Add cmd support to gcp auth provider plugin

2025-08-05 10:19:50 +00:00 · 2016-11-01 14:26:24 -07:00 · 2016-11-01 14:26:24 -07:00 · 283bb31ada
commit 283bb31ada
parent 33c1c93863
5 changed files with 274 additions and 11 deletions
--- a/plugin/pkg/client/auth/gcp/BUILD
+++ b/plugin/pkg/client/auth/gcp/BUILD
@ -16,9 +16,19 @@ go_library(
    tags = ["automanaged"],
    deps = [
        "//pkg/client/restclient:go_default_library",
        "//pkg/util/jsonpath:go_default_library",
        "//pkg/util/yaml:go_default_library",
        "//vendor:github.com/golang/glog",
        "//vendor:golang.org/x/net/context",
        "//vendor:golang.org/x/oauth2",
        "//vendor:golang.org/x/oauth2/google",
    ],
 )
 go_test(
    name = "go_default_test",
    srcs = ["gcp_test.go"],
    library = "go_default_library",
    tags = ["automanaged"],
    deps = ["//vendor:golang.org/x/oauth2"],
 )
--- a/plugin/pkg/client/auth/gcp/OWNERS
+++ b/plugin/pkg/client/auth/gcp/OWNERS
@ -0,0 +1,3 @@
 assignees:
  - cjcullen
  - jlowdermilk
--- a/plugin/pkg/client/auth/gcp/gcp.go
+++ b/plugin/pkg/client/auth/gcp/gcp.go
@ -17,7 +17,12 @@ limitations under the License.
 package gcp
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"os/exec"
 	"strings"
 	"time"
 	"github.com/golang/glog"
@ -25,6 +30,8 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/util/jsonpath"
 	"k8s.io/kubernetes/pkg/util/yaml"
 )
 func init() {
@ -39,11 +46,22 @@ type gcpAuthProvider struct {
 }
 func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	ts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister)
+	cmd, useCmd := gcpConfig["cmd-path"]
 	var ts oauth2.TokenSource
 	var err error
 	if useCmd {
 		ts, err = newCmdTokenSource(cmd, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
 	} else {
 		ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
 	}
 	if err != nil {
 		return nil, err
 	}
-	return &gcpAuthProvider{ts, persister}, nil
+	cts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister, ts, gcpConfig)
 	if err != nil {
 		return nil, err
 	}
 	return &gcpAuthProvider{cts, persister}, nil
 }
 func (g *gcpAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
@ -60,22 +78,23 @@ type cachedTokenSource struct {
 	accessToken string
 	expiry      time.Time
 	persister   restclient.AuthProviderConfigPersister
 	cache       map[string]string
 }
-func newCachedTokenSource(accessToken, expiry string, persister restclient.AuthProviderConfigPersister) (*cachedTokenSource, error) {
+func newCachedTokenSource(accessToken, expiry string, persister restclient.AuthProviderConfigPersister, ts oauth2.TokenSource, cache map[string]string) (*cachedTokenSource, error) {
 	var expiryTime time.Time
 	if parsedTime, err := time.Parse(time.RFC3339Nano, expiry); err == nil {
 		expiryTime = parsedTime
 	}
-	ts, err := google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+	if cache == nil {
-	if err != nil {
+		cache = make(map[string]string)
 		return nil, err
 	}
 	return &cachedTokenSource{
 		source:      ts,
 		accessToken: accessToken,
 		expiry:      expiryTime,
 		persister:   persister,
 		cache:       cache,
 	}, nil
 }
@ -93,13 +112,100 @@ func (t *cachedTokenSource) Token() (*oauth2.Token, error) {
 		return nil, err
 	}
 	if t.persister != nil {
