getKubeConfig(
|
|||||||
return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
|
return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
|
||||||
}
|
}
|
||||||
|
|
||||||
v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, currentContextNameOverride)
|
v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, c.flags.contextOverride)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, warningsWriter)
|
err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, cmd.ErrOrStderr())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, token, pinnipedInstallationNamespace)
|
config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, c.flags.token, c.flags.namespace, idpType, idpName)
|
||||||
|
|
||||||
err = writeConfigAsYAML(outputWriter, config)
|
err = writeConfigAsYAML(cmd.OutOrStdout(), config)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -224,16 +171,46 @@ func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuer
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func fetchPinnipedCredentialIssuerConfig(clientConfig clientcmd.ClientConfig, kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuerConfig, error) {
|
type noIDPError struct{ Namespace string }
|
||||||
restConfig, err := clientConfig.ClientConfig()
|
|
||||||
|
func (e noIDPError) Error() string {
|
||||||
|
return fmt.Sprintf(`no identity providers were found in namespace %q`, e.Namespace)
|
||||||
|
}
|
||||||
|
|
||||||
|
type indeterminateIDPError struct{ Namespace string }
|
||||||
|
|
||||||
|
func (e indeterminateIDPError) Error() string {
|
||||||
|
return fmt.Sprintf(
|
||||||
|
`multiple identity providers were found in namespace %q, so --pinniped-idp-name/--pinniped-idp-type must be specified`,
|
||||||
|
e.Namespace,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (string, string, error) {
|
||||||
|
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
|
||||||
|
defer cancelFunc()
|
||||||
|
|
||||||
|
webhooks, err := clientset.IDPV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return "", "", err
|
||||||
}
|
|
||||||
clientset, err := kubeClientCreator(restConfig)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ref struct{ idpType, idpName string }
|
||||||
|
idps := make([]ref, 0, len(webhooks.Items))
|
||||||
|
for _, webhook := range webhooks.Items {
|
||||||
|
idps = append(idps, ref{idpType: "webhook", idpName: webhook.Name})
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(idps) == 0 {
|
||||||
|
return "", "", noIDPError{namespace}
|
||||||
|
}
|
||||||
|
if len(idps) > 1 {
|
||||||
|
return "", "", indeterminateIDPError{namespace}
|
||||||
|
}
|
||||||
|
return idps[0].idpType, idps[0].idpName, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func fetchPinnipedCredentialIssuerConfig(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuerConfig, error) {
|
||||||
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
|
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
|
||||||
defer cancelFunc()
|
defer cancelFunc()
|
||||||
|
|
||||||
@ -303,7 +280,7 @@ func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Con
|
|||||||
return v1Cluster, nil
|
return v1Cluster, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string, namespace string) v1.Config {
|
func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string, namespace string, idpType string, idpName string) v1.Config {
|
||||||
clusterName := "pinniped-cluster"
|
clusterName := "pinniped-cluster"
|
||||||
userName := "pinniped-user"
|
userName := "pinniped-user"
|
||||||
|
|
||||||
@ -349,6 +326,14 @@ func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token st
|
|||||||
Name: "PINNIPED_TOKEN",
|
Name: "PINNIPED_TOKEN",
|
||||||
Value: token,
|
Value: token,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Name: "PINNIPED_IDP_TYPE",
|
||||||
|
Value: idpType,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "PINNIPED_IDP_NAME",
|
||||||
|
Value: idpName,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
|
APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
|
||||||
InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" +
|
InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" +
|
||||||
|
@ -7,18 +7,18 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"strings"
|
||||||
"os"
|
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/sclevine/spec"
|
"github.com/spf13/cobra"
|
||||||
"github.com/sclevine/spec/report"
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
|
coretesting "k8s.io/client-go/testing"
|
||||||
|
|
||||||
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
|
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
|
||||||
|
idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
||||||
pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
|
pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
|
||||||
"go.pinniped.dev/internal/here"
|
"go.pinniped.dev/internal/here"
|
||||||
@ -31,6 +31,8 @@ var (
|
|||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
-h, --help help for get-kubeconfig
|
-h, --help help for get-kubeconfig
|
||||||
|
--idp-name string Identity provider name
|
||||||
|
--idp-type string Identity provider type (e.g., 'webhook')
|
||||||
--kubeconfig string Path to the kubeconfig file
|
--kubeconfig string Path to the kubeconfig file
|
||||||
--kubeconfig-context string Kubeconfig context override
|
--kubeconfig-context string Kubeconfig context override
|
||||||
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
|
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
|
||||||
@ -60,6 +62,8 @@ var (
|
|||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
-h, --help help for get-kubeconfig
|
-h, --help help for get-kubeconfig
|
||||||
|
--idp-name string Identity provider name
|
||||||
|
--idp-type string Identity provider type (e.g., 'webhook')
|
||||||
--kubeconfig string Path to the kubeconfig file
|
--kubeconfig string Path to the kubeconfig file
|
||||||
--kubeconfig-context string Kubeconfig context override
|
--kubeconfig-context string Kubeconfig context override
|
||||||
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
|
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
|
||||||
@ -68,149 +72,62 @@ var (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func TestNewGetKubeConfigCmd(t *testing.T) {
|
func TestNewGetKubeConfigCmd(t *testing.T) {
|
||||||
spec.Run(t, "newGetKubeConfigCmd", func(t *testing.T, when spec.G, it spec.S) {
|
t.Parallel()
|
||||||
var r *require.Assertions
|
tests := []struct {
|
||||||
var stdout, stderr *bytes.Buffer
|
name string
|
||||||
|
args []string
|
||||||
|
wantError bool
|
||||||
|
wantStdout string
|
||||||
|
wantStderr string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "help flag passed",
|
||||||
|
args: []string{"--help"},
|
||||||
|
wantStdout: knownGoodHelpForGetKubeConfig,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "missing required flag",
|
||||||
|
args: []string{},
|
||||||
|
wantError: true,
|
||||||
|
wantStdout: `Error: required flag(s) "token" not set` + "\n" + knownGoodUsageForGetKubeConfig,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
tt := tt
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
cmd := newGetKubeConfigCommand().Command()
|
||||||
|
require.NotNil(t, cmd)
|
||||||
|
|
||||||
it.Before(func() {
|
var stdout, stderr bytes.Buffer
|
||||||
r = require.New(t)
|
cmd.SetOut(&stdout)
|
||||||
|
cmd.SetErr(&stderr)
|
||||||
stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})
|
cmd.SetArgs(tt.args)
|
||||||
|
err := cmd.Execute()
|
||||||
|
if tt.wantError {
|
||||||
|
require.Error(t, err)
|
||||||
|
} else {
|
||||||
|
require.NoError(t, err)
|
||||||
|
}
|
||||||
|
require.Equal(t, tt.wantStdout, stdout.String(), "unexpected stdout")
|
||||||
|
require.Equal(t, tt.wantStderr, stderr.String(), "unexpected stderr")
|
||||||
})
|
})
|
||||||
|
}
|
||||||
it("passes all flags to runFunc", func() {
|
|
||||||
args := []string{
|
|
||||||
"--token", "some-token",
|
|
||||||
"--kubeconfig", "some-kubeconfig",
|
|
||||||
"--kubeconfig-context", "some-kubeconfig-context",
|
|
||||||
"--pinniped-namespace", "some-pinniped-namespace",
|
|
||||||
}
|
|
||||||
c := newGetKubeConfigCmd(args, stdout, stderr)
|
|
||||||
|
|
||||||
runFuncCalled := false
|
|
||||||
c.runFunc = func(
|
|
||||||
out, err io.Writer,
|
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
runFuncCalled = true
|
|
||||||
r.Equal("some-token", token)
|
|
||||||
r.Equal("some-kubeconfig", kubeconfigPathOverride)
|
|
||||||
r.Equal("some-kubeconfig-context", currentContextOverride)
|
|
||||||
r.Equal("some-pinniped-namespace", pinnipedInstallationNamespace)
|
|
||||||
}
|
|
||||||
|
|
||||||
r.NoError(c.cmd.Execute())
|
|
||||||
r.True(runFuncCalled)
|
|
||||||
r.Empty(stdout.String())
|
|
||||||
r.Empty(stderr.String())
|
|
||||||
})
|
|
||||||
|
|
||||||
it("requires the 'token' flag", func() {
|
|
||||||
args := []string{
|
|
||||||
"--kubeconfig", "some-kubeconfig",
|
|
||||||
"--kubeconfig-context", "some-kubeconfig-context",
|
|
||||||
"--pinniped-namespace", "some-pinniped-namespace",
|
|
||||||
}
|
|
||||||
c := newGetKubeConfigCmd(args, stdout, stderr)
|
|
||||||
|
|
||||||
runFuncCalled := false
|
|
||||||
c.runFunc = func(
|
|
||||||
out, err io.Writer,
|
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
runFuncCalled = true
|
|
||||||
}
|
|
||||||
|
|
||||||
errorMessage := `required flag(s) "token" not set`
|
|
||||||
r.EqualError(c.cmd.Execute(), errorMessage)
|
|
||||||
r.False(runFuncCalled)
|
|
||||||
|
|
||||||
output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig
|
|
||||||
r.Equal(output, stdout.String())
|
|
||||||
r.Empty(stderr.String())
|
|
||||||
})
|
|
||||||
|
|
||||||
it("defaults the flags correctly", func() {
|
|
||||||
args := []string{
|
|
||||||
"--token", "some-token",
|
|
||||||
}
|
|
||||||
c := newGetKubeConfigCmd(args, stdout, stderr)
|
|
||||||
|
|
||||||
runFuncCalled := false
|
|
||||||
c.runFunc = func(
|
|
||||||
out, err io.Writer,
|
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
runFuncCalled = true
|
|
||||||
r.Equal("some-token", token)
|
|
||||||
r.Equal("", kubeconfigPathOverride)
|
|
||||||
r.Equal("", currentContextOverride)
|
|
||||||
r.Equal("pinniped", pinnipedInstallationNamespace)
|
|
||||||
}
|
|
||||||
|
|
||||||
r.NoError(c.cmd.Execute())
|
|
||||||
r.True(runFuncCalled)
|
|
||||||
r.Empty(stdout.String())
|
|
||||||
r.Empty(stderr.String())
|
|
||||||
})
|
|
||||||
|
|
||||||
it("fails when args are passed", func() {
|
|
||||||
args := []string{
|
|
||||||
"--token", "some-token",
|
|
||||||
"some-arg",
|
|
||||||
}
|
|
||||||
c := newGetKubeConfigCmd(args, stdout, stderr)
|
|
||||||
|
|
||||||
runFuncCalled := false
|
|
||||||
c.runFunc = func(
|
|
||||||
out, err io.Writer,
|
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
runFuncCalled = true
|
|
||||||
}
|
|
||||||
|
|
||||||
errorMessage := `unknown command "some-arg" for "get-kubeconfig"`
|
|
||||||
r.EqualError(c.cmd.Execute(), errorMessage)
|
|
||||||
r.False(runFuncCalled)
|
|
||||||
|
|
||||||
output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig
|
|
||||||
r.Equal(output, stdout.String())
|
|
||||||
r.Empty(stderr.String())
|
|
||||||
})
|
|
||||||
|
|
||||||
it("prints a nice help message", func() {
|
|
||||||
args := []string{
|
|
||||||
"--help",
|
|
||||||
}
|
|
||||||
c := newGetKubeConfigCmd(args, stdout, stderr)
|
|
||||||
|
|
||||||
runFuncCalled := false
|
|
||||||
c.runFunc = func(
|
|
||||||
out, err io.Writer,
|
|
||||||
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
|
|
||||||
) {
|
|
||||||
runFuncCalled = true
|
|
||||||
}
|
|
||||||
|
|
||||||
r.NoError(c.cmd.Execute())
|
|
||||||
r.False(runFuncCalled)
|
|
||||||
r.Equal(knownGoodHelpForGetKubeConfig, stdout.String())
|
|
||||||
r.Empty(stderr.String())
|
|
||||||
})
|
|
||||||
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func expectedKubeconfigYAML(
|
type expectedKubeconfigYAML struct {
|
||||||
clusterCAData,
|
clusterCAData string
|
||||||
clusterServer,
|
clusterServer string
|
||||||
command,
|
command string
|
||||||
// nolint: unparam // Pass in the token even if it is always the same in practice
|
token string
|
||||||
token,
|
pinnipedEndpoint string
|
||||||
pinnipedEndpoint,
|
pinnipedCABundle string
|
||||||
pinnipedCABundle,
|
namespace string
|
||||||
// nolint: unparam // Pass in the namespace even if it is always the same in practice
|
idpType string
|
||||||
namespace string,
|
idpName string
|
||||||
) string {
|
}
|
||||||
|
|
||||||
|
func (e expectedKubeconfigYAML) String() string {
|
||||||
return here.Docf(`
|
return here.Docf(`
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
@ -243,19 +160,17 @@ func expectedKubeconfigYAML(
|
|||||||
value: %s
|
value: %s
|
||||||
- name: PINNIPED_TOKEN
|
- name: PINNIPED_TOKEN
|
||||||
value: %s
|
value: %s
|
||||||
|
- name: PINNIPED_IDP_TYPE
|
||||||
|
value: %s
|
||||||
|
- name: PINNIPED_IDP_NAME
|
||||||
|
value: %s
|
||||||
installHint: |-
|
installHint: |-
|
||||||
The Pinniped CLI is required to authenticate to the current cluster.
|
The Pinniped CLI is required to authenticate to the current cluster.
