github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-08-15 22:13:09 +00:00
Code Issues Projects Releases Wiki Activity

exec credential provider: don't run exec plugin with basic auth

Browse Source 
If a user specifies basic auth, then apply the same short circuit logic
that we do for bearer tokens (see comment).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

Kubernetes-commit: 9dee2b95c27a9d61c2bade8fe67f120b5853c4d6
This commit is contained in:
Andrew Keesler 2021-05-20 09:17:17 -04:00 committed by Kubernetes Publisher
parent d1fa200aef
commit 9edbd9bed3
2 changed files with 41 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
plugin/pkg/client/auth/exec/exec.go
View File

@ -263,8 +263,9 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
// setting up the transport, as that triggers the exec action if the server is // setting up the transport, as that triggers the exec action if the server is
// also configured to allow client certificates for authentication. For requests // also configured to allow client certificates for authentication. For requests
// like "kubectl get --token (token) pods" we should assume the intention is to // like "kubectl get --token (token) pods" we should assume the intention is to
// use the provided token for authentication. // use the provided token for authentication. The same can be said for when the
if c.HasTokenAuth() { // user specifies basic auth.
if c.HasTokenAuth() || c.HasBasicAuth() {
return nil return nil
} }

53
plugin/pkg/client/auth/exec/exec_test.go
View File

@ -922,24 +922,47 @@ func TestRoundTripper(t *testing.T) {
get(t, http.StatusOK) get(t, http.StatusOK)
} }
func TestTokenPresentCancelsExecAction(t *testing.T) { func TestAuthorizationHeaderPresentCancelsExecAction(t *testing.T) {
a, err := newAuthenticator(newCache(), &api.ExecConfig{ tests := []struct {
Command: "./testdata/test-plugin.sh", name string
APIVersion: "client.authentication.k8s.io/v1alpha1", setTransportConfig func(*transport.Config)
}, nil) }{
if err != nil { {
t.Fatal(err) name: "bearer token",
setTransportConfig: func(config *transport.Config) {
config.BearerToken = "token1f"
},
},
{
name: "basic auth",
setTransportConfig: func(config *transport.Config) {
config.Username = "marshmallow"
config.Password = "zelda"
},
},
} }
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
a, err := newAuthenticator(newCache(), &api.ExecConfig{
Command: "./testdata/test-plugin.sh",
APIVersion: "client.authentication.k8s.io/v1alpha1",
}, nil)
if err != nil {
t.Fatal(err)
}
// UpdateTransportConfig returns error on existing TLS certificate callback, unless a bearer token is present in the // UpdateTransportConfig returns error on existing TLS certificate callback, unless a bearer token is present in the
// transport config, in which case it takes precedence // transport config, in which case it takes precedence
cert := func() (*tls.Certificate, error) { cert := func() (*tls.Certificate, error) {
return nil, nil return nil, nil
} }
tc := &transport.Config{BearerToken: "token1", TLS: transport.TLSConfig{Insecure: true, GetCert: cert}} tc := &transport.Config{TLS: transport.TLSConfig{Insecure: true, GetCert: cert}}
test.setTransportConfig(tc)
if err := a.UpdateTransportConfig(tc); err != nil { if err := a.UpdateTransportConfig(tc); err != nil {
t.Error("Expected presence of bearer token in config to cancel exec action") t.Error("Expected presence of bearer token in config to cancel exec action")
}
})
} }
} }