-		cached := map[string]string{
+		t.cache["access-token"] = tok.AccessToken
-			"access-token": tok.AccessToken,
+		t.cache["expiry"] = tok.Expiry.Format(time.RFC3339Nano)
-			"expiry":       tok.Expiry.Format(time.RFC3339Nano),
+		if err := t.persister.Persist(t.cache); err != nil {
 		}
 		if err := t.persister.Persist(cached); err != nil {
 			glog.V(4).Infof("Failed to persist token: %v", err)
 		}
 	}
 	return tok, nil
 }
 type commandTokenSource struct {
 	cmd       string
 	args      []string
 	tokenKey  string
 	expiryKey string
 	timeFmt   string
 }
 func newCmdTokenSource(cmd, tokenKey, expiryKey, timeFmt string) (*commandTokenSource, error) {
 	if len(timeFmt) == 0 {
 		timeFmt = time.RFC3339Nano
 	}
 	if len(tokenKey) == 0 {
 		tokenKey = "{.access_token}"
 	}
 	if len(expiryKey) == 0 {
 		expiryKey = "{.token_expiry}"
 	}
 	fields := strings.Fields(cmd)
 	if len(fields) == 0 {
 		return nil, fmt.Errorf("missing access token cmd")
 	}
 	return &commandTokenSource{
 		cmd:       fields[0],
 		args:      fields[1:],
 		tokenKey:  tokenKey,
 		expiryKey: expiryKey,
 		timeFmt:   timeFmt,
 	}, nil
 }
 func (c *commandTokenSource) Token() (*oauth2.Token, error) {
 	fullCmd := fmt.Sprintf("%s %s", c.cmd, strings.Join(c.args, " "))
 	cmd := exec.Command(c.cmd, c.args...)
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("error executing access token command %q: %v", fullCmd, err)
 	}
 	token, err := c.parseTokenCmdOutput(output)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing output for access token command %q: %v", fullCmd, err)
 	}
 	return token, nil
 }
 func (c *commandTokenSource) parseTokenCmdOutput(output []byte) (*oauth2.Token, error) {
 	output, err := yaml.ToJSON(output)
 	if err != nil {
 		return nil, err
 	}
 	var data interface{}
 	if err := json.Unmarshal(output, &data); err != nil {
 		return nil, err
 	}
 	accessToken, err := parseJSONPath(data, "token-key", c.tokenKey)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing token-key %q: %v", c.tokenKey, err)
 	}
 	expiryStr, err := parseJSONPath(data, "expiry-key", c.expiryKey)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing expiry-key %q: %v", c.expiryKey, err)
 	}
 	var expiry time.Time
 	if t, err := time.Parse(c.timeFmt, expiryStr); err != nil {
 		glog.V(4).Infof("Failed to parse token expiry from %s (fmt=%s): %v", expiryStr, c.timeFmt, err)
 	} else {
 		expiry = t
 	}
 	return &oauth2.Token{
 		AccessToken: accessToken,
 		TokenType:   "Bearer",
 		Expiry:      expiry,
 	}, nil
 }
 func parseJSONPath(input interface{}, name, template string) (string, error) {
 	j := jsonpath.New(name)
 	buf := new(bytes.Buffer)
 	if err := j.Parse(template); err != nil {
 		return "", err
 	}
 	if err := j.Execute(buf, input); err != nil {
 		return "", err
 	}
 	return buf.String(), nil
 }
--- a/plugin/pkg/client/auth/gcp/gcp_test.go
+++ b/plugin/pkg/client/auth/gcp/gcp_test.go
@ -0,0 +1,143 @@
 /*
 Copyright 2016 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package gcp
 import (
 	"fmt"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 	"golang.org/x/oauth2"
 )
 func TestCmdTokenSource(t *testing.T) {
 	fakeExpiry := time.Date(2016, 10, 31, 22, 31, 9, 123000000, time.UTC)
 	customFmt := "2006-01-02 15:04:05.999999999"