|
||||||
For more information, please visit https://pinniped.dev
|
For more information, please visit https://pinniped.dev
|
||||||
`, clusterCAData, clusterServer, command, pinnipedEndpoint, pinnipedCABundle, namespace, token)
|
`, e.clusterCAData, e.clusterServer, e.command, e.pinnipedEndpoint, e.pinnipedCABundle, e.namespace, e.token, e.idpType, e.idpName)
|
||||||
}
|
}
|
||||||
|
|
||||||
func newCredentialIssuerConfig(
|
func newCredentialIssuerConfig(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuerConfig {
|
||||||
name,
|
|
||||||
//nolint: unparam // Pass in the namespace even if it is always the same in practice
|
|
||||||
namespace,
|
|
||||||
server,
|
|
||||||
certificateAuthorityData string,
|
|
||||||
) *configv1alpha1.CredentialIssuerConfig {
|
|
||||||
return &configv1alpha1.CredentialIssuerConfig{
|
return &configv1alpha1.CredentialIssuerConfig{
|
||||||
TypeMeta: metav1.TypeMeta{
|
TypeMeta: metav1.TypeMeta{
|
||||||
Kind: "CredentialIssuerConfig",
|
Kind: "CredentialIssuerConfig",
|
||||||
@ -274,439 +189,213 @@ func newCredentialIssuerConfig(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestGetKubeConfig(t *testing.T) {
|
func TestRun(t *testing.T) {
|
||||||
spec.Run(t, "cmd.getKubeConfig", func(t *testing.T, when spec.G, it spec.S) {
|
t.Parallel()
|
||||||
var r *require.Assertions
|
tests := []struct {
|
||||||
var outputBuffer *bytes.Buffer
|
name string
|
||||||
var warningsBuffer *bytes.Buffer
|
mocks func(*getKubeConfigCommand)
|
||||||
var fullPathToSelf string
|
wantError string
|
||||||
var pinnipedClient *pinnipedfake.Clientset
|
wantStdout string
|
||||||
const installationNamespace = "some-namespace"
|
wantStderr string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "failure to get path to self",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.getPathToSelf = func() (string, error) {
|
||||||
|
return "", fmt.Errorf("some error getting path to self")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: "could not find path to self: some error getting path to self",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "kubeconfig does not exist",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.flags.kubeconfig = "./testdata/does-not-exist.yaml"
|
||||||
|
},
|
||||||
|
wantError: "stat ./testdata/does-not-exist.yaml: no such file or directory",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "fail to get client",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return nil, fmt.Errorf("some error configuring clientset")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: "some error configuring clientset",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "fail to get IDPs",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.flags.idpName = ""
|
||||||
|
cmd.flags.idpType = ""
|
||||||
|
clientset := pinnipedfake.NewSimpleClientset()
|
||||||
|
clientset.PrependReactor("*", "*", func(_ coretesting.Action) (bool, runtime.Object, error) {
|
||||||
|
return true, nil, fmt.Errorf("some error getting IDPs")
|
||||||
|
})
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return clientset, nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: "some error getting IDPs",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "zero IDPs",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.flags.idpName = ""
|
||||||
|
cmd.flags.idpType = ""
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `no identity providers were found in namespace "test-namespace"`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple IDPs",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.flags.idpName = ""
|
||||||
|
cmd.flags.idpType = ""
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(
|
||||||
|
&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
|
||||||
|
&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
|
||||||
|
), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `multiple identity providers were found in namespace "test-namespace", so --pinniped-idp-name/--pinniped-idp-type must be specified`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "fail to get CredentialIssuerConfigs",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
clientset := pinnipedfake.NewSimpleClientset()
|
||||||
|
clientset.PrependReactor("*", "*", func(_ coretesting.Action) (bool, runtime.Object, error) {
|
||||||
|
return true, nil, fmt.Errorf("some error getting CredentialIssuerConfigs")
|
||||||
|
})
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return clientset, nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: "some error getting CredentialIssuerConfigs",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "zero CredentialIssuerConfigs found",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(
|
||||||
|
newCredentialIssuerConfig("pinniped-config-1", "not-the-test-namespace", "", ""),
|
||||||
|
), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `No CredentialIssuerConfig was found in namespace "test-namespace". Is Pinniped installed on this cluster in namespace "test-namespace"?`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple CredentialIssuerConfigs found",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(
|
||||||
|
newCredentialIssuerConfig("pinniped-config-1", "test-namespace", "", ""),
|
||||||
|
newCredentialIssuerConfig("pinniped-config-2", "test-namespace", "", ""),
|
||||||
|
), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `More than one CredentialIssuerConfig was found in namespace "test-namespace"`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "CredentialIssuerConfig missing KubeConfigInfo",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "", "")
|
||||||
|
cic.Status.KubeConfigInfo = nil
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(cic), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "KubeConfigInfo has invalid base64",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "")
|
||||||
|
cic.Status.KubeConfigInfo.CertificateAuthorityData = "invalid-base64-test-ca"
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(cic), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantError: `illegal base64 data at input byte 7`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "success using remote CA data",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://fake-server-url-value", "fake-certificate-authority-data-value")
|
||||||
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
|
return pinnipedfake.NewSimpleClientset(cic), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantStdout: expectedKubeconfigYAML{
|
||||||
|
clusterCAData: "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
|
||||||
|
clusterServer: "https://fake-server-url-value",
|
||||||
|
command: "/path/to/pinniped",
|
||||||
|
token: "test-token",
|
||||||
|
pinnipedEndpoint: "https://fake-server-url-value",
|
||||||
|
pinnipedCABundle: "fake-certificate-authority-data-value",
|
||||||
|
namespace: "test-namespace",
|
||||||
|
idpType: "test-idp-type",
|
||||||
|
idpName: "test-idp-name",
|
||||||
|
}.String(),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "success using local CA data and discovered IDP",
|
||||||
|
mocks: func(cmd *getKubeConfigCommand) {
|
||||||
|
cmd.flags.idpName = ""
|
||||||
|
cmd.flags.idpType = ""
|
||||||
|
|
||||||
it.Before(func() {
|
cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
|
||||||
r = require.New(t)
|
return pinnipedfake.NewSimpleClientset(
|
||||||
|
&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
|
||||||
|
newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
|
||||||
|
), nil
|
||||||
|
}
|
||||||
|
},
|
||||||
|
wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.`,
|
||||||
|
wantStdout: expectedKubeconfigYAML{
|
||||||
|
clusterCAData: "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
|
||||||
|
clusterServer: "https://fake-server-url-value",
|
||||||
|
command: "/path/to/pinniped",
|
||||||
|
token: "test-token",
|
||||||
|
pinnipedEndpoint: "https://fake-server-url-value",
|
||||||
|
pinnipedCABundle: "fake-certificate-authority-data-value",
|
||||||
|
namespace: "test-namespace",
|
||||||
|
idpType: "webhook",
|
||||||
|
idpName: "discovered-idp",
|
||||||
|
}.String(),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
tt := tt
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
outputBuffer = new(bytes.Buffer)
|
// Start with a default getKubeConfigCommand, set some defaults, then apply any mocks.
|
||||||
warningsBuffer = new(bytes.Buffer)
|
c := newGetKubeConfigCommand()
|
||||||
|
c.flags.token = "test-token"
|
||||||
|
c.flags.namespace = "test-namespace"
|
||||||
|
c.flags.idpName = "test-idp-name"
|
||||||
|
c.flags.idpType = "test-idp-type"
|
||||||
|
c.getPathToSelf = func() (string, error) { return "/path/to/pinniped", nil }
|
||||||
|
c.flags.kubeconfig = "./testdata/kubeconfig.yaml"
|
||||||
|
tt.mocks(c)
|
||||||
|
|
||||||
var err error
|
cmd := &cobra.Command{}
|
||||||
fullPathToSelf, err = os.Executable()
|
var stdout, stderr bytes.Buffer
|
||||||
r.NoError(err)
|
cmd.SetOut(&stdout)
|
||||||
|
cmd.SetErr(&stderr)
|
||||||
pinnipedClient = pinnipedfake.NewSimpleClientset()
|
cmd.SetArgs([]string{})
|
||||||
|
err := c.run(cmd, []string{})
|
||||||
|
if tt.wantError != "" {
|
||||||
|
require.EqualError(t, err, tt.wantError)
|
||||||
|
} else {
|
||||||
|
require.NoError(t, err)
|
||||||
|
}
|
||||||
|
require.Equal(t, strings.TrimSpace(tt.wantStdout), strings.TrimSpace(stdout.String()), "unexpected stdout")
|
||||||
|
require.Equal(t, strings.TrimSpace(tt.wantStderr), strings.TrimSpace(stderr.String()), "unexpected stderr")
|
||||||
})
|
})
|
||||||
|
}
|
||||||
when("the CredentialIssuerConfig is found on the cluster with a configuration that matches the existing kubeconfig", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
r.NoError(pinnipedClient.Tracker().Add(
|
|
||||||
newCredentialIssuerConfig(
|
|
||||||
"some-cic-name",
|
|
||||||
installationNamespace,
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
),
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("writes the kubeconfig to the given writer", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.NoError(err)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Equal(expectedKubeconfigYAML(
|
|
||||||
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
fullPathToSelf,
|
|
||||||
"some-token",
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
installationNamespace,
|
|
||||||
), outputBuffer.String())
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the currentContextOverride is used to specify a context other than the default context", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
// update the Server and CertificateAuthorityData to make them match the other kubeconfig context
|
|
||||||
r.NoError(pinnipedClient.Tracker().Update(
|
|
||||||
schema.GroupVersionResource{
|
|
||||||
Group: configv1alpha1.GroupName,
|
|
||||||
Version: configv1alpha1.SchemeGroupVersion.Version,
|
|
||||||
Resource: "credentialissuerconfigs",
|
|
||||||
},
|
|
||||||
newCredentialIssuerConfig(
|
|
||||||
"some-cic-name",
|
|
||||||
installationNamespace,
|
|
||||||
"https://some-other-fake-server-url-value",
|
|
||||||
"some-other-fake-certificate-authority-data-value",
|
|
||||||
),
|
|
||||||
installationNamespace,
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
when("that context exists", func() {
|
|
||||||
it("writes the kubeconfig to the given writer using the specified context", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"some-other-context",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://some-other-fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("some-other-fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.NoError(err)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Equal(expectedKubeconfigYAML(
|
|
||||||
base64.StdEncoding.EncodeToString([]byte("some-other-fake-certificate-authority-data-value")),
|
|
||||||
"https://some-other-fake-server-url-value",
|
|
||||||
fullPathToSelf,
|
|
||||||
"some-token",
|
|
||||||
"https://some-other-fake-server-url-value",
|
|
||||||
"some-other-fake-certificate-authority-data-value",
|
|
||||||
installationNamespace,
|
|
||||||
), outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("that context does not exist the in the current kubeconfig", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"this-context-name-does-not-exist-in-kubeconfig.yaml",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
|
|
||||||
)
|
|
||||||
r.EqualError(err, `context "this-context-name-does-not-exist-in-kubeconfig.yaml" does not exist`)
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the token passed in is empty", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
|
|
||||||
)
|
|
||||||
r.EqualError(err, "--token flag value cannot be empty")
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the kubeconfig path passed refers to a file that does not exist", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/this-file-does-not-exist.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
|
|
||||||
)
|
|
||||||
r.EqualError(err, "stat ./testdata/this-file-does-not-exist.yaml: no such file or directory")
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the kubeconfig path parameter is empty", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
// Note that this is technically polluting other parallel tests in this file, but other tests
|
|
||||||
// are always specifying the kubeconfigPathOverride parameter, so they're not actually looking
|
|
||||||
// at the value of this environment variable.
|
|
||||||
r.NoError(os.Setenv("KUBECONFIG", "./testdata/kubeconfig.yaml"))
|
|
||||||
})
|
|
||||||
|
|
||||||
it.After(func() {
|
|
||||||
r.NoError(os.Unsetenv("KUBECONFIG"))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("falls back to using the KUBECONFIG env var to find the kubeconfig file", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.NoError(err)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Equal(expectedKubeconfigYAML(
|
|
||||||
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
fullPathToSelf,
|
|
||||||
"some-token",
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
installationNamespace,
|
|
||||||
), outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the wrong pinniped namespace is passed in", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
"this-is-the-wrong-namespace",
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.EqualError(err, `No CredentialIssuerConfig was found in namespace "this-is-the-wrong-namespace". Is Pinniped installed on this cluster in namespace "this-is-the-wrong-namespace"?`)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("there is more than one CredentialIssuerConfig is found on the cluster", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
r.NoError(pinnipedClient.Tracker().Add(
|
|
||||||
newCredentialIssuerConfig(
|
|
||||||
"another-cic-name",
|
|
||||||
installationNamespace,
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
),
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("returns an error", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.EqualError(err, `More than one CredentialIssuerConfig was found in namespace "some-namespace"`)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
})
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the CredentialIssuerConfig is found on the cluster with a configuration that does not match the existing kubeconfig", func() {
|
|
||||||
when("the Server doesn't match", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
r.NoError(pinnipedClient.Tracker().Add(
|
|
||||||
newCredentialIssuerConfig(
|
|
||||||
"some-cic-name",
|
|
||||||
installationNamespace,
|
|
||||||
"non-matching-pinniped-server-url",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
),
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.NoError(err)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
|
|
||||||
r.Equal(
|
|
||||||
"WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n",
|
|
||||||
warningsBuffer.String(),
|
|
||||||
)
|
|
||||||
r.Equal(expectedKubeconfigYAML(
|
|
||||||
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
fullPathToSelf,
|
|
||||||
"some-token",
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
installationNamespace,
|
|
||||||
), outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the CA doesn't match", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
r.NoError(pinnipedClient.Tracker().Add(
|
|
||||||
newCredentialIssuerConfig(
|
|
||||||
"some-cic-name",
|
|
||||||
installationNamespace,
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"non-matching-certificate-authority-data-value",
|
|
||||||
),
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.NoError(err)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
|
|
||||||
r.Equal(
|
|
||||||
"WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n",
|
|
||||||
warningsBuffer.String(),
|
|
||||||
)
|
|
||||||
r.Equal(expectedKubeconfigYAML(
|
|
||||||
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
fullPathToSelf,
|
|
||||||
"some-token",
|
|
||||||
"https://fake-server-url-value",
|
|
||||||
"fake-certificate-authority-data-value",
|
|
||||||
installationNamespace,
|
|
||||||
), outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the CredentialIssuerConfig is found on the cluster with an empty KubeConfigInfo", func() {
|
|
||||||
it.Before(func() {
|
|
||||||
r.NoError(pinnipedClient.Tracker().Add(
|
|
||||||
&configv1alpha1.CredentialIssuerConfig{
|
|
||||||
TypeMeta: metav1.TypeMeta{
|
|
||||||
Kind: "CredentialIssuerConfig",
|
|
||||||
APIVersion: configv1alpha1.SchemeGroupVersion.String(),
|
|
||||||
},
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: "pinniped-config",
|
|
||||||
Namespace: installationNamespace,
|
|
||||||
},
|
|
||||||
Status: configv1alpha1.CredentialIssuerConfigStatus{},
|
|
||||||
},
|
|
||||||
))
|
|
||||||
})
|
|
||||||
|
|
||||||
it("returns an error", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("the CredentialIssuerConfig does not exist on the cluster", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
kubeClientCreatorFuncWasCalled := false
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
kubeClientCreatorFuncWasCalled = true
|
|
||||||
r.Equal("https://fake-server-url-value", restConfig.Host)
|
|
||||||
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
|
|
||||||
return pinnipedClient, nil
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.True(kubeClientCreatorFuncWasCalled)
|
|
||||||
r.EqualError(err, `No CredentialIssuerConfig was found in namespace "some-namespace". Is Pinniped installed on this cluster in namespace "some-namespace"?`)
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
|
|
||||||
when("there is an error while getting the CredentialIssuerConfig from the cluster", func() {
|
|
||||||
it("returns an error", func() {
|
|
||||||
err := getKubeConfig(outputBuffer,
|
|
||||||
warningsBuffer,
|
|
||||||
"some-token",
|
|
||||||
"./testdata/kubeconfig.yaml",
|
|
||||||
"",
|
|
||||||
installationNamespace,
|
|
||||||
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
|
|
||||||
return nil, fmt.Errorf("some error getting CredentialIssuerConfig")
|
|
||||||
},
|
|
||||||
)
|
|
||||||
r.EqualError(err, "some error getting CredentialIssuerConfig")
|
|
||||||
r.Empty(warningsBuffer.String())
|
|
||||||
r.Empty(outputBuffer.String())
|
|
||||||
})
|
|
||||||
})
|
|
||||||
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
|
||||||
}
|
}
|
||||||
|
@ -21,10 +21,6 @@ image_tag: latest
|
|||||||
#! Optional.
|
#! Optional.
