exec credential provider: don't run exec plugin with basic auth

If a user specifies basic auth, then apply the same short circuit logic that we do for bearer tokens (see comment). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Kubernetes-commit: 9dee2b95c27a9d61c2bade8fe67f120b5853c4d6
2025-08-15 05:53:15 +00:00 · 2021-05-20 09:17:17 -04:00 · 2021-05-20 09:17:17 -04:00 · 9edbd9bed3
commit 9edbd9bed3
parent d1fa200aef
2 changed files with 41 additions and 17 deletions
--- a/plugin/pkg/client/auth/exec/exec.go
+++ b/plugin/pkg/client/auth/exec/exec.go
@ -263,8 +263,9 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 	// setting up the transport, as that triggers the exec action if the server is
 	// also configured to allow client certificates for authentication. For requests
 	// like "kubectl get --token (token) pods" we should assume the intention is to
-	// use the provided token for authentication.
-	if c.HasTokenAuth() {
+	// use the provided token for authentication. The same can be said for when the
+	// user specifies basic auth.
+	if c.HasTokenAuth() || c.HasBasicAuth() {
 		return nil
 	}

--- a/plugin/pkg/client/auth/exec/exec_test.go
+++ b/plugin/pkg/client/auth/exec/exec_test.go
@ -922,24 +922,47 @@ func TestRoundTripper(t *testing.T) {
 	get(t, http.StatusOK)
 }

-func TestTokenPresentCancelsExecAction(t *testing.T) {
-	a, err := newAuthenticator(newCache(), &api.ExecConfig{
-		Command:    "./testdata/test-plugin.sh",
-		APIVersion: "client.authentication.k8s.io/v1alpha1",
-	}, nil)
-	if err != nil {
-		t.Fatal(err)
+func TestAuthorizationHeaderPresentCancelsExecAction(t *testing.T) {
+	tests := []struct {
+		name               string
+		setTransportConfig func(*transport.Config)
+	}{
+		{
+			name: "bearer token",
+			setTransportConfig: func(config *transport.Config) {
+				config.BearerToken = "token1f"
+			},
+		},
+		{
+			name: "basic auth",
+			setTransportConfig: func(config *transport.Config) {
+				config.Username = "marshmallow"
+				config.Password = "zelda"
+			},
+		},
 	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			a, err := newAuthenticator(newCache(), &api.ExecConfig{
+				Command:    "./testdata/test-plugin.sh",
+				APIVersion: "client.authentication.k8s.io/v1alpha1",
+			}, nil)
+			if err != nil {
+				t.Fatal(err)
+			}

-	// UpdateTransportConfig returns error on existing TLS certificate callback, unless a bearer token is present in the
-	// transport config, in which case it takes precedence
-	cert := func() (*tls.Certificate, error) {
-		return nil, nil
-	}
-	tc := &transport.Config{BearerToken: "token1", TLS: transport.TLSConfig{Insecure: true, GetCert: cert}}
+			// UpdateTransportConfig returns error on existing TLS certificate callback, unless a bearer token is present in the
+			// transport config, in which case it takes precedence
+			cert := func() (*tls.Certificate, error) {
+				return nil, nil
+			}
+			tc := &transport.Config{TLS: transport.TLSConfig{Insecure: true, GetCert: cert}}
+			test.setTransportConfig(tc)

-	if err := a.UpdateTransportConfig(tc); err != nil {
-		t.Error("Expected presence of bearer token in config to cancel exec action")
+			if err := a.UpdateTransportConfig(tc); err != nil {
+				t.Error("Expected presence of bearer token in config to cancel exec action")
+			}
+		})
 	}
 }