 	tests := []struct {
 		name                              string
 		output                            []byte
 		cmd, tokenKey, expiryKey, timeFmt string
 		tok                               *oauth2.Token
 		expectErr                         error
 	}{
 		{
 			"defaults",
 			[]byte(`{
  "access_token": "faketoken",
  "token_expiry": "2016-10-31T22:31:09.123000000Z"
 }`),
 			"/fake/cmd/path", "", "", "",
 			&oauth2.Token{
 				AccessToken: "faketoken",
 				TokenType:   "Bearer",
 				Expiry:      fakeExpiry,
 			},
 			nil,
 		},
 		{
 			"custom keys",
 			[]byte(`{
  "token": "faketoken",
  "token_expiry": {
    "datetime": "2016-10-31 22:31:09.123"
  }
 }`),
 			"/fake/cmd/path", "{.token}", "{.token_expiry.datetime}", customFmt,
 			&oauth2.Token{
 				AccessToken: "faketoken",
 				TokenType:   "Bearer",
 				Expiry:      fakeExpiry,
 			},
 			nil,
 		},
 		{
 			"missing cmd",
 			nil,
 			"", "", "", "",
 			nil,
 			fmt.Errorf("missing access token cmd"),
 		},
 		{
 			"missing token-key",
 			[]byte(`{
  "broken": "faketoken",
  "token_expiry": {
    "datetime": "2016-10-31 22:31:09.123000000Z"
  }
 }`),
 			"/fake/cmd/path", "{.token}", "", "",
 			nil,
 			fmt.Errorf("error parsing token-key %q", "{.token}"),
 		},
 		{
 			"missing expiry-key",
 			[]byte(`{
  "access_token": "faketoken",
  "expires": "2016-10-31T22:31:09.123000000Z"
 }`),
 			"/fake/cmd/path", "", "{.expiry}", "",
 			nil,
 			fmt.Errorf("error parsing expiry-key %q", "{.expiry}"),
 		},
 		{
 			"invalid expiry timestamp",
 			[]byte(`{
  "access_token": "faketoken",
  "token_expiry": "sometime soon, idk"
 }`),
 			"/fake/cmd/path", "", "", "",
 			&oauth2.Token{
 				AccessToken: "faketoken",
 				TokenType:   "Bearer",
 				Expiry:      time.Time{},
 			},
 			nil,
 		},
 		{
 			"bad JSON",
 			[]byte(`{
  "access_token": "faketoken",
  "token_expiry": "sometime soon, idk"
  ------
 `),
 			"/fake/cmd", "", "", "",
 			nil,
 			fmt.Errorf("invalid character '-' after object key:value pair"),
 		},
 	}
 	for _, tc := range tests {
 		ts, err := newCmdTokenSource(tc.cmd, tc.tokenKey, tc.expiryKey, tc.timeFmt)
 		if err != nil {
 			if !strings.Contains(err.Error(), tc.expectErr.Error()) {
 				t.Errorf("%s newCmdTokenSource error: %v, want %v", tc.name, err, tc.expectErr)
 			}
 			continue
 		}
 		tok, err := ts.parseTokenCmdOutput(tc.output)
 		if err != tc.expectErr && !strings.Contains(err.Error(), tc.expectErr.Error()) {
 			t.Errorf("%s parseCmdTokenSource error: %v, want %v", tc.name, err, tc.expectErr)
 		}
 		if !reflect.DeepEqual(tok, tc.tok) {
 			t.Errorf("%s got token %v, want %v", tc.name, tok, tc.tok)
 		}
 	}
 }
--- a/test/test_owners.csv
+++ b/test/test_owners.csv
@ -859,6 +859,7 @@ k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/webhook,ghodss,1
 k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac,hurf,1
 k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy,mml,1
 k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook,hurf,1
 k8s.io/kubernetes/plugin/pkg/client/auth/gcp,jlowdermilk,0
 k8s.io/kubernetes/plugin/pkg/client/auth/oidc,cjcullen,1
 k8s.io/kubernetes/plugin/pkg/scheduler,fgrzadkowski,0
 k8s.io/kubernetes/plugin/pkg/scheduler/algorithm/predicates,fgrzadkowski,0