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
#! Configure a webhook identity provider.
|
|
||||||
webhook_url: #! e.g., https://example.com
|
|
||||||
webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
|
|
||||||
|
|
||||||
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
||||||
#! This settings allows the guess to be overridden.
|
#! This settings allows the guess to be overridden.
|
||||||
#! Optional.
|
#! Optional.
|
||||||
|
@ -1,16 +0,0 @@
|
|||||||
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
#@ load("@ytt:data", "data")
|
|
||||||
|
|
||||||
apiVersion: idp.pinniped.dev/v1alpha1
|
|
||||||
kind: WebhookIdentityProvider
|
|
||||||
metadata:
|
|
||||||
name: #@ data.values.app_name + "-webhook"
|
|
||||||
namespace: #@ data.values.namespace
|
|
||||||
labels:
|
|
||||||
app: #@ data.values.app_name
|
|
||||||
spec:
|
|
||||||
endpoint: #@ data.values.webhook_url
|
|
||||||
tls:
|
|
||||||
certificateAuthorityData: #@ data.values.webhook_ca_bundle
|
|
22
doc/demo.md
22
doc/demo.md
@ -83,12 +83,24 @@
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd /tmp/pinniped/deploy
|
cd /tmp/pinniped/deploy
|
||||||
ytt --file . \
|
ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file -
|
||||||
--data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \
|
|
||||||
--data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca-base64-encoded)" \
|
|
||||||
| kapp deploy --yes --app pinniped --diff-changes --file -
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using `local-user-authenticator`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat <<EOF | kubectl create --namespace pinniped -f -
|
||||||
|
apiVersion: idp.pinniped.dev/v1alpha1
|
||||||
|
kind: WebhookIdentityProvider
|
||||||
|
metadata:
|
||||||
|
name: local-user-authenticator
|
||||||
|
spec:
|
||||||
|
endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
|
||||||
|
tls:
|
||||||
|
certificateAuthorityData: $(cat /tmp/local-user-authenticator-ca-base64-encoded)
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
1. Download the latest version of the Pinniped CLI binary for your platform
|
1. Download the latest version of the Pinniped CLI binary for your platform
|
||||||
from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
|
from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
|
||||||
|
|
||||||
@ -99,7 +111,7 @@
|
|||||||
allow you to authenticate as the user that you created above.
|
allow you to authenticate as the user that you created above.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig
|
pinniped get-kubeconfig --token "pinny-the-seal:password123" --idp-type webhook --idp-name local-user-authenticator > /tmp/pinniped-kubeconfig
|
||||||
```
|
```
|
||||||
|
|
||||||
Note that the above command will print a warning to the screen. You can ignore this warning.
|
Note that the above command will print a warning to the screen. You can ignore this warning.
|
||||||
|
1
generated/1.17/README.adoc
generated
1
generated/1.17/README.adoc
generated
@ -263,6 +263,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
|
|||||||
|===
|
|===
|
||||||
| Field | Description
|
| Field | Description
|
||||||
| *`token`* __string__ | Bearer token supplied with the credential request.
|
| *`token`* __string__ | Bearer token supplied with the credential request.
|
||||||
|
| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
5
generated/1.17/apis/go.mod
generated
5
generated/1.17/apis/go.mod
generated
@ -3,4 +3,7 @@ module go.pinniped.dev/generated/1.17/apis
|
|||||||
|
|
||||||
go 1.13
|
go 1.13
|
||||||
|
|
||||||
require k8s.io/apimachinery v0.17.11
|
require (
|
||||||
|
k8s.io/api v0.17.11
|
||||||
|
k8s.io/apimachinery v0.17.11
|
||||||
|
)
|
||||||
|
2
generated/1.17/apis/go.sum
generated
2
generated/1.17/apis/go.sum
generated
@ -94,6 +94,8 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
|||||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
||||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
k8s.io/api v0.17.11 h1:FAO+RMv/JhjBawixa33qZNZ2Yb5lNjgGuK8IjN2Ac3s=
|
||||||
|
k8s.io/api v0.17.11/go.mod h1:WR3CbTwCAxtfMcEB6c92W3l5aZw09unPCyxmxjYV3xg=
|
||||||
k8s.io/apimachinery v0.17.11 h1:hgMFLIR+ofBpaPb27lZkf44v3bLn3MLqcbnw32PgoGA=
|
k8s.io/apimachinery v0.17.11 h1:hgMFLIR+ofBpaPb27lZkf44v3bLn3MLqcbnw32PgoGA=
|
||||||
k8s.io/apimachinery v0.17.11/go.mod h1:q+iFxLyaMeWIBhSlQ4OMkvdwbwrb8Ux0ALl90XD9paU=
|
k8s.io/apimachinery v0.17.11/go.mod h1:q+iFxLyaMeWIBhSlQ4OMkvdwbwrb8Ux0ALl90XD9paU=
|
||||||
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||||
|
8
generated/1.17/apis/login/types_token.go
generated
8
generated/1.17/apis/login/types_token.go
generated
@ -3,11 +3,17 @@
|
|||||||
|
|
||||||
package login
|
package login
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string
|
Token string
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference
|
||||||
}
|
}
|
||||||
|
|
||||||
type TokenCredentialRequestStatus struct {
|
type TokenCredentialRequestStatus struct {
|
||||||
|
@ -3,12 +3,18 @@
|
|||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string `json:"token,omitempty"`
|
Token string `json:"token,omitempty"`
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
||||||
|
@ -157,6 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,6 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -671,9 +671,18 @@ func schema_117_apis_login_v1alpha1_TokenCredentialRequestSpec(ref common.Refere
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"identityProvider": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "Reference to an identity provider which can fulfill this credential request.",
|
||||||
|
Ref: ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
|
Required: []string{"identityProvider"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"k8s.io/api/core/v1.TypedLocalObjectReference"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
1
generated/1.18/README.adoc
generated
1
generated/1.18/README.adoc
generated
@ -263,6 +263,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
|
|||||||
|===
|
|===
|
||||||
| Field | Description
|
| Field | Description
|
||||||
| *`token`* __string__ | Bearer token supplied with the credential request.
|
| *`token`* __string__ | Bearer token supplied with the credential request.
|
||||||
|
| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
5
generated/1.18/apis/go.mod
generated
5
generated/1.18/apis/go.mod
generated
@ -3,4 +3,7 @@ module go.pinniped.dev/generated/1.18/apis
|
|||||||
|
|
||||||
go 1.13
|
go 1.13
|
||||||
|
|
||||||
require k8s.io/apimachinery v0.18.2
|
require (
|
||||||
|
k8s.io/api v0.18.2
|
||||||
|
k8s.io/apimachinery v0.18.2
|
||||||
|
)
|
||||||
|
2
generated/1.18/apis/go.sum
generated
2
generated/1.18/apis/go.sum
generated
@ -94,6 +94,8 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
|||||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
||||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
k8s.io/api v0.18.2 h1:wG5g5ZmSVgm5B+eHMIbI9EGATS2L8Z72rda19RIEgY8=
|
||||||
|
k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
|
||||||
k8s.io/apimachinery v0.18.2 h1:44CmtbmkzVDAhCpRVSiP2R5PPrC2RtlIv/MoB8xpdRA=
|
k8s.io/apimachinery v0.18.2 h1:44CmtbmkzVDAhCpRVSiP2R5PPrC2RtlIv/MoB8xpdRA=
|
||||||
k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
|
k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
|
||||||
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||||
|
8
generated/1.18/apis/login/types_token.go
generated
8
generated/1.18/apis/login/types_token.go
generated
@ -3,11 +3,17 @@
|
|||||||
|
|
||||||
package login
|
package login
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string
|
Token string
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference
|
||||||
}
|
}
|
||||||
|
|
||||||
type TokenCredentialRequestStatus struct {
|
type TokenCredentialRequestStatus struct {
|
||||||
|
@ -3,12 +3,18 @@
|
|||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string `json:"token,omitempty"`
|
Token string `json:"token,omitempty"`
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
||||||
|
@ -157,6 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,6 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -671,9 +671,18 @@ func schema_118_apis_login_v1alpha1_TokenCredentialRequestSpec(ref common.Refere
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"identityProvider": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "Reference to an identity provider which can fulfill this credential request.",
|
||||||
|
Ref: ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
|
Required: []string{"identityProvider"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"k8s.io/api/core/v1.TypedLocalObjectReference"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
1
generated/1.19/README.adoc
generated
1
generated/1.19/README.adoc
generated
@ -263,6 +263,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
|
|||||||
|===
|
|===
|
||||||
| Field | Description
|
| Field | Description
|
||||||
| *`token`* __string__ | Bearer token supplied with the credential request.
|
| *`token`* __string__ | Bearer token supplied with the credential request.
|
||||||
|
| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
5
generated/1.19/apis/go.mod
generated
5
generated/1.19/apis/go.mod
generated
@ -3,4 +3,7 @@ module go.pinniped.dev/generated/1.19/apis
|
|||||||
|
|
||||||
go 1.13
|
go 1.13
|
||||||
|
|
||||||
require k8s.io/apimachinery v0.19.0
|
require (
|
||||||
|
k8s.io/api v0.19.0
|
||||||
|
k8s.io/apimachinery v0.19.0
|
||||||
|
)
|
||||||
|
2
generated/1.19/apis/go.sum
generated
2
generated/1.19/apis/go.sum
generated
@ -157,6 +157,8 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
|||||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc=
|
||||||
|
k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
|
||||||
k8s.io/apimachinery v0.19.0 h1:gjKnAda/HZp5k4xQYjL0K/Yb66IvNqjthCb03QlKpaQ=
|
k8s.io/apimachinery v0.19.0 h1:gjKnAda/HZp5k4xQYjL0K/Yb66IvNqjthCb03QlKpaQ=
|
||||||
k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
||||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||||
|
8
generated/1.19/apis/login/types_token.go
generated
8
generated/1.19/apis/login/types_token.go
generated
@ -3,11 +3,17 @@
|
|||||||
|
|
||||||
package login
|
package login
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string
|
Token string
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference
|
||||||
}
|
}
|
||||||
|
|
||||||
type TokenCredentialRequestStatus struct {
|
type TokenCredentialRequestStatus struct {
|
||||||
|
@ -3,12 +3,18 @@
|
|||||||
|
|
||||||
package v1alpha1
|
package v1alpha1
|
||||||
|
|
||||||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
|
||||||
type TokenCredentialRequestSpec struct {
|
type TokenCredentialRequestSpec struct {
|
||||||
// Bearer token supplied with the credential request.
|
// Bearer token supplied with the credential request.
|
||||||
Token string `json:"token,omitempty"`
|
Token string `json:"token,omitempty"`
|
||||||
|
|
||||||
|
// Reference to an identity provider which can fulfill this credential request.
|
||||||
|
IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
|
||||||
|
@ -157,6 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,6 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
|
|||||||
|
|
||||||
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
|
||||||
out.Token = in.Token
|
out.Token = in.Token
|
||||||
|
out.IdentityProvider = in.IdentityProvider
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -92,6 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -672,9 +672,18 @@ func schema_119_apis_login_v1alpha1_TokenCredentialRequestSpec(ref common.Refere
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"identityProvider": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "Reference to an identity provider which can fulfill this credential request.",
|
||||||
|
Ref: ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
|
Required: []string{"identityProvider"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"k8s.io/api/core/v1.TypedLocalObjectReference"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -79,6 +79,7 @@ go 1.13
|
|||||||
|
|
||||||
require (
|
require (
|
||||||
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
||||||
|
k8s.io/api ${KUBE_MODULE_VERSION}
|
||||||
)
|
)
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -93,9 +94,9 @@ go 1.13
|
|||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/go-openapi/spec v0.19.9
|
github.com/go-openapi/spec v0.19.9
|
||||||
k8s.io/api ${KUBE_MODULE_VERSION}
|
k8s.io/api ${KUBE_MODULE_VERSION}
|
||||||
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
||||||
k8s.io/client-go ${KUBE_MODULE_VERSION}
|
k8s.io/client-go ${KUBE_MODULE_VERSION}
|
||||||
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
k8s.io/apimachinery ${KUBE_MODULE_VERSION}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -191,8 +191,6 @@ ytt --file . \
|
|||||||
--data-value "namespace=$namespace" \
|
--data-value "namespace=$namespace" \
|
||||||
--data-value "image_repo=$registry_repo" \
|
--data-value "image_repo=$registry_repo" \
|
||||||
--data-value "image_tag=$tag" \
|
--data-value "image_tag=$tag" \
|
||||||
--data-value "webhook_url=$webhook_url" \
|
|
||||||
--data-value "webhook_ca_bundle=$webhook_ca_bundle" \
|
|
||||||
--data-value "discovery_url=$discovery_url" >"$manifest"
|
--data-value "discovery_url=$discovery_url" >"$manifest"
|
||||||
|
|
||||||
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
|
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
|
||||||
@ -212,6 +210,8 @@ export PINNIPED_APP_NAME=${app_name}
|
|||||||
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
||||||
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
||||||
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
||||||
|
export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
|
||||||
|
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
|
||||||
|
|
||||||
read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
|
read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
|
||||||
${pinniped_cluster_capability_file_content}
|
${pinniped_cluster_capability_file_content}
|
||||||
|
@ -12,7 +12,6 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/apimachinery/pkg/runtime/serializer"
|
"k8s.io/apimachinery/pkg/runtime/serializer"
|
||||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
||||||
"k8s.io/apiserver/pkg/registry/rest"
|
"k8s.io/apiserver/pkg/registry/rest"
|
||||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||||
"k8s.io/client-go/pkg/version"
|
"k8s.io/client-go/pkg/version"
|
||||||
@ -54,7 +53,7 @@ type Config struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type ExtraConfig struct {
|
type ExtraConfig struct {
|
||||||
TokenAuthenticator authenticator.Token
|
Authenticator credentialrequest.TokenCredentialRequestAuthenticator
|
||||||
Issuer credentialrequest.CertIssuer
|
Issuer credentialrequest.CertIssuer
|
||||||
StartControllersPostStartHook func(ctx context.Context)
|
StartControllersPostStartHook func(ctx context.Context)
|
||||||
}
|
}
|
||||||
@ -98,7 +97,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
gvr := loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests")
|
gvr := loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests")
|
||||||
storage := credentialrequest.NewREST(c.ExtraConfig.TokenAuthenticator, c.ExtraConfig.Issuer)
|
storage := credentialrequest.NewREST(c.ExtraConfig.Authenticator, c.ExtraConfig.Issuer)
|
||||||
if err := s.GenericAPIServer.InstallAPIGroup(&genericapiserver.APIGroupInfo{
|
if err := s.GenericAPIServer.InstallAPIGroup(&genericapiserver.APIGroupInfo{
|
||||||
PrioritizedVersions: []schema.GroupVersion{gvr.GroupVersion()},
|
PrioritizedVersions: []schema.GroupVersion{gvr.GroupVersion()},
|
||||||
VersionedResourcesStorageMap: map[string]map[string]rest.Storage{gvr.Version: {gvr.Resource: storage}},
|
VersionedResourcesStorageMap: map[string]map[string]rest.Storage{gvr.Version: {gvr.Resource: storage}},
|
||||||
|
@ -9,6 +9,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
@ -21,15 +22,21 @@ import (
|
|||||||
// ErrLoginFailed is returned by ExchangeToken when the server rejects the login request.
|
// ErrLoginFailed is returned by ExchangeToken when the server rejects the login request.
|
||||||
var ErrLoginFailed = errors.New("login failed")
|
var ErrLoginFailed = errors.New("login failed")
|
||||||
|
|
||||||
// ExchangeToken exchanges an opaque token using the Pinniped CredentialRequest API, returning a client-go ExecCredential valid on the target cluster.
|
// ExchangeToken exchanges an opaque token using the Pinniped TokenCredentialRequest API, returning a client-go ExecCredential valid on the target cluster.
|
||||||
func ExchangeToken(ctx context.Context, namespace string, token string, caBundle string, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
func ExchangeToken(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token string, caBundle string, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
client, err := getClient(apiEndpoint, caBundle)
|
client, err := getClient(apiEndpoint, caBundle)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not get API client: %w", err)
|
return nil, fmt.Errorf("could not get API client: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
resp, err := client.LoginV1alpha1().TokenCredentialRequests(namespace).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
resp, err := client.LoginV1alpha1().TokenCredentialRequests(namespace).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
||||||
Spec: v1alpha1.TokenCredentialRequestSpec{Token: token},
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: namespace,
|
||||||
|
},
|
||||||
|
Spec: v1alpha1.TokenCredentialRequestSpec{
|
||||||
|
Token: token,
|
||||||
|
IdentityProvider: idp,
|
||||||
|
},
|
||||||
}, metav1.CreateOptions{})
|
}, metav1.CreateOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not login: %w", err)
|
return nil, fmt.Errorf("could not login: %w", err)
|
||||||
|
@ -12,10 +12,12 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
|
|
||||||
"go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
|
loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
||||||
"go.pinniped.dev/internal/testutil"
|
"go.pinniped.dev/internal/testutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -23,9 +25,15 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
t.Parallel()
|
t.Parallel()
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
|
|
||||||
|
testIDP := corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Name: "test-webhook",
|
||||||
|
}
|
||||||
|
|
||||||
t.Run("invalid configuration", func(t *testing.T) {
|
t.Run("invalid configuration", func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
got, err := ExchangeToken(ctx, "test-namespace", "", "", "")
|
got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", "", "")
|
||||||
require.EqualError(t, err, "could not get API client: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable")
|
require.EqualError(t, err, "could not get API client: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable")
|
||||||
require.Nil(t, got)
|
require.Nil(t, got)
|
||||||
})
|
})
|
||||||
@ -38,7 +46,7 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
_, _ = w.Write([]byte("some server error"))
|
_, _ = w.Write([]byte("some server error"))
|
||||||
})
|
})
|
||||||
|
|
||||||
got, err := ExchangeToken(ctx, "test-namespace", "", caBundle, endpoint)
|
got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
|
||||||
require.EqualError(t, err, `could not login: an error on the server ("some server error") has prevented the request from succeeding (post tokencredentialrequests.login.pinniped.dev)`)
|
require.EqualError(t, err, `could not login: an error on the server ("some server error") has prevented the request from succeeding (post tokencredentialrequests.login.pinniped.dev)`)
|
||||||
require.Nil(t, got)
|
require.Nil(t, got)
|
||||||
})
|
})
|
||||||
@ -49,13 +57,13 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
errorMessage := "some login failure"
|
errorMessage := "some login failure"
|
||||||
caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
|
caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
|
||||||
w.Header().Set("content-type", "application/json")
|
w.Header().Set("content-type", "application/json")
|
||||||
_ = json.NewEncoder(w).Encode(&v1alpha1.TokenCredentialRequest{
|
_ = json.NewEncoder(w).Encode(&loginv1alpha1.TokenCredentialRequest{
|
||||||
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
||||||
Status: v1alpha1.TokenCredentialRequestStatus{Message: &errorMessage},
|
Status: loginv1alpha1.TokenCredentialRequestStatus{Message: &errorMessage},
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
got, err := ExchangeToken(ctx, "test-namespace", "", caBundle, endpoint)
|
got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
|
||||||
require.EqualError(t, err, `login failed: some login failure`)
|
require.EqualError(t, err, `login failed: some login failure`)
|
||||||
require.Nil(t, got)
|
require.Nil(t, got)
|
||||||
})
|
})
|
||||||
@ -65,12 +73,12 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
// Start a test server that returns without any error message but also without valid credentials
|
// Start a test server that returns without any error message but also without valid credentials
|
||||||
caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
|
caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
|
||||||
w.Header().Set("content-type", "application/json")
|
w.Header().Set("content-type", "application/json")
|
||||||
_ = json.NewEncoder(w).Encode(&v1alpha1.TokenCredentialRequest{
|
_ = json.NewEncoder(w).Encode(&loginv1alpha1.TokenCredentialRequest{
|
||||||
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
got, err := ExchangeToken(ctx, "test-namespace", "", caBundle, endpoint)
|
got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
|
||||||
require.EqualError(t, err, `login failed: unknown`)
|
require.EqualError(t, err, `login failed: unknown`)
|
||||||
require.Nil(t, got)
|
require.Nil(t, got)
|
||||||
})
|
})
|
||||||
@ -92,10 +100,16 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
"kind": "TokenCredentialRequest",
|
"kind": "TokenCredentialRequest",
|
||||||
"apiVersion": "login.pinniped.dev/v1alpha1",
|
"apiVersion": "login.pinniped.dev/v1alpha1",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"creationTimestamp": null
|
"creationTimestamp": null,
|
||||||
|
"namespace": "test-namespace"
|
||||||
},
|
},
|
||||||
"spec": {
|
"spec": {
|
||||||
"token": "test-token"
|
"token": "test-token",
|
||||||
|
"identityProvider": {
|
||||||
|
"apiGroup": "idp.pinniped.dev",
|
||||||
|
"kind": "WebhookIdentityProvider",
|
||||||
|
"name": "test-webhook"
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"status": {}
|
"status": {}
|
||||||
}`,
|
}`,
|
||||||
@ -103,10 +117,10 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
)
|
)
|
||||||
|
|
||||||
w.Header().Set("content-type", "application/json")
|
w.Header().Set("content-type", "application/json")
|
||||||
_ = json.NewEncoder(w).Encode(&v1alpha1.TokenCredentialRequest{
|
_ = json.NewEncoder(w).Encode(&loginv1alpha1.TokenCredentialRequest{
|
||||||
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
TypeMeta: metav1.TypeMeta{APIVersion: "login.pinniped.dev/v1alpha1", Kind: "TokenCredentialRequest"},
|
||||||
Status: v1alpha1.TokenCredentialRequestStatus{
|
Status: loginv1alpha1.TokenCredentialRequestStatus{
|
||||||
Credential: &v1alpha1.ClusterCredential{
|
Credential: &loginv1alpha1.ClusterCredential{
|
||||||
ExpirationTimestamp: expires,
|
ExpirationTimestamp: expires,
|
||||||
ClientCertificateData: "test-certificate",
|
ClientCertificateData: "test-certificate",
|
||||||
ClientKeyData: "test-key",
|
ClientKeyData: "test-key",
|
||||||
@ -115,7 +129,7 @@ func TestExchangeToken(t *testing.T) {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
got, err := ExchangeToken(ctx, "test-namespace", "test-token", caBundle, endpoint)
|
got, err := ExchangeToken(ctx, "test-namespace", testIDP, "test-token", caBundle, endpoint)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, &clientauthenticationv1beta1.ExecCredential{
|
require.Equal(t, &clientauthenticationv1beta1.ExecCredential{
|
||||||
TypeMeta: metav1.TypeMeta{
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
@ -7,19 +7,18 @@ package idpcache
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"sort"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/controllerlib"
|
loginapi "go.pinniped.dev/generated/1.19/apis/login"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// ErrNoIDPs is returned by Cache.AuthenticateToken() when there are no IDPs configured.
|
// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured.
|
||||||
ErrNoIDPs = fmt.Errorf("no identity providers are loaded")
|
ErrNoSuchIDP = fmt.Errorf("no such identity provider")
|
||||||
|
|
||||||
// ErrIndeterminateIDP is returned by Cache.AuthenticateToken() when the correct IDP cannot be determined.
|
|
||||||
ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider")
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
|
// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
|
||||||
@ -28,48 +27,96 @@ type Cache struct {
|
|||||||
cache sync.Map
|
cache sync.Map
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type Key struct {
|
||||||
|
APIGroup string
|
||||||
|
Kind string
|
||||||
|
Namespace string
|
||||||
|
Name string
|
||||||
|
}
|
||||||
|
|
||||||
|
type Value interface {
|
||||||
|
authenticator.Token
|
||||||
|
}
|
||||||
|
|
||||||
// New returns an empty cache.
|
// New returns an empty cache.
|
||||||
func New() *Cache {
|
func New() *Cache {
|
||||||
return &Cache{}
|
return &Cache{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Get an identity provider by key.
|
||||||
|
func (c *Cache) Get(key Key) Value {
|
||||||
|
res, _ := c.cache.Load(key)
|
||||||
|
if res == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return res.(Value)
|
||||||
|
}
|
||||||
|
|
||||||
// Store an identity provider into the cache.
|
// Store an identity provider into the cache.
|
||||||
func (c *Cache) Store(key controllerlib.Key, value authenticator.Token) {
|
func (c *Cache) Store(key Key, value Value) {
|
||||||
c.cache.Store(key, value)
|
c.cache.Store(key, value)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Delete an identity provider from the cache.
|
// Delete an identity provider from the cache.
|
||||||
func (c *Cache) Delete(key controllerlib.Key) {
|
func (c *Cache) Delete(key Key) {
|
||||||
c.cache.Delete(key)
|
c.cache.Delete(key)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Keys currently stored in the cache.
|
// Keys currently stored in the cache.
|
||||||
func (c *Cache) Keys() []controllerlib.Key {
|
func (c *Cache) Keys() []Key {
|
||||||
var result []controllerlib.Key
|
var result []Key
|
||||||
c.cache.Range(func(key, _ interface{}) bool {
|
c.cache.Range(func(key, _ interface{}) bool {
|
||||||
result = append(result, key.(controllerlib.Key))
|
result = append(result, key.(Key))
|
||||||
return true
|
return true
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// Sort the results for consistency.
|
||||||
|
sort.Slice(result, func(i, j int) bool {
|
||||||
|
return result[i].APIGroup < result[j].APIGroup ||
|
||||||
|
result[i].Kind < result[j].Kind ||
|
||||||
|
result[i].Namespace < result[j].Namespace ||
|
||||||
|
result[i].Name < result[j].Name
|
||||||
|
})
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthenticateToken validates the provided token against the currently loaded identity providers.
|
func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error) {
|
||||||
func (c *Cache) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
|
// Map the incoming request to a cache key.
|
||||||
var matchingIDPs []authenticator.Token
|
key := Key{
|
||||||
c.cache.Range(func(key, value interface{}) bool {
|
Namespace: req.Namespace,
|
||||||
matchingIDPs = append(matchingIDPs, value.(authenticator.Token))
|
Name: req.Spec.IdentityProvider.Name,
|
||||||
return true
|
Kind: req.Spec.IdentityProvider.Kind,
|
||||||
})
|
}
|
||||||
|
if req.Spec.IdentityProvider.APIGroup != nil {
|
||||||
// Return an error if there are no known IDPs.
|
key.APIGroup = *req.Spec.IdentityProvider.APIGroup
|
||||||
if len(matchingIDPs) == 0 {
|
|
||||||
return nil, false, ErrNoIDPs
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// For now, allow there to be only exactly one IDP (until we specify a good mechanism for selecting one).
|
val := c.Get(key)
|
||||||
if len(matchingIDPs) != 1 {
|
if val == nil {
|
||||||
return nil, false, ErrIndeterminateIDP
|
return nil, ErrNoSuchIDP
|
||||||
}
|
}
|
||||||
|
|
||||||
return matchingIDPs[0].AuthenticateToken(ctx, token)
|
// The incoming context could have an audience. Since we do not want to handle audiences right now, do not pass it
|
||||||
|
// through directly to the authentication webhook.
|
||||||
|
ctx = valuelessContext{ctx}
|
||||||
|
|
||||||
|
// Call the selected IDP.
|
||||||
|
resp, authenticated, err := val.AuthenticateToken(ctx, req.Spec.Token)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !authenticated {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return the user.Info from the response (if it is non-nil).
|
||||||
|
var respUser user.Info
|
||||||
|
if resp != nil {
|
||||||
|
respUser = resp.User
|
||||||
|
}
|
||||||
|
return respUser, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type valuelessContext struct{ context.Context }
|
||||||
|
|
||||||
|
func (valuelessContext) Value(interface{}) interface{} { return nil }
|
||||||
|
@ -5,95 +5,196 @@ package idpcache
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"math/rand"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/golang/mock/gomock"
|
"github.com/golang/mock/gomock"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/controllerlib"
|
idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
|
loginapi "go.pinniped.dev/generated/1.19/apis/login"
|
||||||
"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
|
"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestCache(t *testing.T) {
|
func TestCache(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
ctx, cancel := context.WithCancel(context.Background())
|
ctrl := gomock.NewController(t)
|
||||||
defer cancel()
|
defer ctrl.Finish()
|
||||||
|
|
||||||
tests := []struct {
|
cache := New()
|
||||||
name string
|
require.NotNil(t, cache)
|
||||||
mockAuthenticators map[controllerlib.Key]func(*mocktokenauthenticator.MockToken)
|
|
||||||
wantResponse *authenticator.Response
|
key1 := Key{Namespace: "foo", Name: "idp-one"}
|
||||||
wantAuthenticated bool
|
mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)
|
||||||
wantErr string
|
cache.Store(key1, mockToken1)
|
||||||
}{
|
require.Equal(t, mockToken1, cache.Get(key1))
|
||||||
{
|
require.Equal(t, 1, len(cache.Keys()))
|
||||||
name: "no IDPs",
|
|
||||||
wantErr: "no identity providers are loaded",
|
key2 := Key{Namespace: "foo", Name: "idp-two"}
|
||||||
},
|
mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)
|
||||||
{
|
cache.Store(key2, mockToken2)
|
||||||
name: "multiple IDPs",
|
require.Equal(t, mockToken2, cache.Get(key2))
|
||||||
mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){
|
require.Equal(t, 2, len(cache.Keys()))
|
||||||
controllerlib.Key{Namespace: "foo", Name: "idp-one"}: nil,
|
|
||||||
controllerlib.Key{Namespace: "foo", Name: "idp-two"}: nil,
|
for _, key := range cache.Keys() {
|
||||||
},
|
cache.Delete(key)
|
||||||
wantErr: "could not uniquely match against an identity provider",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "success",
|
|
||||||
mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){
|
|
||||||
controllerlib.Key{
|
|
||||||
Namespace: "foo",
|
|
||||||
Name: "idp-one",
|
|
||||||
}: func(mockToken *mocktokenauthenticator.MockToken) {
|
|
||||||
mockToken.EXPECT().AuthenticateToken(ctx, "test-token").Return(
|
|
||||||
&authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}},
|
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
},
|
|
||||||
},
|
|
||||||
wantResponse: &authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}},
|
|
||||||
wantAuthenticated: true,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
require.Zero(t, len(cache.Keys()))
|
||||||
tt := tt
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
t.Parallel()
|
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
// Fill the cache back up with a fixed set of keys, but inserted in shuffled order.
|
||||||
defer ctrl.Finish()
|
keysInExpectedOrder := []Key{
|
||||||
|
{APIGroup: "a", Kind: "a", Namespace: "a", Name: "a"},
|
||||||
|
{APIGroup: "b", Kind: "a", Namespace: "a", Name: "a"},
|
||||||
|
{APIGroup: "b", Kind: "b", Namespace: "a", Name: "a"},
|
||||||
|
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "a"},
|
||||||
|
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "b"},
|
||||||
|
}
|
||||||
|
for tries := 0; tries < 10; tries++ {
|
||||||
|
cache := New()
|
||||||
|
for _, i := range rand.Perm(len(keysInExpectedOrder)) {
|
||||||
|
cache.Store(keysInExpectedOrder[i], nil)
|
||||||
|
}
|
||||||
|
|
||||||
cache := New()
|
// Expect that they come back out in sorted order.
|
||||||
require.NotNil(t, cache)
|
require.Equal(t, keysInExpectedOrder, cache.Keys())
|
||||||
require.Implements(t, (*authenticator.Token)(nil), cache)
|
|
||||||
|
|
||||||
for key, mockFunc := range tt.mockAuthenticators {
|
|
||||||
mockToken := mocktokenauthenticator.NewMockToken(ctrl)
|
|
||||||
if mockFunc != nil {
|
|
||||||
mockFunc(mockToken)
|
|
||||||
}
|
|
||||||
cache.Store(key, mockToken)
|
|
||||||
}
|
|
||||||
|
|
||||||
require.Equal(t, len(tt.mockAuthenticators), len(cache.Keys()))
|
|
||||||
|
|
||||||
resp, authenticated, err := cache.AuthenticateToken(ctx, "test-token")
|
|
||||||
require.Equal(t, tt.wantResponse, resp)
|
|
||||||
require.Equal(t, tt.wantAuthenticated, authenticated)
|
|
||||||
if tt.wantErr != "" {
|
|
||||||
require.EqualError(t, err, tt.wantErr)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
for _, key := range cache.Keys() {
|
|
||||||
cache.Delete(key)
|
|
||||||
}
|
|
||||||
require.Zero(t, len(cache.Keys()))
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAuthenticateTokenCredentialRequest(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
validRequest := loginapi.TokenCredentialRequest{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: "test-namespace",
|
||||||
|
},
|
||||||
|
Spec: loginapi.TokenCredentialRequestSpec{
|
||||||
|
IdentityProvider: corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &idpv1alpha.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Name: "test-name",
|
||||||
|
},
|
||||||
|
Token: "test-token",
|
||||||
|
},
|
||||||
|
Status: loginapi.TokenCredentialRequestStatus{},
|
||||||
|
}
|
||||||
|
validRequestKey := Key{
|
||||||
|
APIGroup: *validRequest.Spec.IdentityProvider.APIGroup,
|
||||||
|
Kind: validRequest.Spec.IdentityProvider.Kind,
|
||||||
|
Namespace: validRequest.Namespace,
|
||||||
|
Name: validRequest.Spec.IdentityProvider.Name,
|
||||||
|
}
|
||||||
|
|
||||||
|
mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache {
|
||||||
|
ctrl := gomock.NewController(t)
|
||||||
|
t.Cleanup(ctrl.Finish)
|
||||||
|
m := mocktokenauthenticator.NewMockToken(ctrl)
|
||||||
|
m.EXPECT().AuthenticateToken(audienceFreeContext{}, validRequest.Spec.Token).Return(res, authenticated, err)
|
||||||
|
c := New()
|
||||||
|
c.Store(validRequestKey, m)
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Run("no such IDP", func(t *testing.T) {
|
||||||
|
c := New()
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
|
||||||
|
require.EqualError(t, err, "no such identity provider")
|
||||||
|
require.Nil(t, res)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("authenticator returns error", func(t *testing.T) {
|
||||||
|
c := mockCache(t, nil, false, fmt.Errorf("some authenticator error"))
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
|
||||||
|
require.EqualError(t, err, "some authenticator error")
|
||||||
|
require.Nil(t, res)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("authenticator returns unauthenticated without error", func(t *testing.T) {
|
||||||
|
c := mockCache(t, &authenticator.Response{}, false, nil)
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Nil(t, res)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("authenticator returns nil response without error", func(t *testing.T) {
|
||||||
|
c := mockCache(t, nil, true, nil)
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Nil(t, res)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("authenticator returns response with nil user", func(t *testing.T) {
|
||||||
|
c := mockCache(t, &authenticator.Response{}, true, nil)
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Nil(t, res)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("context is cancelled", func(t *testing.T) {
|
||||||
|
ctrl := gomock.NewController(t)
|
||||||
|
t.Cleanup(ctrl.Finish)
|
||||||
|
m := mocktokenauthenticator.NewMockToken(ctrl)
|
||||||
|
m.EXPECT().AuthenticateToken(gomock.Any(), validRequest.Spec.Token).DoAndReturn(
|
||||||
|
func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
|
||||||
|
select {
|
||||||
|
case <-time.After(2 * time.Second):
|
||||||
|
require.Fail(t, "expected to be cancelled")
|
||||||
|
return nil, true, nil
|
||||||
|
case <-ctx.Done():
|
||||||
|
return nil, false, ctx.Err()
|
||||||
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
|
c := New()
|
||||||
|
c.Store(validRequestKey, m)
|
||||||
|
|
||||||
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
|
errchan := make(chan error)
|
||||||
|
go func() {
|
||||||
|
_, err := c.AuthenticateTokenCredentialRequest(ctx, validRequest.DeepCopy())
|
||||||
|
errchan <- err
|
||||||
|
}()
|
||||||
|
cancel()
|
||||||
|
require.EqualError(t, <-errchan, "context canceled")
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("authenticator returns success", func(t *testing.T) {
|
||||||
|
userInfo := user.DefaultInfo{
|
||||||
|
Name: "test-user",
|
||||||
|
UID: "test-uid",
|
||||||
|
Groups: []string{"test-group-1", "test-group-2"},
|
||||||
|
Extra: map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}},
|
||||||
|
}
|
||||||
|
c := mockCache(t, &authenticator.Response{User: &userInfo}, true, nil)
|
||||||
|
|
||||||
|
audienceCtx := authenticator.WithAudiences(context.Background(), authenticator.Audiences{"test-audience-1"})
|
||||||
|
res, err := c.AuthenticateTokenCredentialRequest(audienceCtx, validRequest.DeepCopy())
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, res)
|
||||||
|
require.Equal(t, "test-user", res.GetName())
|
||||||
|
require.Equal(t, "test-uid", res.GetUID())
|
||||||
|
require.Equal(t, []string{"test-group-1", "test-group-2"}, res.GetGroups())
|
||||||
|
require.Equal(t, map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}}, res.GetExtra())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
type audienceFreeContext struct{}
|
||||||
|
|
||||||
|
func (audienceFreeContext) Matches(in interface{}) bool {
|
||||||
|
ctx, isCtx := in.(context.Context)
|
||||||
|
if !isCtx {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
_, hasAudiences := authenticator.AudiencesFrom(ctx)
|
||||||
|
return !hasAudiences
|
||||||
|
}
|
||||||
|
|
||||||
|
func (audienceFreeContext) String() string {
|
||||||
|
return "is a context without authenticator audiences"
|
||||||
|
}
|
||||||
|
@ -59,7 +59,10 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
|
|||||||
|
|
||||||
// Delete any entries from the cache which are no longer in the cluster.
|
// Delete any entries from the cache which are no longer in the cluster.
|
||||||
for _, key := range c.cache.Keys() {
|
for _, key := range c.cache.Keys() {
|
||||||
if _, exists := webhooksByKey[key]; !exists {
|
if key.APIGroup != idpv1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
|
||||||
c.log.WithValues("idp", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook IDP from cache")
|
c.log.WithValues("idp", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook IDP from cache")
|
||||||
c.cache.Delete(key)
|
c.cache.Delete(key)
|
||||||
}
|
}
|
||||||
|
@ -11,7 +11,6 @@ import (
|
|||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
||||||
|
|
||||||
idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
|
pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
|
||||||
@ -24,22 +23,36 @@ import (
|
|||||||
func TestController(t *testing.T) {
|
func TestController(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
testKey1 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-one"}
|
testKey1 := idpcache.Key{
|
||||||
testKey2 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-two"}
|
APIGroup: "idp.pinniped.dev",
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Namespace: "test-namespace",
|
||||||
|
Name: "test-name-one",
|
||||||
|
}
|
||||||
|
testKey2 := idpcache.Key{
|
||||||
|
APIGroup: "idp.pinniped.dev",
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Namespace: "test-namespace",
|
||||||
|
Name: "test-name-two",
|
||||||
|
}
|
||||||
|
testKeyNonwebhook := idpcache.Key{
|
||||||
|
APIGroup: "idp.pinniped.dev",
|
||||||
|
Kind: "SomeOtherIdentityProvider",
|
||||||
|
Namespace: "test-namespace",
|
||||||
|
Name: "test-name-one",
|
||||||
|
}
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
syncKey controllerlib.Key
|
|
||||||
webhookIDPs []runtime.Object
|
webhookIDPs []runtime.Object
|
||||||
initialCache map[controllerlib.Key]authenticator.Token
|
initialCache map[idpcache.Key]idpcache.Value
|
||||||
wantErr string
|
wantErr string
|
||||||
wantLogs []string
|
wantLogs []string
|
||||||
wantCacheKeys []controllerlib.Key
|
wantCacheKeys []idpcache.Key
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "no change",
|
name: "no change",
|
||||||
syncKey: testKey1,
|
initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
|
||||||
initialCache: map[controllerlib.Key]authenticator.Token{testKey1: nil},
|
|
||||||
webhookIDPs: []runtime.Object{
|
webhookIDPs: []runtime.Object{
|
||||||
&idpv1alpha.WebhookIdentityProvider{
|
&idpv1alpha.WebhookIdentityProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
@ -48,11 +61,10 @@ func TestController(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantCacheKeys: []controllerlib.Key{testKey1},
|
wantCacheKeys: []idpcache.Key{testKey1},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "IDPs not yet added",
|
name: "IDPs not yet added",
|
||||||
syncKey: testKey1,
|
|
||||||
initialCache: nil,
|
initialCache: nil,
|
||||||
webhookIDPs: []runtime.Object{
|
webhookIDPs: []runtime.Object{
|
||||||
&idpv1alpha.WebhookIdentityProvider{
|
&idpv1alpha.WebhookIdentityProvider{
|
||||||
@ -68,14 +80,14 @@ func TestController(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantCacheKeys: []controllerlib.Key{},
|
wantCacheKeys: []idpcache.Key{},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "successful cleanup",
|
name: "successful cleanup",
|
||||||
syncKey: testKey1,
|
initialCache: map[idpcache.Key]idpcache.Value{
|
||||||
initialCache: map[controllerlib.Key]authenticator.Token{
|
testKey1: nil,
|
||||||
testKey1: nil,
|
testKey2: nil,
|
||||||
testKey2: nil,
|
testKeyNonwebhook: nil,
|
||||||
},
|
},
|
||||||
webhookIDPs: []runtime.Object{
|
webhookIDPs: []runtime.Object{
|
||||||
&idpv1alpha.WebhookIdentityProvider{
|
&idpv1alpha.WebhookIdentityProvider{
|
||||||
@ -88,7 +100,7 @@ func TestController(t *testing.T) {
|
|||||||
wantLogs: []string{
|
wantLogs: []string{
|
||||||
`webhookcachecleaner-controller "level"=0 "msg"="deleting webhook IDP from cache" "idp"={"name":"test-name-two","namespace":"test-namespace"}`,
|
`webhookcachecleaner-controller "level"=0 "msg"="deleting webhook IDP from cache" "idp"={"name":"test-name-two","namespace":"test-namespace"}`,
|
||||||
},
|
},
|
||||||
wantCacheKeys: []controllerlib.Key{testKey1},
|
wantCacheKeys: []idpcache.Key{testKey1, testKeyNonwebhook},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
@ -112,7 +124,13 @@ func TestController(t *testing.T) {
|
|||||||
informers.Start(ctx.Done())
|
informers.Start(ctx.Done())
|
||||||
controllerlib.TestRunSynchronously(t, controller)
|
controllerlib.TestRunSynchronously(t, controller)
|
||||||
|
|
||||||
syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey}
|
syncCtx := controllerlib.Context{
|
||||||
|
Context: ctx,
|
||||||
|
Key: controllerlib.Key{
|
||||||
|
Namespace: "test-namespace",
|
||||||
|
Name: "test-name-one",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
|
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
|
||||||
require.EqualError(t, err, tt.wantErr)
|
require.EqualError(t, err, tt.wantErr)
|
||||||
|
@ -68,7 +68,12 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
|
|||||||
return fmt.Errorf("failed to build webhook config: %w", err)
|
return fmt.Errorf("failed to build webhook config: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
c.cache.Store(ctx.Key, webhookAuthenticator)
|
c.cache.Store(idpcache.Key{
|
||||||
|
APIGroup: idpv1alpha1.GroupName,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Namespace: ctx.Key.Namespace,
|
||||||
|
Name: ctx.Key.Name,
|
||||||
|
}, webhookAuthenticator)
|
||||||
c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP")
|
c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,96 @@
|
|||||||
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||||
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
//
|
||||||
|
|
||||||
|
// Code generated by MockGen. DO NOT EDIT.
|
||||||
|
// Source: go.pinniped.dev/internal/registry/credentialrequest (interfaces: CertIssuer,TokenCredentialRequestAuthenticator)
|
||||||
|
|
||||||
|
// Package credentialrequestmocks is a generated GoMock package.
|
||||||
|
package credentialrequestmocks
|
||||||
|
|
||||||
|
import (
|
||||||
|
context "context"
|
||||||
|
pkix "crypto/x509/pkix"
|
||||||
|
gomock "github.com/golang/mock/gomock"
|
||||||
|
login "go.pinniped.dev/generated/1.19/apis/login"
|
||||||
|
user "k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
reflect "reflect"
|
||||||
|
time "time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// MockCertIssuer is a mock of CertIssuer interface
|
||||||
|
type MockCertIssuer struct {
|
||||||
|
ctrl *gomock.Controller
|
||||||
|
recorder *MockCertIssuerMockRecorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockCertIssuerMockRecorder is the mock recorder for MockCertIssuer
|
||||||
|
type MockCertIssuerMockRecorder struct {
|
||||||
|
mock *MockCertIssuer
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewMockCertIssuer creates a new mock instance
|
||||||
|
func NewMockCertIssuer(ctrl *gomock.Controller) *MockCertIssuer {
|
||||||
|
mock := &MockCertIssuer{ctrl: ctrl}
|
||||||
|
mock.recorder = &MockCertIssuerMockRecorder{mock}
|
||||||
|
return mock
|
||||||
|
}
|
||||||
|
|
||||||
|
// EXPECT returns an object that allows the caller to indicate expected use
|
||||||
|
func (m *MockCertIssuer) EXPECT() *MockCertIssuerMockRecorder {
|
||||||
|
return m.recorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// IssuePEM mocks base method
|
||||||
|
func (m *MockCertIssuer) IssuePEM(arg0 pkix.Name, arg1 []string, arg2 time.Duration) ([]byte, []byte, error) {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "IssuePEM", arg0, arg1, arg2)
|
||||||
|
ret0, _ := ret[0].([]byte)
|
||||||
|
ret1, _ := ret[1].([]byte)
|
||||||
|
ret2, _ := ret[2].(error)
|
||||||
|
return ret0, ret1, ret2
|
||||||
|
}
|
||||||
|
|
||||||
|
// IssuePEM indicates an expected call of IssuePEM
|
||||||
|
func (mr *MockCertIssuerMockRecorder) IssuePEM(arg0, arg1, arg2 interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssuePEM", reflect.TypeOf((*MockCertIssuer)(nil).IssuePEM), arg0, arg1, arg2)
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockTokenCredentialRequestAuthenticator is a mock of TokenCredentialRequestAuthenticator interface
|
||||||
|
type MockTokenCredentialRequestAuthenticator struct {
|
||||||
|
ctrl *gomock.Controller
|
||||||
|
recorder *MockTokenCredentialRequestAuthenticatorMockRecorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockTokenCredentialRequestAuthenticatorMockRecorder is the mock recorder for MockTokenCredentialRequestAuthenticator
|
||||||
|
type MockTokenCredentialRequestAuthenticatorMockRecorder struct {
|
||||||
|
mock *MockTokenCredentialRequestAuthenticator
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewMockTokenCredentialRequestAuthenticator creates a new mock instance
|
||||||
|
func NewMockTokenCredentialRequestAuthenticator(ctrl *gomock.Controller) *MockTokenCredentialRequestAuthenticator {
|
||||||
|
mock := &MockTokenCredentialRequestAuthenticator{ctrl: ctrl}
|
||||||
|
mock.recorder = &MockTokenCredentialRequestAuthenticatorMockRecorder{mock}
|
||||||
|
return mock
|
||||||
|
}
|
||||||
|
|
||||||
|
// EXPECT returns an object that allows the caller to indicate expected use
|
||||||
|
func (m *MockTokenCredentialRequestAuthenticator) EXPECT() *MockTokenCredentialRequestAuthenticatorMockRecorder {
|
||||||
|
return m.recorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthenticateTokenCredentialRequest mocks base method
|
||||||
|
func (m *MockTokenCredentialRequestAuthenticator) AuthenticateTokenCredentialRequest(arg0 context.Context, arg1 *login.TokenCredentialRequest) (user.Info, error) {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "AuthenticateTokenCredentialRequest", arg0, arg1)
|
||||||
|
ret0, _ := ret[0].(user.Info)
|
||||||
|
ret1, _ := ret[1].(error)
|
||||||
|
return ret0, ret1
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthenticateTokenCredentialRequest indicates an expected call of AuthenticateTokenCredentialRequest
|
||||||
|
func (mr *MockTokenCredentialRequestAuthenticatorMockRecorder) AuthenticateTokenCredentialRequest(arg0, arg1 interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateTokenCredentialRequest", reflect.TypeOf((*MockTokenCredentialRequestAuthenticator)(nil).AuthenticateTokenCredentialRequest), arg0, arg1)
|
||||||
|
}
|
6
internal/mocks/credentialrequestmocks/generate.go
Normal file
6
internal/mocks/credentialrequestmocks/generate.go
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||||
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
package credentialrequestmocks
|
||||||
|
|
||||||
|
//go:generate go run -v github.com/golang/mock/mockgen -destination=credentialrequestmocks.go -package=credentialrequestmocks -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/registry/credentialrequest CertIssuer,TokenCredentialRequestAuthenticator
|
@ -1,6 +0,0 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
package mockcertissuer
|
|
||||||
|
|
||||||
//go:generate go run -v github.com/golang/mock/mockgen -destination=mockcertissuer.go -package=mockcertissuer -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/registry/credentialrequest CertIssuer
|
|
@ -1,56 +0,0 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
|
||||||
//
|
|
||||||
|
|
||||||
// Code generated by MockGen. DO NOT EDIT.
|
|
||||||
// Source: go.pinniped.dev/internal/registry/credentialrequest (interfaces: CertIssuer)
|
|
||||||
|
|
||||||
// Package mockcertissuer is a generated GoMock package.
|
|
||||||
package mockcertissuer
|
|
||||||
|
|
||||||
import (
|
|
||||||
pkix "crypto/x509/pkix"
|
|
||||||
reflect "reflect"
|
|
||||||
time "time"
|
|
||||||
|
|
||||||
gomock "github.com/golang/mock/gomock"
|
|
||||||
)
|
|
||||||
|
|
||||||
// MockCertIssuer is a mock of CertIssuer interface
|
|
||||||
type MockCertIssuer struct {
|
|
||||||
ctrl *gomock.Controller
|
|
||||||
recorder *MockCertIssuerMockRecorder
|
|
||||||
}
|
|
||||||
|
|
||||||
// MockCertIssuerMockRecorder is the mock recorder for MockCertIssuer
|
|
||||||
type MockCertIssuerMockRecorder struct {
|
|
||||||
mock *MockCertIssuer
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewMockCertIssuer creates a new mock instance
|
|
||||||
func NewMockCertIssuer(ctrl *gomock.Controller) *MockCertIssuer {
|
|
||||||
mock := &MockCertIssuer{ctrl: ctrl}
|
|
||||||
mock.recorder = &MockCertIssuerMockRecorder{mock}
|
|
||||||
return mock
|
|
||||||
}
|
|
||||||
|
|
||||||
// EXPECT returns an object that allows the caller to indicate expected use
|
|
||||||
func (m *MockCertIssuer) EXPECT() *MockCertIssuerMockRecorder {
|
|
||||||
return m.recorder
|
|
||||||
}
|
|
||||||
|
|
||||||
// IssuePEM mocks base method
|
|
||||||
func (m *MockCertIssuer) IssuePEM(arg0 pkix.Name, arg1 []string, arg2 time.Duration) ([]byte, []byte, error) {
|
|
||||||
m.ctrl.T.Helper()
|
|
||||||
ret := m.ctrl.Call(m, "IssuePEM", arg0, arg1, arg2)
|
|
||||||
ret0, _ := ret[0].([]byte)
|
|
||||||
ret1, _ := ret[1].([]byte)
|
|
||||||
ret2, _ := ret[2].(error)
|
|
||||||
return ret0, ret1, ret2
|
|
||||||
}
|
|
||||||
|
|
||||||
// IssuePEM indicates an expected call of IssuePEM
|
|
||||||
func (mr *MockCertIssuerMockRecorder) IssuePEM(arg0, arg1, arg2 interface{}) *gomock.Call {
|
|
||||||
mr.mock.ctrl.T.Helper()
|
|
||||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssuePEM", reflect.TypeOf((*MockCertIssuer)(nil).IssuePEM), arg0, arg1, arg2)
|
|
||||||
}
|
|
@ -14,7 +14,7 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/apiserver/pkg/registry/rest"
|
"k8s.io/apiserver/pkg/registry/rest"
|
||||||
"k8s.io/utils/trace"
|
"k8s.io/utils/trace"
|
||||||
|
|
||||||
@ -35,16 +35,20 @@ type CertIssuer interface {
|
|||||||
IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
|
IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewREST(tokenAuthenticator authenticator.Token, issuer CertIssuer) *REST {
|
type TokenCredentialRequestAuthenticator interface {
|
||||||
|
AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewREST(authenticator TokenCredentialRequestAuthenticator, issuer CertIssuer) *REST {
|
||||||
return &REST{
|
return &REST{
|
||||||
tokenAuthenticator: tokenAuthenticator,
|
authenticator: authenticator,
|
||||||
issuer: issuer,
|
issuer: issuer,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
type REST struct {
|
type REST struct {
|
||||||
tokenAuthenticator authenticator.Token
|
authenticator TokenCredentialRequestAuthenticator
|
||||||
issuer CertIssuer
|
issuer CertIssuer
|
||||||
}
|
}
|
||||||
|
|
||||||
func (*REST) New() runtime.Object {
|
func (*REST) New() runtime.Object {
|
||||||
@ -67,35 +71,20 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// The incoming context could have an audience. Since we do not want to handle audiences right now, do not pass it
|
user, err := r.authenticator.AuthenticateTokenCredentialRequest(ctx, credentialRequest)
|
||||||
// through directly to the authentication webhook. Instead only propagate cancellation of the parent context.
|
|
||||||
cancelCtx, cancel := context.WithCancel(context.Background())
|
|
||||||
defer cancel()
|
|
||||||
go func() {
|
|
||||||
select {
|
|
||||||
case <-ctx.Done():
|
|
||||||
cancel()
|
|
||||||
case <-cancelCtx.Done():
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
authResponse, authenticated, err := r.tokenAuthenticator.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
traceFailureWithError(t, "webhook authentication", err)
|
traceFailureWithError(t, "webhook authentication", err)
|
||||||
return failureResponse(), nil
|
return failureResponse(), nil
|
||||||
}
|
}
|
||||||
if !authenticated || authResponse == nil || authResponse.User == nil || authResponse.User.GetName() == "" {
|
if user == nil || user.GetName() == "" {
|
||||||
traceSuccess(t, authResponse, authenticated, false)
|
traceSuccess(t, user, false)
|
||||||
return failureResponse(), nil
|
return failureResponse(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
username := authResponse.User.GetName()
|
|
||||||
groups := authResponse.User.GetGroups()
|
|
||||||
|
|
||||||
certPEM, keyPEM, err := r.issuer.IssuePEM(
|
certPEM, keyPEM, err := r.issuer.IssuePEM(
|
||||||
pkix.Name{
|
pkix.Name{
|
||||||
CommonName: username,
|
CommonName: user.GetName(),
|
||||||
Organization: groups,
|
Organization: user.GetGroups(),
|
||||||
},
|
},
|
||||||
[]string{},
|
[]string{},
|
||||||
clientCertificateTTL,
|
clientCertificateTTL,
|
||||||
@ -105,7 +94,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
return failureResponse(), nil
|
return failureResponse(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
traceSuccess(t, authResponse, authenticated, true)
|
traceSuccess(t, user, true)
|
||||||
|
|
||||||
return &loginapi.TokenCredentialRequest{
|
return &loginapi.TokenCredentialRequest{
|
||||||
Status: loginapi.TokenCredentialRequestStatus{
|
Status: loginapi.TokenCredentialRequestStatus{
|
||||||
@ -121,8 +110,8 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
func validateRequest(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions, t *trace.Trace) (*loginapi.TokenCredentialRequest, error) {
|
func validateRequest(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions, t *trace.Trace) (*loginapi.TokenCredentialRequest, error) {
|
||||||
credentialRequest, ok := obj.(*loginapi.TokenCredentialRequest)
|
credentialRequest, ok := obj.(*loginapi.TokenCredentialRequest)
|
||||||
if !ok {
|
if !ok {
|
||||||
traceValidationFailure(t, "not a CredentialRequest")
|
traceValidationFailure(t, "not a TokenCredentialRequest")
|
||||||
return nil, apierrors.NewBadRequest(fmt.Sprintf("not a CredentialRequest: %#v", obj))
|
return nil, apierrors.NewBadRequest(fmt.Sprintf("not a TokenCredentialRequest: %#v", obj))
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(credentialRequest.Spec.Token) == 0 {
|
if len(credentialRequest.Spec.Token) == 0 {
|
||||||
@ -157,15 +146,14 @@ func validateRequest(ctx context.Context, obj runtime.Object, createValidation r
|
|||||||
return credentialRequest, nil
|
return credentialRequest, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func traceSuccess(t *trace.Trace, response *authenticator.Response, webhookAuthenticated bool, pinnipedAuthenticated bool) {
|
func traceSuccess(t *trace.Trace, userInfo user.Info, authenticated bool) {
|
||||||
userID := "<none>"
|
userID := "<none>"
|
||||||
if response != nil && response.User != nil {
|
if userInfo != nil {
|
||||||
userID = response.User.GetUID()
|
userID = userInfo.GetUID()
|
||||||
}
|
}
|
||||||
t.Step("success",
|
t.Step("success",
|
||||||
trace.Field{Key: "userID", Value: userID},
|
trace.Field{Key: "userID", Value: userID},
|
||||||
trace.Field{Key: "idpAuthenticated", Value: webhookAuthenticated},
|
trace.Field{Key: "authenticated", Value: authenticated},
|
||||||
trace.Field{Key: "pinnipedAuthenticated", Value: pinnipedAuthenticated},
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,45 +17,21 @@ import (
|
|||||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||||
"k8s.io/apiserver/pkg/registry/rest"
|
"k8s.io/apiserver/pkg/registry/rest"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
|
|
||||||
loginapi "go.pinniped.dev/generated/1.19/apis/login"
|
loginapi "go.pinniped.dev/generated/1.19/apis/login"
|
||||||
"go.pinniped.dev/internal/mocks/mockcertissuer"
|
"go.pinniped.dev/internal/mocks/credentialrequestmocks"
|
||||||
"go.pinniped.dev/internal/testutil"
|
"go.pinniped.dev/internal/testutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
type contextKey struct{}
|
func TestNew(t *testing.T) {
|
||||||
|
r := NewREST(nil, nil)
|
||||||
type FakeToken struct {
|
require.NotNil(t, r)
|
||||||
calledWithToken string
|
require.True(t, r.NamespaceScoped())
|
||||||
calledWithContext context.Context
|
require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New())
|
||||||
timeout time.Duration
|
|
||||||
reachedTimeout bool
|
|
||||||
cancelled bool
|
|
||||||
webhookStartedRunningNotificationChan chan bool
|
|
||||||
returnResponse *authenticator.Response
|
|
||||||
returnUnauthenticated bool
|
|
||||||
returnErr error
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f *FakeToken) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
|
|
||||||
f.calledWithToken = token
|
|
||||||
f.calledWithContext = ctx
|
|
||||||
if f.webhookStartedRunningNotificationChan != nil {
|
|
||||||
f.webhookStartedRunningNotificationChan <- true
|
|
||||||
}
|
|
||||||
afterCh := time.After(f.timeout)
|
|
||||||
select {
|
|
||||||
case <-afterCh:
|
|
||||||
f.reachedTimeout = true
|
|
||||||
case <-ctx.Done():
|
|
||||||
f.cancelled = true
|
|
||||||
}
|
|
||||||
return f.returnResponse, !f.returnUnauthenticated, f.returnErr
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestCreate(t *testing.T) {
|
func TestCreate(t *testing.T) {
|
||||||
@ -77,18 +53,17 @@ func TestCreate(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
it("CreateSucceedsWhenGivenATokenAndTheWebhookAuthenticatesTheToken", func() {
|
it("CreateSucceedsWhenGivenATokenAndTheWebhookAuthenticatesTheToken", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: &authenticator.Response{
|
|
||||||
User: &user.DefaultInfo{
|
|
||||||
Name: "test-user",
|
|
||||||
UID: "test-user-uid",
|
|
||||||
Groups: []string{"test-group-1", "test-group-2"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
returnUnauthenticated: false,
|
|
||||||
}
|
|
||||||
|
|
||||||
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
|
||||||
|
Return(&user.DefaultInfo{
|
||||||
|
Name: "test-user",
|
||||||
|
UID: "test-user-uid",
|
||||||
|
Groups: []string{"test-group-1", "test-group-2"},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
|
issuer := credentialrequestmocks.NewMockCertIssuer(ctrl)
|
||||||
issuer.EXPECT().IssuePEM(
|
issuer.EXPECT().IssuePEM(
|
||||||
pkix.Name{
|
pkix.Name{
|
||||||
CommonName: "test-user",
|
CommonName: "test-user",
|
||||||
@ -97,10 +72,9 @@ func TestCreate(t *testing.T) {
|
|||||||
1*time.Hour,
|
1*time.Hour,
|
||||||
).Return([]byte("test-cert"), []byte("test-key"), nil)
|
).Return([]byte("test-cert"), []byte("test-key"), nil)
|
||||||
|
|
||||||
storage := NewREST(&webhook, issuer)
|
storage := NewREST(requestAuthenticator, issuer)
|
||||||
requestToken := "a token"
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequestWithToken(requestToken))
|
response, err := callCreate(context.Background(), storage, req)
|
||||||
|
|
||||||
r.NoError(err)
|
r.NoError(err)
|
||||||
r.IsType(&loginapi.TokenCredentialRequest{}, response)
|
r.IsType(&loginapi.TokenCredentialRequest{}, response)
|
||||||
@ -119,203 +93,89 @@ func TestCreate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
r.Equal(requestToken, webhook.calledWithToken)
|
requireOneLogStatement(r, logger, `"success" userID:test-user-uid,authenticated:true`)
|
||||||
requireOneLogStatement(r, logger, `"success" userID:test-user-uid,idpAuthenticated:true`)
|
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateSucceedsWhenGivenANewLoginAPITokenAndTheWebhookAuthenticatesTheToken", func() {
|
|
||||||
webhook := FakeToken{
|
|
||||||
returnResponse: &authenticator.Response{
|
|
||||||
User: &user.DefaultInfo{
|
|
||||||
Name: "test-user",
|
|
||||||
UID: "test-user-uid",
|
|
||||||
Groups: []string{"test-group-1", "test-group-2"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
returnUnauthenticated: false,
|
|
||||||
}
|
|
||||||
|
|
||||||
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
|
||||||
issuer.EXPECT().IssuePEM(
|
|
||||||
pkix.Name{
|
|
||||||
CommonName: "test-user",
|
|
||||||
Organization: []string{"test-group-1", "test-group-2"}},
|
|
||||||
[]string{},
|
|
||||||
1*time.Hour,
|
|
||||||
).Return([]byte("test-cert"), []byte("test-key"), nil)
|
|
||||||
|
|
||||||
storage := NewREST(&webhook, issuer)
|
|
||||||
requestToken := "a token"
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, &loginapi.TokenCredentialRequest{
|
|
||||||
TypeMeta: metav1.TypeMeta{},
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: "request name",
|
|
||||||
},
|
|
||||||
Spec: loginapi.TokenCredentialRequestSpec{
|
|
||||||
Token: requestToken,
|
|
||||||
},
|
|
||||||
})
|
|
||||||
|
|
||||||
r.NoError(err)
|
|
||||||
r.IsType(&loginapi.TokenCredentialRequest{}, response)
|
|
||||||
|
|
||||||
expires := response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp
|
|
||||||
r.NotNil(expires)
|
|
||||||
r.InDelta(time.Now().Add(1*time.Hour).Unix(), expires.Unix(), 5)
|
|
||||||
response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp = metav1.Time{}
|
|
||||||
|
|
||||||
r.Equal(response, &loginapi.TokenCredentialRequest{
|
|
||||||
Status: loginapi.TokenCredentialRequestStatus{
|
|
||||||
Credential: &loginapi.ClusterCredential{
|
|
||||||
ExpirationTimestamp: metav1.Time{},
|
|
||||||
ClientCertificateData: "test-cert",
|
|
||||||
ClientKeyData: "test-key",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
})
|
|
||||||
r.Equal(requestToken, webhook.calledWithToken)
|
|
||||||
requireOneLogStatement(r, logger, `"success" userID:test-user-uid,idpAuthenticated:true`)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateFailsWithValidTokenWhenCertIssuerFails", func() {
|
it("CreateFailsWithValidTokenWhenCertIssuerFails", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: &authenticator.Response{
|
|
||||||
User: &user.DefaultInfo{
|
|
||||||
Name: "test-user",
|
|
||||||
Groups: []string{"test-group-1", "test-group-2"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
returnUnauthenticated: false,
|
|
||||||
}
|
|
||||||
|
|
||||||
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
|
||||||
|
Return(&user.DefaultInfo{
|
||||||
|
Name: "test-user",
|
||||||
|
Groups: []string{"test-group-1", "test-group-2"},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
|
issuer := credentialrequestmocks.NewMockCertIssuer(ctrl)
|
||||||
issuer.EXPECT().
|
issuer.EXPECT().
|
||||||
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
||||||
Return(nil, nil, fmt.Errorf("some certificate authority error"))
|
Return(nil, nil, fmt.Errorf("some certificate authority error"))
|
||||||
|
|
||||||
storage := NewREST(&webhook, issuer)
|
storage := NewREST(requestAuthenticator, issuer)
|
||||||
requestToken := "a token"
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequestWithToken(requestToken))
|
response, err := callCreate(context.Background(), storage, req)
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
||||||
r.Equal(requestToken, webhook.calledWithToken)
|
|
||||||
requireOneLogStatement(r, logger, `"failure" failureType:cert issuer,msg:some certificate authority error`)
|
requireOneLogStatement(r, logger, `"failure" failureType:cert issuer,msg:some certificate authority error`)
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenGivenATokenAndTheWebhookReturnsUnauthenticatedWithUserId", func() {
|
it("CreateSucceedsWithAnUnauthenticatedStatusWhenGivenATokenAndTheWebhookReturnsNilUser", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: &authenticator.Response{
|
|
||||||
User: &user.DefaultInfo{UID: "test-user-uid"},
|
|
||||||
},
|
|
||||||
returnUnauthenticated: true,
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
requestToken := "a token"
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequestWithToken(requestToken))
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).Return(nil, nil)
|
||||||
|
|
||||||
|
storage := NewREST(requestAuthenticator, nil)
|
||||||
|
|
||||||
|
response, err := callCreate(context.Background(), storage, req)
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
||||||
r.Equal(requestToken, webhook.calledWithToken)
|
requireOneLogStatement(r, logger, `"success" userID:<none>,authenticated:false`)
|
||||||
requireOneLogStatement(r, logger, `"success" userID:test-user-uid,idpAuthenticated:false,pinnipedAuthenticated:false`)
|
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenGivenATokenAndTheWebhookReturnsUnauthenticatedWithNilUser", func() {
|
|
||||||
webhook := FakeToken{
|
|
||||||
returnResponse: &authenticator.Response{User: nil},
|
|
||||||
returnUnauthenticated: true,
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
requestToken := "a token"
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequestWithToken(requestToken))
|
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
||||||
r.Equal(requestToken, webhook.calledWithToken)
|
|
||||||
requireOneLogStatement(r, logger, `"success" userID:<none>,idpAuthenticated:false,pinnipedAuthenticated:false`)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookFails", func() {
|
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookFails", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnErr: errors.New("some webhook error"),
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequest())
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
|
||||||
|
Return(nil, errors.New("some webhook error"))
|
||||||
|
|
||||||
|
storage := NewREST(requestAuthenticator, nil)
|
||||||
|
|
||||||
|
response, err := callCreate(context.Background(), storage, req)
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
||||||
requireOneLogStatement(r, logger, `"failure" failureType:webhook authentication,msg:some webhook error`)
|
requireOneLogStatement(r, logger, `"failure" failureType:webhook authentication,msg:some webhook error`)
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookReturnsNilResponseWithAuthenticatedFalse", func() {
|
|
||||||
webhook := FakeToken{
|
|
||||||
returnResponse: nil,
|
|
||||||
returnUnauthenticated: false,
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequest())
|
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
||||||
requireOneLogStatement(r, logger, `"success" userID:<none>,idpAuthenticated:true,pinnipedAuthenticated:false`)
|
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookDoesNotReturnAnyUserInfo", func() {
|
|
||||||
webhook := FakeToken{
|
|
||||||
returnResponse: &authenticator.Response{},
|
|
||||||
returnUnauthenticated: false,
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequest())
|
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
||||||
requireOneLogStatement(r, logger, `"success" userID:<none>,idpAuthenticated:true,pinnipedAuthenticated:false`)
|
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookReturnsAnEmptyUsername", func() {
|
it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookReturnsAnEmptyUsername", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: &authenticator.Response{
|
|
||||||
User: &user.DefaultInfo{
|
|
||||||
Name: "",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, nil)
|
|
||||||
|
|
||||||
response, err := callCreate(context.Background(), storage, validCredentialRequest())
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
|
||||||
|
Return(&user.DefaultInfo{Name: ""}, nil)
|
||||||
|
|
||||||
|
storage := NewREST(requestAuthenticator, nil)
|
||||||
|
|
||||||
|
response, err := callCreate(context.Background(), storage, req)
|
||||||
|
|
||||||
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
||||||
requireOneLogStatement(r, logger, `"success" userID:,idpAuthenticated:true,pinnipedAuthenticated:false`)
|
requireOneLogStatement(r, logger, `"success" userID:,authenticated:false`)
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateDoesNotPassAdditionalContextInfoToTheWebhook", func() {
|
|
||||||
webhook := FakeToken{
|
|
||||||
returnResponse: webhookSuccessResponse(),
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
||||||
ctx := context.WithValue(context.Background(), contextKey{}, "context-value")
|
|
||||||
|
|
||||||
_, err := callCreate(ctx, storage, validCredentialRequest())
|
|
||||||
|
|
||||||
r.NoError(err)
|
|
||||||
r.Nil(webhook.calledWithContext.Value("context-key"))
|
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateFailsWhenGivenTheWrongInputType", func() {
|
it("CreateFailsWhenGivenTheWrongInputType", func() {
|
||||||
notACredentialRequest := runtime.Unknown{}
|
notACredentialRequest := runtime.Unknown{}
|
||||||
response, err := NewREST(&FakeToken{}, nil).Create(
|
response, err := NewREST(nil, nil).Create(
|
||||||
genericapirequest.NewContext(),
|
genericapirequest.NewContext(),
|
||||||
¬ACredentialRequest,
|
¬ACredentialRequest,
|
||||||
rest.ValidateAllObjectFunc,
|
rest.ValidateAllObjectFunc,
|
||||||
&metav1.CreateOptions{})
|
&metav1.CreateOptions{})
|
||||||
|
|
||||||
requireAPIError(t, response, err, apierrors.IsBadRequest, "not a CredentialRequest")
|
requireAPIError(t, response, err, apierrors.IsBadRequest, "not a TokenCredentialRequest")
|
||||||
requireOneLogStatement(r, logger, `"failure" failureType:request validation,msg:not a CredentialRequest`)
|
requireOneLogStatement(r, logger, `"failure" failureType:request validation,msg:not a TokenCredentialRequest`)
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateFailsWhenTokenValueIsEmptyInRequest", func() {
|
it("CreateFailsWhenTokenValueIsEmptyInRequest", func() {
|
||||||
storage := NewREST(&FakeToken{}, nil)
|
storage := NewREST(nil, nil)
|
||||||
response, err := callCreate(context.Background(), storage, credentialRequest(loginapi.TokenCredentialRequestSpec{
|
response, err := callCreate(context.Background(), storage, credentialRequest(loginapi.TokenCredentialRequestSpec{
|
||||||
Token: "",
|
Token: "",
|
||||||
}))
|
}))
|
||||||
@ -326,7 +186,7 @@ func TestCreate(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
it("CreateFailsWhenValidationFails", func() {
|
it("CreateFailsWhenValidationFails", func() {
|
||||||
storage := NewREST(&FakeToken{}, nil)
|
storage := NewREST(nil, nil)
|
||||||
response, err := storage.Create(
|
response, err := storage.Create(
|
||||||
context.Background(),
|
context.Background(),
|
||||||
validCredentialRequest(),
|
validCredentialRequest(),
|
||||||
@ -340,14 +200,16 @@ func TestCreate(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
it("CreateDoesNotAllowValidationFunctionToMutateRequest", func() {
|
it("CreateDoesNotAllowValidationFunctionToMutateRequest", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: webhookSuccessResponse(),
|
|
||||||
}
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req.DeepCopy()).
|
||||||
requestToken := "a token"
|
Return(&user.DefaultInfo{Name: "test-user"}, nil)
|
||||||
|
|
||||||
|
storage := NewREST(requestAuthenticator, successfulIssuer(ctrl))
|
||||||
response, err := storage.Create(
|
response, err := storage.Create(
|
||||||
context.Background(),
|
context.Background(),
|
||||||
validCredentialRequestWithToken(requestToken),
|
req,
|
||||||
func(ctx context.Context, obj runtime.Object) error {
|
func(ctx context.Context, obj runtime.Object) error {
|
||||||
credentialRequest, _ := obj.(*loginapi.TokenCredentialRequest)
|
credentialRequest, _ := obj.(*loginapi.TokenCredentialRequest)
|
||||||
credentialRequest.Spec.Token = "foobaz"
|
credentialRequest.Spec.Token = "foobaz"
|
||||||
@ -356,20 +218,21 @@ func TestCreate(t *testing.T) {
|
|||||||
&metav1.CreateOptions{})
|
&metav1.CreateOptions{})
|
||||||
r.NoError(err)
|
r.NoError(err)
|
||||||
r.NotEmpty(response)
|
r.NotEmpty(response)
|
||||||
r.Equal(requestToken, webhook.calledWithToken) // i.e. not called with foobaz
|
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateDoesNotAllowValidationFunctionToSeeTheActualRequestToken", func() {
|
it("CreateDoesNotAllowValidationFunctionToSeeTheActualRequestToken", func() {
|
||||||
webhook := FakeToken{
|
req := validCredentialRequest()
|
||||||
returnResponse: webhookSuccessResponse(),
|
|
||||||
}
|
|
||||||
|
|
||||||
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
requestAuthenticator := credentialrequestmocks.NewMockTokenCredentialRequestAuthenticator(ctrl)
|
||||||
|
requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req.DeepCopy()).
|
||||||
|
Return(&user.DefaultInfo{Name: "test-user"}, nil)
|
||||||
|
|
||||||
|
storage := NewREST(requestAuthenticator, successfulIssuer(ctrl))
|
||||||
validationFunctionWasCalled := false
|
validationFunctionWasCalled := false
|
||||||
var validationFunctionSawTokenValue string
|
var validationFunctionSawTokenValue string
|
||||||
response, err := storage.Create(
|
response, err := storage.Create(
|
||||||
context.Background(),
|
context.Background(),
|
||||||
validCredentialRequest(),
|
req,
|
||||||
func(ctx context.Context, obj runtime.Object) error {
|
func(ctx context.Context, obj runtime.Object) error {
|
||||||
credentialRequest, _ := obj.(*loginapi.TokenCredentialRequest)
|
credentialRequest, _ := obj.(*loginapi.TokenCredentialRequest)
|
||||||
validationFunctionWasCalled = true
|
validationFunctionWasCalled = true
|
||||||
@ -384,7 +247,7 @@ func TestCreate(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
it("CreateFailsWhenRequestOptionsDryRunIsNotEmpty", func() {
|
it("CreateFailsWhenRequestOptionsDryRunIsNotEmpty", func() {
|
||||||
response, err := NewREST(&FakeToken{}, nil).Create(
|
response, err := NewREST(nil, nil).Create(
|
||||||
genericapirequest.NewContext(),
|
genericapirequest.NewContext(),
|
||||||
validCredentialRequest(),
|
validCredentialRequest(),
|
||||||
rest.ValidateAllObjectFunc,
|
rest.ValidateAllObjectFunc,
|
||||||
@ -396,60 +259,6 @@ func TestCreate(t *testing.T) {
|
|||||||
`.pinniped.dev "request name" is invalid: dryRun: Unsupported value: []string{"some dry run flag"}`)
|
`.pinniped.dev "request name" is invalid: dryRun: Unsupported value: []string{"some dry run flag"}`)
|
||||||
requireOneLogStatement(r, logger, `"failure" failureType:request validation,msg:dryRun not supported`)
|
requireOneLogStatement(r, logger, `"failure" failureType:request validation,msg:dryRun not supported`)
|
||||||
})
|
})
|
||||||
|
|
||||||
it("CreateCancelsTheWebhookInvocationWhenTheCallToCreateIsCancelledItself", func() {
|
|
||||||
webhookStartedRunningNotificationChan := make(chan bool)
|
|
||||||
webhook := FakeToken{
|
|
||||||
timeout: time.Second * 2,
|
|
||||||
webhookStartedRunningNotificationChan: webhookStartedRunningNotificationChan,
|
|
||||||
returnResponse: webhookSuccessResponse(),
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
||||||
ctx, cancel := context.WithCancel(context.Background())
|
|
||||||
|
|
||||||
c := make(chan bool)
|
|
||||||
go func() {
|
|
||||||
_, err := callCreate(ctx, storage, validCredentialRequest())
|
|
||||||
c <- true
|
|
||||||
r.NoError(err)
|
|
||||||
}()
|
|
||||||
|
|
||||||
r.False(webhook.cancelled)
|
|
||||||
r.False(webhook.reachedTimeout)
|
|
||||||
<-webhookStartedRunningNotificationChan // wait long enough to make sure that the webhook has started
|
|
||||||
cancel() // cancel the context that was passed to storage.Create() above
|
|
||||||
<-c // wait for the above call to storage.Create() to be finished
|
|
||||||
r.True(webhook.cancelled)
|
|
||||||
r.False(webhook.reachedTimeout)
|
|
||||||
r.Equal(context.Canceled, webhook.calledWithContext.Err()) // the inner context is cancelled
|
|
||||||
})
|
|
||||||
|
|
||||||
it("CreateAllowsTheWebhookInvocationToFinishWhenTheCallToCreateIsNotCancelledItself", func() {
|
|
||||||
webhookStartedRunningNotificationChan := make(chan bool)
|
|
||||||
webhook := FakeToken{
|
|
||||||
timeout: 0,
|
|
||||||
webhookStartedRunningNotificationChan: webhookStartedRunningNotificationChan,
|
|
||||||
returnResponse: webhookSuccessResponse(),
|
|
||||||
}
|
|
||||||
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
||||||
ctx, cancel := context.WithCancel(context.Background())
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
c := make(chan bool)
|
|
||||||
go func() {
|
|
||||||
_, err := callCreate(ctx, storage, validCredentialRequest())
|
|
||||||
c <- true
|
|
||||||
r.NoError(err)
|
|
||||||
}()
|
|
||||||
|
|
||||||
r.False(webhook.cancelled)
|
|
||||||
r.False(webhook.reachedTimeout)
|
|
||||||
<-webhookStartedRunningNotificationChan // wait long enough to make sure that the webhook has started
|
|
||||||
<-c // wait for the above call to storage.Create() to be finished
|
|
||||||
r.False(webhook.cancelled)
|
|
||||||
r.True(webhook.reachedTimeout)
|
|
||||||
r.Equal(context.Canceled, webhook.calledWithContext.Err()) // the inner context is cancelled (in this case by the "defer")
|
|
||||||
})
|
|
||||||
}, spec.Sequential())
|
}, spec.Sequential())
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -488,15 +297,6 @@ func credentialRequest(spec loginapi.TokenCredentialRequestSpec) *loginapi.Token
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func webhookSuccessResponse() *authenticator.Response {
|
|
||||||
return &authenticator.Response{User: &user.DefaultInfo{
|
|
||||||
Name: "some-user",
|
|
||||||
UID: "",
|
|
||||||
Groups: []string{},
|
|
||||||
Extra: nil,
|
|
||||||
}}
|
|
||||||
}
|
|
||||||
|
|
||||||
func requireAPIError(t *testing.T, response runtime.Object, err error, expectedErrorTypeChecker func(err error) bool, expectedErrorMessage string) {
|
func requireAPIError(t *testing.T, response runtime.Object, err error, expectedErrorTypeChecker func(err error) bool, expectedErrorMessage string) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
require.Nil(t, response)
|
require.Nil(t, response)
|
||||||
@ -518,7 +318,7 @@ func requireSuccessfulResponseWithAuthenticationFailureMessage(t *testing.T, err
|
|||||||
}
|
}
|
||||||
|
|
||||||
func successfulIssuer(ctrl *gomock.Controller) CertIssuer {
|
func successfulIssuer(ctrl *gomock.Controller) CertIssuer {
|
||||||
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
issuer := credentialrequestmocks.NewMockCertIssuer(ctrl)
|
||||||
issuer.EXPECT().
|
issuer.EXPECT().
|
||||||
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
||||||
Return([]byte("test-cert"), []byte("test-key"), nil)
|
Return([]byte("test-cert"), []byte("test-key"), nil)
|
||||||
|
@ -12,7 +12,6 @@ import (
|
|||||||
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
||||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
@ -246,8 +245,8 @@ func getClusterCASigner(
|
|||||||
// Create a configuration for the aggregated API server.
|
// Create a configuration for the aggregated API server.
|
||||||
func getAggregatedAPIServerConfig(
|
func getAggregatedAPIServerConfig(
|
||||||
dynamicCertProvider provider.DynamicTLSServingCertProvider,
|
dynamicCertProvider provider.DynamicTLSServingCertProvider,
|
||||||
tokenAuthenticator authenticator.Token,
|
authenticator credentialrequest.TokenCredentialRequestAuthenticator,
|
||||||
ca credentialrequest.CertIssuer,
|
issuer credentialrequest.CertIssuer,
|
||||||
startControllersPostStartHook func(context.Context),
|
startControllersPostStartHook func(context.Context),
|
||||||
) (*apiserver.Config, error) {
|
) (*apiserver.Config, error) {
|
||||||
recommendedOptions := genericoptions.NewRecommendedOptions(
|
recommendedOptions := genericoptions.NewRecommendedOptions(
|
||||||
@ -275,8 +274,8 @@ func getAggregatedAPIServerConfig(
|
|||||||
apiServerConfig := &apiserver.Config{
|
apiServerConfig := &apiserver.Config{
|
||||||
GenericConfig: serverConfig,
|
GenericConfig: serverConfig,
|
||||||
ExtraConfig: apiserver.ExtraConfig{
|
ExtraConfig: apiserver.ExtraConfig{
|
||||||
TokenAuthenticator: tokenAuthenticator,
|
Authenticator: authenticator,
|
||||||
Issuer: ca,
|
Issuer: issuer,
|
||||||
StartControllersPostStartHook: startControllersPostStartHook,
|
StartControllersPostStartHook: startControllersPostStartHook,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -27,6 +27,12 @@ func TestCLI(t *testing.T) {
|
|||||||
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Create a test webhook configuration to use with the CLI.
|
||||||
|
ctx, cancelFunc := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
|
defer cancelFunc()
|
||||||
|
|
||||||
|
idp := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
// Remove all Pinniped environment variables for the remainder of this test
|
// Remove all Pinniped environment variables for the remainder of this test
|
||||||
// because some of their names clash with the env vars expected by our
|
// because some of their names clash with the env vars expected by our
|
||||||
// kubectl exec plugin. We would like this test to prove that the exec
|
// kubectl exec plugin. We would like this test to prove that the exec
|
||||||
@ -56,14 +62,11 @@ func TestCLI(t *testing.T) {
|
|||||||
defer cleanupFunc()
|
defer cleanupFunc()
|
||||||
|
|
||||||
// Run pinniped CLI to get kubeconfig.
|
// Run pinniped CLI to get kubeconfig.
|
||||||
kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName)
|
kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName, "webhook", idp.Name)
|
||||||
|
|
||||||
adminClient := library.NewClientset(t)
|
|
||||||
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3)
|
|
||||||
defer cancelFunc()
|
|
||||||
|
|
||||||
// In addition to the client-go based testing below, also try the kubeconfig
|
// In addition to the client-go based testing below, also try the kubeconfig
|
||||||
// with kubectl to validate that it works.
|
// with kubectl to validate that it works.
|
||||||
|
adminClient := library.NewClientset(t)
|
||||||
t.Run(
|
t.Run(
|
||||||
"access as user with kubectl",
|
"access as user with kubectl",
|
||||||
accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName),
|
accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName),
|
||||||
@ -108,7 +111,7 @@ func buildPinnipedCLI(t *testing.T) (string, func()) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string {
|
func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName, idpType, idpName string) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
output, err := exec.Command(
|
output, err := exec.Command(
|
||||||
@ -116,6 +119,8 @@ func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) stri
|
|||||||
"get-kubeconfig",
|
"get-kubeconfig",
|
||||||
"--token", token,
|
"--token", token,
|
||||||
"--pinniped-namespace", namespaceName,
|
"--pinniped-namespace", namespaceName,
|
||||||
|
"--idp-type", idpType,
|
||||||
|
"--idp-name", idpName,
|
||||||
).CombinedOutput()
|
).CombinedOutput()
|
||||||
require.NoError(t, err, string(output))
|
require.NoError(t, err, string(output))
|
||||||
|
|
||||||
|
@ -61,6 +61,8 @@ func TestClient(t *testing.T) {
|
|||||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
|
idp := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
|
// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
|
||||||
invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
|
invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
|
||||||
_, err := invalidClient.Discovery().ServerVersion()
|
_, err := invalidClient.Discovery().ServerVersion()
|
||||||
@ -68,7 +70,8 @@ func TestClient(t *testing.T) {
|
|||||||
|
|
||||||
// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
|
// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
|
||||||
clientConfig := library.NewClientConfig(t)
|
clientConfig := library.NewClientConfig(t)
|
||||||
resp, err := client.ExchangeToken(ctx, namespace, token, string(clientConfig.CAData), clientConfig.Host)
|
|
||||||
|
resp, err := client.ExchangeToken(ctx, namespace, idp, token, string(clientConfig.CAData), clientConfig.Host)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, resp.Status.ExpirationTimestamp)
|
require.NotNil(t, resp.Status.ExpirationTimestamp)
|
||||||
require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
||||||
|
@ -12,13 +12,32 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
"go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
|
loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
||||||
"go.pinniped.dev/test/library"
|
"go.pinniped.dev/test/library"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func TestUnsuccessfulCredentialRequest(t *testing.T) {
|
||||||
|
library.SkipUnlessIntegration(t)
|
||||||
|
|
||||||
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Name: "some-webhook-that-does-not-exist",
|
||||||
|
}))
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Nil(t, response.Status.Credential)
|
||||||
|
require.NotNil(t, response.Status.Message)
|
||||||
|
require.Equal(t, "authentication failed", *response.Status.Message)
|
||||||
|
}
|
||||||
|
|
||||||
func TestSuccessfulCredentialRequest(t *testing.T) {
|
func TestSuccessfulCredentialRequest(t *testing.T) {
|
||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
@ -26,8 +45,12 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
|
|||||||
expectedTestUserGroups := strings.Split(
|
expectedTestUserGroups := strings.Split(
|
||||||
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
||||||
)
|
)
|
||||||
|
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
|
testWebhook := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
|
response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
require.NotNil(t, response.Status.Credential)
|
require.NotNil(t, response.Status.Credential)
|
||||||
@ -41,9 +64,6 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
|
|||||||
require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
|
require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
|
||||||
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
// Create a client using the admin kubeconfig.
|
// Create a client using the admin kubeconfig.
|
||||||
adminClient := library.NewClientset(t)
|
adminClient := library.NewClientset(t)
|
||||||
|
|
||||||
@ -71,7 +91,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
|
response, err := makeRequest(context.Background(), t, loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
@ -84,7 +104,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
|
response, err := makeRequest(context.Background(), t, loginv1alpha1.TokenCredentialRequestSpec{Token: ""})
|
||||||
|
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
statusError, isStatus := err.(*errors.StatusError)
|
statusError, isStatus := err.(*errors.StatusError)
|
||||||
@ -104,7 +124,12 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
|
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
testWebhook := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
|
response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
@ -113,24 +138,27 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
|
|||||||
require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
|
require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeRequest(t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
|
func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCredentialRequestSpec) (*loginv1alpha1.TokenCredentialRequest, error) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
client := library.NewAnonymousPinnipedClientset(t)
|
client := library.NewAnonymousPinnipedClientset(t)
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
||||||
return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
|
||||||
TypeMeta: metav1.TypeMeta{},
|
TypeMeta: metav1.TypeMeta{},
|
||||||
ObjectMeta: metav1.ObjectMeta{},
|
ObjectMeta: metav1.ObjectMeta{Namespace: ns},
|
||||||
Spec: spec,
|
Spec: spec,
|
||||||
}, metav1.CreateOptions{})
|
}, metav1.CreateOptions{})
|
||||||
}
|
}
|
||||||
|
|
||||||
func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.TokenCredentialRequestSpec {
|
func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) loginv1alpha1.TokenCredentialRequestSpec {
|
||||||
return v1alpha1.TokenCredentialRequestSpec{Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")}
|
return loginv1alpha1.TokenCredentialRequestSpec{
|
||||||
|
Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN"),
|
||||||
|
IdentityProvider: idp,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func stringPtr(s string) *string {
|
func stringPtr(s string) *string {
|
||||||
|
@ -4,17 +4,22 @@
|
|||||||
package library
|
package library
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||||
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
||||||
|
|
||||||
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
||||||
|
|
||||||
// Import to initialize client auth plugins - the kubeconfig that we use for
|
// Import to initialize client auth plugins - the kubeconfig that we use for
|
||||||
@ -136,3 +141,46 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
|
|||||||
config.KeyData = []byte(clientKeyData)
|
config.KeyData = []byte(clientKeyData)
|
||||||
return config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_NAMESPACE, which will be
|
||||||
|
// automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
|
||||||
|
// descibes the test IDP within the test namespace.
|
||||||
|
func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
||||||
|
t.Helper()
|
||||||
|
|
||||||
|
namespace := GetEnv(t, "PINNIPED_NAMESPACE")
|
||||||
|
endpoint := GetEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
|
||||||
|
caBundle := GetEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")
|
||||||
|
client := NewPinnipedClientset(t)
|
||||||
|
webhooks := client.IDPV1alpha1().WebhookIdentityProviders(namespace)
|
||||||
|
|
||||||
|
createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
GenerateName: "test-webhook-",
|
||||||
|
Labels: map[string]string{"pinniped.dev/test": t.Name()},
|
||||||
|
},
|
||||||
|
Spec: idpv1alpha1.WebhookIdentityProviderSpec{
|
||||||
|
Endpoint: endpoint,
|
||||||
|
TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: caBundle},
|
||||||
|
},
|
||||||
|
}, metav1.CreateOptions{})
|
||||||
|
require.NoError(t, err, "could not create test WebhookIdentityProvider")
|
||||||
|
t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
|
||||||
|
t.Cleanup(func() {
|
||||||
|
t.Helper()
|
||||||
|
t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
|
||||||
|
require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
})
|
||||||
|
|
||||||
|
return corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Name: idp.Name,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user